Privacy Notice

In connection with the activities and services provided by the Controller, Personal Data will be processed according to the types and categories set out below.

In compliance with applicable legal provisions, including the Civil Code, the Tax Code, and other applicable regulations, the Controller may transfer Personal Data to the following government authorities and agencies: the National Electoral Institute and the National Institute for Transparency, Access to Information and Personal Data Protection, as well as local or federal authorities that have requested such data as part of a legal proceeding or pursuant to a judicial order. The Controller may also transmit Personal Data to Law Firms, Market Research Agencies, Digital Marketing Agencies, Online Advertising Agencies, Advertising Agencies, Promotional Companies, and Suppliers for the purpose of fulfilling obligations arising from the services and public functions formalised or provided by the Data Subject with and before the Controller.

The Data Subject acknowledges and accepts that the Controller does not require their consent to carry out national or international transfers of Personal Data, pursuant to Article 37 of the LFPDPPP or any other exception provided by applicable law. The Controller may transfer Personal Data to third parties provided that such parties process the Personal Data in accordance with this Privacy Notice and for the following purposes:

• When the transfer is made to parent, subsidiary, or affiliated companies under common control of the Controller, or to any company within the same corporate group, operating under the same internal processes and policies.
• When the transfer is in the interest of the Data Subject, pursuant to a contract entered into or to be entered into between the Controller and a third party, in fulfilment of the primary purposes of the Privacy Notice.
• When the transfer is necessary to safeguard the public interest or to pursue or administer justice.
• When the transfer is necessary for the recognition, exercise, or defence of a right in a judicial proceeding.
• When the transfer is necessary to maintain or fulfil the legal relationship arising from the services formalised with the Controller.

The Controller makes available to the Data Subject the email address datos.personales@irpmex.com so that they may at any time object to receiving further promotional communications from the Controller. To restrict, limit, or control the processing of Personal Data, the Controller has administrative, physical, and technical security measures in place, as well as internal privacy policies and programs to prevent the disclosure of Personal Data. Personal Data will be treated in strict confidence; its collection, transfer, and exercise of related rights is carried out through appropriate, legitimate, and lawful means, permanently upholding the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality, and accountability.

The Data Subject may at any time revoke the consent granted for the processing of their Personal Data, except in the cases established by Article 10 of the LFPDPPP, by submitting the corresponding request to the Personal Data Department at datos.personales@irpmex.com. The request must include the requirements set out in the Privacy Notice and identify the Personal Data for which consent is being revoked. The Controller will carry out the revocation within no more than 15 business days from receipt of the request.

To further limit the use and disclosure of Personal Data, the Data Subject may register in the Public Registry to Avoid Publicity (REPEP), administered by Profeco, to prevent Personal Data from being used to receive advertising or promotions from suppliers or companies in their marketing activities. For more information about this registry, the Data Subject may visit the Profeco website. www.gob.mx/profeco.

The Data Subject may at any time exercise their ARCO Rights with respect to Personal Data held by the Controller, either personally or through their legal representative, by submitting the corresponding request to datos.personales@irpmex.com. The request must include the following information and documentation:

• Name of the Data Subject.
• Address and/or email address for communicating the response to the request.
• Relationship with the Controller.
• Documents establishing identity, as required by the LFPDPPP and the RLFPDPPP.
• A clear and precise description of the Personal Data for which one or more of the above rights is being exercised.
• Any other element, information, or document that facilitates the location of the Personal Data.

For access requests, the identity of the Data Subject or their legal representative must first be verified, after which simple copies or electronic documents held by the Controller will be provided free of charge, except for shipping costs and the cost of reproduction in copies or other formats. If the Data Subject resubmits the request within a period of less than twelve months, they must cover the corresponding costs equivalent to no more than three days of the Minimum Wage in Mexico City, pursuant to the LFPDPPP.

For rectification requests, the Data Subject must indicate the modification to be made and provide documentation supporting the request.

For cancellation requests, in addition to the provisions of this Privacy Notice, the Controller will comply with Article 26 of the LFPDPPP, including the exceptions to cancellation set out therein.

For opposition requests, the Data Subject has the right at any time to object to the processing of their Personal Data on legitimate grounds. If the objection is upheld, the Controller may no longer process the data. The right to oppose may not be exercised where processing is necessary to comply with a legal obligation imposed on the Controller.

Pursuant to the LFPDPPP and the RLFPDPPP, the Controller will inform the Data Subject of its decision within a maximum of 20 business days from receipt of the request, so that, if applicable, the decision is carried out within the following 15 business days.

The Controller may deny access to Personal Data or refuse to carry out rectification, cancellation, or grant opposition to processing in the following cases:

• When the applicant is not the Data Subject or their legal representative has not been duly verified.
• When the Personal Data is not found in the Controller's database.
• When the rights of a third party would be harmed.
• When a legal impediment or ruling by a competent authority restricts access to the Personal Data or prevents its rectification, cancellation, or opposition.
• When the access, rectification, cancellation, or opposition has already been carried out.

The denial may be partial, in which case the Controller will carry out the access, rectification, cancellation, or opposition requested by the Data Subject. In all cases, the Controller will duly inform the Data Subject or their legal representative of the reasons for its decision, through the same means used to submit the request. If the Data Subject considers that the Controller's resolution has caused harm, they may file a complaint with the National Institute for Transparency, Access to Information and Personal Data Protection (INAI).

The right to be forgotten is not considered an autonomous right separate from the ARCO Rights, but rather the consequence of exercising the right to cancellation or opposition of Personal Data in the online environment. It therefore follows the same procedure as the right to cancellation of Personal Data.

For any clarification, comment, complaint, or grievance regarding the Controller's privacy policy, the Data Subject may submit their request to the Personal Data Department at datos.personales@irpmex.com, which will respond within a maximum of 20 business days.

The Controller will retain Personal Data for as long as necessary to process requests for the products and/or services offered, fulfil the legal relationship entered into between the Data Subject and the Controller, and maintain accounting, financial, and audit records as required by the LFPDPPP and applicable commercial, tax, and administrative legislation.

Personal Data processed by the Controller will be protected by appropriate administrative, technical, and physical security measures against damage, loss, alteration, destruction, unauthorised use, access, or processing, in accordance with the LFPDPPP, the RLFPDPPP, the administrative regulations derived therefrom, commercial legislation, and secondary regulations issued by competent authorities.

If the Data Subject believes that their right to personal data protection has been infringed by improper processing, they may file the corresponding complaint or report with the INAI. www.inai.org.mx.

The Controller reserves the right to periodically update this Privacy Notice in response to changes in information practices, legislative developments, internal policies, or new service requirements. Such updates will be made publicly available and the Data Subject may consult them at the Controller's address. In the event of changes, the Controller may also send updates to the Data Subject's email address. The Data Subject is advised to review the Privacy Notice at least every six months to stay informed of its terms and conditions.

The Data Subject declares that they have read, understood, and accepted the terms set out in this Privacy Notice, which constitutes their free, specific, unambiguous, and informed consent, including with respect to any changes made in future updates, regarding the processing of their Personal Data in compliance with the LFPDPPP, the RLFPDPPP, and the Guidelines.