Privacy Policy

Vorqon AI4Studio — Vorqon AI4Studio-Build®, Vorqon AI4Studio-DOC® and Vorqon AI4Studio-XL®
SCS BMS México SA de CV — Last updated: April 2026

1. Identity of the Data Controller

The data controller responsible for the processing of personal data collected through the Vorqon AI4Studio-Build®, Vorqon AI4Studio-DOC® and Vorqon AI4Studio-XL® applications (hereinafter, the “Software”) and the associated website is:

SCS BMS México SA de CV
Privacy contact email: [email protected]
Website: https://vorqonai.com

Hereinafter, “SCS BMS México SA de CV” or the “Data Controller.”

2. Scope of This Policy

This Privacy Policy (hereinafter, the “Policy”) describes how the Data Controller collects, uses, stores, protects, and, where applicable, deletes the personal data of users of the Software and the Data Controller’s website (hereinafter, the “Site”). This Policy applies to all Software applications: Vorqon AI4Studio-Build®, Vorqon AI4Studio-DOC® and Vorqon AI4Studio-XL®, as well as any user interaction with the Site, including the purchase process, registration, and technical support.

By using the Software or the Site, the user accepts the practices described in this Policy. If the user does not agree with any of the provisions set forth herein, they must refrain from using the Software and the Site.

3. Personal Data We Collect

The Data Controller collects only the personal data strictly necessary for the provision of the service, invoicing, and compliance with legal obligations. The personal data we collect includes:

Full name of the user or legal representative.
Name of the company or organization to which the user belongs.
Physical address (fiscal or commercial domicile).
Contact telephone number.
Tax identification number (RFC, NIT, RIF, VAT, or equivalent according to the user’s jurisdiction).
Email address.

Additionally, automatically and as part of the technical operation of the Software and the Site, we may collect:

IP address from which the Software or the Site is accessed.
Browsing data and essential technical cookies for the operation of the Site.
Software usage logs, including date, time, session duration, and Processing Time volume consumed, exclusively for billing and technical support purposes.

WE DO NOT COLLECT SENSITIVE PERSONAL DATA, BIOMETRIC DATA, HEALTH DATA, CREDIT OR DEBIT CARD FINANCIAL DATA (THESE ARE PROCESSED DIRECTLY BY OUR PAYMENT PROVIDER), NOR DATA REGARDING ETHNIC ORIGIN, RELIGIOUS BELIEFS, POLITICAL AFFILIATION, OR SEXUAL ORIENTATION.

3.1 Access Credentials Stored in the Software

For its operation, the Software stores locally in the user’s application the following access credentials:

Access credentials to the user’s Odoo® ERP instance (URL, username, and password or authentication tokens).
API keys for the user’s Odoo® ERP instance.
AI provider API keys, in the case of users under BYOK Mode.

THESE CREDENTIALS ARE STORED EXCLUSIVELY IN THE APPLICATION INSTALLED IN THE USER’S ENVIRONMENT. THE DATA CONTROLLER OFFERS THE OPTION TO ENCRYPT THESE CREDENTIALS WITHIN THE APPLICATION. AT NO TIME ARE THESE CREDENTIALS TRANSMITTED, SENT, COPIED, OR ACCESSED BY THE LICENSOR. THE LICENSOR DOES NOT HAVE ACCESS TO THE USER’S ODOO® KEYS OR AI PROVIDER API KEYS.

The security of these credentials is the sole responsibility of the user, who must adopt the necessary measures to protect them, including the use of the encryption option available in the Software and the protection of the environment where the application is installed.

4. Purposes of Data Processing

The personal data collected is used exclusively for the following purposes:

4.1 Primary Purposes (necessary for service provision)

Create and manage the user’s account on the Software platform.
Process the purchase of licenses and Processing Time (Processing Hours).
Issue invoices and tax receipts in accordance with applicable legislation.
Provide technical support to the user.
Communicate relevant information about the user’s account, including purchase confirmations, service notifications, security alerts, and notices of changes to the Terms and Conditions or this Policy.
Verify the user’s identity and their status as an independent professional, when applicable under the Software’s Terms and Conditions.

