BodegaX operates within a defined legal and regulatory framework that governs how personal data is collected and stored, how electronic transactions are validated, and how the software itself may be distributed and documented. Because the platform handles user identities, financial records, and commercial transaction histories, every operator deploying BodegaX must understand and actively comply with the applicable norms described on this page. The requirements span both Colombian national law and, where EU citizens are involved, the General Data Protection Regulation.
The legal summaries on this page are informational and reflect the regulatory framework documented in the BodegaX project specification. Operators should consult qualified legal counsel in their jurisdiction to verify full compliance, especially when processing data belonging to EU residents or when operating in jurisdictions beyond Colombia.
Applicable Legal Norms
The following laws and regulations directly apply to the development, deployment, and operation of BodegaX:

| Norm | Scope | Description |
|---|---|---|
| Ley 1581 de 2012 — Personal Data Protection | Colombia | Recognizes and protects the right of all persons to know, update, and correct information collected about them in databases or files held by public or private entities. |
| GDPR — EU General Data Protection Regulation | European Union | Regulates the protection of personal data within the EU, establishing user rights (access, rectification, erasure, portability) and obligating companies that handle personal data to implement appropriate safeguards. |
| Ley 527 de 1999 — Electronic Commerce | Colombia | Regulates the legal validity of electronic data messages and the use of digital signatures in electronic transactions, providing the legal basis for BodegaX’s digital order and invoicing workflows. |
| Ley 962 de 2005 — Administrative Simplification | Colombia | Promotes the optimization and digitalization of administrative processes in public and private sectors, supporting BodegaX’s mandate to replace manual warehouse management with a digital platform. |
| Ley 1266 de 2008 — Hábeas Data | Colombia | Regulates the administration of financial, commercial, and credit data, guaranteeing citizens’ rights to privacy and to a good name when their data is processed for commercial purposes. |
Compliance Implementation
BodegaX’s architecture and data model are designed to align with each applicable norm. The following sections explain how compliance is achieved in practice.
Data Protection (Ley 1581 de 2012 & GDPR)
Personal Data Covered
The session object stores `uuid`, `nombre`, `id`, `direccion`, and `role`. All of these fields constitute personal data under Ley 1581 and, where the data subject is an EU resident, under the GDPR as well.
Security Measures
Personal data at rest is encrypted with AES-256. Passwords are hashed with bcrypt. Data in transit is protected by HTTPS in production. These measures satisfy the security obligations imposed by both laws.
Data Subject Rights
Operators must implement processes allowing users to access their stored data, correct inaccuracies (available through the user administration module), and request deletion — all rights granted by Ley 1581 and the GDPR.
Data Minimisation
BodegaX stores only the fields operationally necessary: identifier, name, address, password (hashed), and role. No additional personal attributes should be collected without a corresponding lawful basis.
Electronic Transaction Validity (Ley 527 de 1999)
BodegaX conducts all order creation, modification, and invoicing workflows digitally. Ley 527 de 1999 establishes that electronic data messages carry legal validity equivalent to paper documents when properly authenticated. Because every transaction is tied to an authenticated user session — enforced by Angular route guards on the frontend and JWT validation on the Spring Boot backend — orders and invoices generated by the platform meet the legal standard for electronic commercial records in Colombia.
Financial & Commercial Data (Ley 1266 de 2008 — Hábeas Data)
BodegaX manages commercial data about clients: order histories, invoices, and payment records. Ley 1266 de 2008 requires that this data be handled with strict confidentiality, that it only be shared with parties who have a legitimate purpose, and that affected individuals may challenge the accuracy of data held about them. Operators must define internal data access policies that restrict who within their organization can query client financial records.
