☁️Clauhub

Comprehensive Privacy Notice

Privacy Policy

Last updated: May 11, 2026

1. Data controller

Your organization is the data controller for the personal data it collects through the platform. Clauhub acts as a data processor (technology provider) under a written agreement.

2. Data we collect

To make the portal work, we collect the following categories of data:

  • Tax identification: RFC, legal name, tax regime, tax address.
  • Contact: email, phone, contact name.
  • Banking: CLABE, bank, account number (encrypted at rest).
  • Documents: Tax Status Certificate (Constancia de Situación Fiscal), compliance opinions, proof of address and other documents uploaded to the file.
  • Operations: upload history, validation status, comments.

3. Purposes

We use your data exclusively to:

  • Operate the supplier portal: registration, records, tax (SAT) and banking validations.
  • Meet the contracting organization's contractual and tax obligations.
  • Notify status changes, update requirements and document expirations.
  • Keep audit logs required for regulatory compliance.

We do not use your data for marketing or advertising, nor do we share it with third parties beyond the subprocessors listed.

4. Legal basis

We process your data on the basis of the performance of a contractual relationship (supplier-customer) and compliance with legal tax obligations. For customers in applicable jurisdictions, we also rely on the corresponding legal bases of the GDPR (Art. 6.1.b and 6.1.c) and CCPA/CPRA.

5. Transfers and subprocessors

We share personal data only with the following processors, all under contract with equivalent protection clauses:

  • Convex Cloud — database and backend
  • Cloudflare — CDN, document storage and workers
  • Resend — transactional email
  • Stripe — payment processing (where applicable)
  • SAT — for tax validation of RFCs and compliance opinions (public data only)

Some subprocessors are located outside Mexico; transfers are carried out with contractual safeguards in accordance with the LFPDPPP.

6. Retention period

Records are retained for the duration of the business relationship with the contracting organization and for the minimum legal periods thereafter (at least 5 years for tax documents under the CFF). Audit logs are retained for at least 12 months.

7. ARCO rights

As the data subject, you may exercise the following rights at any time:

  • Access — know what data we hold about you.
  • Rectification — correct inaccurate or outdated data (via a Change Request in the portal).
  • Cancellation — request deletion of data when it is no longer necessary.
  • Opposition — object to processing for specific purposes.

To exercise them, contact your organization's administrator at the support email shown in your portal. We respond within a maximum of 20 business days. If you believe your rights are not being respected, you may turn to the INAI (inai.org.mx).

8. Security

For full details of the technical and organizational measures we apply, see the Security and Trust page.

9. Changes to this notice

If we make material changes to this notice, we will notify you by email or through a prominent notice in the portal before they take effect. The “last updated” date always reflects the current version.