Privacy Policy

SDIT is the data controller responsible for your personal data. Contact: privacy@sdit.ai.

For users in Mexico: SDIT acts as "Responsable" under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP). Our Aviso de Privacidad is incorporated into this document.

For users in the EU/EEA: SDIT is the data controller within the meaning of the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.

We collect the following categories of personal data:

2.1 Data you provide directly

Name and email address (when you submit our contact or assessment form)

Company name, role, and message content

2.2 Data collected automatically

IP address (used to derive approximate country/region)

Browser type, version, and device operating system

Screen resolution and device type (desktop/mobile/tablet)

Full URL of pages visited, including query strings and UTM parameters

Referral URL: the exact address of the website or search engine from which you arrived

Exit link tracking: outbound URLs you click from our site

Time and date of visits, session duration, and page sequence

Scroll depth and content interaction events

Geographic region (country and state/region level, derived from IP)

2.3 Cookie and tracking data

See Section 5 (Cookies and Tracking Technologies) below.

2.4 Data we do NOT collect

We do not intentionally collect: payment card data, government ID numbers, health or biometric data, or data from children under 16. Our services are directed to business professionals. If you believe a minor has submitted data, contact privacy@sdit.ai immediately.

We process your personal data for the following purposes:

| Purpose | Legal Basis (GDPR Art. 6) | LFPDPPP / LGPD Equivalent |

|---|---|---|

| Respond to your inquiries and deliver requested services | Art. 6(1)(b) – contract performance | Consent / Contractual necessity |

| Operate and maintain the website | Art. 6(1)(f) – legitimate interests | Legitimate interest |

| Analyse website traffic, behaviour, and referral sources | Art. 6(1)(a) – consent (analytics cookies) | Consent |

| SEO and SEM optimisation (understanding traffic sources, keyword performance, geographic demand) | Art. 6(1)(f) – legitimate interests / Art. 6(1)(a) – consent | Consent / Legitimate interest |

| Retargeting and paid advertising | Art. 6(1)(a) – consent (marketing cookies) | Consent |

| Geo-analytics: understanding which regions, cities, and countries generate demand | Art. 6(1)(a) – consent / Art. 6(1)(f) – legitimate interests | Consent |

| Fraud prevention and security | Art. 6(1)(f) – legitimate interests | Legal obligation / Legitimate interest |

| Compliance with legal obligations | Art. 6(1)(c) – legal obligation | Legal obligation |

Legitimate Interests: Where we rely on legitimate interests, these interests are: operating and improving a professional B2B website, protecting against fraud, and marketing our services to business professionals. These interests are balanced against your rights and do not override them.

We are transparent about our tracking practices:

Referral source tracking: We record the URL from which you arrived (referrer header and UTM parameters such as utm_source, utm_medium, utm_campaign). This tells us which marketing channels, search engines, paid ads, or referring websites bring visitors. This data directly informs our SEO and SEM strategy.

Exit and navigation tracking: We record which links you click when leaving our site (outbound link events). This tells us where our visitors go after visiting us and helps us understand intent.

Geographic analytics: We derive your approximate country and region from your IP address. This helps us understand geographic demand and tailor content, language, and outreach to specific markets (Mexico, USA, EU, Latin America).

Behavioural analytics: We track which pages you visit, in what order, how long you stay, how far you scroll, and which content elements you interact with. This improves our content strategy and user experience.

Session recording and heatmaps: We may use session recording tools (such as Microsoft Clarity) to replay anonymised user sessions and generate heatmaps. No personally identifiable information is captured in recordings. Recordings are used exclusively to improve website design and navigation.

Purpose: All of the above data is used internally to improve our website, content strategy, SEO rankings, and paid marketing effectiveness. We do not sell individual behavioural profiles to third parties.

We use the following categories of cookies:

5.1 Strictly Necessary Cookies

Required for the website to function. These include session management, security tokens, and your cookie consent record. No consent required.

5.2 Analytics Cookies

Set only with your consent. These include:

**Google Analytics 4 (_ga, _gid, _ga_*)**: Page views, events, session data, geographic data. Data processed by Google LLC (USA). See: policies.google.com/privacy.

**Microsoft Clarity (_clck, _clsk, CLID, ANONCHK, MR, SM)**: Session recordings, heatmaps. Data processed by Microsoft Corporation (USA). See: privacy.microsoft.com.

5.3 Marketing and Retargeting Cookies

Set only with your consent. These include:

**Google Ads (_gcl_au, _gcl_aw)**: Conversion tracking and remarketing.

**Meta Pixel (_fbp, _fbc)**: Facebook/Instagram retargeting. Data processed by Meta Platforms, Inc. (USA).

**LinkedIn Insight Tag (li_fat_id, UserMatchHistory)**: B2B retargeting and conversion tracking. Data processed by LinkedIn Corporation (USA).

Managing cookies: You may change your preferences at any time via the "Manage Preferences" link in our footer. You may also control cookies through your browser settings, though this may affect website functionality.

Cookie retention: Strictly necessary cookies expire at session end or within 1 year. Analytics cookies persist for up to 13 months. Marketing cookies persist for up to 90 days.

