Payorana®

Comprehensive Privacy Notice

Last updated: February 2026

Identity and address of the data controller

Martín Francisco Pacheco Ochoa, a sole proprietor operating under the trade name Payorana (hereinafter "the Controller", "we", or "Payorana"), with address at Diamante 228, Fraccionamiento Joyas de Mocambo, C.P. 94298, Boca del Río, Veracruz, Mexico, is responsible for the processing of your personal data in accordance with the applicable data protection legislation in your jurisdiction, including but not limited to:

  • Mexico: Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)
  • Brazil: General Data Protection Law (LGPD, Law 13.709/2018)
  • Colombia: Law 1581 of 2012 (General Data Protection Regime)
  • Argentina: Law 25.326 on Personal Data Protection
  • Chile: Law 19.628 on the Protection of Private Life
  • Peru: Law 29733 on Personal Data Protection

This Privacy Policy applies to all Payorana users in Latin America.

Contact email: martin@heylellabs.com

1. Personal data we collect

1.1 Merchant data (Shopify user)

When you install Payorana on your Shopify store, we collect:

  • Store name and Shopify URL
  • Store owner's name and email address
  • Shopify API access token (granted during installation)
  • Shopify plan and store configuration
  • Billing information processed through Shopify Billing API

1.2 Order data

To provide our payment recovery service, we access:

  • Order number and unique identifier
  • Payment status (pending, paid, canceled)
  • Payment method used (OXXO, SPEI, Boleto Bancario, etc.)
  • Total order amount and currency
  • Payment reference or generated voucher
  • Order creation date and payment expiration date

1.3 End customer data

From your store's customers who have orders with pending payments, we collect:

  • Full name
  • Email address
  • Phone number (when available, for WhatsApp messaging)
  • Preferred language

1.4 Usage data

We collect anonymized data about application usage:

  • Message delivery metrics (sent, delivered, read)
  • Payment recovery rates
  • Pages visited within the dashboard
  • Actions performed in settings

Sensitive data: Payorana does not collect sensitive personal data (racial or ethnic origin, health status, religious beliefs, sexual preference, biometric data, among others).

2. Purposes of processing

2.1 Primary purposes (necessary for service delivery)

  • Sending reminders: Send WhatsApp messages and emails to customers with pending payments, including the payment reference, amount, and deadline.
  • Dashboard and metrics: Display recovery statistics, pending orders, and reminder performance to the merchant.
  • Automatic detection: Identify orders with pending payments and determine when a payment has been completed to stop reminders.
  • Customer support: Respond to inquiries and resolve technical issues.
  • Billing: Process service payments through the Shopify Billing API.

2.2 Secondary purposes (not required, consent needed)

  • Service improvement: Analyze anonymized usage patterns to improve reminder timing and service effectiveness.
  • Informational communications: Send notifications about updates, new features, or changes to the terms of service.

If you do not wish for your personal data to be processed for secondary purposes, you may notify us at martin@heylellabs.com. Refusal will not affect service delivery.

3. Use of WhatsApp Business API

Payorana uses the official WhatsApp Cloud API from Meta Platforms, Inc. for sending payment reminder messages. By using this service:

  • Messages are sent from Payorana's official WhatsApp Business account, through Meta's infrastructure, and are subject to WhatsApp's Privacy Policy.
  • Message data (recipient phone number, message content, delivery status) is processed by Meta on servers located in the United States and other countries.
  • Messages sent are exclusively transactional in nature (pending payment reminders) and not for advertising purposes.
  • End customers can opt out of receiving WhatsApp messages by replying "STOP" to the message received or by contacting the merchant directly.

Consent for WhatsApp messages (Opt-in/Opt-out)

The merchant is responsible for obtaining prior consent from their end customers to receive messages through WhatsApp, in accordance with Meta's policies and applicable legislation. End customers may revoke their consent at any time through the following mechanisms:

  • Replying "DETENER" or "STOP" to any WhatsApp message received.
  • Contacting the merchant directly.
  • Sending an email to martin@heylellabs.com.

4. Third-party services and data transfers

Payorana shares personal data with the following third parties, exclusively for service delivery:

Third PartyPurposeData SharedLocation
Meta Platforms (WhatsApp Cloud API)Sending WhatsApp messagesPhone number, message contentUnited States
ResendSending emailsEmail, message contentUnited States
Shopify Inc.E-commerce platformStore data, orders, billingCanada / United States

We do not sell, rent, or share personal data with third parties for marketing or advertising purposes.

