Privacy Notice (Aviso de Privacidad Integral)
This Aviso de Privacidad Integral is published pursuant to Articles 8, 9, 15, 16, 17, and 18 of the Mexican Federal Law on the Protection of Personal Data Held by Private Parties ("LFPDPPP") and its Regulations. It governs the processing of personal data — including sensitive health-related data — by Corp 001 through the HGHMexico.mx pharmacy website and related services. A Spanish version of this notice is available on request and governs in case of discrepancy.
1. Identity and domicile of the responsible party
The data controller (responsable del tratamiento) is Corp 001, R.F.C. CUN1905221K7, with domicile at Carretera Libre Tijuana–Ensenada 3009, Local 2, Colonia Playa Encantada, Playas de Rosarito, Baja California, C.P. 22713, México. Corp 001 operates under the Aviso de Funcionamiento COFEPRIS (Homoclave Cofepris-05 "Insumos para la Salud") N° 200203506X0020, filed on 02/06/2020.
2. Personal data we collect
2.1 Identifying and contact data
- Full name, date of birth, gender, government-issued identification number
- Residential and billing address, email, telephone number (voice and SMS-capable)
- Account credentials (hashed passwords; we never store plaintext passwords)
2.2 Sensitive personal data (health data)
In order to lawfully dispense prescription medications, we process the following categories of sensitive personal data within the meaning of Article 3 §VI of the LFPDPPP:
- Prescription images (the receta médica issued by a physician holding a valid Mexican cédula profesional)
- Diagnosis or indication stated on the prescription
- Prescribing physician identity and cédula number
- Dosage and treatment history for refills and clinical continuity
- Basic health background voluntarily disclosed (allergies, concurrent medications) when relevant to safe dispensing
Processing of sensitive data requires your express, written consent under Article 9 of the LFPDPPP. That consent is captured via an explicit opt-in checkbox during account creation and prescription upload, and is logged with a timestamp.
2.3 Payment and transaction data
- Order history, line items, amounts, invoice numbers
- Cryptocurrency wallet addresses used for payment (public, on-chain data)
- Payment status events received from our self-hosted Shkeeper payment gateway
We do not store credit or debit card numbers. All payments settle in stablecoin (USDC on Polygon) through our self-hosted gateway; card data is never transmitted to or stored by us.
2.4 Navigation and technical data
- IP address, device type, user agent, operating system, language preferences
- Pages visited, timestamps, referrer URL, search queries on the site
- Session cookies strictly necessary for cart and authentication functionality
3. Purposes of the processing
3.1 Primary purposes (necessary — no separate consent required)
- Validate the legal requirements for dispensing prescription medicines in Mexico (Mexican prescription, Mexican delivery address)
- Review, approve or reject uploaded prescriptions under the supervision of our Responsable Sanitario
- Fill, package and deliver orders, including cold-chain logistics
- Process payments and issue legal tax receipts (CFDI) required by SAT
- Maintain the pharmacy records mandated by NOM-059-SSA1-2015 and related health-sector norms, including the retention of dispensing records
- Provide customer service, respond to complaints, handle returns and safety concerns
- Comply with legal obligations and respond to lawful requests from competent authorities (COFEPRIS, SAT, PROFECO, judicial authorities)
- Preserve site security, detect fraud and abuse
3.2 Secondary purposes (require your separate opt-in)
- Sending non-transactional marketing or educational communications about pharmacy services
- Analytics aimed at improving the website (currently disabled — no third-party analytics are deployed)
You may opt out of secondary purposes at any time without affecting your access to the service. Opt-out mechanisms are provided in every marketing email and via the contact address in Section 12.
4. Transfers of personal data
Corp 001 does not sell your personal data. Limited data is transmitted to the following categories of service providers and third parties under confidentiality and data-protection obligations equivalent to those required by Articles 36, 37 and 68 of the LFPDPPP:
- Courier and logistics providers (for delivery within Mexico) — name, address, telephone, order reference
- SendGrid (Twilio Inc., U.S.A.) — email delivery; transmits transactional email content and metadata
- Twilio Inc. (U.S.A.) — SMS delivery; transmits phone number and SMS content
- Self-hosted Shkeeper payment gateway (operated by us on the same infrastructure) — processes payment requests and confirmations
- Cloudflare, Inc. (U.S.A.) — content delivery and DDoS protection, processes connection metadata
- SAT (Servicio de Administración Tributaria) — name, RFC, purchase details required on CFDI tax receipts
- COFEPRIS and other health authorities — dispensing records when legally compelled or required for regulatory audits
- Judicial or administrative authorities — in response to lawful orders
These transfers do not require your additional consent under Article 37 of the LFPDPPP because they are either (i) strictly necessary for the maintenance of the legal relationship between you and Corp 001 or the fulfillment of an order, or (ii) required by law.
