Aviso de Privacidad Integral

Date of last update: April 16, 2026

Through this Comprehensive Privacy Notice (the “Privacy Notice”), CM Identidad, S.A.P.I. de C.V. (“SORA”) informs you of the terms under which the Personal Data (as such term is defined below) collected through the website, the technological platform, and other means enabled for the provision of its services will be processed. 

For the purposes of this Privacy Notice, it is important to note that, depending on the context in which the Personal Data is collected and used, SORA may act: (i) as Controller (as such term is defined below), when it directly determines the purposes and means of the processing; or (ii) as Processor (as such term is defined below), when it processes Personal Data on behalf and under the documented instructions of a Client, particularly when the User is redirected by an Association or by the Client itself as a result of an Integration Project.

Therefore, we recommend that you carefully read the following information:

  1. DEFINITIONS.

Terms written with an initial capital letter shall have the meaning attributed to them in this Privacy Notice, applicable interchangeably in the singular or plural and in the feminine or masculine gender, as corresponds to the context.

“Association”: Means any legal entity, entity, organization, or association that maintains a direct relationship with the Users, whether of a labor, contractual, commercial, or any other nature, and that is linked to the Client for the purposes of accessing, using, or taking advantage of SORA's Services. The Association may redirect Users, directly or indirectly, to the Site and/or the Platform, but this does not, by itself, imply that it has the character of Controller or Processor, which will depend on the specific case and the Applicable Regulations.

“Client”: Means any natural or legal person who contracts SORA's Services and who determines the purposes and means of the processing of the Users' Personal Data in connection with said Services, and will therefore have the character of controller of the processing of such Personal Data.

“CURP”: Unique Population Registry Code.

“Biometric Data”: Personal Data obtained from a specific technical treatment, relating to the physical, physiological, or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images and/or videos.

“Personal Data”: Any information concerning an identified or identifiable natural person, including, where applicable, Sensitive Personal Data and Biometric Data.

“Sensitive Personal Data”: Those Personal Data that affect the most intimate sphere of the Owner or whose improper use may generate discrimination or imply a serious risk to them, including, but not limited to, information on racial or ethnic origin, present or future health status, genetic information, religious, philosophical, or moral beliefs, political opinions, sexual preference, and Biometric Data.

“ARCO Rights”: The rights of access, rectification, cancellation, and opposition that the Owner may exercise regarding their Personal Data, in accordance with the provisions of the Applicable Regulations.

“Documents”: Means any document, contract, agreement, form, or Data Message, in electronic or digital format, that the Client, Admin Users, and/or Users upload, generate, send, or make available through the Platform, for their electronic signature and/or the management of said documents.

“Processor”: Means SORA, who processes Personal Data on behalf of the applicable Controller, in accordance with its documented instructions and without deciding on the purposes of the processing of said Personal Data.

“Data Messages”: Means information generated, sent, received, or archived by electronic, optical, or any other technology.

“Mexico”: United Mexican States.

“Applicable Regulations”: The Federal Law on Protection of Personal Data Held by Private Parties, its Regulations, and other applicable provisions in the field.

Platform”: The technological platform, system, interface, software, administration panels, APIs, and other technological elements operated by SORA for the provision of the Services.

“Integration Project”: Any technological, operational, or contractual scheme through which the Client and/or the Association connect, link, or integrate their systems, databases, flows, applications, interfaces, or processes with the Platform, or redirect Users to it, in such a way that SORA processes Personal Data on behalf of the Client.

“Controller”: Means the person who, in each specific case, decides on the purposes and means of the treatment of Personal Data, which may be: (i) SORA, when acting in its own capacity as controller; or (ii) the Client, when SORA acts as Processor on its behalf, including those cases in which the treatment of Personal Data derives from an Integration Project.

“RFC”: Federal Taxpayer Registry.

“Services”: The services provided by SORA under the SaaS (Software as a Service) model, including, but not limited to, electronic signature services, document management, digital files, payroll receipt signing, automations, APIs, integrations, and other features associated with the Platform.

“Site”: Means the website, microsites, portals, applications, forms, landing pages, or any other digital interface operated directly by SORA or enabled by it for the promotion of its Services.

“SORA”: CM Identidad, S.A.P.I. de C.V.

