Privacy Policy
In accordance with the provisions of the Federal Law on Protection of Personal Data Held by Private Parties, its Regulations and other applicable and related regulations ("Personal Data Legislation"), this Privacy Notice is issued.
1. Identity and Address of the Controller
Hermes AI, S.A.P.I. de C.V., commercially known as IcloneU (the "Controller" or "We", interchangeably) collects, uses, discloses, and stores (hereinafter the "Processing") personal data ("Personal Data") from you ("You" or the "Data Subject"), and has its address for purposes of hearing and receiving notifications related to this document at Paseo de los Laureles 404 - 201, Mexico City, 05120, Mexico.
2. Personal Data Processed by the Controller
For the purposes set forth in this Privacy Notice, the Controller processes the following categories and specific types of Personal Data:
- Identification and contact data.
- Employment data.
- Financial or asset data.
- Legal data.
- Video recordings in our offices.
- Social Media Platform Data:
  - User profile information (full name, email, profile picture, Platform User ID)
  - Contact information (Platform Contact ID, names, email, profile pictures)
  - Communication data (message content, timestamps, Platform message IDs)
  - Post data (Platform post ID, media, profile images, titles, messages)
  - Access tokens and account identifiers (encrypted storage)
  - Authentication data from Facebook Login for Business and Google Login
Platform Data is collected through official APIs of each platform and is processed in accordance with each platform's terms and applicable data protection legislation.
The Controller will obtain the necessary consent in accordance with the Personal Data Legislation for the processing of your Personal Data.
3. Purposes of the Processing
We will process Personal Data for the following primary and necessary purposes:
- Comprehensive management of our relationship: includes handling our relationship and any related activities, recording it in the Controller's databases and files, managing billing and receipt of payments, and handling judicial procedures (fiscal, administrative, labor, and civil).
- Legal and regulatory compliance: includes responding to legal requests from competent authorities, compliance with applicable legal provisions and obligations for the Controller and its affiliates, and managing the Data Subjects' obligations via judicial and administrative procedures.
- Corporate restructurings: includes processes related to the Controller's corporate restructurings (such as mergers, consolidations, sales, liquidations, or asset transfers).
- Information and database management: includes the management, administration, and security of Data Subjects' data, maintenance of physical, electronic, and procedural safeguards, and management and updating of the Controller's databases.
- Data verification: includes conducting investigations and actions to verify the accuracy of the data provided by the Data Subjects, by any means.
- Transfers: carry out the transfers mentioned in Section 5.
- Complementary activities: includes any other activity compatible or analogous to the above purposes.
The Controller may use video surveillance systems inside and outside its offices, construction sites and/or facilities. The images and/or sounds captured by the cameras will be used for security, as well as for the monitoring and physical access control of such offices, sites, and/or facilities.
We will process Personal Data for the following secondary or ancillary purposes:
- Marketing, advertising, promotions, newsletters, data profiling, advertising messages, news, event invitations, commercial prospecting and offering of services or products, ours or those of other companies in our corporate group, either general or personalized, and sent through any other means.
If you do not wish for your personal data to be processed for these secondary or ancillary purposes, you may follow the procedure referred to in Section 6 of this Privacy Notice.
In accordance with the above, the Controller commits to the following:
- not to use your Personal Data to discriminate or incite discrimination;
- not to use your Personal Data to conduct, facilitate or provide surveillance tools;
- not to sell, license or purchase your Personal Data; and
- not to use your Personal Data to determine a person's eligibility for insurance, employment, financing, housing or other similar sensitive decisions based on that individual's characteristics.
4. Options and Means We Offer to Limit the Use or Disclosure of Your Personal Data
You may submit a request to limit the use or disclosure of your Personal Data through the procedure established in Section 6 of this Privacy Notice, unless there are reasons for which such limitation or use is legally inadmissible.
