Skip to content
  • Businesses
  • Notaries
  • Security
  • Contact
Log in
  • Businesses
  • Notaries
  • Security
  • Contact
Log in

Terms · Privacy

Privacy Notice.

Version 1.2 · May 20, 2026 · LFPDPPP 2025

This English translation is provided for convenience. The Spanish version is the legally binding text.

Contents

  • 01Identity and address of the data controller
  • 02Personal data processed
  • 03Purposes of processing
  • 04Consent
  • 05Options to limit use or disclosure
  • 06How to exercise your ARCO rights
  • 07Use of artificial intelligence
  • 08Processor disclosures and transfers
  • 09Retention and de-identified information
  • 10Third-party data in documents
  • 10 BISData of related persons
  • 11Security measures
  • 12Cookies and similar technologies
  • 13Changes to this Privacy Notice
  • 14Minors
  • 15Contact

01Identity and address of the data controller

Accrove, S.A.P.I. de C.V. (hereinafter "Accrove"), with its establishment in Mexico City, Mexico, is the data controller responsible for the processing of the personal data you make available to the platform.

Contact channels for any matter related to this Privacy Notice, the exercise of your rights, or the processing of your personal data:

  • Personal Data Department email: privacidad@accrove.com
  • Website: https://accrove.com

Accrove has designated a Personal Data Department responsible for processing requests related to the exercise of data subjects' rights and for ensuring compliance with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares — the LFPDPPP, Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter, the "Law") — its Regulations, and the applicable Guidelines.

02Personal data processed

Accrove collects and processes the following personal data, which you provide directly or which is obtained from the documents you upload to the platform:

2.1 Identification data

  • Corporate name, legal name, or trade name of the business
  • RFC (Registro Federal de Contribuyentes, Mexico's federal taxpayer ID)
  • Tax domicile
  • Economic sector and line of business
  • Date of incorporation
  • Full name, title, email address, and phone number of the legal representative and of the account's authorized administrators

2.2 Financial and asset data

Under Article 8 of the Law, this data requires the data subject's express consent, which Accrove obtains at the time of registration.

  • Financial statements (balance sheet, income statement, cash flow statement)
  • Tax information (returns, withholdings, tax compliance opinion, tax status certificate)
  • Accounting information (trial balances, journal entries, subsidiary ledgers)
  • Debts, liabilities, and credit obligations
  • Information on shareholders, partners, and equity interests contained in articles of incorporation

2.3 Data contained in documents uploaded by the client

The documents you upload to the platform (financial statements, articles of incorporation, tax certificates, accountant's opinions, among others) may contain personal data of third parties — for example, accountants, auditors, notaries, partners, employees, or legal representatives. Accrove processes such data exclusively in the context of analyzing the document in which it appears and does not use it for separate, independent purposes.

2.4 Platform usage data

  • IP addresses, browser identifier, operating system, device
  • Access logs, pages visited, actions taken
  • Technical metadata of uploaded documents (cryptographic hash, date, size, type)
  • Consent records (accepted notice version, timestamp, IP address)

2.5 Data Accrove does NOT collect

Accrove does not collect sensitive personal data as defined in Article 3 of the Law (racial or ethnic origin, health status, genetic information, religious or philosophical beliefs, union membership, political opinions, or sexual preference). Accrove does not collect biometric data. Accrove does not provide services to minors.

03Purposes of processing

In line with Article 41 of the Regulations, Accrove distinguishes between primary purposes (necessary to provide the service) and secondary purposes (optional, subject to your separate consent).

