Privacy Policy
Last updated: April 26, 2026
1. Identity and Contact Information of the Data Controller
In compliance with Article 17 of Law 25.326 and Article 13 of the GDPR, the following information is provided:
| Name | EkamDasha (registered trademark) |
| Owner | Diego Sergio Mozzi |
| Tax ID (CUIT) | 20-32309122-7 |
| Address | Río Colorado, Province of Río Negro, Argentine Republic |
| legal@ekamdasha.com | |
| Phone | +54 9 11 7631 5651 |
| DPO / Privacy Officer | Pending designation — interim contact: legal@ekamdasha.com |
| AAIP Registration | Pending registration (see Section 12) |
2. Scope of Application and Covered Services
This Policy covers the processing of personal data carried out in the context of the following EkamDasha services:
- EkamDasha Shield: Anti-spam content analysis API and integration with URL reputation services.
- EkamDasha Pass: Zero-knowledge password manager with Chrome extension.
- EK Conversational Agent: Assistant powered by Anthropic (Claude).
- Public Shield: Analysis endpoint accessible without registration by anonymous users.
- Website: ekamdasha.com and associated subdomains.
This Policy applies to both registered users and anonymous users who use the public endpoint or access the website. It does not apply to the processing of data that EkamDasha's clients (who integrate Shield into their own platforms) carry out on their own end users; in that case, such clients act as data controllers and must establish their own privacy policies.
3. Categories of Data Processed, Purposes and Legal Bases
3.1 Data processed by Shield (registered service users)
| Data Category | Purpose | GDPR Legal Basis | Law 25.326 Legal Basis |
|---|---|---|---|
| Submission content (text, names, form data) | Spam and malicious content analysis | Art. 6.1.b — Contract | Art. 5 — Contractual relationship |
| Source IP, user-agent, referrer, timestamp | Risk analysis, abuse prevention, security auditing | Art. 6.1.f — Legitimate interest | Art. 5 — Legitimate interest |
| URLs included in content | Reputation verification against Safe Browsing / VirusTotal | Art. 6.1.f — Legitimate interest | Art. 5 — Legitimate interest |
| Anonymized and aggregated data | Improvement of detection algorithms | Not applicable (anonymous data) | Not applicable (statistical data) |
3.2 Public Shield — Anonymous Users
The public endpoint (/api/Shield/v1/public/analyze) processes data from users who have not registered. By using this endpoint, the user provides tacit consent to the processing of the following data:
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Submission content | Spam analysis | Art. 6.1.f GDPR — Legitimate interest / Law 25.326 Art. 5 |
| Source IP, user-agent, timestamp | Service abuse prevention and auditing | Art. 6.1.f GDPR — Legitimate interest / Law 25.326 Art. 5 |
| Included URLs | Reputation verification | Art. 6.1.f GDPR — Legitimate interest / Law 25.326 Art. 5 |
EkamDasha applies the data minimization principle: it does not collect additional identifying data from anonymous users beyond the technical metadata necessary for providing the service.
3.3 EkamDasha Pass
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Email address | Account identification, notifications, account recovery | Art. 6.1.b GDPR / Law 25.326 Art. 5 |
| Creation date, subscription status | Access and billing management | Art. 6.1.b GDPR / Law 25.326 Art. 5 |
| Device metadata and session timestamps | Account security, detection of unauthorized access | Art. 6.1.f GDPR / Law 25.326 Art. 5 |
| Encrypted vault data (AES-256-GCM) | Secure storage of user credentials | Art. 6.1.b GDPR / Law 25.326 Art. 5 |
| Security logs (failed attempts, alerts) | Fraud prevention, account protection | Art. 6.1.f GDPR / Law 25.326 Art. 5 |
ZERO-KNOWLEDGE ARCHITECTURE — PASS
EkamDasha never has access to the user's master password or to the decrypted content of the vault. Vault data stored on EkamDasha's servers is cryptographically unreadable to EkamDasha, even in response to judicial or administrative requests. EkamDasha cannot assist in the recovery of vault data whose master password has been lost.
3.4 EK Conversational Agent
EK is powered by Anthropic (Claude API). The data processed varies according to session type:
| Data | Anonymous Session | Authenticated Session |
|---|---|---|
| Source IP | Yes — temporarily recorded | Yes — persistently recorded |
| User identification | No | Yes |
| Detected language | Yes | Yes |
| Analyzed text | Yes | Yes |
| Conversation messages | Yes — only during active session | Yes — persistent history |
| History recoverable between sessions | No (deleted on close/refresh) | Yes (until account deletion) |
Legal basis (anonymous session): Art. 6.1.f GDPR / Art. 5 Law 25.326. Legal basis (authenticated session): Art. 6.1.b GDPR / Art. 5 Law 25.326. Transfer to Anthropic: messages are transmitted to the Anthropic API without additional user-identifying data. Anthropic acts as a data processor in accordance with its Privacy Policy and Data Processing Agreement (DPA).
