Integral Privacy Notice

Responsible Party: Eduardo Rodrigo Silva Orozco (EDIRA)Effective Date: May 12, 2026Version: 1.0

This Privacy Notice is issued by Eduardo Rodrigo Silva Orozco, an individual with business activities operating under the trade name “EDIRA”, with a registered address for notifications in the city of Santiago de Querétaro, State of Querétaro, Mexico (hereinafter referred to as “the Responsible Party” or “EDIRA”).

For communication purposes regarding the processing of personal data, the Responsible Party provides the following channels of contact:

EDIRA is a specialized technology consulting firm focusing on data analytics, artificial intelligence, and digital architecture. The services rendered include, but are not limited to: cloud data architecture, data engineering (ETL/ELT processes and integrations), advanced analytics (dashboards and KPIs), predictive AI, data governance, and C-Suite executive decision intelligence advisory (“Decision Intelligence”). Providing these services strictly requires the processing of personal data, and thus this document comprehensively regulates such processing.

SECOND. PERSONAL DATA COLLECTED

The Responsible Party collects, stores, and, when applicable, processes the following categories of personal data, adhering to the principles of necessity and proportionality outlined in Articles 6 and 12 of the LFPDPPP:

A) PERSONAL IDENTIFICATION DATA

  • Full name of the data subject or legal representative
  • Job title or position within the organization
  • Name of the company or organization to which they belong

B) CONTACT DATA

  • Corporate or personal email address
  • Telephone number (landline or mobile)
  • City, state, and country of residence or corporate address
WARNING TO THE DATA SUBJECT: The Responsible Party strictly prohibits the data subject from sending sensitive personal data—whether through web forms, email, or any other communication channel—without prior written authorization from EDIRA. The unauthorized submission of sensitive data shall be the sole responsibility of the sender, and EDIRA shall be released from any liability or obligations resulting from such actions, without prejudice to the legal requirements applicable to the Responsible Party under current laws.

THIRD. PURPOSES OF PROCESSING

The processing of personal data collected by EDIRA is carried out solely for the purposes described below, which are classified as: (A) primary or necessary purposes to fulfill the contractual or pre-contractual relationship, and (B) secondary purposes of a commercial nature or for service improvement, for which the data subject may withhold consent pursuant to the Fourth Clause of this Notice.

A) PRIMARY PURPOSES (NECESSARY)

The following purposes are indispensable to provide EDIRA\'s services and to comply with the Responsible Party\'s legal and contractual obligations. Withholding consent for these purposes will make it impossible to establish or continue the service relationship:

  • Attend, register, and follow up on requests for information received through web forms, email, and direct communication.
  • Comply with the legal and regulatory obligations applicable to the Responsible Party under tax, commercial, civil, and data protection laws.
  • Resolve disputes, claims, or controversies arising from the commercial relationship.
  • Maintain operational communication with the data subject during the term of the service agreement.

B) SECONDARY PURPOSES (COMMERCIAL AND IMPROVEMENT)

The following purposes are not indispensable for the service relationship, but they allow EDIRA to improve its services, personalize communication, and develop new solutions. The data subject may withhold consent for these purposes using the mechanism established in the Fourth Clause without affecting the rendering of the contracted services:

  • Send information about new services, methodology updates, case studies, and specialized materials on data analytics and artificial intelligence.
  • Conduct internal market research, customer satisfaction surveys, and commercial positioning studies for EDIRA.
  • Develop general (non-individualized) profiles on industrial sectors and technology needs to improve the service portfolio.
  • Contact the data subject to offer complementary services, updates, or renewals of previously executed projects.
  • Use testimonies or references of the data subject (with prior express consent) in EDIRA\'s commercial materials or institutional communications.

FOURTH. MECHANISM TO WITHHOLD CONSENT FOR SECONDARY PURPOSES

In compliance with Article 8 of the LFPDPPP, the data subject has the right to withhold consent for the processing of their personal data for secondary or accessory purposes, without such refusal affecting the service relationship with EDIRA.

To exercise this right, the data subject must:

  • Send an email to info@edira.dev with the subject line: “SECONDARY PURPOSES OBJECTION – (FULL NAME)”.
  • Indicate in the body of the message: full name, company name, and a specific description of the secondary purposes for which consent is withheld.
  • Attach a copy of a valid official identification to verify their identity.

The Responsible Party will process the request within a maximum of fifteen (15) business days from the receipt of the email, confirming the update of processing preferences to the data subject.

FIFTH. USE OF COOKIES AND TRACKING TECHNOLOGIES

EDIRA\'s website (www.edira.dev) may use cookies, web beacons, and similar tracking technologies to improve the browsing experience and analyze site traffic. The typology of these technologies is described below:

A) ESSENTIAL OR TECHNICAL COOKIES

These are indispensable for the correct functioning of the website. They enable basic navigation and access to portal sections. They cannot be deactivated without affecting site functionality. They do not require the prior consent of the user, as their installation is strictly for technical purposes.

