COMPREHENSIVE PRIVACY NOTICE
FÁBRICA DE INDICADORES S.A. DE C.V.
Effective Date: 01 de marzo de 2026
Versión: 1.0
1. IDENTITY, ADDRESS AND CONTACT DETAILS OF THE DATA CONTROLLER
This Comprehensive Privacy Notice (the "NOTICE") is issued by FÁBRICA DE INDICADORES S.A. DE C.V. (Tax ID: FIN1704055Z2), with address at Calle 29 #147 Int. 3 por 32 y 34, Colonia Buenavista, Mérida, Yucatán, México, C.P. 97127 (hereinafter "YUNABAI" or the "CONTROLLER"), as personal data controller. Privacy contact: privacy@fabricadeindicadores.com.
2. APPLICABLE LEGAL FRAMEWORK
This NOTICE is issued primarily pursuant to Mexican law, specifically: (i) Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP, new law DOF Mar-20-2025, last amendment DOF Nov-14-2025); (ii) LFPDPPP Regulations; (iii) Privacy Notice Guidelines of the Secretaría Anticorrupción y Buen Gobierno (SABG); (iv) Mexican Civil Code (CCF) and Commercial Code (CCom); (v) Ley Federal del Derecho de Autor (LFDA, last amendment DOF Jan-15-2026); (vi) Ley Federal de Protección a la Propiedad Industrial (LFPPI, last amendment DOF Jan-15-2026). For users located outside Mexican territory, YUNABAI will adopt equivalent protection measures and will verify adequate protection levels for international transfers under Article 37 of the LFPDPPP.
3. GOVERNING PRINCIPLES OF PROCESSING
YUNABAI observes in all processing the principles of: (i) Lawfulness; (ii) Purpose limitation; (iii) Loyalty and fair processing; (iv) Consent; (v) Data quality and accuracy; (vi) Proportionality and data minimization; (vii) Transparency and information; and (viii) Accountability.
4. PERSONAL DATA COLLECTED AND PROCESSED
4.1 Identification and Contact Data
a) Full name or corporate name (individuals and legal entities).
b) Corporate or personal email address.
c) Phone number.
d) Country, state and city of residence or headquarters.
e) Position or role within the organization.
4.2 Account and Access Data
a) Username and authentication credentials (stored encrypted; YUNABAI does not store passwords in plain text).
b) Access tokens and active sessions.
c) IP address and approximate geolocation.
4.3 Financial and Billing Data
Financial data requires the data subject's express consent. YUNABAI collects: tax ID or equivalent; billing name; and payment data managed exclusively by certified PCI-DSS processors (YUNABAI does not store full card numbers).
4.4 Usage and Analytics Data
a) Pages and modules visited; actions performed (clicks, queries, downloads).
b) Browser type, operating system and device.
c) Session duration and frequency; error and diagnostic logs.
4.5 AI-Processed Data and Content
a) Documents, texts, images and files voluntarily uploaded for analysis.
b) Conversations and instructions sent to the conversational agent.
c) Results and recommendations generated by the AI.
YUNABAI does not request sensitive personal data. If included in processed content, processing will be limited to the requested purpose and deletion will follow section 9. Express written consent will be required for their processing.
5. PURPOSES OF PROCESSING
5.1 Primary Purposes (no additional consent required)
a) Account creation, management and authentication.
b) Provision of AI SaaS service: analysis, recommendations and conversational interaction.
c) Billing, collection and subscription management; tax receipt issuance per applicable tax law.
d) Technical support and incident resolution.
e) Compliance with legal, tax and regulatory obligations.
f) Critical security updates and policy change notifications.
Primary purposes are necessary for the legal relationship between the data subject and YUNABAI and do not require additional consent.
5.2 Secondary Purposes (require consent)
a) Sending commercial communications, newsletters and product updates.
b) Satisfaction surveys, market research and product improvement.
c) Usage profiling for experience personalization.
d) Sharing anonymized statistics with YUNABAI's academic or commercial partners.
If the data subject does not wish secondary purposes, they may indicate this at registration or by sending a request to privacy@sim1.tech. Refusal does not affect primary purposes.
6. AI DATA PROCESSING
On the matter of Artificial Intelligence processing, the CONTROLLER states:
a) AI responses are advisory and do not replace human professional judgment (legal, medical, financial, etc.).
b) YUNABAI does not use USER Content to train third-party models without express consent. Own models are only retrained with anonymized or dissociated data.
c) Uploaded documents are processed in secure environments (encrypted at rest and in transit) and not accessed by human staff except in authorized technical support.
d) The data subject may require that any decision made solely by automated systems be reviewed by a human.
The data subject may object to automated processing producing undesired legal effects or significantly affecting their interests, rights or freedoms, by writing to privacy@sim1.tech.
