Privacy Notice (Aviso de Privacidad Integral)
Responsible for your information (Responsable)
Nexus Stem Cells Medical Alliance, with address at C. Jose Maria Heredia 2960, Guadalajara, Jalisco, Mexico 44670, is the entity responsible (“Responsable”) for collecting and using your personal data. In Mexico, the Responsable is required to inform you of how your data is handled, the purposes for which it is used, and your rights under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP, 2025).
If you have any questions about this notice or wish to exercise your privacy rights, you can contact our Privacy Office at:
- Email: privacy@nexusstemcells.com
- Phone: +52 (33) 1840-6037
Personal data we collect
We collect personal data that you voluntarily provide when you fill out our medical inquiry form, request information about our services, or communicate with us. Depending on your interaction, the data may include:
- Contact details: Full name, email address, telephone number, preferred contact time.
- Health information: Your medical history, symptoms, diagnosis, duration of condition, previous treatments, and area of concern (orthopedic, neurological, autoimmune, metabolic, pulmonary, or longevity). Under Mexican law, health data is classified as sensitive personal data and receives the highest level of legal protection.
- Technical data: IP address, browser type, device identifiers, and usage analytics (only if you consent via our cookie banner).
We do not collect financial or insurance information through this website. If you proceed to become a patient, additional financial data will be collected under a separate, more detailed privacy notice provided at that time.
Purposes and legal basis for processing
Primary purposes (necessary to respond to your inquiry): We use your contact and health information to answer your questions, provide educational information about regenerative medicine (mesenchymal stem cell mechanisms, paracrine signaling, immunomodulation, etc.), schedule consultations, and coordinate with our licensed medical partners. These purposes are based on your explicit consent when you submit the inquiry form and, for sensitive health data, the legal exception for medical diagnosis, prevention, treatment, or healthcare management under Article 10 of the LFPDPPP (2025).
Secondary purposes (only with your separate consent): We may use your data to send you newsletters, marketing communications about our services, or invitations to events. You will be asked to check a separate box to consent to these secondary purposes.
We do not use automated decision-making or AI algorithms to make decisions that produce legal effects or otherwise significantly affect you without human review. If we implement any AI tools for administrative support (e.g., spam filtering or analytics), we will update this notice accordingly.
ARCO rights
Under Mexico’s LFPDPPP (2025), you have the following rights regarding your personal data (known as “ARCO” rights):
- Access: Request to know what personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Cancellation: Request deletion of your data when it is no longer necessary for the purposes for which it was collected.
- Opposition: Object to the processing of your data for specific purposes.
Additionally, under the 2025 LFPDPPP, you have the right to be informed about automated decision-making that produces legal effects concerning you, and to obtain human intervention.
To exercise your ARCO rights, send an email to privacy@nexusstemcells.com with the subject “ARCO Request.” We will respond within 20 business days as required by Mexican law, and may extend this period for an additional 20 days if justified.
Data retention
We retain your personal data for the time necessary to fulfill the purposes stated in this notice. Specifically:
- Health-related data collected through our inquiry forms is retained for 5 years from the date of your last interaction. This period aligns with the Official Mexican Standard NOM-024-SSA3-2012 for electronic health records, which mandates a minimum retention of 5 years.
- Contact data used only for secondary purposes (marketing) is retained for 24 months or until you withdraw your consent.
- Anonymised analytics data (from which you cannot be identified) may be retained indefinitely for statistical purposes.
Once the retention period expires, your data will be blocked (to prevent further use) and then deleted in accordance with Article 34 of the LFPDPPP (2025).
Sharing your personal data (transfers)
We do not sell your personal data to third parties.
We may share your data only in the following circumstances:
- With licensed medical partners and laboratories within our physician‑supervised network, all of whom are contractually bound to protect your data under the LFPDPPP.
- With service providers (e.g., email delivery, website hosting) that process data on our behalf. These providers are required to implement security measures equivalent to those we maintain.
