
Data Processing and Privacy Policy for Mexico

Thank you for using Truora!

Your trust is the most important thing to us, and we are committed to protecting the privacy and security of your personal data, as well as that of third parties about whom we are consulted. We have a dedicated privacy team committed to protecting all the personal data we collect and ensuring that it is handled properly in all the countries where we provide services. Please carefully read our Data Privacy Notice (hereinafter the “Privacy Notice”). In order to use our site and receive the services we provide, you must read and accept this Privacy Notice, as well as our Terms and Conditions available at www.truora.com.

1. Introduction and Objectives

This Privacy Notice is the document that governs the handling of all Databases and/or files of Truora that contain Personal Data of clients, contractors, suppliers, and third parties in general, which are subject to Processing by Truora, in those events in which it is considered the “Controller” and/or “Processor” of such Personal Data, in accordance with the provisions of the Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter the “LFPD”), its Regulations, and the Privacy Notice Guidelines, whose purpose is the protection of individuals’ data privacy. Likewise, its objective is to establish the information management and protection policies and procedures for Truora, aligned with the Information Security Policy implemented by the company, with the purpose of preserving security in the exchange, transfer, or destruction of information.

2. Definitions

Authorization: Refers to the prior, express, and informed consent of the Data Subject to carry out the Processing of Personal Data.

Privacy Notice: Refers to this document, which is addressed to the Data Subjects whose Personal Data are being processed by Truora, informing them about the existence of the Personal Data processing policies that will apply to them, the way to access them, and the purposes for which their Personal Data will be used.

Database: Refers to the organized set of Personal Data that is subject to Processing.

Consent: Manifestation of the will of the Data Subject by means of which the processing of their data is carried out.

Request: Means the mechanism by which a Data Subject may exercise their ARCO rights, as well as request the revocation of the Authorization, in accordance with the procedure established in section 12.

Biometric Data: Refers to the following data: fingerprints, facial recognition, iris recognition, handwritten signature recognition, voice recognition.

Deleted Data: Refers to data for which the express authorization of the Data Subject to carry out its processing could not be obtained, or which, at the request of the Data Subject, must be deleted, or which Truora decides to delete from its Databases.

Personal Data: Refers to any information linked to or that may be associated with one or more determined or determinable natural persons.

Sensitive Personal Data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose improper use may affect the privacy of the Data Subject or the potential to generate discrimination against them or entail a serious risk for them, such as data revealing aspects such as racial or ethnic origin, present and future health status, genetic information, political opinions, religious, philosophical, and moral beliefs, membership in unions, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual preference and life, and biometric data.

Public Data: Refers to data classified as such by law and data that is not semi-private, private, or sensitive. Public data is considered to include, among others, data relating to the civil status of persons, their profession or occupation, their status as a merchant or public servant, and data that may be obtained without any restriction. By their nature, public data may be contained, among others, in public records, public documents, gazettes, and official bulletins.

Private Data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject.

Device: The equipment that allows access to the global network called the Internet, which may be used to access Truora’s services.

Data Processor: Natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller.

Publicly Accessible Source: Those databases that may be consulted by any person, with no requirement other than, where applicable, the payment of a fee.

Geolocation: Corresponds to the geographic coordinates of latitude and longitude where the Device is located.

Remission (Transmission): The communication of Personal Data between the Controller and the Processor, within or outside Mexican territory.

Data Controller: Natural or legal person of a private nature who decides on the Database and/or the Processing of Personal Data.

Processing: Any operation or set of operations performed on Personal Data, such as obtaining, collecting, storing, using, disclosing, circulating, or deleting Personal Data, by any means. Use includes any action of access, handling, exploitation, transfer, or disposal of Personal Data.

Data Subject: The natural person to whom the Personal Data corresponds.

Data Transfer: Any communication of data made to a person other than the controller or processor.

