Legal
Privacy Policy
This policy explains how Vizum Technologies, S.A.P.I. de C.V. handles your personal and business data, your rights under Mexican law, and how to contact us.
Effective Date
March 1, 2026
Last updated: March 1, 2026
1. Introduction & Who We Are
Vizum Technologies, S.A.P.I. de C.V. (“Vizum,” “we,” “us,” or “our”) operates a CNBV-regulated cross-border payment infrastructure platform accessible at vizum.mx and via API. We are a Registered Money Transmitter licensed by the Comisión Nacional Bancaria y de Valores (CNBV) under folio RECC-TDD 22443.
Our registered address is: Av. Álvaro Obregón 278 Int. 801, Hipódromo, Cuauhtémoc, Mexico City, 06100, Mexico.
This Privacy Policy (“Policy”) describes how we collect, use, store, share, and protect personal data and business information in connection with our payment services, website, and APIs. It applies to all clients, prospective clients, beneficial owners, authorized users, and visitors who interact with Vizum.
This Policy is issued in compliance with Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its regulations, as well as our obligations as a CNBV-regulated financial institution. Where we operate internationally, we apply equivalent or higher standards.
By using our services, you acknowledge that you have read and understood this Policy. If you do not agree with its terms, please discontinue use of our services and contact us at privacy@vizum.mx to discuss your options.
2. Data We Collect
We collect only the data necessary to provide our services and meet our regulatory obligations. The categories of data we collect are:
A. Personal Data (Datos Personales)
Information that identifies or can identify an individual, including:
- Full legal name, date of birth, nationality
- Government-issued ID (INE, passport, RFC, CURP)
- Contact information: email address, telephone number, physical address
- Biometric verification data (where applicable for identity verification)
- Employment status and source-of-funds declarations
- Politically Exposed Person (PEP) status
B. Business Data (Datos Empresariales)
For corporate clients, we collect information about the business entity, including:
- Legal entity name, type, and country of incorporation
- Tax identification number (RFC or foreign equivalent)
- Incorporation documents, certificates of good standing
- Beneficial ownership information (all UBOs with 25%+ ownership)
- Directors, officers, and authorized signatories
- Business purpose, industry classification, and anticipated transaction volumes
- Bank account information for settlement purposes
C. Payment & Transaction Data
Data generated when you use our payment services:
- Transaction amounts, currencies, and timestamps
- Sender and recipient CLABE, IBAN, SWIFT/BIC, or account numbers
- Payment purpose and reference codes
- Transaction status, confirmations, and error codes
- FX rates applied and fee details
- Completed transaction histories required for regulatory reporting
D. Technical & Usage Data
Data collected automatically when you access our platform or API:
- IP address and approximate geographic location
- Browser type, version, and operating system
- API request logs, endpoint calls, and response codes
- Session duration, page views, and navigation paths
- Device identifiers and fingerprinting data (for fraud prevention)
- Cookie and similar tracking technology data (see Section 10)
We do not intentionally collect sensitive personal data (datos personales sensibles) as defined under the LFPDPPP — such as health, racial or ethnic origin, or political opinions — unless strictly required by a specific regulatory obligation, in which case we will obtain your explicit consent.
3. How We Use Your Data
We use the data we collect for the following purposes:
Payment Processing & Settlement
To execute cross-border payment transactions, currency exchange, pay-ins, pay-outs, and settlement to your designated accounts. This is the primary purpose of our service and is necessary to perform our contract with you.
KYC / KYB & Identity Verification
To verify your identity and the identity of your business, beneficial owners, and authorized users before onboarding and on an ongoing basis, as required by our CNBV license and applicable AML law.
AML / PLD Compliance & Fraud Prevention
To screen transactions and counterparties against OFAC, EU, UN, and Mexican UIF sanctions lists; to detect and report suspicious activity; to file Suspicious Transaction Reports (STRs / RESU) with the CNBV Unidad de Inteligencia Financiera as required by law.
Account Management & Service Delivery
To create and manage your account, issue API keys, provide dashboard access, deliver webhook notifications, generate statements, and support platform functionality.
Customer Support
To respond to your inquiries, resolve disputes, process complaints, and provide technical assistance.
