Data controller responsible for personal data
SYAD Organización Integral de Negocios, S.A. de C.V. (hereinafter “SYAD”), with domicile at Calle Guillermo González Camarena 900, Col. Santa Fe, C.P. 01210, Alcaldía Álvaro Obregón, Mexico City, and website www.syad.com.mx, is the party responsible for the use, processing and protection of your personal data, in compliance with the Mexican Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “LFPDPPP”) and its Regulations.
1. Privacy Notice for Clients
What purposes will we use your personal data for?
The personal data we collect from you will be used for the following purposes, which are necessary for the proper provision of the services you contract with SYAD:
- Registration as a supplier
- Engagement of our consulting services
- Contact with our potential clients
- Responding to any information requests
- Drafting of contracts or agreements
- Processing payments to suppliers
- Addressing any inquiries or requests
- Preparing a service proposal
- Carrying out the hiring of an employee
Additionally, we will use your personal information for the following non-essential purposes, which allow us to provide you with better service:
- Conducting surveys and obtaining feedback to improve our services
- Sending relevant information about the solutions we represent or about our organization
What personal data will we use?
To carry out the purposes described above, SYAD will use the following personal data:
- Identification data: name, legal entity name, RFC (tax identification number).
- Contact data: phone number, email address, fiscal domicile.
- Financial data: invoices, bank statements, banking information used exclusively for billing or payments.
- Operational data: information necessary for the integration and use of the iVal platform and connection with Coupa.
With whom will we share your personal information and for what purposes?
We hereby inform you that your personal data may be shared with the following persons, companies, organizations and authorities, for the following purposes:
- External auditors
- Compliance with tax provisions applicable to SYAD
- Third parties that have entered into collaboration agreements with SYAD
- Authorities to which SYAD is legally required to disclose information
Primary purposes
- Fulfillment of the contractual relationship and provision of consulting services and access to the iVal platform
- Billing and collection
- Account management, support and technical assistance
- Compliance with legal and tax obligations
Secondary purposes (require consent)
- Sending updates about improvements or changes to contracted services
- Satisfaction surveys
Transfers
- Tax and regulatory authorities when legally required
- Technology service providers (such as Coupa) to enable the functionality of the iVal platform
- Auditing or consulting firms under confidentiality agreements
No additional transfers are made without your consent.
Collection channels
Web forms, iVal portal, Coupa integrations, contracts and proposal-engagement processes. Simplified notice in forms/email; consent log. For financial/payment data: express consent (check-box capture with two-factor authentication, or electronic signature) and logical segregation (PCI-like).
2. Privacy Notice for Suppliers
Data Controller: SYAD Organización Integral de Negocios, S.A. de C.V., with the details stated above.
Personal data processed
- Identification data: name, legal entity name, RFC (tax identification number)
- Contact data: email address, phone number, fiscal domicile
- Financial data: invoices, banking information for payments
Primary purposes
- Fulfillment of the contractual relationship and procurement/service management
- Invoice payment and accounting management
- Compliance with tax and legal obligations
Secondary purposes (require consent)
- Registration in our database for future engagements or tenders
Transfers
- Tax authorities for compliance with tax obligations
- External accountants and auditors, under confidentiality agreements
Supplier onboarding and KYC
Direct collection (in-person/digital); if we obtain indirect references, we inform the data subject of the main processing characteristics and the means to consult this notice; compensatory measures apply where applicable. For payments: express consent and access minimization in accounting systems.
3. Privacy Notice for Employees
Data Controller: SYAD Organización Integral de Negocios, S.A. de C.V., with the details stated above.
Personal data processed
- Identification data: name, CURP (unique population registry code), RFC (tax identification number), date and place of birth, nationality
- Contact data: address, phone number, email address
- Employment data: employment history, references
- Academic data: education level, certificates, degrees
- Financial data: bank account for payroll
- Sensitive data: health status, beneficiaries, economic dependents (only if required by law or for employment benefits)
Primary purposes
- Compliance with labor and contractual obligations
- Payroll and benefits administration
- Compliance with tax, social security and regulatory obligations
- Performance evaluation and professional development
Secondary purposes (require consent)
- Participation in team-building activities or corporate events
- Internal publication of achievements or awards
Transfers
- IMSS (Mexican Social Security Institute), INFONAVIT (National Workers Housing Fund), SAT (Tax Administration Service) and other competent authorities
- Payroll and benefits service providers
- Insurance companies (life, medical expenses) where benefits apply
Direct collection during onboarding; electronic records with express written consent for sensitive data (health, beneficiaries). Retention in accordance with labor/tax retention periods followed by blocking; secure destruction upon expiration.
How can you access, rectify or cancel your personal data, or oppose its use?
You have the right to know what personal data we hold about you, how we use it and the conditions of such use (Access). You also have the right to request the correction of your personal information if it is outdated, inaccurate or incomplete (Rectification); to request its deletion from our records or databases when you consider it is not being used in accordance with the principles, rights and obligations set forth by law (Cancellation); and to oppose the use of your personal data for specific purposes (Opposition). These rights are known as ARCO Rights (Access, Rectification, Cancellation, Opposition).