4.2 Secondary Purposes

Additionally, the user’s personal data may be used for the following secondary purposes:

Send commercial communications, promotions, offers, and news about the Software and other products or services of the Data Controller.
Conduct market analysis and internal statistics to improve the Data Controller’s products and services.
Send satisfaction surveys and feedback requests about the Software.

The user may object to the processing of their data for secondary purposes at any time, without affecting the provision of the service, by sending a request via email to [email protected] or by clicking the “unsubscribe” link included in each commercial communication.

5. We Do Not Share or Sell Your Personal Data

SCS BMS MÉXICO SA DE CV DOES NOT SELL, RENT, COMMERCIALIZE, ASSIGN, TRANSFER, OR SHARE THE PERSONAL DATA OF ITS USERS WITH THIRD PARTIES, UNDER ANY CIRCUMSTANCES AND FOR ANY REASON.

The only exceptions to the above, which do not constitute “sharing” or “selling” data, are:

Payment service providers: The data strictly necessary to process payments (name, email, tax ID) is transmitted to our payment processor (currently Stripe) exclusively to complete the transaction. Credit or debit card data is processed directly by the payment provider and is never stored or accessed by the Data Controller.
Tax and regulatory authorities: We may provide personal data to governmental authorities when there is a legal obligation to do so, such as in the case of duly substantiated and motivated fiscal, judicial, or administrative requirements.
AI providers (Standard Mode only): The instructions and data that the user enters into the Software are transmitted to AI model providers for processing. This data is treated in accordance with the AI provider’s terms of service and does not include the user’s registration data (name, address, phone, etc.), but only the content of the technical instructions sent to the Software.

Under no circumstances will the user’s personal data be used to train, improve, or develop artificial intelligence models, whether proprietary or third-party.

6. Data Storage and Security

6.1 Storage

The user’s personal data is stored on secure servers provided by Microsoft Azure as a cloud infrastructure provider. The website and product download files are hosted on Microsoft Azure servers (the exact location of the data centers is determined by the provider). The Software, once downloaded, runs locally in the user’s environment and does not operate on the Data Controller’s servers. The AI providers used by the Software operate their own servers, whose location is determined by each provider and is neither known nor controlled by the Data Controller. Data may be stored or processed on servers located outside of Mexico, in jurisdictions that offer adequate levels of data protection.

6.2 Security Measures

The Data Controller implements reasonable technical, administrative, and physical security measures to protect personal data against unauthorized access, loss, alteration, destruction, or unauthorized processing, including:

Data-in-transit encryption using TLS/SSL protocols.
Data-at-rest encryption in storage systems.
Access control restricted to authorized Data Controller personnel.
Secure authentication for access to the Software platform.
Activity monitoring and anomalous access detection.
Periodic data backups.

Despite these measures, no data transmission or storage system is completely secure. The Data Controller cannot guarantee the absolute security of personal data, but commits to notifying the user of any security breach affecting their data within seventy-two (72) hours following confirmation of the incident, as established in the Software’s Terms and Conditions.

7. Data Retention

The user’s personal data will be retained for as long as necessary to fulfill the purposes described in this Policy and, in any case:

While the user maintains an active account or has available Processing Time.
For an additional period of ninety (90) calendar days following the termination of the contractual relationship, as established in the Software’s Terms and Conditions.
For the additional periods required by fiscal, accounting, or legal obligations applicable in the Data Controller’s jurisdiction. In particular, pursuant to Article 30 of Mexico’s Federal Tax Code (Código Fiscal de la Federación — CFF), fiscal and accounting records, including data associated with invoicing and tax receipts, shall be retained for a minimum period of five (5) years from the date on which the related tax returns were filed or should have been filed.

Once the above periods have elapsed, personal data will be permanently and irreversibly deleted from the Data Controller’s systems.

8. User Rights

The user has the right to exercise, at any time, the following rights over their personal data:

8.1 ARCO Rights (Mexican law)

Pursuant to Mexico’s Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP), the user has the right to:

Access: Know what personal data we hold about you and the conditions of its processing.
Rectification: Request the correction of your personal data when it is inaccurate or incomplete.
Cancellation: Request the deletion of your personal data from our records.
Opposition: Object to the processing of your personal data for specific purposes.

