Privacy Policy

Last updated: September 16, 2025

Tlaloc Web Services ("us", "we", or "our") operates the https://www.tlaloc.sh website and provides API services for Mexican data validation (the "Service").

This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

Email address
Company name (optional)
Billing information for paid plans
API usage statistics

1.2 API Usage Data

We collect:

Request timestamps and frequency
API endpoint usage
Response codes and processing times
IP addresses for rate limiting and security
Anonymized usage patterns
Request data (temporarily, maximum 30 days) for diagnostics and service improvement

1.3 Website Analytics

We use analytics tools to collect:

Page views and navigation patterns
Device and browser information
Geographic location (country/city level)
Referral sources

Important: The data you send to our validation APIs (CURP, RFC, phone numbers, etc.) may be temporarily stored for a maximum of 30 days for the purpose of identifying technical issues, improving the service, and ensuring quality. After this period, the data is automatically and permanently deleted.

2. How We Use Your Information

2.1 Service Provision

Authenticate API requests
Apply usage limits and rate limiting
Process billing and payments
Provide customer support

2.2 Service Improvement

Analyze usage patterns to improve performance
Identify and resolve technical issues
Develop new features and services
Ensure system security and prevent abuse
Monitor service reliability
Optimize validation response quality

2.3 Communication

Send service updates and maintenance notices
Respond to support requests
Send billing notifications
Share important security updates

3. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in these circumstances:

3.1 Service Providers

Payment processors (Stripe, PayPal)
Email service providers (for notifications)
Analytics services (Google Analytics)
Cloud hosting providers (AWS, Google Cloud)

3.2 Legal Requirements

Compliance with legal obligations
Protection of our rights and property
Investigation of fraud or security issues
Court orders or government requests

3.3 Business Transfers

In case of merger, acquisition, or sale of assets, user information may be transferred as part of the business transaction.

4. Data Security

4.1 Technical Measures

HTTPS encryption for all data transmission
API keys for secure authentication
Regular security audits and monitoring
Secure cloud infrastructure

4.2 Access Controls

Limited employee access to personal data
Multi-factor authentication for admin accounts
Regular access reviews and updates
Encrypted data storage

4.3 Incident Response

Immediate notification of security breaches
Rapid containment and investigation
Timely communication to affected users
Continuous monitoring and improvement

5. Data Retention

5.1 Account Data

Kept for the duration of your active account
Deleted within 30 days of account closure
Billing records retained for 7 years (legal requirement)

5.2 API Usage Logs

Aggregated usage statistics kept for 12 months
Individual request logs deleted after 30 days
Validation data (CURP, RFC, etc.) stored temporarily for maximum 30 days for diagnostics and service improvement, then permanently deleted

5.3 Website Analytics

Analytics data retained for 26 months
Can be anonymized upon request
Automatically purged after retention period

6. Your Rights

6.1 Access and Portability

Request copies of your personal data
Export your account and usage information
Receive data in machine-readable format

6.2 Correction and Deletion

Update your account information anytime
Request deletion of your personal data
Close your account and remove all data

6.3 Control and Consent

Opt-out of non-essential communications
Withdraw consent for data processing
Object to automated decision-making

7. International Data Transfers

Our services are operated from Mexico. If you access our services from other countries:

Your data may be transferred to and stored in Mexico
We ensure adequate protection through contractual safeguards
We comply with applicable international data protection laws

8. Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect personal information from children under 16. If we become aware of such collection, we will delete the information immediately.

9. Cookies and Tracking

9.1 Essential Cookies

Session management
Authentication
Security features
Load balancing

9.2 Analytics Cookies

Website usage analytics
Performance monitoring
User experience improvement

You can disable cookies in your browser, but this may affect service functionality.

10. Third-Party Services

10.1 Payment Processing

We use secure third-party payment processors who have their own privacy policies:

Stripe Privacy Policy
PayPal Privacy Policy

10.2 Analytics

We use Google Analytics with IP anonymization enabled. You can opt-out using Google's opt-out tools.

11. Updates to This Policy

We may update this Privacy Policy periodically. We will:

Post updates on this page
Email users about significant changes
Maintain previous versions for reference
Allow time for review before changes take effect

12. Regional Compliance

12.1 Mexico (LFPDPPP)

We comply with Mexico's Federal Law on Protection of Personal Data Held by Private Parties.

12.2 GDPR (EU)

For EU users, we provide all rights required under GDPR including portability, erasure, and objection.

12.3 CCPA (California)

California residents have additional rights including the right to know, delete, and opt-out of sale.

13. Contact Information

For questions about this Privacy Policy or to exercise your rights:

Privacy Officer: privacy@tlaloc.sh
General Contact: hello@tlaloc.sh
Address: Ciudad de México, México

Response Time: We respond to privacy requests within 30 days.