Privacy Notice

Privacy notice in compliance with Mexico's LFPDPPP

Last updated: April 2, 2026

Data Controller Identity

TLALOC WEB SERVICES, Sociedad por Acciones Simplificada de Capital Variable ("Tlaloc", "we", "us"), with RFC TWS241119PK0 and domicile in Zapopan, Jalisco, Mexico, is responsible for the processing of your personal data in accordance with Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations.

Data protection contact: hello@tlaloc.sh

1. Personal Data We Collect

1.1 Registration and account data

  • Email address
  • Password (stored hashed, never in plain text)
  • Company or organization name (optional)

1.2 Fiscal data (when the Client requests invoicing)

  • Business name
  • RFC (tax ID)
  • Tax regime
  • Fiscal postal code
  • CFDI usage

1.3 Service usage data

  • API request timestamps and frequency
  • Endpoints used
  • Response codes and processing times
  • IP address (for access control and security)
  • Service unit consumption

1.4 API request data (temporary storage)

Data that the Client sends through the validation APIs (CURP, RFC, phone numbers, postal codes, etc.) is temporarily stored for a maximum of 30 days exclusively for technical diagnostics and service improvement purposes. After this period, it is automatically and permanently deleted.

1.5 AI assistant data (Tlaloque)

Conversations and configurations of AI assistants are stored while the assistant is active and are permanently deleted when the assistant is removed.

1.6 Website browsing data

Through Google Analytics we collect browsing data not linked to user identity: pages visited, device/browser type, approximate country/city, referral source. Google Analytics does not have access to personal data from user accounts.

2. Purposes of Processing

2.1 Primary purposes (necessary for Service delivery)

These purposes do not require additional consent and are essential for the contractual relationship:

  • Create and manage your user account.
  • Authenticate API requests through API keys.
  • Process SPEI deposits and credit service units.
  • Issue CFDI in accordance with current tax regulations.
  • Control unit consumption and enforce balance validity.
  • Provide data validation services (Mexico-API) and AI assistants (Tlaloque).
  • Send operational notifications: deposit confirmation, low balance alerts, unit expiration notices (30 days in advance), assistant suspension or deletion, scheduled maintenance.
  • Handle technical support requests.
  • Prevent fraud, abuse, and unauthorized use of the Service.

2.2 Secondary purposes (not necessary for the Service)

You may deny or revoke your consent for these purposes without affecting Service delivery:

  • Send communications about new services, features, or platform updates.
  • Analyze aggregated usage patterns to improve the Service.

To deny or revoke consent for secondary purposes, send an email to hello@tlaloc.sh with the subject "Consent revocation — secondary purposes".

3. Data Transfers

Tlaloc may transfer personal data to the following third parties for the indicated purposes:

These transfers are necessary for the delivery of the Tlaloque service. Providers operate under their own privacy policies and data processing terms.

Transfers that do not require consent (Art. 37 LFPDPPP):

  • When required by a competent authority through a judicial or administrative order.
  • When necessary for the fulfillment of tax obligations.

Tlaloc does not sell, rent, or trade personal data with third parties for marketing or advertising purposes.

4. Security Measures

4.1 Technical measures

  • TLS/HTTPS encryption for all communication with the platform.
  • Encrypted data storage at rest.
  • Hashed API keys for secure authentication.
  • Tlaloc's own bare-metal server infrastructure located in Mexico, not dependent on public cloud providers.
  • Continuous security and access monitoring.

4.2 Administrative measures

  • Restricted access to personal data based on the need-to-know principle.
  • Internal information handling policies.

4.3 Incident response

In the event of a security breach that significantly affects the property or moral rights of data subjects, Tlaloc will:

  • Immediately notify the affected individual by email.
  • Describe the nature of the incident and the data compromised.
  • Indicate the corrective actions implemented.
  • Provide recommendations for the individual to protect their interests.

5. Data Retention

6. ARCO Rights

You have the right to Access, Rectify, Cancel, or Object to the processing of your personal data (ARCO rights), in accordance with articles 28 to 35 of the LFPDPPP.

6.1 Procedure

To exercise your ARCO rights, send a request to hello@tlaloc.sh with the subject "ARCO Request" containing:

  1. Full name of the data subject and email address associated with the account.
  2. Clear description of the right you wish to exercise (access, rectification, cancellation, or objection).
  3. Description of the personal data for which you wish to exercise the right.
  4. Any document or information that facilitates locating the data.

6.2 Response times

  • Acknowledgment of receipt: 5 business days from receipt of the request.
  • Substantive response: 20 business days from receipt of the request.
  • Execution (if applicable): 15 business days from the communication of the response.

6.3 Means to revoke consent

You may revoke your consent for the processing of personal data at any time by sending an email to hello@tlaloc.sh with the subject "Consent revocation". Revocation will not affect the lawfulness of processing carried out prior to revocation. Please note that revoking consent for primary purposes will result in the inability to provide the Service and termination of your account.

7. Cookies

7.1 Essential cookies

We use strictly necessary cookies for:

  • User session management (authentication).
  • Security (CSRF protection).

These cookies do not require consent as they are essential for Service operation.

7.2 Analytics cookies

Google Analytics uses cookies to collect anonymized browsing data. You can disable these cookies by configuring your browser or using the Google Analytics opt-out add-on.

8. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not intentionally collect personal data from minors. If we detect that we have collected data from a minor, we will delete it immediately.

9. International Transfers

Your personal data is stored and processed on infrastructure located in Mexico. International transfers are made only to the AI service providers indicated in Section 3, as necessary for the delivery of the Tlaloque service.

10. Changes to This Privacy Notice

Tlaloc may modify this Privacy Notice at any time. Changes will be published at console.tlaloc.sh and notified by email. The current version will always be available at www.tlaloc.sh/en/legal/privacy.

11. Competent Authority

If you believe your right to personal data protection has been violated, you may contact Mexico's National Institute for Transparency, Access to Information and Personal Data Protection (INAI) — www.inai.org.mx.

12. Contact

For any inquiries about this Privacy Notice or to exercise your rights:

Email: hello@tlaloc.sh
Address: Zapopan, Jalisco, Mexico
Response time: Acknowledgment within 5 business days, response within 20 business days.


© 2026 Tlaloc Web Services, S.A.S. de C.V. All rights reserved.