Comprehensive privacy notice – Mexico

COMPREHENSIVE PRIVACY NOTICE FOR SERVICE PROVIDERS OF RIBO HERMANOS INGENIERÍA EN SISTEMAS DE COMERCIO S.A. de C.V. (RHISCOM MÉXICO)

RIBO HERMANOS INGENIERÍA EN SISTEMAS DE COMERCIO S.A. de C.V., also known as RHISCOM MÉXICO, is a company dedicated to the analysis, design, development, programming, creation, and distribution of all types of software for information management and data administration, internet portals, design and development of general and specific computer programs; as well as the creation and commercialization of computer software, production of graphic and audiovisual materials, among other activities. Its address is Calle Gabriel Mancera 146 Planta Alta, Col. Del Valle Norte, Alcaldía Benito Juárez, C.P. 03103, CDMX. It is responsible for the use and protection of your personal data, and in this regard, we inform you of the following:

The company collects your personal data for the following purposes:

  • I. To identify you and prevent identity theft.
  • II. To fulfill the obligations that RHISCOM MÉXICO has with you.
  • III. To inform you of any situation or change regarding our events, services, and/or products.
  • IV. For the issuance of corresponding invoices.
  • V. To create your administrative file and register you as a service provider of RHISCOM MÉXICO, maintaining an updated, secure, and reliable database, thus streamlining control and optimizing resources in a timely manner.
  • VI. To inform our clients, suppliers, business partners, and/or collaborators about the service providers currently carrying out projects and/or activities with us (to notify your entry and departure once the relationship established in your professional services contract has ended).
  • VII. To validate your service provider process, avoiding misunderstandings.
  • VIII. To follow up on RHISCOM MÉXICO's internal processes.
  • IX. To comply with the provisions of the contract you have signed with us and any other documentation you have executed with RHISCOM MÉXICO.
  • X. To maintain a database of our service providers.
  • XI. To create a portfolio.
  • XII. To carry out the relevant procedures once your commercial and/or contractual relationship with RHISCOM MÉXICO begins.
  • XIII. To carry out the relevant procedures once your service provider relationship with us has ended.
  • XIV. To generate reports, performance statistics, and compliance with RHISCOM MÉXICO's processes, policies, and standards.
  • XV. To maintain internal communication for the proper development of your functions, as well as coordination of activities among service providers.
  • XVI. To make publications on our social networks and/or communication media, known or to be known, regarding your participation in events.
  • XVII. To respond to your questions, clarifications, and complaints.
  • XVIII. To carry out all necessary activities for the administration and management of your service provision.
  • XIX. To maintain permanent contact allowing us to inform you about circulars and important updates related to your role as a service provider, during and after your contractual relationship with RHISCOM MÉXICO.
  • XX. To evaluate your performance.

If you do not wish us to use this information for these main purposes, you must refrain from providing services to RHISCOM MÉXICO. You may communicate your refusal to consent to the processing of your personal data within five (5) days by emailing [email protected]

Additionally, we will use your personal information for the following secondary purposes, which are not necessary for your role as a service provider at RHISCOM MÉXICO, but which allow us to provide you with better service:

  • I. To maintain permanent contact and inform you of our service updates, such as promotions, schedules, payment methods, newsletters, and any other matters that may arise from our commercial relationship.
  • II. To send you advertising and communications for marketing, newsletters, telemarketing, and/or campaign purposes.

If you do not wish your personal data to be used for these additional purposes, you may inform us by sending an email to: [email protected]

Refusal to use personal data for these secondary purposes will not be a reason to deny you the ability to provide services to RHISCOM MÉXICO.

What personal data will we use for these purposes?

The personal data collected from you as the data subject are as follows:

TYPE OF DATA DATA REQUESTED PURPOSE FOR WHICH IT IS REQUESTED
General Personal Data ● Full name of the holder
● Home address (street, number, neighborhood, municipality or borough, postal code, state, and country).
● CURP
● INE
● RFC
● Email address
● Contact phone number
● Nationality
● Age		 Primary and secondary
Business and/or Work Data ● Work references
● Institutional email
● Office contact number		 Primary and secondary
Academic Data ● Educational background
● Professional degrees
● Professional license		 Primary
Financial and Tax Data ● Bank account number
● Name of the company and/or individual to whom the invoice will be issued
● Federal Taxpayer Registry (RFC)
● Tax situation certificate		 Primary
Sensitive Data ● Blood type
● Photograph
● Biometric and image data

Table 1.

The collected personal data will be retained for a period of five (5) years in electronic and physical media. Once the purposes outlined in our privacy policies, including this Privacy Notice, have been fulfilled, they will be discarded to prevent any improper use, in accordance with our deletion policy.

All collected data are handled in accordance with this Privacy Notice and aligned with Mexican legislation, pursuant to the Political Constitution of the United Mexican States, and in compliance with the general guidelines contained in Articles 7, 8, 9, 10, 14, 15, 16, 17, 32, 35, and 36 of the new Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), as well as Articles 14, 24, 26, 27, 28, 30, 40, 41, 68, 90, and 102 of the Regulation of said Law (RLFPDPPP), and other applicable laws regarding personal data processing.

Sensitive Personal Data

Sensitive data refers to personal information that affects the most intimate sphere of the data subject, or whose improper use could result in discrimination or a serious risk. Sensitive data includes, but is not limited to, information that reveals racial or ethnic origin, present and future health status, genetic information, religious, philosophical, and moral beliefs, trade union affiliation, political opinions, or sexual preference.

