Privacy Policy

PRIVACY POLICY I. DATA CONTROLLER 

Wispok Capital, S.A.P.I. de C.V. (hereinafter referred to as “Wispok”), with its registered address at Real de Acueducto 335, Office 1801-01, Col. Real Acueducto, Zip Code 45058, Zapopan, Jalisco, is the legal entity responsible for processing the personal data that you, in your capacity as the data subject, freely and voluntarily provide through any physical, electronic, optical, sound, visual, or other technological means, such as postal mail, internet, or telephone, made available by Wispok, in accordance with the provisions of the Federal Law on Protection of Personal Data Held by Private Parties (hereinafter referred to as the “Law”), its Regulations, and other applicable provisions. 

Wispok is a company that operates as a payment aggregator, dedicated to the implementation of technological solutions for smart and secure collection through the CoDi® system, authorized by the Bank of Mexico, as well as through the use of physical point-of-sale terminals (POS) that allow for secure and in-person payment transactions. 

In accordance with its business model, Wispok may share and transfer personal data to its affiliates, subsidiaries, parent or controlling companies, and business partners, provided that such entities belong to the same corporate group and adopt security policies and measures equivalent to those established in this Privacy Notice. Under no circumstances will personal data be transferred without the data subject’s consent, except in legally exempted cases. 

Please take the time to read this Privacy Notice carefully, as it contains important information particularly directed at customers and users of Wispok’s services. The purpose of this Privacy Notice is to clearly and precisely inform the data subject about Wispok’s practices regarding the collection, use, storage, handling, utilization, transfer, and eventual disposal of their personal data, as well as the security measures implemented for their proper protection, and the mechanisms available for the exercise of their rights of access, rectification, cancellation, and opposition (hereinafter, “ARCO Rights”), the revocation of consent granted, or the limitation of the use and disclosure of their information. 

Wispok guarantees that the processing of personal data will always be carried out under the principles of lawfulness, purpose, loyalty, consent, quality, proportionality, information, and accountability. Wispok shall refrain from collecting or processing personal data through deceptive, fraudulent, or disproportionate means, prioritizing the data subject’s reasonable expectation of privacy. 

In the event that the data subject considers that Wispok has infringed their rights in relation to personal data protection, they may at any time submit a request to exercise their ARCO rights through the channels and procedure indicated in this Notice. Likewise, the data subject may contact the Secretariat for Anti-Corruption and Good Governance, the competent authority for the protection of personal data in the private sector, to request the protection of their rights.

II. HOW DOES WISPOK COLLECT PERSONAL DATA?

Wispok collects personal data: 

  • Directly (in person or through electronic, optical, sound, visual, telephone, or internet-based means). 
  • Indirectly (from publicly accessible sources or through permitted data transfers). 

III. PERSONAL DATA SUBJECT TO PROCESSING

Wispok informs data subjects that, for the fulfillment of the purposes described in this Privacy Notice, it will collect and process the personal data detailed below, in accordance with the principles of lawfulness, purpose, loyalty, consent, quality, proportionality, information, and accountability established in the Law. 

A. Personal data of job applicants and employees

  1. Identification data 
  2. Authentication data 
  3. Contact data 
  4. Academic data 
  5. Employment data 
  6. Financial and asset data 
  7. Legal data 

Wispok will not process sensitive personal data; if necessary, express consent will be obtained in advance under the terms required by the Law. 

With respect to the processing of financial and asset data of employees and job applicants, Wispok will obtain the data subject’s express consent through their handwritten signature at the time of signing the individual employment contract or, as applicable, the corresponding recruitment process document.

B. Personal data of affiliated merchants and users who carry out transactions through point-of-sale terminals and/or remotely conducted operations

  1. Identification data 
  2. Authentication data 
  3. Contact data 
  4. Financial and asset data 
  5. Geolocation information 
  6. Service usage data 
  7. Device data used to access the services 

With regard to geolocation information, this refers to data that allows the holder to be located with a reasonable degree of accuracy through coordinates, GPS signals, cellular triangulation, Wi-Fi, or other similar technologies. If the holder does not authorize access to their geolocation, some services may not function properly. 

Wispok will not process sensitive personal data; if such processing becomes necessary, the holder’s prior express consent will be obtained under the terms required by the Law. 

