How Fortu collects, uses, stores and protects your personal data. The official version is in Spanish — please read carefully before using the app.
Welcome to Fortu (including its subdomains, content, brands, mobile applications, technological tools, and associated services). Fortu is a brand of FORTU S.A.S., a company legally incorporated in Colombia, identified with NIT 901932643-3 and principal domicile in Bogotá D.C.
This Privacy Policy, together with the Terms and Conditions, the Cookie Policy, the Privacy Notice, and other complementary documents published by Fortu, establishes the conditions under which FORTU S.A.S. collects, stores, uses, transmits, transfers, updates, analyzes, circulates, protects, and deletes the personal data of users, customers, visitors, suppliers, partners, contractors, and other information data subjects.
This Policy has been prepared in accordance with the Political Constitution of Colombia, Statutory Law 1581 of 2012, Law 1266 of 2008, Decree 1377 of 2013, Decree 1074 of 2015, the Single Circular of the Superintendence of Industry and Commerce, as well as other rules that amend, supplement, or replace such provisions.
Fortu recognizes the importance of privacy, confidentiality, information security, and the constitutional right to habeas data. For this reason, it implements technical, administrative, human, and legal measures aimed at guaranteeing the comprehensive protection of the personal data processed through the platform.
By registering, accessing, browsing, or using any of Fortu's services, the data subject declares to have previously, expressly, and in an informed manner read, understood, and accepted this Privacy Policy.
If the data subject does not agree with the provisions established herein, they must refrain from using the services, registering on the platform, or providing any personal data.
This Policy may be modified, updated, or adjusted by Fortu at any time to adapt to legal, regulatory, technological, operational, or commercial changes. Substantial modifications will be reported in a timely manner through the application, email, notifications, or any suitable channel.
The Privacy Policy is published in Spanish and may be translated into other languages for informational purposes only. In the event of a discrepancy between versions, the Spanish version shall prevail.
The data controller responsible for the processing of personal data is:
Fortu may designate national or international data processors to carry out certain activities related to the processing of personal data, under contracts that guarantee compliance with Colombian legislation.
For purposes of interpretation and application of this Policy, the following definitions are adopted:
“Personal data”: any information linked or associated with a specific or identifiable natural person.
“Sensitive data”: information that affects the privacy of the data subject or whose improper use could generate discrimination, including biometric data, political orientation, religious convictions, ethnic origin, health information, or sexual life.
“Data Subject”: natural person whose personal data is subject to processing.
“Processing”: any operation performed on personal data, including collection, storage, use, circulation, deletion, updating, transmission, or transfer.
“Data Controller”: legal person who decides on the database and/or the processing of the data.
“Data Processor”: natural or legal person who carries out the processing of data on behalf of the controller.
“Authorization”: prior, express, and informed consent granted by the data subject for the processing of their personal data.
“Transfer”: sending of personal data to another controller located within or outside Colombian territory.
“Transmission”: processing of data carried out by a processor on behalf of the controller.
“Bre-B”: interoperable system of immediate payments and key registration administered by financial entities and/or enabled networks in Colombia.
This Policy applies to all personal information collected by Fortu through:
The Fortu mobile application.
Associated websites, landing pages, and digital forms.
Integrations with financial entities, payment gateways, and identity validation systems.
User service tools, chat, technical support, and electronic communications.
Promotional activities, commercial campaigns, surveys, and events.
Financial validation processes, fraud prevention, SARLAFT, and regulatory compliance.
This Policy applies to registered users, visitors, potential customers, suppliers, commercial partners, contractors, employees, and any third party who provides personal information to Fortu.
Fortu may collect and process the following categories of information:
Identification data:
Contact data:
Financial data:
Technical data:
Sensitive data:
Fortu does not directly store complete bank card information. Payments are processed by authorized providers that comply with PCI-DSS security standards and other applicable standards.
Personal data will be processed for the following purposes:
Register and authenticate users within the platform.
Validate identity and prevent fraud, impersonation, money laundering, and terrorist financing.
Execute mandate services, technological intermediation, and operational management requested by the user.
Manage payments, deposits, withdrawals, bank validations, and Bre-B key registrations.
