Comprehensive Privacy Notice

Company: MIIA Platform and Nqual5 Services

Data Controller: Nqual5 S. de R.L. de C.V. (hereinafter, "Nqual5" or "NQUAL5")

Address: Aguascalientes, Mexico

Privacy email: privacidad@mi-ia.ai

Website: https://www.mi-ia.ai

Last Updated: 01/30/2026

---

1. Introduction

At Nqual5, we recognize the importance of privacy and personal data protection. Our commitment is to ensure that the information entrusted to us by users, customers, and third parties is handled securely, responsibly, and in accordance with applicable Mexican law, including the Federal Law on Protection of Personal Data Held by Private Parties and its secondary regulations. Where applicable based on the data subject's location or context, we may apply relevant international frameworks such as the General Data Protection Regulation (GDPR) and applicable provisions in other jurisdictions (e.g., CCPA/CPRA), to the extent they are enforceable.

The purpose of this Privacy Notice is to explain:

• What personal data we collect and, where applicable, the legal basis that allows its processing (consent, contractual relationship, legal obligation, or legitimate interest).

• How we use and protect that information.

• What rights you have as a data subject and how you can exercise them.

• Under what conditions information is shared with third parties and what measures we apply.

Our MIIA platform and related services integrate with different communication channels (for example, Facebook, Instagram, WhatsApp, and others), enabling automated interaction, report generation, campaign execution, and intelligent conversation management. By using these services, users may send, receive, and analyze information that may include personal data; therefore, protecting such information is a priority for us.

2. Identity and Address of the Data Controller

The data controller responsible for processing your personal data is Nqual5 S. de R.L. de C.V., a company incorporated under the laws of the United Mexican States.

• Address: Aguascalientes, Mexico.

• Privacy responsible area: Nqual5 Legal Department.

• Official privacy email: privacidad@mi-ia.ai

In jurisdictions that require the appointment of a Data Protection Officer (DPO) or representative, Nqual5 will implement what is necessary where applicable and will communicate it through this notice or by appropriate means.

3. Personal Data We Collect

At Nqual5, we collect and process personal data necessary for operating and improving our services (MIIA) and related functionalities. The types of data we may collect include:

3.1 Account and registration data

• Full name or corporate name (as applicable).

• Email address.

• Phone number.

• Access credentials (e.g., tokens/sessions; not passwords in plain text).

• Billing information.

Payments: when external payment processors are used, Nqual5 does not store complete card data (for example, full card number or security code). We may retain limited information for reconciliation and billing (for example, transaction reference, method type, last digits when enabled by the provider).

3.2 User-generated content and communications

• Text messages, images, audios, videos, files, and other content sent or received through channel integrations (Facebook, Instagram, WhatsApp, or others).

• Information voluntarily included by users during conversations or flows (for example, contact details, payment references, or other data provided).

3.3 Technical and usage data

• IP address, approximate location, device type, browser, and operating system.

• Connection date and time, feature usage, technical identifiers, and activity logs.

3.4 Financial data shared between users

If users share financial information in conversations (for example, payment references), such information will be handled with appropriate security measures. We recommend that users avoid sharing unnecessary sensitive or financial data through channels not designed for that purpose.

3.5 Processing of sensitive data

Our platform is not designed to collect sensitive personal data (for example, health, religious beliefs, political opinions, union membership, biometric data, or other protected categories). However, due to the conversational nature of the service, users or their end customers may voluntarily share such information.

If we receive sensitive data:

• It will be processed only to fulfill the specific purpose for which it was provided or to deliver the requested service.

• Enhanced security measures will be applied.

• It will not be used for marketing.

• It will be deleted or anonymized when it is no longer necessary, where applicable under the law, and considering possible limited retention periods in backups.

Purposes of Processing (Primary and Secondary)

Personal data are used to provide a secure, efficient, and personalized service.

4.1 Primary purposes (necessary for the service)

Service provision

• Provide access to the MIIA platform and enable account management.

• Enable automated interaction with customers through integrated channels.

• Process and respond to conversations, including analysis of messages, audios, images, and other data.

Support, operations, and continuity

• Handle requests, technical support, and diagnostics.

• Maintain, administer, and operate the platform (including logs and operational metrics).

Security and fraud/abuse prevention

• Detect anomalous activity, prevent fraud or misuse.

• Protect the integrity of systems, users, and third parties.

Legal compliance

• Comply with legal obligations and requirements from competent authorities.

