Privacy Policy
Versão em português.
Date of publication: September, 30 2025
PRIVACY POLICY
This Privacy Policy describes how Banco Latinoamericano De Comercio exterior, S.A., New York Agency and Banco Americano de Comercio Exterior, S.A. (collectively, “BLADEX,” “we,” “our,” or “us”) collect, use, share, and protect Personally Identifiable Information (PII). This privacy Policy applies to PII collected by BLADEX in the context of our online commercial banking services. It governs the collection, use, and disclosure of information provided by individuals acting on behalf of our corporate clients, as well as general website visitors.
Controller
BLADEX, in its role of Controller, is committed to the protection of the PII and every information that may compromise the personal integrity and/or privacy of its customers representatives and with regulatory compliance in each of the jurisdictions where our organization has a presence.
PII Collected
The PII that Bladex collects and processes through your use of our Customer Care platform includes:
- Account information, (e.g. your username, selected password, and content preferences)
- Business contact information (e.g. first name, last name, identification information, telephone, email, mobile number, email address, mailing address, and any other information you choose to include when you communicate with us via email, mail, phone, or other channels.)
- Professional information (e.g.: company, job title and role within the organization you represent.)
- Transactional details (e.g., complaint or suggestion information).
- Call recording. Where local law and regulations require or permit Us to do so, we monitor or record your communications with Us, including telephone calls and emails. We will use these recordings to verify instructions to us and for other evidentiary purposes, to evaluate and improve Our services to You, and for training and quality purposes.
- We collect PII, device information and other data from individuals who use our Website, as well as our Customer Care platform, our Online Banking Platform and related digital financial services. In the event that you use our Digital Platforms, Bladex will request certain PII for the purpose of proper identification. We also collect information from individuals who visit the Site through the use of cookies and similar technology. (For more information, see our Cookie Policy).
- Video Surveillance. We use surveillance cameras in and around our facilities for crime prevention and detection, which monitor and collect images in accordance with local legal requirements.
- Survey information in response to questions we may send you, including for feedback and research purposes.
- Any additional information you choose to provide, including questions, suggestions, and feedback.
Purpose
The PII we handle at BLADEX is requested from our customers for the sole purpose of carrying out the proper provision of the financial services and products we offer to our customers and to comply with the bank's regulatory obligations..
PII will only be subject to the processing authorized by law, by the existing contractual relationship or by the prior, informed and express consent of the PII principals of the data received. In general terms, PII will be used to:
- Manage the relationship with our customers.
- Manage the products and services of our customers.
- Process instructions or requests from our customers.
- Research and analysis to improve our services.
The PII received in the terms and for the purposes mentioned in this Privacy Notice, will not be shared without prior and express authorization of the PII principals with third parties not directly related to the financial products or services originated by the contractual relationship between the holder of the PII and BLADEX.
Exceptionally, PII may be shared when there is a court order and/or mandate or in the cases established in current legislation and regulations, based on which a judicial or regulatory authority can and must have access to the PII managed by BLADEX. In these cases, access will only be allowed to the PII specifically described and indicated on the basis of the situation or subject matter and not to all personal information held by our organization.
BLADEX does not use automated decision systems, including profiling.
This Privacy Policy also applies to PII provided by individuals acting on behalf of our corporate clients, as well as general website visitors. This Privacy Policy applies to information collected by Bladex through the following channels (collectively, the “Services”):
- Our websites, including www.Bladex.com;
- Our online banking platform and related digital financial services; and
- Our email communications.
Please note that this Privacy Policy does not apply to non-Bladex websites or services that state that they are offered under a different privacy policy. Please review the privacy policies on those websites and services directly to understand their privacy practices.
Actions
Collection. We collect the PII necessary for the proper provision of the services we offer and that are covered by the existing contractual relationship between BLADEX and the organization to which the PII principal belongs. The information is collected from forms filled out by the PII principal when requesting information about a service and/or product; from the service contract, from electronic correspondence and some PII is collected from visits to our website, through cookies (see Cookies Policy at www.bladex.com).