3.1 Primary purposes

These are the purposes without which Accrove cannot provide the contracted service. You grant your express consent to these purposes at the time of registration:

  1. Create, maintain, and update your business's digital financial file.
  2. Process the documents you upload using artificial intelligence techniques to extract, classify, and structure the information they contain (see Section 7).
  3. Generate the financial profile, financial health indicators, financial ratios, and derived analyses.
  4. Enable account management, the creation of users you authorize, and permission control.
  5. Facilitate, when you expressly authorize it by issuing a sharing grant, the delivery of your file or its derivatives to financial institutions so they can evaluate credit or financing applications you initiate.
  6. Preserve the historical integrity of the file by recording changes, versions, and revisions to documents.
  7. Provide technical support, respond to requests, and manage service billing.
  8. Comply with the legal, tax, and regulatory obligations applicable to Accrove.

3.2 Secondary purposes

These are optional purposes that you may authorize or decline without affecting the provision of the service. Accrove requests your express, separate consent for these purposes through an independent checkbox at the time of registration:

  1. Build aggregated, anonymized sector benchmarks for statistical and market research purposes.
  2. Train, validate, and improve the analysis, scoring, and data extraction models Accrove develops.
  3. Generate reports and insights on the Mexican credit ecosystem from irreversibly de-identified information (see Section 9).
  4. Notify the client when third parties show interest in businesses in their sector, through aggregated mechanisms and without revealing identities.
  5. Inform you about credit opportunities, financial products, or related services (opt-in).

3.3 Right to object to secondary purposes

You have the right to object at any time to the processing of your data for the secondary purposes described, without this constituting grounds to terminate, degrade, or modify the service contracted with Accrove. Exercising this right is free of charge and can be done from Account settings → Privacy → Secondary purposes or by emailing privacidad@accrove.com.

04Consent

4.1 Express consent for financial data

Under Article 8 of the Law, the processing of financial and asset data requires the data subject's express consent. You grant that consent at the time of registration by checking a specific box, separate from the acceptance of the Terms of Service.

Accrove keeps a record of each consent granted, including the accepted notice version, timestamp, IP address, and browser identifier, as documentary evidence.

4.2 Revocation of consent

You may revoke your consent at any time through the channels described in Section 6. Revocation will not have retroactive effects on processing already lawfully carried out, nor will it affect information that has undergone irreversible de-identification under Section 9.

05Options and means to limit use or disclosure

Accrove makes the following mechanisms available to you:

  1. Sharing control panel (grants): from your account you can review, grant, modify, or revoke at any time the specific authorizations to share your file with financial institutions or other recipients.
  2. Secondary purpose settings: individual toggles for each secondary purpose.
  3. REPEP (Profeco): you may register your data in the REPEP, the do-not-market registry operated by Profeco, Mexico's consumer protection agency, to limit use for advertising purposes (https://repep.profeco.gob.mx/).
  4. Direct request: write to privacidad@accrove.com.

06How to exercise your ARCO rights

You have the right to Access, Rectify, or Cancel your personal data, and to Object to its processing, at any time — the "ARCO" rights, after their initials in Spanish.

6.1 Primary channel (digital)

Send your request to privacidad@accrove.com from the email address registered on your account. The request must include:

  • Name and identification details of the data subject (or legal representative)
  • A copy of a valid official ID
  • A clear description of the right being exercised and the data it refers to
  • Supporting documents (where applicable)
  • Preferred means of receiving the response

6.2 Timelines and response

Accrove will respond to your request within a maximum of 20 business days from receipt, under Article 32 of the Law. If the request is granted, it will be carried out within the 15 business days following notification of the response. Requests are handled free of charge.

6.3 Competent authority

If you believe your right to personal data protection has been violated, you may file a complaint with the Secretaría Anticorrupción y Buen Gobierno (SABG), Mexico's federal Anticorruption and Good Government Ministry, the competent authority for the protection of personal data held by private parties following the constitutional reform published in the Official Gazette (DOF) on December 20, 2024, and the entry into force of the LFPDPPP on March 21, 2025. Website: https://www.gob.mx/buengobierno.

