Comprehensive Privacy Notice
Privacy Policy
Last updated: May 11, 2026
1. Data controller
Your organization is the data controller for the personal data it collects through the platform. Clauhub acts as a data processor (technology provider) under a written agreement.
2. Data we collect
To make the portal work, we collect the following categories of data:
- Tax identification: RFC, legal name, tax regime, tax address.
- Contact: email, phone, contact name.
- Banking: CLABE, bank, account number (encrypted at rest).
- Documents: Tax Status Certificate (Constancia de Situación Fiscal), compliance opinions, proof of address and other documents uploaded to the file.
- Operations: upload history, validation status, comments.
3. Purposes
We use your data exclusively to:
- Operate the supplier portal: registration, records, tax (SAT) and banking validations.
- Meet the contracting organization's contractual and tax obligations.
- Notify status changes, update requirements and document expirations.
- Keep audit logs required for regulatory compliance.
We do not use your data for marketing or advertising, nor do we share it with third parties beyond the subprocessors listed.
4. Legal basis
We process your data on the basis of the performance of a contractual relationship (supplier-customer) and compliance with legal tax obligations. For customers in applicable jurisdictions, we also rely on the corresponding legal bases of the GDPR (Art. 6.1.b and 6.1.c) and CCPA/CPRA.
5. Transfers and subprocessors
We share personal data only with the following processors, all under contract with equivalent protection clauses:
- Convex Cloud — database and backend
- Cloudflare — CDN, document storage and workers
- Resend — transactional email
- Stripe — payment processing (where applicable)
- SAT — for tax validation of RFCs and compliance opinions (public data only)
Some subprocessors are located outside Mexico; transfers are carried out with contractual safeguards in accordance with the LFPDPPP.
6. Retention period
Records are retained for the duration of the business relationship with the contracting organization and for the minimum legal periods thereafter (at least 5 years for tax documents under the CFF). Audit logs are retained for at least 12 months.
7. ARCO rights
As the data subject, you may exercise the following rights at any time:
- Access — know what data we hold about you.
- Rectification — correct inaccurate or outdated data (via a Change Request in the portal).
- Cancellation — request deletion of data when it is no longer necessary.
- Opposition — object to processing for specific purposes.
To exercise them, contact your organization's administrator at the support email shown in your portal. We respond within a maximum of 20 business days. If you believe your rights are not being respected, you may turn to the INAI (inai.org.mx).
8. Security
For full details of the technical and organizational measures we apply, see the Security and Trust page.
9. Changes to this notice
If we make material changes to this notice, we will notify you by email or through a prominent notice in the portal before they take effect. The “last updated” date always reflects the current version.