This Privacy Notice (the “Privacy Notice”) contains the terms and conditions relating to the collection, storage, use, transfer, safeguarding, and, in general, processing of Corporate Information, Personal Information, and Financial Information (as such terms are defined in MENDEL’s Terms and Conditions), as well as the personal data of the User’s representatives, officers, employees, contractors, subcontractors, directors, managers, and/or other officials that the User provides to MENDEL within the framework of MENDEL’s Terms and Conditions and/or a Service Request (the “Personal Data”), in compliance with the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares – “LFPDPPP”), its Regulations, and other applicable provisions.
This Privacy Notice also contemplates the processing of data derived from the use of corporate travel management technological functionalities (“Travel”) and automated recommendation, classification, filtering, and/or generation of outputs based on artificial intelligence (“AI Functions”), when enabled on the Platform.
This Privacy Notice forms an integral part of MENDEL’s Terms and Conditions. By accepting such Terms and Conditions through the corporate User’s representative, the User has accepted the provisions of this Privacy Notice.
I. IDENTITY AND ADDRESS OF MENDEL
Shlujim, S.A. de C.V. and Financiera CR Capital, S.A.P.I. de C.V., SOFOM, E.N.R. (hereinafter, “MENDEL”), with address at Blvd. Miguel de Cervantes Saavedra 161 – Floor 6, Granada, Miguel Hidalgo, C.P. 11520, Mexico City, CDMX, are responsible for the processing and protection of Personal Data, and therefore make this Privacy Notice available to you in compliance with the LFPDPPP and its Regulations.
As controller, MENDEL carries out the activities of collecting, storing, using, and safeguarding Corporate Information, Financial Information, and Personal Data through www.mendel.com (the “Website”) and/or MENDEL’s app/technology platform (the “Platform” or the “App”), as well as the channels enabled for onboarding, operation, and support of the services.
The protection of Personal Data is MENDEL’s responsibility, and data subjects may exercise the rights granted by applicable regulations pursuant to the procedure described under the section “Mechanism to express refusal of processing, exercise ARCO rights, and revoke consent.”
II. DEFINITIONS AND SCOPE
For purposes of this Privacy Notice:
a) “Website”: MENDEL’s website available at www.mendel.com (including subdomains and local pages).
b) “Platform” / “App”: MENDEL’s technology platform (including its application) through which MENDEL offers products and services to corporate clients, including software services and technological functionalities, as well as financial products/services when applicable.
c) “User” or “Corporate User”: MENDEL’s corporate customer (legal entity) that contracts and/or uses the Platform and authorizes its representatives, officers, employees, contractors, subcontractors, directors, managers, and/or other officials to use it.
d) “User’s Persons”: the natural persons authorized by the Corporate User who access and use the Website and/or Platform on its behalf (e.g., administrators, employees, collaborators, travelers, approvers, executives).
e) “Data Subject” (“Titular”): the natural person to whom the Personal Data relates.
f) “Personal Data”: any information concerning an identified or identifiable natural person.
g) “Travel”: technology functionalities integrated into the Platform that make it possible, among other things, to view, compare, filter, quote, request, manage and/or book services related to transportation, lodging, vehicle rental, insurance, and other related services, connecting the User with third parties (agencies, consolidators, GDSs and/or providers).
h) “AI Functions”: automated functionalities based on algorithms and/or artificial intelligence models that generate recommendations, rankings, classifications, filters, summaries, or other automated outputs within the Platform.
i) “AI Records”: prompts/queries entered into AI functionalities, generated outputs (responses, rankings, summaries, etc.), feedback provided (e.g., “useful/not useful”), and associated logs/metadata (session identifiers, timestamps, performance metrics, security signals, etc.).
This Privacy Notice applies to the processing of Personal Data carried out by MENDEL in connection with the use of the Website and/or Platform, contracted products and services, Service Requests, and Travel and AI Functions when enabled.
III. PERSONAL DATA COLLECTED
To fulfill the purposes described in this Privacy Notice, MENDEL may collect and process personal, employment, academic, asset-related, migration, and other data necessary for MENDEL to carry out the purposes described in Section V.
MENDEL may collect, by way of example and not limitation:
- Personal identification data of the User’s Persons.
- Contact details of the User and User’s Persons.
- Device location data from which the Website is accessed and/or the App/Platform is executed.
- IP address data associated with access from the device used to access the App and the Website.
- Tax data for billing services.
- Corporate Information and Financial Information and information related to credit risk profiling and/or profiling under anti-money laundering regulations, as well as other financial data corresponding to the means of disposition used by the Corporate User and User’s Persons.
Likewise, MENDEL collects from its clients and prospects (natural persons and legal entities; collectively, the “Data Subject”), the following categories of data:
Identification and contact data – natural persons (where applicable):
Name; marital status; Federal Taxpayers Registry (RFC); Unique Population Registry Code (CURP); place of birth; date of birth; nationality; address; home phone; mobile phone; email; age.