As for the processing of financial and asset data, consent is obtained through the holder’s express acceptance via the digital mechanism known as a “Click-Wrap Agreement,” enabled on the Wispok platform, through which the holder declares having read and accepted the terms of this Privacy Notice.

C. Personal Data of Suppliers

  1. Identification data. 
  2. Authentication data. 
  3. Contact data. 
  4. Financial and asset data. 

Wispok will not process sensitive personal data; if such processing becomes necessary, the holder’s prior express consent will be obtained under the terms required by the Law. 

As for the processing of financial and asset data, consent will be obtained through handwritten signature, electronic signature, or any other valid authentication mechanism established at the time of signing the corresponding contract. 

IV. PURPOSES OF DATA PROCESSING

The primary purpose of Wispok’s processing of personal data is to comply with contractual, administrative, tax, and legal obligations arising from its relationship with the data subject. The purposes are grouped according to the category of the data subject: 

A. Job Applicants and Employees 

Primary Purposes for Job Applicants 

  • To evaluate the data subject’s profile in order to verify and validate its match with the characteristics and requirements of the vacancy. 
  • To identify the data subject’s skills and competencies to verify full alignment with the job profile. 
  • To conduct a background check to verify the information provided by the data subject. 
  • To coordinate schedules in order to arrange and conduct an interview to assess the data subject’s suitability for the vacancy. 
  • To contact the data subject by any means for the purpose of following up on the recruitment process. 
  • To prepare an assessment report to determine the data subject’s viability as a candidate.
  • In the event that the data subject does not continue with the recruitment process, to refer the data subject to a different vacancy, or to store their information in Wispok’s databases for future job opportunities. 

Primary Purposes for Employees 

  • To authenticate the identity of the Data Subject and open a file in their name for the purposes of retention, identification, consultation, and analysis of information, as well as to comply with legal provisions and potential requirements from competent authorities or regulatory bodies. 
  • To carry out and coordinate the necessary registration, cancellation, modification, and disability procedures before public institutions to which Wispok is legally obligated. 
  • To structure and plan all measures or actions necessary to implement Wispok’s projects and programs. 
  • To assign the Data Subject the tools and work resources required for the performance of their job duties. 
  • To coordinate the payment of salary and benefits corresponding to the Data Subject. 
  • To evaluate the performance and development of the Data Subject in the exercise of their duties. 
  • To make available to the Data Subject the necessary documentation to become part of Wispok’s team of collaborators for their proper review, understanding, and signature. 
  • To generate and update organizational charts. 
  • Purposes for the Processing of Sensitive Personal Data of Job Applicants and Employees 
  • No sensitive personal data are collected from Job Applicants. 
  • Sensitive personal data are collected from Employees solely to allow their access to Wispok’s facilities, and such data are obtained with the express consent of the Data Subject. 

Secondary Purposes for Job Applicants 

  • To contact the Data Subject in order to notify them about the Processing and status of their Personal Data, as well as about changes to this Privacy Notice. 
  • To send information from Wispok, such as newsletters, and invitations to courses or seminars. 
  • To send promotional and advertising information from Wispok, as well as information about its services or products, which may be sent through any contact method provided by the Job Applicant, including instant messaging platforms (opt-in). 
  • To use personal data for statistical purposes. 

Secondary Purposes for Employees 

  • To contact the Data Subject in order to notify them about the Processing and status of their Personal Data, as well as about changes to this Privacy Notice.
  • To send information from Wispok, such as newsletters and invitations to courses or seminars. 
  • To send promotional and advertising information from Wispok, as well as information about its services or products, which may be sent through any contact method provided by the Employee, including instant messaging platforms (opt-in). 
  • To use personal data for statistical purposes. 
  • To take photographs and videos for Wispok’s promotional and advertising purposes. 

B. Purposes for Affiliated Merchants and Users 

Primary Purposes. 

