Trully | Fraud Prevention and Identity Verification
Subscribe to our newsletter! Get fraud prevention content

Privacy Notice

  • Date of last update: 06/09/2022

Privacy Notice for the users of our product

Who are we? (Identity and address of the Responsible)

Truface, S.A.P.I. de C.V., (“Trully” or “The Responsible”) in compliance with the Mexican Federal Law for the Protection of Personal Information in Possession of Private Entities and its Regulations (both together, the “Law”), with address in Rio Lerma 94, 3rd Floor, Cuauhtémoc. 06500. Mexico City, Mexico. This address is also valid to hear and receive notifications.

  • Personal data: Any information concerning an identified or identifiable natural person.
  • Sensitive personal data: Those personal data that affect the most intimate sphere of its owner, or whose improper use may give rise to discrimination or entail a serious risk for it. In particular, those that may reveal aspects such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union affiliation, political opinions, sexual preference are considered sensitive.
  • Holder: The natural person to whom the personal data identifies or corresponds.
  • Responsible: Natural or legal person of a private nature who decides on the processing of personal data.
  • Treatment: Obtaining, using (including access, handling, use, transfer or disposal of personal data), disclosure or storage of personal data by any means.
  • Manager: The natural or legal person who alone or jointly with others processes personal data on behalf of the person in charge.

Manager: The natural or legal person who alone or jointly with others processes personal data on behalf of the person in charge.

In order to comply with the purposes indicated in this Privacy Notice, Trully will process personal identification data such as: (i) device ID; (ii) Phone number; (iii) Email (iv) Geolocation; (v) National identification numbers; and (vi) Biometrics.

Treatment purposes

In its capacity as "Responsible" according to the definition established in article 3, section IX of the LFPDPPP, Trully receives certain data from the "Responsible" (as said term is defined in article 3, section XIV of the LFPDPP) for the purposes of carrying out the implementation of collective intelligence and artificial intelligence models with the sole purpose of issuing an opinion for the benefit of its clients that can help correct decision-making and fraud prevention.

Once having issued its opinion after running its implementation, Trully returns to the "Responsible" all those data previously shared and used for the stated assessment. Trully for the study and review of said data, at all times has a contract for the provision of services, by virtue of which, the "Responsible" undertakes to implement, generate and achieve any procedure so that a "Holder" (according to said term is defined in article 3, section XVVI of the LFPDPPP, expressly accept that the "Responsible" may share with a "Manager" the personal data that belongs to him for the purpose of making an assessment in terms of fraud, thus helping companies, in the correct decision making with respect to its clients.


In accordance with the express acceptance, stated in the previous paragraph, personal data such as: (i) device ID; (ii) Telephone; (iii) Email (iv) Geolocation; (v) National identification numbers; and (vi) Biometrics, may be transferred by the "Responsible" to Trully in order to fulfill the contracted services and who will guarantee that these will be treated solely and exclusively for the purposes established between the "Responsible" and Trully. Consequently, the "Responsible", enables Trully in its capacity as "Manager", according to what the Federal Law on Protection of Personal Data Held by Private Parties ("LFPDPPP") provides.

In its capacity as "Manager", Trully will work in accordance with the following provisions:

  • Treat personal data exclusively for the performance of the object of the services contracted by the "Responsible".
  • Treat personal data under the guiding principles of the LFPDPPP and its regulations.
  • Comply with the requirements established in article 52 and article 49 of the LFPDPPP Regulation, by virtue of the fact that it uses infrastructure in the so-called cloud computing.
  • Implement and maintain all physical, technical and administrative security measures that are necessary to protect personal data against alteration, damage, disclosure, loss, destruction, access or unauthorized treatment, and that allow deviations, intentional or not, to be detected. Whether the risks come from human action or from the technical means used, verifying that they are not less than those provided by the LFPDPPP or any other applicable regulations, in such a way that, acting with total diligence, they maintain reasonable measures for the protection of personal data and the level of security appropriate to the risks involved in the processing and the nature of the data to be protected.
  • Allow the "Responsible" to carry out technological audits to corroborate the correct treatment and security of the transferred data.
  • Make its employees, agents and subcontractors comply with the applicable obligations regarding the security and protection of personal data, maintaining the levels of security, protection and confidentiality required by the LFPDPPP and any other applicable regulations.
  • Ensure the identification and mitigation or remediation of any breach of data and/or information security, for which it is obliged to provide, at any time, access to tools, logs, records, or necessary technological elements.
  • Carry out the processing of personal data by qualified, authorized and trained personnel, establishing access levels and passwords. Said personnel must maintain their confidentiality and security, signing agreements for such purposes. Likewise, it must ensure that said personnel receive adequate training in the area of ​​personal data protection and privacy.