“Owner”: The natural person to whom the Personal Data corresponds.

“Users”: Persons who access, register, use, interact, and/or browse the Site and/or the Platform, either directly with SORA or by instruction, authorization, or redirection of the Client and/or the Association.

“Admin Users”: Means the natural persons designated by the Client, under their sole responsibility, with authority to manage the use of the Platform in connection with the applicable Integration Project, including, but not limited to: (i) managing, uploading, and organizing Documents; (ii) registering, enabling, modifying, or removing Users; (iii) defining signature flows; and (iv) performing any other administrative actions necessary for the operation of the Integration Project.

For the purposes of this Privacy Notice, the terms “we” or “our” shall refer to SORA only when it acts in its capacity as Controller. When SORA acts as Processor, any reference to the controller of the processing shall be understood to refer to the Client.

  1. OF THE CONTROLLER AND THE PROCESSOR.

SORA is a legally constituted and existing corporation under Mexican law and, when acting as the Controller, will be responsible for the processing of your Personal Data, designating as its address at C. 20 de Noviembre #748 Sur, Col. Ex Seminario, Monterrey, Nuevo León, Mexico, C.P. 64049 and as privacy contact email legal@sora.mx.

This Privacy Notice contemplates the following scenarios:

(a) SORA as Controller: SORA will have the character of Controller when it collects and processes Personal Data directly for its own purposes, including, but not limited to, the administration of its relationship with Clients and prospects, the direct provision of its Services, account management, support service, the security of its technological infrastructure, compliance with legal and contractual obligations, billing, collection, and the improvement of its Site, Platform, and Services.

(b) SORA as Processor: SORA will have the character of Processor when it processes Personal Data on behalf of the Client, in accordance with its documented instructions, particularly when the User: (i) is redirected by an Association or by the Client; (ii) accesses the Platform within the framework of an Integration Project; or (iii) uses the Services by virtue of a legal, labor, commercial, or other relationship that they maintain directly or indirectly with the Client or with the Association linked to it.

In the scenarios provided in section (b) above, the applicable Controller will be the Client, whose identity, address, and means of contact must be made available to the Owner by said Client, by the corresponding Association, or through the specific redirection, registration, invitation, recruitment, document, interface, or complementary notice flow that may apply.

To provide the Services, the processing of Personal Data may be carried out through the Site and/or the Platform, either directly by SORA in its capacity as Controller or by SORA in its capacity as Processor on behalf of the Client. In both cases, SORA may rely on third-party providers acting as processors or sub-processors, in accordance with the Applicable Regulations and, where applicable, the authorizations and instructions of the applicable Controller.

  1. PERSONAL DATA PROCESSED.

Depending on the applicable scenario, the nature of the Services, and the flow of use of the Site and/or the Platform, SORA may collect and process, directly or indirectly, on behalf of and in accordance with the instructions of the applicable Controller when acting in its capacity as Processor, or in its own capacity as Controller when corresponding to the scenario provided in Section 2 (two) above, the following categories of Personal Data:

(a) Identification and contact data: full name; gender; age; official identifications; email; CURP; and telephone number.

(b) Tax data: corporate or business name; RFC tax key; tax address; tax regime; and line of business or main economic activity. 

(c) Access and authentication data: username; password; and any other additional authentication mechanisms that, where applicable, are implemented for access to the Site and/or the Platform.

(d) Technological and usage data: date and time of access; browsing, scrolling, and interaction records within the Site and/or the Platform; features accessed and used; and time and/or frequency of use of the Site and/or the Platform.

(e) Biometric Data: Information about your physical characteristics, such as elements of your facial recognition, which will be processed through the Platform by the Processor and, where applicable, by its sub-processors, with the purpose of validating the User's identity and guaranteeing security in the provision of the Services.

(f) Data relating to the digital security certificate: serial number; certifying authority that issued it; signature algorithm; validity; name of the holder of the digital certificate; email address of the holder of the digital certificate; CURP of the holder of the digital certificate; public key; and any other data that as additional requirements are established by the Advanced Electronic Signature Law.

(g) Additional data: comments, opinions, queries, or feedback you provide; support requests raised and communication messages sent; information you voluntarily share during the ordinary use of the Site and/or the Platform; and information or documentation you manually upload to the Site and/or the Platform.