Truora: Means the Controller or Processor of the Personal Data collected from the Data Subjects, that is: Truora Fraud Prevention, identified with RFC: TFP 191219TG0 and domiciled at Av. Ejército Nacional No. 351, P3, Col. Granada, Alcaldía Miguel Hidalgo, C.P. 11520, Mexico City.

Affiliates and/or Related Parties: Corresponds to our parent company, affiliates, related parties, subsidiaries, allies, and subordinates.

3. Processing and Scope of Personal Data

Truora, in the development of its corporate purpose and economic activity, acts as Controller and/or Processor of Personal Data provided by the Data Subjects, whether clients, employees, contractors, and/or suppliers, which will be stored in its databases and in those of parties who, by virtue of this policy, may access them.

Consequently, Truora collects, stores, uses, transmits, transfers, deletes, and, in general, processes the Personal Data provided by natural persons with whom it has or has had some type of relationship, whatever its nature (civil, commercial, and/or labor); including, but not limited to, its clients, cloud software users, allies, suppliers, contractors, workers, creditors, debtors, and shareholders.

This document covers the processing of the information managed at Truora. It covers all deliveries, transfers, or transmissions of information and/or data of medium or high confidentiality, both within the organization and with the environment of clients, suppliers, external databases, social media, and the general public.

Information exchanges may occur through the use of various types of communication, whether verbal, in-person or telephone conversations, visual, in videos, or written, on paper or digital media. It involves the obtaining, transfer, processing, storage, and deletion of the information provided by clients.

4. Guiding Principles

We are committed to ensuring that any Processing of Personal Data we carry out always respects the rights enshrined in our Constitution and the laws. Therefore, the following are the principles that guide our conduct:

  • Principle of quality: Truora seeks to ensure that the Personal Data processed are accurate, complete, relevant, correct, and up to date in order to fulfill the necessary purposes indicated in the comprehensive privacy notice.
  • Principle of confidentiality: All persons involved in the Processing of Personal Data are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprising such processing has ended.
  • Principle of consent: Truora obtains consent for the Processing of Personal Data freely, specifically, and on an informed basis, except where it is not required under article 10 of the LFPD.
  • Principle of information: Truora provides complete information regarding the Personal Data it processes and other requirements established by the LFPD so that Data Subjects may exercise their rights to informational self-determination, privacy, and protection of Personal Data.
  • Principle of purpose: The Processing of Personal Data must serve a legitimate purpose that will be communicated to the Data Subject.
  • Principle of freedom: The Processing of Personal Data may only be carried out with the prior, express, and informed consent of the Data Subject.
  • Principle of lawfulness: Truora obtains data in compliance with the applicable legislation both in Mexico and internationally.
  • Principle of good faith (loyalty): Truora does not use deceptive or fraudulent means to collect Personal Data, and processes it at all times in good faith and with the utmost diligence regarding the information provided by clients and users, maintaining the reasonable expectations of respect for the privacy of the Data Subjects, on the understanding that we will process their data as agreed.
  • Principle of proportionality: Truora only processes the Personal Data that is necessary, adequate, and relevant for the necessary purposes indicated in our comprehensive privacy notice.
  • Principle of responsibility: Truora has established Personal Data handling policies and procedures within its organization that are mandatory and consistent with the best international practices, allowing the Processing of Personal Data to be carried out responsibly. Likewise, it provides training, updating, and awareness for its personnel regarding the applicable provisions and obligations on the protection of Personal Data, and has established internal supervision and monitoring systems to verify compliance with the policies, which are reviewed periodically to determine whether any modification is necessary.
  • Principle of security: The information subject to Processing must be handled with the commercially reasonable technical, human, and administrative measures necessary to provide security to the records, preventing their alteration, loss, unauthorized or fraudulent consultation, use, or access.
  • Principle of truthfulness: The information subject to processing must be truthful, complete, accurate, up to date, verifiable, and comprehensible. The Processing of partial, incomplete, fragmented, or misleading Personal Data is prohibited.

5. Use of the Privacy Notice and Protection of Information

All Processing of Personal Data shall be subject to this Privacy Notice; therefore, if a Data Subject does not agree with this Privacy Notice, they may not provide any information that must be recorded in one of Truora’s Databases.