Communications
To send transactional notifications (payment confirmations, alerts), service updates, regulatory notices, and — where you have opted in — commercial communications about our products and services.
Regulatory Reporting & Legal Obligations
To comply with CNBV reporting requirements, respond to lawful requests from financial intelligence units, courts, or other authorities, and to maintain records required by Mexican financial law.
Platform Improvement & Analytics
To analyze usage patterns, diagnose technical issues, and improve our API, dashboard, and user experience using aggregated and anonymized data.
Risk Management
To assess credit and operational risk, set transaction limits, and make decisions about service eligibility based on your activity profile.
4. Legal Basis for Processing
Our processing of personal data is governed by Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP, D.O.F. July 5, 2010) and its Reglamento (D.O.F. December 21, 2011). We rely on the following legal bases:
Contractual Necessity
Art. 9 LFPDPPP (consent implied in contractual relationship)
Processing of personal data that is strictly necessary to perform the payment services agreement between you and Vizum, including account onboarding, transaction execution, and settlement.
Legal Obligation
Art. 10 LFPDPPP; LFPIORPI; CNBV Circular 2019/14
Processing required to comply with our obligations as a CNBV-regulated money transmitter, including KYC/KYB verification, AML monitoring, STR filing, sanctions screening, and record-keeping obligations.
Legitimate Interest
Art. 10 LFPDPPP
Processing for fraud prevention, platform security, risk management, and service improvement, where our legitimate business interest does not override your fundamental rights and freedoms.
Consent (Consentimiento)
Art. 8-9 LFPDPPP
Where none of the above bases apply — such as for marketing communications or collection of sensitive personal data — we will obtain your explicit, informed, and revocable consent before processing.
We will notify you via our privacy notice (aviso de privacidad) if we intend to process your personal data for purposes other than those stated here, as required by Article 17 of the LFPDPPP.
5. Data Sharing
We do not sell your data. Vizum does not sell, rent, or trade personal data or business information to third parties for marketing or commercial purposes.
We share data only with the following categories of recipients, and only to the extent necessary:
Banking Partners & Payment Rails
Correspondent banks, SPEI participants, SWIFT network members, and other financial institutions involved in processing or settling your payment transactions. Sharing is necessary to execute your transactions.
CNBV & Regulatory Authorities
The Comisión Nacional Bancaria y de Valores and the Unidad de Inteligencia Financiera (UIF) as required by our license conditions, AML law, and applicable reporting obligations. We may share data in response to regulatory examinations, RESU filings, or supervisory inquiries.
Identity Verification Providers
Third-party KYC/KYB service providers who assist us in verifying identities and screening sanctions lists. These providers act as data processors (encargados) under written data processing agreements consistent with LFPDPPP requirements.
Technology & Infrastructure Providers
Cloud hosting, database, monitoring, and infrastructure providers (e.g., AWS, Google Cloud) who process data on our behalf under binding contractual obligations and industry-standard security measures.
Legal & Professional Advisors
Lawyers, auditors, and accountants who are bound by professional confidentiality obligations, when required to provide legal or financial advice or to defend our legal interests.
Law Enforcement & Courts
When required by a lawful court order, subpoena, or binding legal obligation, or when necessary to protect the rights, property, or safety of Vizum, our clients, or the public.
Successors in Business
In the event of a merger, acquisition, or sale of substantially all of our assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections. We will notify you before any such transfer takes effect.
6. Data Retention
We retain personal data for as long as is necessary to fulfil the purposes for which it was collected and to comply with our legal and regulatory obligations. Specific retention periods:
| Data Category | Retention Period | Basis |
|---|---|---|
| Transaction records | 10 years from transaction date | CNBV / LFPIORPI requirement |
| KYC / KYB documents | 10 years from account closure | CNBV regulatory requirement |
| AML monitoring logs | 10 years | CNBV / UIF requirement |
| Correspondence & support | 5 years from resolution | Legitimate interest / legal claims |
| Marketing consent records | Until consent withdrawn + 3 years | LFPDPPP Art. 22 |
| Technical / server logs | 12 months rolling | Security & fraud prevention |
| Cookie analytics data | Up to 24 months | Consent |
When retention periods expire, personal data is securely deleted or anonymized so that it can no longer be associated with you. Data subject to a regulatory hold or ongoing legal proceedings will be retained for as long as the hold or proceedings require.