Personal Data may be obtained by the applicable Controller through any of the following means: (i) directly from the Owner; (ii) indirectly through the Client, the Association, admin users, representatives, authorized third parties, or integrated systems; or (iii) automatically through the use of the Site, the Platform, and the technologies enabled on them. However, the Personal Data referred to in paragraphs (e) and (f) will be collected directly through the Platform. 

In the case of Documents, files, receipts, agreements, forms, Data Messages, PDF files, XML, videos, evidence, contracts, and other content that the Client, the Association, the Admin Users, or the Users themselves upload, generate, send, or make available through the Platform, such content may contain additional categories of Personal Data determined by the Client. In such cases, when SORA acts as Processor, it will not define the substantive content of such documents nor the purposes of their processing, limiting itself to treating them in accordance with the Client's instructions and the functionality of the corresponding Integration Project.

In the event that the User voluntarily provides Sensitive Personal Data additional to those expressly requested, the Controller will endeavor to preserve its confidentiality as much as possible and may, where applicable, delete said information unilaterally and without prior notice to the corresponding User.

By accessing the Services and/or using the Platform, the User grants their consent for the Controller and its Processor to carry out the processing of their Personal Data in accordance with the provisions of this Privacy Notice, without prejudice to their right to revoke said consent, at any time, through the procedure set forth in Section 8 (eight) of this Privacy Notice.

When SORA acts as Processor, it will not use Personal Data for its own purposes incompatible with the Client's instructions, nor will it assume the character of Controller solely for providing technical, operational, storage, hosting, support, authentication, signature, safeguarding, or transmission processing of said Personal Data on behalf and for the account of the Client.

  1. PURPOSES OF PERSONAL DATA PROCESSING.

The purposes of the processing will depend on the capacity in which SORA intervenes in each specific case:

(a) When SORA acts as Controller, your Personal Data may be processed for the following:

Primary purposes:

  • Contractual and legal: (i) comply with the contractual and legal obligations of SORA towards the Client; and (ii) notify the User of any update, modification, or change to this Privacy Notice, as well as to other corresponding legal agreements.

  • Operational: (i) properly provide, operate, manage, and/or execute the Platform's Services; (ii) process the User's Personal Data for the correct provision of the Services; (iii) manage the commercial relationship with the Client; (iv) create, manage, and maintain User accounts on the Platform; (v) communicate information related to the Services contracted by the Client; and (vi) provide customer service, technical support, and operational assistance in connection with the Platform.

  • Maintenance, improvement, and optimization: (i) monitor the performance of the Services and/or the Platform; (ii) detect errors, technical failures, or vulnerabilities; (iii) validate and optimize processes, calculation mechanisms, and features; (iv) identify potential areas for correction, continuous improvement, and updating of the Services and/or the Platform; (v) detect potential areas for training, validation, and algorithmic improvement; and (vi) improve the User experience in connection with the Services.

  • Security: (i) authenticate and validate the identity of the User on the Platform; (ii) prevent, detect, and mitigate unauthorized access, fraud, misuse, or illegal activities; and (iii) implement, maintain, and strengthen security measures.

  • Analogous or compatible: Purposes that, without being identical, are compatible or analogous to those described above, provided they do not require obtaining the User's consent again.

Secondary purposes:

  • Marketing, advertising, and commercial prospecting: (i) inform about promotions, discounts, benefits, and offers; (ii) carry out cross-selling and/or upselling activities; (iii) use the Client's image in promotional material; (iv) disseminate testimonials, reviews, and success stories; and (v) publish content on SORA's social networks, digital, or institutional media.

  • Statistical and analytical: (i) conduct market studies; (ii) analyze consumer habits and behavior of Users; (iii) identify trends and usage patterns; (iv) generate internal metrics, reports, and indicators; (v) improve features, processes, and Services; and (vi) conduct surveys, evaluations, and measurements of User satisfaction.

(b) When SORA acts as Processor on behalf of the Client, in such cases, SORA will process Personal Data exclusively on behalf of the Client and in accordance with its documented instructions, for the purposes that said Client determines in connection with its link with the Users and with the contracted Services. In this scenario, it will correspond exclusively to the Client, in its capacity as Controller, to specifically inform the Owner of the primary and, where applicable, secondary purposes of the processing of their Personal Data, as well as any other information that must be made available to them pursuant to the Applicable Regulations.

