Security
Khipu's privacy policies
Taking care of user data is the most important thing.
Khipu is an electronic payment platform that requires the use of personal data to function. At Khipu, we care about protecting the data of our users, preventing third parties from using it for purposes other than those for which it was provided.
The most important thing you should know about Khipu's privacy policies is that we consider our users' bank passwords to be the most sensitive data that our platform interacts with.
For this reason, we have designed the system so that users can enter their bank passwords exclusively in Khipu applications, and that these travel through channels that meet or exceed the security standards of the banking industry. This is thanks to the use of double encryption, HSTS, and the best practices recommended by the PCI standard.
Khipu does not store on its servers the bank access passwords of its clients.
Our policies
Scope of the Khipu platform
The Khipu platform includes web pages, databases on servers, applications that run on servers managed by Khipu or on the mobile devices of users.
This privacy policy governs the behavior of human personnel and Khipu applications in all contexts controlled by the company.
Khipu users
Khipu users are the people or systems that use the platform to pay, collect, and manage their information in Khipu.
This privacy policy is valid for all types of Khipu users.
Khipu Servers
To provide the Khipu service, hardware components leased from IBM Cloud are used, a world-class company that provides the data center, servers, firewalls, and other hardware components. These servers are managed by Khipu personnel, and IBM Cloud personnel do not have access keys.
Additionally, some subsystems are leased as a service to other companies, including SMTP to Amazon, file storage to Amazon, ticketing systems to Zendesk, and Google Analytics.
On the other hand, Khipu uses services from other providers for source and compiled code management, which are not detailed in this document as they do not receive Khipu user data.
When it mentions “Khipu's servers,” it refers to all servers and services indicated in this section.
Collected data
Khipu collects data from its users in the following ways:
When paying: To pay, users use a Khipu payment terminal, which is a web browser accessed through a mobile application or the merchant's website. When paying, the user must enter their bank authentication credentials and frequently additional validation data, such as dynamic keys printed on cards, dynamic keys displayed by devices provided by the bank, mobile applications called "Soft tokens" or messages sent by the bank via email or SMS, among others. If the payment terminal is installed in the user's mobile application, the users' keys are sent directly to the bank's server, without passing through Khipu's servers. If the terminal is on the merchant's website, the keys are transmitted to Khipu's microservice with double encryption, over secure communication channels TLS 1.3, and these are not stored on persistent media. In any case, Khipu does not store users' keys on its servers. When paying, the Khipu payment terminal sends the necessary data to Khipu's servers to identify the payment corresponding to the generated transfer, including the checking account used to perform the transfer. Browsing data on the bank's portal is also sent to allow analysis aimed at improving the user experience during payment, such as page name or time spent. A subset of this information is sent to Google Analytics services, which facilitates analysis by the Khipu team on what is happening with the use of the system. Exceptionally, the Khipu payment terminal may encounter a bank page for which it cannot make an action decision to automate the transfer. In this case, the encountered page is sent to Khipu's servers to be analyzed so that the system can be reconfigured to behave appropriately on that page. Once the page has been used to reconfigure the system, it is stored on Khipu's servers, without identifying the account holder or payment data that generated its sending to the servers. Pages stored under these conditions are used to perform automatic quality control of all new versions of Khipu and are not shared with third parties. Payment data is used to verify the receipt of the corresponding funds at Khipu and to present reports to the same users who pay or collect using Khipu.
When collecting: Before they can collect with Khipu, individuals or companies must create a record that identifies them and make a payment to verify the data of the collection account. Part of the data entered during registration in the system and the name registered by the bank for the individual or company that made the verification payment is used by Khipu to show payers the data of the individual or company to whom the collected funds will be delivered. The data entered during registration in Khipu, including an optional photo and the collector's contract, is stored by Khipu on its servers. In the case where the Khipu payment terminal is in the merchant's mobile application, the system allows the user to request to store some of their authentication credentials with their bank. This option results in the encrypted storage of such passwords on the user's own device, not on Khipu servers.
Browsing without logging into the Khipu portal or mobile applications: Both the Khipu portal and its mobile applications offer information and some basic functionalities that are available to users who have not logged in and therefore have not identified themselves in the system. In this case, the system uses cookies to enhance the user experience and to update browsing statistics. For example, the system remembers the payment bank and email for payment receipts so that the user does not have to re-enter them when paying on the same device.
Browsing with a connection: In the case of users logged into the Khipu web portal or mobile applications, in addition to the cookies used, the data entered by users in forms is stored.
Connection using Google or Facebook: To connect to the Khipu web portal and mobile applications, users can create authentication credentials in Khipu, or use their Facebook or Google credentials in a one-click sign-on mode, a system known as SSO for the acronym of Single Sign On in English. In this case, the user must allow Khipu to access some of their data in Google or Facebook. Khipu will obtain from these systems the email, name, and profile picture and will store this data on Khipu's servers. Khipu will not post on Facebook on behalf of the user. The user can request at any time to disable this data by entering the Support and Suggestions section available at the bottom of all pages on the Khipu web portal, filling out the form available in the "Submit a request" option.
Use of information
Khipu will use the information collected to fulfill the action directly executed by the user, such as making a payment or requesting a payment.
In the case of payments, this data will be emailed to the payer and optionally to the accounts that the collector has configured in Khipu.
The data collected will be safeguarded by Khipu so that both payer and collector can later consult reports of their own activity in the system.
This data will also be used by Khipu staff to provide support.
Additionally, the system generates indicators and other statistics.
Disclosure of personal data
Khipu does not disclose the personal data of its users. It does not provide it to third parties, except for those that are strictly necessary to fulfill the committed service, such as bank credentials, which are delivered to the bank, and the data from payment receipts, which pass through the email server whose services are managed by Amazon.
Khipu may disclose usage statistics of the system without compromising the confidentiality of its users' data.
Upon an order from a competent court, Khipu will deliver the requested data to that court and will notify the affected users via email about such fact.