3.5 Browsing Data — Website
EkamDasha may collect technical browsing data (IP, browser type, pages visited, timestamps) through web analytics tools for the purpose of maintaining and improving the site. This data is processed in anonymized form to the extent possible. The site may use essential cookies for authentication and session management; no tracking or advertising cookies are used.
4. Data Processing Principles
EkamDasha applies the following principles in accordance with Article 4 of Law 25.326 and Article 5 of the GDPR:
| Principle | Concrete application in EkamDasha |
|---|---|
| Lawfulness, fairness and transparency | All data collection has a valid legal basis and the user is informed through this Policy. |
| Purpose limitation | Data is collected for determined, explicit and legitimate purposes; it is not used for incompatible purposes. |
| Data minimization | Only data strictly necessary for each service is collected. Pass encrypts data before storage; Safe Browsing/VirusTotal only receive URLs, without user data. |
| Accuracy | Users can correct their data at any time from their account panel. |
| Storage limitation | Data is kept for the minimum necessary time according to the periods defined in Section 5. |
| Integrity and confidentiality | Appropriate technical and organizational measures are implemented (encryption, access controls, audits). |
| Proactive responsibility (accountability) | EkamDasha documents its processing activities and will designate a DPO when applicable. |
5. Data Retention Periods
5.1 Shield
| Data Type | Retention Period | Justification |
|---|---|---|
| Legitimate submission content | Immediate deletion after analysis | No longer necessary once legitimacy is confirmed. |
| Content marked as spam | Up to 6 months | Algorithm training and improvement. After the period, data is anonymized or deleted. |
| Verified URLs (Safe Browsing/VirusTotal) | Not retained by EkamDasha | URLs are transmitted for real-time verification and are not stored in EkamDasha's systems. |
| IP, user-agent, timestamp (connection logs) | Up to 12 months | Abuse prevention, security audits, legal compliance. |
| Anonymized and aggregated data | Indefinitely | As they do not contain personal identifiers, they are not subject to retention periods under GDPR or Law 25.326. |
5.2 Pass
| Data Type | Retention Period | Justification |
|---|---|---|
| Encrypted vault data | Until account deletion + 30 days | Additional 30 days to allow error recovery before permanent deletion. |
| Email address and account data | Until account deletion + 90 days | Billing management and compliance with legal obligations. |
| Security logs (login attempts, alerts) | Up to 12 months | Security audits, fraud prevention, and regulatory compliance. |
| Anonymized usage statistics | Indefinitely | Non-identifiable data; not subject to mandatory retention periods. |
5.3 EK Agent
| Data Type | Retention Period | Justification |
|---|---|---|
| Anonymous conversations (messages, IP, language) | Duration of active session | Automatically deleted when session expires or page is refreshed/closed. |
| Authenticated conversations (messages, IP, user identification) | Until account deletion | Retained to provide conversation history to the user. Deleted with the account. |
| EK connection metadata (IP, timestamps) | Up to 12 months | Service abuse prevention and security auditing. |
After the indicated periods have elapsed, EkamDasha will proceed with secure deletion or anonymization of the data, unless there is a current legal obligation to retain it. In that case, EkamDasha will retain only the data strictly necessary to fulfill such obligation, in a restricted manner and separate from ordinary processing.
6. International Data Transfers
In providing its Services, EkamDasha may transfer personal data to other countries or international organizations. The following transfers and applicable safeguards are detailed below:
| Recipient | Country | Data Transferred | GDPR Safeguard | Law 25.326 Safeguard |
|---|---|---|---|---|
| Anthropic PBC | USA | EK messages (without user identification) | Art. 46 — DPA / SCCs | Adequate guarantees |
| Google LLC (Safe Browsing) | USA | URLs from analyzed content | Art. 46 — SCCs / EU-US Framework | Adequate guarantees |
| VirusTotal (Alphabet/Google) | USA | URLs from analyzed content | Art. 46 — SCCs / EU-US Framework | Adequate guarantees |
| MercadoPago S.R.L. | Argentina | User payment data | N/A (adequate country) | N/A (local operator) |
The Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) are incorporated by reference into contracts with service providers in the United States. To consult the text of such clauses or request a copy of the safeguard instruments, users may contact legal@ekamdasha.com.