Such purposes may include, but are not limited to, the following:

  • Create, manage, and maintain User accounts;

  • Allow access, authentication, and use of the Platform;

  • Enable electronic signature flows, identity validation, safeguarding, consultation, administration, and organization of Documents or files;

  • Manage labor, administrative, contractual, corporate, fiscal, or document processes of the Client;

  • Upload, process, transmit, store, query, and organize Documents, digital files, payroll receipts, evidence, data messages, and other files;

  • Provide technical support and operational assistance related to the Platform;

  • Maintain, secure, and technically improve the operation of the Platform for the benefit of the Client;

  • Prevent, detect, and mitigate unauthorized access, fraud, misuse, or security incidents; and

  • Comply with contractual, regulatory, or legal obligations corresponding to the Client.

You have a period of 5 (five) business days from the date of receipt of this Privacy Notice to express your refusal to process your Personal Data for secondary purposes, in accordance with the procedure set forth in Section 8 (eight) of this Privacy Notice.

The refusal to process for secondary purposes will not affect the processing of Personal Data for primary purposes. Under no circumstances will access to the Platform be conditioned on authorization for the processing of Personal Data for secondary purposes.

When SORA acts as Processor, it will retain Personal Data only for the period necessary to comply with the Client's instructions, with the contract concluded with the Client, with the Applicable Regulations, and with the legal obligations enforceable on SORA. Once the processing or the corresponding relationship has ended, SORA will proceed with the return, deletion, blocking, removal, or restricted preservation of the information, as appropriate in accordance with the Client's instructions, the Applicable Regulations, and its legal obligations.

  1. LIMITATION ON THE REMISSION OF PERSONAL DATA. 

(a) When SORA acts as Controller: it may remit the Owner's Personal Data, inside or outside of Mexico, to third-party processors, provided that such processing is carried out in accordance with its instructions and exclusively for the fulfillment of the purposes provided in Section 4 (four) of this Privacy Notice and in accordance with the Applicable Regulations.

In that regard, Personal Data may be made available to: (i) providers of operational, technological, computing, or information processing services, derived from the contracting of subrogated services; (ii) third-party service providers or vendors necessary for the operation, functioning, or administration of the Services, the Site, and/or the Platform; and (iii) competent administrative, governmental, or judicial authorities, when there is a duly founded and motivated legal request.

(b) When SORA acts as Processor: any transfer of Personal Data decided by the applicable Controller shall correspond to the Client, who will be responsible for informing the Owner and, where applicable, obtaining the necessary consent. Likewise, the User is informed that, for the proper provision of the Services and the execution of the Integration Project, SORA has the authorization of the applicable Controller to subcontract or rely on certain service providers, third-party service providers, sub-processors, and other auxiliary third parties necessary for the operation, functioning, support, maintenance, security, identity validation, processing, storage, or administration of the Site, the Platform, and/or the Services, who will process the Personal Data on behalf of the applicable Controller and in accordance with the corresponding instructions.

In both scenarios, SORA may rely on processors and/or sub-processors. Access to Personal Data by such third parties will not be considered a transfer under the terms of the Applicable Regulations, to the extent that they act on behalf of the applicable Controller and in accordance with the corresponding instructions.

The communication of Personal Data to authorities may be carried out, among other scenarios: (i) when there is a legal obligation; (ii) when it is necessary for the attention, investigation, prevention, or prosecution of allegedly illegal conduct, fraud, or other crimes; or (iii) when it is essential to safeguard the security, integrity, or operation of the Services and/or the Platform.

Under no circumstances will SORA sell, assign, or lease Personal Data for commercial, advertising, or marketing purposes unrelated to the authorized purposes.

When SORA acts as Controller, the Owner will have a period of 5 (five) business days from the date they become aware of this Privacy Notice to express their refusal regarding the transfer of their Personal Data, by sending the corresponding request to SORA in accordance with the procedure set forth in Section 8 (eight) of this Privacy Notice. If no statement is received within the specified period, it will be understood that the Owner has granted their consent for such transfers, except in those cases where, in accordance with the Applicable Regulations, the Owner's consent is not required.

