Privacy Notice

Who we are

The data controller is XALA Studio, an independent digital design and development studio based in Tijuana, Baja California, Mexico.

Data we collect

We collect only what's needed to serve you. We do not collect sensitive data (race, health, beliefs, sexual life, biometric data, bank account numbers).

Identification and contact

• Name and, if applicable, company name.
• Email address.
• Phone number.
• City and country.

Project data

• Business information you share with us so we can design and build your site or platform — service descriptions, bios, photos you provide, written content.
• Third-party service credentials you choose to share for integration (Google Analytics, CMS, domain registrar, etc.).
• Email, chat, and call communications related to the project.

Billing

• Tax information for invoicing (RFC for Mexican clients, billing address for US clients).
• Payment information — processed by our payment processor; we do not store full card numbers.

Site usage

• Aggregate usage of xala.studio: pages viewed, time on page, device, browser, approximate country. Details in Cookies.

Categories we collect (CCPA framing): identifiers (name, email, phone, IP), commercial information (services purchased), internet activity (site usage), professional information (your role, company). Sources: directly from you (forms, email, calls) and automatically from your browser when you visit our site. Sale or share: we do not sell or share your personal information for cross-context behavioral advertising.

Why we use it

Primary purposes — needed for our relationship with you; you can't opt out without ending the service:

• Respond to inquiries and provide service information.
• Enter into and perform our professional services agreement.
• Design, build, host, and maintain the contracted site or platform.
• Invoice and collect payment.
• Communicate with you during the project and the support period.
• Comply with tax, accounting, and legal obligations.
• Defend our rights in case of dispute.

Secondary purposes — require your consent; you can decline without affecting service:

• Send you a monthly studio newsletter — case notes, reading, work-in-progress.
• Show your brand, logo, and a short case study in our public portfolio.
• Quote a written testimonial attributed to you or your role.

To opt out of any secondary purpose, email hola@xala.studio with subject "Opt out — secondary purposes". We action it within five business days.

Legal basis

Under Mexican law (LFPDPPP, March 20, 2025) we rely on your consent (express for secondary purposes, tacit-by-conduct for primary purposes) and on the necessity of processing to perform our contract with you.

For EU/UK clients reading this through a GDPR lens, our bases are: contract (Art. 6(1)(b)) for service delivery, legitimate interest (Art. 6(1)(f)) for security and limited analytics, legal obligation (Art. 6(1)(c)) for tax and accounting, and consent (Art. 6(1)(a)) for marketing.

Third parties we share with

We do not sell your data. We don't share it for commercial purposes outside the service. We do use service providers to operate, each acting under our instructions and their own privacy policies:

Your rights

Under Mexican law (LFPDPPP) you have four ARCO rights — and equivalents under CCPA (California) and GDPR (EU/UK):

• Access — know what data we hold about you and how we use it. (CCPA "right to know" / GDPR "access".)
• Rectification — correct inaccurate or outdated data. (GDPR "rectification".)
• Cancellation / Deletion — ask us to delete your data, except where law requires retention. (CCPA "right to delete" / GDPR "erasure".)
• Opposition — ask us to stop using your data for a specific purpose. (CCPA "right to opt out" / GDPR "object".)

For US/EU clients we also honor the equivalent of data portability (a copy in a structured format) and non-discrimination for exercising any of these rights.

How to exercise

Email hola@xala.studio with subject "Privacy rights request". Include:

1. Your name and a contact email.
2. Proof of identity (government ID or legal representation document).
3. A clear description of the right you're exercising and the data involved.
4. For rectification: the corrected data and supporting documentation.

Response times: Mexican law gives us 20 business days to respond and 15 more to execute. We do our best to match or beat the equivalent CCPA (45 days) and GDPR (one month) windows. No fee, except justified shipping or reproduction costs.

Withdrawing consent

You can withdraw consent at any time. Email hola@xala.studio with subject "Withdraw consent". Withdrawal is not retroactive and doesn't apply to primary purposes needed for an active contract or legal obligation.

Limiting use or disclosure

To stop commercial communications, email hola@xala.studio with subject "Limit use". We add you to our internal suppression list within five business days. Every newsletter has a one-click unsubscribe link.

Cookies and analytics

Our site uses cookies and similar technologies to function and to measure aggregate use.

You can block or delete cookies in your browser settings. If you do, parts of the site may not work.

Security and retention

We apply reasonable administrative, technical, and physical safeguards to protect your data — TLS in transit, repository access controls, two-factor authentication on critical accounts, encrypted backups.

Retention:

• Prospects who didn't become clients: 12 months from last contact.
• Active clients: for the duration of the contract.
• Tax and accounting records: five years after termination, per Mexican Federal Fiscal Code.
• Closed project records: 24 months after close, for warranty and support.

After that, data is deleted or anonymized.

Cross-border transfers

We're based in Mexico. Most of our processors are in the United States. By engaging us, you understand that your data may be processed in Mexico, the United States, and (depending on the processor) other jurisdictions.

For EU/UK clients we rely on the processor's own transfer safeguards (Standard Contractual Clauses where applicable). For California clients, see the CCPA-framed disclosures throughout.

Children

Our services are for businesses and professionals. They're not directed at children, and we don't knowingly collect data from anyone under 16. If you believe a child has submitted data, email us and we'll delete it.

Changes to this notice

We may update this notice. The current version always lives at xala.studio/privacy with the last-updated date at the top. Material changes get emailed to active clients and subscribers at least 30 days in advance.

Authority and contact

The Mexican data protection authority is the Secretaría Anticorrupción y Buen Gobierno, which took over from the former INAI under the 2025 LFPDPPP reform.

If you think your privacy rights were violated, please contact us first. If we don't satisfy your request, you may file a complaint with the competent authority (or, for EU residents, your local supervisory authority; for California residents, the California Privacy Protection Agency).

Related documents: Terms of Service · Versión en español