4.2 Secondary purposes (optional)

These purposes are not essential to provide the service:

Marketing and commercial communications

• Send commercial communications or campaigns related to products/services, when required by applicable law and/or user preferences.

Improvement and advanced analytics

• Analyze usage and performance trends to optimize functionality and experience.

Research and improvement of AI models (where applicable)

• Use data in an anonymized or aggregated manner for internal research and technological improvement.

• When use requires or involves non-anonymized content, it will be carried out under strict controls and as indicated in Section 9 (objection/opt-out).

Objection to secondary purposes: the data subject or user may object to these purposes by writing to privacidad@mi-ia.ai. Refusal of secondary purposes will not affect the provision of the service.

5.Legal Bases for Processing (where applicable)

Depending on the nature of the data and the purpose, Nqual5 may process personal data based on:

• Contractual relationship and service provision (for example, access, operation, support).

• Consent (for example, commercial communications when required by law).

• Legal obligation (for example, tax/accounting retention or authority requirements).

• Legitimate interest (for example, security, fraud prevention, platform protection), applying measures to respect the data subject's rights.

6. Data Retention

Nqual5 retains personal data only for as long as necessary to fulfill purposes and legal obligations.

6.1 General timeframes (for reference)

• Account and registration data: while the account or contractual relationship exists, and thereafter for the time necessary to meet legal obligations or address claims.

• Conversations and content: as long as necessary to provide the service, support, or platform configuration, or according to retention configured or required by the User; thereafter they may be deleted or anonymized.

• Technical and security records (logs): for reasonable periods for operations, auditing, and security.

• Billing and tax receipts: for the periods required by applicable tax regulations.

6.2 Backups and deletion

Once the applicable retention period ends or a valid request is fulfilled, data are securely deleted or anonymized. Some data may remain temporarily in backup copies for limited periods, after which they are deleted or overwritten according to backup cycles.

6.3 Anonymized data

In some cases, information may be retained in anonymized or aggregated form for statistical purposes, internal research, or technological improvement, with no reasonable possibility of identifying the data subject.

Data Transfers and Disclosure

Nqual5 protects the confidentiality of information and only shares data when necessary to provide the service or comply with legal obligations.

7.1. Recipients

• Integrated platforms (channels): messaging services and social networks (for example, Facebook, Instagram, WhatsApp) to enable the communication requested by the user.

• Infrastructure providers: cloud, storage, and processing services (for example, DigitalOcean, AWS, Google Cloud, Firebase, or others), which act as processors and are subject to contractual security and confidentiality obligations.

• Support and analytics: providers that help maintain, diagnose, and improve the platform, with limited access and under confidentiality obligations.

7.2. International transfers

Due to the global nature of the service, some data may be processed on servers outside Mexico. In such cases:

• Contractual agreements and reasonable measures are established to ensure an adequate level of protection.

• Where applicable (for example, transfers under GDPR), recognized mechanisms such as Standard Contractual Clauses or other equivalent instruments will be used.

7.3. Competent authorities

We may disclose information when required by law or when necessary to:

• Comply with legal or regulatory processes.

• Protect and defend the rights, property, or security of Nqual5, users, or the public.

• Investigate or prevent illegal activities or fraud.

7.4 No sale of data

Nqual5 does not sell or commercialize personal data. Where regulations such as CCPA/CPRA apply, Nqual5 states that it does not "sell" or "share" personal data as defined by those laws, unless the applicable framework requires additional notice or specific mechanisms.

Data Subject Rights (ARCO and equivalents)

Nqual5 respects and facilitates the exercise of rights in accordance with applicable law.

8.1. ARCO Rights (Mexico)

• Access: learn what data we process, their source, and purposes.

• Rectification: correct inaccurate or incomplete information.

• Cancellation: request deletion where applicable.

• Objection: object to processing for specific purposes, where permitted by law.

8.2. Additional rights (where applicable)

• Data portability (e.g., GDPR).

• Restriction of processing (e.g., GDPR).

• Withdrawal of consent (without retroactive effects).

• Additional preferences or options in other jurisdictions.

8.3. Procedure

To exercise rights, send a request to privacidad@mi-ia.ai. The request must include:

• Full name and contact method.

• A clear description of the right to be exercised and, where applicable, the data involved.

• Documentation to verify identity (and, if applicable, legal representation by power of attorney/letter).

If the request is incomplete, additional information may be required to process it.

8.4. Timeframes

• Response: up to 20 business days from receipt of a complete request.

