PRIVACY AND DATA PROTECTION POLICY

‍
Quantiica Global Solutions, S.A.P.I. de C.V. (hereinafter “Quantiica”) is a technology company specialized in artificial intelligence solutions, advanced data analytics, process automation, and regulatory compliance services.
The protection of personal data and information security are fundamental components of Quantiica’s technological governance and risk management framework.
This Privacy Policy describes how Quantiica collects, processes, safeguards, and manages personal data in compliance with applicable data protection laws.

‍
1. Applicable Legal Framework

Quantiica operates in accordance with applicable data protection and privacy regulations, including:
Mexico
● Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)
● Regulations of the LFPDPPP
● Guidelines issued by the National Institute for Transparency, Access to Information and Personal Data Protection (INAI)
United States
Where applicable, Quantiica aligns its data processing practices with U.S. privacy frameworks including:
● California Consumer Privacy Act (CCPA)
● California Privacy Rights Act (CPRA)
● Virginia Consumer Data Protection Act (VCDPA)
● Colorado Privacy Act (CPA)
● Other applicable U.S. state privacy laws
International Clients
When processing personal data originating from the European Economic Area or other jurisdictions with equivalent requirements, Quantiica operates in accordance with the General Data Protection Regulation (GDPR) and other applicable international privacy standards.

‍
2. Core Data Protection Principles

Quantiica processes personal data in accordance with the following principles:
● Transparency
● Purpose limitation
● Data minimization
● Accuracy and data quality
● Security and confidentiality
● Accountability and responsible governance
These principles are interpreted consistently with both Mexican data protection law and international privacy standards.

‍
3. Role of Quantiica in Data Processing

Depending on the nature of the services provided, Quantiica may act as:
Data Controller / Business
When Quantiica determines the purposes and means of processing personal data, including when data is collected through:
● Company websites
● contact forms
● commercial relationships
● professional engagements
Data Processor / Service Provider

‍
When Quantiica processes personal data on behalf of corporate clients under technology services agreements.
In this role, Quantiica:
● Processes personal data solely under documented instructions from the client
● Does not use personal data for its own purposes
● Does not disclose personal data without contractual authorization
● Implements appropriate technical and organizational safeguards

‍
4. Artificial Intelligence and Automated Data Processing

Quantiica develops and implements technology solutions that may involve:
● Machine learning models
● predictive analytics
● automated monitoring systems
● algorithmic risk classification
● automated data analysis

‍
Automated processing is carried out:
● under parameters defined jointly with the client
● for specific contractual purposes
● under documented and auditable methodologies
● with traceability and execution logging mechanisms
Where applicable, Quantiica implements Explainable Artificial Intelligence (XAI) frameworks designed to allow clients to understand and interpret algorithmic outcomes.

‍
5. No Fully Automated Decision-Making Without Human Oversight

Quantiica does not make final automated decisions that produce legal effects or significantly impact individuals without human review.
Outputs generated by Quantiica systems, such as:
● risk alerts
● automated classifications
● operational recommendations
are designed as decision-support tools.

‍
Final interpretation, validation, and decision-making authority remains with the client or designated human personnel.
Where services fall under jurisdictions that regulate automated decision-making (such as GDPR Article 22), Quantiica will implement appropriate safeguards including:
● human review mechanisms
● explainability of algorithmic outcomes
● procedures for review or challenge where applicable

‍
6. Confidentiality and Information Protection

Quantiica maintains strict confidentiality obligations with respect to all information that may be:
● personal
● commercial
● financial
● regulatory
● technical

‍
All employees, contractors, consultants, and service providers:
● execute confidentiality agreements
● are subject to access restrictions under the need-to-know principle
● must comply with internal secure information management protocols

‍
Information processed by Quantiica is not used for purposes other than those expressly authorized by clients or required by law.
‍

7. Cloud Infrastructure and Technological Environments

Quantiica may operate under different infrastructure configurations depending on client requirements.
Client-Controlled Infrastructure
Services may be deployed directly within the client’s:
● private cloud environments
● internal infrastructure
● hybrid technological environments

‍
In such cases, primary control over infrastructure security and data localization remains with the client.
Deployment on Cloud Service Providers
Quantiica may implement services on platforms such as:
● Amazon Web Services (AWS)
● Microsoft Azure
● Google Cloud Platform
● other cloud providers approved by the client

‍
Under these models:
● infrastructure is configured according to recognized security standards
● access controls and encryption mechanisms are implemented
● technological architecture is documented and auditable

‍
Quantiica does not host client data on unauthorized infrastructure.

‍
8. Information Security Measures

Quantiica implements a comprehensive information security framework including:
● encryption in transit and at rest where applicable
● multi-factor authentication
● role-based access control
● segregation of production and testing environments
● security monitoring and audit logs
● periodic vulnerability assessments
● internal incident response procedures
● data protection governance policies aligned with international security standards

‍
9. Cross-Border Data Transfers

Where personal data is transferred across jurisdictions, Quantiica implements safeguards consistent with applicable regulations.
For European data subjects, such safeguards may include:
● Standard Contractual Clauses (SCC)
● Data Processing Agreements (DPA)
● additional contractual or technical safeguards

‍
10. Consumer and Data Subject Rights

Individuals may have rights regarding their personal data depending on the applicable jurisdiction, which may include:
● access to personal data
● correction of inaccurate data
● deletion of personal data
● restriction of processing
● data portability
● the right to opt out of certain data processing activities
Requests related to data rights may be submitted through the contact channels provided by Quantiica.

‍
11. Data Retention

Personal data is retained only for the period necessary to:
● fulfill contractual obligations
● comply with regulatory or legal requirements
● support legitimate business operations
Once the retention period expires, personal data will be securely deleted, anonymized, or archived in accordance with applicable regulations.

‍
12. Policy Updates

Quantiica may update this Privacy Policy periodically to reflect:
● regulatory changes
● technological developments
● contractual or operational modifications
The current version of the Policy will be made available through official company channels.

‍