For reasons of security, loyalty, and transparency with our clients, collaborators, service providers, and suppliers, we require the following data, which may be considered sensitive but are necessary for good business practices:

  • I. Photographs and videos showing your physical features such as face, posture, skin color, and other identifying characteristics (due to recordings and photographs that may take place during your activities as a service provider, for later publication on RHISCOM MÉXICO’s social networks and other communication media, as well as for the dissemination of events, public recognitions, present and/or future, where your personal image may be used).
  • II. Blood type (for the purpose of providing support in case of a medical emergency where knowing your blood type is essential to safeguard your life) while you are providing services with us.

These are the sensitive personal data we may collect from you. By providing any of this data, you declare that you understand its scope and implications, and you freely and voluntarily grant your consent for RHISCOM MÉXICO to process your personal data as stated in its privacy policies and contracts to which this notice is attached.

Transfer of Personal Data

RHISCOM MÉXICO informs you that it may share personal data with the following third parties, in order to comply with the terms of our contract and other documents signed with you:

  • To inform clients, potential clients, and suppliers that you are providing professional services to us, and likewise, to notify them when you cease to do so.

We may also share personal data in the following cases:

  • I. To process payment requests through collection agencies;
  • II. When required by law or by a competent authority with a duly founded and justified order; and
  • III. When required by law or competent authority under the provisions of Article 36 of the LFPDPPP.

What security and protection measures will your personal data have?

Files are stored on information servers with password-restricted access. Backup copies of the information are kept on hard drives, as well as in physical files (for some frequent service providers), all duly protected as indicated herein.

How can you access, rectify, or cancel your personal data?

You have the right to know what personal data we have about you, how we use it, and under what conditions (Access). You also have the right to request correction of your personal data if it is outdated, inaccurate, or incomplete (Rectification); to have it deleted from our records or databases if you believe it is not being used in accordance with legal principles, duties, and obligations (Cancellation); and to oppose the use of your personal data for specific purposes (Opposition). These rights are collectively known as ARCO RIGHTS.

Procedure to Exercise ARCO Rights

To exercise any of the ARCO rights, or to clarify doubts about data processing as outlined in the Internal Manual for Personal Data Protection, you must submit your request to our privacy department via email at: [email protected]

Your ARCO Rights request must include the following information:

  • I. Full name of the applicant (data subject).
  • II. Official identification with photograph proving you are the data subject.
  • III. Contact email to respond to your request.
  • IV. Your relationship with “RHISCOM MÉXICO.”
  • V. The personal data for which you wish to exercise any ARCO rights.
  • VI. Which ARCO right you wish to exercise.
  • VII. The reason for exercising this ARCO right.

This request will be answered by the Privacy Department within a maximum of 20 business days from the business day following the receipt of your request. The only contact method for questions or updates is our email: [email protected]

Regarding the cancellation of your personal data, please note that RHISCOM MÉXICO may not automatically delete it due to ongoing commercial relationships, but once these have concluded, your data will be deleted in accordance with our deletion policy.

Revocation of Consent and Limitation on Data Processing and Use

Revocation of Consent

You may revoke the consent granted for processing your personal data at any time. However, please note that we may not always be able to immediately honor your request or cease data processing, as legal obligations may require continued processing.

To revoke your consent, you must meet the following requirements for your request to be valid:

  • Provide the Responsible Party with any of the following documents:
    • Valid Official Identification and/or
    • Passport
      To verify your identity as the data subject.
  • If applicable, name of your representative and documents proving their identity and authority, which shall include:
    • Representative’s Identification (INE or Passport)
    • Simple Power of Attorney signed by two witnesses, attaching identification of each witness (INE or Passport)
    • Identification of the Data Subject being represented (INE or Passport)
  • Email address for responses and notifications.
  • Clear and precise description of the personal data for which you wish to revoke consent, which the “Responsible Party” is currently processing.
  • If applicable, documents or information that help locate the personal data, including the area in charge of processing for revocation purposes.

All documentation must be submitted in PDF and/or scanned format. Both the documentation and your request should be sent to: [email protected]

Limitation of Personal Data Processing

Limiting the processing of your personal data concerns the third parties with whom the Responsible Party shares your information. If you do not wish your data to be shared with any of the third parties listed in this Privacy Notice, you may limit such transfer (except in cases provided under Article 37 of the Federal Law on Protection of Personal Data Held by Private Parties) by submitting your request as follows:

  • A written free-form request identifying which transfer you wish to limit and why.
  • Provide the Responsible Party with any of the following documents:
    • Valid Official Identification and/or
    • Passport
    • To verify your identity as the data subject.
  • If applicable, name of your representative and documents proving their identity and authority, which shall include:
    • Representative’s Identification (INE or Passport)
    • Simple Power of Attorney signed by two witnesses, attaching identification of each witness (INE or Passport)
    • Identification of the Data Subject being represented (INE or Passport)
  • Email address for responses and notifications.
  • Clear and precise description of the personal data for which you wish to limit processing.
  • If applicable, documents or information to help locate the personal data, including the processing area responsible for the limitation.

All required documentation must be submitted in PDF and/or scanned format. Both the documentation and your request should be sent to: [email protected]

Changes to this Privacy Notice

Any changes to this Privacy Notice will be communicated to you via the email address or contact number you have provided. You may also request this information directly by emailing: [email protected]

General Glossary:

Consent: The free, specific, and informed expression of will by the data subject through which their data is processed.
Personal Data: Any information relating to an identified or identifiable individual. A person is considered identifiable when their identity can be determined directly or indirectly through any information.
Data Processor: A natural or legal person who, alone or jointly with others, processes personal data on behalf of the controller.
Controller: Regulated entities.
Regulated Entities: Natural or legal private persons who process personal data.
Data Subject: The person to whom the personal data belongs.

Last updated: June 1, 2025