Privacy Policy

Introduction

At FORXYA, we respect your privacy and are committed to protecting your personal information in compliance with applicable data protection laws in your jurisdiction, including Mexico's LFPDPPP, the GDPR (European Union), CCPA (California), and LGPD (Brazil), as applicable. This Privacy Policy describes what data we collect, how we use it, the legal bases for processing, and the protection mechanisms we implement, both on our website (forxya.io) and in the FORXYA application for iOS, Android, and Web. By using our services, you agree to the practices described in this policy. FORXYA acts as the data controller for personal data collected directly and as the data processor for operational data that each organization manages through the platform.

Information We Collect

When you complete the contact form on our website, we collect your name, email address, industry, and message. This information is used exclusively to respond to your inquiry and provide you with information about our services.

We use website analytics tools under a strict data minimization framework. We only collect anonymized technical metrics (pages visited, session duration, device type, and operating system) necessary for the proper functioning and improvement of the service. We do not collect personally identifiable information through these tools, we do not use advertising tracking cookies, and we disable any identifier that could be linked to cross-site advertising profiles.

The FORXYA application may collect the following types of data depending on each organization's configuration: GPS location (coordinates, altitude, accuracy, and timestamp), photographs and visual evidence, digital signatures, audio recordings, form submissions with all their fields, device information (model, operating system, app version), and field-level audit logs. Additionally, the platform automatically records operational metadata such as timestamps, user identifiers, and state transitions within workflows. This data is stored locally on the device in encrypted form and synced to the cloud when connectivity is available.

How We Use Your Information

We use the information collected for the following specific purposes: responding to contact inquiries and requests; providing, operating, and improving FORXYA platform services; processing and managing workflows configured by each organization; generating operational reports, dashboards, and performance metrics; communicating relevant platform updates and changes to our terms or policies; and ensuring the security, integrity, and availability of our systems. We do not use your information for purposes other than those described in this policy, and we never sell or commercialize personal data.

Data Storage & Security

All data is encrypted at rest and in transit using enterprise-grade encryption standards. The mobile application implements communication integrity protection mechanisms to prevent man-in-the-middle attacks, as well as runtime protection against tampering or unauthorized debugging. Each organization operates in a completely isolated space through record-level access policies, ensuring zero cross-access between organizations. Backups are encrypted and stored in cloud infrastructure with geographic redundancy.

Third-Party Services

FORXYA's architecture relies on enterprise-grade cloud infrastructure providers operating under shared-responsibility models and complying with international security standards including SOC 2 Type II, ISO 27001, and HIPAA. All communications between system components occur exclusively over encrypted channels within isolated private networks. FORXYA does not sell, rent, or share your personal information with third parties for commercial or advertising purposes. We only share data with infrastructure providers strictly necessary for service operation.

Your Rights

Depending on your location, you have rights over your personal data under applicable law. In Mexico: ARCO rights (Access, Rectification, Cancellation, and Opposition) under the LFPDPPP. In the European Union: rights under the GDPR including access, rectification, erasure, portability, restriction of processing, and objection. In California: rights under the CCPA including the right to know, delete, and opt out of sharing your data. To exercise any of these rights, send your request to hello@forxya.com including your full name, country of residence, a description of the right you wish to exercise, and identity verification. We will respond within 20 business days (LFPDPPP) or 30 days (GDPR/CCPA), as applicable.

Cookies

FORXYA implements Google Consent Mode v2 to respect your preferences before activating any non-essential cookies. On your first visit you will see a banner where you can accept all, reject or customize your choice. Categories: Necessary (always on) — language preference ES/EN, light/dark theme, security and basic site functionality. Analytics (optional) — Google Analytics 4 with anonymized IP, activated only after your explicit consent; helps us understand which pages work and how to improve the landing. Marketing (optional) — FORXYA currently does not use advertising or cross-site tracking cookies; this control is available in case they are enabled in the future. You can change your choice anytime from the 'Cookie preferences' link in the footer. Your decision is stored locally in your browser (localStorage). You may also configure your browser to reject cookies, although this may affect site functionality.

Location Data (GPS)

FORXYA collects GPS location data only when the organization has enabled GPS tracking in its configuration. Location data includes geographic coordinates, altitude, accuracy, and timestamp, and is used for field team tracking, geofencing, and location stamps on data captures. This data is stored associated with each record and is accessible only to users with the corresponding permissions within the organization. Users can disable location access at any time from their device settings.

Offline Data

When the device lacks connectivity, FORXYA stores all collected data locally on the device using databases encrypted to enterprise-grade security standards. The mobile application implements runtime protections to actively mitigate unauthorized tampering, elevated-privilege access, or the use of debugging tools. Data automatically syncs to the cloud infrastructure over encrypted channels when connectivity is restored. Once the integrity of the synchronization is confirmed, local data is managed according to the retention policy configured by each organization. FORXYA assumes no liability for the loss of data due to physical destruction of the device before synchronization is completed.

International Transfers

FORXYA operates globally and data may be processed on cloud infrastructure distributed across multiple geographic regions. Data is encrypted at the source prior to any cross-border transmission. When transfers occur outside protected jurisdictions (such as the EEA under GDPR, or Mexico under LFPDPPP), they are governed by Standard Contractual Clauses (SCCs) or other approved transfer mechanisms. Our infrastructure complies with international security standards including SOC 2, ISO 27001, and encryption at rest and in transit. Where local legislation requires it, we will obtain your prior consent for international transfers.

Audit Trail

FORXYA automatically records who accessed, modified, or transferred each record at the individual field level, including the previous value, the new value, the timestamp, and the responsible user. This audit trail is immutable and cannot be altered or deleted by any user, including organization administrators. Audit data is retained for regulatory compliance, operational traceability, and dispute resolution purposes, and is available to the organization through reports and the platform interface.

Data Retention

We retain your information only for as long as necessary to fulfill the purposes described in this policy and applicable legal obligations. Contact form data is retained during the business relationship and for an additional period of 12 months after its last use, or until you request its deletion. Application operational data is retained according to the terms agreed upon with each organization and their configured retention policy. Audit logs are retained for a minimum of 5 years for compliance purposes. Upon termination of the relationship with FORXYA, the organization may request a complete export of its data before permanent deletion.

Children's Privacy

FORXYA is not directed at children under 13 years of age, and we do not knowingly collect personal information from children. If we discover that we have collected data from a child, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable legislation. Changes will take effect upon publication on this page. We recommend reviewing this policy regularly.

Contact

If you have questions or concerns about this Privacy Policy, the handling of your personal data, or wish to exercise your ARCO rights, contact us at hello@forxya.com. You may also direct written communications to our data protection department at the same email address.