Skip to content
OCOIngenieria Paraguay
CompanyMethodInfrastructureStudiesCooperationInnovation Let's talk
HomePrivacy

Privacy

Privacy

01 Controller and scope02 Paraguayan privacy framework03 Information processed04 Sources of information05 Purposes and grounds06 Contact-form processing07 Information not to submit08 Children and adolescents09 Cookies and analytics10 Processors and recipients11 International processing12 Retention and deletion13 Security and incidents14 Automated decisions and profiling15 Privacy rights16 Submitting a privacy request17 Complaints and authorities18 Engagement-specific processing19 Notice changes20 Sources

Effective July 13, 2026 · Version 1.1

Controller and scope

OCO Ingenieria EAS Unipersonal is responsible for the personal information it determines how and why to process through this public website and its inquiry channel. This notice applies to visits to oco.com.py and to information submitted through the public contact form.

The notice does not govern a future client system, authority integration, research data room, employment process, vendor process, or regulated engagement. Each such activity requires a separate notice, agreement, or processing schedule that identifies the responsible parties and exact data flow.

Paraguayan privacy framework

The Constitution of Paraguay protects private life and provides habeas data. Law No. 6534/2020 currently regulates personal credit data when that specialized category is involved. Consumer, electronic-commerce, civil, criminal, communications, employment, and sector-specific rules may also apply.

Law No. 7593/2025 creates a comprehensive personal-data framework. Article 57 provides that it enters into force 24 months after official publication, and MITIC states that effectiveness is expected in late 2027. OCO applies its core transparency, minimization, security, and data-subject principles to this public website during the transition, without incorrectly describing the future law or its new Agency as already fully effective.

Information processed

The website processes only the categories needed to deliver and protect the site and to receive an inquiry.

  • Request and security metadata: IP address, date and time, requested URL, request method, user agent, referrer, network and TLS information, and security or abuse signals processed by the hosting and security provider.
  • Inquiry fields: name, work email, optional organization name, organization type, inquiry type, message, submission time, and the technical result of the submission.
  • Follow-up communications: replies, meeting arrangements, and information later supplied through an agreed channel.
  • Compliance records: limited information needed to document consent, a request, complaint, restriction, deletion, legal hold, abuse event, or security incident.

Sources of information

Most inquiry information is supplied directly by the visitor. Technical metadata is generated when the visitor's device communicates with Cloudflare's network and the website. OCO may receive additional professional contact details from the organization the visitor represents or from public institutional sources when needed to verify and answer an inquiry.

If OCO obtains personal information from another source for a later engagement, the applicable engagement notice must identify that source and purpose.

Purposes and grounds

OCO uses public-site information only for defined operational, inquiry, security, and legal purposes.

  • Deliver pages, route requests, maintain availability, diagnose errors, and protect the website against abuse.
  • Validate and transmit an inquiry, reply to the sender, determine whether OCO can discuss the requirement, and arrange a separate conversation.
  • Maintain business continuity, prevent duplicate or abusive submissions, establish or defend legal claims, and comply with a binding legal request.
  • Prepare for a requested contract or act under a later written agreement when the visitor or represented organization asks OCO to proceed.

During the transition to Law No. 7593/2025, these purposes are limited by necessity, proportionality, transparency, and reasonable visitor expectations. Once the law is effective, OCO will rely on the applicable legal condition for each activity, including a requested pre-contractual step, contract performance, legal obligation, valid consent, or a documented legitimate interest that does not override the person's rights.

Contact-form processing

The browser sends a valid form to an OCO endpoint hosted on Cloudflare. The endpoint validates required fields, limits field length, rejects unrecognized organization and inquiry types, and forwards the message through Google's Gmail API to the configured OCO recipient. The website function does not intentionally create a separate public-form database.

A successful screen message means the inquiry was transmitted; it does not confirm an engagement, confidentiality, legal receipt, or a deadline. Email systems and infrastructure providers may retain operational copies and logs under their service configurations and legal duties.

