Effective July 13, 2026 · Version 1.1
Controller and scope
OCO Ingenieria EAS Unipersonal is responsible for the personal information it determines how and why to process through this public website and its inquiry channel. This notice applies to visits to oco.com.py and to information submitted through the public contact form.
The notice does not govern a future client system, authority integration, research data room, employment process, vendor process, or regulated engagement. Each such activity requires a separate notice, agreement, or processing schedule that identifies the responsible parties and exact data flow.
Paraguayan privacy framework
The Constitution of Paraguay protects private life and provides habeas data. Law No. 6534/2020 currently regulates personal credit data when that specialized category is involved. Consumer, electronic-commerce, civil, criminal, communications, employment, and sector-specific rules may also apply.
Law No. 7593/2025 creates a comprehensive personal-data framework. Article 57 provides that it enters into force 24 months after official publication, and MITIC states that effectiveness is expected in late 2027. OCO applies its core transparency, minimization, security, and data-subject principles to this public website during the transition, without incorrectly describing the future law or its new Agency as already fully effective.
Information processed
The website processes only the categories needed to deliver and protect the site and to receive an inquiry.
- Request and security metadata: IP address, date and time, requested URL, request method, user agent, referrer, network and TLS information, and security or abuse signals processed by the hosting and security provider.
- Inquiry fields: name, work email, optional organization name, organization type, inquiry type, message, submission time, and the technical result of the submission.
- Follow-up communications: replies, meeting arrangements, and information later supplied through an agreed channel.
- Compliance records: limited information needed to document consent, a request, complaint, restriction, deletion, legal hold, abuse event, or security incident.
Sources of information
Most inquiry information is supplied directly by the visitor. Technical metadata is generated when the visitor's device communicates with Cloudflare's network and the website. OCO may receive additional professional contact details from the organization the visitor represents or from public institutional sources when needed to verify and answer an inquiry.
If OCO obtains personal information from another source for a later engagement, the applicable engagement notice must identify that source and purpose.
Purposes and grounds
OCO uses public-site information only for defined operational, inquiry, security, and legal purposes.
- Deliver pages, route requests, maintain availability, diagnose errors, and protect the website against abuse.
- Validate and transmit an inquiry, reply to the sender, determine whether OCO can discuss the requirement, and arrange a separate conversation.
- Maintain business continuity, prevent duplicate or abusive submissions, establish or defend legal claims, and comply with a binding legal request.
- Prepare for a requested contract or act under a later written agreement when the visitor or represented organization asks OCO to proceed.
During the transition to Law No. 7593/2025, these purposes are limited by necessity, proportionality, transparency, and reasonable visitor expectations. Once the law is effective, OCO will rely on the applicable legal condition for each activity, including a requested pre-contractual step, contract performance, legal obligation, valid consent, or a documented legitimate interest that does not override the person's rights.
Contact-form processing
The browser sends a valid form to an OCO endpoint hosted on Cloudflare. The endpoint validates required fields, limits field length, rejects unrecognized organization and inquiry types, and forwards the message through Google's Gmail API to the configured OCO recipient. The website function does not intentionally create a separate public-form database.
A successful screen message means the inquiry was transmitted; it does not confirm an engagement, confidentiality, legal receipt, or a deadline. Email systems and infrastructure providers may retain operational copies and logs under their service configurations and legal duties.
Information not to submit
The public form is designed for ordinary professional contact information and a non-sensitive description of a regulatory requirement. Do not submit passwords, tokens, private keys, identity documents, credit reports, banking data, health data, biometric or genetic data, political or union information, information about children, legal case files, regulated evidence, production records, trade secrets, or detailed vulnerability material.
If OCO needs controlled material, it will first confirm the lawful purpose, responsible parties, minimum data, transfer channel, access restrictions, retention, deletion, and incident process. OCO may delete an unsolicited high-risk submission without evaluating its substance, subject to legal preservation duties.
Children and adolescents
The website is directed to organizations and adult professionals. OCO does not knowingly solicit personal information from children or adolescents through the public inquiry form.
A person must not submit information about a minor unless authorized and directed through a process specifically designed for that purpose. Law No. 7593/2025 establishes enhanced consent and comprehensibility requirements for minors, including special rules for persons under sixteen and for sensitive data concerning older adolescents.
Processors and recipients
Cloudflare, Inc. and its affiliates process website requests, delivery, security signals, Function execution, and the private service binding used by the contact channel. Google LLC and its affiliates process consented Google Analytics events and the Gmail transmission, routing, and mailbox storage used for valid inquiries. Authorized OCO personnel may access an inquiry only for the purposes stated in this notice.
OCO does not sell, rent, or disclose public-site personal information for targeted advertising. OCO may disclose minimum necessary information to a professional adviser, service provider, affected system owner, competent authority, court, or law-enforcement body when authorized, required by law, needed to protect rights or systems, or necessary to address an inquiry.
