Comprehensive Privacy Notice — apiCEP.cloud
Last updated: April 25, 2026 · Version 1.0
1. Identity and Address of the Data Controller
Oscar Maya Cuellar (the "Controller") is responsible for processing the personal data you provide when using the apiCEP.cloud platform.
- Website: https://www.apicep.cloud
- Email: privacidad@apicep.cloud
- Address: Cuauhtemoc, Chihuahua, Mexico
This Privacy Notice is made available to you from the moment your personal data is collected, in compliance with article 15 of the new Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP, in force since March 21, 2025).
2. Personal Data We Collect
2.1 Data of registered users (developers / companies)
| Category | Specific data | Sensitive? |
|---|---|---|
| Identification | Full name, business name | No |
| Contact | Email, phone | No |
| Billing | Tax ID (RFC), tax regime, tax address | No |
| Access | Generated API Keys, creation date, source IP | No |
| Service usage | Call logs, timestamps, consumed endpoints, active plans | No |
2.2 Third-party data processed through the API
When users integrate the apiCEP.cloud API to validate SPEI receipts, the platform temporarily processes personal data of third parties (beneficiaries and senders of transfers), including:
- Full name of the beneficiary and/or sender
- Interbank CLABE, phone number or card number
- RFC of the beneficiary and/or sender
- Amount, date, bank and reference of the transfer
- Digital seal and original chain of the CEP issued by Banco de México
This data is processed solely to provide the service requested by the registered user. The Controller acts as data processor with respect to such third-party data; liability toward the data subjects rests with the user integrating the API.
Note on sensitive data: The data listed is not considered sensitive data under article 3 of the LFPDPPP. If any future integration involves sensitive data, this notice will be updated and express written consent will be requested.
3. Purposes of Processing
The new LFPDPPP requires distinguishing between purposes that require consent and those derived from the contractual relationship.
3.1 Purposes necessary for the contractual relationship (no additional consent required)
- Creation and management of your user account and access credentials (API Keys).
- Provision of the SPEI transfer validation and verification service.
- Billing, collection and administration of subscriptions and plans.
- Handling of technical support requests and incident resolution.
- Compliance with applicable legal, tax and regulatory obligations.
- Service security: detection of fraud, API abuse or unauthorized access.
- Management of technical logs for maintenance, internal audit and error resolution.
3.2 Secondary purposes (require consent; you may refuse without affecting the service)
- Sending commercial communications, product updates, new features and apiCEP.cloud newsletters.
- Aggregated statistical usage profiling to improve the service experience.
- Invitations to participate in satisfaction surveys, beta programs or market studies.
If you do not want your data to be used for these secondary purposes, send an email to privacidad@apicep.cloud with the subject "Opposition to secondary purposes" within 5 business days following your registration, or at any time thereafter.
4. Mechanisms to Limit the Use and Disclosure of Your Data
You may limit the use or disclosure of your personal data through the following mechanisms:
- Direct request: by sending an email to privacidad@apicep.cloud with the subject "Limitation of data use".
- Registration in the Public Registry to Avoid Advertising (REPEP): managed by PROFECO, to limit the use of your data for advertising purposes by third parties.
5. ARCO Rights and Revocation of Consent
5.1 Your rights
Under the LFPDPPP, you have the right to:
- Access: know what personal data we have about you, how we process it, and for what purposes.
- Rectification: request the correction of inaccurate or incomplete data.
- Cancellation: request the deletion of your data when you consider it is not being processed in accordance with the Law, or when it is no longer necessary for the purpose for which it was collected.
- Opposition: oppose the processing of your data for specific purposes.
- Revocation of consent: withdraw at any time the consent you have granted for secondary purposes.
5.2 Procedure to exercise ARCO rights
To exercise any of these rights, send a request to privacidad@apicep.cloud with the following information:
- Full name of the data subject.
- Email used to register on the platform.
- Right you wish to exercise and a clear description of what you are requesting.
- Copy of valid official identification (INE, passport or equivalent).
- If acting through a legal representative: documents proving the representation.
Response time: The Controller will address your request within a maximum of 20 business days from receipt. If applicable, the request will be made effective within 15 business days following the response.
5.3 Restrictions on the exercise of rights
The exercise of ARCO rights may be limited when: (i) there is a legal obligation to retain the data; (ii) the data is necessary for the performance of an active contractual relationship; (iii) there is a prevailing legitimate interest, in which case you will be informed in a substantiated and motivated manner.
6. Transfer of Personal Data
For the operation of the service, the Controller may share data with the following data processors (service providers acting on its behalf and under the Controller's instructions):
| Provider | Purpose | Country |
|---|---|---|
| Cloud provider (e.g. Vercel / Supabase) | Application and database hosting | USA |
| Transactional email service | Sending notifications and confirmations | Variable |
| Banco de México (Banxico) | CEP query for transfer validation (public service) | Mexico |
These providers are contractually obligated to process your data solely for the purposes described and to maintain adequate security measures. In cases where data is transferred outside Mexico, the Controller will adopt the necessary measures to guarantee a level of protection equivalent to that provided by the LFPDPPP.
7. Security Measures
The Controller has implemented technical, administrative, and physical measures to protect your personal data against damage, loss, alteration, destruction, unauthorized access or disclosure, including:
- Encrypted communications via TLS/HTTPS on all endpoints.
- Authentication via API Keys with secure hashing; keys are not stored in plain text.
- Role-based access control for internal personnel.
- Audit logs for access and modifications.
- Automatic deletion of temporary files (images, XML, PDF) after 15 days.
- Periodic infrastructure security reviews.
In the event of a security breach that significantly affects your patrimonial or moral rights, the Controller will notify you immediately by email, in accordance with the LFPDPPP.
8. Use of Cookies and Tracking Technologies
The apicep.cloud website may use cookies and similar technologies for the following purposes:
| Type | Purpose | Consent required? |
|---|---|---|
| Essential cookies | User panel operation, authenticated session | No |
| Analytics cookies | Site usage statistics (e.g. Google Analytics) | No |
| Marketing cookies | Advertising campaign tracking (e.g. Meta Pixel) | No |
You may modify your cookie preferences at any time from your browser settings or from the site's preference manager.
9. Data of Minors
The apiCEP.cloud services are intended exclusively for persons over 18 years of age or legal entities. The Controller does not knowingly collect or process personal data of minors. If you are aware that a minor has provided us with data without consent, please notify privacidad@apicep.cloud to proceed with its immediate deletion.
10. Changes to the Privacy Notice
The Controller reserves the right to modify this Privacy Notice at any time, in response to legislative, operational or product changes. Modifications will be published at https://www.apicep.cloud/privacidad, indicating the update date. In case of substantial changes that affect the purposes of processing or the rights of data subjects, additional notification will be sent by email to the address registered in the user's account, at least 10 business days prior to their effective date.
Continued use of the platform after the update date constitutes acceptance of the modified Notice.
11. Competent Authority
If you consider that your right to personal data protection has been violated, you may file a complaint with the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI):
- Website: https://www.inai.org.mx
- Phone: 800 835 4324
12. Contact
For any inquiry, ARCO request or matter related to this Notice:
- Email: privacidad@apicep.cloud
- Suggested subject: "ARCO Request — [Type of right]" or "Privacy Notice — [Inquiry]"
- Service hours: Monday to Friday, 9:00 to 18:00 hrs (CST)