Privacy Notice

Pursuant to the Mexican Data Protection Law (LFPDPPP, for its initials in Spanish, Ley Federal de Protección de Datos Personales en Posesión de los Particulares), the Regulations thereof and the Guidelines under the Privacy Notice (the Normativity), BIPragma, S.A. de C.V. (the Controller), a company incorporated under the Mexican laws, with address located at Torre XI, Av. Pedro Ramírez Vázquez No. 200-11, Piso 1, Col. Valle Oriente, San Pedro Garza García, CP 66269, Mexico, hereby notifies the individuals who own the personal data (Data Subject(s)) referred in the Normativity, the information that is collected about them, the purposes for which it is collected and all other data set forth in this privacy notice, under the following terms:

1. PERSONAL DATA.

The Mexican Data Protection Law (the Law) and the Regulations thereof (the Regulations), define Personal Data (PD) as any information relating to an identified or identifiable individual, such as said person’s address or date of birth. The Regulations define an identifiable individual as: every individual whose identity can be determined, either directly or indirectly, through any information. A person shall not be classified as identifiable when unreasonable periods of time or activities are needed in order to verify said person’s identity. A particular type of data is provided under the Law: Sensitive Personal Data (SPD), which are defined as the personal data that affect the most intimate sphere of the Data Subject, or personal data that could entail a material risk for the Data Subject if misused. Specifically, sensitive data are deemed as data that can disclose characteristics such as race or ethnicity, current or future health state, genetic information, religious, philosophical or moral beliefs, affiliation to a union, political views, sexual preference. Patrimonial and Financial Data (PFD) that the Controller may collect from the Data subject are among the data that are regulated by the applicable Normativity. The activities of collection, use, disclosure or storage of personal data, by any means, are called processing under the Law. The same Law provides that the concept of use is any action such as accessing, handling, exploitation, transfer or alienation of personal data; and that the concept of transfer shall be understood as every data communication to a person other than the Controller or the Body Responsible for the processing.

2. PRIVACY NOTICE AVAILABILITY.

Every Data Subject who is in contact with the Controller by any means, including by accessing the website www.bipragma.com, hereby accepts that the fact that this Privacy Notice is displayed on the website www.bipragma.com means that this Privacy Notice is made available by the Controller to every Data Subject, for all conducive effects.

3. DATA TO BE PROCESSED.

The PD that the Controller would eventually use will be: name, address, telephone numbers (landline and mobile), email, and job title of the contact, Mexican Tax Identification Number (RFC); in addition to any others that , subject to the particular needs of each service, shall be collected and processed in order to provide the Data Subject with the benefits of the services that the latter may request to the Controller. The Personal Data that are eventually collected by the Controller shall relate to information of the business or the needs of the client. Said data shall be treated confidentially and only in order to comply with the purposes that are authorized by the Data Subject to the Controller.  Accessing the website www.bipragma.com does not imply the provision of personal data by the user. Visiting the website www.bipragma.com includes options for the user to provide his/her data voluntarily, which may be collected in different situations that require the Data Subject’s decision to send his/her curriculum vitae to the Controller, the registration form that is filled when sending us an email the request of information, as well as any other information that is provided to the Controller in order to establish a legal relationship, for instance, when the Data Subject decides to contract the services of the Controller or to enter into an agreement to provide services to the Controller. The Personal Data that we may collect, belong to the following categories:

• Identification details: name, personal address, date of birth, landline and mobile phone numbers, email, photograph, image.
• Job details: title, position, work address, email, landline or mobile phone number.
• Academic details: education, studies, languages, degree, professional license, specialty, certifications.
• Invoicing Data: company to which fees will be charged, tax address, RFC, CURP (Mexican Unique Population Registration Code)
• Financial Data: bank account information, payment method.

The Controller does not obtain data automatically through cookies or web beacons. On the other hand, the Controller may process personal data for the following secondary purposes: (i) delivery of information, bulletins, magazines or notifications regarding topics that, in the Controller’s opinion, could be of interest, such as news, communications or advertising about the Controller; (ii) the submission of invitations to seminars, conferences and cultural or social events where the Controller participates, and/or (iii) submission of communications and invitations to participate in Controller’s projects or in projects in which, in the opinion of the Controller, the Data Subject may be interested. If the Data Subject does not wish the Controller to process his/her personal data for the above-mentioned secondary purposes, the Data Subject may express his/her rejection for such purpose, by sending an email to datos.personales@bipragma.com. The personal data collected will be part of a data base that will remain in force during the period of time that the Controller deems necessary in order to attain the purposes for which they were collected. Upon completion of such purposes, the data shall be blocked and cancelled, for further elimination under the applicable Normativity.

