Talentapy

Aviso de privacidad

Responsible Party: Talentapy, S.A.P.I. de C.V.

Talentapy acts as the data controller for all personal data processed through our platform. We operate an individual-controlled data model where you own your assessment data and career profile. Organizations can access your information only when you choose to participate in their assessment process, and you can stop sharing your data at any time.

This model ensures your career data builds into a comprehensive, portable profile that you control throughout your professional life.

In compliance with the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), the General Data Protection Regulation (GDPR), and applicable local laws, Talentapy issues this Privacy Notice to inform you about how we collect, use, protect, and respect your personal data.

Last updated: March 2026

Table of Contents

  1. Foundational Principles
  2. Data Collected
  3. How We Use Your Information
  4. Legal Basis for Processing
  5. Data Security Measures
  6. Data Sharing and Organizational Access
  7. Sub-Processors and Service Providers
  8. Data Retention
  9. Your Rights (ARCO and GDPR)
  10. Consent and Processing Basis
  11. Cookies and Similar Technologies
  12. Data Accuracy and Updates
  13. International Data Transfers
  14. Updates to this Privacy Notice
  15. Applicable Regulations
  16. Contact Information
  17. Jurisdiction-Specific Provisions

1. Foundational Principles

1.1 Data Ownership

Your personal data belongs to you—always.

You own your profile, assessment data, and career insights. Organizations can access your information only when you choose to participate in their assessment processes, and you can stop sharing at any time.

Talentapy acts as the data controller and platform provider. We protect your data, enable you to share it selectively with organizations, and ensure you maintain control over who sees what.

1.2 Individual Control Model

Talentapy operates on an individual-controlled data model:

You control your data:

  • You decide whether to participate when an organization invites you to an assessment
  • By completing an assessment, you grant that organization access to your results
  • Organizations can view and download your assessment reports while you share access with them
  • You can stop sharing your data with any organization at any time
  • When you stop sharing, the organization retains what they already downloaded but receives no further updates
  • Your profile persists independently of any single organization

Organizations access data through you:

  • When an organization invites you to participate, you choose whether to proceed
  • If you complete the assessment, you authorize that organization to view and download your results
  • While you share access, organizations can see your profile updates in real-time
  • When you stop sharing, they retain previously downloaded reports but no longer see updates to your profile

Why this matters:

  • Your assessment data builds over time into a comprehensive career profile
  • You can share relevant insights with multiple organizations throughout your career
  • Organizations benefit from richer, longitudinal talent data
  • You maintain privacy and control as you grow professionally

1.3 Our Commitment

We process personal data lawfully, transparently, and proportionally. We implement technical, physical, and administrative safeguards to protect your information and ensure its confidentiality, integrity, and availability.

2. Data Collected

Depending on the service, assessment, or platform interaction, we may collect the following categories of data:

Identification Data

  • Full name, gender, date of birth, nationality, country and city of residence

Contact Data

  • Email address, telephone number, physical address (when applicable)

Professional Data

  • Job title, department, company name, hierarchical level, role type, seniority, professional experience, resume/CV
  • Compensation information (salary, bonuses, benefits) - voluntarily provided by you for benchmarking and market insights

Assessment and Development Data

  • Responses, scores, and observations from psychometric assessments (personality, leadership, sales)
  • Video and audio interview recordings and responses
  • 360° feedback, qualitative interviews, cultural instruments, and surveys
  • Third-party assessment reports uploaded by you or organizations
  • Performance observations and development notes

Contextual and Behavioral Data

  • Personal, cultural, or employment information voluntarily provided during interviews or diagnostics
  • Perceptions, interaction patterns, leadership styles, decision-making patterns

Derived and Analytical Data

  • Interpretative results, categorizations, profile reports, and AI-generated insights derived from processing your data
  • Aggregated and anonymized data for benchmarking, research, and product development

Technical Data

  • IP address, device information, browser type, operating system, time zone, cookies, and similar technologies