Facilitate purchase, custody, collection, and deposit processes related to the services offered by Fortu.
Administer raffles, promotional services, loyalty campaigns, and commercial benefits.
Contact the user with operational, transactional, commercial, or promotional information.
Comply with legal, regulatory, and tax obligations and requirements from administrative or judicial authorities.
Perform statistical analysis, data analytics, and user experience improvements.
Manage requests, petitions, inquiries, complaints, claims, and disputes.
Detect suspicious activities, operational risks, or contractual breaches.
Guarantee the security of the platform and protect the legitimate interests of Fortu and its users.
The processing of personal data by Fortu requires the prior, express, and informed authorization of the data subject, except for the legal exceptions provided for under Colombian law.
The authorization may be obtained through:
The data subject declares that the information provided is truthful, complete, and up to date.
Fortu shall retain proof of the authorization granted by the data subject for the period required by law.
The data subject may revoke the authorization or request the deletion of their data when there is no legal or contractual duty requiring their retention.
The data subject of the personal data has the right to:
Know, update, and rectify their personal data.
Request proof of the authorization granted.
Be informed about the use given to their data.
Submit inquiries, requests, or complaints.
Request the deletion of their data when applicable.
Revoke the authorization granted.
Access their personal data free of charge.
Submit complaints to the Superintendence of Industry and Commerce (SIC).
The data subject may exercise their rights by submitting a request through Fortu’s official support channels.
The request must include:
Inquiries shall be answered within ten (10) business days following their receipt.
Complaints shall be answered within fifteen (15) business days following their receipt, extendable in accordance with the law.
When Fortu is not competent to resolve the request, it shall inform the data subject and forward the request to the appropriate party when possible.
Fortu adopts reasonable physical, technical, administrative, and legal security measures to protect personal data.
The measures implemented include:
Despite the measures implemented, the data subject acknowledges that no system is completely invulnerable and that there are inherent risks associated with the use of digital technologies and communication networks.
Fortu may transmit or transfer personal data to third-party partners, technology providers, financial institutions, payment operators, identity validation providers, and competent authorities.
Every transmission or transfer shall be carried out under contracts that guarantee adequate levels of data protection.
The data subject expressly authorizes the national and international transmission and transfer of their data when necessary for the proper provision of the services.
Fortu’s services are not directed at minors under eighteen (18) years of age.
Fortu does not deliberately collect personal data of minors.
If Fortu detects the unauthorized processing of minors’ data, it may suspend accounts, delete information, and adopt the corresponding measures.
Fortu may use cookies, SDKs, pixels, and similar technologies to:
The user may configure their device or browser to block certain cookies; however, some functionalities could be affected.
Personal data will be retained for the time necessary to fulfill the purposes described in this Policy and the applicable legal obligations.
Fortu may retain information even after the contractual relationship has ended when there is a legal obligation, regulatory duty, legitimate interest, or evidentiary need.
Once the need for Processing has ended, the data may be deleted, anonymized, or blocked in a secure manner.
Fortu may implement monitoring, validation, transactional analysis, and document verification mechanisms to prevent fraud, identity theft, money laundering, terrorist financing, and unlawful activities.
The user expressly authorizes Fortu to validate information against financial operators, credit bureaus, restrictive lists, technology providers, and public or private databases legally enabled for such purpose.
Fortu may temporarily suspend operations, withdrawals, access, or accounts when there are signs of risk, inconsistencies, or suspicious activities.
Fortu will make reasonable efforts to protect the personal information processed within the platform.
Notwithstanding the foregoing, the user acknowledges that:
Fortu will not be liable for unauthorized access resulting from:
This Policy enters into force as of its publication.
Fortu may modify it at any time. Substantial modifications will be communicated through the available official channels.
Continued use of the platform after the publication of changes will constitute acceptance of the updated version.
This Privacy Policy is governed by the laws of the Republic of Colombia.
Any dispute related to the Processing of personal data will be heard by the competent authorities of Colombia, especially the Superintendence of Industry and Commerce (SIC), without prejudice to other authorities that may have jurisdiction under the law.
Check the FAQs to clear up your questions before continuing.