Truora is committed to the security of the Data provided to it and, consequently, undertakes to make appropriate use of it, as well as to maintain the required confidentiality regarding it in accordance with the provisions of this Privacy Notice and the terms established by the Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter the “LFPD”), its Regulations, and the Privacy Notice Guidelines. In accordance with the provisions of this document, at the moment the Data Subjects provide their Personal Data for collection in Truora’s Databases, it is understood that such Data Subjects accept and acknowledge that the Processing of such Personal Data shall be subject to this Privacy Notice.

The Personal Data may be transferred to its shareholders, Affiliates, and/or Related Parties, as well as to third parties and to judicial or administrative authorities, whether natural or legal persons, Mexican or foreign, in those events in which the transfer or transmission of the data is necessary to carry out the uses and activities authorized by the Data Subjects in accordance with Truora’s corporate purpose. In all events, the exchange of such information must comply with the requirements established in section 16 of this Policy. Likewise, the information must be kept under strict confidentiality and shall be subject to rigorous Processing, respecting the rights and guarantees of its Data Subjects.

Truora may use service providers and data processors that work on its behalf. Such services may include system hosting and maintenance services, encryption, analytics services, email messaging services, call-center services, delivery services, payment transaction management, and solvency and address checks, among others. Consequently, the Data Subjects understand that by providing information to Truora, they will automatically be granting these third parties authorization to access their Personal Data.

Therefore, Truora undertakes to take all necessary actions to ensure that both the service providers and the processors working on behalf of the company, as well as other third parties authorized under this Privacy Notice, protect, in all events, the confidentiality of the Personal Information in their charge.

Truora may collect information that is in the public domain to supplement the Databases. Such information will be given the same treatment indicated in this Privacy Notice.

6. Effects of the Authorization

It is understood that the Authorization granted by the Data Subjects is an express and informed authorization granted by them in favor of Truora, its Affiliates and/or Related Parties, and third parties determined by Truora by virtue of the development of its corporate purpose, to process their Personal Data, whatever the means (written, oral, or by unequivocal conduct) by which they were provided. Likewise, it implies the full understanding and acceptance of the entire content of this Privacy Notice.

In the event of a sale, merger, consolidation, change in corporate control, transfer of assets, reorganization, or liquidation of Truora and/or its Affiliated and/or Related entities, Truora may transfer the Personal Data of the Data Subjects to the parties involved, for which, through the acceptance of this document, Truora is understood to be empowered to do so.

7. Personal Data Subject to Processing

Truora collects, or receives by transmission, the following information and Data:

Personal data belonging to the following general categories:

  • First and last name;
  • Email address;
  • Phone number;
  • Unique population registry code or country of residence and/or origin;
  • Federal Taxpayer Registry (RFC);
  • Date and place of birth;
  • Nationality and migratory data;
  • Official identification;
  • Sex;
  • Marital status;
  • Occupation;
  • Address;
  • Contact data;
  • Device location and positioning (Geolocation).

Sensitive Personal Data:

  • Biometric;
  • Fingerprints;
  • Facial and iris features;
  • Voice pattern;
  • Patrimonial and/or financial data.

Data of Minors:

Truora’s websites and applications are not directed at minors or persons under 18 years of age. Truora does not deliberately collect any personal information directly from minors under 18 years of age. If you believe that we are processing personal information related to a minor inappropriately, we urge you to contact Truora using the information provided in the “Contact Us” section below.

Data from Publicly Accessible Sources:

Truora obtains data through remote or local means of electronic, optical, and other technological communication from publicly accessible sources, that is, sources to which any person may have access, including telephone directories, newspapers, gazettes, official bulletins, and social communication media, all in compliance with the applicable regulations. Therefore, Truora does not require your consent to obtain personal data from publicly accessible sources.

I consent to and authorize that the data mentioned in this section, whether personal data, sensitive personal data, or geolocation data, be processed in accordance with the provisions of this Privacy Notice.