Administrative Data

  • Tax ID (RFC), invoicing details, payment methods, and contractual information (collected only when necessary for service delivery)

3. How We Use Your Information

We use collected data exclusively for the following purposes, based on your informed consent and limited to what is necessary:

3.1 Primary Service Purposes

  • Create and manage your profile within Talentapy
  • Administer assessments and generate individual and organizational reports
  • Facilitate communication with you regarding assessments, results, and services
  • Conduct analyses and diagnostics to support professional and organizational development
  • Enable organizational stakeholders (when you participate in their assessment) to access your consolidated talent profile
  • Fulfill contractual, administrative, and legal obligations

3.2 Building Career Intelligence Through Your Data

Your data contributes to powerful career insights—while you maintain full control.

As you use Talentapy over time, your assessment data, career progression, compensation information, and development activities build into a comprehensive professional profile. This individual-controlled data model creates value in three ways:

For you:

  • Longitudinal insights into your growth and development
  • Benchmarking against relevant career paths and industries
  • Personalized recommendations based on your unique trajectory
  • A portable career profile that grows with you across organizations

For organizations (when you choose to participate):

  • Richer talent insights from your multi-dimensional profile
  • Historical context that improves hiring and development decisions
  • Ability to see your growth over time, not just a point-in-time snapshot

For the talent ecosystem (anonymized):

  • We use anonymized, aggregated data to improve our assessment methodologies
  • Train AI models to provide better insights and recommendations
  • Develop industry benchmarks and career pathway insights
  • Conduct research to advance talent science

What this means in practice:

  • Your identified data (name, email, specific responses) remains under your control
  • We may use anonymized versions of assessment patterns to improve our AI models
  • Aggregated data (e.g., "leadership scores for marketing directors in Mexico") helps us build better benchmarks
  • You benefit from insights powered by the collective intelligence of the talent ecosystem
  • Organizations benefit from more accurate predictions and recommendations

You can:

  • Delete your account and identified data at any time
  • Stop sharing with specific organizations
  • Export your complete profile
  • Request that we delete your identified data (anonymized data used for research and AI training may be retained)

3.3 Analytics and Improvement

  • Analyze platform usage to enhance user experience and functionality
  • Develop new services, features, and assessment methodologies
  • Conduct internal research to improve the effectiveness of our assessments and insights

3.4 Communication

  • Send service-related communications (assessment invitations, results notifications, platform updates)
  • Respond to your inquiries and support requests
  • Send marketing communications (only with your consent, and you can opt out at any time)

3.5 Legal and Compliance

  • Comply with legal obligations, court orders, and government requests
  • Protect our rights, property, and safety, and those of our users
  • Prevent fraud, security threats, and technical issues

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

Purpose Legal Basis (GDPR) Legal Basis (LFPDPPP)
Account creation and service delivery Contract performance Express consent
Assessment administration and reporting Contract performance Express consent
Communication about services Legitimate interests Express consent
Analytics and platform improvement Legitimate interests Express consent
Legal compliance Legal obligation Legal obligation
Marketing communications Consent Express consent
AI training and research (anonymized data) Legitimate interests Legitimate interests

Legitimate Interests: When we rely on legitimate interests, we balance our business needs against your privacy rights. You have the right to object to processing based on legitimate interests.

5. Data Security Measures

We implement comprehensive security controls to protect your personal data:

Technical Safeguards

  • Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Access Controls: Role-based access control (RBAC) limiting data access to authorized personnel only
  • Authentication: Multi-factor authentication (MFA) required for all administrative access
  • Network Security: Firewalls, intrusion detection systems, and network segmentation
  • Vulnerability Management: Regular security testing, penetration testing, and vulnerability assessments

Administrative Safeguards

  • Data Processing Agreements (DPAs): Executed with all service providers handling personal data
  • Employee Training: Regular privacy and security training for all personnel
  • Background Checks: Conducted for personnel with access to sensitive data
  • Incident Response Plan: Documented procedures for detecting, responding to, and reporting security incidents
  • Data Minimization: We collect and retain only the data necessary for specified purposes