• Implementation: if applicable, up to 15 business days after the response, in accordance with applicable regulations.

8.5. Complaint to authorities

If you believe your request was not properly addressed, you may contact the competent authority (for example, INAI in Mexico) or the applicable data protection authority in your jurisdiction.

Automated Processing and Artificial Intelligence (MIIA)

MIIA uses artificial intelligence algorithms to generate responses, reports, and automations requested by the user.

• The user is responsible for reviewing generated content before using it in critical decisions.

• Nqual5 does not guarantee absolute accuracy of generated content.

9.1. Model improvement/training and objection (opt-out)

When Nqual5 uses information for internal research or technological improvement, it will seek to do so in an anonymized and aggregated manner. If the user wishes to object to the use of their content for training/improvement purposes, they may request this at privacidad@mi-ia.ai. In that case, Nqual5 will not use such content for those purposes, without affecting service provision (although it may still be processed for operations, security, support, and legal compliance).

Cookies and Similar Technologies

The platform may use cookies and similar technologies to improve the experience, enable functionalities, and analyze usage trends.

Types of cookies (for reference):

• Essential: login, security, basic operation.

• Preferences: language, region, or options.

• Analytics: usage and performance measurement.

• Third parties: when external analytics tools or integrations are used.

Control: users can manage cookies through their browser and, when enabled, through a banner/preference center. Disabling essential cookies may affect the platform's operation.

Security and Incident Management

Nqual5 implements technical, administrative, and organizational measures designed to protect data against loss, misuse, unauthorized access, disclosure, alteration, or destruction.

11.1. Technical measures

• Encryption in transit (for example, TLS) and, where appropriate, encryption at rest.

• Access controls, firewalls, monitoring, and activity logs.

• Backup and recovery protocols to ensure operational continuity.

11.2. Administrative and organizational measures

• Internal privacy and security policies for staff and collaborators.

• Role-based access control (least privilege).

• Ongoing training in data protection and cybersecurity.

11.3. Security incidents

In the event of a breach that compromises personal data, Nqual5 commits to:

• Assess the scope of the incident and immediately mitigate risks.

• Notify affected data subjects without undue delay and, when required by law, notify the competent authority within applicable deadlines (including 72 hours where required under GDPR).

• Document the incident and corrective actions.

No system is completely secure; we recommend that users use strong passwords and avoid sharing unnecessary sensitive information.

12. Privacy Roles (Controller / Processor) and "End Customer" Data

12.1. User data (account, billing, usage)

With respect to User data (account administration, billing, and platform usage), Nqual5 acts as the data controller.

12.2. End customers of the User (contacts who converse with MIIA)

When the User uses MIIA to interact with end customers (for example, contacts on WhatsApp/Instagram/Facebook), the User typically acts as the data controller for those data, and Nqual5 acts as the processor when handling them on the User's behalf to provide the service.

The User represents and warrants that they have the necessary legal basis (consent, notice, contractual relationship, or other applicable basis) for Nqual5 to process those data as a processor, and that they have informed their end customers in accordance with applicable regulations.

13. Processing of Minors' Data

Our services are not deliberately directed at minors. We do not intentionally collect personal data from individuals under 18 years of age without an applicable legal basis (for example, verifiable consent from parents or guardians when required by regulations).

If we detect that data from a minor have been collected without the appropriate consent or legal basis, we will delete them or restrict processing in accordance with the law and notify where possible.

14. International Scope and Applicable Law

The services may be available in multiple countries. The user is responsible for ensuring that their use of the platform complies with the regulations of their jurisdiction, especially regarding automated communications and privacy.

This Notice is governed by the laws of the United Mexican States, without prejudice to the application of mandatory rules of other jurisdictions where applicable.

This Notice is initially made available in Spanish; in the event of discrepancies with translations, the Spanish version will prevail.

15. Changes to the Privacy Notice

Nqual5 may update this Notice to reflect changes in practices, laws, or services. Modifications will be published with a visible updated date.

If changes materially affect processing, Nqual5 will notify through available means (for example, email or notices within the platform) and, where applicable, will request additional consent if required by regulations.

16. Contact

For questions or requests related to privacy:

• Email: privacidad@mi-ia.ai

• Address: Aguascalientes, Mexico.

Nqual5 will handle requests within the timeframes described in Section 8.

17. Effective Term, Last Update, and History

This Notice takes effect as of 01/30/2026 and will remain in effect while the purposes described herein exist or until it is replaced by an updated version.