Privacy Policy

Last updated: 10/26/2025

1. Privacy Commitment

Welcome to TRATO. Your privacy is of utmost importance to us. This Privacy Notice (hereinafter, the "Notice") describes how we collect, use, store, share and protect your personal information when you use our websites (including trato.io and its subdomains), technology platform, software as a service (SaaS), mobile applications and any other product or service offered by TRATO entities (hereinafter, jointly or as applicable, "TRATO", "we", "our" or "us").

This Notice applies to all visitors, users and customers of our Services (hereinafter, "You" or the "User"). By accessing or using our Services, you acknowledge that you have read and understood this Notice.

2. Who is Responsible for Processing Your Data?

The TRATO entity responsible for processing your personal data will depend on your geographic location and/or the entity with which you have contracted the Services:

For Users in Mexico (and as general reference for Users in the "Rest of the World", except when mandatory local provisions indicate otherwise):

Legal Name: Contratosapp, S.A.P.I. de C.V.
RFC: CON141023CA9
Address: Pasaje Interlomas número 39, Office 108, Colonia Bosques de las Palmas, Huixquilucan, Estado de México, México, C.P. 52787.
Contact (Privacy Mexico): privacidad.mx@trato.io

For Users in Spain and the European Economic Area (EEA):

Legal Name: TRATO Legaltech, S.L.
NIF: B75476556
Registered Office: Plaza Jacinto Benavente, número 2, 4th Floor, 28012-Madrid, Spain.
Contact (EEA Privacy): privacidad.es@trato.io

3. What Personal Data Do We Collect and How Do We Obtain It?

We collect personal data about you in several ways:

Data you provide directly:

Contact and Account Information: Name, surname, email, phone, company name, position or role, postal address.
Billing and Payment Information: Tax information, billing address, payment method information (processed securely through our payment service providers).
User Content: Any information, documents or data that you upload, create, send, store or manage through our Services (for example, contracts, agreements, comments).
Communications: Information you provide when communicating with us for technical support, inquiries or any other reason.
Event or Promotional Information: Data provided when registering or participating in our events, webinars, surveys or promotions.

Data we automatically collect when you use our Services:

Device and Connection Information: IP address, device type, operating system, browser type, unique device identifiers, mobile network information.
Usage Data: Information about how you interact with our Services, such as pages visited, features used, access dates and times, clicks, time spent, search terms.
Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect information about your browsing and preferences. For more details, see our Cookie Policy.

Data we obtain from third parties:

Public Sources and Business Partners: Occasionally, we may obtain information from public sources or business partners (for example, to enrich contact data or in the context of co-organized events), always in accordance with applicable law. If we obtain your data this way and not directly from you, we will inform you in our first communication, in accordance with Article 14 of the GDPR for EEA users, or applicable local regulations.

You guarantee that all data provided is truthful and accurate, and you commit to keeping it updated.

4. For What Purposes Do We Process Your Personal Data?

We process your personal data for the following purposes:

Service Provision and Management:

Create and manage your user account.
Process your requests and provide contracted Services (e.g., contract management, electronic signature).
Allow you to upload, manage and share your User Content.
Process payments and manage billing.
Authenticate your access to Services.

Communication and Support:

Respond to your inquiries, information requests or technical support.
Send you administrative or Service-related communications (e.g., updates, security alerts, policy changes).

Service Improvement and Personalization:

Analyze usage of the Services to understand how they are used and how we can improve them.
Personalize your experience with Services.
Develop new features and products.

Marketing and Promotion (with your consent when necessary):

Send you information about our products, services, solutions, events, special offers and other news we think may interest you.
Inform you about events and activities organized by TRATO or in collaboration with third parties.
With your explicit consent, use images or videos featuring you (e.g., from events) to promote TRATO services or solutions through our communication channels.
Conduct satisfaction surveys or market research.

Legal Compliance and Security:

Comply with our legal and regulatory obligations.
Prevent fraud, abuse and other illegal activities.
Protect our rights, property and security, as well as those of our users and third parties.
Resolve disputes and enforce our agreements.

