COMPREHENSIVE PRIVACY AND CONFIDENTIALITY NOTICE

I. IDENTITY AND ADDRESS OF THE DATA CONTROLLER.

In compliance with the applicable provisions of the Federal Law on Protection of Personal Data Held by Private Parties (published March 20, 2025), the data subject is informed that the personal data provided will be processed lawfully, in a controlled and informed manner by Strategic Business Consulting and Services, S.A. de C.V., in its capacity as Data Controller, with address at Laguna de Términos No. 221, Tower A 702, Colonia Granada, ZIP Code 11520, Miguel Hidalgo Borough, Mexico City. Contact email: contacto@sbcsa.com

II. DEFINITIONS

For the purposes of this Notice, the following definitions apply:

  • Privacy Notice: The document made available to the data subject—physically, electronically, or by any other means—from the moment their personal data is collected, for the purpose of informing them about the processing of their information.
  • Consent: The data subject’s free, specific, and informed expression of will through which they allow the processing of their data.
  • Personal Data: Any information concerning an identified or identifiable individual.
  • Sensitive Personal Data: Information that affects the most intimate sphere of the data subject or whose misuse could result in discrimination or pose a serious risk.
  • ARCO Rights: The rights of Access, Rectification, Cancellation, and Opposition.
  • Controlled Information: Any technical, legal, operational, financial, or strategic information designated as confidential by the Controller.
  • Processor: The individual or legal entity that processes personal data on behalf of the Controller.
  • Data Controller: The private legal entity responsible for the processing of personal data.
  • Data Subject: The individual or legal entity to whom the personal data pertains.

    • Processing: Any operation performed on personal data, whether manual or automated, including collection, use, registration, storage, modification, consultation, transfer, or deletion.

    III. PERSONAL DATA TO BE PROCESSED

    The Controller may collect, directly or indirectly, through physical or digital means, the following types of personal data:

    • Identification and contact information
    • Financial or patrimonial data
    • Technical, legal, regulatory, tax, and operational documentation
    • Blueprints, specialized reports, business models, commercial strategies, or any other operational data from the energy or environmental sectors

    The processing of sensitive personal data shall require the data subject’s prior, express, and written consent, in accordance with Article 8 of the Law.

    IV. PURPOSES OF PROCESSING

    The personal data and information provided will be processed in accordance with the principles of legality, purpose, loyalty, consent, quality, proportionality, information, and accountability, and used for the following primary purposes, among others:

    • Analysis, development, execution, and monitoring of the contracted professional services.
    • Fulfillment of contractual, legal, or regulatory obligations applicable to the Controller.
    • Technical, legal, tax, and administrative management of the entrusted project.
    • Protection of rights and fulfillment of obligations derived from the professional relationship.

    In the cases provided for in Article 9 of the Law, data may be processed without requiring the data subject’s consent, provided that such processing arises from a legal obligation, the performance of duties stemming from a legal relationship, or the legitimate interest of the data controller, as long as the rights of the data subject are not affected.

    Additionally, and only with express consent from the data subject, the information may be used for secondary purposes, including but not limited to:

    • Sending commercial proposals, quotes, offers, or newsletters
    • Conducting satisfaction surveys, quality analysis, or internal improvement processes
    • Promotion of services, announcements, publications, events, or institutional partnerships

    Refusal to authorize these secondary purposes shall not affect the provision of the primary services. Consent may be expressed or denied at the time of data collection.

    V. TRANSFER OF PERSONAL DATA

    Personal data may be transferred within or outside the country in the following cases:

    • Personal data may be transferred within or outside the country in the following cases:
    • To service providers, subcontractors, or Processors, with equivalent confidentiality obligations
    • When requested by a competent authority through a legally grounded order
    • With the express consent of the data subject

    The Controller ensures that all transfers will comply with Articles 35 and 36 of the Law and that appropriate protection measures will be maintained.

    VI. SECURITY MEASURES AND DATA RETENTION

    The Controller has adopted reasonable administrative, technical, and physical measures to protect personal data against damage, loss, alteration, destruction, or unauthorized access, in compliance with Article 18 of the Law.

    Personal data will be retained only for the duration necessary to fulfill the stated purposes. Afterward, it may be stored for up to 10 years following project completion or the last interaction, strictly for archival, legal, or defense purposes, unless early deletion is requested.

