Privacy Notice

Last updated: June 2026 · Version 1.2

1. Data Controller

ProveedorMX (hereinafter "ProveedorMX" or the "Controller"), operated from Mexico, is responsible for processing the personal data it collects through the proveedormx.lat platform and its associated services, in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations.

Controller contact and channel to receive privacy requests, ARCO rights, and notices: soporte@proveedormx.lat

When it is legally necessary to identify a physical address or additional corporate data of the Controller, ProveedorMX will provide them through the same contact channel and will update this Notice.

2. Personal Data We Collect

2.1 Identification and contact data:

  • Full name
  • Email address
  • Phone number (optional)

2.2 Company data (legal entity):

  • Legal name and trade name
  • RFC (Federal Taxpayer Registry)
  • Tax and commercial address
  • City, state, and country
  • Company website
  • Logo and corporate images
  • Banking data needed for payments, refunds, reconciliation, or verification (for example, bank and CLABE)
  • Tax documents, receipts, certifications, factory evidence, or supplier verification information

2.3 Operational and commercial data:

  • Technical specifications of requests for quotation (RFQs)
  • Quotes, prices, and commercial terms
  • Purchase order information
  • Message history on the platform
  • Sample requests and shipping addresses

2.4 Payment data:

Credit or debit card data is processed directly by Stripe through its PCI-DSS-certified infrastructure. ProveedorMX does not store, transmit, or have access to full payment card data. We only retain the Stripe session identifiers needed to reconcile payments, refunds, disputes, fees, and operational tracking.

2.5 Browsing and technical data:

  • IP address and approximate location
  • Browser type and operating system
  • Pages visited and actions on the platform (aggregated analytics)
  • Session tokens (stored in a PostgreSQL database)

2.6 Waitlist:

If you join the waitlist, we collect only your email address and the source of the registration (e.g., the website banner).

We do not collect sensitive data as defined by the LFPDPPP (racial origin, genetic data, health, religion, political opinions, sexual preference).

3. Processing Purposes

3.1 Primary purposes (necessary for the service):

  • Create, authenticate, and manage user accounts via email OTP
  • Facilitate commercial connection between buyers and suppliers through RFQs
  • Process quotes, purchase orders, and payments
  • Manage the internal messaging system tied to active RFQs
  • Verify the identity and operational capacity of registered suppliers
  • Coordinate product sample requests
  • Send transactional notifications related to your activity (new quotes, messages, payment confirmations)
  • Comply with applicable legal, tax, and regulatory obligations

3.2 Secondary purposes (optional — they do not affect the core service):

  • Sending newsletters, platform updates, and supplier offers
  • Aggregated statistical analysis to improve the platform
  • Internal market research (without individual identification)

If you do not want your data to be used for secondary purposes, you may state so by sending an email to soporte@proveedormx.lat with the subject "Objection to secondary purposes". This refusal will not affect access to the service.

4. Legal Basis for Processing

  • Contract performance: data necessary to provide the contracted service (Art. 8 LFPDPPP)
  • Consent: for secondary purposes and marketing communications
  • Legal obligation: to comply with tax requirements or those of competent authorities
  • Legitimate interest: for fraud prevention, platform security, and aggregated usage analysis

5. Transfers and Data Processors

ProveedorMX does not sell or transfer personal data to third parties for its own commercial purposes. However, to operate the Platform we rely on technology providers that act as data processors:

| Provider | Purpose | Country |
|---|---|---|
| Neon (AWS) | PostgreSQL database storage | USA |
| Vercel | Hosting and execution of the web application | USA |
| Stripe, Inc. | Card payment processing | USA |
| Resend | Sending transactional emails | USA |
| Vercel Analytics | Platform usage statistics (aggregated data) | USA |

These transfers are carried out under contractual clauses that require processors to treat data confidentially and exclusively for the stated purposes. As international transfers, the data subject is informed in accordance with the LFPDPPP. By using the Platform and providing data necessary for payments, hosting, authentication, transactional email, or analytics, the data subject acknowledges that such data may be processed or stored outside Mexico by the processors indicated.

Additionally, we may disclose data when required by an authority with legal powers (court order, tax requirement, PROFECO, CONDUSEF, or an equivalent body).