Processing. PPII is processed for the purpose of providing the contracted services or carrying out the operations and/or transactions that the PII principal requires. They may also be used to improve our websites and other digital applications available to our customers and to keep them informed about changes in our opening hours and other banking services that should be informed in a timely manner for their benefit. In any case, our policy limits access to the PII managed and access to such information is only allowed to collaborators and third parties who, for legitimate purposes, need access to such personal information. For more information on the processing carried out by BLADEX, please refer to our data protection policy published at www.bladex.com.
We use the PII we collect from you to:
- Provide and deliver our Services; manage and service client accounts; and create and maintain login credentials.
- Respond to requests and questions; communicate with you about the Services; provide troubleshooting and other support; and provide important notices.
- Manage, maintain, and operate the Services; diagnose or fix technology problems; monitor the performance of the Services; protect the security of the Services; detect and prevent fraud and other harmful activities; and understand how you access and use the Services.
- Improve the Services and grow our business; better understand our client base; develop new products and services; and analyze trends and monitor usage.
- Design and administer marketing and promotional campaigns and evaluate the effectiveness of these campaigns; send announcements and other promotional materials; and administer surveys for market research and client satisfaction purposes.
- Comply with legal requirements (including but not limited to with respect to FATCA and AMLA2020); defend against legal claims or other demands; respond to subpoena, court order, or other legal process or request; protect the rights of Bladex, you, our clients, or others; and detect, investigate, and prevent activities that may violate our policies or be fraudulent or illegal.
- Perform internal administration, auditing, risk management, compliance, and operations activities.
We may use information in an aggregated or de-identified manner data at our discretion, including for research, analysis, modeling, marketing, and improvement of our Services. In all these cases the PII will be anonymized before being used.
Transfer. Bladex operates internationally, so we will need to share information with our other offices in order to conduct our business and support our customers.
When providing a global service to our customers, PII may be accessed from Bladex offices internationally when necessary for the completion of a transaction with the customer, or to comply with legal or regulatory requirements imposed on us. Any other transfer of PII must be expressly authorized in advance by the PII principal. (A complete list of our locations is available on our website but may be revised and updated at any time).
For the contracting of external hosting services, BLADEX will require its suppliers to comply with equal or higher levels of PII protection and will not host information on servers located in countries that do not have PII protection laws similar or more stringent than those established in the Republic of Panama. In any case, the communication between our systems and external servers, whether they are inside or outside the territory of the Republic of Panama, will be carried out using the highest standards of information security in the industry.
Share. We may share the information we collect only in the following instances:
- With service providers that we believe need the information to perform a technology, business, or other professional function for us such as IT services, accounting, auditing, and tax services, and other professional services. In these cases, we will only share the strictly necessary information, based on the legitimate interest established by regulation or in the service contract.
- With our corporate clients, if you are a representative of the client, as necessary to provide the Services. In these cases, we will only share business contact information.
- With entities in our corporate family, for purposes consistent with the service contract and this Privacy Policy, to carry out our business activities, and to the extent permitted by law and regulations.
- When a corporate event occurs, we reserve the right to transfer to another entity or its affiliates or service providers our corporate customers information in connection with, or during negotiations of, any merger, acquisition, sale of assets or any line of business, change in ownership control, or financing transaction. In these cases, some or all of your PII may be shared. However, if this occurs, we will require the third party to adhere to protection measures that are equivalent to or exceed our own.
- For legal purposes with government entities or others; where necessary to comply with the law; in response to court orders, subpoenas, law enforcement or legal process, including for national security purposes; to establish, protect, or exercise our legal rights; as required to enforce our terms or other contracts; to defend against legal claims or demands; or to detect, investigate, prevent, or take action against illegal activities, fraud, or situations involving potential threats to the rights, property, or personal safety of any person.
Retention and Removal. PII will be retained based on the existing contractual relationship and the legal and/or regulatory retention periods established for this purpose. Upon expiration of these terms and within the term established by the laws in force, PII will be securely removed from our systems and/or returned to their holders upon express request. Unless expressly authorized by the PII Principals, Law 81 of 2019 establishes that Bladex may not carry out any processing on the PII stored and there is no legitimate interest to carry out processing.