7. Data Processors (Subprocessors)
EkamDasha uses the following data processors in providing its Services, subject to contractual confidentiality and security obligations:
| Subprocessor | Function | Data Accessed | Country | Certification / Guarantee |
|---|---|---|---|---|
| Anthropic PBC | AI processing for EK Agent | Conversation messages | USA | Enterprise DPA / SCCs |
| Google LLC — Safe Browsing | Malicious URL verification | URLs from analyzed content | USA | Google Cloud DPA / SCCs |
| VirusTotal (Google/Alphabet) | Multi-engine URL verification | URLs from analyzed content | USA | VirusTotal ToS / SCCs |
| Infrastructure provider (Germany) | Server and database infrastructure | All data at rest | Germany (EU) | ISO/IEC 27001:2022, BSI C5 Type 2, PCI DSS 4.0 |
| MercadoPago S.R.L. | Payment processing | User payment data | Argentina | PCI-DSS |
EkamDasha maintains an up-to-date register of its subprocessors. In the event of material changes to the list, EkamDasha will provide at least 30 days' prior notice, granting the user the possibility to object to such change.
8. Technical and Organizational Security Measures
8.1 Technical measures
- Encryption in transit: TLS 1.2 or higher for all communications.
- Encryption at rest: Pass vault data is stored encrypted with AES-256-GCM; encryption keys never reside with EkamDasha.
- Key derivation: PBKDF2 with SHA-256 and over 600,000 iterations for the Pass master password.
- API authentication: API keys with periodic rotation and access control.
- Two-factor authentication (2FA): Available and recommended for all registered users.
- Access control: Principle of least privilege in databases and production systems.
- Audit logs: Logging of access, modifications, and security events with 12-month retention.
- Certified infrastructure: Servers hosted in data centers certified ISO/IEC 27001:2022, BSI C5 Type 2, and PCI DSS 4.0, located in Germany.
8.2 Organizational measures
- Confidentiality agreements (NDA) with all employees and subcontractors who access personal data.
- Documented security breach management procedure, including notification deadlines.
- Regular security reviews and penetration testing.
- Patch management and security update policy.
- Regular data protection training for EkamDasha personnel.
8.3 Breach notification protocol
- Detection and assessment (0-24 h): Identification of scope, categories of data affected, and estimated number of affected data subjects.
- Notification to supervisory authority (max 72 h from detection): EkamDasha will notify the AAIP (and, where applicable, the competent EEA supervisory authority) pursuant to Article 43bis of Law 25.326 and Article 33 of the GDPR.
- Notification to affected individuals: When the breach may entail a high risk, EkamDasha will directly notify data subjects in clear language (GDPR Art. 34).
- Particularity of Pass: Given the zero-knowledge architecture, a potential breach of EkamDasha's servers only exposes unreadable encrypted data. Notwithstanding this, EkamDasha will notify in accordance with the above procedure.
9. Data Subject Rights
| Right | Applicable Articles | Description | Limitations and Exceptions |
|---|---|---|---|
| Information / Access | Art. 14 Law 25.326 / Art. 15 GDPR | Obtain confirmation of processing and a copy of data. | May be limited if it violates third-party rights or system security. |
| Rectification | Art. 16 Law 25.326 / Art. 16 GDPR | Correct inaccurate data or complete incomplete data. | Does not apply to Pass vault data (EkamDasha cannot access it). |
| Erasure / Right to be forgotten | Art. 16 Law 25.326 / Art. 17 GDPR | Delete data when no longer necessary or when consent is withdrawn. | May be limited by legal retention obligations or defense of claims. |
| Portability | Art. 20 GDPR (EEA users) | Receive data in a structured, machine-readable format. | Pass offers encrypted vault export. |
| Objection | Art. 27 Law 25.326 / Art. 21 GDPR | Object to processing based on legitimate interest or for direct marketing. | EkamDasha must demonstrate compelling legitimate grounds that override. |
| Restriction of processing | Art. 18 GDPR (EEA users) | Suspend processing while a dispute regarding accuracy or lawfulness is resolved. | Data may be retained but not actively processed. |
| Withdrawal of consent | Art. 5 Law 25.326 / Art. 7.3 GDPR | Withdraw consent at any time without retroactive effects. | Only applies to processing based on consent. |
| Not to be subject to automated decisions | Art. 22 GDPR (EEA users) | Not be subject to decisions with significant effects based solely on automated processing. | User may request human review for Shield blocking decisions. |
9.1 Procedure for Exercising Rights
To exercise any of the above rights, the user must send a request to info@ekamdasha.com with the subject line "Exercise of rights — [name of right]" indicating:
- Full name and registered email address;
- Clear description of the right they wish to exercise;
- If acting as a representative, proof thereof.