    VII. ARCO RIGHTS AND PROCEDURES

    The data subject may exercise their ARCO rights (Access, Rectification, Cancellation, and Opposition) at any time under Articles 21 to 34 of the Law.

    Requests may be submitted in writing via contacto@sbcsa.com or delivered to the Controller’s address, following the requirements set forth in Article 28. The Controller will respond within 20 business days and, if applicable, will implement the requested change within 15 business days, unless an extension is lawfully applicable.

    VIII. CONSENT REVOCATION

    The data subject may revoke their consent to the processing of their personal data at any time, without such revocation having retroactive effects on actions taken prior to the request.

    In compliance with Article 7 of the Law, the data controller provides simple and free mechanisms for the data subject to exercise this right. The revocation request may be submitted through a free-form written request sent to the email address contacto@sbcsa.com, or delivered in person at the controller’s address, accompanied by the information required under Article 28 of the same Law.

    IX. LIMITATION OF USE OR DISCLOSURE

    The data subject may request a limitation on the use or disclosure of their data by submitting a written request. The Controller will only use the data for the purposes listed in this Notice, unless express written authorization or legal mandate permits otherwise.

    X. CONFIDENTIAL AND CONTROLLED INFORMATION

    All information provided by the data subject, including but not limited to documents, strategies, technical data, reports, plans, proposals, communications, methodologies, and other materials, shall be treated as confidential and controlled information. Such information:

    • Shall not be disclosed, disseminated, or communicated to unauthorized third parties.
    • Shall be used exclusively for the fulfillment of the contractual purpose.
    • Shall be protected through appropriate physical, digital, legal, and operational measures.
    • Shall be subject to a confidentiality obligation for a minimum term of ten (10) years, or for the period established by the applicable legislation.

      XI. INDUSTRIAL SECRETS

      The Controller acknowledges that some information may qualify as industrial secrets under Article 163 of the Federal Law for the Protection of Industrial Property, and agrees to preserve its confidentiality, avoiding unauthorized disclosure or misuse.

      XII. DISCLOSURE BY ORDER OF AUTHORITY

      The Controller may disclose personal or confidential data when requested by a competent authority, through a legally founded and motivated order, and will notify the data subject unless legally prohibited.

      XIII. CONVENTIONAL PENALTY AND DAMAGES

      The data controller acknowledges the importance of ensuring the confidentiality of the information provided and undertakes to implement all reasonable measures for its protection in accordance with applicable legislation.

      In the event that a breach of confidentiality obligations attributable to the data controller is proven, and such breach causes direct harm to the data subject, the latter may, in accordance with the agreement between the parties or as determined by the competent authority, demand the payment of a contractual penalty or the compensation for damages and losses as legally applicable.

      The foregoing shall be without prejudice to any administrative, civil, or criminal liabilities that may apply under the relevant law and other applicable legal provisions.

      XIV. COMPLAINTS, COMMENTS, AND CLAIMS

      The data subject may submit complaints or claims related to misuse of their data or the exercise of ARCO rights via contacto@sbcsa.com or directly with the competent authority. In Mexico, this authority is the Secretariat of the Civil Service (SFP), specifically the Anti-Corruption and Good Governance Unit.

      XV. CHANGES TO THE PRIVACY NOTICE

      The Controller may update this Privacy Notice at any time. Changes will be communicated through the same channel used to provide the original notice or via email. If significant changes occur, the data subject will be informed in advance.

      XVI. COOKIES AND TRACKING TECHNOLOGIES

      If the data subject provides personal data through electronic means, including the data controller’s website, tracking technologies such as cookies, web beacons, or similar tools may be used for the purpose of improving the user experience, analyzing browsing patterns, and offering personalized content.

      These technologies may be disabled through the configuration settings of the browser used by the data subject. By continuing to browse the site, consent for the use of these tools shall be deemed granted, unless an express objection is made. For more information about cookies, please refer to the Cookie Notice available on our website. For more information about cookies, please refer to the Cookie Notice available on our website.

      XVII. APPLICABLE LAW AND JURISDICTION

      This Notice is governed by the laws of the United Mexican States. For any disputes, the parties agree to submit to the jurisdiction of the competent courts in Mexico City, waiving any other jurisdiction by reason of present or future domicile.

       

      Last updated: August 2025