B) ANALYTICAL COOKIES

These allow us to quantify the number of visitors, analyze browsing behavior, and evaluate the effectiveness of the published content. The collected data is aggregated and does not allow direct user identification. EDIRA may use third-party tools or equivalent platforms for this purpose. The use of these cookies requires the user\'s consent.

C) MARKETING OR PERSONALIZATION COOKIES

These allow the display of relevant content and personalized offers based on the user\'s browsing profile.

The user can manage and disable cookies through their web browser settings. However, disabling essential cookies may prevent the website from functioning correctly. For more information on managing cookies in major browsers, the data subject may consult their browser\'s privacy settings.

SIXTH. TRANSFER OF PERSONAL DATA

The Responsible Party may transfer personal data to third parties solely under the assumptions and conditions described below, pursuant to Articles 36 to 43 of the LFPDPPP and Articles 67 to 75 of its Regulations:

A) TRANSFERS TO TECHNOLOGY PROVIDERS AND DATA PROCESSORS

To render its services, EDIRA uses technological platforms and providers that act as data processors under Article 3, Section IV of the LFPDPPP. These providers may include, but are not limited to:

  • Cloud computing services: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, or equivalent providers, subject to their own privacy policies and international security certifications.
  • Productivity and collaboration tools: Microsoft 365 (including Outlook and OneDrive), Teams, or other collaborative platforms.
  • Form and lead generation platforms: Microsoft Forms or equivalent tools used to receive information requests.
  • Analytics and business intelligence tools: data visualization software, BI (Business Intelligence) platforms, and artificial intelligence solutions, selected according to project requirements.
  • Application Programming Interfaces (APIs): connections with third-party systems required to execute data integrations contracted by the client.

All technology providers acting as data processors are bound by contractual confidentiality and data protection obligations, pursuant to Article 50 of the Regulations of the LFPDPPP.

B) TRANSFERS PERMITTED WITHOUT THE DATA SUBJECT\'S CONSENT

Pursuant to Article 37 of the LFPDPPP, the data subject\'s consent is not required for transfers carried out under the following circumstances:

  • When the transfer is provided for in a law or treaty to which Mexico is a party.
  • When the transfer is made to parent companies, subsidiaries, or affiliates under the common control of the Responsible Party, or to a parent company or any group company operating under the same internal processes and policies.
  • When the transfer is necessary by virtue of an agreement entered into or to be entered into in the interest of the data subject, between the Responsible Party and a third party.
  • When the transfer is necessary or legally required to safeguard a public interest or for the administration of justice.
  • When the transfer is precise for the recognition, exercise, or defense of a right in a judicial process.
  • When the transfer is precise to maintain or fulfill a legal relationship between the Responsible Party and the data subject.

C) PROHIBITION ON THE SALE OF DATA

EDIRA expressly declares that it DOES NOT sell, lease, or commercialize the personal data of its data subjects to any third party. Any transfer of data will be carried out solely to fulfill the objectives established in this Privacy Notice.

SEVENTH. STORAGE, SECURITY, AND PROTECTION MEASURES

EDIRA implements administrative, technical, and physical security measures to protect personal data against damage, loss, alteration, destruction, unauthorized use, access, or processing, pursuant to Article 19 of the LFPDPPP and Articles 57 to 63 of its Regulations.

A) ADMINISTRATIVE MEASURES

  • Application of the principle of least privilege: only strictly necessary personnel or collaborators have access to the personal data of data subjects, to the extent indispensable to perform their duties.
  • Data protection training and awareness for EDIRA staff.
  • Establishment of internal policies for the handling, processing, and deletion of personal data.
  • Signing confidentiality agreements with employees, contractors, and providers who have access to personal data.

B) TECHNICAL MEASURES

  • Use of platforms with encryption in transit (TLS/SSL) and at rest for information storage.
  • Access to systems protected by multi-factor authentication (MFA) when supported by the platform.
  • Configuration of permissions and access roles in cloud storage tools (OneDrive, AWS, Azure, or others).
  • Regular backups of the stored information.

C) CONSIDERATIONS REGARDING CURRENT STORAGE

EDIRA acknowledges that its current operational model involves storing personal data mainly in: (i) corporate email (Microsoft Outlook or equivalent platform), and (ii) digital files on Microsoft 365\'s OneDrive platform. The Responsible Party commits to:

  • Maintain these platforms under the security standards offered by the service provider, including encryption and access controls.
  • Progressively migrate toward structured storage solutions with greater access controls as the business grows.
  • Not store sensitive or confidential information in unprotected or publicly accessible formats.

