BICSA Group Privacy Notice

This Privacy Notice applies to all the companies of the BICSA Group, namely:

  1. BANCO INTERNACIONAL DE COSTA RICA, S.A. (“BICSA”); and
  2. Its subsidiaries (each, a “Subsidiary”, and collectively referred to as “Subsidiaries”):
    • BICSA Factoring, S. A.; and
    • BICSA Capital, S. A.

For BICSA and its Subsidiaries (hereinafter collectively referred to as the “BICSA Group” or “we” or “us”), the protection of your personal data is extremely important. We are committed to ensuring the protection and security of the personal data (as detailed in this document) that our customers and suppliers entrust to us or that we obtain in the course of our business engagement.

In this Privacy Notice, the term “personal data” refers to information about our customers that allows us to identify them (including their financial information), and that we obtain in connection with the banking products and services we provide to them or, in the case of our suppliers, the products and services they provide to us. For the purposes of this Privacy Notice, personal data will not be considered to be data obtained from public sources of information, nor anonymized information, for historical, statistical or scientific purposes.

Among the banking products and services that we provide directly to our clients are the following:

  • Deposit accounts
  • Loans
  • Credit Cards
  • Economic, financial or investment advice
  • Electronic Banking (including Mobile Banking and Internet Banking)

This Privacy Notice also applies to personal data received from applicants who apply for job vacancies with us, as described below.

This Privacy Notice is governed by Law 81 of 2019, Executive Decree 285 of 2021, its eventual amendments and related Banking Agreements, including without limitation, Agreement 001-2022 of the Superintendency of Banks of Panama, and collectively referred to as the “Personal Data Protection Regime”.

Depending on the nature of the product, service, communication or other activity for which your personal data is being processed in each case, the Controller of the processing of your personal data will be, independently and acting on its own account, the BICSA Group entity with which you have a relationship, namely:

  • BICSA Factoring, S. A.; and
  • BICSA Capital, S. A.

All with registered offices at BICSA Financial Center Building, 50th Floor, Aquilino de La Guardia Street and Balboa Avenue, Panama City, Republic of Panama.

We obtain data about you from the following sources:

Source Examples
Information we receive from you on applications and other forms. Contact details, demographic data and details of income and financial situation, among others.
Information about transactions made with us. Details of source and destination accounts, amounts, date and time of the transaction, authorized signatures, among others.
Information about your transactions with nonaffiliated third parties. Details of source and destination accounts, amounts, date and time of the transaction, authorized signatures, among others.
Information from public institutions and credit reporting, due diligence and tax agencies such as APC, Tribunal Electoral and Equifax, among others. Credit and criminal history, immigration and employment status, among others.
Information about your use of Electronic Banking. User-id, e-mail address, IP address, browser identifiers, device and session (date/time/duration), location, biometric data for multifactor authentication.
Information to apply for job openings at BICSA Group. Contact data, demographic data, resume, educational, professional and criminal history, personal and professional references, among others.

On our website we use the technology called “cookies” to improve the experience of our users. When you access the BICSA Group’s website, you will be presented with a small box that allows you to choose the cookies you wish to accept, from those that are strictly necessary to those that are optional. The following is a description of the cookies used on our website:

Strictly necessary:

Cookie Name Provider Type Purpose Description Expiry
_grecaptcha Bicsa.com HTML This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website. Persistente
_GRECAPTCHA Google.com HTTP This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website. 179 days
ARRAffinity Bicsa.com HTTP Used to distribute traffic to the website on several servers in order to optimize response times. Session
ARRAffinitySam
eSite
Bicsa.com HTTP Used to distribute traffic to the website on several servers in order to optimize response times. Session
incap_ses_# Bicsa.com HTTP Preserves users states across page requests. Session
nlbi_# Bicsa.com HTTP Used to ensure website security and fraud detection. Session
rc::a Google.com HTML This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website. Persistent
rc::b Google.com HTML This cookie is used to distinguish between humans and bots. Session
rc::c Google.com HTML This cookie is used to distinguish between humans and bots. Session
rc::d-15# Google.com HTML This cookie is used to distinguish between humans and bots. Persistent
visid_incap_# Bicsa.com HTTP Preserves users states across page requests. 1 year
_ga Bicsa.com HTTP Registers a unique ID that is used to generate statistical data on how the visitor uses the website. 2 year
_gat Bicsa.com HTTP Used by Google Analytics to throttle request rate. 1 day
_gid Bicsa.com HTTP Registers a unique ID that is used to generate statistical data on how the visitor uses the website. 1 day

Optional:

Cookie Name Provider Type Purpose Description Expiry
___utmvc Bicsa.com HTTP Collects information on user behaviour on multiple websites. This information is used in order to optimize the relevance of advertisement on the website. 1 day

Through the means that we have enabled for these purposes, you may grant your consent to be contacted by email, SMS, or any other equivalent means of electronic communication, to send you marketing and/or advertising communications.