8.2 Additional Rights (EU users)

If the user is located in the European Union, they additionally have the right to:

Portability: Receive their personal data in a structured, commonly used, and machine-readable format.
Restriction of processing: Request that we restrict the processing of their data in certain circumstances.
File a complaint with the competent data protection authority in their country.

8.3 Additional Rights (California, USA users)

If the user is a California resident, pursuant to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), they have the right to:

Know what personal data we have collected and for what purposes.
Request the deletion of their personal data.
Not be discriminated against for exercising their privacy rights.

For clarity: SCS BMS México SA de CV does not sell personal data and, therefore, it is not necessary to exercise the “opt-out” right regarding data sales.

8.4 How to Exercise Your Rights

To exercise any of the rights described above, the user must send a request via email to [email protected] with the following information:

Full name and email address associated with their account.
Clear description of the right they wish to exercise.
Documentation proving their identity (copy of official identification).

The Data Controller will respond to the request within twenty (20) business days following receipt of the complete request, pursuant to the LFPDPPP. For users in the European Union, the response period shall be thirty (30) calendar days pursuant to the GDPR.

9. Cookies and Tracking Technologies

The Site uses cookies classified into the following categories:

(a) Essential cookies: Strictly necessary for the operation of the Site, including session cookies, authentication cookies, and language preferences. These cookies do not require consent and cannot be disabled.
(b) Analytics cookies: Used to understand how users interact with the Site, including web analytics tools that measure traffic and browsing behavior in an aggregated and anonymous manner.
(c) Marketing cookies: Used to display relevant content and measure the effectiveness of the Data Controller’s communication campaigns.

Analytics and marketing cookies require the user’s prior consent, which is managed through the Site’s cookie banner. The user may modify their cookie preferences at any time through the cookie settings available on the Site.

WE DO NOT USE INDIVIDUALIZED COMMERCIAL PROFILING COOKIES OR INVASIVE TRACKING TECHNOLOGIES. MARKETING COOKIES ARE LIMITED TO MEASURING THE EFFECTIVENESS OF OUR OWN COMMUNICATIONS AND DO NOT INVOLVE DATA SHARING WITH THIRD-PARTY ADVERTISING NETWORKS.

The user may configure their browser to reject cookies or manage their preferences through the Site’s cookie banner. Rejecting essential cookies may affect the functionality of the Site. Rejecting analytics and marketing cookies will not affect the operation of the Software or the Site.

10. International Data Transfers

Given that the Software uses cloud infrastructure providers and AI model providers that may operate in jurisdictions outside of Mexico, the user’s data may be transferred and processed in countries other than the user’s country of residence.

In such cases, the Data Controller ensures that:

Transfers are made only to providers that maintain adequate data protection standards.
The data transferred is limited to what is strictly necessary for the provision of the service.
Providers are subject to contractual commitments of confidentiality and data protection.

11. Minors

The Software is intended exclusively for professionals and businesses. We do not knowingly collect personal data from individuals under eighteen (18) years of age. If the Data Controller becomes aware that it has collected data from a minor, it will proceed to delete it immediately.

12. Modifications to This Policy

The Data Controller reserves the right to modify this Policy at any time. Modifications will be notified to the user via email or publication on the Site with at least fifteen (15) calendar days’ advance notice. Continued use of the Software or the Site after notification shall constitute acceptance of the modified Policy.

The user is encouraged to review this Policy periodically. The date of last update is indicated at the beginning of this document.

13. Applicable Legislation

This Policy is governed by the laws of the United Mexican States, in particular by the Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations. For users in the European Union, the provisions of the General Data Protection Regulation (GDPR) apply on a complementary basis. For users in California, the provisions of the CCPA and CPRA apply on a complementary basis.

14. Contact

If the user has questions, comments, or requests related to this Policy or the processing of their personal data, they may contact the Data Controller at:

Email: [email protected]
Address: Av. Jesús del Monte #41, Piso 14, Ofc. 1526B, Colonia Jesús del Monte, Huixquilucan, Estado de México, C.P. 52764, México