BICSA Group Privacy Notice
This Privacy Notice applies to all the companies of the BICSA Group, namely:
- BANCO INTERNACIONAL DE COSTA RICA, S.A. (“BICSA”); and
- Its subsidiaries (each, a “Subsidiary”, and collectively referred to as “Subsidiaries”):
- BICSA Factoring, S. A.; and
- BICSA Capital, S. A.
For BICSA and its Subsidiaries (hereinafter collectively referred to as the “BICSA Group” or “we”), the protection of your personal data is extremely important. We are committed to safeguarding the protection and security of the personal data (as detailed in this document) that our clients, suppliers, and job applicants entrust to us or that we obtain during the course of our business or recruitment relationship.
In this Privacy Notice, the term “personal data” refers to information about our (a) clients that allows their identification (including their financial information) and that we obtain in connection with the banking products and services we provide to them; (b) suppliers, which we obtain in relation to the products and services they offer us; and (c) job applicants, in connection with their applications for such positions. For the purposes of this Privacy Notice, personal data does not include information obtained from public sources or anonymized data for historical, statistical, or scientific purposes.
Among the banking products and services that we provide directly to our clients are the following:
- Deposit accounts
- Loans
- Credit Cards
- Economic, financial or investment advice
- Electronic Banking (including Mobile Banking and Internet Banking)
- Investment Accounts
- Financial Leasing of Movable Property
- Factoring
BICSA Group reserves the right to modify and/or expand its product and service offerings; therefore, this list may be updated in future revisions of this Privacy Notice.
What regulations govern this Privacy Notice?
This Privacy Notice is governed by Law 81 of 2019, Executive Decree 285 of 2021, its eventual amendments and related Banking Agreements, including without limitation, Agreement 001-2022 of the Superintendency of Banks of Panama, and collectively referred to as the “Personal Data Protection Regime”. Additionally, the biometric validation process for activating the electronic banking access token is governed by SBP Agreement 005-2021.
Who is the Responsible for the processing of your personal data?
Depending on the nature of the product, service, communication or other activity for which your personal data is being processed in each case, the Controller of the processing of your personal data will be, independently and acting on its own account, the BICSA Group entity with which you have a relationship, namely:
- BANCO INTERNACIONAL DE COSTA RICA, S.A. (“BICSA”); and
- Its subsidiaries (each, a “Subsidiary,” and collectively referred to as “Subsidiaries”):
- BICSA Factoring, S. A.; and
- BICSA Capital, S. A.
All with registered offices at BICSA Financial Center Building, 50th Floor, Aquilino de La Guardia Street and Balboa Avenue, Panama City, Republic of Panama.
What personal data do we collect?
We obtain data about you from the following sources:
| Source | Examples |
| Information we receive from you on applications and other forms. | Contact details, demographic data and details of income and financial situation, among others. |
| Information about transactions made with us. | Details of source and destination accounts, amounts, date and time of the transaction, authorized signatures, among others. |
| Information about your transactions with nonaffiliated third parties. | Details of source and destination accounts, amounts, date and time of the transaction, authorized signatures, among others. |
| Information from public institutions and credit reporting, due diligence and tax agencies such as APC, Tribunal Electoral and Equifax, among others. | Credit and criminal history, immigration and employment status, among others. |
| Information about your use of Electronic Banking and your visits to our websites | User-id, e-mail address, IP address, browser identifiers, device and session (date/time/duration), location, biometric data for multifactor authentication (with prior consent). |
| Information to apply for job openings at BICSA Group. | Contact data, demographic data, resume, educational, professional and criminal history, personal and professional references, among others. |
Does BICSA use cookies on this website?
On our website we use the technology called “cookies” to improve the experience of our users. When you access the BICSA Group’s website, you will be presented with a small box that allows you to choose the cookies you wish to accept, from those that are strictly necessary to those that are optional. The following is a description of the cookies used on our website:
Strictly necessary:
| BICSA .com |
BICSA Factoring .com |
BICSA Capital .com |
Cookie Name | Provider | Type | Purpose Description | Expiry |
| X | _GRECAPTCHA | Google.com | HTML | Google reCAPTCHA necessary cookie for risk analysis | 179 days | ||
| X | x-ms-routing-name | Microsoft Azure | HTTP | It is used to ensure that the user’s session remains on the same server. | 1 hour | ||
| X | X | X | ARRAffinity | Own | HTTP | Allows load balancing by ensuring that the user is directed to the same server. | Session |
| X | X | X | ARRAffinity SameSite |
Own | HTTP | Ensures that the user’s requests are handled by the same server in Microsoft Azure. | Session |
| X | X | X | ARRAffinity SameSite |
s11wa004- qa.azurewebsites.net |
HTTP | Ensures that the user’s requests are handled by the same server in Microsoft Azure. | Session |
| X | visid_incap _226911 |
Own | HTTP | Maintains the user’s states across all page requests. | 1 year | ||
| X | nlbi_226911 | Own | HTTP | It is used to ensure website security and fraud detection. | Session | ||
| X | incap_ses_ 1689_226911 |
Own | HTTP | Maintains the user’s states across all page requests. | Session |
Performance Cookies (Optional):
| BICSA .com |
BICSA Factoring .com |
BICSA Capital .com |
Name | Vendor | Type | Purpose | Duration |
| X | X | X | _gid | Own | HTTP | Used by Google Analytics to count visits and page views. | 1 day |
| X | X | X | _ga_6WS3KYTG3W | Google.com | HTTP | Google Analytics cookie to maintain session state. | 13 months |
| X | X | X | _ga | Google Analytics (Google) |
HTTP | Distinguishes unique users through anonymous identifiers. | 13 months |
| X | TPMix | Microsoft Azure (CDN) |
HTTP | Related to website diagnostics for stability and performance. | 1 hour |
Cookies de segmentación (Opcionales):
| BICSA .com |
BICSA Factoring .com |
BICSA Capital .com |
Name | Vendor | Type | Purpose | Duration |
| X | _gat_gtag_UA_ 100425381_1 |
Google Analytics (Google) | HTTP | Belongs to Google Analytics. Its function is to limit the amount of data sent in a short period of time to avoid overloading the systems. | 1 minute |
Will the BICSA Group send you marketing and/or advertising communications?