07Use of artificial intelligence

Accrove uses artificial intelligence models from Anthropic PBC (the Claude model), accessed through its commercial API, to extract and structure information contained in the documents you upload to the platform. To protect the confidentiality of your information:

  1. Processing is performed exclusively from Accrove's servers through Anthropic's commercial API. Accrove does not use consumer products (Claude.ai) to process client data.
  2. Anthropic does not use the data submitted through its API to train its models.
  3. Accrove maintains a zero data retention agreement with Anthropic (Zero Data Retention Addendum), under which the documents and prompts submitted are not stored by Anthropic once the response is returned.
  4. Final decisions on the financial profile and any derived analysis are not purely automated: Accrove maintains human review and quality control processes over the results.
  5. You have the right to request human review of any result produced by automated processing that affects you, through the same ARCO channel described in Section 6.

08Processor disclosures and transfers

Accrove distinguishes between processor disclosures (remisiones: service providers that process data on Accrove's behalf and under its instructions) and transfers (third parties that process data for their own purposes).

8.1 Disclosures to data processors (do not require your consent)

Accrove uses the following providers as data processors within the meaning of Article 49 of the Regulations. Accrove has signed a data processing agreement (DPA) with each of them:

ProcessorCountryPurpose
Supabase Inc.United StatesFile storage, database, and authentication
Vercel Inc.United StatesWeb application hosting
Anthropic PBCUnited StatesAI-based structured data extraction (see Section 7)
Belvo Technologies, S.A.P.I. de C.V.MexicoIntegration with the SAT (Mexico's tax authority) to retrieve tax information
Resend, Inc.United StatesTransactional email delivery
Functional Software, Inc. (Sentry)United StatesTechnical error monitoring (no access to document contents)

8.2 Transfers to third parties (require consent or a legal exception)

Accrove transfers your personal data to third parties only in the following cases:

(a) Financial institutions authorized by you (grants): when you expressly authorize the delivery of your file to a financial institution so it can evaluate a credit application you initiate. This transfer is grounded in Article 36, Section IV of the Law, as it is necessary for a contract entered into, or to be entered into, in the interest of the data subject. You control this authorization case by case from your account's sharing panel and may revoke it at any time.

(b) Competent authorities: where there is a formal, duly grounded requirement from a competent judicial, tax, regulatory, or administrative authority.

(c) Accrove's successors in merger, acquisition, or restructuring processes: in such case, the recipient assumes the same personal data protection obligations.

09Data retention and processing of de-identified information

9.1 General retention table

CategoryPeriodTrigger
Original documents (PDFs)5 years from upload or until account closure, whichever comes firstClosure / deletion
Structured data in the active fileLife of the account + 1-year blocking periodClosure
Identification data (legal name, RFC, contacts)Until closure + 1-year blocking periodClosure
Access and audit logs12 monthsScheduled rotation
Marketing and commercial communications dataUntil consent is revokedOpt-out
Consent records (documentary evidence)5 years from revocationLegal defense
Irreversibly de-identified informationIndefinite (see Section 9.2)Not applicable

9.2 Retention and processing of de-identified information after account cancellation

When you exercise your right of cancellation or delete your account, Accrove will delete or block your identifiable personal data (legal name, RFC, contacts, original documents, and any other attribute that links the data to you or your business) within the periods described in Section 9.1.

Under Article 10, Section IV of the Law, Accrove will retain indefinitely the de-identified financial facts derived from your documents — figures, ratios, sector classifications, and structural metadata — after subjecting them to an irreversible de-identification procedure that prevents re-identification by structure, content, or level of disaggregation, within the meaning of Article 3, Section V of the Law.

The purpose of this retention is exclusively statistical and to improve analysis models. De-identified information will never be used to direct actions, communications, or offers to you or your business, nor will it be shared with third parties in a form that allows re-identification.

