Privacy Notice - THOMSON BUSINESS MANAGEMENT GROUP

COMPLETE PRIVACY NOTICE

THOMSON BUSINESS MANAGEMENT GROUP S.A. DE C.V., commercially known and hereinafter referred to as THOMSON BUSINESS MANAGEMENT GROUP, which has a registered address for notifications at Calle Giotto Número 175, Colonia Alfonso XIII, Alcaldía Álvaro Obregón, Mexico City, C.P. 01460, is responsible for the use and protection of your personal data. In this regard, we hereby inform you of the following:

This privacy notice has been prepared in compliance with the legal provisions on personal data protection contained in the Mexican Federal Law on Protection of Personal Data Held by Private Parties [Ley Federal de Protección de Datos Personales en Posesión de Particulares (LFPDPPP)], its regulations, and the Privacy Notice Guidelines issued by the National Institute of Transparency for Access to Information and Protection of Personal Data [Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI)], as well as our internal policies on transparency and the ethical use of information. The privacy and information of our clients are of the utmost importance to us.

At THOMSON BUSINESS MANAGEMENT GROUP, we take the security of your personal data very seriously. We have technological, physical, administrative, and legal mechanisms in place to protect your personal and sensitive data. These measures are designed to prevent damage, loss, destruction, theft, misplacement, or alteration, as well as any unauthorized processing.

THOMSON BUSINESS MANAGEMENT GROUP provides this privacy notice in order to inform you of how we collect, transfer, and use your confidential information. You can find it on our website and application.

The purposes for processing personal data are as follows:

Review, analysis, processing, and use of formats, reports, and diagnostics related to the services offered by THOMSON BUSINESS MANAGEMENT GROUP, as well as those shared with authorized third parties.
Diagnosis and evaluation of business systems, processes, and platforms, which may be executed by THOMSON BUSINESS MANAGEMENT GROUP or authorized third parties.
Implementation of regulations, standards, and policies necessary for the platform and the commercial operations of the client.
Preparation and monitoring of documentation and processes related to the transformation and optimization of business models.
Preparation for audits, diagnostics, approvals, and certifications.
Response to requests, clarifications, inquiries, complaints, comments, petitions, and any other matters related to providing customer service.
Analyze trends, uses, and activities related to our services, as well as to monitor them.
Prevent illegal activities and fraudulent transactions in order to ensure the continuity and security of the payment system.
Provide clients with information about our services, products, partnerships, promotions, news, events, and information that we believe may be of interest to them.
Provide personalized content about our services according to client preferences and interests.
Offer better service by linking information we obtain from third parties to help us better understand our clients’ needs.
Create databases for market research purposes.
Send notifications, notices, promotional messages, or communications for marketing, advertising, or telemarketing purposes about new or existing products and services offered by THOMSON BUSINESS MANAGEMENT GROUP or through commercial partnerships.
Conduct surveys, statistical analysis, market research, and to record consumption habits through automatic data capture tools, interests, and behavior.

If you do not want your personal data to be processed for the purposes set out in the two preceding paragraphs, you may notify us of this at any time by sending an email to the following address: website@thomson-bmg.com, stating your request to exclude your personal data from being processed for additional purposes. Upon receipt of your email, THOMSON BUSINESS MANAGEMENT GROUP shall have a maximum of 15 business days to inform you of its decision and, where applicable, to implement it within a maximum of 15 additional business days. Once these deadlines have passed, THOMSON BUSINESS MANAGEMENT GROUP undertakes not to process personal data for the aforementioned purposes, without this implying that our privacy notice ceases to be in force. The objection provided for in this paragraph only constitutes a restriction on the processing of the client’s personal data for purposes not necessary for the provision of the service offered by THOMSON BUSINESS MANAGEMENT GROUP. Therefore, this objection cannot be a determining factor in our refusal to provide the services requested or contracted with THOMSON BUSINESS MANAGEMENT GROUP.