8. Primary Purposes of the Use of Information

The personal data provided to Truora will be processed in accordance with the purposes established in this section.

The primary purposes of the Processing are:

1. The correct execution of the contract formalized between the Data Subject and Truora.

2. Creation of an account to access the Truora Platform.

3. Identity verification, whether with any valid official document that serves to prove identity.

4. Facilitation of contact between Truora and the Data Subject.

5. Sending information or text messages to the mobile phone provided, email, regarding new services, changes in service and rates, payment reminders, promotions, events, and information of interest to Data Subjects in general.

6. Invoicing and other tax-related effects, in which case it will be shared with the State entities responsible for carrying out such work.

7. Completing the profile information on the Truora Platform.

8. Processing payment for the services acquired.

9. Identity validation.

10. Obtaining information from other sources and combining it with the information Truora collects through the Truora Platform.

11. Reviewing the history of police or criminal records or inclusion in sex offender registries.

12. Reviewing fraud detection and security matters.

13. Receiving the results of criminal background checks or fraud warnings from identity verification services for the purposes of Truora’s work in preventing fraudulent practices and assessing risks.

14. Verification of the data contained in the Voter ID Card and of the Data Subject’s facial biometrics before the National Electoral Institute, in order to confirm that the Voter ID Card presented for procedures or services is authentic and corresponds to the one found in the database of the National Electoral Institute, in order to protect their identity and prevent its usurpation or theft and, thereby, the possible commission of an unlawful act by third parties.

Geolocation: The geolocation data of the Data Subject’s device will be processed to comply with the applicable legislation when the Data Subject enters into a contract or carries out a transaction through a device on a non-face-to-face basis. Likewise, it will be processed as a measure to prevent and detect money laundering, terrorist financing, or other unlawful acts. Use of the information collected as a measure to prevent and detect money laundering, terrorist financing, or other unlawful acts.

9. Secondary Purposes and Uses of Information

The personal data provided to Truora will be processed in accordance with the following purposes for the use of information, as applicable to each Data Subject:

1. Improvement of Truora’s commercial and promotional initiatives, as well as analysis of the pages visited and the searches performed, to improve Truora’s offering of content and articles and personalize such content, its presentation, and services.

2. Developing measurement studies regarding the participation of different sectors of the population in Truora.

3. Analysis of the Personal Information by Truora, its shareholders, Affiliates and/or Related Parties, and third parties contracted for the development and promotion of the sale of its services.

4. Collection of the services that the Data Subjects use and the manner in which they use them.

5. Receiving information about the Data Subject, their activities inside and outside the Truora Platform through its partners, or information about the experiences and interactions the Data Subject has had through our network from associated advertisers.

6. Processing for marketing, advertising, or commercial prospecting purposes of Truora.

7. Other communications and activities related to Truora’s corporate purpose.

In the event that you, as the Data Subject of the Personal Data, do not agree with any of the secondary purposes established in this Notice, please state, in the ChatBot available in the lower right corner, the purposes for which you do not approve the Processing.

10. Rights and Duties of the Data Subjects

The Data Subjects of the Personal Data provided to Truora shall have the following rights:

1. The right to Access, Rectify, Cancel, and Object to the Processing of their Personal Data free of charge;

2. The right to request proof of the existence of the authorization granted to Truora, except when expressly exempted by law as a requirement for Processing;

3. The right to be informed, upon request, regarding the use that has been made of their Personal Information;

4. The right to file complaints with the Superintendence of Industry and Commerce or the competent authority for violations of the provisions of the applicable Law and other regulations that amend, add to, or supplement it;

5. The power to revoke the authorization and request the deletion of the data when it is not used in accordance with the authorized uses and purposes. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce or the competent authority has determined that in the Processing Truora has engaged in conduct contrary to the law;

6. The right to submit requests and complaints regarding the Personal Data.

The Data Subjects of the personal information provided to Truora shall have the following duties:

1. The duty to provide truthful information, which may be verified by Truora for control and validation purposes. Truora shall have the power to deny requests when it is verified that the information provided by the Data Subject is false or presents inconsistencies.