  • Contact the data subject to address any matter related to the services provided by Wispok. 
  • For the administration of the data subject’s account on Wispok’s application or website. 
  • To comply with collection orders on behalf and in the name of the data subject by Wispok. 
  • Collection processes for the services provided by the data subject. 
  • Manage payment processes in favor of the data subject. 
  • Compliance with legal, administrative, commercial, and tax obligations. 
  • Establishment of databases. 
  • Development of new products and services. 
  • Improvement of products and services. 
  • Analysis and development of Wispok services, as well as their use. 
  • Respond to any ARCO rights request, revocation, or limitation of consent submitted by the data subject. 
  • Respond to any inquiry from the data subject. 
  • Respond to legal requirements from competent authorities. 
  • For the administration of Wispok’s own business, including statistical analysis. 
  • Authenticate the identity of the Data Subject. 
  • Creation, integration, analysis, updating, and preservation of the Data Subject’s file, for the fulfillment of the relationship that Wispok has with the Data Subject, including the execution of future transactions. 
  • Contact the Data Subject in order to manage and follow up on their requests for products or services. 
  • Register/affiliate the Data Subject with the various acquirers with whom Wispok maintains a relationship. 
  • Contact the Data Subject to clarify and follow up on acquired products, payments, and/or any inconvenience in the provision of services. 
  • Record in Wispok’s accounting and administrative systems the data collected from the Data Subject, the products and services provided to them, and the related payments. 
  • Issue and preserve for up to 10 (ten) years the invoices issued, derived from the contracted services or products. 
  • Send the Data Subject receipts, transaction information, payments, and invoices. 
  • Facilitate the sending of the payment receipt or proof to the Data Subject through the affiliated merchant, using electronic means such as email or instant messaging.
  • Compliance with Wispok’s legal obligation
Secondary purposes
 
  • Contact the Data Subject in order to notify them of website updates, reports on the Processing and status of their Personal Data, as well as changes to this Privacy Notice or to the published Terms and Conditions. 
  • Generate a profile for marketing, advertising, or commercial prospecting purposes. 
  • Send promotional and advertising information about the services, products, and business lines of Wispok and/or its business partners, which may be sent through any contact method provided, including instant messaging platforms (opt-in). 
  • Provide advice, marketing, promotion, contracting, and placement of complementary services and products. 
  • Inform the Data Subject about the range of new products and services, as well as benefits, discounts, and promotions. 
  • Conduct market research on the use of Wispok’s services. 
  • General advertising derived from the products and services offered by Wispok. 
  • Advertising campaigns, promotions, and loyalty programs. 
  • Conduct post-sale surveys and satisfaction level surveys. 
  • Share the Data Subject’s contact information with the affiliated merchant in order to update their records regarding the transaction carried out through the use of Wispok’s services. 
  • Allow the affiliated merchant to establish communication with the Data Subject in order to promote the recurring use of the digital payment channel. 
  • Request or verify the Data Subject’s contact or transactional information for purposes of fraud prevention, monitoring of suspicious operations, or identity verification. 
  • Wispok will process your personal data only for as long as necessary to fulfill the purposes described in this Privacy Notice and in accordance with the applicable legal provisions. 
 
C. Purposes for Providers 
 
Primary purposes. 
 
  • Authenticate the identity of the Data Subject. 
  • Register the Data Subject in Wispok’s systems. 
  • Carry out the contracting of services and/or products. 
  • Draft contracts and documentation related to the commercial relationship between Wispok and the Data Subject. 
  • Payment of consideration and compliance with tax obligations. 
  • Send the Data Subject receipts, transaction information, payments, and invoices. Secondary purposes. 
  • Contact the Data Subject to notify them of website updates, reports on the Processing and status of their Personal Data, as well as changes to this Privacy Notice. 
  • Send offers for Wispok’s products and services, which may be delivered through any contact method provided by the Provider, including instant messaging platforms (opt-in).
 
Without prejudice to the above, under no circumstances does Wispok process personal data considered sensitive; in the event that the processing of sensitive personal data becomes necessary, Wispok will obtain your express consent prior to such processing. 
 
The personal data collected by Wispok will be managed in physical or electronic documents, with security measures in place for their protection, handled responsibly and confidentially, and their disclosure is prohibited except as stated in this Privacy Notice and in accordance with the Law, as well as to fulfill administrative needs for your benefit. 
 

V. MECHANISMS TO EXPRESS REFUSAL FOR THE PROCESSING OF DATA FOR SECONDARY PURPOSES

The data subject may, at any time, express their refusal to the processing of their personal data for purposes that are not necessary for the legal relationship with Wispok. 