5. What is the Legal Basis for Processing Your Data?

The legal basis for processing your personal data varies according to the purpose and your jurisdiction:

For Users in Spain and the EEA (GDPR):

Contract Performance (Art. 6.1.b GDPR): When processing is necessary for providing Services you have requested or for executing a contract to which you are party.
Consent (Art. 6.1.a GDPR): For specific purposes such as sending unsolicited commercial communications, publishing images for promotional purposes or using certain cookies. You have the right to withdraw your consent at any time.
Legitimate Interest (Art. 6.1.f GDPR): To improve our Services, prevent fraud, ensure network and system security, or for direct marketing to existing customers about similar products or services, provided our legitimate interests do not override your fundamental rights and freedoms.
Legal Obligation (Art. 6.1.c GDPR): When processing is necessary to comply with a legal obligation to which we are subject (e.g., tax, accounting).

For Users in Mexico (LFPDPPP):

Consent: Generally, we require your consent (tacit or express depending on data sensitivity) for processing your personal data, subject to the exceptions provided in the LFPDPPP.
Legal Relationship: When processing is necessary by virtue of a legal relationship between you and TRATO (e.g., provision of a contracted service).
Legal Obligations: To comply with obligations derived from applicable legislation.

For Users in the Rest of the World:

We will rely on similar principles of consent, contractual necessity, legitimate interest and legal obligation, in accordance with privacy laws applicable in your jurisdiction. By default, and in the absence of specific local regulations that prevail, the principles of Mexico's LFPDPPP will be taken as reference.

6. How Long Will We Keep Your Data?

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as well as to comply with our legal obligations, resolve disputes and enforce our agreements.

The criteria we use to determine retention periods include:

The duration of your relationship with us and Service provision.
The existence of legal or regulatory obligations requiring us to retain data for a specific period (e.g., tax, commercial laws).
The need to retain data for the formulation, exercise or defense of legal claims.
Limitation periods for potential liabilities arising from the relationship.

Once your personal data is no longer necessary for these purposes, it will be securely deleted or anonymized, in accordance with our internal policies and applicable legislation. In some cases, data may be kept blocked, available exclusively to judges, courts or competent public administrations, to address possible liabilities arising from processing, during their limitation period.

7. To Which Recipients Will Your Data Be Communicated?

TRATO will not transfer or sell your personal data to third parties without your prior consent, except in the following cases or when there is a legal obligation:

Service Providers: We share information with third parties who provide us services and act as data processors (for example, web hosting providers, payment platforms, analytics tools, email marketing services, technical support). These providers only have access to personal data necessary to perform their functions and are contractually obligated to protect it and use it only for the purposes for which they were hired.

TRATO Group Entities: We may share information with other companies within the TRATO group for internal administrative purposes, coordinated service provision or marketing purposes (always with your consent when necessary).

Event or Service Collaborators: If you register or participate in an event or service co-organized with a third party, we may share your information with that third party for event or service management, with prior information and, if necessary, your consent.

Legal Obligations and Competent Authorities: We may disclose your personal data if required by law, a court order or a request from a competent governmental or regulatory authority.

Rights Protection: We may share information if we believe in good faith that it is necessary to protect our rights, property or security, or those of our users or third parties, as well as to investigate fraud or respond to an emergency.

Corporate Transactions: In case of merger, acquisition, asset sale, reorganization or bankruptcy proceeding, your personal data could be transferred as part of such transaction. We will notify you of any changes and options you may have regarding your data.

International Data Transfers:

Your personal data may be transferred and processed in countries other than your country of residence, where data protection laws may be different. TRATO will take all reasonably necessary measures to ensure your data is processed securely and in accordance with this Notice and applicable law.

For EEA users, if we transfer personal data outside the EEA to countries that do not offer an adequate level of data protection according to the European Commission, we will implement appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, or rely on other legal bases for transfer, such as your explicit consent or necessity for contract performance.