Physical Safeguards

  • Secure Data Centers: Data hosted in SOC 2 Type II certified facilities (AWS, Google Cloud)
  • Access Controls: Restricted physical access to servers and infrastructure
  • Environmental Controls: Backup power, climate control, and fire suppression systems

Organizational Measures

  • Privacy by Design: Privacy considerations integrated into system design and development
  • Third-Party Audits: Regular independent security assessments and compliance audits
  • Vendor Management: Rigorous evaluation and ongoing monitoring of service providers

Breach Notification: In the event of a data breach affecting your personal information, we will notify you and relevant authorities within 72 hours of discovery, as required by applicable law.

6. Data Sharing and Organizational Access

6.1 How Organizations Access Your Data

You control when organizations see your data:

  • When an organization invites you to participate in an assessment, you choose whether to proceed
  • By completing an assessment, you authorize that specific organization to access your results
  • Organizations can view and download assessment reports while you maintain active sharing
  • You can stop sharing with any organization at any time through your privacy settings

What organizations can access:

  • Assessment results and reports you completed for them
  • Profile information relevant to the assessment (professional background, relevant experience)
  • Updates to your profile while you maintain active sharing
  • Historical data from previous assessments (if you participated with them before)

What organizations cannot access:

  • Data from assessments you completed for other organizations (unless you explicitly share)
  • Your compensation information (unless you choose to share it)
  • Your communication with other organizations
  • Private notes or development plans not shared with them

6.2 When You Stop Sharing

  • Organizations retain assessment reports they previously downloaded
  • They no longer see updates to your profile
  • They cannot access new assessments or data you add
  • Your profile remains active and accessible to you

6.3 Data Processing Agreements

Organizations that use Talentapy to assess candidates or employees enter into Data Processing Agreements (DPAs) that:

  • Define roles and responsibilities for data protection
  • Establish security requirements and breach notification procedures
  • Limit data use to specified purposes
  • Require deletion of data when no longer needed for legitimate business purposes

6.4 Sharing with Third Parties

We do not sell, rent, or trade your personal information. We may share data with third parties only in the following circumstances:

Service Providers: We engage trusted sub-processors (Section 7) to help deliver our services. These providers are contractually obligated to protect your data and use it only for specified purposes.

Legal Requirements: We may disclose personal data if required by law, court order, or government request, or to protect our rights, property, or safety.

Business Transfers: If Talentapy is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

With Your Consent: We may share your data with third parties when you provide explicit consent.

7. Sub-Processors and Service Providers

We engage the following categories of sub-processors to help deliver our services. All sub-processors are bound by Data Processing Agreements ensuring GDPR and LFPDPPP compliance:

Cloud Infrastructure and Hosting

Amazon Web Services (AWS)

  • Services: Platform hosting, database storage, file storage
  • Data Processed: All personal data categories
  • Location: United States (with EU data residency options)
  • Safeguards: AWS GDPR-compliant DPA, SOC 2 Type II certified

Google Cloud Platform (GCP)

  • Services: AI/ML processing, analytics infrastructure
  • Data Processed: Assessment data, analytical data
  • Location: United States and Europe
  • Safeguards: Google Cloud GDPR-compliant DPA, ISO 27001 certified

Vercel

  • Services: Web application hosting and edge delivery
  • Data Processed: Platform access data, session information
  • Location: Global (edge network)
  • Safeguards: GDPR-compliant DPA, SOC 2 Type II certified

Assessment Methodology Provider

Luks Prisma

  • Services: Psychometric assessment methodology, scoring algorithms, validation research
  • Data Processed: Assessment responses, scores, interpretations
  • Location: Mexico and internationally
  • Safeguards: Exclusive partnership agreement with strict confidentiality and data protection obligations

