Compliance

Our LFPDPPP compliance.

Mexico's Federal Law on the Protection of Personal Data Held by Private Parties is our baseline framework. Here is how we apply it.

Context

LFPDPPP regulates the handling of personal data by private parties in Mexico. Its regulations, INAI guidelines, and regulatory criteria establish concrete obligations. nutriasoft handles sensitive patient data — so we apply a standard higher than the minimum legal requirement.

The 8 principles, applied

How we implement each principle under Article 6.

Lawfulness

We handle personal data only for legitimate purposes and under a clear legal basis (consent, contract, legal obligation).

Consent

We request explicit consent for sensitive data (clinical data) and for secondary purposes such as product communications.

Information

We provide full, simplified, and short-form privacy notices depending on the context in which data is collected.

Quality

We keep data accurate, complete, updated, and relevant. We enable correction without friction.

Purpose

We process data only for the purposes disclosed. New uses require new consent.

Fairness

We do not collect data through deceptive means or beyond the reasonable expectations of the data subject.

Proportionality

We collect the minimum data required. Nothing extra.

Accountability

We implement administrative, technical, and physical safeguards proportional to the risk.

ARCO rights and how to exercise them

Every data subject has the right to Access, Rectify, Cancel, or Oppose the processing of their data. They may also revoke previously granted consent.

  • Access: receive a copy of your data in a structured format.
  • Rectification: correct inaccurate or incomplete data.
  • Cancellation: delete your data when it is no longer necessary for the disclosed purposes.
  • Opposition: stop processing for a specific legitimate reason.

Exercise any of these rights by writing to privacidad@nutriasoft.com. We respond within 20 business days.

Transfers and processors

Every processor (hosting, payments, email) signs a DPA with clauses equivalent to those required by regulation. International transfers (U.S.) are covered under the Data Privacy Framework and standard clauses.

Security measures

  • Administrative: internal policies, annual team training, confidentiality agreements.
  • Technical: encryption in transit (TLS 1.3) and at rest (AES-256), role-based access control, workspace segregation, immutable audit logs.
  • Physical: data centers operated by providers that apply industry-standard physical controls (restricted access, power and network redundancy).

We maintain an incident response plan with notification to affected data subjects within 72 hours of detection, in line with Article 64 of the regulation.

Official data privacy contact

Head of the personal data department: Miguel Ángel Careaga Gómez, on behalf of Codemach (codemach.dev).
Email: privacidad@nutriasoft.com
Remote operation from Mexico.

You may file complaints with the National Institute for Transparency, Access to Information, and Personal Data Protection (INAI): home.inai.org.mx.

Need a signed DPA?

For clinics that require it for internal compliance, we sign it in under 48h.
