Who We Are
Gracida Suite is a business management platform owned and operated by Gracida Procesos Industriales S.A. de C.V. ("Gracida", "we", "us", or "our"), a company incorporated under the laws of the United Mexican States.
This Privacy Policy applies to all users of the Gracida Suite application across all platforms, including iOS, macOS, and web. By accessing or using the application, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy.
Data Controller: Gracida Procesos Industriales S.A. de C.V.
Contact: support@aisdc-org.com
Information We Collect
We collect the following categories of information depending on how you interact with the platform:
2.1 Account & Authentication Data
When you sign in using Google Sign-In or Apple Sign-In, we receive your name, email address, and profile photo as provided by the identity provider. We do not access or store your password from these services.
2.2 Business Data You Provide
Information you voluntarily enter into the platform, including but not limited to:
- Client and supplier records (names, addresses, tax identifiers, fiscal regimes, contact details)
- Projects, tasks, calendar events, and deliverables
- Quotations, sales orders, purchase orders, and invoices (including CFDI-compliant fiscal documents)
- Expense records, payment tracking, and financial data
- Product catalog entries (descriptions, pricing, categories, stock levels)
- Internal notes, comments, and activity logs
2.3 Email Data
If you connect an email account, we sync email messages to display them within the application. This includes sender/recipient information, subject lines, message bodies, timestamps, and attachments. Email data is used to provide in-app email viewing and AI-generated summaries.
2.4 Files & Documents
Files you upload to the platform, including PDFs, images, spreadsheets, and any other attachments associated with your business records. These are stored in cloud storage and indexed for search functionality.
2.5 Device & Technical Data
- Device tokens for push notifications (FCM tokens)
- Device type, model, and operating system version
- App version and build number
- IP address and general geolocation (country/region level)
- Browser type and version (web users)
- Screen resolution and display density
2.6 Usage & Analytics Data
We use Firebase Analytics (Google Analytics for Firebase) to collect anonymous and aggregated usage data, including:
- Screen views and navigation patterns
- Feature usage frequency and session duration
- App opens, crashes, and performance metrics
- User engagement events (non-personally identifiable)
2.7 Camera & Photo Library
We access your device camera or photo library only when you explicitly initiate an action to capture or select an image (e.g., uploading a document photo or changing your profile picture). We do not access these peripherals in the background.
2.8 Crash & Performance Data
We collect crash reports, stack traces, and performance diagnostics to identify and resolve technical issues. This data may include device state at the time of the error but does not include personal business data.
How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Operate and provide all platform modules (sales, projects, accounting, tasks, calendar, documents, purchasing, deliveries, expenses, client portal) | Contract performance |
| Authenticate your identity and enforce role-based access controls | Contract performance |
| Send push notifications about tasks, events, deadlines, and business updates | Consent / Legitimate interest |
| Power AI features including document search, email summaries, and conversational assistant | Consent / Legitimate interest |
| Generate quotations, invoices, and PDF documents | Contract performance |
| Synchronize data across devices in real time | Contract performance |
| Analyze anonymous usage patterns to improve the app experience | Legitimate interest |
| Monitor performance, diagnose crashes, and maintain service stability | Legitimate interest |
| Comply with legal obligations (e.g., Mexican fiscal regulations for CFDI) | Legal obligation |
Analytics & Tracking
We use Firebase Analytics (Google Analytics for Firebase) to understand how users interact with the application. This service is provided by Google LLC and processes data in accordance with Google's privacy policy.
What Firebase Analytics collects:
- Anonymized and aggregated usage events (screen views, button taps, feature usage)
- Session metadata (duration, frequency, app version)
- Device properties (model, OS, screen size, language)
- General location (country and region based on IP, not precise GPS)
- App instance identifiers (resettable, non-personally-identifiable)
What Firebase Analytics does NOT collect:
- Your business data (clients, invoices, projects, etc.)
- Email contents or attachments
- Precise GPS location
- Personal messages or notes
Advertising: We do NOT use analytics data for advertising purposes. We do NOT display ads in the application. We do NOT sell analytics data to third parties. Firebase Analytics data is used exclusively for product improvement and performance monitoring.
You may opt out of analytics collection by adjusting your device's privacy settings (iOS: Settings > Privacy > Analytics; macOS: System Settings > Privacy & Security > Analytics).
Artificial Intelligence & Automated Processing
Gracida Suite integrates AI-powered features through Google Vertex AI and related Google Cloud services. These features include:
- Conversational AI Assistant: Allows you to query your business data using natural language.
- Document Search: AI-powered search across uploaded documents and indexed business records.
- Email Summaries: Automated summarization of email conversations.
- Entity Recognition: Automatic identification and linking of business entities mentioned in documents and communications.
Important: AI features process your data on Google Cloud Platform infrastructure. Your data is processed in accordance with Google Cloud's data processing terms and is NOT used by Google to train general AI models. AI-generated responses may contain inaccuracies. You are responsible for verifying any AI-generated content before relying on it for business decisions. Gracida assumes no liability for decisions made based on AI-generated outputs.
