I. Identity and Domicile of the Data Controller.
Pursuant to the provisions of the Federal Law for the Protection of Personal Data (the “DP Act”), the Guidelines of Privacy Notice and other applicable provisions, we inform you that Citrofrut, S.A. de C.V. and its subsidiary entities (the “Data Controller”), domiciled at Av. Constitución 405 Pte., Col. Centro Monterrey, N.L. México 64000, is responsible for the use and protection of your personal data, which shall be used pursuant to the terms of this privacy notice (the “Privacy Notice”).
II. Contact Information
If you need any information regarding the Privacy Notice or in relation to the exercise of any of your rights derived from the processing of your personal data, you may contact the following e-mail address: email@example.com (the “Contact Person”).
III. Purposes for the Processing of your Personal Data.
Your personal data will be processed for the following purposes:
a. Necessary for the legal relationship between the Data Controller and the user (the “Data Owner”):
i. The sole registration, as well as for authentication purposes, so that the Data Owner can use the same login data and that the different systems recognize their data.
ii. Respond to the Data Owner in case he contacts the Data Controller through its customer service (or vice versa).
iii. Participate in the promotions of the Data Controller, if the Data Owner has expressed interest and consent to participate in them.
iv. Access through a social network.
v. Using and accessing the website, as well as accessing to products or services through an account.
vi. Evaluating the browsing habits of the Data Controller's websites, as well as, making improvements and optimizing the Data Controller's products and services.
vii. Registration and updating of the management system.
viii. For technical maintenance of the website.
ix. Maintain the Data Controller's systems and databases up to date.
x. To comply with the obligations contracted between the Data Controller and the Data Owner.
xi. Comply with the policies and procedures of the Data Controller.
xii. Conduct audits and investigations to prevent and/or detect fraud or other unlawful acts that may cause a claim or harm to the Data Controller and/or the Data Owner.
xiii. Carry out or reply to legal proceedings before authorities.
xiv. Compliance with applicable laws, regulations and legal provisions.
xv. Use of reorientation technologies (through such technologies, the Controller analyses the information it has collected on the interactions of the Data Controller with each of the Data Controller's platforms, including the Data Owner’s cookies).
xvi. Process the order placed by the Data Owner and provide the Data Owner with information related to it.
b. Not necessary for the legal relationship between the Data Controller and the Data Owner:
i. Sending the news bulletin of the Data Controller.
ii. Marketing or to offer, sell and commercialize the Data Controller’s products and services by sending information, promotions, offers and advertising. The Data Controller will request your consent, when required by applicable law, in order to use the contact details that the Data Owner has provided for the sending of personalized marketing communications.
iii. Inform the Data Owner about promotions related to the products and services offered by the Data Controller.
iv. Measuring the quality of the service, statistics (including the performance of internal studies on consumption habits), marketing, and reporting by the Data Controller.
You will have 5 (five) business days following the date on which this Privacy Notice has been made available to you to refuse to the processing of your personal data for purposes not necessary for the legal relationship with you, by sending an email to firstname.lastname@example.org.
Otherwise, it will be understood that the Data Owner consents the processing of his/her personal data for all purposes listed above, without prejudice of their rights to opposition or revocation of consent or opposition.
IV. Personal Data that will be Processed.
In order to achieve the purposes mentioned in Section III above, the Data Controller will process the following personal data of the Data Owner:
Regarding the users, the following personal data will be processed by the Data Controller without any limitation. i.
Identification Data: full name, age, e-mail address, IP address, reference URL (the site from which the visitor has arrived), telephone, cookies, and other similar devices used by the user, social identifier (in case that the user decides to access his account through a social network).
The Data Controller does not gather sensitive personal data from the Data Owner.
The Data Controller may collect your personal data either personally, directly or indirectly when you provide such information by using or requesting the products and/or services of the Data Controller or by participating in promotions or contests sponsored by the Data Controller, through the Data Controller’s internet sites or others sources permitted by law.
V. Options to Limit the Use or Disclosure of your Personal Data.
Data Owner may limit the use and disclosure of his/her personal data in order to not be used or disclosed for non-necessary purposes for the legal relationship between the Data Owner and the Data Controller.
If you wish to limit the use or disclosure of your personal data, you must present your request to the Contact Person in order for you to be registered in an exclusion list created by the Data Controller.