To ensure compliance with the regulations in force and based on the security standards recognized by the industry, as soon as the legitimate interest for processing disappears the PII and the documents that include PII will be deleted. During the deletion process, PII will be extracted from the Databases and repositories used by BLADEX operating platforms and applications and securely stored to initiate the secure deletion protocol that ensures that PII cannot be recovered once deleted.
PII collected in physical format is always stored securely and our employees have been instructed not to leave it unsupervised, or pile it up in places of passage, or in open places within the facilities. For information in physical format, there is a disposal protocol with adequate security measures that guarantee its protection until the moment of its final disposal.
STORAGE AND PROTECTION
We use a combination of physical, technical, and administrative safeguards to protect the PII we collect through our services, websites, online banking platform and related digital financial services. While we use these precautions to safeguard your information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf. If you access or use our Services you understand that we may collect, process, and store your personal information in the United States and other countries.
In any event, should a security incident occur despite our commitment to maintaining the integrity and protection of the collected PII, we will promptly notify the affected PII Principals
PII Principals Rights and Actions
For the purposes of this Privacy Policy, PII principal are the natural persons whose PII are subject to any processing by BLADEX. Bladex guarantees to PII principals the exercise of the ARCOP Rights so that, with prior proof of their identity, legitimacy and at no cost, they may have full access to their PII, through the exercise of the ARCOP Rights.
Rights. TThe regulations in force in the Republic of Panama recognize and establish the rights of PII Principals, called ARCOP Rights (Access, Rectification, Cancellation, Object and Portability).
Privacy choices using the services through our website. You have the following choices when it comes to how we collect and use your information:
- Change cookie preferences: You can modify your browser setting to disable or reject cookies across the internet; but if you do so, some features of our Services may not function properly or be available. Please note that you will need to set preferences on each device you use to visit our Services.
- Opt-out of email marketing: If you no longer wish to receive marketing emails from us, you can click the unsubscribe link at the bottom of our marketing emails.
- Opt-out of text messages: If you no longer wish to receive transactional text messages, such as account notifications, from us, you may opt-out by replying STOP to any message or adjusting your communication preferences in your account settings. Please note that opting out of transactional messages may impact your ability to use certain features of the Services.
- Update account information: If you have a Bladex account, you can see, review, and update certain information associated with your account, such as your contact information, by logging in to your account.
Enforcement and Actions. Based on the aforementioned rights, BLADEX declares that PII Principals have the right to:
- Know and access, free of charge, the PII which BLADEX is processing in any way. When the PII principal requests that the information be provided in a technological storage device (USB, compact disc, etc.), He/She must provide the support to which the information will be transferred or bear the cost of this request. The support provided by the PII principal must be supplied unformatted, without any information. Based on current regulations, if the Controller obtained the PII from a source other than the PII principal, whether public or private, with or without legitimate interest, the PII principal may exercise the rights of Opposition and/or cancellation, but not the right of portability.
- Request, at any time, that his/her PII be updated or rectified when the PII is incomplete, incorrect, inaccurate, fragmented, irrelevant, incomplete, outdated, false or irrelevant.
- Be informed by BLADEX of the use given to their PII.
- Object any PII processing that has not been authorized or has been expressly prohibited.
- Withdraw, without justification, their consent to the processing and/or request the deletion of the PII when the extent of the processing consent expressly indicated, the ARCOP Rights, or the applicable regulations are not respected.
- Request and verify at any time the express consent form delivered to BLADEX for the processing of PII.
Procedure for exercising ARCOP Rights
PII principal must access the request form available at www.bladex.com or in printed form at BLADEX offices in order to be informed which PII is stored and/or to have his/her PII updated, corrected, rectified and/or deleted.
Each request for the exercise of ARCOP Rights will have an internal number that will be used by the PII principal when requesting information on the status of his request. BLADEX will have a period of two (2) business days to acknowledge receipt of the request submitted through the website and/or e-mail, enter it in the request register and indicate the number of the request to the PII Principals. When the request is made on a paper form, the internal number will be assigned at the time of submission.