Information not to submit

The public form is designed for ordinary professional contact information and a non-sensitive description of a regulatory requirement. Do not submit passwords, tokens, private keys, identity documents, credit reports, banking data, health data, biometric or genetic data, political or union information, information about children, legal case files, regulated evidence, production records, trade secrets, or detailed vulnerability material.

If OCO needs controlled material, it will first confirm the lawful purpose, responsible parties, minimum data, transfer channel, access restrictions, retention, deletion, and incident process. OCO may delete an unsolicited high-risk submission without evaluating its substance, subject to legal preservation duties.

Children and adolescents

The website is directed to organizations and adult professionals. OCO does not knowingly solicit personal information from children or adolescents through the public inquiry form.

A person must not submit information about a minor unless authorized and directed through a process specifically designed for that purpose. Law No. 7593/2025 establishes enhanced consent and comprehensibility requirements for minors, including special rules for persons under sixteen and for sensitive data concerning older adolescents.

Cookies and analytics

The website loads Google Analytics 4 only after a visitor chooses “Allow analytics.” Before that choice, no Google Analytics tag is loaded and no analytics request is sent. OCO uses aggregated measurements to understand page use and improve the public website. OCO does not enable advertising features, Google Signals, ads personalization, or cross-site profiling.

The visitor’s choice is stored in that browser as an analytics preference. A visitor may decline analytics and continue using the full public website. The choice can be reviewed or changed from this section.

Cloudflare may use strictly necessary cookies or equivalent signals for security, traffic management, bot protection, or access control when those features are active. A protected development environment may require an authentication cookie. These infrastructure controls are not used by OCO for advertising or cross-site behavioral profiling.

Processors and recipients

Cloudflare, Inc. and its affiliates process website requests, delivery, security signals, Function execution, and the private service binding used by the contact channel. Google LLC and its affiliates process consented Google Analytics events and the Gmail transmission, routing, and mailbox storage used for valid inquiries. Authorized OCO personnel may access an inquiry only for the purposes stated in this notice.

OCO does not sell, rent, or disclose public-site personal information for targeted advertising. OCO may disclose minimum necessary information to a professional adviser, service provider, affected system owner, competent authority, court, or law-enforcement body when authorized, required by law, needed to protect rights or systems, or necessary to address an inquiry.

International processing

Cloudflare and Google operate distributed infrastructure, so website and inquiry information may be processed or stored outside Paraguay. The laws of a processing location may differ from Paraguayan law.

OCO limits transferred data to the service purpose and evaluates provider terms, access controls, and available contractual safeguards in proportion to risk. Before Law No. 7593/2025 becomes effective, OCO will review the applicable adequacy, contractual, consent, necessity, or other lawful transfer mechanism required for each continuing international transfer.

Retention and deletion

OCO retains a valid preliminary inquiry for no longer than 24 months after the last substantive communication when no engagement begins, unless a shorter period is appropriate or a legal claim, fraud review, security event, or binding obligation requires longer preservation.

If an engagement begins, relevant correspondence moves into the engagement record and follows the contract, accounting, tax, professional, evidence, and legal-retention schedule applicable to that work. Invalid or incomplete form payloads are not intentionally stored by OCO beyond transient processing, although infrastructure providers may retain security and operational logs under configured service periods.

When retention ends, OCO deletes or renders the information no longer reasonably identifiable, subject to backups, legal holds, and provider deletion cycles. OCO does not copy ordinary Cloudflare browsing logs into a separate visitor database. Consented Google Analytics data follows the retention settings configured for the OCO Ingenieria property.

Security and incidents

OCO uses technical and organizational measures proportionate to the public site's limited data flow. Current controls include encrypted transport provided by the hosting platform, a restrictive Content Security Policy, framing and content-type protections, limited browser permissions, server-side field validation, controlled provider credentials, and separation between the public site and future engagement systems.

No internet transmission or provider is risk-free. OCO assesses a suspected incident, limits access, preserves necessary evidence, coordinates with affected providers or owners, and gives any notice required by applicable law or contract. Once Law No. 7593/2025 is effective, its Article 17 requires notification to the control authority and, where applicable, the data subject within no more than 72 hours after awareness of a qualifying personal-data security incident.

