Privacy Policy

1. Introduction

At buyve.me ("we", "our" or "the Platform"), we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our quotation and procurement platform.

1.1 Data Controller

Company Name: Buyve
Address: Circuito Circunvalacion Poniente. 4-B Ciudad Satelite Naucalpan, 53100 Estado de Mexico, Mex.
Email: [email protected]
Website: https://buyve.me

2. Information We Collect

2.1 Account Information

• Username and password (encrypted)
• Email address
• Full name
• Company information (name, address, tax details)
• Phone number (for WhatsApp integration)

2.2 Business Information

• Request for quotations (RFQ)
• Bill of materials (BOM)
• Supplier and vendor information
• Quotation history and comparisons
• Procurement and acquisition data

2.3 Communication Information

• Messages sent and received through the platform
• Conversations with AI agents
• WhatsApp messages and attached multimedia files
• Complete interaction history

2.4 Technical Information

• IP address and connection data
• Browser type and operating system
• Cookies and similar technologies
• Platform activity logs
• Session and authentication tokens

2.5 Files and Documents

• Uploaded Excel files (bill of materials)
• Generated PDFs (quotations, reports)
• Images and documents sent via WhatsApp

3. Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract performance: To provide quotation and procurement services
• Consent: For marketing communications and non-essential cookies
• Legitimate interest: To improve our services and prevent fraud
• Legal obligation: To comply with tax and legal requirements

4. How We Use Your Information

We use your personal information to:

• Provide and maintain the quotation platform
• Process quotation requests through AI agents
• Facilitate communication between buyers and suppliers
• Generate quotation reports and analysis
• Send notifications about your request status
• Improve our services through usage analysis
• Prevent fraud and ensure security
• Comply with legal obligations
• Train and improve our AI models (in aggregate and anonymized form)

5. Third-Party Services and International Transfers

To operate our platform, we share your data with the following service providers:

5.1 Artificial Intelligence Processing

Your messages and business data may be processed by the following AI services:

• Anthropic Claude (United States) - Natural language processing
• OpenAI GPT (United States) - Quotation analysis
• Google Gemini (United States) - AI assistance
• Mistral AI (France) - Text processing
• Cohere (Canada) - Semantic analysis
• Groq (United States) - AI inference
• HuggingFace (United States) - Language models

Important: Data sent to these services is subject to their respective privacy policies. We take measures to minimize personal information shared.

5.2 Communications

• Twilio (United States) - SMS and WhatsApp services
• WhatsApp Cloud API / Meta (United States) - Instant messaging

5.3 Infrastructure and Storage

• Render.com (United States) - Application hosting
• PostgreSQL - Database (hosted on Render)
• Redis - Cache and processing queues
• Amazon Web Services (AWS) S3 (United States) - File storage

5.4 Monitoring and Analytics

• Logfire / OpenTelemetry (United States) - Performance monitoring

5.5 International Transfers

Your data may be transferred and processed in the United States, the European Union, and other countries. We implement appropriate security measures such as:

• EU-approved standard contractual clauses
• Data transfer assessments
• Encryption in transit and at rest

6. WhatsApp Integration

Our platform integrates with WhatsApp Cloud API to facilitate communication:

• Messages sent via WhatsApp are processed by Meta Platforms, Inc.
• We store message history to provide the service
• Multimedia files sent are stored in AWS S3
• By using WhatsApp, you are also subject to WhatsApp's Terms
• You may opt out of WhatsApp and communicate through the web platform

7. Data Retention

We retain your personal data for:

• Account data: While your account is active and up to 5 years after closure
• Conversation history: Up to 3 years from the last interaction
• Quotation data: Up to 7 years to comply with tax obligations
• Audit logs: Up to 2 years for security purposes
• Anonymized data: Indefinitely for statistical analysis

You may request early deletion of your data by exercising your rights (see section 9).

8. Security Measures

We implement technical and organizational measures to protect your data:

• TLS/SSL encryption for all transmissions
• Password encryption with bcrypt
• JWT token authentication
• Role-based access control (RBAC)
• Row-level security policies (RLS) in the database
• Continuous auditing and monitoring
• Regular encrypted backups
• Session tokens with automatic expiration
• Blocklist for revoked tokens

9. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a structured, readable format
• Objection: Object to the processing of your data
• Restriction: Request restriction of processing
• Withdraw consent: At any time, without affecting the legality of prior processing
• Lodge a complaint: With the data protection authority in your jurisdiction

To exercise your rights, contact us at: [email protected]

We will respond to your request within 30 days.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to:

10.1 Essential Cookies

• Keep your session active
• Remember language preferences
• Ensure platform security

10.2 Performance Cookies

• Analyze platform usage
• Identify technical errors
• Improve user experience

10.3 Cookie Controls

You can configure your browser to reject cookies, but this may affect platform functionality. Essential cookies are necessary for basic service operation.