8. What Are Your Rights and How Can You Exercise Them?

You have certain rights regarding your personal data, which may vary according to your jurisdiction:

For Users in Spain and the EEA (GDPR Rights):

Right of Access: Obtain confirmation of whether we are processing your data and, if so, access it and certain information about the processing.
Right of Rectification: Request correction of inaccurate data or completion of incomplete data.
Right of Erasure (Right to be Forgotten): Request deletion of your data when, among other reasons, it is no longer necessary for the purposes for which it was collected.
Right to Restriction of Processing: Request limitation of use of your data in certain circumstances (for example, while data accuracy is being verified).
Right to Data Portability: Receive your personal data in a structured, commonly used and machine-readable format, and transmit it to another controller, when processing is based on consent or a contract and is carried out by automated means.
Right to Object: Object to processing of your data for reasons related to your particular situation, including processing for direct marketing purposes.
Right Not to be Subject to Automated Individual Decision-Making: Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Right to Withdraw Consent: When processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

For Users in Mexico (ARCO Rights - LFPDPPP):

Right of Access: Know what personal data we have about you, what we use it for and the conditions under which we use it.
Right of Rectification: Request correction of your personal information if it is outdated, inaccurate or incomplete.
Right of Cancellation: Request that we delete your information from our records or databases when you consider it is not being used in accordance with the principles, duties and obligations provided in the regulations.
Right to Object: Object to the use of your personal data for specific purposes.
Right to Revoke Consent: Revoke the consent that, where applicable, you have given us for processing your personal data.

For Users in the Rest of the World:

We will strive to recognize and facilitate the exercise of similar rights to those mentioned, in accordance with privacy principles and applicable local laws.

Exercise of Your Rights: To exercise any of these rights, you can send a written request, duly proving your identity (for example, through a copy of your ID, INE, Passport or equivalent document), to the email or postal address of the Data Controller corresponding to your jurisdiction.

We will respond to your request within the timeframes and conditions established by applicable legislation.

Right to File a Complaint:

If you consider your data protection rights have been violated, you have the right to file a complaint with the competent supervisory authority. We recommend that, before filing a complaint with the supervisory authority, you contact us to try to resolve any issues amicably.

9. Security Measures

TRATO has adopted and maintains appropriate technical, administrative and physical security measures to protect your personal data against loss, misuse, unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of personal data, in accordance with current legislation. However, no electronic transmission or storage system is completely secure, so we cannot guarantee absolute security of your information.

10. Cookie Policy

We use cookies and similar technologies to improve your experience on our Website and Services, analyze traffic and personalize content. For detailed information about the cookies we use, their purposes and how you can manage them, see our Cookie Policy.

11. Children's Privacy

Our Services are not directed at minors (generally, those under 18 or the age of legal majority in your jurisdiction). We do not knowingly collect personal data from minors. If you are a parent or guardian and become aware that a minor has provided us with personal data without your consent, please contact us immediately so we can take appropriate measures.

12. Changes to this Privacy Notice

We may update this Privacy Notice at any time to reflect changes in our practices, technologies, legal requirements or other factors. When we make changes, we will update the "Last Updated" date at the top of this Notice. If changes are significant, we will notify you more prominently (for example, through a notice on our Website or by sending you an email communication). We recommend that you review this Notice periodically to stay informed about how we protect your information.

13. Contact

If you have questions, comments or concerns about this Privacy Notice or our data processing practices, or if you wish to exercise any of your rights, contact the Data Controller corresponding to your jurisdiction:

For Users in Mexico (and Rest of the World, unless otherwise indicated):

Attention: TRATO Mexico Data Protection Department
Email: privacidad.mx@trato.io
Postal address: Contratosapp, S.A.P.I. de C.V., Pasaje Interlomas número 39, Office 108, Colonia Bosques de las Palmas, Huixquilucan, Estado de México, México, postal code 52787.

For Users in Spain and the EEA:

Attention: TRATO Spain/EEA Privacy Department
Email: privacidad.es@trato.io
Postal address: TRATO Legaltech, S.L., Plaza Jacinto Benavente, número 2, 4th Floor, 28012-Madrid, Spain.