Privacy Policy.

1. Who we are

Business Design LLC (“Business Design”, “we”, “us”) is a brand & systems firm registered in Puerto Rico, USA. Founder and operating principal: Rubén Cepeda. We operate the website businessdesignpr.com, the lead-management platform ok200leads.com, and the client portal at clientes.businessdesignpr.com. This policy covers the businessdesignpr.com properties and the social automation app described in Section 5. ok200leads has its own privacy policy at ok200leads.com/privacy.

2. Data we collect

From site visitors

• IP address, user agent, referrer, page paths visited (standard web-server logs and basic analytics).
• Device language, screen size, and time zone for content rendering.
• If you accept cookies, a session identifier so we can remember your theme preference and form state.

From people who fill out our forms

• Name, business name, email, phone (WhatsApp), area of practice, anything you choose to write in a message field.
• Form submissions flow to our internal lead-management platform (ok200leads). They are seen by Rubén Cepeda and any authorized team member.

From clients in an active engagement

• Contract data: legal entity, billing contact, signature.
• Operational data the client shares for the engagement (existing brand assets, client lists if relevant, social account access for content automation).
• Communications: emails, WhatsApp messages, meeting notes.

3. How we use it

• To respond to inquiries and propose engagements.
• To deliver the contracted service (brand work, system build, content publishing).
• To improve the website and our products.
• To send service emails (invoices, contract updates) — not marketing emails, unless you opt in.
• To comply with legal obligations (tax records, contracts).

We do not sell personal data. We do not share data with third parties for their marketing.

4. Cookies

The site uses a minimal set of first-party cookies (theme preference, session). We do not currently load third-party advertising trackers. Browser-level “Do Not Track” signals are honored where applicable.

5. Third-party services we integrate with

We share the minimum data necessary with these processors. Each is contractually bound or governed by its own published terms.

• Meta Platforms (Facebook, Instagram). Our Meta app publishes posts authored by our team to our own Facebook Page and Instagram Business account (facebook.com/businessdesignpr, @businessdesign.pr). The app reads only metadata about our own pages (account name, page id, post performance for our own posts) and writes content we authored. The app does not read user DMs at scale, scrape follower lists, or message other users. Tokens are stored encrypted at rest.
• LinkedIn. Our LinkedIn app publishes posts authored by our team to the Business Design Company Page. Scope requested: w_organization_social, r_organization_admin, openid, profile. The app does not read connection lists or message LinkedIn members.
• WhatsApp Business (Meta Cloud API). Used for direct client and prospect communication initiated by a click-to-chat link on our pages. Messages are stored in our CRM (ok200leads). Senders consent to communication by initiating the conversation.
• ok200leads (operated by us). Our own CRM. Lead and client records live here. Data residency: US (Supabase Postgres, AWS us-east-1). Encryption at rest and in transit.
• Resend. Transactional email delivery for invoices, contracts, system notifications.
• Stripe. Payment processing for clients on retainer. We never see full card numbers — Stripe does. We see the last 4 digits and the brand.
• Hostinger / GoDaddy. Web hosting and DNS for businessdesignpr.com. Standard server logs.
• Vercel. Hosting for ok200leads and the client portal. Standard request logs.
• Anthropic (Claude API), OpenAI. The content automation pipeline uses these for copy generation. Public-facing post copy and our pillar definitions are sent for inference; lead PII and client confidential material are not.

6. Data retention

• Web-server logs: 90 days.
• Form submissions that do not convert: 24 months, then deleted on request or auto-archived.
• Active client records: retained for the duration of the engagement plus 7 years (US tax-record requirement).
• Social posts published by our automation pipeline: retained indefinitely as they are part of our public brand record.

7. Your rights

You may, at any time, request:

• A copy of the personal data we hold about you.
• Correction of inaccurate data.
• Deletion of your data, subject to our retention obligations (Section 6).
• Withdrawal of consent for marketing communication (if you ever opted in).
• Portability — we will export your data in CSV or JSON within 30 days.

Send the request to ruben@businessdesignpr.com. We will reply within 30 days. Residents of California, the EU, and the UK have additional rights under CCPA / GDPR / UK-GDPR; we honor those equivalently regardless of jurisdiction.

8. Security

Our internal platforms (ok200leads, client portal) use Supabase Auth with hashed passwords, Row-Level Security on the database, AES-256 encryption at rest for sensitive tokens (AI keys, social account tokens), and TLS in transit. We restrict access to authorized team members only. Despite reasonable measures, no service is impervious — if a breach affects your data we will notify you in line with applicable law.

9. Children

Our services are not directed to people under 18. We do not knowingly collect personal data from children.

10. International transfers

Data is stored in the United States. If you contact us from outside the US, you consent to this transfer.

11. Changes to this policy

We update this policy when our practices or applicable law change. The “Effective” date at the top of this page reflects the most recent version. Material changes will be announced on our site at least 30 days before they take effect.

12. Contact

Business Design LLC
Founder & Data Controller: Rubén Cepeda
Email: ruben@businessdesignpr.com
WhatsApp: +1 (787) 218-4422
San Juan, Puerto Rico, USA