Through the means that we have enabled for these purposes, you may grant your consent to be contacted by email, SMS, or any other equivalent means of electronic communication, to send you marketing and/or advertising communications.
However, if at any given time you no longer wish to receive communications of this nature, you may revoke your consent by exercising your ARCO Rights (as defined below), according to the procedure indicated in the “How can you exercise your ARCO Rights?” section of this Privacy Notice.
Once you have unsubscribed from marketing communications, we may continue to send you operational and transactional communications, such as, for example, related to customer service, fraud detection and prevention, and related to activities on the products and services you maintain with us
What do we use your personal data for?
The personal data collected is used to provide you with our products and services. This includes pre- and ongoing due diligence, fraud detection and prevention, identity verification, transaction and transaction processing, customer service, product and service related surveys, collection, analysis and research, improving our products and services, and sending operational and transactional communications.
To the extent that you have given us your express consent to do so, we will also use your personal data to send you marketing and/or advertising communications.
Biometric data collected for the purpose of activating the Online Banking access token will be used solely for verifying your identity and for fulfilling our legal and contractual obligations. This biometric data will not be used for any other purpose.
Additionally, if you apply for job vacancies with us, we will use your personal data to communicate with you, verify your eligibility for the vacancy applied for and, if hired, to prepare your employee file. The personal data contained in the resumes of applicants who are not hired will remain for future job vacancies with us, unless you request the cessation of our processing of your personal data for that purpose, by exercising your ARCO Rights (as defined below), according to the procedure indicated in the How can you exercise your ARCO Rights? section of this Privacy Notice.
Do we use automated decision-making mechanisms with your personal data?
The BICSA Group does not use any type of automated decision-making mechanism with your personal data. Your personal data is processed directly by our staff and authorized representatives. Should you have any questions in this regard, please do not hesitate to contact our Data Protection Officer at seguridadyprivacidad@bicsa.com.
Do we transfer your personal data outside the Republic of Panama?
As part of the process of executing financial transactions (including, without limitation, SWIFT and SINPE transfers) requested by our clients, Grupo BICSA may need to carry out international transfers of personal data through interbank networks. In accordance with its personal data protection and security policies, Grupo BICSA limits itself to transferring only those personal data strictly necessary for the execution of such transfers. If you have any questions regarding this matter, please do not hesitate to contact our Data Protection Officer by writing to seguridadyprivacidad@bicsa.com.
With whom do we share your personal data and how do we protect it?
We limit access to your personal data and confidential information to those employees, subsidiaries, affiliates and suppliers who require the information to provide our products and services. We will not disclose any personal data or confidential information about you without your consent or as permitted by law.
We maintain the administrative, organizational and technical controls established by law and industry standards for the protection of personal data, and we also contractually require our suppliers to do so. Specifically, we implement the following information security measures:
- Comprehensive security monitoring system for the Bank’s entire technological platform and applications (SIEM), in which all events are analyzed and correlated to see attack patterns. This also includes analysis of all the Bank’s workstations and servers for artificial intelligence detection of cyber attacks.
- Intrusion detection systems
- Detection service for malicious websites like BICSA.COM.
- Distributed Denial of Service (DDoS) attack detection tool.
For further information, please contact our Data Protection Officer at seguridadyprivacidad@bicsa.com .
How long do we retain your personal data?
Depending on the product or service you maintain with us, the retention period of your data may vary. Unless otherwise provided by law, we will retain your personal data for a period of fifteen (15) years after the end of the business relationship.
In the case of personal data of un-recruited job applicants, we will retain your personal data for a period of seven (7) years after receipt of the last job application.
What are your rights when you provide us with your personal data?
Under the Personal Data Protection Regime, you have the following rights of access, rectification, cancellation, opposition and portability (collectively referred to as the “ARCO Rights”)
| Rigth | Content |
| Access | Consultation of personal data included in our files. |
| Rectification | Modification of your personal data when it is inaccurate. |
| Cancellation | Request that we delete your personal data. |
| Opposition | Request that your personal data not be processed. |
| Portability | Obtain a copy of your personal data. |
How can you exercise your right?
You may exercise your ARCO Rights by visiting any BICSA branch office, writing to our Data Protection Officer at the address or mailbox servicioalcliente@bicsa.com, and completing the ARCO Rights Request Form. Remember to attach your request with a copy of your identity document. We will respond to your request within five (5) to ten (10) business days with the next steps or if we require any additional information or documentation.
Likewise, you may file a claim to the Superintendency of Banks of Panama, in case you are not satisfied with the attention provided by us regarding your request to exercise your ARCO Rights, within thirty (30) calendar days, counted from the date of our formal response.
Please note that, in cases where you have provided us with your personal data for the procurement of banking products and services, the exercise of your ARCO Rights may affect our ability to provide you with such products and services. In such a case, we will inform you of the possible impact of exercising your ARCO Rights, in order to allow you to make an informed decision before proceeding.
How often do we update this Privacy Policy?
We update our Privacy Policy annually, or more frequently if there is a legal requirement or organizational change that warrants it.
Last update: July 24, 2025.