Email Communications

SendGrid (Twilio)

  • Services: Transactional email delivery, email analytics
  • Data Processed: Email addresses, communication content, delivery metrics
  • Location: United States
  • Safeguards: GDPR-compliant DPA, SOC 2 Type II certified

AI and Analytics Services

OpenAI

  • Services: AI-powered assessment interpretation and insights generation
  • Data Processed: Assessment responses, professional background (pseudonymized where possible)
  • Location: United States
  • Safeguards: Business agreement prohibiting use of customer data for model training, data deleted after processing

Anthropic

  • Services: AI-powered analysis and recommendation generation
  • Data Processed: Assessment data, career information (pseudonymized where possible)
  • Location: United States
  • Safeguards: Enterprise agreement with data retention controls, no training on customer data

xAI (Grok)

  • Services: Advanced data processing and analytical insights
  • Data Processed: Aggregated assessment patterns, anonymized career data
  • Location: United States
  • Safeguards: Data processing agreement with security and confidentiality obligations

Security and Performance

Cloudflare

  • Services: Content delivery network (CDN), DDoS protection, web application firewall
  • Data Processed: IP addresses, request metadata, cached content
  • Location: Global edge network
  • Safeguards: GDPR-compliant DPA, SOC 2 Type II certified

Analytics and Advertising

Google Analytics

  • Services: Website and platform usage analytics
  • Data Processed: Anonymized usage patterns, page views, session data
  • Location: United States
  • Safeguards: Google Analytics GDPR controls, IP anonymization enabled

Google Ads, LinkedIn Ads, Facebook Pixel, Microsoft Advertising

  • Services: Marketing campaign management and conversion tracking
  • Data Processed: Anonymized user identifiers, ad interaction data
  • Location: United States and Europe
  • Safeguards: Standard contractual clauses, user consent mechanisms

Sub-Processor Changes

We may add, replace, or remove sub-processors as necessary to deliver and improve our services. We will:

  • Maintain an updated list at https://talentapy.com/subprocessors
  • Notify organizational clients 30 days before material sub-processor changes
  • Ensure new sub-processors meet our data protection standards
  • Provide you with the right to object to new sub-processors (organizational clients)

8. Data Retention

8.1 Retention Principles

We retain personal data only as long as necessary for the purposes for which it was collected, to comply with legal obligations, or to resolve disputes and enforce our agreements.

8.2 Retention Periods

Active Accounts:

  • Personal data is retained for the duration of your active account
  • Assessment data and career profile remain accessible to you while your account is active
  • You can update, modify, or delete information at any time through your account settings

Inactive Accounts:

  • If you do not log in for 5 years, your account is considered inactive
  • We may delete your account and personal data after 5 years of inactivity
  • We will notify you via email before deletion (if your email address is still valid)
  • You can prevent deletion by logging in and confirming continued use

Deleted Accounts:

  • When you request account deletion, we delete your identified personal data within 30 days
  • Downloaded assessment reports retained by organizations are outside our control and subject to their retention policies
  • Aggregated and anonymized data may be retained indefinitely for research, AI training, and benchmarking purposes

Assessment Data:

  • Assessment responses and results are retained for the duration of your account plus 5 years
  • This allows longitudinal analysis and career development insights
  • Identified assessment data is deleted upon account deletion
  • Anonymized assessment patterns may be retained indefinitely for research and model improvement

Legal and Compliance Data:

  • Financial records and invoicing data: 10 years (Mexican tax law requirement)
  • Data required for legal claims or investigations: Retained until resolution
  • Audit logs and security records: 2 years

8.3 Anonymization vs. Deletion

What happens when you delete your account:

  • Identified data deleted: Name, email, contact information, and directly identifiable profile data
  • Anonymized data retained: Assessment patterns, career progression insights, and aggregated benchmarking data that cannot be linked back to you
  • Organizational reports: Organizations that previously downloaded your reports retain those copies (we cannot delete data from their systems)

