Mexico Privacy Notice

Who is the Company?

Unlimint MX S.A.P.I de C.V (“Company” or “we” or “us”) provides payment services, for customers and merchants or clients through our platforms and applications (“services”). If you want to know more about our services then please visit our website.

The Company and its affiliates or businesses are part of a global payments and technology organization holding various licenses and authorizations as each business is obliged to under the laws and regulations it operates in.

The Company is a registered legal entity with the address Av. Paseo de la Reforma 296, Col. Juárez, Del. Cuauhtémoc, C.P. 06600, CDMX, Mexico is constituted under the Laws of the United Mexican States.

The Company is dedicated to protecting the privacy and confidentiality of information in its possession and is committed to the appropriate use and protection of personal data, with transparency and respect for rights in line with Federal Law on Protection of Personal Data Held by Private Parties (the “Law”) The Company is responsible for the use and protection of your personal data that you (“ Data Owner” or “you”) have provided to us directly or indirectly as permitted by the Law.

In this Privacy Notice, we aim to provide information about how our Company collects and processes your personal data when you correspond with us, apply for our services, establish relations with us as a customer or merchant or client, submit a request for our services, or use our website.

The Company makes this Privacy Notice available digitally and if the Data Owner does not express any opposition, it will be understood that the Data Owner grants the Company his consent to carry out the processing of the personal data that has been provided and/ or that with reason for any of the purposes established in the present provide in the future by way of agreeing to this Privacy Notice. If you do not wish to provide your consent, please refer to Section 7 of this Notice.

When our services are used, we act as a provider of payment services and payment methods to merchants or clients of services and goods. For example, the Company performs card or online payment processing on behalf of the client or merchant and therefore we process personal data from merchant or clients, and we can complete payments from payers to merchants or clients. We require to process your personal data to provide our services to you. In case you are a website visitor, we collect your data directly from you as the Data Owner.

If you are a potential employee or job applicant, please refer to our Global Talent Acquisition Notice.

Scope and General Provisions

1. You should read this Privacy Notice together with the relevant terms and conditions of the service/product (as applicable) provided by the Company and also applies to the use of our website and online systems under the relevant Terms.

2. Some links on our website may contain links or lead to or originate from third party websites with their own privacy notices. The Company does not accept any responsibility or liability for third-party websites. Please refer to the privacy policy of your personal data’s relevant data controller (entity) to learn more about how the entity processes it.

Collection and Use of Personal Data

We collect your personal data through the following modes of collection:

  • We collect personal data provided or shared by you during account opening when you wish to establish a relationship with us. In some cases, you may have previously provided your personal data to us.
  • Our primary means of collecting personal data is through personal data you share and when we provide our services. If you want to learn more about our services, please refer to our website.
  • We may collect third-party or public data described below.
    • Third-party data: We may collect your personal data from other entities such as service providers, public authorities, persons that refer you to us with your permission where required, our group companies, and companies processing payments. We may also collect certain categories of your personal data depending on the payment method you choose e.g., via cards, digital wallets, online banks, etc.
    • Public Data: We may collect your personal data from publicly available databases and publicly accessible sources (e.g., relevant or applicable State Registry, screening databases (e.g., sanctions/AML), media, and the Internet).

What Personal Data is processedby the Company?

Category of Data Type of Data
Your identity information Full name: Paternal surname, maternal surname and name(s) without abbreviations; Gender; Birthdate; Federative entity of birth; Country of birth; Nationality; Private address in your place of residence; Telephone number(s) where you can be reached; Email address; CURP If you hold prominent public functions (PEPs); Serial number of the electronic signature and/or handwritten signature.
Relevant financial information Personal bank details, professional status, employment field, employer details (including, for example, information such as certificates of directors).
Specific authentication personal data (“Patrimonial Data”) A signature or your user login to access our service dashboards.
Communications Personal data that you may provide by filling in forms or by communicating with us (e.g., directed to us in letters, emails, via our electronic channels).
Transactional and other/ documents information Personal Data arising for the execution of payment transactions (including data such as date, time, amount, currencies, beneficiary details, location information and merchant details), supplementary/supporting documentary evidence related to transactions, and further information arising from contractual obligations between Unlimint and merchants.
Location and technical information Location data (for example, at the time of login or a transaction); IP addresses and device information, visitor’s information and similar information subject to our Cookie Policy.
Publicly available Personal Data Details about you from public records and available in publicly accessible databases.
Investigations data/ results of due diligence and enhanced due diligence (“CDD and KYC”) Personal data regarding criminal convictions and offences (special category of data), as part of its compliance measures with regulatory obligations, as well as other supporting documents and personal data related to the categories above.
Consents Communications with customer service support, behavioural