Submission channel: 

Minimum content of the request: 

  1. Full name of the data subject. 
  2. Means for receiving notifications (email address). 
  3. Information allowing identification of the relationship with Wispok. 
  4. The secondary purpose(s) for which the data subject wishes to express their refusal. 
  5. A clear and legible copy of a valid official identification to verify their identity (attached to the email). 
  6. If the request is not submitted personally by the data subject, the person acting on their behalf must prove their authority through a public instrument or a power of attorney signed before two witnesses, along with valid official identifications of both the data subject and the representative. 

Once the complete request is received, Wispok will respond to the data subject within a maximum period of 10 (ten) business days, confirming that the request has been addressed and, if applicable, executing the corresponding actions to exclude the data subject from the indicated activities. 

The exercise of this right will not affect the processing of personal data necessary for the provision of contracted services, nor will it result in the termination of the legal relationship with Wispok. The refusal will take effect from the moment its implementation is confirmed, without retroactive effect. 

VI. TRANSFER OF PERSONAL DATA

Wispok will not carry out transfers of your Personal Data to third parties, except for those listed in Article 36 of the Law, which do not require the data subject’s consent. These transfers will be made exclusively in the following cases: 

 

RECIPIENT THIRD PARTY 

PURPOSE 

CONSENT

Companies within the same corporate group, whether domestic or foreign.

Fulfillment of the primary and secondary purposes set forth in this Privacy Notice.

Not required.

Administrative and/or judicial authorities. 

Compliance with legal obligations or official requests.

Not required.

Service providers or recipients for the fulfillment of legal obligations acquired by Wispok or by anyof Wispok’s affiliated and subsidiary companies.

Execution of contractual, regulatory, or 

administrative processes necessary to fulfill 

purposes.

Not required.

Third-party providers or recipients of services forresearch, data analysis, delivery of information tailored to the data subject’s needs, and the performance of other financial services required or requested by the data subject.

Management and handling of procedures. Fulfillment of the primary and 

secondary purposes set forth in this Privacy Notice.

Not required.

Financial entities and payment systems. 

Fulfillment of primary purposes and compliance with tax and banking obligations.

Not required.

Insurance brokers. 

Management of medical and life insurance.

Not required.

Business partners with whom Wispok or any affiliated companies enter into agreements or contracts aimed at developing new products 

and/or services tailored to user needs and research.

Administrative 

management and 

operational functioning.

Not required.

Affiliated merchants to whom the Data Subject makes payments through the use of Wispok’s services.

Sending of payment 

receipts, updating records, and follow-up on the transaction.

Required.

 

Wispok will ensure, through the execution of agreements and the adoption of other binding documents, that such third parties maintain appropriate administrative, technical, and physical security measures to safeguard your personal data, and that said third parties use your personal data solely for the purposes for which they were collected, in accordance with this Privacy Notice.
 
If you wish to object to any of these transfers of your personal data, please refer to the sections: “How can I exercise ARCO rights?” and “Means and Procedure for Revocation or Limitation of Consent” of this Privacy Notice. If no express objection is made, it will be understood that the data subject consents to the transfer of their personal data as provided herein. 
 
In cases where the affiliated merchant acts as a data processor of Wispok, pursuant to Article 49 of the Regulations of the Federal Law on the Protection of Personal Data Held by Private Parties, the data of the Data Subject may be transferred without requiring consent, provided that compliance with Wispok’s conditions is guaranteed, and that the data is not used for other purposes nor shared with third parties. In cases where the merchant acts as a third-party recipient, the express consent of the data subject will be requested through the mechanisms provided, such as visible checkboxes at the time of the transaction. 
 

VII. PROTECTION OF PERSONAL DATA

Wispok states that it has adopted and maintains appropriate administrative, technical, and physical security measures to protect the personal data in its possession, in order to prevent loss, misuse, unauthorized access, alteration, or destruction. 

These measures include, but are not limited to, the following: 

  • Internal personal data protection policies. 
  • Physical and digital access controls. 
  • Incident and security breach response protocols. 
  • Data encryption. 