- To comply with legal obligations, such as responding to a valid court order or a request from COFEPRIS (the Mexican health regulatory authority).
Cross‑border data transfers
Your personal data may be transferred to and stored on servers located outside Mexico (for example, in the United States or other countries where our service providers operate). Under Article 36 of the LFPDPPP (2025), such international transfers are permitted without your consent when necessary for medical diagnosis, healthcare provision, or the management of health services.
When we transfer your data internationally, we require the receiving party to agree in writing to protect your data with safeguards that are at least equivalent to those required by Mexican law.
Cookies and tracking technologies
Our website uses necessary (functional) cookies, which do not require your consent. For non‑essential cookies (analytics, marketing, preferences), we obtain your explicit opt‑in consent through our cookie consent banner. Although Mexico’s LFPDPPP does not explicitly regulate cookies, best practice and alignment with 2026 international standards require opt‑in for non‑essential cookies.
You can change your cookie preferences at any time by clicking “Cookie Preferences” in the footer of our website.
Security measures
We implement reasonable security measures to protect your personal data against unauthorized access, loss, alteration, or destruction. These measures include:
- TLS 1.3 encryption for data transmitted between your browser and our website.
- AES‑256 encryption for sensitive data stored in our databases.
- Access restricted to authorised personnel only, with role‑based permissions.
- Regular security audits and vulnerability scanning.
In the event of a data breach that poses significant risks to your rights, we will notify you without undue delay as required by the LFPDPPP.
Children’s privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe that a child has provided us with personal information, please contact us immediately so that we can delete it.
Your privacy rights outside Mexico
Although Nexus Stem Cells is based in Mexico and primarily governed by Mexican law, we recognise that you may be located in other jurisdictions.
- European Union / European Economic Area (GDPR): If you are located in the EU/EEA, the General Data Protection Regulation (GDPR) may apply to our processing of your personal data if we intentionally offer services to you or monitor your behaviour in the EU. The GDPR provides you with additional rights, including the right to data portability and the right to restrict processing. If you believe we have not complied with the GDPR, you have the right to lodge a complaint with your local Data Protection Authority.
- California (CCPA/CPRA): The California Consumer Privacy Act (as amended by the CPRA) can apply to businesses anywhere in the world that do business in California or collect California consumers’ personal information and meet certain thresholds (e.g., annual gross revenue over $25 million, or buying/selling personal data of 50,000+ consumers). Currently, Nexus Stem Cells does not meet those thresholds. Nevertheless, we voluntarily extend to all users the core CCPA rights: to know what personal data we collect, to request deletion, to opt out of “sales” (we do not sell data), and to non‑discrimination for exercising your rights.
- UK (UK GDPR): If you are located in the United Kingdom, the UK GDPR applies similarly to the EU GDPR.
If you have questions about how these laws apply to you, please contact us at privacy@nexusstemcells.com.
Use of artificial intelligence
We do not use AI for automated decision-making that produces legal effects concerning you or that otherwise significantly affects you. Any AI tools we may use (e.g., for spam filtering or analytics) are subject to human review and are audited for bias and transparency on an annual basis, in accordance with evolving standards under the LFPDPPP (2025), which now includes accountability for AI‑driven decision‑making.
Changes to this privacy notice
We may update this privacy notice from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. The “Last updated” date at the top of this notice will indicate when the most recent changes were made. If we make material changes, we will notify you by email (if you have provided one) or by posting a prominent notice on our website.
How to contact us
For any questions about this privacy notice, to exercise your ARCO rights, or to report a privacy concern, please contact:
Nexus Stem Cells Privacy Office
Email: privacy@nexusstemcells.com
Phone: +52 (33) 1840-6037
Address: C. Jose Maria Heredia 2960, Guadalajara, Jalisco, Mexico 44670
External links and third‑party services
Our website may contain links to external websites (e.g., research publications, social media platforms). This privacy notice does not apply to those external sites, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third‑party websites you visit.