Your Privacy, Our Priority
We believe in transparency and your right to privacy. This policy explains how we collect, use, and protect your personal information.
Last Updated: June 12, 2026 · Effective Date: June 12, 2026
This Privacy Policy describes how Enalca LLC ("Enalca", "we", "us", or "our") collects, uses, discloses, and protects personal data when you visit enalca.com, communicate with us, or use our related services (collectively, the "Services"). We operate from Puerto Rico and New York and adhere to applicable U.S. and Puerto Rico privacy laws, and we honor the rights granted by the California Consumer Privacy Act (CCPA/CPRA) and the EU/UK General Data Protection Regulation (GDPR) for visitors those laws protect.
We build software for regulated industries. We hold ourselves to the same standard we build for our clients — so this policy says exactly what we collect, why, on what legal basis, how long we keep it, and who touches it. No filler.
The Short Version
- •We collect only what you give us (contact forms, chat, email) plus, with your consent, basic analytics.
- •Nothing loads behind your back: analytics and chat tracking stay off until you click "Accept all" in our cookie banner.
- •We honor Global Privacy Control signals automatically — if your browser sends one, trackers stay off no matter what.
- •We never sell your data or share it for cross-context behavioral advertising. Ever.
- •Client project data is governed by contracts and NDAs — held to a higher standard than this website policy.
- •Want your data accessed, corrected, or deleted? One email: nathan.galarza@enalca.com. We respond within 30 days.
1. Who We Are
Enalca LLC is the data controller for personal data collected through the Services.
- •Legal entity: Enalca LLC
- •Locations: San Juan, Puerto Rico · New York, NY
- •Privacy contact: nathan.galarza@enalca.com · +1 (787) 361-0791
2. Personal Data We Collect
Data You Provide Directly
| Category | Examples | When |
|---|---|---|
| Identifiers | Name, email address, phone number, company name | Contact form, chat, email, calls |
| Commercial information | Project descriptions, budget context, service interests | Consultation requests |
| Communications content | Messages you send us by form, chat, or email | Any correspondence |
| Professional information | Job title, company, role context you share | Sales conversations |
Data Collected Automatically — Only With Your Consent
We show every new visitor a cookie banner before any analytics or marketing technology loads. If you choose "Accept all":
| Category | Examples | Source |
|---|---|---|
| Internet activity | Pages visited, time on page, referring site, clicks | HubSpot, Apollo |
| Device information | Browser type, operating system, screen size | HubSpot, Apollo |
| Coarse location | City/region inferred from IP address | HubSpot, Apollo |
| Identifiers | Cookie IDs, IP address | HubSpot, Apollo |
If you choose "Essentials only", none of the above is collected. The site works fully without it.
Data Collected for Security (All Visitors)
| Category | Examples | Purpose |
|---|---|---|
| Server logs | IP address, request timestamps, user agent | Abuse and spam prevention, debugging |
| Spam signals | Device and interaction signals via Google reCAPTCHA | Protecting our forms |
| Error reports | Technical stack traces, browser context via Sentry | Detecting and fixing site failures |
We do not collect: precise geolocation, biometric data, health data through this website, or data from data brokers.
3. How We Use Personal Data — And Our Legal Bases
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Respond to consultation requests and inquiries | Identifiers, commercial info, communications | Legitimate interest / pre-contract steps |
| Provide live chat | Communications, identifiers | Consent |
| Send transactional email (confirmations, follow-ups) | Identifiers | Legitimate interest |
| Understand site usage and improve content | Internet activity, device info | Consent |
| Secure the Services against spam and abuse | Server logs, spam signals | Legitimate interest |
| Maintain client portal sessions | Identifiers, authentication tokens | Contract |
| Comply with legal obligations | As required | Legal obligation |
We do not use your personal data for automated decision-making with legal effects, and we do not sell it, rent it, or share it with third parties for their own advertising.
4. Cookies & Similar Technologies
Your Choices
- •The banner comes first. Analytics and marketing technologies do not load until you click "Accept all".
- •Essentials only keeps just what the site needs to run.
- •Global Privacy Control (GPC): if your browser sends a GPC signal, we treat it as an opt-out automatically — trackers stay off even if consent was previously given on this device.
- •Changing your mind: clear this site's data in your browser settings and the banner will ask again — or email us and we'll walk you through it.