Why we retain anonymized data:

  • Improves AI models and assessment accuracy for all users
  • Enables industry benchmarks and career pathway insights
  • Supports talent research and methodological validation
  • Benefits the broader talent ecosystem without compromising your privacy

Your choices:

  • You can delete your account and identified data at any time
  • You can request we not use your data for anonymized research (we will comply, though this may limit some platform features)
  • You cannot force deletion of reports already downloaded by organizations (this is outside our control)

9. Your Rights (ARCO and GDPR)

You have the following rights regarding your personal data:

9.1 ARCO Rights (Mexico - LFPDPPP)

Access (Acceso): Request a copy of your personal data in our possession

Rectification (Rectificación): Correct inaccurate or incomplete data

Cancellation (Cancelación): Request deletion of your personal data (subject to legal retention requirements)

Opposition (Oposición): Object to specific uses of your personal data

How to Exercise ARCO Rights:

  • Submit requests to: compliance@talentapy.com
  • We will respond within 20 business days
  • If approved, changes will be implemented within 15 business days
  • If denied, we will explain the legal basis for denial

9.2 GDPR Rights (Europe)

Right to Access: Obtain confirmation of whether we process your data and access to your personal data

Right to Rectification: Correct inaccurate or incomplete personal data

Right to Erasure ("Right to be Forgotten"): Request deletion of personal data under certain conditions

Right to Restriction of Processing: Limit how we use your data in specific circumstances

Right to Data Portability: Receive your data in a structured, commonly used format and transfer it to another controller

Right to Object: Object to processing based on legitimate interests, including profiling

Right to Withdraw Consent: Withdraw consent at any time (does not affect lawfulness of processing before withdrawal)

Right to Lodge a Complaint: File a complaint with your local data protection authority

How to Exercise GDPR Rights:

  • Submit requests to: compliance@talentapy.com
  • We will respond within 1 month (extendable by 2 months for complex requests)
  • We will verify your identity before processing requests
  • We will not charge a fee unless requests are manifestly unfounded or excessive

9.3 Automated Decision-Making and Profiling

We use AI and algorithms to generate assessment insights, career recommendations, and organizational benchmarks. These processes involve profiling based on assessment responses, professional background, and career trajectory.

Your rights:

  • You have the right to know when automated decision-making affects you
  • You can request human review of AI-generated insights
  • You can object to profiling in certain circumstances
  • Organizations using our platform for high-stakes decisions (hiring, promotion) should combine AI insights with human judgment

Our approach:

  • AI-generated insights are recommendations, not final decisions
  • We design systems to minimize bias and ensure fairness
  • We regularly audit algorithms for accuracy and fairness
  • We provide transparency into how AI-generated insights are produced

10. Consent and Processing Basis

10.1 Providing Consent

By creating an account and using Talentapy, you provide express, informed, and freely given consent to the processing of your personal data as described in this Privacy Notice.

For specific processing activities requiring separate consent:

  • Marketing communications: Opt-in via checkbox during registration or through communication preferences
  • Data sharing with organizations: Implicit consent when you complete an assessment for a specific organization
  • Sensitive data processing: Explicit consent obtained before collecting sensitive information

10.2 Withdrawing Consent

You may withdraw consent at any time by:

  • Updating your privacy preferences in your account settings
  • Unsubscribing from marketing emails via the link provided in each communication
  • Stopping data sharing with specific organizations through your privacy dashboard
  • Contacting compliance@talentapy.com to request consent withdrawal

Effect of withdrawal:

  • Does not affect the lawfulness of processing based on consent before withdrawal
  • May limit your ability to use certain platform features
  • Does not require you to delete your account (though you may choose to do so)

10.3 Children's Data

Talentapy is intended for users 18 years of age and older. We do not knowingly collect personal data from individuals under 18.

If we discover that we have inadvertently collected data from someone under 18, we will delete that information immediately.