Identification and contact data – legal entities:
Corporate name; business activity/corporate purpose; nationality; RFC; advanced e-signature serial number; confidential electronic identification key (CIEC); address; institutional phones; incorporation data; shareholding structure; names of attorneys-in-fact/administrators/managers/CEO; controlling beneficiary.
Employment data:
Position/job title; work address; email; telephone(s).
Academic data:
Educational background; company CV (legal entities).
Migration data:
Residence rights; nationality of the company (legal entities).
Asset and/or financial data – natural persons:
Credit history; income; bank accounts; credit card number(s).
Asset and/or financial data – legal entities:
Credit history; financial statements; bank accounts.
These data may be obtained in person or through electronic means (equipment, optical media, automated data processing systems, and telecommunications networks, public or private), under applicable legal provisions made available by MENDEL, in which the creation, transmission, modification, or extinction of rights and obligations may be recorded.
Data associated with Travel
When the User uses Travel functionalities, MENDEL may process data necessary to facilitate technological travel management and connection with third parties (agencies, consolidators, GDSs and/or providers), such as: traveler data (name, contact information), travel preferences (e.g., flight/hotel preferences, loyalty programs if uploaded), itineraries and booking details (dates, segments, lodging, record locators, conditions), requests, approvals, and internal travel policies, as well as the minimum data required by the third party for booking/issuance/confirmation (e.g., ID or passport data only if required by the third party and provided/authorized by the User).
Data associated with AI Functions
To provide AI Functions, MENDEL may process: (i) content entered by the Data Subject/User’s Persons in query fields (prompts), (ii) outputs generated (responses, rankings, summaries, etc.), (iii) operational context data used by the function (e.g., categories, internal policies, Travel information available in the Platform), and (iv) technical and quality/security metadata (timestamps, session identifiers, performance metrics, security logs, and abuse signals).
AI Records (retention and use)
MENDEL may record and retain AI Records in logs and/or databases for: (a) operation and support of the functionality, (b) quality control, audit, and traceability, (c) security, fraud/abuse prevention, and incident detection, (d) analysis, investigation, and bug fixing, and (e) continuous improvement of the Platform and AI Functions.
MENDEL may also use AI Records to train, fine-tune, evaluate, and improve models, algorithms, and/or rules associated with AI Functions and/or the Platform, preferably applying minimization, aggregation, and/or anonymization techniques where feasible, and maintaining access and confidentiality controls.
MENDEL may conduct human review of AI Records for quality control, security, abuse prevention, and incident resolution, applying access controls and confidentiality obligations.
The Data Subject and/or User’s Persons undertake not to enter sensitive personal data (e.g., health, biometric, beliefs, sexual orientation, etc.) or information that should not be shared, especially in AI interactions.
IV. SENSITIVE PERSONAL DATA
For the specific case of the App/Platform and the Website, as well as specialized third parties (as applicable, service providers and/or commercial entities), MENDEL may collect the following sensitive data when indispensable for service operation or a specific feature:
- Geolocation (including precise geolocation if enabled by the Data Subject and indispensable for a feature).
- Biometric data (only if a specific feature requires it and based on applicable legal grounds).
V. PURPOSES OF PROCESSING
Personal Data collected by MENDEL is processed for two types of purposes:
A) Purposes necessary for the legal relationship between MENDEL and the Data Subject:
- Identify clients and validate identity.
- Manage and operate services and products requested or contracted.
- Assess payment capacity and liquidity.
- Inform clients about changes in products and services.
- Register data for the contracted product/service.
- Formalize and register contracting of a product or service.
- Credit bureau inquiries.
- Geolocation of the Data Subject when contracting, via mobile device or Website.
- Identify Users, verify identity, and validate Corporate and Financial Information, including credit capacity analysis through Credit Information Companies.
- Identify representatives, officers, employees, contractors, subcontractors, directors, managers and/or other User officials.
- Promotion and evaluation of financial services and products, including credit analysis and risk profiling.
- Marketing and promotional activities, sending information that may be of interest.
- Market analysis and intelligence related to spending/consumption behavior of User’s Persons, risk analysis, purchasing preference analysis, and delivery of results about User activity and User’s Persons in the use of means of disposition.
Travel (when applicable):
- Enable technological management of requests, quotes, and bookings within the Platform.
- Facilitate connection and transmission of required information to third parties (agencies, consolidators, GDSs and/or providers) at the User’s request.
- Provide operational/technological support for Travel (e.g., tracking, request administration).
AI Functions (when applicable):
- Generate recommendations, rankings, classifications, filters, or summaries based on Platform data.
- Improve quality and safety (e.g., detect abuse, failures, problematic outputs).
- Maintain reasonable security and performance logs.
- Train, fine-tune, evaluate, and improve models/algorithms/rules associated with AI Functions and/or the Platform, including analysis of prompts, outputs, and feedback, using minimization and, when feasible, aggregation and/or anonymization.
B) Purposes not necessary for the legal relationship:
- Customer satisfaction and quality surveys.
- Sending commercial and advertising information via email and mobile (SMS, MMS).
- Informing about new products or services related to those contracted/acquired.
- Collection management, including recovery of delinquent portfolios and preventive actions, including portfolio sales.