VI. Period during which the Personal Data will be kept.
The gathered Personal Data will be kept for the necessary period in which the legal relationship with the Data Controller subsists, from the date in which they were obtained.
VII. Means to Exercise your ARCO Rights.
The Data Owner may exercise in any moment your rights to access, rectify, cancel or oppose the processing that we give to your personal data (the “ARCO Rights”). It is important to mention that the exercise of any of these rights is independent from each other, that is to say, it is not necessary to exhaust one in order to exercise one of the others.
Each of the rights respectively allows you to:
i. Access: The Data Owner may, at any time, request to know what data have been gathered and kept by the Data Controller in its data bases, as well as the details of their processing.
ii. Rectification: In the event that any of your data is inaccurate or incomplete, you may request the Data Controller to correct it in the databases, with the documentation supporting said modification.
iii. Cancelation: You may at any time request the cancellation of your data from the databases held by the Data Controller when you consider that they are not required for the purposes indicated in thePrivacy Notice, are being used for purposes not consented or that our legal relationship has terminated. If the request is admissible, the data will be blocked and may not be processed in any way.
iv. Opposition: At any time the Data Owner may oppose to the processing of his/her personal data for specific purposes, e.g. for sending advertising.
To exercise yourARCO Rights, the Data Owner or his/her legal representative must fulfil the“ARCO Rights Exercise Request” and send it scanned to the e-mail address: email@example.com, to the attention of theContact Person, for its attention and follow-up.
It is important that you consider the following requirements when sending or submitting your request.
i. The request must be clearly filled out in all of its blanks and with block letters;
ii. Indicate your name, address and e-mail for delivery of the response to your ARCO request;
iii. Indicate the personal data which you seek to exercise any of the rights;
iv. Attach any document or information that facilitates the location of your personal data;
v. Attach a copy of the document that evidence the identity of the Data Owner (voter’s credential, professional license, or valid passport);
vi. If the request is submitted through a legal representative, include the power of attorney attesting the power of attorney granted by the Data Owner for this procedure, or a proxy granted by the Data Owner with the signature of acceptance of the representative, granted in the presence of two witnesses, including the name, signature, address and photocopy of the official identification of each of the signatories;
vii. In the event of requesting a rectification of your personal data, you attach the documentation supporting said amendment.
Once the DataOwner has filed his/her request to the Data Controller, we suggest you to senda follow up e-mail to: firstname.lastname@example.org.
Our response will be sent to the indicated e-mail in your request no later than 20 (twenty)business days from the date on which the ARCO request was received. In the event that the ARCO request is granted, the requested changes will be made no later than 15 (fifteen) business days. In the event that you requesting access to your personal data, the DataController will inform you via the e-mail through which we communicate our response to your request, the means by which you will have access to your personal data if the request is admissible. The time periods mentioned in this paragraph may be extended by the Data Controller once for an equal period of time, which shall be informed to you.
The DataController may refuse the exercise of the ARCO Rights in the events permitted by the DP Act, and should informed the reason of its decision.
The refusal may be partial, in which case the Data Controller will grant the access, rectification, cancelation or opposition with respect to those aspects that are admissible.
The exercise of ARCO Rights will be free of charge; however, if the Data Owner repeats his request within 12 (twelve) months, the cost may be equivalent to up to 3(three) days of mandatory minimum wages applicable in Mexico City, plus ValueAdded Tax, unless there are material changes to the Privacy Notice that justify new requests. The Data Owner will have to pay the justified cost of delivery or the cost of reproduction of copies or other formats, and if applicable, the cost of document certification.
If you consider that your personal data protection rights have been impaired by any behavior of our employees or by our proceedings or responses, or you allege that there is a breach to the provisions of the DP Act with regards to the processing of your personal data, you may submit the corresponding complaint or lawsuit before theNational Institute of Transparency, Access to Information andProtection of Personal Information (INAI).
For further information, you may communicate yourself to the following e-mail: email@example.com.
To access and print the “Arco Rights Exercise Request” you must consult the web page www.citrofrut.com or communicate with the Contact Person.
The Data Controller uses various technologies to collect and store personal data of theData Owner at the time it enters the website of the Data Controller, which includes the sending of one or more cookies or other similar devices in the device.