Software Restrictions
The following constraints are defined in the BodegaX project specification and are binding for all deployments:
Technical Constraints
| ID | Constraint |
|---|---|
| RT01 | The system must be developed using Angular for the frontend and Spring Boot for the backend. Substituting either framework requires a new compliance review. |
| RT02 | The database must be PostgreSQL. Migrating to another RDBMS or a NoSQL engine is not permitted without re-validating all data integrity guarantees. |
| RT03 | The application is optimized for execution on Windows environments. Server-side deployment on Linux is supported for cloud targets (GCP, AWS). |
| RT04 | All communication between the frontend and backend must use REST API with JSON payloads. No other communication protocol is permitted. |
| RT05 | User authentication must be implemented using JWT (JSON Web Tokens). Session cookies or other token formats are not permitted as the primary auth mechanism. |
Legal & Operational Constraints
| ID | Constraint |
|---|---|
| RL01 | The software must comply with applicable local e-commerce and personal data protection regulations in the jurisdiction of deployment. |
| RL02 | All system documentation must be written in Spanish. Technical documentation produced for international contexts may include translations but Spanish must remain the authoritative version. |
| RL03 | No resale or redistribution of BodegaX is permitted without prior written authorization from the rights holder. Unauthorized distribution constitutes a violation of intellectual property rights. |
Legal Compliance FAQ
What user data does BodegaX collect and store?
BodegaX stores the following personal data fields for each registered user: a unique UUID, the user’s display name (`nombre`), a national or business ID (`id`), a physical address (`direccion`), a hashed password, and a role (`admin` or `user`). This data is used exclusively to authenticate users, enforce access control, and associate transactions with the correct account. No data is shared with third parties without a documented lawful basis.
What rights do users have over their personal data?
Under Ley 1581 de 2012, Colombian users have the right to know what data is held about them, to update or correct that data, and to request its deletion when there is no longer a lawful basis for retention. Under the GDPR, EU residents additionally have the rights to data portability and to object to certain types of processing. Operators must provide a clear process — and a contact point — for users to exercise these rights. The user administration module supports editing and deactivating user accounts as part of this workflow.
Is the BodegaX invoicing system legally valid in Colombia?
Yes. Ley 527 de 1999 establishes that electronic data messages have the same legal validity as paper documents in Colombia, provided they are properly authenticated and attributable to the issuing party. Because every BodegaX invoice is generated from an authenticated user session — with route-level enforcement on the Angular frontend and JWT validation on the Spring Boot backend — the resulting PDF documents meet the requirements for legally valid electronic commercial records. Operators handling regulated industries (e.g., DIAN-registered taxpayers) should also verify compliance with electronic invoicing mandates specific to their tax category.
Does GDPR apply to our BodegaX deployment?
The GDPR applies to any organisation that processes the personal data of individuals located in the European Union, regardless of where the organisation itself is based. If your BodegaX deployment serves EU-based clients, employees, or partners whose personal data is stored in the system, GDPR obligations apply in full. This includes appointing a Data Protection Officer (where required), maintaining a record of processing activities, implementing a data breach notification process (72-hour window), and ensuring cross-border data transfers comply with GDPR Chapter V.
Can we resell or white-label BodegaX for other customers?
No. Constraint RL03 explicitly prohibits the resale or redistribution of BodegaX without prior written authorization from the rights holder. Operating BodegaX as a managed service for third parties, white-labelling it under another brand, or redistributing the source code constitutes a breach of the software’s licensing terms and may give rise to intellectual property claims. Contact the rights holder to discuss licensing arrangements before any commercial redistribution.
What language must our documentation be in?
Constraint RL02 requires that all system documentation be written in Spanish. This applies to user manuals, technical configuration guides, operational runbooks, and any training materials produced for BodegaX. If your organization produces parallel documentation in other languages (English, Portuguese, etc.) for international teams, the Spanish version remains the legally authoritative reference in case of ambiguity or dispute.
How long may we retain user personal data?
Neither Ley 1581 de 2012 nor the GDPR specifies a universal retention period. The general principle is that personal data may be retained only for as long as it is necessary to fulfil the purpose for which it was collected, or as required by law. For BodegaX, active user accounts and their associated transaction history should be retained for the duration of the commercial relationship. Upon account deactivation or a user’s deletion request, personal identifiers should be anonymised or purged, subject to any mandatory record-keeping obligations under Colombian commercial or tax law.