On the other side, when SORA acts as Processor, any refusal regarding transfers must be expressed to the Client who has the character of applicable Controller, in accordance with the procedures established by the latter.

  1. USE OF TRACKING TECHNOLOGIES.

The Site and the Platform use tracking technologies, such as cookies and web beacons, to collect information about the User's navigation.

These technologies may collect data such as browser type, operating system, pages visited, IP address, and usage patterns, with the purpose of facilitating the operation of the Platform, improving the User experience, and guaranteeing the security of the Services, in accordance with the purposes defined by the Controller.

The use of such technologies may be implemented by the Processor, who acts on behalf of the Controller and in accordance with their instructions.

The User can disable the use of these technologies through their internet browser settings.

The use of the Site and/or the Platform implies acceptance of the use of these technologies under the terms of this Privacy Notice.

  1. PROTECTION OF PERSONAL DATA.

With the purpose of guaranteeing the protection and confidentiality of Personal Data, SORA has adopted and maintains administrative, technical, and physical security measures, implemented in accordance with industry standards and best practices, with the aim of preventing damage, loss, alteration, destruction, misuse, unauthorized access, or unlawful processing of such Personal Data.

In particular, measures have been implemented that include, among others, restricted access control schemes based on profiles and roles, which ensure that only properly authorized personnel can access Personal Data and only to the extent strictly necessary for the fulfillment of the purposes provided in this Privacy Notice.

  1. ARCO RIGHTS.

You, or your legal representative, have the right to: (i) access your Personal Data in the possession of the Controller and know the details of its processing; (ii) rectify it when it is inaccurate, incomplete, or out of date; (iii) cancel it when you consider that it is not required for the purposes set forth in this Privacy Notice; and (iv) oppose its processing for specific purposes. Likewise, you may request the limitation of its use or disclosure, as well as revoke the consent previously granted for its processing, except in those cases where the Applicable Regulations provide otherwise.

a) When SORA acts as Controller, to exercise ARCO Rights, the Owner must submit a written request addressed to SORA at the following email: legal@sora.mx, which must contain, at a minimum, the following information:

  1. Full name, address, and email address to receive notifications. 

  2. Valid official documents proving the identity of the Owner or, where applicable, documents proving their legal representation.

  3. Clear and precise description of the Personal Data regarding which any of the ARCO Rights are to be exercised.

  4. Specification of the ARCO Right they wish to exercise.

  • In case of cancellation, revocation of consent, or opposition to the processing of Personal Data, it must be indicated whether the request is total or partial.

  • In case of rectification, the requested modification must be specified and accompanied by supporting documentation. 

  1. Any other element or document that facilitates the location of the Personal Data.

SORA will respond to the request within a maximum period of 20 (twenty) business days from its receipt, indicating the determination adopted. If deemed appropriate, the request will be made effective within 15 (fifteen) business days following the communication of the response. These periods may be extended only once for an equal period when circumstances justify it.

The exercise of ARCO Rights is free of charge; however, the Owner must cover the justified expenses of shipping or reproduction of copies or formats that, where applicable, are generated. When the User repeats their request in a period of less than 12 (twelve) months, SORA may apply an additional cost in accordance with the limits established in the Applicable Regulations.

(b) When SORA acts as Processor on behalf of the Client: In this scenario, the request to exercise ARCO Rights, limit the use or disclosure of Personal Data, or revoke consent must be addressed to the Client who has the character of applicable Controller, under the terms of the privacy notice, mechanisms, or procedures that the latter has made available to the Owner.

Notwithstanding the foregoing, if the Owner sends a request directly to SORA in a case where SORA acts solely as a Processor, SORA may: (i) inform the Owner that they must direct their request to the Client; and/or (ii) when reasonable and possible, channel the request to the corresponding Client, without this implying assuming the character of Controller or replacing the Client in its resolution.

In any case, when SORA acts as Processor, it will assist the Client in responding to requests related to ARCO Rights, limitation of use, opposition, or revocation, in accordance with the instructions provided by the Client and the applicable contractual obligations.

  1. MODIFICATIONS TO THE PRIVACY NOTICE.

SORA reserves the right to modify, update, or add to this Privacy Notice, in whole or in part, at any time.