ARCO Rights requests may be submitted in writing by sending an email to customer.support@syad.com.mx.
The request must include:
- The name of the data subject and an email address for communicating the response
- Documents proving identity (voter ID, valid passport, professional license, military service card, or resident card for foreign nationals), or, where applicable, proof of legal representation
- A clear and precise description of the personal data with respect to which any of the rights is to be exercised
- Any other element or document that facilitates the location of the personal data
- For rectification requests: indicate the modifications to be made and provide supporting documentation
SYAD will notify the data subject of the decision adopted within 20 business days, so that, if the request is granted, it may be carried out within the following 15 days. These periods may be extended once for an equal period when the circumstances of the case so justify.
SYAD Personal Data Department
The Personal Data Department provides the necessary assistance for the exercise of your ARCO Rights, revocation of consent and limitation of use and disclosure.
Address: Calle Guillermo González Camarena 900, Col. Santa Fe, C.P. 01210, Alcaldía Álvaro Obregón, Mexico City.
Email: customer.support@syad.com.mx
Business hours: 09:00 to 18:00, Monday through Friday
How can you revoke your consent?
You may revoke the consent you have granted us for the processing of your personal data. However, please note that we may not be able to honor your request or cease processing immediately in all cases, as a legal obligation may require us to continue processing your personal data.
Revocation of consent may be exercised at any time, without retroactive effect. To initiate the process, send an email to customer.support@syad.com.mx with the same requirements as an ARCO Rights request.
How can you limit the use or disclosure of your information?
In order for you to limit the use and disclosure of your personal information, we offer you the following means:
- Public Registry to Avoid Advertising (PROFECO) — visit repep.profeco.gob.mx
- Registration on SYAD's own exclusion list — send an email to customer.support@syad.com.mx
Use of tracking technologies
In order to provide you with a more personalized and responsive service, we store information about how you use the SYAD website through cookies. Cookies contain small amounts of information and are downloaded to your device by a server on our website. Your browser sends these cookies on each subsequent visit to recognize you and remember your preferences.
Cookies may be disabled from your browser or managed through the Preferences Center accessible on our website.
How is personal data collected?
SYAD obtains personal data through direct, indirect and automated means, in accordance with the principles of lawfulness, loyalty, information and accountability. We do not obtain data through deceptive or fraudulent means.
a) Direct collection (in the presence of the data subject)
- In-person: printed forms, contracts, service orders and onboarding processes (clients/suppliers/employees)
- Electronic: web forms, iVal portal, Coupa integrations, support channels (corporate email, chats), video calls and recordings with prior notice
- Telephone: inbound/outbound calls managed by SYAD or by processors; reading of the simplified notice and reference to the comprehensive notice
b) Indirect collection (not obtained directly)
Business references, group partners/affiliates, contractual counterparties, and lawful publicly accessible sources (e.g., registries or public records permitted by law). When data is not obtained directly, we inform the data subject of the main processing characteristics and the means to consult this notice.
c) Automated collection (cookies and tracking technologies)
On SYAD websites and portals we use cookies and similar technologies to (i) ensure basic functionalities; (ii) remember preferences; (iii) perform analytics; and (iv) deliver advertising (own/third-party). These technologies operate in accordance with our Cookie Policy and may be configured or revoked at any time through the Preferences Center.
Lawful basis and consent
As a general rule, processing is subject to the consent of the data subject — tacit where applicable; for financial/patrimonial data we require express consent and, for sensitive data (e.g., health data in HR), express written consent (handwritten or electronic signature).
Evidence and traceability (ISO/IEC 27001)
We maintain records of collection and consent (timestamps, form hashes, portal acceptance logs, recordings with notice, dispatch and read logs), integrated into our ISMS, for audit and accountability purposes.
Retention, blocking and deletion
We will retain data only for the time necessary to fulfill the stated purposes and applicable legal retention periods; thereafter we will apply blocking and secure deletion. Data relating to contractual breaches will be deleted 72 months after the breach.
Transfers and processors
We distinguish between processors (who process data on behalf of SYAD) and third-party recipients. For domestic or international transfers, we disclose the category of recipient, country, purpose and, where applicable, obtain consent; the recipient assumes obligations equivalent to those of SYAD.
Security measures and ISMS + breach notification
SYAD maintains an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022, with administrative, technical and physical safeguards proportionate to the risk: access controls, encryption, vulnerability management, monitoring, business continuity and periodic assessment.
In the event of a security breach that significantly affects the rights of data subjects, we will promptly give notice of the incident, its scope, the measures taken and recommendations, together with a dedicated contact channel.
Automated decisions and profiling
SYAD currently does not make automated decisions that produce legal effects or significantly affect data subjects. Should such mechanisms be implemented in the future, we will disclose the mechanism, the applied logic, and enable objection and human review.
How can you learn about changes to this privacy notice?
This privacy notice may be subject to modifications, changes or updates arising from new legal requirements; our own needs related to the products or services we offer; changes to our privacy practices; changes to our business model; or other causes.
SYAD will notify you of any changes to this privacy notice through its main website www.syad.com.mx.