
Approntix Privacy Policy

Privacy notice describing how Approntix collects, uses, protects, and transfers personal data through its public site, SaaS application, public forms, support flows, and operational systems. Includes your data rights and contact information.

Effective date: March 25, 2026
Last updated: March 25, 2026

This Privacy Policy ("Policy") describes how Approntix ("Approntix", "we", "us", or "our") collects, uses, stores, shares, and protects personal data through approntix.com, app.approntix.com, onboarding flows, public contact forms, free-trial and paid subscription flows, APIs, and all related services (collectively, the "Service").

By using the Service you acknowledge that you have read and understood this Policy. If you do not agree, please discontinue use of the Service. This Policy is incorporated by reference into the Approntix Terms of Use.

Identity of the data controller

Public brand: Approntix. Legal domicile for privacy notices: Mexico City, Mexico. Privacy contact: privacidad@approntix.com. Legal contact: legal@approntix.com.

Approntix acts as a data controller for personal data collected directly through the public site, landing forms, signup flows, and direct communications. Approntix acts as a data processor or service provider for personal data that business customers ("Customers") upload or manage within the SaaS. In the latter case, the Customer is the data controller or responsible party for that data.

Personal data we collect and legal basis

We collect only data that is adequate, relevant, and limited to what is necessary for each stated purpose ("data minimization"). The following describes our categories of collection and, where applicable, the corresponding legal basis.

  • Public landing forms — name, email, company, phone, plan of interest, message, locale, Cloudflare Turnstile anti-spam token, IP address, and user-agent. Legal basis: legitimate interest in preventing abuse; pre-contractual steps taken at your request.
  • Free-trial and paid signup — company name and owner registration data, contact details, RFC or equivalent tax identifier, timezone, language preference, business type, team size, referral source, notes, IP address, and anti-spam tokens. Legal basis: execution of a contract to which you are a party.
  • Authenticated SaaS operations — account, tenant, roles, staff profiles, client records, lead records, consent records, campaign records, appointment data, push notification subscriptions, and message recipient data, all managed at Customer direction. Legal basis: contract; legitimate interest of the Customer (controller) with respect to end-user data.
  • Communications — email address and message content for support tickets, billing inquiries, and service notifications. Legal basis: execution of a contract; legitimate interest in delivering the Service.
  • Technical and security data — HTTP request metadata, authentication and session logs, rate-limiting counters, browser fingerprinting signals for fraud prevention, service worker registration identifiers, and sanitized request payloads retained for security incident investigation. Legal basis: legitimate interest in securing the platform and complying with legal obligations.
  • Cookies and client-side storage — see Section 5 for details.

Purposes of processing

  • Operate, deliver, provision, and improve the Service, including tenant setup, user authentication, role enforcement, and feature delivery.
  • Send transactional communications: account confirmations, password resets, billing receipts, plan change notifications, service alerts, and security notices.
  • Send configured marketing messages (push notifications, WhatsApp, or email) on behalf of Customers as instructed by the Customer controller.
  • Prevent abuse, detect fraud, apply rate limits, investigate security incidents, and comply with legal obligations.
  • Provide customer support, maintain commercial follow-up records, and generate de-identified aggregated analytics to improve product quality.
  • Comply with tax, accounting, and regulatory obligations in Mexico and other applicable jurisdictions.

Sensitive personal data

Approntix does not currently require or intentionally solicit sensitive personal data (biometric identifiers, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data, sexual orientation, or criminal record data) through the Service.

If a Customer uses the Service to process sensitive personal data belonging to their own end users, the Customer is the responsible controller and must ensure a valid legal basis (typically explicit written consent), appropriate technical safeguards, and compliance with LFPDPPP Article 9 or the equivalent law in their jurisdiction. Approntix will process such data only as a processor at the Customer's written direction and under agreed contractual terms.

Cookies, storage, and tracking

Approntix uses the following types of storage to operate the Service:

  • Essential session cookies (httpOnly, Secure, SameSite=Strict) — required for authenticated sessions; cannot be disabled without affecting Service functionality.
  • Access tokens in memory (not localStorage or cookies) — short-lived JWT; cleared on tab close or session expiry.
  • localStorage — used for language preference, UI theme, and tab-activity coordination signals. Not used for behavioral tracking.
  • Service Worker cache — supports Progressive Web App (PWA) offline behavior and background sync.
  • Push subscription identifiers — stored server-side when you opt in to browser push notifications; you may revoke the subscription at any time through your browser settings.
  • Cloudflare Turnstile anti-bot token — processed client-side by Cloudflare's script on contact and signup forms to prevent automated abuse.

