01
Who we are
The data controller is Hi Luca Technologies, S.A.P.I. de C.V. (“Hi Luca”, “we”, “us”), a Sociedad Anónima Promotora de Inversión de Capital Variable organized under the laws of México, with registered address at Londres 219, Colonia Juárez, Alcaldía Cuauhtémoc, Ciudad de México, México.
For privacy, data-subject, and DPA requests, contact legal@hiluca.net. For security incidents, contact security@hiluca.net.
02
Scope of this policy
This policy applies to personal data we process as a controller — principally visitors to hiluca.com, prospects who contact us, customers, investors, candidates, and attendees of our events.
When we process customer-submitted data inside the Hi Luca platform on behalf of a customer, we act as a processor. That processing is governed by our Data Processing Agreement, not this policy.
03
Data we collect
Data you give us
- Contact data — name, work email, company, role, and the body of any message or voice note you submit via our forms or WhatsApp.
- Booking data — when you schedule a Discovery call via HubSpot Meetings, HubSpot collects calendar availability, meeting time, and call metadata.
- Commercial data — for customers: billing details, contract terms, authorized users.
- Voice-note content — when you attach an optional voice note to a contact form, we retain the audio file and a server-side Gemini-generated transcription for routing and follow-up.
Data we collect automatically
- Device and usage data — IP address, user-agent, referrer, pages viewed, timestamps.
- Cookies and similar — see our Cookies Policy for the full list. You can decline non-essential cookies at any time.
- Captcha signals — hCaptcha collects interaction data to distinguish humans from bots.
Data from third parties
We may receive data from partners who refer you to us, from public sources (e.g., LinkedIn for prospecting), and from our integrations (HubSpot, Meta, Google) when you authorize them.
04
How we use your data
We process personal data for the following purposes and under the following legal bases:
| Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|
| Respond to inquiries and book Discovery calls | Legitimate interest + consent | 3 years after last contact |
| Provide and improve the Hi Luca platform | Contract performance | for the duration of the account plus 30 days for recovery |
| Send marketing communications (opt-in) | Consent (double opt-in) | until consent is withdrawn |
| Transcribe and route voice notes | Consent + legitimate interest | 90 days unless converted into a ticket or account record |
| Billing, tax, and accounting | Legal obligation (Código Fiscal) | 5 years (Código Fiscal de la Federación) |
| Bot mitigation and fraud prevention | Legitimate interest | 90 days |
05
Who we share data with
We share personal data only with sub-processors that we have vetted and that are under contract. Our current list is published at /sub-processors. Categories include hosting (Vercel), CRM (HubSpot), AI inference (Google, Anthropic), advertising integration (Meta — only if activated), bot mitigation (hCaptcha), and edge infrastructure (Cloudflare).
We do not sell personal data. We do not disclose personal data to third parties for their own marketing.
We may disclose data when required by law, to protect the rights or safety of users, or in connection with a corporate transaction (with notice to you).
06
International transfers
We are based in México. Several sub-processors operate in the United States and the European Union. Transfers are protected by:
- Standard Contractual Clauses (EU → US/other third countries)
- UK International Data Transfer Addendum (UK → third countries)
- Data Privacy Framework certification (where the vendor is certified)
- Adequacy decisions (where applicable)
A copy of the safeguards is available on request at legal@hiluca.net.
07
Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, object to, or port your personal data, and to withdraw consent at any time. Under LFPDPPP these are known as the ARCO rights (Acceso, Rectificación, Cancelación, Oposición).
To exercise any of these, send a request to legal@hiluca.net. We respond within 20 business days under LFPDPPP or within one calendar month under GDPR, whichever applies.
You also have the right to lodge a complaint with your supervisory authority — the INAI in México, your national Data Protection Authority in the EU/EEA, or the ANPD in Brazil.
08
Security
We document our security posture at /security. Measures include encryption in transit and at rest, role-based access control, audit logging, SSO / SCIM for enterprise customers, and a published sub-processor list.
If we become aware of a personal-data breach likely to result in risk to your rights, we notify the controller (enterprise customers) and/or the supervisory authority within 72 hours of discovery, consistent with GDPR Art. 33 and LFPDPPP Art. 64.
09
Children
Hi Luca is a B2B platform. We do not direct our services to, or knowingly collect data from, children under 16 years of age. If you believe we have collected data from a minor, contact legal@hiluca.net and we will delete it.
10
Changes to this policy
We may update this policy to reflect product, legal, or operational changes. When changes are material, we notify active customers by email at least 30 days before the new version takes effect. The “Last updated” line at the top always reflects the current version.
11
Contact
Hi Luca Technologies, S.A.P.I. de C.V.
Londres 219 · Colonia Juárez · Alcaldía Cuauhtémoc · Ciudad de México · México
Privacy requests: legal@hiluca.net
Security disclosures: security@hiluca.net