Execution of ARCO rights

You have the right to know which Personal and/or sensitive data we hold about you, for which purposes we are using the data (Access). Also, it is your right to solicit the correction of your Personal data in case it is outdated, incorrect or incomplete (Rectification); that we eliminate your data from our records and databases when you consider such Personal data is not being used correctly (Cancellation); such as oppose the usage of your Personal and/or sensitive data for the purposes herein specified (Opposition). Such rights are known as ARCO rights.

Should you wish to execute your ARCO right, you can send us an email to any of the following email addresses:,

To execute your ARCO rights, we suggest you to know the procedure:

Requirements to file an ARCO rights request:

1.File the request before the Responsible holding the Personal data, through the aforementioned means of contact, with the following information:

  • File the request before the Responsible holding the Personal data, through the aforementioned means of contact, with the following information:
    • General information. All ARCO rights request should contain the following information:
      • Name of the Personal data owner.
      • Documents that validate the ownership of the data. These documents are specified in the next section.
      • Address or a mean to receive notifications (E.g., email address)
      • Description of the right the owner wishes to execute: Access, Rectification, Cancellation or Opposition.
      • If applies, documents or information that helps us find such information, such as the business responsible for the treatment of the data.
    • Specific information. Besides including the General information, depending on the right you wish you execute, you should include the following information:
      • Access right: how you wish your information to be reproduced.
      • Rectification right: which are the edits to your data you wish us to conduct.
      • Address or a mean to receive notifications (E.g., email address)
      • Cancellation right: what are the causes of the cancellation.
      • Opposition right: that are the causes of the opposition, and what the harm is should the data treatment continues.

It is important to know that, if the request does not have the requested information, the Manager of the information could help you get to the Responsible of the Data, so you can request the missing information. Such information should be delivered back to us within the following 10 days. Failing to return the requested information back to us, will lead us to discard your request.

When you file your request, we will send you a receipt that your request has been filed.

2. Accreddit the identity of the Holder, and if it applies, the representative.

The request should be accompanied by a copy of an official ID, and a copy of the representative’s official ID if it applies.

For this purpose, an official ID could be:

  • Valid National ID
  • Valid Passport
  • Valid birth certificate

To accredit the representative’s information, the representative should file:

  • Power letter with a copy of both valid IDs.
  • A document written and certified by a Notary.
  • Valid birth certificate

Terms and procedures to attend request of ARCO rights

Once a valid request has been filed with the aforementioned requirements, the entity to whom the request was filed should:

In a term of 20 business days from the reception date, the entity that received the file should inform you whether the request will follow through or not.

In the event that the request follows through, a response should be provided in a term of 15 business days, after the previous response has been issued.

The aforementioned terms could be longer, when it is justified and the requester is informed.

If the request does not follow through, you will be notified in a 15 business day period after the request has been submitted.


If you consider that your rights have been violated in compliance with the Mexican Federal Law for the Protection of Personal Information in Possession of Private Entities and its Regulations, we suggest you to file a complaint with the with the National Institute of Transparency, Information Access and Personal data Protection (INAI). For more information we suggest you to visit the following website:

Applicable Law and Jurisdiction

You agree that this Privacy of Notice will be ruled by the applicable laws in Mexico, especially, by the dispositions of the Mexican Federal Law for the Protection of Personal Information in Possession of Private Entities and its Regulations.

Changes to this Privacy Notice

This Privacy Notice may be modified, changed or updated according to the services, privacy practices, and needs without further notice. We are committed to ensuring that the information contained in this Privacy Notice provided through our website is accurate, complete and updated.