In the processing of personal data by the Controller, there is a presumption of reasonable privacy expectation, which is understood as the trust existing between two persons, that the personal data exchanged will be treated as agreed by the parties under the Law. The processing of personal data shall be subject to the Data Subject’s consent, with the exceptions provided under the Law and the Regulations. The Data Subject’s consent for the treatment of his/her personal data shall be implicit if the Data Subject does not express any objections after the Privacy Notice has been made available to the Data Subject.

4. SECURITY MEASURES.

The Controller has adopted and keeps all administrative, technical and physical security measures under its possibilities to protect the personal data against any damages, loss, alteration, destruction or unauthorized use, access or processing.

5. WEB USERS AND COOKIES.

Internet users, including those who visit the webpage www.bipragma.com are hereby informed that the Controller makes use of its best efforts to guarantee their privacy, offering the use of a Safe Server. However, the Controller does not undertake any liability for the content, audible, written or visual elements that can be randomly found on the Internet, therefore, the Controller shall not be liable for any content (text, audio, images or composite content) that could be linked to the user during access or visit to the Controller’s webpage.

The Controller does not obtain data automatically through cookies. Cookies are small text files that web browsers keep in your device when you visit a website. These files are automatically generated and allow the visited server to recognize the users who visit the website. The server of the Controller does not store or analyze cookies. Cookies do not keep or transmit confidential information or personal data whatsoever, as could be name or address of the user or Data Subject who visits the website. Cookies simply contain a code that can be read on the Controller’s website to display information. Internet users can turn off cookies in their device or allow their browser to notify them when it receives a new cookie, on the menu Tools / Preferences, contained in the webpage of your browser. For more reference you can visithttp://www.allaboutcookies.org/es/

6. TACIT CONSENT.

It is hereby understood that the Data Subject tacitly consents the processing of his/her data by the Controller, unless the Data Subject expressly objects in writing delivered to the Controller, by sending an email to datos.personales@bipragma.com as indicated in the last section of this Privacy Notice (NOTIFICATIONS), where the Data Subject shall notify the Controller in writing that the Data Subject does not consent the processing of the latter’s data. Any communication from the Data Subject to the Controller through any means that does not include the express rejection of the processing of personal data shall be understood as the tacit consent to the processing of data of any Data Subject who contacts the Controller, when the nature of the data involved allows for their processing by the Controller through tacit consent mechanisms.

Regarding Data Processing Systems (DPS) or Data Processing Functions, when the purposes are different to those that are necessary and those that originated the legal relationship between the Controller and the Data Subject, express consent in writing shall be required from the Data Subject under the Regulations. The Data Subject shall be deemed as having granted tacit consent for the processing of his/her data when, once after the Privacy Notice is made available to the Data Subject, the latter does not express opposition. If the Data Subject does not wish the effect of said tacit consent, the Data Subject may express his/her rejection for the processing of his/her personal data for purposes other than those that are necessary and those that originated the legal relationship between the Controller and the Data Subject. When the personal data of the Data Subject are obtained indirectly and there is a change in the purposes that were authorized at the time of the transfer, the Data Subject hereby understands that this Privacy Notice has been made available to him/her from the first contact of said Data Subject with the Controller, all of which shall have occurred prior to the exploitation of the personal data. When the Privacy Notice is not made available to the Data Subject either directly or personally, the Data Subject shall have five days to express, as the case may be, his/her opposition to the processing of the Data Subject’s data for purposes other than those that are necessary and those that originated the legal relationship between the Controller and the Data Subject. If the Data Subject does not express opposition to the processing of his/her personal data as provided above, tacit consent shall be deemed to have been granted for the processing of said data, unless proven otherwise.

7. REVOCATION OF CONSENT.

Consent may be revoked at any time without retroactive effects. In order to revoke his/her consent, the Data Subject shall express his wish to revoke it in writing by sending an email to datos.personales@bipragma.com, where the Data Subject shall express that he/she wishes to revoke his consent for the treatment of the data set forth in that message.