The Responsible Party warns data subjects that email, as a communication channel, carries inherent security risks. EDIRA implements best practices on its platform but cannot guarantee absolute security for external transit communications. The data subject is advised to refrain from sending highly confidential information via email without additional encryption.

EIGHTH. ARCO RIGHTS (ACCESS, RECTIFICATION, CANCELLATION, AND OBJECTION)

Pursuant to Articles 22 to 35 of the LFPDPPP and Articles 76 to 108 of its Regulations, the data subject is entitled to the following rights:

A) DESCRIPTION OF ARCO RIGHTS

  • ACCESS: The right to know what personal data the Responsible Party holds, the purposes for which it is processed, and the third parties to whom it has been transferred.
  • RECTIFICATION: The right to request the correction or update of inaccurate, incomplete, or outdated personal data.
  • CANCELLATION: The right to request the deletion of personal data from the Responsible Party\'s systems once it is no longer necessary for the purposes for which it was collected, or when the data subject revokes their consent.
  • OBJECTION: The right to object to the processing of personal data for specific purposes under legitimate grounds, or when processed for secondary purposes.

B) PROCEDURE TO EXERCISE ARCO RIGHTS

To exercise any of the rights described above, the data subject must send a request to the Responsible Party through the following channel:

  • Email: info@edira.dev
  • Subject Line: “ARCO RIGHTS REQUEST – (RIGHT REQUESTED) – (FULL NAME)”

The request must contain, at a minimum, the following elements:

  • Full name of the data subject and, if applicable, the legal representative\'s name with proof of power of attorney.
  • Clear and precise description of the ARCO right to be exercised.
  • Indication of the personal data in question, or the processing to be limited or objected to.
  • A copy of a valid official identification of the data subject (INE/IFE, passport, professional license, or equivalent).
  • Any document that facilitates locating the personal data subject to the request.
  • Address or email address to receive the response from the Responsible Party.

C) LEGAL TIMEFRAMES

The Responsible Party will respond to requests within the following timeframes under Article 32 of the LFPDPPP:

  • Timeframe to resolve request admissibility: twenty (20) business days from the date of receipt.
  • Timeframe to implement resolution: fifteen (15) additional business days from the communication of the response.
  • In the case of Access requests, the Responsible Party will make the personal data available in an understandable format within the indicated timeframe.

A data subject who considers their request has been handled incorrectly or that their rights have not been properly safeguarded may file a complaint with the National Institute for Transparency, Access to Information and Personal Data Protection (INAI) through its website www.inai.org.mx, pursuant to the procedure set forth in Articles 94 to 107 of the LFPDPPP.

NINTH. REVOCATION OF CONSENT

The data subject may revoke their consent for personal data processing at any time, without retroactive effects, pursuant to Article 8, fourth paragraph of the LFPDPPP. The revocation of consent must be submitted via written letter or email to info@edira.dev indicating:

  • Full name of the data subject.
  • Description of the consent to be revoked and the personal data in question.
  • A copy of a valid official identification.

The Responsible Party will analyze the request and notify its decision within twenty (20) business days. In cases where data processing is indispensable to fulfill an active contractual relationship, revocation may lead to the termination of the contract without liability for the Responsible Party.

Consent revocation does not have retroactive effects on processing carried out prior to the date the request is determined to be valid. The Responsible Party may retain personal data necessary to comply with pending legal or contractual obligations even after consent is revoked.

TENTH. LIMITING THE USE OR DISCLOSURE OF PERSONAL DATA

The data subject may request the restriction of the use or disclosure of their personal data when: (i) a cancellation request has been filed but not yet resolved, or (ii) a controversy regarding processing must be settled beforehand. The request must be made in writing via email to info@edira.dev with the subject line: “RESTRICTION OF USE AND DISCLOSURE”.

The Responsible Party will resolve the request within twenty (20) business days. During the resolution period, the Responsible Party will restrict the use of data to purposes strictly necessary to comply with active legal or contractual obligations.

The Responsible Party maintains a registry of data subjects who have requested the restriction of use or disclosure of their data to ensure compliance within its processing systems.

ELEVENTH. RETENTION AND DELETION OF PERSONAL DATA

Personal data collected by EDIRA will be retained only for the time necessary to fulfill the purposes for which it was collected and, in any case, as long as legal, tax, contractual, or other obligations requiring its storage persist. The retention criteria are as follows:

  • Contact and commercial prospecting data (without a formalized agreement): up to twelve (12) months from the last contact, unless the data subject requests prior cancellation.
  • Data with tax relevance: up to the maximum term established by the Federal Fiscal Code for storing accounting and tax records (currently five years, with possible extensions in specific cases).
  • Browsing data and analytical cookies: pursuant to the policies of the provider of the analytics tool used, not exceeding twenty-four (24) months.