6. Data Visible to Third Parties

Registered suppliers agree that the following information may be publicly visible in the Platform directory: company name, general description, city, verification, production capabilities, and packaging types. The contact's personal data (the representative's name and email) is not displayed publicly and is only accessible to counterparties with an active RFQ or an initiated conversation.

7. Retention Period

  • Account data: while the account is active, plus an additional 12 months after cancellation to comply with legal obligations
  • Transaction and payment records: 5 years (tax period under the CFF)
  • Messages and RFQs: 2 years from the transaction close date
  • Sent email records (logs): 90 days
  • Waitlist: until the data subject requests deletion or until the public launch of the Platform, whichever comes first
  • Session data: automatically deleted when the session expires

8. Information Security

We implement technical and administrative security measures that include:

  • Encryption in transit via HTTPS/TLS on all communications
  • Authentication via a one-time verification code (OTP), with no static passwords
  • Data storage in a PostgreSQL database with access restricted by rotating credentials
  • Role-based access control in the application (buyer, supplier, administrator)
  • No storage of payment card data in our systems
  • Logging of critical operations (payment creation, verification changes, administrative access)

No internet-connected system can guarantee absolute security. In the event of a security breach that significantly affects your property or moral rights, ProveedorMX will notify you without unreasonable delay through your registered email, in accordance with the information available and applicable law.

9. ARCO Rights and Withdrawal of Consent

As the owner of personal data, you have the right to:

  • Access: know what personal data we hold about you and what we use it for
  • Rectification: request the correction of incorrect or incomplete data
  • Cancellation: request the deletion of your data when it is no longer necessary, subject to legal retention obligations
  • Objection: object to the processing of your data for specific purposes
  • Withdrawal of consent: withdraw your consent for secondary purposes at any time

To exercise any of these rights, send an email to soporte@proveedormx.lat with the subject "ARCO Rights", including:

  • Your full name and the email registered on the platform
  • A clear description of the right you wish to exercise
  • A copy of valid official identification

We will respond within a maximum of 20 business days from receipt of the complete request. If the request is granted, we will make it effective within the following 15 business days.

Withdrawal of consent will not have retroactive effects nor affect the processing carried out before its submission. In some cases, the cancellation of data may make it impossible to continue providing the service.

When technically feasible and where it does not affect third-party rights, trade secrets, security, investigations, legal compliance, or transaction records, we may provide a structured copy of certain account data in CSV or JSON format.

10. Cookies and Tracking Technologies

We use the following cookies and technologies:

| Type | Purpose | Required |
|---|---|---|
| Session (better-auth) | Maintain the user's authenticated session | Yes |
| localStorage (banner) | Remember whether the user dismissed the waitlist banner | No |
| Vercel Analytics | Aggregated, anonymous visit statistics | No |

We do not use advertising, retargeting, or third-party behavioral tracking cookies. You can configure your browser to reject or delete cookies; however, the authenticated session requires the session cookie to work correctly.

11. Minors

The Platform is intended exclusively for persons over 18 years of age acting on behalf of legal entities or as individuals with business activity. ProveedorMX does not intentionally collect personal data from minors. If we detect that a minor has provided data without the consent of their guardian, we will proceed to delete it immediately.

12. Data Protection Authority

If you believe that your ARCO rights request was not handled correctly, you have the right to file a complaint, report, or proceeding before the competent authority for personal data protection in Mexico. Under the framework in force as of 2025, federal functions in this area fall within the scope of the Secretariat for Anti-Corruption and Good Governance and the competent units or successors as applicable. Its official website is gob.mx/buengobierno.

13. Changes to the Privacy Notice

ProveedorMX reserves the right to update this Privacy Notice. Any modification will be published at www.proveedormx.lat/privacidad with the new update date. For material changes that affect your rights, we will notify you by email at least 10 days before they take effect. Continued use of the Platform after the changes take effect implies your acceptance.

14. Contact

For any inquiry related to this Privacy Notice or the processing of your personal data:

Email: soporte@proveedormx.lat
Suggested subject: "Privacy Notice" or "ARCO Rights"