However, if at any given time you no longer wish to receive communications of this nature, you may revoke your consent by exercising your ARCO Rights (as defined below), according to the procedure indicated in the “How can you exercise your ARCO Rights?” section of this Privacy Notice.

Once you have unsubscribed from marketing communications, we may continue to send you operational and transactional communications, such as, for example, related to customer service, fraud detection and prevention, and related to activities on the products and services you maintain with us.

The personal data collected is used to provide you with our products and services. This includes pre- and ongoing due diligence, fraud detection and prevention, identity verification, transaction and transaction processing, customer service, product and service related surveys, collection, analysis and research, improving our products and services, and sending operational and transactional communications.

To the extent that you have given us your express consent to do so, we will also use your personal data to send you marketing and/or advertising communications.

Additionally, if you apply for job vacancies with us, we will use your personal data to communicate with you, verify your eligibility for the vacancy applied for and, if hired, to prepare your employee file. The personal data contained in the resumes of applicants who are not hired will remain for future job vacancies with us, unless you request the cessation of our processing of your personal data for that purpose, by exercising your ARCO Rights (as defined below), according to the procedure indicated in the How can you exercise your ARCO Rights? section of this Privacy Notice.

The BICSA Group does not use any type of automated decision-making mechanism with your personal data. Your personal data is processed directly by our staff and authorized representatives. Should you have any questions in this regard, please do not hesitate to contact our Data Protection Officer at seguridadyprivacidad@bicsa.com.

The BICSA Group does not carry out any kind of extra-border transfer of your personal data. Should you have any questions in this respect, please do not hesitate to contact our Data Protection Officer at seguridadyprivacidad@bicsa.com.

We limit access to your personal data and confidential information to those employees, subsidiaries, affiliates and suppliers who require the information to provide our products and services. We will not disclose any personal data or confidential information about you without your consent or as permitted by law.

We maintain the administrative, organizational and technical controls established by law and industry standards for the protection of personal data, and we also contractually require our suppliers to do so. Specifically, we implement the following information security measures:

  • Comprehensive security monitoring system for the Bank’s entire technological platform and applications (SIEM), in which all events are analyzed and correlated to see attack patterns. This also includes analysis of all the Bank’s workstations and servers for artificial intelligence detection of cyber attacks.
  • Intrusion detection systems
  • Detection service for malicious websites similar to BICSA.COM.
  • Distributed Denial of Service (DDoS) attack detection tool.

For further information, please contact our Data Protection Officer at seguridadyprivacidad@bicsa.com.

Depending on the product or service you maintain with us, the retention period of your data may vary. Unless otherwise provided by law, we will retain your personal data for a period of fifteen (15) years after the end of the business relationship.

In the case of personal data of un-recruited job applicants, we will retain your personal data for a period of seven (7) years after receipt of the last job application.

Rigth Content
Access Consultation of personal data included in our files.
Rectification Modification of your personal data when it is inaccurate.
Cancellation Request that we delete your personal data.
Opposition Request that your personal data not be processed.
Portability Obtain a copy of your personal data.

You may exercise your ARCO Rights by visiting any BICSA branch office, writing to our Data Protection Officer at the address or mailbox servicioalcliente@bicsa.com, and completing the ARCO Rights Request Form. Remember to attach your request with a copy of your identity document. We will respond to your request within five (5) to ten (10) business days with the next steps or if we require any additional information or documentation.

Likewise, you may file a claim to the Superintendency of Banks of Panama, in case you are not satisfied with the attention provided by us regarding your request to exercise your ARCO Rights, within thirty (30) calendar days, counted from the date of our formal response.

Please note that, in cases where you have provided us with your personal data for the procurement of banking products and services, the exercise of your ARCO Rights may affect our ability to provide you with such products and services. In such a case, we will inform you of the possible impact of exercising your ARCO Rights, in order to allow you to make an informed decision before proceeding.

We update our Privacy Policy annually, or more frequently if there is a legal requirement or organizational change that warrants it.

Last update: September 1, 2023.