2. The duty to keep contact information up to date, in order to ensure a more effective and timely provision of the service, as well as to allow a channel of direct communication and information between Truora and the Data Subject.

11. Procedure to Exercise Your ARCO Rights and Objection to Non-Necessary Purposes

Truora has the tools and means of communication for Data Subjects or their legal representatives to exercise their rights of Access, Rectification, Cancellation, or Objection, the last two being applicable only when the current regulations allow it (hereinafter “ARCO Rights”), as well as for them to object to the processing of their Personal Data for non-necessary purposes, revoke the Authorization for Processing, and limit the use or disclosure of their Personal Data.

Truora has created an area exclusively designated for the handling of Personal Data called Privacy Truora, responsible for the protection of your data. In the event of any doubt or concern about this Privacy Notice or the Processing and use of Personal Information, please direct your inquiries, requests, complaints, or claims to:

  • Email: privacy@Truora.com
  • Address: Av. Ejército Nacional No. 351, P3, Col. Granada, Del. Miguel Hidalgo, C.P. 11520, Mexico City.

The Data Subject or their legal representative may request that Truora allow the exercise of their ARCO rights, as well as request the revocation of consent regarding the Processing of the Data Subject’s Personal Data that is subject to Processing, by submitting a Request following the procedure described in this section.

11.1. The Data Subject must make the request by means of a written application addressed to any of the following channels:

  • Physical address: Av. Ejército Nacional No. 351, P3, Col. Granada, Del. Miguel Hidalgo, C.P. 11520, Mexico City.
  • Email: privacy@truora.com
  • Person in charge: Director of Privacy Compliance.

11.2. Requests will be addressed within a maximum period of twenty (20) business days counted from the date of receipt. When it is not possible to address the request within that period, the interested party will be informed, stating the reasons for the delay and indicating the date on which the request will be addressed, which in no case may exceed five (5) business days following the expiration of the first period.

11.3. Every Request must contain the information corresponding to the Data Subject’s valid official identification, that is: full name, identification number (as well as a copy of such document), email address, and signature. In the event that the Request was submitted by the Legal Representative of the Data Subject, it must be accompanied by the document proving the capacity of the Legal Representative, as well as the official identification of the latter.

11.4. The responses to the Request submitted by the Data Subject will be made through the same means selected by the Data Subject to make the Request.

11.5. In the event that you wish to limit the use or disclosure of your Personal Data, this may be done through the following means:

  • Formal letter to the address: Av. Ejército Nacional No. 351, P3, Col. Granada, Alcaldía Miguel Hidalgo, C.P. 11520, Mexico City.

12. Confidentiality of Personal Data

The Personal Data provided by the Data Subjects will be used only by Truora, its shareholders, Affiliates and/or Related Parties, and the third parties authorized for such purposes, in accordance with the provisions of this Privacy Notice. The Data will not be intended, under any circumstances, for purposes other than those for which they were provided, which is why Truora will protect the privacy of the Personal Information and will make its best efforts to keep it under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access, as well as respect for the rights of the Data Subjects.

If for any reason a competent authority requests that the Personal Information held by Truora be disclosed and, consequently, Truora is legally obliged to provide it, Truora will proceed to deliver such Information, which the Data Subjects accept and authorize Truora to do; in any case, the Data Subject of such information will be informed.