5. Disclosure of Personal Data
Your Personal Data may be transferred within the national territory or abroad, as follows:
a. To controlling, controlled or commonly controlled companies with the Controller, operating under the same internal processes and policies of the Controller, for centralized information storage, service provision, administration and security purposes, analytics, profiling, statistics and registration, regulatory compliance and other internal processes of the Controller and its corporate group.
b. To authorities, agencies or government entities: (i) in compliance with or related to obligations under applicable law to the Controller, its subsidiaries and/or affiliates, as well as to respond to their requests; (ii) to fulfill obligations arising from a legal relationship between the Data Subject and the Controller; and (iii) when the transfer is necessary for maintaining or fulfilling the relationship between the Controller and the Data Subject.
c. To authorities, agencies or government entities, notaries public and public brokers, when the transfer is required for the recognition, exercise or defense of a right of the Controller, its subsidiaries and/or affiliates in a judicial proceeding.
d. To doctors, police, firefighters, paramedics or healthcare service providers, to assist you in case of accident, emergency or health situation.
e. To advisors, suppliers and service providers of the Controller, when the transfer is necessary due to a contract entered into or to be entered into in the interest of the Data Subject and for purposes related to the management of their legal relationship with the Controller.
f. To potential third-party acquirers, due to a corporate restructuring of the Controller, including merger, consolidation, sale, liquidation or asset transfer, when the transfer is necessary for maintaining or fulfilling the relationship between the Controller and the Data Subject or when it is in the Data Subject's interest.
g. Based on the other cases established in the Personal Data Legislation, which do not require your consent.
We will only share your Personal Data with the third parties described in points d. to f. of the previous paragraph if they are obligated to protect your Personal Data in accordance with this Privacy Notice and the Personal Data Legislation.
The above transfers do not require your consent under the Personal Data Legislation.
6. Means for Exercising Your Rights
In all legally appropriate cases, you may exercise the following rights regarding your Personal Data at any time through the procedure established later in this section: (i) rights of Access, Rectification, Cancellation (including deletion) or Opposition ("ARCO Rights"); (ii) revoke the consent granted to the Controller for the processing of Personal Data; (iii) limit the use or disclosure of Personal Data; and (iv) express your refusal to process your personal data for the aforementioned secondary and ancillary purposes.
To exercise your rights related to your Personal Data, you must send a request to our Privacy Officer, available at wecare@icloneu.ai. You may request the application form by email. Once received, you must print, complete by hand or machine, sign and return it to the same email address. In the subject line of the email, write "Exercise of rights over personal data" and attach the following information and documentation:
- your name and address or another means to communicate the response to your request and receive notifications, understanding that the Controller may respond to the email from which the request was sent even if you did not specify it as a response method;
- documents proving your identity (valid official ID with photograph);
- in case of legal representation, the full name of your legal representative, document proving their identity (valid official ID with photograph) and the instrument proving their authority (e.g., public deed or power of attorney signed by two witnesses), in accordance with the terms established in the Personal Data Legislation;
- a clear and precise description of the rights you wish to exercise or what you are requesting;
- for rectification requests, the changes to be made and supporting documentation;
- any other element or document that facilitates locating your Personal Data.
We will process requests for the exercise of Data Subject rights within no more than 20 (twenty) business days from receipt, and, if applicable, comply with the requirement within 15 (fifteen) business days after our response. The Controller may extend this period by an additional 20 (twenty) business days when justified, upon notification to the Data Subject.
You may receive the requested information or Personal Data through electronic documents in standard formats or any other legitimate means that ensures and proves the effective exercise of the requested right. Our Privacy Officer is responsible for handling any Data Subject requests regarding the exercise of their rights and can be contacted at wecare@icloneu.ai.
7. Means for Automatically Collecting Personal Data
We inform you that our website and our Software as a Service platform (collectively, the "Platform") use cookies and other technologies that allow automatic monitoring of your behavior, provision of our products and/or services, and offer an optimal and personalized experience, as well as suggest new products and services based on your preferences. Personal Data collected includes: session data, user preferences, browsing history on the Platform, information about ads viewed or clicked, and information about your IP address or tracking identifiers.
These technologies can be disabled through the Privacy and/or Security options in the Internet browser's Options, Tools, or Internet Preferences menus, or through the device's settings icon, tools, or similar if the Apps are installed. However, please note that disabling them may affect full functionality of the Platform. For more information about cookies in this section, visit www.icloneu.ai/cookies.