The Data Controller’s parent companies or affiliates may use these technologies to collect personal data, which will be informed through the corresponding privacy notice.
IX. Means to revoke the consent for the processing of your personal data.
To revoke your consent for the processing of your personal data, you must present a request to the Contact Person by sending an email to the following address: firstname.lastname@example.org.
If after the revocation you request confirmation of the same, the Data Controller will expressly respond to you. We inform you that we may not be able to attend to your request or conclude the processing of your personal data immediately in every case since it is possible that due to a legal obligation we require to continue processing your personal data.
Revoking your consent for the processing of your personal data may result in the impossibility of continuing with our legal relationship.
X. Transfer of Personal Data.
We inform you that the Data Controller may transfer your personal data within Mexico and outside of the country for the following purposes:
Potential buyers or commercial partners of the Data Controller
To provide information to potential buyers or commercial partners of the Data Controller.
Entities with which they enter into collaboration agreements.
Receive the benefits resulting from collaboration agreements.
To national or foreign third parties.
When the Data Controller requires their support for the provision of their services.
To the controlling entity or to the subsidiaries, affiliates, affiliates or companies belonging to the same group as the Data Controller.
To carry out the primary purposes established above, when the Data Controller requires their support for the provision of its services or when the Data Controller enters into mergers and/or divisions in which such companies are involved.
Companies not belonging to the Data Controller that use tracking technologies to publish advertisements on behalf of the Data Controller on the Internet.
Publish advertisements on the Internet.
Occasionally, the Data Controller’s website, as well as its applications, provide social plugins from various social networks. If the Data Owner decides to interact with a social network (for example, by registering an account), his activity on the website or through the applications of the Data Controller will also be available for that social network. In the event that the Data Owner is connected to a social network during his visit to one of the Data Controller’s websites or applications, or if he is interacting with one of the social plugins, the social network may add this information to his respective profile on this network in accordance with his privacy settings. In the event that the Data Owner wishes to avoid this type of data transfer, the Data Owner must log out of his social network account before entering one of the Data Controller’s websites or applications, or change the application's privacy settings, whenever possible.
To any authority.
For the purpose of complying with any applicable law, regulation or legal provision when the transfer is mandatory.
We inform that, in order to comply with the purposes mentioned in section III above, the Data Controller may transfer the personal data of the Data Owner without your consent:
i. When the transfer is provided for in a law or treaty to which Mexico is a party.
ii. When the transfer is necessary for the prevention or medical diagnosis, the provision of health care, medical treatment or the management of health services.
iii. When the transfer is made to controlling entities, subsidiaries or affiliates of the Data Controller, or to a parent entity or to any entity of the same group of the Data Controller operating under the same internal processes and policies.
iv. When the transfer is necessary by virtue of a contract entered into or to be entered into in the interest of the Data Owner, by the Data Controller and a third party.
v. When the transfer is necessary or legally required for the safeguarding of a public interest, or for the procurement or administration of justice.
vi. When the transfer is necessary for the recognition, exercise or defense of a right n a judicial process.
vii. When the transfer is necessary for the maintenance or fulfilment of the legal relationship between the Data Controller and you.
XI. Safety Measures
Your personal data will be protected pursuant to the safety, administrative, technical, and physical measures implemented by the Data Controller. These measures include policies, procedures, employee training, video surveillance systems, control of physical access and technical elements related to the information access controls.
In the event of a security breach in any of the phases of the processing of your personal data which significantly affects your moral or economic rights, the Contact Person will notify you immediately by e-mail, or, if the Data Controller is unable to contact you by e-mail, then it will use standard mail to do so in order for theData Owner to be able to take the corresponding necessary measures for the defense of your rights.
XII. Changes and modifications to the Privacy Notice.
The DataController reserves the right to make at any moment amendments or updates tothe Privacy Notice, upon understanding that the Data Owner will be notified ofany such modifications by the visible publication of a new privacy notice onour website www.citrofrut.com, so we recommend to reviewit often.
By using the website you give your express consent for the processing of your personal data. As long as you do not object to the processing of your personal data, including financial and economic data, you are giving your consent to the processing of such data in the terms of this Privacy Notice. Denying your consent to the processing of your personal data by the Data Controller may result in the impossibility of establishing or continuing the legal relationship with the Data Controller.