VIII. PERSON RESPONSIBLE FOR HANDLING PERSONAL DATA REQUESTS

If the Data Subject wishes to revoke their consent, limit the use and disclosure of their information, or Access, Rectify, Cancel, or Oppose the Processing of their Personal Data, they must do so through the department designated by WISPOK, whose contact details are provided belo 

  • Responsible Department: Wispok’s Personal Data Protection Department 
  • Contact email: privacidad@wispok.com 

Wispok guarantees that every request will be received, recorded, addressed, and resolved within the timeframes and terms established by applicable regulations and this Privacy Notice, in accordance with the principles of lawfulness, purpose, loyalty, consent, quality, proportionality, information, and accountability. 

IX. EXERCISE OF ARCO RIGHTS

What Are ARCO Rights?

ARCO Rights are the rights granted by law to every individual who is the owner of personal data, allowing them to exercise effective control over the use and processing of their information by data controllers. These rights are as follows: 

  • Access: The right to know whether Wispok processes personal data belonging to the data subject. 
  • Rectification: The right to request the correction or updating of personal data when it is inaccurate, incomplete, or outdated. 
  • Cancellation: The right to request the deletion of personal data when the data subject believes it is not being processed in accordance with the principles, duties, and obligations established by law. 
  • Opposition: The right to object to the processing of personal data for legitimate and specific reasons. 

Wispok has implemented appropriate physical, administrative, and technological security measures to safeguard the personal data in its possession, ensuring its integrity, confidentiality, and availability, in accordance with the provisions of Article 18 of the Law. 

If the data subject believes that any of their rights have been violated, or that Wispok has not properly addressed a request related to the exercise of ARCO Rights, they may file a complaint with the Secretariat of Anti-Corruption and Good Governance. 

 

How to Exercise Them 

In accordance with Articles 27 to 34 of the Law, the data subject or their duly authorized legal representative may exercise their ARCO Rights at any time with respect to the processing of their personal data by Wispok. 

Submission channel: 

Minimum content of the request: 
  1. Full name of the data subject. 
  2. Means for receiving notifications (email address). 
  3. Documents proving the identity of the data subject or, if the request is submitted by someone else, documents proving their legal representation, including a public deed or power of attorney signed before two witnesses, along with valid official identifications of both the data subject and the representative. 
  4. Clear and precise description of the personal data related to the ARCO right being exercised, except in the case of the right of access. 
  5. Indication of the specific ARCO right to be exercised. 
  6. Any other document or information that may help locate the personal data. 7. In the case of a rectification request, the modifications to be made must be indicated and supporting documentation must be attached.
Once the request is received, Wispok will send an acknowledgment of receipt to the data subject via email. 
  • Within a maximum period of 20 (twenty) business days from the date of complete receipt of the request, Wispok will issue a reasoned response, informing the data subject whether the request is admissible or not. 
  • If the request is deemed admissible, Wispok will carry out the requested measure within an additional period of 15 (fifteen) business days from the date the response is sent. 
  • In the case of access requests, the delivery of data will be made upon verification of identity, either through physical copies or via the email address provided by the data subject. 

The Data Subject should consider that, in order to have sufficient elements to address the request, Wispok may request additional information within 5 (five) business days following receipt of the request. From the date of Wispok’s request, the Data Subject will have a period of 10 (ten) business days to respond. In such cases, the 20 (twenty) business day period mentioned above will begin on the business day following the date on which the Data Subject complies with Wispok’s request. 

When the exercise of the right to object is deemed appropriate, Wispok will cease processing the personal data as of the business day following the notification of the favorable resolution to the data subject, unless a legal or contractual obligation prevents it. 
 
X. MEANS AND PROCEDURE TO LIMIT THE USE OR DISCLOSURE OF PERSONAL DATA 
 
The data subject may, at any time and for any reason, revoke or limit the consent previously granted to Wispok for the processing of their personal data, in accordance with the provisions of Article 7, sixth paragraph of the Law. 
 
It is important to note that the revocation or limitation of consent will not have retroactive effects and, in certain cases, may result in the inability to continue providing services or granting access to contracted products when the processing of data is essential for such purposes. 
 
