apiCEP

    Comprehensive Privacy Notice — apiCEP.cloud

    Last updated: April 25, 2026 · Version 1.0

    1. Identity and Address of the Data Controller

    Oscar Maya Cuellar (the "Controller") is responsible for processing the personal data you provide when using the apiCEP.cloud platform.

    This Privacy Notice is made available to you from the moment your personal data is collected, in compliance with article 15 of the new Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP, in force since March 21, 2025).

    2. Personal Data We Collect

    2.1 Data of registered users (developers / companies)

    Category | Specific data | Sensitive?
    Identification | Full name, business name | No
    Contact | Email, phone | No
    Billing | Tax ID (RFC), tax regime, tax address | No
    Access | Generated API Keys, creation date, source IP | No
    Service usage | Call logs, timestamps, consumed endpoints, active plans | No

    2.2 Third-party data processed through the API

    When users integrate the apiCEP.cloud API to validate SPEI receipts, the platform temporarily processes personal data of third parties (beneficiaries and senders of transfers), including:

    • Full name of the beneficiary and/or sender
    • Interbank CLABE, phone number or card number
    • RFC of the beneficiary and/or sender
    • Amount, date, bank and reference of the transfer
    • Digital seal and original chain of the CEP issued by Banco de México

    This data is processed solely to provide the service requested by the registered user. The Controller acts as data processor regarding such third-party data; liability vis-à-vis the data subjects corresponds to the user integrating the API.

    Note on sensitive data: The data listed is not considered sensitive data under article 3 of the LFPDPPP. If any future integration involves sensitive data, this notice will be updated and express written consent will be requested.

    3. Purposes of Processing

    The new LFPDPPP requires distinguishing between purposes that require consent and those derived from the contractual relationship.

    3.1 Purposes necessary for the contractual relationship (no additional consent required)

    • Creation and management of your user account and access credentials (API Keys).
    • Provision of the SPEI transfer validation and verification service.
    • Billing, collection and administration of subscriptions and plans.
    • Handling of technical support requests and incident resolution.
    • Compliance with applicable legal, tax and regulatory obligations.
    • Service security: detection of fraud, API abuse or unauthorized access.
    • Management of technical logs for maintenance, internal audit and error resolution.

    3.2 Secondary purposes (require consent; you may refuse without affecting the service)

    • Sending commercial communications, product updates, new features and apiCEP.cloud newsletters.
    • Aggregated statistical usage profiling to improve the service experience.
    • Invitations to participate in satisfaction surveys, beta programs or market studies.

    If you do not want your data to be used for these secondary purposes, send an email to privacidad@apicep.cloud with the subject "Opposition to secondary purposes" within 5 business days following your registration, or at any time thereafter.

    4. Mechanisms to Limit the Use and Disclosure of Your Data

    You may limit the use or disclosure of your personal data through the following mechanisms:

    • Direct request: by sending an email to privacidad@apicep.cloud with the subject "Limitation of data use".
    • Registration in the Public Registry to Avoid Advertising (REPEP): managed by PROFECO, to limit the use of your data for advertising purposes by third parties.

    5. ARCO Rights and Revocation of Consent

    5.1 Your rights

    Under the LFPDPPP, you have the right to:

    • Access: know what personal data we have about you, how we process it, and for what purposes.
    • Rectification: request the correction of inaccurate or incomplete data.
    • Cancellation: request the deletion of your data when you consider it is not being processed in accordance with the Law, or when it is no longer necessary for the purpose for which it was collected.
    • Opposition: oppose the processing of your data for specific purposes.
    • Revocation of consent: withdraw at any time the consent you have granted for secondary purposes.

    5.2 Procedure to exercise ARCO rights

    To exercise any of these rights, send a request to privacidad@apicep.cloud with the following information:

    1. Full name of the data subject.
    2. Email used to register on the platform.
    3. Right you wish to exercise and a clear description of what you are requesting.
    4. Copy of valid official identification (INE, passport or equivalent).
    5. If acting through a legal representative: documents proving the representation.

    Response time: The Controller will address your request within a maximum of 20 business days from receipt. If applicable, the request will be made effective within 15 business days following the response.

    5.3 Restrictions on the exercise of rights

    The exercise of ARCO rights may be limited when: (i) there is a legal obligation to retain the data; (ii) the data is necessary for the performance of an active contractual relationship; (iii) there is a prevailing legitimate interest, in which case you will be informed in a substantiated and motivated manner.

    6. Transfer of Personal Data

    For the operation of the service, the Controller may share data with the following data processors (service providers acting on its behalf and under the Controller's instructions):

    Provider | Purpose | Country
    Cloud provider (e.g. Vercel / Supabase) | Application and database hosting | USA
    Transactional email service | Sending notifications and confirmations | Variable
    Banco de México (Banxico) | CEP query for transfer validation (public service) | Mexico

    These providers are contractually obligated to process your data solely for the purposes described and to maintain adequate security measures. In cases where data is transferred outside Mexico, the Controller will adopt the necessary measures to guarantee a level of protection equivalent to that provided by the LFPDPPP.

    7. Security Measures

    The Controller has implemented technical, administrative, and physical measures to protect your personal data against damage, loss, alteration, destruction, unauthorized access or disclosure, including:

    • Encrypted communications via TLS/HTTPS on all endpoints.
    • Authentication via API Keys with secure hashing; keys are not stored in plain text.
    • Role-based access control for internal personnel.
    • Audit logs for access and modifications.
    • Automatic deletion of temporary files (images, XML, PDF) after 15 days.
    • Periodic infrastructure security reviews.

    In the event of a security breach that significantly affects your patrimonial or moral rights, the Controller will notify you immediately by email, in accordance with the LFPDPPP.

    8. Use of Cookies and Tracking Technologies

    The apicep.cloud website may use cookies and similar technologies for the following purposes:

    Type | Purpose | Consent required?
    Essential cookies | User panel operation, authenticated session | No
    Analytics cookies | Site usage statistics (e.g. Google Analytics) | No
    Marketing cookies | Advertising campaign tracking (e.g. Meta Pixel) | No

    You may modify them at any time from your browser settings or from the site's preference manager.

    9. Data of Minors

    The apiCEP.cloud services are intended exclusively for persons over 18 years of age or legal entities. The Controller does not knowingly collect or process personal data of minors. If you are aware that a minor has provided us with data without consent, please notify privacidad@apicep.cloud to proceed with its immediate deletion.

    10. Changes to the Privacy Notice

    The Controller reserves the right to modify this Privacy Notice at any time, in response to legislative, operational or product changes. Modifications will be published at:

    https://www.apicep.cloud/privacidad

    indicating the update date. In case of substantial changes that affect the purposes of processing or the rights of data subjects, additional notification will be sent by email to the address registered in the user's account, at least 10 business days prior to its effective date.

    Continued use of the platform after the update date constitutes acceptance of the modified Notice.

    11. Competent Authority

    If you consider that your right to personal data protection has been violated, you may file a complaint with the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI):

    12. Contact

    For any inquiry, ARCO request or matter related to this Notice:

    • Email: privacidad@apicep.cloud
    • Suggested subject: "ARCO Request — [Type of right]" or "Privacy Notice — [Inquiry]"
    • Service hours: Monday to Friday, 9:00 to 18:00 hrs (CST)