Privacy PolicyExecutive SummaryIdentity and contact details of the data controllerPurposes of processingLegal bases and applicable principlesSharing and transfersARCO rights, revocation, and portabilityUse of cookies and similar technologiesSecurity measuresRetention and deletionMinorsContact and supervisory authorityDisclaimer

Privacy Policy


Executive Summary

• Geravolt acts as the data controller for the data it collects on its websites, online store, and customer service channels.

• We only collect data—identification, contact, billing, and navigation—for contractual, logistical, electronic billing, support, and consented marketing purposes.

• We apply principles of legality, consent, information, quality, purpose, loyalty, proportionality, and accountability in accordance with the LFPDPPP.

• Data subjects retain their ARCO rights and options for revocation or opposition, accessible through an electronic or written form.

• We employ physical, technical, and administrative controls aligned with the INAI Security Recommendations and ISO 27001 to protect data against unauthorized access, loss, or destruction.

• We only share information with logistics partners, payment gateways, and competent authorities; all national or international transfers are documented in contractual clauses that ensure an equivalent level of protection.

• We offer transparency regarding cookies and tracking technologies, requiring prior consent for third-party cookies in accordance with regulatory trends for 2024-2025.

• This policy is updated when our practices or regulations change (last review: April 19, 2025), in line with privacy reforms published in the DOF.

Identity and contact details of the data controller

Geravolt Solar®

6th. between 19 and 21, Warehouse #10, Col. Chichí Suárez, Mérida, Yucatán, C.P. 97306, Mexico.

Tel.: +52 999 454 0444 | Email: [email:privacy]

Data we collect

Category

Examples

Main purpose

Identification

Name, RFC, CURP

Billing and identity verification

Contact

Phone, email, shipping address

Order delivery and support

Commercial

Purchase history, preferences

Offers and loyalty programs (opt-in)

Technical

IP, browser type, operating system, cookies

Security, analytics, and site personalization

Sensitive data (e.g., biometrics for plant access) will only be processed when essential and with enhanced safeguards in accordance with Art. 3 LFPDPPP


Purposes of processing

1. Contract execution: processing orders, managing warranties, and providing after-sales service.

2. Legal and tax compliance: issuing CFDI, fraud prevention, authority requirements.

3. Customer service: technical support, laboratory, and training programs.

4. Consent-based marketing: newsletters, promotions, and surveys; you can always unsubscribe.

5. Continuous improvement and analytics: optimizing processes through aggregated data and anonymization (GDPR Art. 5.1.e)

Legal bases and applicable principles

Jurisdiction

Legitimacy basis

Mexico (LFPDPPP)

Consent, compliance with obligations, contractual relationship 

EU/EEA (GDPR)

Art. 6 (1)(a-f): consent, contract, legitimate interest, legal obligation 

U.S. – California (CCPA/CPRA)

Prior notice, right to opt-out of selling/sharing data, annual risk assessments 


Sharing and transfers

• National processors: shipping companies, payment gateways, electronic accounting.

• International processors: servers in the EU and U.S.; we use standard contractual clauses and impact assessments to ensure equivalent protection.

• We do not sell data to third parties; any additional transfer will require your explicit consent, except for the exceptions in Articles 37 and 38 LFPDPPP.

ARCO rights, revocation, and portability

Data subjects can access, rectify, cancel, or oppose the processing of their data, as well as request portability, by sending:

1. A dedicated web form or

2. A free-form letter to [email:privacy] with a copy of identification.


Geravolt will respond within 20 business days and will execute the determination within an additional 15 days, in accordance with Articles 32-35 LFPDPPP. 

Use of cookies and similar technologies

We implement a granular consent banner; cookies are classified as:

• Necessary: session, cart, language preference.

• Analytics: Google Analytics 4 (IP anonymized).

• Marketing: Facebook/Meta pixels only if you provide explicit consent, as required by the new 2024 cookie regulation.


You can modify your preferences at any time through the site's "Privacy Center."

Security measures

• Administrative: internal policies, confidentiality agreements, and annual training.

• Technical: TLS 1.3 encryption, bcrypt password hashing, two-factor authentication for administrative panels.

• Physical: restricted access to the warehouse and laboratory through biometric credentials.


The safeguards follow the "Personal Data Security Recommendations" from INAI and the controls of Annex A of ISO 27001:2022. 

Retention and deletion

We retain information for as long as necessary to fulfill the mentioned purposes and tax obligations (5 years after the transaction, art. 30 CFF), after which it is securely deleted or anonymized.

Minors

Geravolt does not direct its services to individuals under 18 years of age; any detected registration will be canceled and the data will be immediately deleted.

Changes to the policy

We may modify this notice to reflect regulatory changes such as the Mexican reforms published in the DOF (March 20, 2025) or updates to the European Data Act. We will notify by email and a prominent banner at least 30 days in advance.

Contact and supervisory authority

If you believe your data protection rights have been violated, you can contact INAI (www.inai.org.mx) and file a complaint.

Disclaimer

This document is a reference template and does not constitute legal advice. For full implementation, consult a privacy attorney and adapt the clauses to Geravolt's internal processes.