Privacy Policy

1. Identity of the Data Controller

JJ Innovative Results, LLC (the "Controller", "we", "us", or "JJIR"), a limited liability company organized under the laws of the Missouri, with public location at State of Missouri, United States of America. For operations and data subjects in México, the corresponding controller is JJ INNOVATIVE RESULTS (RFC JIR170511NC2), with public location at León, Guanajuato, México. Both entities are legally independent and operate under equivalent privacy and security policies.

For any matter related to this Policy, contact:

• Email: privacy@jjir.org
• Official domain: jjir.org

2. Scope

This Privacy Policy applies to:

• The jjir.org website and any subdomain we operate under the JJIR brand;
• Inquiries you send to us by email, phone, or any contact form on jjir.org;
• Any mobile or web application we publish under the JJIR brand on Apple App Store, Google Play, or directly via our website.

When we provide development or operations services for a client (for example, building a web platform that the client owns), the client is the data controller of the end-user data processed by that platform, and JJIR acts as a data processor under the engagement contract. In those cases, the client's own privacy notice governs that data — not this Policy.

3. Personal Data We Collect

We collect only the minimum data necessary to respond to your inquiry and operate our services.

3.1 Data you provide

• Identification: name, business or organization name (where applicable);
• Contact: email address, phone number;
• Inquiry content: the text of your message, any attachments you choose to send, and metadata such as preferred language;
• Engagement records (paying clients only): RFC, business address, billing data, signed contracts, invoices.

3.2 Data collected automatically

• Connection metadata: IP address, browser User-Agent, timezone offset, referrer URL;
• Strictly necessary cookies: session token, CSRF token, language preference;
• Server logs: request path, response status, latency, error traces — used for security and reliability.

We do not use advertising trackers, behavioral profiling cookies, or third-party analytics with tracking identifiers on jjir.org.

4. Purposes of Processing

4.1 Primary purposes (legitimate basis: contractual/pre-contractual)

• Reply to your inquiry, prepare quotes, and execute service engagements;
• Send invoices, statements, and other transactional communications;
• Provide ongoing support and maintenance for delivered software.

4.2 Secondary purposes (legitimate basis: legitimate interest, you may opt out)

• Improve the security and quality of our services (anonymized aggregate analytics only);
• Send rare service announcements (we do not send marketing newsletters from jjir.org).

You may revoke consent for secondary purposes at any time by emailing privacy@jjir.org.

5. Legal Bases (LFPDPPP / GDPR-equivalent)

• Performance of a contract or steps prior to entering a contract — for inquiries, quotes, engagements, billing;
• Compliance with a legal obligation — accounting and tax records;
• Legitimate interest — security, anti-abuse, and service operation;
• Explicit consent — for any data category not covered by the bases above.

6. How Long We Keep Your Data

| Category | Retention | |---|---| | Inquiry messages without engagement | 24 months from last contact | | Engagement records (contracts, invoices) | 5 years after engagement end (tax-law minimum) | | Server logs | 90 days | | Strictly necessary cookies | until session ends or you clear them |

After the retention period, data is deleted or irreversibly anonymized.

7. Sharing and Transfers

We do not sell, lease, or rent personal data. We share data only with:

• Service providers strictly necessary to deliver our services (e.g. transactional email delivery, payment processing, cloud hosting), each bound by written confidentiality and data-processing terms;
• Government authorities when compelled by a valid court order or applicable law;
• A successor entity in the event of a merger, acquisition, or sale of assets, in which case this Policy continues to apply.

International transfers (México ↔ United States) are covered by data-transfer clauses equivalent to the standard contractual clauses recognized by LFPDPPP and the European Commission.

8. Your Rights

You have the right to:

• Access the personal data we hold about you;
• Rectify inaccurate or incomplete data;
• Cancel (delete) data we hold, subject to legal retention obligations;
• Object to specific processing activities, including secondary purposes;
• Withdraw consent at any time, without retroactive effect;
• Data portability — request your data in a structured, commonly used format;
• Lodge a complaint with the relevant supervisory authority (INAI in México, the FTC or your state attorney general in the U.S.).

To exercise any of these rights, email privacy@jjir.org from the address associated with your data, with the subject line "Data subject request". We respond within thirty (30) days.

9. Security

We protect personal data with industry-standard controls including: TLS 1.3 transport encryption, encryption-at-rest for stored data, role-based access control, audit logging, and regular dependency and vulnerability scans. No system is 100% secure, but we treat data protection as a primary engineering concern, not an afterthought.

9.1 Mobile-wallet credentials and Secure Element

Where a JJIR-built application issues digital access credentials to a mobile wallet (Apple Wallet, Google Wallet, or equivalent), those credentials are provisioned through the platform's published wallet APIs and are protected by the device's hardware-backed Secure Element. The cryptographic key material that authenticates the credential at a reader is generated and stored by the wallet platform inside the Secure Element of the user's device. JJIR does not have, and cannot obtain, access to those private keys. We cannot extract, copy, transfer, or reuse them on any other device. Revocation and rotation of issued credentials happen through the wallet platform's own mechanisms.

10. Children

Our services are not directed to children under thirteen (13). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@jjir.org and we will delete it.

11. Cookies

We use only strictly necessary cookies on jjir.org: session, CSRF, and language preference. We do not use advertising or analytics cookies that track you across sites. By using jjir.org you consent to strictly necessary cookies; no consent banner is required for these under applicable law.

12. Changes to This Policy

We may update this Policy. The version and effective date appear at the top. For material changes (a new processing purpose, a new category of data, a new recipient), we notify clients with active engagements at least thirty (30) days in advance by email.

13. Governing Law

For data subjects in México: this Policy is governed by the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP, as amended in 2025) and its supervisory authority (INAI).

For data subjects in the United States: this Policy is governed by applicable state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, OCPA, ICPA, DPDPA, TDPSA, and others as enacted) and federal law (FTC Act §5).

For all other jurisdictions, equivalent rights apply on a comity basis.

14. Contact

To exercise rights, raise concerns, or request the integral version of this Policy:

• Email: privacy@jjir.org
• Postal: JJ Innovative Results, LLC, State of Missouri, United States of America