As technical safeguards for de-identification, Accrove implements:

  • k-anonymity with k≥5: no segments with fewer than five businesses are published.
  • Suppression of outliers that could allow identification through a unique combination.
  • Physical and logical segregation of the analytics repository from the operational systems containing identifiable data.
  • Regeneration of identifiers at the time of cancellation to break any correlation with the operational record.
  • Periodic, documented technical audits of the de-identification procedure.

You may object to this secondary purpose at any time, before cancellation or as part of the cancellation process, by checking the corresponding box in your account settings or by sending a request to privacidad@accrove.com.

10Third-party personal data contained in documents

The documents you upload to the platform may contain personal data of third parties — for example, accountants, auditors, notaries, partners, legal representatives, or employees. Accrove processes such data exclusively in the context of analyzing the document in which it appears and does not use it for separate, independent purposes.

By uploading such documents, you represent that you have the necessary authorizations to incorporate them into the platform and will hold Accrove harmless against any resulting claim.

Accrove makes this Privacy Notice publicly and permanently available as a compensatory measure under Article 17 of the Law, acknowledging the practical difficulty of individually notifying each third-party data subject. Third parties may exercise their ARCO rights by writing to privacidad@accrove.com.

10 bisPersonal data of persons related to the client company

10-bis.1 Who the covered third parties are

This section governs the processing of personal data of individuals related to the client company (hereinafter, the "Third Parties"), including, but not limited to:

  • Legal representatives and attorneys-in-fact of the company.
  • Directors, members of the board of directors or supervisory board.
  • Shareholders, partners, or holders of equity in the company.
  • Beneficial Owners (Beneficiarios Controladores) identified under Article 32-B Quáter of the Código Fiscal de la Federación (CFF, Mexico's Federal Tax Code), Article 18, Section VI of the Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita (LFPIORPI, Mexico's anti-money-laundering law), and Chapter IV Bis of the Ley General de Sociedades Mercantiles (LGSM, Mexico's General Law of Commercial Companies).
  • Authorized signatories for specific acts (signing contracts, granting powers of attorney, etc.).
  • Individuals whose personal data appears in documents uploaded by the client company to the platform (articles of incorporation, notarized powers of attorney, IDs, proof of address, Beneficial Owner declarations, among others).

This section complements — and does not replace — Section 10 above, which governs incidental third-party data contained in documents.

10-bis.2 Data controllers and processors

The processing of the Third Parties' personal data involves different legal roles under the Law and its Regulations:

PartyLegal capacityMain obligation
Client company (holder of the Accrove account)Data controller for its Third Parties' dataObtain and maintain each Third Party's authorization to incorporate their data into Accrove (Article 18 of the Law)
Accrove, S.A.P.I. de C.V.Data processor under Article 50 of the RegulationsProcess the data solely under the client company's instructions and comply with security obligations
Notary (fedatario público: notary or public broker office, where applicable to the Beneficial Owner module)Data controller for the physical and digital file under LFPIORPI Art. 25 and CFF Art. 32-B QuáterKeep the Beneficial Owner file for 10 years; identify and validate the BC before the authorities

Accrove does not act as a data controller of the Third Parties' data for its own purposes. Accrove acts as the client company's data processor and, in the Beneficial Owner module, provides technology infrastructure services to the notary without becoming a regulated entity under the LFPIORPI.

10-bis.3 Express representation by the client company

By incorporating any Third Party's personal data into the Accrove platform (directly or by uploading documents), the client company expressly represents that:

  1. It has the Third Party's authorization to process their personal data and to incorporate it into the platform, whether express, implied, or arising from the legal relationship between the client company and the Third Party.
  2. It has informed the Third Party of the contents of this Privacy Notice and of the channels for exercising their ARCO rights (Section 10-bis.7).
  3. It assumes responsibility toward the Third Party for incorporating their data into the platform and will hold Accrove harmless against any claim arising from the lack of the Third Party's authorization.

The client company acknowledges that, under Article 17 of the Law, Accrove makes this Privacy Notice publicly and permanently available as a compensatory measure, given the practical difficulty of individually notifying each Third Party.