7. INTELLECTUAL AND INDUSTRIAL PROPERTY
When YUNABAI transfers data to third parties other than data processors, it will communicate this NOTICE and the purposes authorized by the data subject.
a) Cloud infrastructure providers acting as data processors under confidentiality agreements equivalent to applicable law.
b) PCI-DSS certified payment processors.
c) Email, communications and technical support service providers.
d) Tax, judicial or administrative authorities when legally required.
e) Companies of the same YUNABAI corporate group under equivalent internal policies.
For international transfers, YUNABAI will verify adequate protection levels or implement standard contractual clauses or other legally recognized mechanisms.
8. DATA SUBJECT RIGHTS AND PROCEDURE
The data subject has the right to:
a) Access: know what data YUNABAI holds and the conditions of their processing.
b) Rectification: request correction of inaccurate, incomplete or outdated data, with supporting documentation.
c) Cancellation/Erasure: request deletion of data when no longer necessary. This gives rise to a blocking period prior to definitive deletion.
d) Objection: object to processing for legitimate reasons or automated processing with undesired legal effects.
e) Withdrawal of consent: withdraw authorization for secondary purposes at any time, without retroactive effects.
8.1 Exercise Procedure
Send your request to privacy@sim1.tech indicating: (i) full name and contact details; (ii) copy of current official ID; (iii) legal representation instrument, if applicable; (iv) clear description of the right to exercise and data involved; and (v) any document facilitating data location. YUNABAI will respond within 20 business days. The applicable measure will be implemented within the following 15 business days. Exercise of rights is free of charge, except for reproduction or shipping costs.
9. RETENTION PERIODS AND DELETION POLICY
Data will be retained only for the time necessary to fulfill the purposes for which they were collected and will be deleted after blocking once that period concludes.
a) Active account data: during the subscription and up to 3 years after cancellation.
b) AI-processed documents and content: deleted from active servers within 30 days after cancellation. Backup copies deleted in ordinary purge cycles.
c) Financial and tax data: 5 years per Art. 30 CFF, or the period required by the USER's country tax law.
d) Security and audit logs: up to 2 years.
e) Contract breach data: up to 72 months from the breach date per applicable personal data protection law.
10. SECURITY MEASURES
YUNABAI implements administrative, technical and physical security measures appropriate to the processing risk:
a) Encryption in transit: TLS 1.2 or higher.
b) Encryption at rest: AES-256 or equivalent.
c) Multi-factor authentication (MFA) available for all accounts.
d) Role-based access control (RBAC) with least-privilege principle for YUNABAI staff.
e) Internal and external audits and periodic penetration testing.
f) Confidentiality policies and ongoing training for staff with data access.
In the event of a security breach significantly affecting data subject rights, YUNABAI will notify immediately so appropriate defensive measures may be taken.
11. USE OF COOKIES AND TRACKING TECHNOLOGIES
The Platform uses cookies and similar technologies (web beacons, pixels, session identifiers) to: (i) maintain active sessions; (ii) remember language and configuration preferences; (iii) analyze performance and usage; and (iv) measure communication effectiveness. Users may manage or reject non-essential cookies from the cookie banner upon entry or from browser settings, which may affect functionality. Full policy: www.yunabai.ai/cookies.
12. MODIFICATIONS TO THE PRIVACY NOTICE
YUNABAI may update this NOTICE at any time. Modifications will be notified via: (i) email to the registered address; (ii) prominent notice on the Platform at login; and (iii) publication at www.yunabai.ai/privacy. The version and date published on the portal are the only current ones. Continued use implies tacit acceptance.
13. DATA SUBJECT CONSENT
By registering or providing data through any YUNABAI-enabled means, the data subject acknowledges having read, understood and accepted this NOTICE, constituting tacit consent for primary purposes. Express consent will be required for secondary purposes and financial data.
14. COMPETENT AUTHORITY
If you believe your personal data protection right has been violated, you may file a complaint with the Secretaría Anticorrupción y Buen Gobierno (SABG), the competent authority under Articles 2(XV) and 43 of the LFPDPPP (last amendment DOF Nov-14-2025). The SABG assumed all functions of the former INAI pursuant to the March 2025 Decree transitional provisions. Website: www.sabg.gob.mx. For matters related to operations in United States territory, you may additionally contact the Office of the Attorney General of Texas or the Federal Trade Commission (FTC).
15. APPLICABLE LAW AND JURISDICTION
This NOTICE is governed primarily by the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP, new law DOF Mar-20-2025, last amendment DOF Nov-14-2025), its Regulations and the guidelines of the Secretaría Anticorrupción y Buen Gobierno (SABG). SIM TECH HOLDINGS LLC, by operating services to users in Mexican territory, is subject to Mexican personal data protection law under Article 3 of the LFPDPPP. For disputes, the parties submit to the federal courts sitting in Mérida, Yucatán, México, with the Código Civil Federal applying suppletorily. Texas law (TDPSA) applies solely to operations in United States territory.
Version 1.0 — Effective Date: 01 de marzo de 2026