Submission channel: 
Minimum content of the request: 
  1. Full name of the data subject. 
  2. Product or service with respect to which they wish to revoke or limit consent. 
  3. Reasons supporting the request (optional, for service improvement purposes). 
  4. Date from which the revocation or limitation should take effect. 
  5. A clear and legible copy of a valid official identification proving their identity (attached to the email).
  6. If the request is not submitted personally by the data subject, the person acting on their behalf must prove their authority through a public instrument or a power of attorney signed before two witnesses, along with valid official identifications of both the data subject and the representative. 
Wispok will respond to your request via email within a period of 20 (twenty) business days from the date it was received. This period will only apply provided that Wispok has sufficient information to process the request, in accordance with the following paragraph. 
 
If the request does not meet the aforementioned requirements, Wispok may request, within 5 (five) business days following receipt, any additional information or documentation necessary to process it. From the date of Wispok’s request, the Data Subject will have a period of 10 (ten) business days to correct the omission; in such case, the 20 (twenty) business day period mentioned above will begin on the business day following the date on which the Data Subject responds to Wispok’s request. 
 
XI. USE OF COOKIES AND SIMILAR TECHNOLOGIES 
 
Wispok informs that, while browsing its website, cookies and other similar technologies are used to enhance user experience, analyze usage patterns, and enable the technical functionality of the site. 
 
Cookies are text files that are automatically downloaded and stored on the user’s device when they access the website. These files allow the identification of the user’s browser during future visits and facilitate the collection of data such as IP address, browser type, operating system, preferred language, date and time of access, visit duration, sections viewed, and searches performed. 
 
Virtually all websites use cookies, and many are essential for the proper functioning of various services and features, such as purchasing or registration services or connecting to social networks. If you use a medium or low security setting that allows the automatic installation of cookies when browsing our website, we will consider that you tacitly consent to their installation. On the other hand, if your browser is already configured not to accept cookies by default, our website may not function correctly. If you do not agree with the use of this technology, please disable cookies in your browser or refrain from using Wispok’s website. 
 
The data subject has the right at any time to enable or disable cookies on the website www.wispok.com. To deactivate or reactivate them, the user can do so through the browser used to access the website. Below is information on how to enable and disable cookies in the main web browsers: 
  1. If you use Microsoft Edge, go to the menu option Settings > Cookies and site permissions. 
  2. If you use Firefox, go to Tools > Options > Privacy & Security > Cookies. 
  3. If you use Google Chrome, go to Settings > Privacy and security. 
  4. If you use Safari, go to Preferences > Security.
If your browser is not listed above, please refer to its “Help” section for instructions on how to modify the settings. Keep in mind that blocking or limiting cookies may cause some features of the website www.wispok.com to not function properly or become more difficult or slower to access. 
 
An alternative to blocking cookies is enabling your browser’s private browsing mode. This mode allows you to browse websites without storing them in the browser’s history, cookie storage, or search history once all incognito tabs are closed. For more information, Wispok recommends consulting your browser’s help section. 
 
To object to the processing of your personal data in connection with any of the purposes described, please refer to the section: “Mechanisms to express refusal for the processing of data for secondary purposes” in this Privacy Notice. If you do not express your refusal, it will be considered as a clear indication of your consent to the processing of your personal data in accordance with the described purposes. 
 
XII. CHANGES TO THE PRIVACY NOTICE 
 
Wispok reserves the right to modify, update, supplement, or replace the content of this Privacy Notice at any time, in order to reflect changes in its internal practices, legislative, regulatory, or judicial amendments, or new provisions issued by competent authorities in matters of personal data protection. 
 
All modifications will be made in strict compliance with the Law, its Regulations, and other applicable provisions, ensuring at all times that the principles of personal data protection and the rights of the data subject are duly respected. 
Wispok will inform data subjects of such modifications through any of the following means: 
 
I. Publication on its official website https://www.wispok.com/aviso-de-privacidad/, where the updated version will be available along with the date of the last revision; 
II. By informational message or notice sent to the email address provided by the data subject, in the event of substantial changes that alter the purpose of the processing, the type of data collected, or affect the essential conditions of the granted consent. 
 
The data subject may consult the current content of the Privacy Notice at any time on the aforementioned website. Any modification will take effect from the date of its publication and/or notification as stated above. 
 

(LAST UPDATED: MAY 13, 2025)