Data Sharing & Third-Party Processors
We do not sell, rent, lease, or trade your personal or business data to any third party under any circumstances.
We share data only with the following categories of processors, strictly as necessary to provide the service:
| Processor | Purpose | Data Shared |
|---|---|---|
| Google Cloud Platform / Firebase | Infrastructure: data storage (Firestore), authentication, cloud functions, push notifications (FCM), file storage, analytics | All platform data, encrypted at rest and in transit |
| Google Vertex AI | AI search, document indexing, conversational assistant, email summaries | Indexed documents, search queries, email content for summarization |
| Apple (Sign in with Apple) | Authentication | Authentication tokens only |
| Google (Google Sign-In) | Authentication | Authentication tokens only |
Intra-organizational sharing
Team members within your organization can access shared business data according to their assigned roles and permissions as configured by your organization's administrator. Gracida is not responsible for access permissions configured by your organization.
Client Portal sharing
If your organization uses the Client Portal feature, your external clients may view quotations, project statuses, and invoices that your organization explicitly shares with them through the portal.
Legal requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including compliance with Mexican fiscal authorities (SAT) regarding CFDI documentation.
Data Storage & Security
Your data is stored on Google Cloud Platform infrastructure with the following security measures:
- Encryption at rest: All data stored in Firestore, Cloud Storage, and backups is encrypted using AES-256.
- Encryption in transit: All communications between your device and our servers use TLS 1.2 or higher.
- Authentication: Firebase Authentication with support for multi-factor authentication via Google and Apple identity providers.
- Tenant isolation: Multi-tenant architecture ensures your organization's data is logically separated from other organizations.
- Role-based access control: Granular permissions system restricting data access based on user roles (Admin, Manager, Sales, Engineering, Accountant).
- Firebase Security Rules: Server-side rules enforcing data access policies at the database level.
- Audit logging: Activity logs tracking data access and modifications.
No Absolute Guarantee: While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge and accept this inherent risk when using any cloud-based service. Gracida shall not be held liable for unauthorized access resulting from factors beyond our reasonable control, including but not limited to zero-day vulnerabilities, compromise of third-party infrastructure providers, or user credential compromise.
Data Retention
- Active accounts: We retain your data for as long as your account remains active and your organization maintains its subscription.
- Account deletion: Upon request, we will delete your personal data within 30 calendar days. Organizational business records (invoices, fiscal documents) may be retained for up to 5 years as required by Mexican tax law (Código Fiscal de la Federación).
- Analytics data: Aggregated analytics data is retained for up to 14 months by Firebase Analytics, after which it is automatically purged.
- Crash reports: Retained for up to 90 days.
- Backups: Encrypted backups may persist for up to 30 days after data deletion before being permanently purged.
- Legal holds: Data subject to legal proceedings or regulatory investigations may be retained beyond normal retention periods as required by law.
Your Rights
In accordance with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and applicable international privacy frameworks, you have the following ARCO rights:
- Access (Acceso): Request a copy of the personal data we hold about you.
- Rectification (Rectificación): Request correction of inaccurate or incomplete personal data.
- Cancellation (Cancelación): Request deletion of your personal data, subject to legal retention obligations.
- Opposition (Oposición): Object to specific processing of your personal data.
Additionally, you may:
- Export your data in standard formats.
- Withdraw consent for optional features (email sync, push notifications, analytics).
- Request information about what data has been shared and with whom.
- Lodge a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).
To exercise any of these rights, contact us at support@aisdc-org.com. We will respond within 20 business days as required by Mexican law.
Cookies & Local Storage
The web version of Gracida Suite uses the following technologies:
- Firebase Authentication tokens: Stored in local storage to maintain your session.
- Service Worker cache: Used by Flutter Web to cache application assets for faster loading and limited offline functionality.
- Firebase Analytics cookies: First-party cookies used by Google Analytics for Firebase to distinguish users and sessions. These are not used for advertising.
The iOS and macOS applications do not use cookies but may use equivalent local storage mechanisms provided by the operating system.
Third-Party Services & Links
Gracida Suite may contain links to or integrations with third-party services. We are not responsible for the privacy practices, content, or security of any third-party services. Each third-party service is governed by its own privacy policy:
- Google Privacy Policy
- Firebase Privacy & Security
- Google Cloud Data Processing Addendum
- Apple Privacy Policy
We strongly recommend that you review the privacy policies of any third-party service before providing them with your information.
International Data Transfers
Your data may be processed and stored on servers located outside of Mexico, including in the United States, where Google Cloud Platform maintains its infrastructure. By using Gracida Suite, you consent to the transfer of your data to these jurisdictions.
Google Cloud Platform provides contractual safeguards including Standard Contractual Clauses (SCCs) for international data transfers, as well as compliance with applicable data protection frameworks.
