COMPREHENSIVE PRIVACY NOTICE
Last updated: May 17, 2026 Version: 2.0
1. Identity and Address of the Controller
Sentilis Platform, with registered office in Guadalajara, Jalisco, Mexico (“Sentilis” or the “Controller”), is responsible for the processing of your personal data under Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), its Regulations, the applicable Guidelines and, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, Brazil’s Lei Geral de Proteção de Dados (“LGPD”) and U.S. state privacy laws (including the CCPA/CPRA in California).
Controller / Privacy Officer contact: [email protected].
2. Personal Data We Collect
We process the following categories, obtained directly or indirectly from you:
- Identification data: name, alias, email, profile picture, date of birth (when age verification is required).
- Contact data: email and, where applicable, postal address.
- Tax and banking data: RFC or Tax ID, tax address, Tax Status Certificate, IBAN/CLABE or payment-provider account, official ID when KYC is required.
- Transactional data: purchase history, subscriptions, payouts and amounts. We do not store full card numbers; these are managed by PCI-DSS processors (Stripe, PayPal, MercadoPago).
- Account and content data: credentials (hashed), preferences, publication metadata. The body of Content lives primarily on your local device under the local-first design.
- Browsing and device data: IP address, approximate geolocation, browser fingerprint, operating system, interaction events (clicks, views, dwell time), referrer.
- Support communications: messages and attachments sent to our support channels.
Sensitive data. We do not request sensitive personal data to operate the service. If you choose to publish such data in your Content, you do so under your sole responsibility.
3. Purposes of Processing
3.1. Primary purposes (necessary for the service):
- Create and administer your account and authenticate you.
- Process international payments, recurring subscriptions and Creator payouts.
- Issue invoices and tax receipts (including CFDI where applicable) or payout receipts.
- Verify identity (KYC) and comply with fraud-prevention and anti-money-laundering (AML) obligations.
- Deliver digital content and manage community access (Prime).
- Provide technical support and user assistance.
- Comply with legal, accounting and tax obligations.
3.2. Secondary purposes (non-essential, separable):
- Usage analytics to improve the Platform experience.
- Sending newsletters and product communications.
- Improving the recommendation algorithm (with prioritization by subscriptions and chronology, as described on the Data Transparency page).
- Surveys and satisfaction studies.
You may object to secondary purposes at any time without affecting service provision, by writing to [email protected] or using the unsubscribe link in each communication.
4. Legal Bases for Processing
We process your data based on (depending on applicable jurisdiction):
- Performance of the contract (Terms and Conditions).
- Compliance with legal obligations (tax, anti-fraud, accounting retention).
- Legitimate interest in operating and improving the Platform, preventing fraud and protecting our infrastructure, balanced against the data subject’s rights.
- Consent for secondary purposes (marketing, non-essential analytics, non-essential cookies) and for sensitive data where applicable.
5. Cookies and Similar Technologies
We use cookies and equivalent technologies for authentication, security, preference memory and analytics:
- Strictly necessary: session, load balancing, security. Do not require consent.
- Functional: language or theme preferences.
- Analytics: aggregate usage measurement (via PostHog).
- Marketing: campaign attribution, only if enabled by you.
You can manage your consent from the cookie banner or your browser settings.
6. Transfers and Processors (Sub-processors)
We share strictly necessary data with processors that operate under contract and confidentiality and security obligations:
| Provider | Purpose | Primary location |
|---|---|---|
| Stripe, PayPal, MercadoPago | Payment processing and fraud prevention | US / EU / LATAM |
| PostHog | Product analytics and metrics | US / EU |
| Amazon Web Services (AWS) | Hosting and infrastructure | US / EU |
| Google Cloud Platform (GCP) | Hosting, storage and email | US / EU |
| Cloudflare | CDN, DNS and DDoS mitigation | Global |
| Transactional email providers (e.g., Postmark/Resend) | Notification and newsletter delivery | US / EU |
International transfers. By using the Platform, you acknowledge that your data may be transferred, stored or processed outside your country of residence, including Mexico, the US and the European Union. For transfers from the EU/UK we use Standard Contractual Clauses (SCCs) or equivalent mechanisms.
We do not sell personal data within the meaning of CCPA/CPRA, nor do we share it with data brokers.
7. Retention Period
We keep your data only as long as necessary to fulfill the purposes:
- Account data: while the account is active; after deletion, removed within a maximum of 30 days unless legally blocked.
- Tax and transactional data: 5 years from the operation, in accordance with Article 67 of the Federal Tax Code and equivalent rules.
- Anti-fraud and AML compliance records: up to 10 years where required by law.
- Analytics data: anonymized or aggregated after 24 months.
- Support communications: up to 24 months after ticket closure.
8. Security Measures
We implement reasonable administrative, technical and physical measures: encryption in transit (TLS 1.2+) and at rest for sensitive data, least-privilege access control, audit logging, environment separation, backups, periodic vulnerability assessments and incident response.
Breach notification. Where a breach materially affects your rights, we will notify you without undue delay and, where applicable, the competent authority (INAI, AEPD, ANPD, ICO or others) within the legal timeframes.
9. Data Subject Rights
9.1. ARCO rights and GDPR/LGPD/CCPA rights. You may exercise at any time your rights of Access, Rectification, Cancellation and Opposition (ARCO), as well as portability, restriction of processing, withdrawal of consent, the right not to be subject to solely automated decisions with significant effect, and the equivalent rights under GDPR, LGPD and US privacy laws.
9.2. How to exercise them. Send your request to [email protected] indicating: (i) your name and a means to receive a response; (ii) a document proving identity or representation; (iii) a clear description of the right to be exercised; (iv) any element that helps locate the data. We will respond within the applicable legal periods (in Mexico, up to 20 business days to issue a response and 15 business days to make it effective).
9.3. Supervisory authorities. Without prejudice to your right to contact us first, you may lodge a complaint with INAI (Mexico), the data-protection authority of your EU Member State, the ANPD (Brazil), the ICO (United Kingdom) or any other competent authority.
10. Automated Decisions
We do not make solely automated decisions with significant legal effects on you. Fraud-detection and content-moderation systems may flag cases for human review before any measure affecting you is adopted.
11. Minors
The service is not directed to children under 18 and we do not knowingly collect their data. If we learn of minors’ data collected without proper consent, we will delete it.
12. Changes to the Privacy Notice
We may update this Notice. We will publish the current version with its date and, for material changes, notify you by email or prominent in-Platform notice with at least 15 days’ advance notice. Historical versions will be available upon request.
13. Contact
- Privacy / Personal data:
[email protected] - Security / Incidents:
[email protected] - Legal:
[email protected] - Address: Guadalajara, Jalisco, Mexico