International processing
Cloudflare and Google operate distributed infrastructure, so website and inquiry information may be processed or stored outside Paraguay. The laws of a processing location may differ from Paraguayan law.
OCO limits transferred data to the service purpose and evaluates provider terms, access controls, and available contractual safeguards in proportion to risk. Before Law No. 7593/2025 becomes effective, OCO will review the applicable adequacy, contractual, consent, necessity, or other lawful transfer mechanism required for each continuing international transfer.
Retention and deletion
OCO retains a valid preliminary inquiry for no longer than 24 months after the last substantive communication when no engagement begins, unless a shorter period is appropriate or a legal claim, fraud review, security event, or binding obligation requires longer preservation.
If an engagement begins, relevant correspondence moves into the engagement record and follows the contract, accounting, tax, professional, evidence, and legal-retention schedule applicable to that work. Invalid or incomplete form payloads are not intentionally stored by OCO beyond transient processing, although infrastructure providers may retain security and operational logs under configured service periods.
When retention ends, OCO deletes or renders the information no longer reasonably identifiable, subject to backups, legal holds, and provider deletion cycles. OCO does not copy ordinary Cloudflare browsing logs into a separate visitor database. Consented Google Analytics data follows the retention settings configured for the OCO Ingenieria property.
Security and incidents
OCO uses technical and organizational measures proportionate to the public site's limited data flow. Current controls include encrypted transport provided by the hosting platform, a restrictive Content Security Policy, framing and content-type protections, limited browser permissions, server-side field validation, controlled provider credentials, and separation between the public site and future engagement systems.
No internet transmission or provider is risk-free. OCO assesses a suspected incident, limits access, preserves necessary evidence, coordinates with affected providers or owners, and gives any notice required by applicable law or contract. Once Law No. 7593/2025 is effective, its Article 17 requires notification to the control authority and, where applicable, the data subject within no more than 72 hours after awareness of a qualifying personal-data security incident.
Automated decisions and profiling
OCO does not use public-site information to make a solely automated decision that produces legal or similarly significant effects on a visitor. The contact endpoint performs validation and spam-oriented checks but does not approve a study, select a client, determine legal eligibility, or assign a regulatory status.
OCO does not create advertising or behavioral profiles from public-site visits. A future use of material automated decision-making requires a separate documented purpose, legal basis, explanation, review path, and applicable rights.
Privacy rights
A person may ask OCO whether it holds public-site information about them and may request access, correction, deletion, restriction or opposition, and a portable copy where technically and legally applicable. A person may withdraw consent for future processing when consent is the relevant ground; withdrawal does not invalidate earlier lawful processing.
OCO offers these request paths during the transition to Law No. 7593/2025. Once that law is effective, its statutory access, rectification, suppression, opposition, and portability rights, exceptions, and procedures apply according to their scope. The law sets a maximum response period of 30 calendar days, unless regulation establishes a shorter period.
Submitting a privacy request
Use the public contact form to request the privacy channel and choose “Other” as the inquiry type. State the right requested and the email used in the original inquiry, but do not attach identity documents or sensitive records to the first message.
OCO may request proportionate identity or authority verification before disclosing, changing, exporting, or deleting information. OCO may preserve information that must be retained by law, is needed for a legal claim, belongs to another person, or falls within another lawful exception, and will explain the applicable limit when permitted.
Engagement-specific processing
A regulatory study or operating system may involve OCO as an independent controller, joint participant, processor, technical provider, or party with no authority over the source data. The written engagement must identify that role rather than relying on this public notice.
The engagement documentation must define the legal purpose, data categories, source, data subjects, authority, recipients, international transfers, professional and official roles, security controls, incident duties, retention, deletion, audit rights, subcontractors, return of data, and exit process. Public or immutable verification layers must not receive raw personal or confidential data unless the exact lawful design expressly requires it.
Notice changes
OCO will update this notice before materially changing the public site's data categories, purposes, providers, automated decisions, or transfer model. The effective date and version identify the current notice.
A changed public notice does not replace a signed data-processing agreement or engagement-specific notice. Material changes to those documents follow their stated amendment process.
Official legal sources
These links are provided for verification and lead to official Spanish-language sources. The official published text, competent authority, and binding decision control. The list identifies the principal sources relevant to this public notice; it is not a complete legal inventory for a particular engagement.
- Constitution of the Republic of Paraguay — Articles 33 and 135Privacy, private life, and habeas data.
- Law No. 6534/2020 — Personal Credit Data ProtectionCurrent specialized rules for personal credit data.
- Law No. 7593/2025 — Personal Data ProtectionComprehensive personal-data framework; effective 24 months after official publication.
- MITIC — Scope and transition for Law No. 7593/2025Official transition notice stating that the law is expected to take effect in late 2027.
- Law No. 4974/2013 — SEDECONational consumer-protection authority and complaint powers.