Automated decisions and profiling

OCO does not use public-site information to make a solely automated decision that produces legal or similarly significant effects on a visitor. The contact endpoint performs validation and spam-oriented checks but does not approve a study, select a client, determine legal eligibility, or assign a regulatory status.

OCO does not create advertising or behavioral profiles from public-site visits. A future use of material automated decision-making requires a separate documented purpose, legal basis, explanation, review path, and applicable rights.

Privacy rights

A person may ask OCO whether it holds public-site information about them and may request access, correction, deletion, restriction or opposition, and a portable copy where technically and legally applicable. A person may withdraw consent for future processing when consent is the relevant ground; withdrawal does not invalidate earlier lawful processing.

OCO offers these request paths during the transition to Law No. 7593/2025. Once that law is effective, its statutory access, rectification, suppression, opposition, and portability rights, exceptions, and procedures apply according to their scope. The law sets a maximum response period of 30 calendar days, unless regulation establishes a shorter period.

Submitting a privacy request

Use the public contact form to request the privacy channel and choose “Other” as the inquiry type. State the right requested and the email used in the original inquiry, but do not attach identity documents or sensitive records to the first message.

OCO may request proportionate identity or authority verification before disclosing, changing, exporting, or deleting information. OCO may preserve information that must be retained by law, is needed for a legal claim, belongs to another person, or falls within another lawful exception, and will explain the applicable limit when permitted.

Complaints and authorities

A person may first raise a privacy concern with OCO through the request process. Constitutional habeas data remains available according to Paraguayan law. Where personal credit data is involved, Law No. 6534/2020 and the currently competent institutions apply.

Law No. 7593/2025 creates the National Personal Data Protection Agency and transfers specified credit-data functions from SEDECO when the new law enters into force. The future Agency must not be described as presently exercising powers before its legal effectiveness and implementation. General consumer complaints remain within SEDECO's authority according to consumer law.

Engagement-specific processing

A regulatory study or operating system may involve OCO as an independent controller, joint participant, processor, technical provider, or party with no authority over the source data. The written engagement must identify that role rather than relying on this public notice.

The engagement documentation must define the legal purpose, data categories, source, data subjects, authority, recipients, international transfers, professional and official roles, security controls, incident duties, retention, deletion, audit rights, subcontractors, return of data, and exit process. Public or immutable verification layers must not receive raw personal or confidential data unless the exact lawful design expressly requires it.

Notice changes

OCO will update this notice before materially changing the public site's data categories, purposes, providers, automated decisions, or transfer model. The effective date and version identify the current notice.

A changed public notice does not replace a signed data-processing agreement or engagement-specific notice. Material changes to those documents follow their stated amendment process.

Official legal sources

These links are provided for verification and lead to official Spanish-language sources. The official published text, competent authority, and binding decision control. The list identifies the principal sources relevant to this public notice; it is not a complete legal inventory for a particular engagement.

  1. Constitution of the Republic of Paraguay — Articles 33 and 135Privacy, private life, and habeas data.
  2. Law No. 6534/2020 — Personal Credit Data ProtectionCurrent specialized rules for personal credit data.
  3. Law No. 7593/2025 — Personal Data ProtectionComprehensive personal-data framework; effective 24 months after official publication.
  4. MITIC — Scope and transition for Law No. 7593/2025Official transition notice stating that the law is expected to take effect in late 2027.
  5. Law No. 4974/2013 — SEDECONational consumer-protection authority and complaint powers.
OCO © 2026 OCO Ingenieria EAS Unipersonal. All rights reserved.
GovernanceLegalTermsPrivacySecurityLet's talk

OCO validations are not official approvals. The competent authority or legally authorized professional remains the authoritative source.

Analytics preferences

Choose whether OCO may measure website use.

Google Analytics is loaded only after consent. OCO uses aggregated measurements to improve the public website and does not enable advertising, Google Signals, or cross-site profiling. Read the privacy notice.