13. Information Security

In compliance with the provisions of the Federal Law on the Protection of Personal Data Held by Private Parties (for the case of Mexico), Statutory Law 1581 of 2012 (for the case of Colombia), the General Personal Data Protection Law – Lei Geral de Proteção de Dados Pessoais (for the case of Brazil), Law 19,628 (for the case of Chile), the General Data Protection Regulation (GDPR), and other legislation, international treaties, decrees, circulars, manuals, recommendations, and/or regulations relating to and applicable to the Protection and Privacy of Personal Data, Truora has implemented administrative security measures to establish, at the organizational level, the management, support, and review of the security of Personal Data, the identification and classification of information, as well as the awareness, training, and education of its personnel in the area of personal data protection. Likewise, Truora has established physical security measures using state-of-the-art technology to prevent unauthorized access, damage, or interference to its physical facilities, critical areas, equipment, and information, to protect mobile computing equipment from any unauthorized access, and has also implemented technical security measures so that access to our databases is performed only by authorized users. Therefore, in the event of a breach of your personal data, we will analyze the causes of such breach and implement the corrective, preventive, and improvement actions necessary to make the necessary security adjustments to reduce the risk of a new breach.

Security breaches occurring at any stage of the processing that significantly affect the patrimonial or moral rights of the Data Subjects will be reported immediately to the Data Subject, so that the latter may take the appropriate measures for the defense of their rights.

Notwithstanding the foregoing, and taking into account that the services provided by Truora are carried out through the internet and that personal information is likewise collected, there may be illegal interceptions or violations of the systems and databases by unscrupulous or unauthorized persons. In this event, Truora is not responsible for the improper use of the information obtained by such means. The Data Subjects declare that they understand the risk involved in disclosing, sharing, or allowing access to information by electronic means, and therefore release Truora from all liability when unforeseen situations infringe the rights of the Data Subjects.

12.1. The files under Truora’s responsibility must comply with the protocols and procedures established by the information security policy regarding asset management and information classification, in addition to complying with the following specifications:

1. The data of the owner of the information will be stored in separate instances, with access controls for reading.

2. Consultation of the information by unauthorized personnel must be avoided.

3. All files are encrypted when stored in the repository designated for that purpose.

4. Transfers of sensitive or restricted files must be carried out through reliable messaging systems, with information encryption where possible.

14. Media Handling

Truora will implement procedures for the management of removable media in accordance with the classification scheme adopted by Truora. In any case, such procedures shall correspond to the duties established below:

  • Truora will destroy the media on which it stores confidential information when it is no longer necessary to keep it for business reasons, in such a way that the information is unrecoverable.
  • Controls will be defined and implemented to protect media with information that must be transported.
  • Strict control will be kept of the internal or external distribution of all types of media on which confidential information is stored.
  • A classification of the media will be carried out in order to determine the confidentiality of the Data.
  • It will ensure that all transfers of media are approved before being moved from a secure area (including when media is distributed to individuals).
  • It will keep a detailed record of the inventory of all media.
  • The use of mobile devices must be explicitly authorized, and they must comply with all security policies, standards, and norms defined at Truora, so as not to introduce risks within the corporate network.

15. Transfers and Transmissions

Truora carries out national and international transmissions and transfers of its Personal Data in the terms of the comprehensive privacy notice and in compliance with the applicable legal provisions. The communications of Personal Data made between Truora and the data processors do not require consent (article 2, section IX, and 53 of the Regulations of the LFPD), and the transfers carried out within the provisions of article 37 of the LFPD do not require it either.

In accordance with the provisions of the LFPD, Truora informs you that with the acceptance of this Privacy Notice it is understood that the Data Subject grants their consent for Truora to transfer their Personal Data to third parties, whether Mexican or foreign, to its shareholders, Affiliates and/or Related Parties, as well as to third parties and to judicial or administrative authorities, whether natural or legal persons, Mexican or foreign, in those events in which the transfer or transmission of the data is necessary to carry out the uses and activities authorized by the Data Subjects in accordance with Truora’s corporate purpose. Likewise, the information must be kept under strict confidentiality and shall be subject to rigorous Processing, respecting the rights and guarantees of its Data Subjects.

Truora may use service providers and data processors that work on its behalf. Such services may include system hosting and maintenance services, encryption, analytics services, email messaging services, call-center services, delivery services, payment transaction management, and solvency and address checks, among others. Consequently, the Data Subjects understand that by providing information to Truora, they will automatically be granting these third parties authorization to access their Personal Data.