5. International data transfers

Your personal data may be transferred to and processed on servers located in the United States, Canada, and the European Union by the service providers mentioned in the previous section. These transfers are carried out in accordance with the applicable legislation in your jurisdiction:

  • Mexico: In accordance with Article 37 of the LFPDPPP, being necessary for the fulfillment of the contractual relationship.
  • Brazil: In accordance with Article 33 of the LGPD, under the data subject's consent and the need for contractual execution.
  • Colombia: In accordance with Law 1581 of 2012, with the data subject's authorization.
  • Other countries: In accordance with applicable local data protection legislation.

6. Data storage and security

6.1 Security measures

We implement administrative, technical, and physical security measures to protect your data:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Restricted access through secure credentials and private networks
  • Shopify access tokens stored in encrypted form
  • Continuous security monitoring and access logs
  • Automatic encrypted backups
  • Principle of least privilege for data access

6.2 Data retention

We retain personal data while the Payorana account is active. Individual order data is automatically deleted 90 days after the order is completed or canceled. When Payorana is uninstalled, we delete all data within 30 days.

7. Your rights over your personal data

Depending on your country of residence, you have the following rights over your personal data:

  • Access: Know what personal data we hold about you and the conditions of its processing.
  • Rectification: Request the correction of inaccurate or incomplete personal data.
  • Cancellation / Deletion: Request the deletion of your personal data.
  • Opposition: Object to the processing of your personal data for specific purposes.
  • Portability: Request a copy of your data in a structured and commonly used format (applicable under Brazil's LGPD and legislation that provides for it).
  • Revocation of consent: Withdraw your consent at any time without affecting the lawfulness of prior processing.

Rights by jurisdiction

  • Mexico (LFPDPPP): ARCO Rights (Access, Rectification, Cancellation, and Opposition). Response period: 20 business days. Authority: INAI (www.inai.org.mx).
  • Brazil (LGPD): Confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, revocation of consent. Response period: 15 days. Authority: ANPD (www.gov.br/anpd).
  • Colombia (Law 1581): Know, update, rectify, request proof of authorization, revoke authorization, file complaints with the SIC. Authority: SIC (www.sic.gov.co).
  • Argentina (Law 25.326): Access, rectification, deletion, confidentiality. Response period: 10 days. Authority: AAIP.
  • Chile (Law 19.628): Access, modification, deletion, blocking. Response period: 2 business days.
  • Peru (Law 29733): Access, rectification, cancellation, opposition. Response period: 8 business days. Authority: ANPD Peru.

Procedure to exercise your rights

To exercise any of these rights, send a request to martin@heylellabs.com with the following information:

  1. Full name of the data subject
  2. Country of residence
  3. Clear description of the right you wish to exercise and the personal data involved
  4. Document proving your identity (copy of official identification)
  5. Email address to receive the response

We will respond to your request within the period established by the legislation of your country of residence. If you do not receive a satisfactory response, you may contact the competent data protection authority in your jurisdiction.

8. Revocation of consent

You may revoke the consent granted for the processing of your personal data at any time by sending a request to martin@heylellabs.com. Please note that in certain cases we may not be able to fulfill your request immediately if the data is necessary for the fulfillment of legal or contractual obligations. Revocation will not affect the lawfulness of processing carried out prior to the revocation.

9. Rights of end customers

End customers of stores using Payorana may exercise their rights by contacting the merchant (store owner) directly or the Controller at martin@heylellabs.com. Customers may request:

  • To stop receiving payment reminders (opt-out)
  • To access stored personal data
  • To request deletion of their data

10. Shopify compliance

Payorana complies with Shopify's data privacy requirements for apps:

  • Responding to customer data erasure requests (Customer Data Erasure)
  • Responding to customer data requests (Customer Data Request)
  • Deleting store data upon app uninstallation (Shop Data Erasure)

11. Cookies and tracking technologies

The Payorana dashboard uses strictly necessary cookies for session functionality. We do not use tracking, advertising, or third-party analytics cookies. Our website (payorana.com) may use anonymized analytics cookies. You can disable cookies in your browser settings.

12. Minors

Payorana is not intended for individuals under 18 years of age. We do not intentionally collect information from minors. If we discover that we have collected data from a minor, we will delete it immediately.

13. Changes to this privacy notice

We reserve the right to make modifications or updates to this Privacy Notice. Changes will be made available at payorana.com/legal/privacidad/ and will be notified to the registered email address in the event of substantial changes.

14. Contact

For any questions or requests related to this Privacy Notice:

  • Controller: Martín Francisco Pacheco Ochoa
  • Trade name: Payorana
  • Email: martin@heylellabs.com
  • Address: Diamante 228, Fraccionamiento Joyas de Mocambo, C.P. 94298, Boca del Río, Veracruz, Mexico
  • Website: payorana.com