Gracida is not responsible for data protection practices in jurisdictions where third-party processors operate, beyond requiring contractual commitments to maintain adequate safeguards.
Children's Privacy
Gracida Suite is a business application designed for professional and commercial use. It is not intended for use by children under 13 years of age (or under 16 in jurisdictions where applicable). We do not knowingly collect personal information from children.
If we become aware that we have collected personal data from a child without verified parental consent, we will take steps to delete that information as quickly as possible. If you believe a child has provided us with personal data, please contact us immediately at support@aisdc-org.com.
Disclaimers
14.1 "As Is" Provision
Gracida Suite is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, whether express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, or reliability.
14.2 Data Accuracy
You are solely responsible for the accuracy, completeness, and legality of the data you enter into the platform. Gracida does not verify, validate, or audit the business data you input. Any fiscal documents (CFDI, invoices, payment complements) generated by the platform are based entirely on the information you provide.
14.3 AI-Generated Content
AI features (search results, email summaries, conversational responses, entity recognition) are generated by automated systems and may contain errors, inaccuracies, or omissions. AI outputs do not constitute professional, legal, financial, or tax advice. You must independently verify all AI-generated content before using it for any business decision.
14.4 Email Integration
Email synchronization is provided as a convenience feature. Gracida is not responsible for email delivery failures, synchronization delays, missing messages, or any consequences arising from reliance on the email integration as your primary email client.
14.5 Service Availability
We do not guarantee uninterrupted, timely, or error-free operation of the platform. The service may be subject to downtime for maintenance, updates, or circumstances beyond our control, including but not limited to failures in third-party infrastructure (Google Cloud Platform, Firebase, internet service providers).
14.6 Fiscal & Legal Compliance
While Gracida Suite supports CFDI-compliant invoicing and Mexican fiscal document formats, we do not provide tax, legal, or accounting advice. You are solely responsible for ensuring that your use of the platform complies with all applicable laws, regulations, and fiscal requirements. We strongly recommend consulting qualified professionals for tax and legal matters.
14.7 Third-Party Dependencies
Gracida Suite relies on third-party services (Google Cloud Platform, Firebase, Vertex AI, Apple Authentication). Changes, outages, or discontinuation of these services may affect the functionality of the platform. We are not responsible for any losses or damages resulting from third-party service disruptions.
14.8 User Credentials & Access
You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. Gracida is not liable for unauthorized access to your account resulting from your failure to secure your credentials, including shared devices, compromised identity provider accounts, or social engineering attacks.
14.9 Data Backup
While we maintain regular backups, you are encouraged to independently back up your critical business data. Gracida is not responsible for permanent data loss in the event of catastrophic infrastructure failure, despite our best efforts to prevent such scenarios.
Limitation of Liability
To the maximum extent permitted by applicable law, Gracida Procesos Industriales S.A. de C.V., its directors, officers, employees, agents, and affiliates shall not be liable for:
- Any indirect, incidental, special, consequential, or punitive damages.
- Any loss of profits, revenue, data, business opportunities, or goodwill.
- Any damages arising from unauthorized access to or alteration of your data.
- Any damages arising from interruption or cessation of the service.
- Any damages resulting from reliance on AI-generated content or automated features.
- Any damages caused by third-party services, infrastructure providers, or identity providers.
- Any damages resulting from bugs, errors, or vulnerabilities in the software.
- Any fiscal, legal, or regulatory penalties arising from your use of the platform.
- Any damages arising from force majeure events, including natural disasters, pandemics, wars, government actions, cyberattacks, or infrastructure failures beyond our reasonable control.
In no event shall our total aggregate liability exceed the amount you have paid to Gracida in the twelve (12) months immediately preceding the event giving rise to the claim, or one hundred (100) Mexican pesos, whichever is greater.
Indemnification: You agree to indemnify, defend, and hold harmless Gracida and its affiliates from any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from your use of the platform, your violation of this policy, or your violation of any applicable law or regulation.
Changes to This Policy
We reserve the right to modify this Privacy Policy at any time. When we make material changes, we will:
- Update the "Effective" date at the top of this page.
- Post a notice within the application.
- For significant changes, send a notification to your registered email address.
Your continued use of Gracida Suite after any modifications constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must discontinue use of the platform and request account deletion.
Governing Law & Jurisdiction
This Privacy Policy shall be governed by and construed in accordance with the laws of the United Mexican States, including the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its regulations.
Any dispute arising from or related to this Privacy Policy shall be submitted to the competent courts in the city where Gracida Procesos Industriales S.A. de C.V. maintains its principal place of business, and you hereby consent to the exclusive jurisdiction of such courts.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you may contact us through the following means:
Gracida Procesos Industriales S.A. de C.V.
Email: support@aisdc-org.com
Subject line: "Privacy Request — Gracida Suite"
We will acknowledge receipt of your request within 5 business days and provide a substantive response within 20 business days, as required by the LFPDPPP.