We share your personal data only as follows:

Service providers (processors): Google (Analytics, Ads, Cloud), Microsoft (Clarity, Azure), Meta (Pixel), LinkedIn — all under data processing agreements that restrict use to provision of services to us.

Legal requirements: We may disclose data if required by law, court order, or regulatory authority (including INAI in Mexico, supervisory authorities in the EU/EEA, or US authorities).

Business transfer: In the event of a merger, acquisition, or asset sale, personal data may transfer to the acquirer, subject to equivalent protections.

We do NOT: sell, rent, or trade your personal data to third parties for their own marketing purposes. We do not share individual behavioural profiles with advertising networks except through the standard mechanisms described above (pixels and tags), and only with your consent.

We are headquartered in Mexico and serve users globally. Your data may be transferred to and processed in the United States, the European Economic Area, or other countries.

Transfers from the EU/EEA: We rely on the EU Standard Contractual Clauses (SCCs, as adopted by the European Commission) for transfers to non-adequate countries, including the USA. Google, Microsoft, Meta, and LinkedIn participate in these frameworks.

Transfers from Mexico: International transfers comply with Article 37 of the LFPDPPP. We ensure equivalent levels of protection through contractual clauses with our processors.

Transfers from Brazil: Comply with LGPD Article 33. Transfers are subject to contractual protections or adequacy decisions where available.

We retain personal data only as long as necessary:

**Inquiry / contact form data:** 3 years from last contact, or for the duration of any business relationship.

**Analytics data:** Aggregated analytics data is retained for 26 months in Google Analytics (as configured). Raw event logs are retained for 14 months.

**Session recordings:** Automatically deleted after 90 days.

**Cookie consent records:** Retained for 3 years to demonstrate compliance.

**Marketing attribution data:** Retained for 90 days.

After these periods, data is deleted or anonymised. You may request earlier deletion — see Section 9.

You have the following rights, exercisable by contacting privacy@sdit.ai:

All users (global baseline):

Right to know what personal data we hold about you

Right to correct inaccurate data

Right to deletion ("right to be forgotten") subject to legal obligations

Right to withdraw consent at any time (does not affect prior processing)

Right to lodge a complaint with a supervisory authority

EU / EEA residents (GDPR):

In addition to the above: right to restrict processing, right to data portability (receive your data in machine-readable format), right to object to processing based on legitimate interests, and right not to be subject to solely automated decision-making. Supervisory authority: your national Data Protection Authority (DPA).

California residents (CCPA / CPRA):

Right to know the categories and specific pieces of personal information collected about you. Right to delete personal information. Right to opt-out of the "sale" or "sharing" of personal information (we do not sell personal data, but you may opt-out of sharing via our cookie preferences). Right to correct inaccurate personal information. Right to limit use of sensitive personal information. Right to non-discrimination for exercising these rights. To exercise: email privacy@sdit.ai or use the "Essential Only" option in our cookie banner.

Mexico residents (LFPDPPP — ARCO Rights):

**Acceso (Access):** Request access to your personal data and the terms of its processing.

**Rectificación (Rectification):** Request correction of inaccurate or incomplete data.

**Cancelación (Cancellation):** Request deletion of your data, subject to legal blocking periods.

**Oposición (Opposition):** Object to processing of your data for specific purposes.

To exercise ARCO rights, contact privacy@sdit.ai with your name, a copy of official ID (cédula, pasaporte, or INE), and a description of the right you wish to exercise. We will respond within 20 business days as required by LFPDPPP. If unsatisfied, you may file a complaint with INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales): www.inai.org.mx.

Brazil residents (LGPD):

You have the rights established in LGPD Article 18, including access, correction, anonymisation, deletion, portability, information about sharing, and the right to revoke consent. Supervisory authority: ANPD (Autoridade Nacional de Proteção de Dados): www.gov.br/anpd.

Argentina: Rights under Law 25,326 — contact the AAIP (Agencia de Acceso a la Información Pública): www.argentina.gob.ar/aaip.

Colombia: Rights under Law 1581/2012 — contact the SIC (Superintendencia de Industria y Comercio): www.sic.gov.co.

Response times: We respond to all verified requests within 30 days (or the shorter period required by applicable law).

Our website and services are directed to business professionals and are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided personal data, we will delete it promptly. Contact privacy@sdit.ai if you believe this has occurred.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include: HTTPS/TLS encryption in transit, access controls on data systems, and contractual obligations on processors. No transmission over the internet is 100% secure; we cannot guarantee absolute security.

Our website may contain links to third-party websites. This Privacy Policy does not apply to those sites. We encourage you to review their privacy policies before providing any personal data to them.

We may update this Privacy Policy to reflect changes in our practices or applicable law. When we do, we will update the effective date above. Material changes will be signalled by a notice on our website. Your continued use of the website after the effective date constitutes acceptance of the updated policy.

For privacy-related questions, to exercise your rights, or to reach our Data Protection contact:

Email: privacy@sdit.ai

Website: https://sdit.ai

For Mexican residents exercising ARCO rights, our designated Privacy Officer can be reached at the same email address.