10-bis.4 Just-in-time consent from the Third Party

When a Third Party accesses the Accrove platform directly — for example, to electronically sign a document, validate their identity, or grant a specific consent authorized by the client company — Accrove will ask the Third Party, at that moment (just-in-time), for a specific consent that will include:

  1. The identity of the controller that invited the Third Party (the client company and, where applicable, the notary).
  2. The specific purpose of the Third Party's intervention.
  3. A list of the personal data to be processed in that intervention.
  4. The applicable retention period.
  5. The channels for exercising ARCO rights.

This just-in-time consent does not replace the client company's representation (Section 10-bis.3); it complements it where the operation allows.

10-bis.5 Purposes of processing the Third Parties' data

Accrove processes the Third Parties' personal data for the following purposes, all of them primary (necessary for the provision of the service):

  1. Identification of the Third Party and validation of their capacity to represent the client company (attorney-in-fact, director, signatory, etc.).
  2. Document validation: verification of the integrity and authenticity of the documents in which the Third Party appears.
  3. Beneficial Owner certification: generation of the BC file for delivery to the notary, including the assembly of the immutable certification seal that serves as a historical record of the BC's identification status at a given point in time.
  4. Regulatory audit trail: issuance and retention of events documenting the designation, modification, and revocation of the Third Party's roles with respect to the client company, in compliance with the security obligations of Article 19 of the Law.
  5. Compliance with legal obligations: responding to requirements from competent authorities (SAT, UIF, CNBV, SABG, courts) that demand access to the Third Party's information under applicable law.
  6. Defense of rights: retention of evidence for the defense of the client company, the notary, or Accrove against claims by the Third Parties themselves or by regulatory authorities.

Accrove does not use the Third Parties' personal data for separate, independent purposes, or for secondary purposes (benchmarks, model improvement, marketing, commercial communications) without the Third Party's express consent.

10-bis.6 Retention periods and legal-obligation retention exception

The Third Parties' personal data is retained according to the following table:

CategoryPeriodLegal basis
Record of the person and their active rolesFor as long as the relationship between the Third Party and the client company lasts, plus a 1-year blocking periodArticle 11 of the Law (data quality and proportionality)
Historical record of expired or revoked roles10 years from revocationCódigo de Comercio (Commercial Code) Arts. 46 and 49; CFF Art. 30
Beneficial Owner certification seal10 years from the seal date (non-negotiable regulatory minimum)LFPIORPI Art. 25 (DOF July 16, 2025) + CFF Art. 32-B Quáter + LGSM Chapter IV Bis
Credit documents and associated data (where the Third Party appears in credit files)10 years from cancellation of the credit transactionCNBV CUB Art. 320 Bis + Art. 115 LIC + Código de Comercio Arts. 46, 49, and 1047 + Ley General de Títulos y Operaciones de Crédito (LGTOC)
Activity log events (audit trail)For as long as the retention obligation of the record they refer to remains in forceArticle 19 of the Law + auditability principle
Third Party just-in-time consent records5 years from revocationLegal defense

The BC certification seal contains only the fields required by the regulatory regime (full name, RFC, CURP — Mexico's national population registry code — date of birth, nationality, and percentage and type of control). Fields not required by the specific legal obligation of the notary or the client company are not replicated in it.

Legal-obligation retention exception: Article 10, Section IV of the Law. When a Third Party exercises their ARCO right of Cancellation over their personal data, Accrove will proceed according to the following canonical principle:

The Third Party's current-state record on the Accrove platform (data in active operational records) will be deleted and their active roles revoked. However, the Third Party's data contained in Beneficial Owner certification seals and in credit files whose transaction is still active, or whose 10-year period from cancellation has not yet elapsed, will be kept whole and immutable. This retention is grounded in Article 10, Section IV of the Law, which waives consent where processing is necessary to comply with a legal obligation in force binding the controller of the file (the notary in the BC case; the client and, where applicable, the financial institution in the credit case).