The personal data that THOMSON BUSINESS MANAGEMENT GROUP collects from clients and users, which is necessary for providing the service, are as follows:

Father’s surname, mother’s surname, and first name(s) without abbreviations, as well as an email address.

THOMSON BUSINESS MANAGEMENT GROUP shall not request sensitive personal data, which, in accordance with Article 2, section VI of the current Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), may be personal data that affects the most intimate sphere of its owner, or whose misuse could give rise to discrimination or entail a serious risk to the owner. In particular, data that may reveal aspects such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical, and moral beliefs, union membership, political opinions, and sexual preference are considered sensitive and shall not be requested from users.

Transfer of personal data

We inform you that your personal data is shared within and outside the country with various suppliers and related parties, including, but not limited to, the following companies:

Banks, financial institutions, credit institutions, and credit or financial information companies.
As well as any other commercial entity or company that allows THOMSON BUSINESS MANAGEMENT GROUP to fulfill its corporate purpose. This includes national and international technology providers, hosting storage providers, financial and banking service providers, and intermediaries recognized by Mexican authorities.

The transfer of data to the aforementioned companies shall be carried out on the understanding that the data shall be processed by the same data controller, since the aforementioned companies or commercial groups are part of the same business group as THOMSON BUSINESS MANAGEMENT GROUP and maintain the same internal processes and policies. Therefore, and in accordance with the provisions of Article 36, section III of the current Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), such transfer is not subject to the client’s consent, and refusal to allow this transfer of personal data constitutes grounds for THOMSON BUSINESS MANAGEMENT GROUP to deny the provision of the requested or contracted services.

They are also shared with companies that provide THOMSON BUSINESS MANAGEMENT GROUP with services for the transformation and optimization of business models, processes, information storage, approval, reviews, and the implementation of platforms to achieve compliance.

The foregoing is for the proper and full compliance with the obligations set forth in current regulations and their secondary provisions, as well as to be able to comply with the services offered and contained in the Terms and Conditions. Therefore, and in accordance with the provisions of Articles 36, sections IV and VII, and 9, sections I and IV, of the current Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), such transfer is not subject to the client’s consent, and a refusal to allow this transfer of personal data constitutes grounds for THOMSON BUSINESS MANAGEMENT GROUP to deny the provision of the requested or contracted services.

THOMSON BUSINESS MANAGEMENT GROUP shall not sell, assign, or transfer the personal data of clients or users to third parties outside the company, its affiliates, subsidiaries, and related parties, or third parties other than those mentioned above without their prior consent. THOMSON BUSINESS MANAGEMENT GROUP may transfer any personal data necessary for fulfilling its obligations in connection with the provision of services, as well as for commercial, informational, and advertising activities, without the need for prior consent from the client. This transfer is subject to a prior dissociation procedure. The transfer is also permitted for the recognition, exercise, or defense of a right in a judicial proceeding or trial, as well as for information requested by authorities duly empowered to require such information.

ARCO rights

Clients have the right to know what personal data is stored about them and how it is processed (Access). Likewise, they have the right to request the correction of their personal information if it is outdated, inaccurate, or incomplete (Rectification); to have it removed from our records or databases when requested and/or when they consider that it is not being used in accordance with the principles, duties, and obligations set forth in the regulations (Cancellation); and to oppose the use of their personal data for specific purposes (Opposition). These rights are known as ARCO rights and clients may exercise them freely as long as their corresponding requests do not contravene applicable legal provisions and comply with the formalities set forth in this privacy notice.

To exercise any of their ARCO rights, the client must submit a request via email to website@thomson-bmg.com. This request must contain the following information: (i) name of the owner of the information and their address, as well as an email address or other means of communicating a response; (ii) documents proving their identity or that of their legal representative; (iii) a clear and precise description of the personal data in respect to which the corresponding right is being exercised; and (iv) any other information that facilitates the localization of the personal data. Clients are obliged to comply with the relevant requirements for exercising their ARCO rights. Likewise, the right of rectification may be exercised by sending a message through a widely known and worldwide smartphone messaging application that sends and receives messages via the internet or from our website www.thomson-bmg.com. Upon receiving a request, THOMSON BUSINESS MANAGEMENT GROUP shall have 20 business days to respond by the method specified by the client.

