/01 Who we are
The entity responsible for processing your personal information is:
| LEGAL ENTITY | XX Disruptive Minds SAPI de CV |
| TRADE NAME | XX Disruptive Minds (XXDM) |
| PRINCIPAL OFFICE | Mexico City, Mexico |
| CONTACT EMAIL | hello@xxdisruptiveminds.com |
| WEBSITE | xxdisruptiveminds.com |
Throughout this policy, XX Disruptive Minds SAPI de CV is referred to as "XXDM", "the company", "we" or "the studio". The person who provides their personal information is referred to as "the individual", "you" or "the user".
/02 Information we collect
To fulfill the purposes described below, XXDM may collect the following categories of personal information about you:
2.1 Identification and contact information
- Full name
- Email address
- Phone or WhatsApp number
- Company or client business name
- Job title or role at the company
2.2 Commercial and project information
- Description of the project or service requested
- Estimated budget and investment range
- Timeline or estimated project dates
- Client industry or sector
2.3 Billing information (only upon engagement)
- Business legal name and tax identification (e.g., EIN)
- Billing address
- Billing contact
- Tax forms required for international payment (e.g., W-8BEN-E provided by us)
- Banking or payment details for invoicing and transfers
2.4 Technical browsing information
- IP address (anonymized)
- Device and browser type
- Pages visited and time on page
- Traffic source (referrer)
// INFORMATION WE DO NOT COLLECT
XXDM does not collect sensitive personal information (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or genetic/biometric information). We also do not knowingly collect information from minors. If you believe you have provided information that falls into these categories, contact us so we can delete it.
/03 How we use your information
3.1 Primary purposes (necessary to provide the service)
Your personal information is used for the following essential purposes:
- Respond to inquiries received via form, email, WhatsApp, or any other studio channel.
- Prepare commercial proposals tailored to the project you describe.
- Formalize service agreements upon engagement, including invoicing and billing in USD.
- Maintain operational communication throughout the project (Slack, email, calls, meetings).
- Process payments by card, ACH, or wire via our payment processor, or other authorized methods.
- Comply with legal obligations — tax, administrative, or contractual — that apply to us.
3.2 Secondary purposes (optional)
With your express consent, we may also use your information to:
- Send you newsletters about new services, case studies, or studio content.
- Invite you to events, webinars, or launches related to XXDM.
- Request your post-project feedback through surveys.
- Feature you as a public case study (only with explicit written authorization).
// OPTING OUT OF SECONDARY PURPOSES
You can decline or opt out at any time from the use of your information for secondary purposes, without affecting the delivery of the core service. Send a request to hello@xxdisruptiveminds.com with "Opt out of secondary purposes" in the subject line.
/04 How we share information
XXDM does not sell, rent, or share your personal information with third parties for their commercial purposes. In limited cases, however, we may share information with service providers who help us operate, always under confidentiality agreements.
4.1 Sharing that does not require your consent
We may share information without your consent in the following cases:
- Tax, regulatory, and judicial authorities when required to do so by law.
- Payment processors (banks, intermediaries) to collect payment for contracted services.
- Companies within the same corporate group under a consistent privacy policy.
4.2 Service providers we share operational information with
| HOSTING / INFRA | Netlify, Cloudflare, AWS — site hosting and data storage |
| EMAIL | Google Workspace — client communication |
| ANALYTICS | Plausible Analytics — metrics without invasive cookies |
| CRM | Internal system — lead and project management |
| PAYMENTS | Stripe — invoicing and card, ACH, and wire processing |
All of these providers maintain their own privacy policies that meet international standards (GDPR, CCPA/CPRA, and equivalent frameworks as applicable). If you need specifics about a particular provider, contact us.
/05 Your privacy rights
As an individual whose personal information we hold, you have the following rights under US privacy frameworks such as the CCPA/CPRA, and consistent with general data-protection principles:
Your 4 core rights
You may exercise any of these rights at any time, with no need to justify your reasons. We respond within the timeframes required by applicable law (generally up to 45 days for verifiable requests, with an extension where permitted).
A
ACCESS
Know what information we hold about you and how we use it.
R
CORRECTION
Correct information that is inaccurate or out of date.
D
DELETION
Delete your information from our systems.
O
OPT OUT
Opt out of specific processing of your information.
5.1 How to exercise your rights
To exercise any of these rights, send an email to hello@xxdisruptiveminds.com including:
- The full name and email address associated with your account or your communication with XXDM.
- Enough information for us to reasonably verify your identity as the individual making the request (we will not request more information than necessary).
- A clear, specific description of the right you wish to exercise (access, correction, deletion, or opt out).
- For a correction, the corrected information and any documents that support the change.
- For a deletion or opt out, the reason for your request (optional, but it helps us respond faster).
5.2 Response times
We confirm receipt promptly and respond within the timeframe required by applicable law — generally up to 45 days for a verifiable request, with one additional extension where the law permits and where we notify you of the reason. If your request is granted, we will give effect to it without undue delay.
5.3 When we may decline a request
Consistent with applicable law, we may decline a privacy-rights request in these cases:
- When you are not the individual the information relates to, or we cannot reasonably verify your identity.
- When the information is necessary to meet ongoing legal or contractual obligations (e.g., tax and billing records).
- When there is a legal impediment or an order from a competent authority.
- When the correction or deletion would affect the rights of third parties.
// NO RETALIATION
We will never discriminate or retaliate against you for exercising your privacy rights. You will receive the same level of service and the same pricing whether or not you choose to exercise them.
/06 Cookies and tracking
Our website uses minimal, respectful tracking technologies. We do not use invasive third-party cookies. For full details, see our Cookie Policy.
Quick summary:
- Technical cookies: necessary for the site to function (session, preferences). These do not require consent.
- Analytics: we use Plausible Analytics, which does not use cookies or collect identifiable personal information.
- Marketing: we may use a conversion pixel to measure advertising effectiveness; you can manage tracking through your browser settings and any consent controls we display.
/07 Security measures
XXDM implements reasonable administrative, physical, and technical safeguards to protect your personal information against unauthorized access, alteration, loss, or destruction:
- TLS 1.3 encryption on all website communications (HTTPS enforced).
- Encryption of data at rest in databases and storage.
- Two-factor authentication (2FA) across all internal lead-management systems.
- Encrypted backups with a 30-day retention window.
- Access restricted by role and operational need.
- Regular training for the team on data protection.
// IN THE EVENT OF A SECURITY INCIDENT
If we detect an incident that compromises your personal information, we will notify you within 72 hours of discovery, along with the corrective measures taken and recommendations to protect yourself. This notification will be sent to the email on record in our database.
/08 Consent
By providing your personal information to XXDM — whether via web form, email, WhatsApp, or any other channel — you expressly accept the processing described in this privacy policy for the primary purposes.
Consent for secondary purposes is requested separately and is always optional. You may grant it, decline it, or withdraw it at any time without affecting the delivery of the core service.
/09 Changes to this policy
XXDM reserves the right to modify, update, or expand this privacy policy when necessary due to:
- Changes in applicable law.
- New regulatory requirements.
- Updates to our data-processing practices.
- Changes to relevant technology providers.
Any material change will be communicated through our website (xxdisruptiveminds.com) and by email to active users at least 15 days before it takes effect.