This exception is temporary and proportional: once the applicable 10-year period has elapsed, the Third Party's data in expired seals may be irreversibly de-identified or purged under Accrove's retention policies, subject to the original controller's decision.

10-bis.7 The Third Party's ARCO rights

The Third Party has the right to Access, Rectify, or Cancel their personal data, and to Object to its processing, at any time, under Articles 21-34 of the Law.

Primary channel: send your request to privacidad@accrove.com including:

  1. The Third Party's name and identification details.
  2. A copy of a valid official ID.
  3. Identification of the client company with which the Third Party is related (if known) or of the documents in which they appear (if known).
  4. A clear description of the right being exercised.
  5. Preferred means of receiving the response.

Response time: 20 business days from receipt (Article 32 of the Law). Requests are handled free of charge.

Limits on Cancellation where an active Beneficial Owner seal exists. Under Section 10-bis.6, the Third Party's Cancellation will not delete the data contained in active BC seals or in credit files within the 10-year period. Accrove will issue a documented response to the Third Party explaining this limitation and citing the applicable legal basis. The current-state record will be deleted and active roles revoked.

Competent authority. If the Third Party believes their right to personal data protection has been violated, they may file a complaint with the Secretaría Anticorrupción y Buen Gobierno (SABG) of the Federal Government, as described in Section 6.3 of this Notice.

10-bis.8 Security and confidentiality

Accrove implements administrative, technical, and physical measures under Article 19 of the Law and the provisions of the SABG, including:

  • Encryption in transit (HTTPS/TLS) and at rest.
  • Role-based access control (RBAC) and strong authentication.
  • Row Level Security at the database level for strict isolation between client companies: a Third Party registered under Company A is not visible to users of Company B.
  • Audit logs of access and operations, with metadata that does not replicate the Third Party's literal personal data — only identifiers and cryptographic integrity fingerprints.
  • Immutability of BC certification seals through database mechanisms and granular revocation of modification permissions.

10-bis.9 Compensatory measure and permanent publication

Under Article 17 of the Law, Accrove makes this Privacy Notice publicly and permanently available at https://accrove.com/privacidad as a compensatory measure, given the practical difficulty of individually notifying each Third Party whose data may be incorporated into the platform by a client company.

The client company undertakes to inform its Third Parties of the existence of this Notice and to provide them with a copy upon request.

11Security measures

  • Encryption in transit (HTTPS/TLS 1.2 or higher)
  • Encryption at rest for stored files and databases
  • Role-based access control (RBAC) and strong authentication
  • Row Level Security at the database level for isolation between accounts
  • Audit logs (audit logs) of access and operations
  • Internal least-privilege policies and team training
  • Data processing agreements (DPAs) with all processors
  • Security incident response procedure

12Use of cookies and similar technologies

  • Strictly necessary: session, security, and basic operation. Cannot be disabled.
  • Functional: interface preferences and settings.
  • Analytics: measuring aggregate usage to improve the platform.

You can manage your consent to non-essential cookies from the initial banner and from your browser.

13Changes to this Privacy Notice

Accrove may modify this Privacy Notice at any time. Changes will be notified by publication on this page with the date of last update, by email to the registered address (for substantial changes), and by notification within the platform.

14Minors

Accrove's services are directed exclusively to legal entities and to the adults who represent them. Accrove does not knowingly collect personal data from minors.

15Contact

  • Email: privacidad@accrove.com

Accrove will respond to your communication within a maximum of 20 business days.

To review the Terms of Service, visit the corresponding page.

Infrastructure for the business file in Mexico.

PRODUCT

  • Businesses
  • For notaries
  • Security

LEGAL

  • Terms of Service
  • Privacy Notice

CONTACT

  • Contact us

LANGUAGE

ES · EN
© 2026 Accrove SAPI de CV · All rights reserved