data (for example, data collected using cookies as per our Cookie  Notice), information about promotions, surveys, promotional campaigns and records of your decision(s) to subscribe or to withdraw from receiving marketing materials, if any.
Profile and Usage Data We may collect data from devices you use to connect use our services.

We do not collect or process sensitive personal data. In accordance with the Law for the processing of your personal financial or patrimonial data we require your express written consent, so by accepting this privacy notice by electronic means, you also accept the processing of your financial or patrimonial data.

What are the purposes for which Personal Data is processed?

1. Primary Purposes:

  • To verify your identity;
  • To provide our services (this includes activating an account associated with you or the legal entity that contracts for our services);
  • To provide delivery channels (e.g., online systems);
  • To execute transactions;
  • To execute your requests or act upon instructions;
  • To perform our contractual obligations;
  • To perform anti-money laundering or fraud checks and evaluations;
  • For crime prevention purposes or cooperation with authorities;
  • To provide ongoing support and handle inquiries, complaints and similar issues;
  • To provide information about the requested/provided products and services;
  • To enforce internal procedures and protective measures against fraud, risk and financial crime;
  • To report to relevant authorities;
  • For internal operational support and administrative purposes;
  • To obtain reports/tickets about an online problem;
  • To comply with our legal and regulatory obligations;
  • To enforce or defend the rights of the Company or the Company group/affiliates;
  • To ensure security and business continuity.

2. Secondary Purposes:

  • To maintain communication with you and provide you with up-to-date information;
  • For data analytics to improve research, statistics, products, and services that Unlimit and other third-party providers (such as for AML/KYC providers);
  • To provide information on products/services (this may be advertising/marketing);
  • For service quality management and product improvement.

If you do not want your personal data to be processed for the primary and secondary purposes mentioned under this Section, then you can express your refusal by contacting us through the details provided under Section 7 of this Notice.

Mechanism for Acceptance and Refusal of Processing of Personal Data

For the purposes of the provisions of the Law and other applicable legislation, the Data Owner agrees:

1. You have read and are aware of this Privacy Notice made available to you by the Company.
2. You understand and agree to the terms of this Privacy Notice.
3. You provide your consent to the processing of your personal data.
4. You provide your consent to the Company so that it can collect your personal data by any means (including digitally or physically).
5. You provide your consent to the Company so that your personal data is processed in accordance with what is indicated in this Privacy Notice.

Revocation of Consent

You can revoke or limit your consent at any time. Your right to revoke your consent must meet the minimum requirements set out in the Law and its Regulations. This means that you need to provide us with your name and address, copy of a document that proves your identity, clear and precise description of the personal data on which you seek to exercise this right and description of your request) and that it be sent to the email address [email protected].

The processing of your personal data is essential to be able to provide you with our services; Revoking your consent could mean that you cannot use our services. We would provide you with further instructions if this is the case.

What are the means and options offered by the Company to limit the use and discussion of personal data?

We have taken adequate safeguards to ensure the confidentiality and security of your personal data. We have implemented appropriate technical, physical, and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access, as well as all other forms of unlawful processing (including, but not limited to, unnecessary collection) or further processing.

Where the Company processes card data, we adhere to the highest level of protection available by the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a global standard for securely accepting and processing credit card payments. Launched in 2006 by an alliance of major credit card companies, PCI DSS encompasses 12 key requirements as well as more than 400 sub-requirements and test procedures which are audited for compliance annually by an external auditor. Being PCI-compliant requires not just meeting these requirements but continually identifying, documenting, and (if necessary) remediating business-level systems and processes that involve the handing of user credit card data.

Where you have access to our resources via user authentication means (e.g., user credentials), you are responsible for keeping your user credentials secure and confidential and not disclosing them to anyone.