Any modification will be made available to Users by posting it on the Site and/or the Platform and, where applicable, by notification sent to the email address that the Owners have provided for the registration of their respective User.

When SORA acts as Controller, such modifications will take effect on the business day following their publication.

When SORA acts as Processor, the Client will be responsible for informing the Owner of those specific modifications related to: (i) its identity and contact details as the applicable Controller; (ii) the purposes it determines; (iii) the transfers it decides to carry out; and (iv) any other particular condition of the processing that depends on said Client. The foregoing is without prejudice to SORA's ability to publish or display such updates on the Site and/or the Platform when so instructed or when necessary for the operation of the Service.

The use, access, or utilization of the Site and/or the Platform by the User, as well as the existence of active or inactive accounts in the Platform after the publication or notification of said modifications, will constitute a statement of compliance and acceptance of the current version of this Privacy Notice, to the extent permitted by Applicable Regulations.

10. ACCEPTANCE OF THE PRIVACY NOTICE.

The Owner declares they have read, understood, and accepted this Privacy Notice.

When the Applicable Regulations require the Owner's consent for the processing of their Personal Data, such consent may be collected through physical, electronic, optical, sound, visual means, or any other legally permitted technology, including, but not limited to, acceptance buttons, checkboxes, electronic signatures, biometric mechanisms, validations within the Integration Project, the Site, and/or the Platform, or any other procedure that allows identifying the Owner and retaining evidence of their expression of will.

In that regard:

(a) When SORA acts as Controller, it will be understood that the Owner manifests their consent and acceptance of this Privacy Notice, as appropriate in accordance with the Applicable Regulations, through any of the following acts:   (i) the utilization, access, or use of the Integration Project, the Site, and/or the Platform; (ii) the contracting or use of the Services; (iii) the creation or possession of an account, whether active or inactive, on the Platform; (iv) the selection of buttons identified with legends such as “Enter”, “Accept”, “Continue”, or equivalents; or (v) the execution of any act that implies their acceptance.

(b) When SORA acts as Processor, the Owner's consent regarding the processing of their Personal Data must be collected by the Client acting as Controller or on their behalf, through the mechanisms determined by the latter, including those that, where applicable, are enabled by SORA within the Platform by instruction of the Client.

Likewise, the Owner acknowledges that their expression of will may be collected by electronic means and that a digital or printed version of this Privacy Notice and the corresponding evidence may be admissible as evidence in any judicial or administrative proceeding.

In case of disagreement with this Privacy Notice, the Owner must refrain from accessing, using, or continuing to use the Site, the Platform, and/or the Services.

11. ADDITIONAL INFORMATION.

(a) Headings: The references to headings contained in this Privacy Notice are for reference purposes only and will not affect the interpretation, scope, or application of any of the provisions set forth herein.

(b) Minors under 18 years of age: SORA does not intentionally collect Personal Data from minors under 18 (eighteen) years of age. In the event that SORA becomes aware that a minor under said age has provided Personal Data to it, the necessary measures will be adopted to delete such information from our records as soon as possible. If you believe that we may have information of this nature, we ask that you contact us through the email address legal@sora.mx of the Privacy Department:

(c) Applicable Legislation and Jurisdiction: This Privacy Notice shall be governed, interpreted, and applied in accordance with the federal laws in force in Mexico and, complementarily and where appropriate, by the applicable legislation of the State of Nuevo León, Mexico. For the interpretation, compliance, execution, and validity of this Privacy Notice, the parties expressly submit to the jurisdiction of the competent courts of the city of Monterrey, Nuevo León, Mexico, expressly waiving any other jurisdiction that may correspond to them by reason of their present or future domicile, or for any other cause.

(d) General questions, concerns, or complaints: If you have comments or questions about our privacy practices, concerns related to your Personal Data, or wish to present a complaint regarding the processing of the same: (i) when SORA acts as Controller, you may communicate with SORA through the email address: legal@sora.mx; and (ii) when SORA acts as Processor, you must communicate with the Client who has the character of Applicable Controller, without prejudice to also being able to contact SORA for purposes of guidance or reasonable forwarding of your request.

¡Hablemos por WhatsApp!