11. Children's Privacy

Our services are intended for businesses and professionals. We do not intentionally collect information from minors under 18 years of age. If we discover that we have collected data from a minor, we will delete it immediately.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes through:

• Prominent notice on the platform
• Email to your registered address
• Updating the "Last updated" date at the beginning of this document

We recommend reviewing this policy periodically.

13. Security Breach Notification

In the event of a security breach affecting your personal data, we will notify you within 72 hours of becoming aware of the incident, as required by GDPR.

14. Use of Data for AI Training

Your data may be used in aggregate and anonymized form to:

• Improve our procurement AI agents
• Train product categorization models
• Optimize quotation comparison

Important: We never share your specific business data or identifiable information with third parties for AI training without your explicit consent.

15. Contact

For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, you may contact us:

• Email: [email protected]
• Postal address: Circuito Circunvalacion Poniente. 4-B Ciudad Satelite, Naucalpan, 53100 Estado de Mexico, Mexico
• Data Protection Officer (DPO): [email protected]

16. Compliance with Mexican Data Protection Law

As a company established in Mexico, we comply with the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations.

16.1 Privacy Notice

This document constitutes our comprehensive Privacy Notice pursuant to article 15 of the LFPDPPP. It establishes the terms and conditions under which we process your personal data.

16.2 Sensitive Personal Data

We do not intentionally collect sensitive personal data as defined by the LFPDPPP (racial or ethnic origin, health status, genetic information, religious, philosophical, and moral beliefs, union membership, political opinions, sexual preference).

If we ever need to process sensitive data, we will request your express written consent in advance.

16.3 Processing Purposes

Primary Purposes (necessary for the service):

• Account management and authentication
• Processing quotation requests
• Communication with suppliers and buyers
• Compliance with tax and legal obligations

Secondary Purposes (require your consent):

• Sending commercial and promotional communications
• Preference analysis and service improvement
• Market and statistical studies

You may deny or object to the processing of your data for secondary purposes without affecting the provision of the main service.

16.4 ARCO Rights

In accordance with the LFPDPPP, you have the right to:

• Access: Know what personal data we have and how we use it
• Rectification: Request correction of inaccurate or incomplete data
• Cancellation: Request deletion of your data when you consider it unnecessary
• Opposition: Object to the processing of your data for specific purposes

16.5 Exercising ARCO Rights

To exercise your ARCO rights, you must send a request to [email protected] with:

• Full name and registered email address
• Clear description of the right you wish to exercise
• Documents proving your identity (INE/IFE or passport)
• Any document that helps locate your data

We will respond to your request within a maximum of 20 business days from the date of receipt. If your request is granted, we will execute it within 15 business days following the response date.

16.6 Consent Revocation

You may revoke your consent for the processing of your personal data at any time, following the same procedure as for exercising ARCO rights.

Revocation will not have retroactive effects and may limit our ability to provide certain services.

16.7 Limitation of Use and Disclosure

You may limit the use and disclosure of your personal data by contacting us at [email protected]. We will inform you if it is possible to comply with your request and the mechanisms for doing so.

16.8 Data Transfers

Data transfers to third parties described in section 5 are made under the protection of article 37 of the LFPDPPP (national and international transfers necessary for service provision).

16.9 National Transparency Institute (INAI)

If you believe your right to personal data protection has been violated, you may contact the National Institute of Transparency, Access to Information, and Personal Data Protection (INAI):

• Website: https://home.inai.org.mx
• Phone: 800 835 4324
• Email: [email protected]

16.10 Changes to Privacy Notice

Any substantial changes to this Privacy Notice will be communicated through:

• Publication on our website: https://buyve.me/privacy.html
• Email to your registered account
• Notification within the platform

17. Applicable Law and Jurisdiction

This Privacy Policy is governed by the laws of the United Mexican States, particularly:

• Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)
• LFPDPPP Regulations
• General Data Protection Regulation (GDPR) of the European Union (when applicable to European users)

For any dispute related to the processing of personal data, the parties submit to the jurisdiction of the competent courts in Naucalpan de Juarez, State of Mexico, Mexico, expressly waiving any other jurisdiction that may correspond to them.

18. Links to Third-Party Sites

Our platform may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We recommend reading their privacy policies.