Therefore, Truora undertakes to take all necessary actions to ensure that both the service providers and the processors working on behalf of the company, as well as other third parties authorized under this Privacy Notice, protect, in all events, the confidentiality of the Personal Information in their charge.

15.1. Exchange of Personal Data.

When formal information exchange agreements are entered into with third parties, Personal Data transfer procedures and/or protocols must be established that include, as a minimum requirement, the following security conditions:

  • Establish responsibilities for control, dispatch, and reception.
  • Mechanisms to ensure traceability and non-repudiation.
  • Establish responsibilities and obligations in the event of information security incidents, such as data loss.
  • Establish contractual safeguards regarding the ownership of information, the care of personal data, respect for copyright, software licenses, and similar legal considerations.
  • Establish formal confidentiality agreements with recipients of information.

15.2. Collection of Information in Exchanges.

All information to be managed or processed by Truora that is considered to be of high and medium confidentiality, or its equivalent, will be received in a previously established format for such transmission between Truora and its clients and/or suppliers, through secure and encrypted means, taking into account the following considerations:

  • The exchange medium must be encrypted and have an authentication system, in addition to an access log to the medium.
  • The transmission of information must be done through a protocol that guarantees the encryption of the data at the time of carrying out the transmission of the information.
  • The exchange medium must have access control limited by IP address, and only the IP addresses previously reported by written communication from the owner of the information must be enabled.
  • The deposited information must be stored on such exchange medium for a maximum of 24 hours. It is necessary to delete, at least once a day, all the information contained in the exchange media.
  • In the event that the owner of the information is unable to provide an information exchange medium with the characteristics described above, Grupo Truora may provide such medium, complying with all the parameters described.
  • The use of the protocol of the client or supplier that respects the highest level of security may be assessed.
  • When information reception mechanisms are established, Truora will establish controls to prevent the entry of viruses or malware into its data network.
  • The exchange of information via email or instant messaging must be carried out in accordance with the guidelines and parameters established in this policy.
  • In the event that confidential data and/or information is shared through telephone calls or video meetings, collaborators are required to take special care regarding when, where, and how the information is shared or commented on, to prevent it from being overheard by unauthorized persons or the general public. Where necessary, private places will be sought to prevent the disclosure of such information. If for any reason it is necessary to transport and/or store physical information, the packaging or file must be strong enough to protect the contents from any damage that may arise, in accordance with the corresponding environmental specifications, for example, to prevent damage from heat or humidity, and prioritizing the security of the physical media through locks and the use of good practices.

16.3. Information Loading

The information received through exchanges is processed by means of extraction, transformation, and loading processes, taking into account the following specifications:

  • Sensitive Data is encrypted before loading the information into the databases of Grupo Truora.
  • Client data must be stored in different databases.
  • All databases are encrypted at rest.
  • The extraction, transformation, and loading processes should be executed in different instances.
  • Validations of the integrity of the loaded data are carried out, taking into account the original database.

16. Cookies and Other Technological Tools

Truora uses cookies and similar technologies to personalize and improve the experience of clients, as well as to show you relevant online advertising. Cookies are small text files containing a unique identifier that is stored on the computer or mobile device through which you access the website and/or mobile applications, so that they can be recognized each time you use the website and/or mobile applications. The Data Subject of the Personal Data may choose to disable some or all of the cookies we use at any time. However, this could restrict your use of the sites and limit your experience on them. The use of cookies does not contain or affect Personal Data and does not represent a danger of viruses.