Once the applicable retention periods expire and all related obligations are satisfied, the Responsible Party will proceed with the secure and irreversible deletion of the personal data, using methods that prevent its recovery.

TWELFTH. CHANGES TO THE PRIVACY NOTICE

EDIRA reserves the right to update, modify, or extend this Privacy Notice at any time to reflect changes in its processing practices, applicable legislation, or services offered. These changes will be effective upon publication on the website www.edira.dev.

The mechanism for notifying changes to this Notice will be as follows:

  • Publication of the updated version on the website www.edira.dev, indicating the effective date of the new version.
  • When changes are substantial—especially if they involve processing data for purposes other than those originally disclosed or transferring it to third parties not listed in the original notice—the Responsible Party will notify the data subject via the email address on file.

Continued use of EDIRA\'s services or the absence of an express objection within fifteen (15) business days following the notification shall be understood as acceptance of the updated terms, to the extent permitted by applicable laws, pursuant to Article 14 of the LFPDPPP.

THIRTEENTH. DATA SUBJECT\'S LIABILITY FOR THE DATA PROVIDED

The data subject is solely responsible for the truthfulness, accuracy, validity, and legality of the information provided to EDIRA through any means, including web forms, email, and direct communication. To define liabilities, the data subject acknowledges and accepts the following:

  • Third-party data: The data subject must not provide personal data of third parties without proper legal authorization. If the data subject shares personal data of collaborators, employees, or others within a consulting project, they declare having the corresponding consent or a valid legal basis under the LFPDPPP. The Responsible Party assumes no liability for processing third-party data provided without authorization.
  • Open text fields in forms: EDIRA\'s contact and diagnostic forms may contain open text fields. The data subject undertakes, under their own responsibility, not to include sensitive personal data, third-party confidential information, trade secrets, or information whose disclosure implies breaching the data subject\'s own legal or contractual obligations. EDIRA shall not be responsible for content the data subject chooses to include in unstructured fields.
  • Accuracy of information: The data subject is obligated to notify the Responsible Party of any relevant changes to their personal data (especially contact details) to keep the information updated. The failure to notify changes in a timely manner shall not be attributable to the Responsible Party.
  • Improper use of communication channels: The data subject shall refrain from using EDIRA\'s contact channels (email, forms) to send spam, malicious code, or any illicit content. EDIRA reserves the right to take appropriate legal and technical measures in the event of any improper use.

FOURTEENTH. USE OF THIRD-PARTY SERVICES AND LIMITATION OF LIABILITY

EDIRA uses third-party services, platforms, and tools for its business operations and consulting services. To define liabilities, the data subject acknowledges and accepts the following:

A) CLOUD TECHNOLOGY PROVIDERS

The storage and processing of data in cloud platforms (AWS, Azure, Google Cloud, or others) are governed by the terms, conditions, and privacy policies of each provider, which are external to EDIRA. The Responsible Party will select providers that offer reasonable security guarantees and possess internationally recognized certifications (ISO 27001, SOC 2, or equivalent), but cannot guarantee third-party conduct beyond the contractual terms agreed upon.

B) THIRD-PARTY WEBSITES

EDIRA\'s website may contain links or references to third-party websites. These sites have their own privacy policies, and the Responsible Party assumes no liability for the data processing they carry out. The data subject is advised to review the privacy policies of any site they visit.

C) FORCE MAJEURE AND ACCIDENTAL EVENTS

The Responsible Party shall not be liable for security breaches, loss, or alteration of personal data resulting from force majeure or accidental events, including but not limited to: massive cyberattacks, telecommunication provider failures, or catastrophic events affecting cloud providers. In such cases, the Responsible Party will notify the data subject in a timely manner under Article 20 of the LFPDPPP.

FIFTEENTH. JURISDICTION AND APPLICABLE LAW

This Privacy Notice is governed in its interpretation and application by the provisions of Mexican legislation, in particular:

  • The Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP).
  • The Regulations of the Federal Law on the Protection of Personal Data Held by Private Parties.
  • The Privacy Notice Guidelines issued by the competent authority in Mexico.
  • Personal data security recommendations issued by the competent authority in Mexico.
  • The Federal Civil Code and the Commercial Code, where applicable.
  • Other federal regulations applicable to data protection, privacy, telecommunications, and e-commerce.

For any controversy arising from this Privacy Notice or the processing of personal data by EDIRA, the parties submit to the jurisdiction of the competent administrative authority and, judicially, to the competent Federal Courts in the city of Santiago de Querétaro, Querétaro, Mexico, expressly waiving any other jurisdiction that may correspond to them by reason of their present or future domiciles.

Eduardo Rodrigo Silva Orozco
Responsible for Personal Data Processing
EDIRA — Technology Consulting in Analytics and Artificial Intelligence
Santiago de Querétaro, Querétaro, Mexico | www.edira.dev | info@edira.dev