By entering into a contract with MENDEL, the Data Subject gives express or implied consent to processing, as provided by applicable provisions.
The Corporate User acknowledges that, regarding Personal Data of User’s Persons provided to MENDEL, the Corporate User is obligated to inform User’s Persons about the processing of their data and the content of this Privacy Notice, and declares it has duly complied with such obligation.
VI. MECHANISM TO REFUSE PROCESSING, EXERCISE ARCO RIGHTS, AND REVOKE CONSENT
Once this Privacy Notice is made available to the Data Subject and no opposition is expressed, it will be understood that the Data Subject grants MENDEL consent to process Personal Data.
If the Privacy Notice was not provided directly or personally, the Data Subject will have five (5) business days under the law to state that he/she does not consent to the processing of personal data for purposes that are not necessary and did not give rise to the legal relationship.
The Data Subject may exercise ARCO rights (Access, Rectification, Cancellation, and Opposition) and revoke consent.
Procedure:
- Submit an ARCO request to the “Personal Data Protection Unit” located at Blvd. Miguel de Cervantes Saavedra 161 – Floor 6, Granada, Miguel Hidalgo, C.P. 11520, Mexico City, CDMX or by email to [email protected].
- Identity must be evidenced by providing, via email to [email protected], INE or passport (if exercised by the Data Subject) or INE/passport of the legal representative, the valid power of attorney, and INE/passport of the Data Subject whose data is subject to the request.
- The Personal Data Protection Unit will register and process the request and respond within the timeframes set by law.
- MENDEL may refuse cancellation/opposition under the cases contemplated in Articles 26 and 34 of the LFPDPPP.
VII. TRANSFERS OF PERSONAL DATA
MENDEL may transfer and process the Data Subject’s Personal Data within and outside Mexico to MENDEL affiliates, regulators, and companies that provide services, for the purposes described in Section V, including, by way of example and not limitation:
(a) MENDEL affiliates/related entities for operation, support, internal administration, and/or infrastructure.
(b) Technology providers (hosting, storage, communications, monitoring, cybersecurity, analytics, support, integrations) under confidentiality and security agreements.
(c) Fraud prevention/identity verification/corporate verification and/or screening providers, as needed.
(d) Credit information companies and related providers for credit bureau inquiries, as applicable.
(e) Travel third parties (agencies, consolidators, GDSs and/or providers) only to the extent necessary for Travel management requested by the User and under their terms/policies.
(f) Providers associated with AI Functions (e.g., infrastructure or technology services to operate the feature) to the extent necessary to provide the service and, where applicable, acting as processors under MENDEL’s instructions, with confidentiality, security, and purpose limitation obligations.
Additionally, MENDEL may disclose Personal Data if required by law or by competent authorities under applicable legislation.
When transferring data, MENDEL will require appropriate confidentiality and security obligations consistent with applicable law.
VIII. CONSENT TO TRANSFERS
MENDEL will not transfer Personal Data to third parties without the Data Subject’s consent and in compliance with Article 37 of the LFPDPPP, except where an exception applies under the applicable regulations.
IX. OPTIONS AND MEANS TO LIMIT USE OR DISCLOSURE
MENDEL has implemented administrative, physical, and technical security measures to prevent misuse and disclosure of Personal Data.
Additionally, MENDEL encourages:
- Registering with the Public Registry to Avoid Advertising (REPEP).
- For natural persons, registering with the Public Registry of users who do not wish to receive advertising about financial products and services (REUS).
X. COOKIES / WEB BEACONS / SIMILAR TECHNOLOGIES
When accessing the Website and/or the App/Platform, mechanisms (cookies, web beacons, or similar technologies) may automatically collect information such as: source IP address, browser used, date and time of access, browser type, operating system type, web pages visited, searches performed, advertising reviewed, and consumer habits, among others.
The Data Subject may disable these mechanisms at any time according to the instructions provided by the browser providers. If additional information is needed, please consult MENDEL’s Cookies/Web Beacons Policy.
XI. MENDEL COMPLIANCE
MENDEL complies with the obligations set forth in the LFPDPPP, its Regulations, and related regulatory and/or administrative provisions.
MENDEL assumes no liability for processing carried out by third parties for whom MENDEL has no duty to respond. Recipients of data will be subject to the LFPDPPP and its Regulations as controllers and must process the data in accordance with this Privacy Notice.
Any processor that receives or accesses Personal Data on MENDEL’s behalf will be deemed responsible with MENDEL’s obligations if it processes Personal Data for a purpose other than that authorized by MENDEL. Any such processing will be the responsibility of that third party, without liability attributable to MENDEL.
XII. CHANGES TO THIS PRIVACY NOTICE
MENDEL reserves the right to make changes or updates to this Privacy Notice at any time to address legislative or jurisprudential developments, internal policies, new requirements for providing or offering services or products, and market practices.
Any changes will be communicated through the Website.
Last update: January 2026.
If the Data Subject considers their rights have been violated, or suspects a breach of the LFPDPPP, they may file a complaint with the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI). For more information: https://home.inai.org.mx/