7. Your Rights (Derechos ARCO)
Under Mexico's LFPDPPP (Articles 22–36), you have the following rights with respect to your personal data, collectively known as ARCO rights (Derechos de Acceso, Rectificación, Cancelación y Oposición):
Acceso (Access)
You have the right to request confirmation of whether we hold your personal data, what data we hold, how it is being used, and to receive a copy of it in a legible format.
Rectificación (Rectification)
You have the right to request correction of inaccurate, incomplete, or outdated personal data we hold about you.
Cancelación (Erasure)
You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to our legal retention obligations as a regulated institution.
Oposición (Objection)
You have the right to object to processing of your personal data for specific purposes, including direct marketing communications. This right does not apply to processing required by law.
Additionally, you have the right to revoke consent at any time for processing based on consent, and the right to opt out of marketing communications at any time by using the unsubscribe link in our emails or contacting us directly.
How to Exercise Your Rights
To submit an ARCO rights request, contact our Data Protection Officer at:
Email: privacy@vizum.mx
Post: Vizum Technologies, S.A.P.I. de C.V., Attn: Data Protection Officer, Av. Álvaro Obregón 278 Int. 801, Hipódromo, Cuauhtémoc, Mexico City, 06100, Mexico
We will acknowledge your request within 5 business days and respond substantively within 20 business days, as required by Article 32 of the LFPDPPP. We may require you to verify your identity before processing your request. Note that certain data cannot be deleted due to our regulatory retention obligations — we will inform you if this is the case.
If you believe we have not adequately responded to your request, you have the right to file a complaint with Mexico's data protection authority, the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) at inai.org.mx.
8. International Transfers
As a cross-border payments company, certain payment transactions require us to transmit data to financial institutions, correspondent banks, and payment processors located outside of Mexico, including in the United States, the European Union, and the United Kingdom.
International transfers of personal data are governed by Article 36 of the LFPDPPP, which requires us to ensure that the recipient provides equivalent levels of protection. We achieve this through:
- Standard contractual clauses or data transfer agreements with the recipient entity
- Adequacy determinations where the recipient country provides comparable protections
- Your explicit consent where required for a specific transfer
- Transfers that are necessary to perform your payment transaction (the primary legal basis for cross-border payment data flows)
Our cloud infrastructure providers maintain data centers in multiple regions. Where possible, we configure storage in Mexican or North American regions. All transferred data is protected by the same security standards described in Section 9.
You may request information about specific transfer safeguards applicable to your data by contacting privacy@vizum.mx.
9. Security Measures
We implement administrative, technical, and physical security measures appropriate to the nature of the personal data we process and the risks involved, in accordance with Article 19 of the LFPDPPP.
Encryption in Transit
All data transmitted between your systems and ours is encrypted using TLS 1.3. Older protocol versions are rejected at the network edge.
Encryption at Rest
All stored data — including personal data, transaction records, and KYC documents — is encrypted using AES-256.
Access Control
Strict role-based access control (RBAC) with least-privilege principles. No standing privileged access to production systems.
Infrastructure Security
ISO 27001-aligned practices, continuous 24/7 monitoring, automated anomaly detection, and intrusion detection systems.
Penetration Testing
Regular third-party penetration testing of API endpoints, web interfaces, and internal infrastructure.
Incident Response
Documented incident response plan. In the event of a personal data breach, we will notify affected individuals and the INAI as required by the LFPDPPP within the legally prescribed timeframes.
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at legal@vizum.mx.
11. Contact & Data Protection Officer
Vizum Technologies has designated a Data Protection Officer (DPO) responsible for overseeing compliance with this Policy and the LFPDPPP. You may contact our DPO or our legal team using the following details:
Registered Address
Av. Álvaro Obregón 278 Int. 801, Hipódromo, Cuauhtémoc, Mexico City, 06100, Mexico
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. We will notify you of material changes by email or by posting a prominent notice on our website at least 30 days before they take effect. Continued use of our services after the effective date of any update constitutes acceptance of the revised Policy.
If you have questions or concerns about this Policy or our data practices, we encourage you to contact us directly before filing a complaint with the INAI. We are committed to resolving privacy concerns promptly and transparently.