Cookie & Storage Inventory
| Name | Provider | Purpose | Category | Duration |
|---|---|---|---|---|
| enalca-cookie-consent | Enalca (localStorage) | Remembers your consent choice | Essential | Until cleared |
| theme | Enalca (localStorage) | Remembers display preferences | Essential | Until cleared |
| __hstc | HubSpot | Visitor analytics | Analytics (consent) | 13 months |
| hubspotutk | HubSpot | Visitor identification | Analytics (consent) | 13 months |
| __hssc | HubSpot | Session tracking | Analytics (consent) | 30 minutes |
| __hssrc | HubSpot | Session start detection | Analytics (consent) | Session |
| messagesUtk | HubSpot | Live chat visitor recognition | Functional (consent) | 13 months |
| _GRECAPTCHA | Spam protection on forms | Security | 6 months | |
| Apollo identifiers | Apollo | Business visitor analytics | Analytics (consent) | Up to 13 months |
5. How We Disclose Personal Data
We share personal data only with service providers who help us run the Services, each bound to use it solely for the service they provide to us:
| Provider | Service | Loads | Privacy policy |
|---|---|---|---|
| HubSpot | CRM, live chat, site analytics | After consent only | HubSpot Privacy |
| Apollo | Business visitor analytics | After consent only | Apollo Privacy |
| Postmark (ActiveCampaign) | Transactional email delivery | Server-side | Postmark Privacy |
| Amazon Web Services | Cloud storage and infrastructure | Server-side | AWS Privacy |
| Google reCAPTCHA | Form spam prevention | On form use | Google Privacy |
| Sentry | Error monitoring | Always (technical only) | Sentry Privacy |
We may also disclose personal data if required by law, court order, or to protect our rights, safety, or property — and if Enalca is ever involved in a merger or acquisition, personal data may transfer as part of that transaction under the same protections.
We have not sold personal data and do not share it for cross-context behavioral advertising, including in the 12 months preceding the effective date of this policy.
6. Client & Project Data
If you engage Enalca to build software, the data involved in your project — source code, documents, databases, end-user records — is governed by our service agreement and NDA with you, not by this website policy. Our standing practices for client work:
- •Confidentiality by default: project details are never used in marketing without written approval.
- •Least-privilege access: only team members working on your project can touch your data, with access revoked when their work ends.
- •Regulated data (health records, youth services, financial, government): handled under the applicable framework — including HIPAA Business Associate Agreements where required — with de-identification, audit logging, and human review built into our delivery process.
- •No training on your data: we do not use client data to train AI models for other clients or ourselves.
- •Return or destruction: at the end of an engagement, client data is returned or destroyed per the service agreement.
7. Data Retention
| Data | Retention period |
|---|---|
| Consultation inquiries that don't become engagements | Up to 24 months after last interaction |
| Chat transcripts | Up to 24 months |
| Client correspondence | Duration of the relationship + 3 years |
| Server and security logs | 90 days |
| Error reports | 90 days |
| Analytics cookies | Per the durations in the cookie table above |
When a retention period ends, data is deleted or irreversibly anonymized. We retain data longer only where the law requires it.
8. Security
We protect personal data with the same engineering discipline we apply to client systems:
- •Encryption in transit (TLS) across all Services.
- •Encryption at rest for stored data on our cloud infrastructure.
- •Role-based, least-privilege access controls with multi-factor authentication on internal tools.
- •Code review and dependency scanning in our development process.
- •Continuous error and anomaly monitoring.
No method of transmission over the Internet is 100% secure, but we treat your data the way we'd want ours treated. If a breach affecting your personal data ever occurs, we will notify you and regulators as required by law.
9. International Transfers
We are U.S.-based and process data primarily in the United States. Where our service providers process data in other jurisdictions, we rely on appropriate safeguards such as Standard Contractual Clauses for transfers from the EU/UK.
10. Your Privacy Rights
Everyone
Regardless of where you live, you may ask us to:
- •Access the personal data we hold about you.
- •Correct inaccurate data.
- •Delete your data.
- •Stop marketing communications at any time.
California Residents (CCPA/CPRA)
You additionally have the right to know the categories of personal data we collect (Sections 2, 4, and 5 above), the right to data portability, the right to limit use of sensitive personal information (we don't collect any through this site), and the right to non-discrimination for exercising your rights. We do not sell or share personal data as defined by the CCPA, so there is nothing to opt out of — and we honor Global Privacy Control as a valid opt-out signal regardless.
EU, EEA & UK Visitors (GDPR)
You additionally have the right to data portability, the right to object to processing based on legitimate interest, the right to withdraw consent at any time (without affecting prior processing), the right to restrict processing, and the right to lodge a complaint with your local supervisory authority.
Exercising Your Rights
Email nathan.galarza@enalca.com with your request. We will verify your identity using the email address associated with your data, respond within 30 days, and never charge a fee or discriminate against you for asking. If we can't fulfill a request, we'll tell you exactly why.
11. Children's Privacy
Our Services are directed at businesses and are not intended for children under 13 (or under 16 where stricter rules apply). We do not knowingly collect personal information from children. If you believe a child has provided us personal data, contact us and we will delete it.
12. Third-Party Sites
Our site links to external sites (client products, social media, provider policies). Their privacy practices are their own — this policy stops at our domain.
13. Changes to This Policy
If we make material changes, we will post the updated policy here with a new effective date — and for significant changes affecting how we use already-collected data, we will take reasonable steps to notify you. We won't quietly weaken your protections.
14. Contact Us
Questions about this policy or your data:
- •Email: nathan.galarza@enalca.com
- •Phone: +1 (787) 361-0791
- •Enalca LLC — San Juan, Puerto Rico · New York, NY