EkamDasha will respond within the following periods:
- Law 25.326: maximum 30 business days;
- GDPR: within one month, extendable by two additional months upon notification to the user within the first month.
Responses will be provided free of charge, except for manifestly unfounded or excessive requests.
9.2 Complaint Channels
- Argentina: File a complaint with the Agency for Access to Public Information (AAIP): www.argentina.gob.ar/aaip / datospersonales@aaip.gob.ar.
- European Union / EEA: File a complaint with the competent supervisory authority of their country of residence (GDPR Art. 77). List available at edpb.europa.eu.
10. Cookies and Tracking Technologies
10.1 Website
| Cookie Type | Purpose | Legal Basis | Possibility to Reject |
|---|---|---|---|
| Essential / Technical | Authentication, session management, CSRF security | Art. 6.1.b GDPR — Necessary for contract | No (necessary for operation) |
| Analytics (anonymized) | Site usage statistics, experience improvement | Art. 6.1.f GDPR — Legitimate interest | Yes, via browser settings |
| Preferences | Remember user settings (language, theme) | Art. 6.1.b GDPR — Contract | Not recommended (affects functionality) |
EkamDasha does not use advertising cookies or third-party tracking for user profiling. Cookie information is not shared with advertising networks.
10.2 Shield and Pass APIs
The Shield and Pass APIs do not use cookies. Authentication is managed through secure tokens transmitted in HTTP headers.
10.3 Pass Chrome Extension
The extension does not use third-party cookies. Local storage is limited to the encrypted session token and vault synchronization data. No browsing data is collected.
11. Minors
EkamDasha's Services are not directed at minors under 18 years of age. EkamDasha does not knowingly collect personal data from minors. If EkamDasha becomes aware that it has collected data from a minor without verifiable consent from a parent or guardian, it will delete such data without delay. Parents or guardians who believe that their minor children have provided personal data may contact legal@ekamdasha.com.
For users between 13 and 17 years of age, verifiable consent from a parent or legal guardian is required, in accordance with Article 8 of the GDPR and Law 26.061 on the Comprehensive Protection of the Rights of Children and Adolescents (Argentina).
12. Database Registration with AAIP
EkamDasha is in the process of registering the following databases with the AAIP:
| Database | Registration Status | Main Purpose |
|---|---|---|
| Registered users and customers | In progress | Account management, billing, and service provision. |
| EK Agent conversations | In progress | Provision of conversational assistance service and its improvement. |
| Shield analysis and logs | In progress | Spam detection, malicious content, and fraud prevention. |
| Security logs | In progress | Prevention of unauthorized access and security auditing. |
Once registration numbers are obtained, they will be published in this Policy and on the EkamDasha website. Until then, EkamDasha complies with all substantive obligations of Law 25.326.
13. Data Protection Officer (DPO)
EkamDasha is evaluating whether its processing activities meet the thresholds requiring mandatory DPO designation under the GDPR and Argentine regulations. Until this evaluation is completed, data protection inquiries may be directed to legal@ekamdasha.com. Once a DPO is designated, their contact details will be published in this Policy.
14. Record of Processing Activities
Pursuant to Article 30 of the GDPR, EkamDasha maintains an internal record of processing activities carried out under its responsibility, available for consultation by competent supervisory authorities. Users interested in obtaining information about a specific processing activity may request it at legal@ekamdasha.com.
15. Modifications to this Policy
EkamDasha may update this Policy at any time. Material modifications will be notified by:
- Posting on the website with an updated "Last Updated" date;
- Email notification to registered users with at least 30 days' notice when the change expands the scope of processing or reduces user rights.
If the user does not accept the modifications, they may cancel their account before the effective date. Continued use of the Services will constitute tacit acceptance of the updated Policy. Changes required by legal obligations may take effect immediately.
16. Contact and Exercise of Rights
For any inquiries about this Policy, to exercise your rights, or to report any privacy-related incidents:
- Email (general inquiries): legal@ekamdasha.com
- Email (exercise of rights): info@ekamdasha.com
- Recommended subject: "Exercise of rights — [Requested right]" or "Privacy inquiry"
- Postal address: Río Colorado, Río Negro, Argentina
- Phone: +54 9 11 7631 5651
For users in Argentina, if a satisfactory response is not obtained, they may contact the AAIP: www.argentina.gob.ar/aaip. For users in the EU/EEA, they may contact the supervisory authority of their country of residence.