In the same e-mail in which the number assigned to the request is indicated electronically, or in an e-mail sent within two (2) days following the personal submission of the printed form, the applicant will be informed if it is necessary to correct the request and/or clarify any point of the request and/or attach any document. The PII principal shall have a term of ten (10) business days, counted as of the day following the day the e-mail is sent, to comply with the request. Upon expiration of the aforementioned term, if no response has been received or if the non-compliance with the requirements is insisted upon, a status report will be drawn up and it will be noted in the Register of Requests that the PII principal has not corrected his request.
Processing of requests for the exercise of ARCOP Rights
BLADEX will respond to any request for access within ten (10) business days of its submission. If the request is admissible, BLADEX will execute the action within a maximum period of five (5) business days, counted from the day following the receipt of the request or within the same period, it will indicate to the PII principal the reasons why the request is inadmissible.
In the events that the bank does not comply with the request regarding the exercise of ARCOP right or the client is dissatisfied with the decision adopted by the bank, it may file a claim with the Superintendency of Banks. For such purposes, the client will have a period of 30 calendar days, which will begin to be counted from the date on which he obtained a formal response from the bank or when the bank has not complied with resolving the request or claim within the corresponding period.
Withdrawal of PII Processing Consents
The PII principal may, at any time, withdraw his or her consent for any processing of his or her PII by BLADEX. For such purpose, he/she shall complete the PII principal Consent Withdrawal Form available at www.bladex.com and send it via e-mail, duly signed to oficialpdp@bladex.com or deliver it personally at BLADEX offices.
PII Protection Officer
BLADEX, as Controller and in compliance with the regulations in force, has appointed a PII Protection Officer, whose duties are as follows:
- Keep a record of any event affecting the protection of PII processed by the Bank;
- Report any deficiency detected in the PII protection measures to Senior Management, as well as to the Risk Management Unit and the Internal Audit Unit;
- Coordinate with the Information Security area the security events that impact the protection of PII;
- Provide suggestions regarding corrective measures that can be implemented to remedy the deficiencies detected in the processing of PII;
- Maintain communication with the risk, internal audit and compliance areas in order to identify the necessary improvements in PII protection controls;
- Cooperate with the Information Security Officer in the handling of security incidents that impact the processing of PII;
- Be the liaison unit with the Superintendency of Banks on issues related to the processing of PII;
- Coordinate the annual training plan on PII protection;
- Be the liaison unit with the PII principals, notwithstanding the fact that administratively, when applicable, it may be supported by the head of the Claims Management System
To contact the PDP Officer, write to oficialpdp@bladex.com or call: Panamá: +(507) 210-8500
Disclaimer regarding the use of social networks and instant messaging
Social networks and instant messaging applications are complementary platforms for dissemination of information and exchange of communication through digital media with customers and the general public but are not under the responsibility of BLADEX. Consequently, any information that users provide through these platforms does not constitute, nor is it part of the PII principal to the protection of BLADEX, being the full responsibility of the person who provides the information and the companies that manage these platforms
Use of Social Networks
BLADEX may use these communication platforms as a complementary means of promoting products and services. These communications published through social networks are aimed at the general public. The profiles that BLADEX uses in social networks are open and use the channels offered by the companies that manage these networks, which make the publications appear more frequently for certain types of customers based on the PII processing consents given by users at the time of subscribing to such networks.
Use of Instant Messaging Applications
BLADEX may use these instant messaging platforms as a tool to streamline communications among employees and between employees and customers. However, since BLADEX has no control over the access and use of the information by the company that owns the application, BLADEX discourages its employees and customers from exchanging sensitive information and documents containing PII through these networks. This information should be shared through secure e-mail or any other secure communication channel implemented by BLADEX.
Right to file claims for non-compliance with regulations. Based on the provisions of paragraph 6, article 11 of SBP Agreement 001-2022, BLADEX informs the PII principals that in the event of any breach by us of the regulations in force and/or the provisions in this document, they may file claims with the Superintendency of Banks of Panama.
If the PII principal is located in a jurisdiction other than the Republic of Panama, he/she may appeal to the PII Protection Authority of the jurisdiction where he/she is located.
Updates to this privacy policy. We may make changes to this Privacy Policy from time to time. The date at the top of this Privacy Policy indicates when this Privacy Policy was last revised. If we make material changes to this Privacy Policy, we will notify you as required through written, electronic, or other means.