If you believe we have collected data from a minor, please contact us at compliance@talentapy.com.

11. Cookies and Similar Technologies

We use cookies and similar technologies to enhance platform functionality, analyze usage, and deliver personalized experiences.

Types of cookies we use:

  • Strictly Necessary: Essential for platform operation (authentication, security, session management)
  • Analytics: Help us understand how users interact with the platform (Google Analytics)
  • Functional: Remember your preferences and settings
  • Marketing: Deliver relevant advertising and measure campaign effectiveness (Google Ads, LinkedIn, Facebook, Microsoft)

Managing cookies:

  • Configure preferences through our Cookie Consent Manager (first visit)
  • Change settings anytime via "Cookie Settings" link in the website footer
  • Control cookies through browser settings (may affect platform functionality)

For detailed information: See our Cookie Policy

12. Data Accuracy and Updates

We rely on you to ensure your personal data is accurate and current.

Your responsibilities:

  • Keep your profile information up to date
  • Notify us of any changes to contact information
  • Review and correct data errors through your account settings

Our responsibilities:

  • Provide tools for you to easily update your information
  • Correct inaccurate data upon your request
  • Implement reasonable measures to maintain data accuracy

How to update your data:

  • Log in to your account and edit your profile
  • Contact compliance@talentapy.com for assistance
  • Submit a rectification request under ARCO or GDPR rights

13. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, Mexico, and the European Union.

Safeguards for international transfers:

  • Standard Contractual Clauses (SCCs): EU-approved contracts ensuring GDPR-level protection
  • Adequacy Decisions: Transfers to countries deemed to provide adequate protection by the European Commission
  • Binding Corporate Rules: For transfers within multinational organizations
  • Data Processing Agreements: Contracts with sub-processors ensuring appropriate safeguards

Specific transfer mechanisms:

  • Mexico to EU/US: Standard Contractual Clauses with AWS, Google Cloud, and other US-based providers
  • EU to US: Standard Contractual Clauses, supplemented by additional technical and organizational measures
  • Intra-LATAM: Regional data processing agreements ensuring local compliance

Your rights:

  • Request information about the safeguards applied to your data transfers
  • Object to specific international transfers (may limit platform functionality)
  • Request a copy of the Standard Contractual Clauses we use

14. Updates to this Privacy Notice

We may modify this Privacy Notice to reflect changes in our practices, legal requirements, or service offerings.

How we notify you of changes:

  • Material changes: 30 days' advance notice via email and prominent platform notification
  • Non-material changes: Posted immediately at https://talentapy.com/privacy with updated "Last Updated" date
  • Significant changes: May require renewed consent for affected processing activities

What constitutes a material change:

  • Expansion of data collection categories
  • New uses of personal data not previously disclosed
  • Changes to data retention periods
  • Addition of new sub-processors handling sensitive data
  • Changes affecting your rights or our obligations

Your options:

  • Review updated Privacy Notice before it takes effect
  • Object to changes or withdraw consent
  • Delete your account if you disagree with material changes
  • Contact us with questions or concerns

Version history: We maintain a version history of this Privacy Notice at https://talentapy.com/privacy/history

15. Applicable Regulations

This Privacy Notice complies with:

  • Mexico: Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP)
  • European Union: General Data Protection Regulation (GDPR)
  • United States: California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
  • Other jurisdictions: Applicable local data protection laws where we operate

Regulatory authorities:

  • Mexico: National Institute of Transparency, Access to Information and Personal Data Protection (INAI)
  • EU: European Data Protection Board (EDPB) and national data protection authorities
  • UK: Information Commissioner's Office (ICO)
  • California: California Privacy Protection Agency (CPPA)

16. Contact Information

For questions, requests, or concerns regarding your personal data:

General Privacy Inquiries: compliance@talentapy.com

Data Subject Rights Requests: compliance@talentapy.com

Security Incidents: security@talentapy.com

Website: https://talentapy.com/privacy

Responsible Party: Talentapy, S.A.P.I. de C.V.

