Privacy Policy

Last updated:

A comprehensive notice explaining how Metanoia collects, uses, stores, shares, protects, and retains personal data when you interact with the website, user account, and related digital services.

This Privacy Policy describes the processing of personal data carried out by Metanoia and is intended to clearly explain the purposes of processing, the categories of data collected, the data subject's rights, and the available mechanisms to exercise them.

This document is designed for operations in Mexico and should be read together with the Terms of Service, any specific contract entered into with Metanoia, and any short or contextual notices displayed when data is collected.

When services, campaigns, forms, or processes have specific purposes, Metanoia may supplement this notice with specific clauses while respecting the general framework described here.

1. Identity and address of the controller

Metanoia, acting as a digital platform and as the controller of personal data collected through its website, forms, authentication flows, user accounts, and related services. It operates primarily under a Mexican regulatory focus and handles legal communications through the official contact channels published by Metanoia on the website, inside the user account, or through any corporate channel enabled for support and legal matters.

If the service is operated by an individual with business activity or by a specific legal entity different from the trade name shown, this policy should be understood as referring to that operating entity, which will act as the data controller.

2. Personal data collected

Depending on the data subject's interaction with Metanoia, identification and contact data, authentication and account data, technical and usage data, files and metadata uploaded by the user, support information, and, when paid services exist, minimum billing and compliance data may be collected and processed.

  • Name, email, company, role, phone number, or information voluntarily provided.
  • User identifiers, sessions, roles, permissions, and authentication status.
  • IP address, browser, operating system, access date and time, and security logs.
  • File names, content type, size, storage locations, and data contained in materials the user chooses to upload.

3. Sensitive data and third-party data

Metanoia does not deliberately request sensitive personal data for ordinary service operation. The data subject should avoid uploading sensitive, financial, health, biometric, union, religious, minor-related, or other high-risk information unless there is a legitimate need, sufficient legal basis, and expressly authorized enhanced safeguards.

When the user uploads third-party personal data, they represent that they have the required authority and notices to do so and assume responsibility for that processing before Metanoia and the relevant data subjects.

4. Primary and secondary purposes

Personal data is used primarily to identify users, create and manage accounts, authenticate access, host files, operate private dashboards, process requests, provide support, prevent fraud, and comply with legal, regulatory, tax, and contractual obligations.

Additionally, when the relationship with the data subject allows it or the law authorizes it, Metanoia may process data to send product updates, related commercial information, aggregated usage analysis, experience improvements, new feature development, and de-identified statistics.

If the data subject does not want their data used for secondary purposes, they may request exclusion at any time through the official service channels, without affecting the main contracted service.

5. Legal bases, processors, and transfers

The processing of personal data by Metanoia is based, as applicable, on the legal relationship arising from registration or service use, the data subject's consent when required, compliance with legal obligations, and the legitimate interest of security and operational continuity within the limits permitted by Mexican law.

Metanoia may share personal data with providers acting on behalf of the controller to provide the service. Technology providers currently identifiable from the product architecture include authentication, reactive backend, and file storage services such as Clerk, Convex, and Vercel Blob, in addition to equivalent hosting, security, email, or support services when necessary.

Metanoia does not sell personal data. It will only transfer data to third parties outside the operating scheme when there is data subject consent, a legal obligation, a competent authority request, or an exception provided by applicable law.

6. Cookies, security, and retention

Metanoia may use cookies, local storage, session tokens, and similar technologies to authenticate users, maintain active sessions, remember basic preferences, prevent fraud, balance load, and improve the technical website experience.

Metanoia adopts reasonable administrative, technical, and physical measures to protect personal data against damage, loss, alteration, destruction, use, access, or unauthorized processing.

Data will be retained only for the time necessary to fulfill the stated purposes, maintain the legal relationship, address legal obligations, resolve disputes, run backups, and document compliance. If a security breach significantly affects the data subject's property or moral rights, Metanoia will seek to notify them through reasonably available means as required by law.

7. ARCO rights, withdrawal, and use limitation

The data subject or their legal representative may exercise rights of access, rectification, cancellation, and opposition, and may request withdrawal of consent where appropriate, by submitting a request through the official service channels.

The request must identify the data subject, clearly describe the right to be exercised, and specify the data covered by the request. Metanoia will respond within the applicable legal term, currently up to 20 days, and, if the request is valid, will carry it out within the following 15 days, except for extensions allowed by law.

The data subject may also request limitation of the use or disclosure of their data for secondary purposes and may unsubscribe from promotional communications sent by Metanoia.

8. Minors, changes, and authority

Metanoia is not designed to be used autonomously by minors without sufficient supervision or legal representation. If Metanoia detects that it has received a minor's data contrary to this principle, it may delete it, restrict its processing, or request additional information to validate the relevant authority.

Metanoia may modify this Privacy Policy to reflect legal, regulatory, technological, operational, or business changes. The current version will be the one published on the website with its last updated date.

If the data subject believes that their personal data protection rights have been violated and does not receive a satisfactory response, they may contact the competent Mexican authority for personal data protection held by private parties, currently the Ministry of Anti-Corruption and Good Government or the authority that legally replaces it.

Before publishing in production, replace the trade name "Metanoia" with the exact legal entity name, physical address, privacy email, and tax information of the operating entity if they differ from the trade name shown on the website.