8. Changes to the Privacy Notice
This Privacy Notice may be modified, changed, or updated due to new legal requirements, service-related needs, our privacy practices or policies, changes to our business model, or other reasons.
We are committed to keeping you informed about any changes through our website.
9. Data Retention and Deletion Policies
To the extent permitted by applicable law, we will delete Personal Data:
- when it is no longer necessary to fulfill the purposes outlined in this Privacy Notice;
- when we stop operating the product or service for which the Personal Data was collected;
- as required by law or request from a competent authority; and
- when you request the Cancellation of Personal Data (including its deletion) in accordance with Section 6 of this Privacy Notice or close your account with Us, unless you request otherwise.
Social Media Platform Data Retention
We retain Social Media Platform Data only as long as necessary for legitimate business purposes and in compliance with Platform Terms:
Automatic Deletion Requirements:
- When retaining data is no longer necessary for declared business purposes
- When we stop operating the product or service through which data was acquired
- When the Platform requests deletion for user protection (at Platform's sole discretion)
- When a user requests deletion or no longer has an account with us
- When required by applicable law or regulations
- Upon termination of these Terms or cessation of Platform access
- When Platform APIs, permissions, or features are unused for 28+ days
User Rights for Social Media Platform Data:
- Users can request copies of their stored Social Media Platform Data
- Account deletion automatically removes all associated Social Media Platform Data
- Data retention follows user account lifecycle
- Users may request modification or deletion through wecare@icloneu.ai or directly on the IcloneU platform
Compliance Monitoring:
- No temporary caching of Social Media Platform Data
- No API request/response logging for Platform data
- Data purged immediately upon account deletion
- Regular audits to ensure proper data retention compliance
- Documentation maintained for legal requirements to retain data
10. Personal Data Security
We commit to establishing and maintaining the administrative, physical and, where applicable, technical security measures necessary to protect Personal Data.
Enhanced Security for Social Media Platform Data
Administrative Safeguards:
- Service account authentication with restricted permissions
- Firewall rules limiting access to authorized IP addresses only
- Regular security updates and monitoring protocols
Physical Safeguards:
- Infrastructure security
- Restricted physical access to data centers
- Environmental controls and monitoring
Technical Safeguards:
- Data encrypted at rest in database
- Data encrypted in transit via HTTPS/TLS protocols
- Access tokens encrypted in database storage
- Secure API key storage
- Load balancer with security policies
- No client-side token storage - all authentication server-side
- No temporary caching of Social Media Platform Data
- No API request/response logging for Platform Data
Incident Response:
- Security vulnerability reporting system accessible to users
- Immediate incident notification to Platforms using official channels
- Remediation procedures for unauthorized data access or breaches
- Cooperation with Platform compliance reviews and audits
- Detailed incident documentation and corrective action reporting
11. Requests and Contact Information
If you believe we have not complied with applicable data protection law, you may file a complaint with the appropriate authority. However, we encourage you to first contact our Privacy Officer at wecare@icloneu.ai if you have any suggestions, inquiries, questions, or complaints regarding the Processing of your Personal Data.
12. Social Media Platform Data Processing
Important: This section specifically addresses our processing of data from social media platforms in compliance with Platform Terms.
IcloneU integrates with social media platforms (Facebook, Instagram, WhatsApp, Messenger, YouTube, Telegram, Mercado Libre, etc.) through official APIs to provide AI-powered customer communication management services.
