Your data is yours. Period.
One commitment, three rules: you decide who gets access. You can revoke whenever you want. We never sell your data — to anyone.
TL;DR · THE 10-SECOND READ
- 01Your data is yours.Custodians, not owners.→
- 02Grants revocable within 24h.You set scope, purpose, and expiration.→
- 03We never sell your data.To anyone, under any arrangement.→
- 04LFPDPPP 2025 compliant.Calibrated to the new law, not the 2010 one.→
- 05Claude DPA signed.ZDR addendum in progress, full disclosure.→
- 06ISO 27001 underway.We show honest status, not projections.→
OWNERSHIP
Custodians, not owners.
The original documents you upload are and will remain yours. Accrove stores and processes them under a limited, revocable license. When you close your account, identifiable data is deleted.
Clauses 5 and 6 · Accrove Terms of Service v1.0CONSENT
You decide who sees what, and for how long.
By default, your financial profile is private. Every share with an institution requires your express consent, with a scope, purpose, and expiration date you define. You can revoke at any time: access is cut off in under 24 hours.
When you revoke, the institution keeps only an immutable record of the package it received at the moment of consent — not active access. That record exists solely for regulatory audit compliance.
Clause 7 · Accrove Terms of Service v1.0REGULATORY TRANSPARENCY
What we are not.
In Mexico, being clear about what you are not matters. Accrove is neutral infrastructure: we standardize credit files. Lenders decide. You decide.
- × We are not an Institución de Tecnología Financiera (ITF) under the Ley para Regular las Instituciones de Tecnología Financiera, Mexico's fintech law. We do not take funds from the public or operate electronic payments.
- × We are not a bank, a SOFOM, or a regulated financial intermediary. We do not grant credit, hold funds, or process payments. We are not supervised by CNBV, SHCP, or Banxico.
- × We are not an obligated entity under the LFPIORPI (Mexico's anti-money-laundering law). The institutions that receive credit files are — each under its own obligation.
- × We are not a financial advisor regulated by CONDUSEF. The score and the analysis are guidance inputs, not a formal opinion or advisory service.
- × We take no position. We do not decide who gets credit or on what terms. Those decisions belong exclusively to each financial institution.
HOW WE PROTECT
Financial-grade infrastructure.
AES-256 encryption
At rest and in transit. Keys rotate automatically, with strict segregation between development and production environments.
Immutable audit log
Every access to your file is recorded with timestamp, user, and institution. You can review it from the platform.
Environment separation
Production, staging, and development run on isolated infrastructure. No real data ever crosses into testing.
Secrets management
Credentials and cryptographic keys rotate automatically. Zero secrets in code, zero in commits.
Official integrations
Data sources validated through official APIs and licensed providers in Mexico. No scraping, ever.
In-country data residency
Open Finance integrations run through Belvo Technologies SAPI de CV (Mexico): a domestic handoff, not an international transfer.
LEGAL FRAMEWORK · LFPDPPP 2025
Aligned with Mexico's new data protection law.
On March 20, 2025, the new LFPDPPP — Mexico's federal data protection law — was published in the DOF (Federal Official Gazette), repealing the 2010 law and replacing INAI with the Secretaría Anticorrupción y Buen Gobierno (SABG). Our privacy framework is calibrated to that law, not the previous one.
ARCO rights
Access, Rectification, Cancellation, and Objection — Mexico's data subject rights — exercisable in the platform. 20 business days for a determination, 15 more to execute.
Objection to AI
You have the right to object to automated analysis and require human intervention. Our score is not a binding automated decision: it is a guidance input.
k≥5 de-identification
After cancellation, derived data is irreversibly de-identified with k-anonymity of at least 5 businesses per sector group, and mapping keys are destroyed.
Comprehensive notice
Privacy notice with necessary and voluntary purposes kept separate, express consent for financial data, and an auditable electronic record.
ISO 27001
Certification in progress. We mark the honest status instead of projecting something we do not have yet.
SOC 2 Type II
On our regulatory roadmap, with target dates. When we get there, you will see it here with the exact certification date.
ARTIFICIAL INTELLIGENCE
We use Claude by Anthropic. And we tell you.
Anthropic PBC, United States, as data processor.
Accrove uses Claude, Anthropic's artificial intelligence model, as the extraction and analysis engine behind your credit file. Anthropic processes the data under our documented instructions, with a Data Processing Addendum already signed, and does not use it to train its models.
We are finalizing the Zero-Data-Retention addendum with Anthropic, an additional commercial clause that eliminates any intermediate retention on their backend. Once it is in place, we will reflect it here with the date.
HARD COMMITMENTS
What we never do.
- × We never sell your data. To anyone, under any commercial arrangement. Our business model does not depend on selling it.
- × We never share without express consent. Every share with an institution requires your consent, with a defined scope and expiration.
- × No discretionary government access. We respond only to court orders with a defined scope, and we notify the data owner whenever the law allows.
- × We never train our own models on your data without separate, express consent. Analytical use is limited to your own profile.
- × We never retain identifiable data after cancellation. When you close your account, direct identifiers are deleted and derived data is irreversibly de-identified.
FULL DOCUMENTATION
Does your legal team
have questions?
The complete legal documents are available. If you need a legal review before sharing credit files, write to us: the framework is documented.