Response Times:

  • ARCO requests (Mexico): 20 business days
  • GDPR requests (EU): 30 days (extendable to 90 days for complex requests)
  • General inquiries: 5 business days

17. Jurisdiction-Specific Provisions

17.1 For Residents of California, USA

California Consumer Privacy Act (CCPA) Rights:

California residents have additional rights under the CCPA:

  • Right to Know: Request disclosure of personal information collected, sources, purposes, and third parties with whom it's shared
  • Right to Delete: Request deletion of personal information (subject to certain exceptions)
  • Right to Opt-Out: Opt out of the "sale" of personal information
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising CCPA rights

Important: Talentapy does not sell personal information as defined by the CCPA. We do not disclose personal information to third parties for their direct marketing purposes.

Shine the Light Law: California residents may request information about disclosures of personal information to third parties for direct marketing purposes. As we do not make such disclosures, no information will be provided in response to these requests.

To exercise these rights, contact: compliance@talentapy.com

17.2 For Residents of Nevada, USA

Nevada residents may opt out of the "sale" of certain types of personal information. Talentapy does not currently sell personal information as defined under Nevada law. However, you may submit a verified request to opt out by contacting compliance@talentapy.com, and we will record your preference for future reference.

17.3 For Residents of Canada

Canadian Privacy Rights:

Under Canadian federal and provincial privacy laws (PIPEDA, Law 25 in Quebec), you have the right to:

  • Access your personal information and learn how it's being used
  • Request correction of inaccurate information
  • Withdraw consent (subject to legal and contractual restrictions)
  • File a complaint with the Privacy Commissioner of Canada or your provincial privacy authority

For Quebec residents: Additional rights under Quebec's Law 25 include:

  • Enhanced transparency requirements for automated decision-making
  • Stricter consent standards for sensitive information
  • Right to data portability
  • Mandatory privacy impact assessments for high-risk processing

Canadian contact: compliance@talentapy.com

17.4 For Residents of the United Kingdom

UK GDPR Provisions:

The UK GDPR grants you specific rights regarding your personal data, including:

  • All GDPR rights listed in Section 9.2
  • Right to object to automated decision-making and profiling
  • Right to lodge a complaint with the Information Commissioner's Office (ICO)

Data transfers outside the UK:

We use approved mechanisms including:

  • Standard Contractual Clauses approved by the UK government
  • Adequacy decisions where applicable
  • International Data Transfer Agreements (IDTAs)

UK contact: compliance@talentapy.com

ICO: https://ico.org.uk

17.5 For Residents of Mexico

Additional LFPDPPP Information:

Mexican residents have specific rights under the LFPDPPP:

  • Revocation of consent: You may revoke consent at any time through your account settings or by contacting compliance@talentapy.com
  • Limitation of use and disclosure: Request that we limit how we use and share your data
  • Access to your data: Request a copy of your personal data in our possession

ARCO Request Process:

  1. Submit written request to compliance@talentapy.com with:
    • Your full name and contact information
    • Clear description of the right(s) you wish to exercise
    • Documents proving your identity
    • Any relevant account or reference numbers
  2. We respond within 20 business days
  3. If approved, we implement changes within 15 business days
  4. If denied, we provide legal justification

Data Transfer Notice:

When we transfer your data internationally, we ensure adequate protection through:

  • Standard Contractual Clauses
  • Binding corporate rules
  • Other legal mechanisms recognized by Mexican law

National Institute of Transparency, Access to Information and Personal Data Protection (INAI):

You have the right to file a complaint with INAI if you believe your privacy rights have been violated.

INAI website: https://home.inai.org.mx

INAI telephone: +52 55 5004 2400

Mexican contact: compliance@talentapy.com

Last Updated: March 2026

© 2026 Talentapy, S.A.P.I. de C.V. All rights reserved.