Revocation of client consent for the use of their personal data

Clients may revoke any consent they may have given us for the processing of their personal data. However, it is important to note that THOMSON BUSINESS MANAGEMENT GROUP may not be able to comply with your request or terminate processing immediately in all cases, as we may be required to continue processing your personal data due to legal obligations. Likewise, clients should consider that, for certain purposes, revoking their consent may mean that we shall no longer be able to provide the service they requested, or that their relationship with us shall be terminated.

To revoke your consent, you must submit your request to the following email address: website@thomson-bmg.com. Your request must contain the following information: (i) the name and address of the owner of the information, as well as an email address or other contact information of the owner of the information; (ii) documents proving the owner’s identity or legal representation; (iii) a clear and precise description of the personal data for which the right of revocation is being exercised; and (iv) any other information that facilitates the localization of the personal data.

Protective measures

To safeguard the personal data of our users, THOMSON BUSINESS MANAGEMENT GROUP constantly implements and maintains full compliance with administrative, technical, and physical security measures. However, we cannot guarantee that the processing of their personal data shall be completely free from harm. Therefore, if we detect a security breach that significantly affects the rights of data subjects, we shall notify them in accordance with the provisions of the applicable regulations.

Contact

Clients may contact the head of the Personal Data Department at THOMSON BUSINESS MANAGEMENT GROUP via the email address provided below, with any questions, or concerns, or comments regarding data processing or the exercise of any rights set forth in this privacy notice.

Email address: website@thomson-bmg.com

Limiting the use or disclosure of your personal information

If you wish to limit the processing of your personal information, the following additional options are available to you:

You may register with the Public Registry to Avoid Advertising [Registro Público para Evitar Publicidad (REPEP)], a registry provided by the Mexican Federal Consumer Protection Agency [Procuraduría Federal del Consumidor (PROFECO)], which contains a list of consumers who do not wish to receive calls or advertising messages and/or promotions by companies other than financial institutions as part of their marketing practices.

The provisions of the two preceding paragraphs do not apply to telephone calls you may receive for the purposes of debt collection, politics, charity, benevolence, or telephone surveys.

For more information about these registers, please consult the PROFECO website or contact them directly.

Changes to the privacy notice

We may modify, change, or update this privacy notice due to new legal requirements, changes in our business model or our privacy practices, or changes in the products or services we offer; or for other reasons.

We are committed to keeping you informed of any changes to this privacy notice through our website www.thomson-bmg.com and our application.

We shall publish all changes to this privacy notice on our website, www.thomson-bmg.com, as well as through our application. It is the responsibility of clients to frequently review our policies in order to stay informed of possible changes. Changes to this privacy notice take effect 10 days after publication. Within five days of publication, clients must indicate whether they agree or disagree with the changes. If they do not agree, their provision of services shall be suspended. After this period expires, clients shall be considered to have accepted the changes to the privacy notice.

Acceptance

This privacy notice is linked to the Terms and Conditions made available on our website www. thomson-bmg.com and through our application, which constitute a legal agreement between the client and THOMSON BUSINESS MANAGEMENT GROUP. Use of the services provided by THOMSON BUSINESS MANAGEMENT GROUP constitutes tacit acceptance of this privacy notice. This does not exclude the possibility of additional express forms of acceptance.

Authority

The National Institute of Transparency for Access to Information and Protection of Personal Data [Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI)] is the competent authority for personal data protection in Mexico. Clients who believe their rights are being violated can contact the INAI for more information and assistance.

LAST UPDATED: MARCH 20, 2025.

DISCLAIMER: The English version of our privacy notice, which is a translation of our original Spanish version, has been provided for information purposes only. In the event of a discrepancy, the original Spanish version shall prevail.