5. International data transfers
Some of the processors above are located outside Mexico (U.S.A.). Such transfers are made under contractual terms that impose obligations substantively equivalent to those required by the LFPDPPP, and are limited to the data necessary for the stated service.
6. Your ARCO rights (Access, Rectification, Cancellation, Opposition)
You have the right, under Articles 22–27 of the LFPDPPP, to:
- Access the personal data we hold about you and know how we are processing it
- Rectify data that is inaccurate or incomplete
- Cancel data that is no longer needed for the purposes for which it was collected (subject to mandatory retention — see Section 9)
- Oppose processing for specific purposes
To exercise these rights, send a written request to [email protected] (or by post to the domicile in Section 1, to the attention of the Data Protection Officer). Your request must include:
- Your full name and a reply address (email or postal)
- A copy of an official identification confirming your identity (or your legal representative's identification and power of attorney)
- A clear description of the personal data and the right you are exercising
- Any element that helps us locate the relevant data
Because prescription records are sensitive and constitute part of regulated pharmacy documentation, we may apply additional identity-verification steps before releasing copies of medical or dispensing records. We will respond within twenty (20) business days; if we grant the request, we will give effect to it within fifteen (15) additional business days.
If you are not satisfied with our response, you may file a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), home.inai.org.mx.
7. Revocation of consent
Where processing is based on your consent (in particular, processing of sensitive health data under Article 9), you may revoke that consent at any time by writing to the address in Section 12. Revocation does not affect the lawfulness of processing performed before revocation, and it does not prevent ongoing processing for purposes that the LFPDPPP and sector-specific regulations permit without consent (e.g., retention of dispensing records under pharmacy law).
8. Limitation of use or disclosure
You may request that we limit the use or disclosure of your personal data. We maintain an internal register of limitations; personal data subject to limitation is excluded from promotional communications and from secondary-purpose processing.
9. Data retention
- Prescription images and dispensing records: retained for the minimum period required by Mexican pharmacy law (at least five (5) years from the date of dispensing under NOM-059-SSA1-2015 and related norms), after which they are securely destroyed.
- Billing and tax records: retained for the periods required by Mexican fiscal law (generally five (5) years under Article 30 of the Código Fiscal de la Federación).
- Account data: retained while your account is active plus a reasonable period thereafter; you may request earlier cancellation subject to the retention obligations above.
- Server connection logs: retained for up to ninety (90) days for security and diagnostic purposes, then deleted or anonymized.
10. Security measures
We apply physical, technical and administrative safeguards to protect personal data against loss, misuse, unauthorized access, alteration or disclosure. These include: TLS encryption in transit; AES-256-GCM encryption at rest for prescription images; role-based access control to dispensing systems; audit logging of access to sensitive records; periodic review of processor relationships. In the event of a security breach that materially affects your rights, we will notify you without undue delay, as required by Article 20 of the LFPDPPP.
11. Cookies and similar technologies
We use cookies strictly necessary for the operation of the site (session authentication, shopping cart, locale preference). We do not set tracking, advertising, or third-party analytics cookies. You may configure your browser to refuse or delete cookies; doing so may impair cart and account functionality.
12. Data Protection Officer — contact
Data Protection Officer (Responsable de Protección de Datos Personales)
Corp 001
Email: [email protected]
Postal: Carr. Libre Tijuana–Ensenada 3009, Local 2, Playa Encantada, Playas de Rosarito, Baja California, 22713, México
13. Changes to this notice
We may update this Aviso de Privacidad to reflect changes in our practices or applicable law. The current version will always be posted at this URL with a "Last updated" date. Material changes will be announced on the site for a reasonable period; for material changes affecting sensitive data, we will additionally notify registered customers by email.
Last updated: 2026-04-23 · Governing language: Spanish. In case of discrepancy between the Spanish original and this English translation, the Spanish version prevails.