In compliance with Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), its Regulations and the INAI Guidelines, we provide you with this comprehensive privacy notice.
1. Data controller identity and address
Naye Quiros, individual with business activity, with tax domicile in Mexico City (available upon request to privacidad@nqoro.com), is the controller for the processing of your personal data collected via nqoro.com.
2. Personal data we collect
2.1 Identification and contact data
- Full name
- Email address
- Phone
- Shipping address (street, neighborhood, city, state, ZIP, references)
2.2 Billing data
- Legal name, RFC (Mexican tax ID), tax regime, fiscal address and CFDI use — only when you request a tax invoice
2.3 Payment data (tokenized)
We do not store full card numbers. Payment data is processed directly on the servers of Stripe (PCI-DSS Level 1) and, where applicable, Mercado Pago. NQORO only keeps the last 4 digits and the card brand as a reference for you.
2.4 Browsing data (cookies and similar technologies)
IP address, browser/device identifier, pages visited, time on page, interactions with the site. See cookie policy for the details.
3. Purposes of processing
3.1 Primary purposes (required for the legal relationship)
- Process your order, payment, shipping and delivery
- Issue CFDI tax invoices when you request them
- Handle returns, refunds and warranties
- Respond to support inquiries
- Comply with tax, accounting and consumer protection (PROFECO) obligations
- Prevent fraud and money laundering
3.2 Secondary purposes (optional, require your consent)
- Send our newsletter and marketing communications
- Send the weekly NQORO · Φ ritual letter (tarot)
- Measure site usage (aggregated analytics)
- Show you relevant advertising on social networks
- Build purchase-behavior profiles
You may decline secondary purposes at any time without affecting your commercial relationship with NQORO.
4. Personal data transfers
We transfer personal data to the following processors, under contract:
| Provider | Purpose | Country |
|---|---|---|
| Stripe Inc. | Card payment processing | USA |
| Mercado Pago | Alternative payments (when active) | Argentina / Mexico |
| Skydropx | Shipping rates and labels | Mexico |
| Resend | Transactional and newsletter emails | USA |
| Cloudinary | Image storage and processing | USA / Israel |
| Vercel | Site hosting | USA |
| Neon | Postgres database | USA |
| Sentry | Error monitoring | USA |
| PostHog, Google Analytics, Meta, TikTok | Analytics and marketing (consent-gated) | USA / EU |
| Anthropic | AI chatbot (when active) | USA |
All processors are contractually bound to handle data only for the instructed purposes, maintain confidentiality and meet LFPDPPP security standards.
5. Your ARCO rights
You have the right to:
- Access: know what data we hold and how we use it
- Rectification: correct inaccurate or incomplete data
- Cancellation: delete your data when no longer needed
- Opposition: object to processing for specific purposes
- Withdrawal of consent for secondary purposes
You may exercise your ARCO rights through any of the following channels:
- From your account at nqoro.com/cuenta/privacidad (data download, rectification, cancellation, opposition)
- By emailing arco@nqoro.com with your full name, a copy of official ID, a clear description of the right you are exercising and the data the request refers to
We respond within a maximum of 20 business days (art. 32 LFPDPPP). The exercise is free of charge.
6. Security measures
- TLS 1.3 encryption on all web traffic, HSTS enabled
- Database encryption at rest
- Multi-factor authentication for administrative access
- Payment-data tokenization via PCI-DSS processors
- Immutable audit logs
- Least-privilege principle on internal access
- Rate limiting and brute-force protection
7. Retention
- Orders and billing: 5 years (Mexican SAT tax requirement)
- User account: while active; if you cancel, we delete within 30 days unless legal obligations apply
- Analytics: up to 26 months
- Consent logs: 5 years (INAI evidence)
8. Cookies
We use first-party and third-party cookies. Necessary ones are always on. Preferences, analytics and marketing require your consent. Details at /legal/cookies.
9. Minors
NQORO is not intended for minors under 18. If a guardian discovers a minor has registered, they may request cancellation at arco@nqoro.com.
10. Changes to this privacy notice
Any substantial change will be published at least 10 days before it takes effect, with the last-updated date refreshed. For changes affecting purposes for which you gave consent, we will notify you by email.
11. Authority
If you believe your right to the protection of personal data has been violated, you may file a complaint with INAI (Mexican DPA): home.inai.org.mx.
12. Acceptance
If you do not object to the processing of your data for the primary purposes when browsing, registering or purchasing on NQORO, you accept this notice. Secondary purposes require explicit consent via the CMP banner or specific opt-in checkboxes.
Controller: Naye Quiros · ARCO: arco@nqoro.com · General privacy: privacidad@nqoro.com · Last revised: April 21, 2026.