8. TRANSFER.

PD shall not be transferrable. PD shall not be shared or disclosed, however, data may be submitted to the officers in charge for the purpose of attaining the goals for which they were collected, and which are described in detail in item 3. Consent from the Data Subject shall not be required for national or international transfers of PD and DPF in the following cases:

• When the transfer is required under the Law or an International Treaty to which Mexico is a party;
• When the transfer is necessary for the prevention or diagnosis of medical issues, the provision of health care, medical treatment or the management of health services;
• When the transfer is made to a responsible body, this is, controlling companies, subsidiaries or affiliates under common control of the Controller, or a parent company or to any company of the same group as the controller who operates under the same internal procedures and policies;
• When the transfer is necessary by virtue of an agreement executed or to be executed for the best interest of the Data Subject, between the Controller and a third party;
• When the transfer is necessary or legally required in order to safeguard the public interest, or for purposes of law enforcement;
• When the transfer is necessary for the recognition, exercise or defense of rights in a judicial proceeding, and
• When the transfer is necessary in order to maintain or comply with a legal relationship between the Controller and the Data Subject.

PD that are collected by the Controller and, as the case may be, processed by the responsible officers, shall not be assigned, sold, shared or transferred, except as may be necessary in the cases provided in the applicable Normativity. The Controller hereby reserves the right to share your personal data with officers, directors and partners of the Controller or with third parties who process your personal data on behalf of the Controller and subject to this Privacy Notice and the instructions provided by the Controller, including companies that are engaged in the provision of services in Mexico or abroad, who work jointly with the Controller, Notaries Public and Public Certifying Officers or IT companies that provide computing services to the Controller. The officers in charge of processing your personal data shall act on behalf of the Controller and shall be subject at all times to the provisions of this Privacy Notice.

When consent from the Data Subject is required for purposes of conducting a data transfer, consent shall be deemed as granted unless the Data Subject expressly rejects such consent as provided in this Privacy Notice, and in compliance with the applicable Normativity.

If the Data Subject refuses to consent the transfer of his/her personal data when said transfer requires consent from the Data Subject, the latter shall notify the Controller, by sending an email to datos.personales@bipragma.com containing the express opposition and indicating that the personal data identified in the message the transfer of which requires consent from the Data Subject shall not be transferred by the Controller. The analysis and implementation of said request shall be conducted under the procedure of the ARCO rights as provided in this Privacy Notice.

9. PURPOSES.

The PD, the processing of which requires consent from the Data Subject, that are collected by the Controller, shall be used for purposes related to the purpose of the Controller and the services provided thereby as shown in www.bipragma.com and include added-value consulting in business processes and information technologies, software development and tailored analytic solutions, as well as sales, maintenance and support of business intelligence commercial software licenses, advanced data integration and analytics. The purpose of the collection of the PD includes all kinds of activities that are directly or indirectly related to the services, activities and purposes of the Controller, as generally mentioned above.

The Controller may collect information of the Data Subject through different sources, either personally from the Data Subject and/or indirectly through any other sources of information that are commercially available or that are allowed under the applicable Law. The collection and Processing of personal data of the Data Subject, including sensitive personal data that may be eventually collected, and unless otherwise agreed by the Data Subject in the manner described in this Privacy Notice, has the purpose of assessing job applications, hiring of employees, assessment of contractors, proposals and hiring of service and product providers, commercial contract drafting and management, payment procedures, as well as the performance of labor, administrative, commercial and tax obligations, the establishment of suppliers data bases, development of new products and services, consultancy, marketing, promotion, contracting and placement of all kinds of services and products and/or the improvement of products and services and other obligations derived from any legal relationship between the Data Subject and the Controller or the affiliated and subsidiary companies of the Controller.

Personal data may also serve the following purposes:

• Comply with legal requirements from competent authorities;
• Inform you about new products and services, as well as benefits, discounts, promotions, market surveys, promotions, notifications regarding change of conditions and, in general, all publicity derived from the products and services offered by the Controller and/or the affiliates and subsidiaries of the Controller;
• Product and suppliers analysis and development, as well as the use of the products and services of the Controller; and
• For the performance of the terms and conditions of the Controller in connection with obligations, agreements, contracts, and the development of products, sales of products or provision of services; and, as the case may be, for use by the human resources and sales departments of the Controller, as provided in the policies of such departments. Sensitive data that may be collected may be used for the attainment of our legal, tax or commercial purposes.

Third parties and entities who receive the PD shall undertake the same obligations and/or liabilities of the Controller, as described in this Privacy Notice.

The Controller may use personal data for several purposes, depending on the specific circumstances under which they are collected, but always honoring the relationship between the Controller and the Data Subject, and in compliance with the specific privacy notice that had been made available thereto, as the case may be.