17. Deletion of Information

Any information storage device that, by the Data Subject’s definition, has become obsolete or has been decommissioned, must be securely deleted in the terms established in the Procedures Manual for the Collection, Storage, Use, and Deletion of Information and the following aspects:

17.1. Deletion Procedure

  • The files will be stored for as long as the Data Subject requests, with prior notice given by means of written communication addressed to the information security committee.
  • On an extraordinary basis, the partial or total deletion of the Data Subject’s information may be requested, which will affect both the files received and all data subsequently generated as a result of the management and Processing carried out by Truora. For this, it is necessary that a request be sent to the Privacy Truora area, which will analyze whether there is any legislation that does not allow its deletion or that requires its retention for a period of time. If applicable, the Privacy Truora area will request the OSI to delete the information from Truora’s databases.
  • When the deletion or destruction of personal information is carried out, a deletion record must be drawn up, with the signature of the areas present and involved in the process, and detailing the fields that were processed for their destruction; in any case, Truora will retain Personal Data of a public nature for purposes of information traceability.
  • Magnetic (electronic) media must be destroyed before being discarded, ensuring that they cannot be read by third parties.
  • In the case of decommissioned computers, their hard drive must be formatted or destroyed, so that the stored information and installed software are logically and physically removed from the equipment.
  • Documents to be deleted must be destroyed by means of paper shredders, which must be available in suitable locations within Truora’s offices.

17.2. Destruction of Backup Media.

Physical Media:

This type of media comprises physical representations of data, generally associated with paper copies (whether handwritten or printed), payment card plastics, FAX, photos, tapes, drums, plates, and printing plates, as well as any other physical device that serves as support for the storage of logical data, among which are:

  • Magnetic media: diskettes, hard drives, magnetic tapes, etc.
  • Optical media: CD, DVD, etc.
  • Magneto-optical media: Zip disks, Jaz disks, SuperDisk, etc.
  • Electronic media: flash memories, ROM and RAM memories, solid-state drive (SSD) units, etc.

Logical Media:

This type of media stores the logical representations of data in the form of bits and bytes and their corresponding structures (files, filesystems, units, etc.).

17.3. Deletion of Logical Data

 


  • Redact: This technique is used to remove certain parts of a digital document to prevent the display of confidential data during a declassification process, including the deletion of metadata and the removal/truncation of images and text.
  • Delete (Erase): This technique performs a simple deletion in which the reference to files at the operating system level is removed (de-indexing), but their data remains on the storage medium and can be recovered using computer forensics techniques.
  • Clear: This method uses logical procedures (software-based) to securely erase data in storage locations to prevent such data from being recovered using computer forensics techniques. Generally, such secure erasure procedures are applied through standard read/write commands on the storage device using overwriting of data with a new value in several passes or applying the factory default values (where overwriting is not supported). Use a secure erasure tool that implements at least one overwrite pass.
  • Purge: This method uses physical or logical techniques to prevent the data on the storage device from being recovered using laboratory techniques (for example, recovery through magnetic remanence), especially when such a device will be reused, recycled, or discarded. It is recommended to use at least one piece of degaussing or purging equipment.

17.4. Deletion of Physical Data

  • Redact: This action applies to written physical media and consists of the sanitization/truncation of certain parts of a document in order to prevent potential disclosures of confidential information (declassification).
  • Destroy: This last method eliminates the data through physical destruction of the medium that stores it, leaving the medium unusable, using techniques such as disintegration, incineration, pulverization, shredding, or melting. The NSA publishes a list of products approved for physical destruction. It is recommended to use at least one destruction device with a security level of 3 (DIN).

18. Modifications to the Privacy Notice

Truora is fully empowered to modify this Privacy Notice. Any change will be published on our website and/or mobile applications. The granting of the Authorization, by whatever means, will be understood as an express manifestation of acceptance of this Privacy Notice. It is the Data Subject’s responsibility to frequently review these Privacy and Personal Data Protection Policies.

20. Term (Validity)

This Privacy Notice is in force as of October 2022 and will be reviewed periodically in the second week of March each year.

21. Issuing, Reviewing, and Publishing Authority

This Privacy Notice has been developed by our Privacy Truora area, led by Gabriela Cala – Legal Counsel; this area is exclusively responsible for the protection of Personal Data and for ensuring the exercise of the rights of the Data Subjects. The Privacy Notice was approved by David Alejandro Cuadrado Cabrera – CTO/OSI.