Data sharing, processors, and international transfers

Approntix does not sell personal data. We may share personal data with the following categories of recipients, each bound by contractual data protection obligations:

  • Infrastructure and hosting providers (e.g., Microsoft Azure) — for cloud hosting, storage, and computing services.
  • Cloudflare — for CDN, DDoS protection, and Turnstile anti-bot verification.
  • Email delivery providers — for transactional and service emails.
  • Meta Platforms (WhatsApp Cloud API) — when Customers configure WhatsApp messaging through the Service.
  • Browser push notification services (e.g., Web Push via browser vendor APIs) — when end users subscribe to push notifications.
  • Professional advisers — lawyers, accountants, and auditors under confidentiality obligations.
  • Public authorities and regulators — when disclosure is required by applicable law, court order, or to protect the rights and safety of Approntix or third parties.

International data transfers

Some of our processors are located outside Mexico, including in the United States and the European Economic Area. When personal data is transferred internationally, Approntix ensures appropriate safeguards are in place, which may include: standard contractual clauses approved by the relevant authority; the processor's adherence to a recognized certification framework (e.g., EU-U.S. Data Privacy Framework); or your explicit consent where required.

For transfers of personal data from EEA or UK data subjects, Approntix relies on applicable adequacy decisions or Standard Contractual Clauses (SCCs) as the legal transfer mechanism.

Data retention

We retain personal data for no longer than necessary to fulfill the stated purposes, comply with legal obligations, resolve disputes, and enforce agreements. Indicative retention periods:

  • Active account data — retained for the duration of the subscription plus a 90-day grace period after termination, after which it is deleted or anonymized.
  • Security and audit logs — retained for approximately 90 days unless a longer retention period is required by applicable law or is necessary for an ongoing security investigation.
  • Billing and tax records — retained for the minimum period required by Mexican tax law (currently five years under the SAT requirements) or the applicable law in your jurisdiction.
  • Marketing lead inquiries — retained for up to two years from last contact or until you request deletion.
  • Customer-uploaded end-user data — retained according to the Customer's instructions and deleted upon Customer's written request or account termination, subject to legal holds.

Security measures

Approntix implements administrative, technical, and organizational security measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. Measures include: encryption of data in transit (TLS 1.2+) and at rest; httpOnly and Secure cookie flags; short-lived JWT with in-memory storage; role-based access control and tenant isolation; rate limiting and anti-brute-force controls; and security logging and monitoring.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Approntix will notify affected Customers and, where required by applicable law, the relevant supervisory authority (e.g., INAI) within the legally mandated timeframe. Approntix will cooperate with Customers to enable them to fulfill their own breach notification obligations to data subjects.

No system can guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and for securing devices used to access the Service.

Your rights as a data subject

Depending on your jurisdiction, you may have the following rights with respect to your personal data and Approntix's direct processing activities:

  • Access (Acceso) — request confirmation of whether we process your data and obtain a copy.
  • Rectification (Rectificación) — request correction of inaccurate or incomplete data.
  • Cancellation / Erasure (Cancelación / Supresión) — request deletion of your data when it is no longer necessary, subject to legal retention obligations.
  • Objection (Oposición) — object to processing based on legitimate interest, including direct marketing.
  • Restriction — request limitation of processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format where technically feasible.
  • Withdrawal of consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

How to exercise your rights and ARCO timelines

To exercise any of the rights described above, send a written request to privacidad@approntix.com. Your request must include: your full name; a copy of a valid identity document; a clear description of the right you wish to exercise; and, if requesting access or correction, the specific data involved.

In accordance with Mexico's LFPDPPP and its Regulations, Approntix will respond within 20 business days of receiving a complete, valid request. If your request is approved, it will be executed within 15 additional business days, or within the extended period as permitted by law. If your request is denied, we will provide written reasons.

If you reside in the EEA, UK, or another jurisdiction with a data protection supervisory authority, and you are not satisfied with our response, you have the right to lodge a complaint with the competent supervisory authority (e.g., INAI in Mexico; the relevant Data Protection Authority in your EU member state).

Note: If your personal data is managed within the SaaS by a business Customer, that Customer is the data controller for that data. Requests relating to that data must be directed to the Customer. Approntix will assist Customers in responding to such requests where required.

Minors

The Service is not directed to individuals under the age of 18, and Approntix does not knowingly collect personal data from minors. If you believe we have inadvertently collected personal data from a minor, please contact privacidad@approntix.com immediately and we will take steps to delete it.

Business Customers who use the Service to manage data of end users under the age of digital consent in their jurisdiction are solely responsible for obtaining legally required parental consents and for compliance with applicable child privacy laws.

Changes to this Policy

Approntix may update this Privacy Policy to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by posting the updated Policy on this page with a revised effective date, and by sending an email notice to the address associated with your account at least fifteen (15) days before the changes take effect.

We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.

Contact

For privacy or data protection inquiries, ARCO requests, or to report a potential data incident: privacidad@approntix.com.

For legal matters, compliance questions, or contractual notices: legal@approntix.com.

Registered domicile for official notices: Mexico City, Mexico.