Your ARCO Rights

Under the Law you or your accredited legal representative have the right to:

  • Access: know what personal data we have about you, what we use them for and the conditions of use that we give them;
  • Rectification: request the correction of your personal information in case it is outdated, inaccurate or incomplete;
  • Cancellation: request that said information be removed from our records or databases when you consider that it is not being used properly;
  • Opposition: oppose the use of your personal data for specific purposes. You may reach out to us at the details provided under Section 11.

If you want to exercise your ARCO rights, you or legal representative must submit a written request to us with the following information and documentation so that we may process your request efficiently and quickly:

  1. Your name and address along with the email address through which we can communicate with you;
  2. The documents that prove your identity or that of your legal representative;
  3. Description of the personal data in respect of the ARCO right you wish to exercise;
  4. Any other element or document that facilitates the location of your personal data.

If the Owner does not personally submit the request, whoever does so must prove their representation. He may do so by means of a public deed or power of attorney signed before two witnesses, along with official identification of the Owner and representative.

If a data rectification is requested, the modifications to be made must be indicated and documentation must be provided that proves the reason for the requested changes.

We will require maximum period of 20 business days from the request, to inform about its origin. We may require longer (up to 15 business days) as permitted under the Law if we do not receive the sufficient information from you.

Right to file a complaint

If you believe we have not resolved your complaint, you have the right to submit a complaint to the Instituto Nacional de Transparencia, Acceso a la Información y Protección  de Datos Personales (“INAI”).

Data Protection Officer Contact details

You can address questions and concerns to the Data Protection Function as follows: Unlimint MX SAPI de CV

Av. Paseo de la

Reforma 296, Col. Juárez, Del. Cuauhtémoc,

C.P. 06600, CDMX,

Mexico Email: [email protected]

Transfers of Personal Data

The Company may transfer the personal data internally within its Group (i.e. holding companies, subsidiaries and/or affiliates) to facilitate our operations. The Company’s functions or departments receive only specific categories and types of personal data depending on their organizational roles and responsibilities.

If there is a transfer to third parties (national or foreign), then the Company transfers the personal data in accordance with your consent or in terms of the provisions of the Law.

The following types of external parties may receive your personal data:

  • Service providers, auditors and consultants:
    • As a regulated organization, we may disclose personal data for purposes and in the context of audits (e.g., external audits, security audits, compliance audits);
    • We will disclose personal data to third-party partners and service providers (processors) so they can process it on our behalf where required;
    • Provide support services and technical services to these internal third parties and receive some of these services from them;
    • Contribute to the research, data analytics, and studies to improve the products and services that the Company and other internal third parties provide;
    • etc.
  • Regulatory authorities, law enforcement, courts: We may disclose personal data to comply with applicable legislation and regulatory obligations, to respond to requests of regulatory authorities, government and law enforcement agencies, courts, and court orders

Retention period

  1. Our retention period is primarily determined by our obligations under applicable legislation to retain data for a specific time. Destruction will only be possible after the lapse of this period.
  2. We are obliged to keep customer data (including personal data) during the business relationship and for a minimum period of 10 years after business relationship termination, or after customer application rejection/withdrawal, under applicable laws and other requirements applicable to our business.
  3. We may retain your personal data for longer than the minimum retention period above if there are other lawful reasons justifying an extended retention period (such as for complaints handling, legal proceedings, investigations, regulatory, tax, money laundering and crime and fraud prevention purposes).

Use of Cookies

The Company’s website contains forms that website visitors may use. When website visitors send us information online via forms on the website, in the context of the provision of services, we will use the information as set out in this Privacy Notice.

In some instances, the Company and other entities (such as service providers) may use cookies and other technologies to automatically collect certain types of data when you visit our websites and online platforms. The collection of this data enables us to improve the security and usability of our websites and online resources and to measure the effectiveness of marketing activities.

For detailed information on cookies and their purposes, please refer to our Cookie Notice on our website.

Changes to the Privacy Notice

We may revise or update our Privacy Notice from time to time. In such a case, we make the most recent version of the Privacy Notice available on our website, informing you accordingly by displaying in the updated version and relevant date of update.

Privacy Notice
UNL.MX_DP_PN_CUST-01/2024		 Current Version
July 2024
Region Products may vary
Language Select language
We’ve got all your details, thanks!
We’ve received your application form.

One of our sales team will be
in touch ASAP.

Close