Data Collected from Social Media Platforms
- User profile information: Full name, email address, profile picture URL, Platform User ID
- Contact information: Platform Contact ID, first and last names, email addresses, profile pictures
- Communication data: Message content, message timestamps, Platform message IDs
- Post data: Platform post ID, media, profile images, titles, messages
- Access tokens: User access tokens and Account access tokens (encrypted storage)
- Account identifiers: Platform Account IDs and Account Access Tokens
Purposes for Social Media Platform Data Processing
- Customer communication management through social media channels
- AI-powered response generation for business communications
- User account management and authentication
- Platform integration maintenance and functionality
Data Processing Methods
- Real-time data collection via webhook endpoints (HTTPS)
- Bidirectional communication through Platform APIs
- OAuth 2.0 authentication flow for secure token management
- Server-side processing with no client-side token storage
Prohibited Uses
We commit to never:
- Use Platform Data for discrimination based on protected characteristics
- Make eligibility determinations for housing, employment, insurance, credit, or government benefits
- Provide surveillance tools or facilitate surveillance activities
- Sell, license, or purchase Platform Data
- Build user profiles without explicit consent
- Reverse engineer, decode, or de-anonymize Platform Data
- Change core functionality without re-approval from Platforms
13. Third-Party Service Providers and Data Sharing
Platform Data Sharing
We share Platform Data only in the following limited circumstances:
- Stripe Payment Processing: Email addresses obtained through Facebook Login and Google Login are transmitted to Stripe API solely for customer account creation and payment processing
- OpenAI API Integration: Message and comment content only (no personally identifiable information) is sent to OpenAI for AI-powered response generation
- No other third-party sharing: We do not share Platform Data with analytics platforms, CRM systems, or business partners
Service Provider Requirements
All service providers processing Platform Data must:
- Process data solely at our direction for specified services
- Comply with Platform Terms and applicable data protection laws
- Implement appropriate technical and organizational security measures
- Delete data immediately upon termination of services
- Provide proof of compliance upon request
We maintain written agreements with all service providers and sub-service providers handling Platform Data, ensuring they meet Platform requirements for data protection and security.
14. International Data Transfers
EEA Data Transfers
For transfers of data from Ireland controlled by the Platforms to territories outside the European Economic Area without European Commission adequacy decisions, we comply with Standard Contractual Clauses (Module One - controller to controller transfers) as specified in European Commission Decision (EU) 2021/914.
For EEA transfers:
- Platforms in Ireland are the data exporters; IcloneU is the data importer
- Data subjects include users who interact with our App and Platforms
- Transferred data categories include Platform Data as defined in this policy
- Transfer frequency is continuous as required for service provision
- Purpose is AI-powered customer communication management
- Retention period follows our data retention policies unless required longer by law
- Competent supervisory authority is the Data Protection Commission in Ireland
- We implement Platform Technical and Organisational Measures
UK Data Transfers
For transfers of UK data controlled by Platforms subject to UK GDPR to territories without UK adequacy decisions, we comply with the International Data Transfer Addendum to the EU Standard Contractual Clauses as approved by the UK Information Commissioner.
For UK transfers:
- UK Platforms are the data exporters; IcloneU is the data importer
- We follow Module 1 (controller to controller) of the Approved EU SCCs
- UK-specific technical and organizational measures are implemented
- Data retention follows UK data protection requirements
15. Compliance Monitoring and Audit Cooperation
App Review and Monitoring
- We submit our App for review and approval of Platforms at their discretion
- We cooperate fully with Platform technical and operational monitoring
- We provide requested information and access during reviews
- We maintain accurate and complete App Dashboard information
- We acknowledge Platform rights to verify all provided information
Audit Rights
We acknowledge and agree to Platform audit rights:
- Platforms or third-party auditors may conduct compliance audits up to once per calendar year
- Additional audits are permitted when necessary conditions exist (violations, legal requirements, change of control, etc.)
- We will provide at least 10 business days' notice for audits unless immediate access is required
- We will provide full cooperation including physical and remote access to IT systems and records
- We will make knowledgeable personnel available for questioning
- We will remedy any non-compliance as soon as reasonably practicable
Certifications and Attestations
- We provide requested certifications regarding compliance with Platform Terms
- We certify appropriate purposes and uses for Platform Data access
- All certifications are provided by authorized company representatives
- We maintain documentation to support all certifications
Rights Survival
Platform audit rights survive termination of Platform access until one year after we demonstrate cessation of all Platform Data processing and deletion of all Platform Data.
Document Control:
- Document Name: Privacy Policy
- Last Updated: 8/4/2025
- Version: 1.2
- Distribution: All team members, compliance officer, Platform Reviews
- Next Review: 4/2/2026 or upon Platform Terms updates