The purposes referred in this Privacy Notice may include the purposes that are necessary when the Data Subject visits the facilities of the Controller in order to control access and remain safe inside the Controller’s facilities; when the Data Subject contacts the Controller in the following cases: i) in order to request a response to doubts and comments; ii) in order to establish a legal relationship; iii) in order to keep in touch with the Data Subject, when the Data Subject spontaneously provides the Controller with data that enable access to the Data Subject’s Profile, as well as the characteristics of the website that are exclusively developed for users. The data may also be used for the following secondary purposes, provided the Data Subject grants consent, consistent with the delivery of informative bulletins and the submission of information that may be relevant for the Data Subject. Personal data may be used for purposes that are compatible with those described above and those that may be considered similar.

10. WAYS TO EXERCISE ARCO RIGHTS.

As the owner of your personal data, you (the Data Subject), may exercise your rights of access, rectification, cancellation and opposition (ARCO rights) before the Controller. You may also revoke any consent you may have granted if it was necessary for the processing of your data, and limit the use or disclosure thereof. This, can be done by directly contacting the responsible officer at the email datos.personales@bipragma.com as provided in the section COMMUNICATIONS WITH THE CONTROLLER of this Privacy Notice.

In sum, the ARCO rights can be described as follows: Access: Right of the Data Subject to be informed about the personal data that are contained in the data bases of the Data Subject, the purpose for which said data are used, the origin and the communications that contain them and, in general, the conditions and general aspects of the processing: Rectification: Right of the Data Subject to request the correction or updating of his/her personal data, in case they are inaccurate or incomplete. Cancellation: Right of the Data Subject to request the total or partial elimination of his/her personal data, from the Controller’s data bases when the Data Subject considers that his/her personal data are not being processed in compliance with the principles and duties provided under the Law. Opposition: Right to oppose for just cause to the treatment of the Data Subject’s personal data.

11. WAY TO LIMIT THE USE OR DISCLOSURE OF PERSONAL DATA.

The Data Subject is entitled to limit the use or disclosure of his/her personal data for purposes that are not necessary for a legal relationship between the Data Subject and the Controller. Therefore, if the Data Subject wishes to stop receiving information, articles and/or news by the Controller, the Data Subject shall directly contact the Controller at the email datos.personales@bipragma.com as provided in the section NOTIFICATIONS of this Privacy Notice. A request from the Data Subject shall be used to enter the corresponding registration in a list of excluded subjects, which shall be evidenced in a digital certificate that shall be delivered to the Data Subject, as requested by the latter to the Controller. Likewise, the Data Subject is hereby informed about his/her right to refuse to be contacted by phone by the Controller for purposes of advertising.

12. AMENDMENTS TO THE PRIVACY NOTICE.

Using the website www.bipragma.com implies the recognition and acceptance of this Privacy Notice. The Controller shall be entitled at all times to modify the terms and conditions of this Privacy Notice.

Material changes to this Privacy Notice may be notified to the email that the Data Subject had designated and/or through the website www.bipragma.com, to which any interested person shall have access. We strongly advice to review this Privacy Notice every time you access the website www.bipragma.com in order to know about any changes, amendments or updates.

For the avoidance of doubt, BIPragma S.A. de C.V. shall not be liable for the lack of receipt of any changes to the privacy notice due to any issues with the email address provided or due to technical issues in the transmission thereof via the Internet.

13. CLAIMS AND COMPLAINTS.

If a Data Subject had reason to assume the existence of a breach against the applicable Normativity regarding the processing of the personal data of the Data Subject, the latter may file a claim or complaint before the Mexican Institute for Access to Information and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos). For more information, visit www.ifai.org.mx. This Privacy Notice shall be governed by the applicable Normativity and all other laws applicable in Mexico, and the acceptance of this Privacy Notice shall imply the user’s express submission to the jurisdiction of the Controller’s address, in case of any dispute or claim derived from this Privacy Notice.

14. COMMUNICATION WITH THE CONTROLLER

Every communication that shall be submitted to the Controller under this Privacy Notice shall be addressed to: datos.personales@bipragma.com

15. NOTIFICATIONS:

Pursuant to Article 35, Section II of the Mexican Federal Procedural Law (Ley Federal de Procedimiento Administrativo), all notifications, summons, subpoenas, requirements, requests of information or documents, and final administrative resolutions shall be made exclusively through the electronic means of communication set forth in item 14 of this Long-Form Privacy Notice.

This Privacy Notice is issued in compliance with Articles 8, 15, 16, 33 and 36 LFPDPPP, as well as Articles 11, 14, 23, 30, 40, 41 and 90 of the Regulations and any other applicable provisions.

Place of Issue: San Pedro, Garza García, Nuevo León – July, 27th, 2020.