PRIVACY POLICY

VAOTHY COMPANY S.A. DE C.V.
Last updated: May 18, 2026

This Comprehensive Privacy Notice (hereinafter, the "Notice") is issued in strict compliance with the provisions of the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), its Regulations, and the Privacy Notice Guidelines published in the Official Gazette of the Federation.

CLAUSE I. - DECLARATION OF RESPONSIBILITY AND LEGAL ADDRESS
VAOTHY COMPANY S.A. DE C.V. (hereinafter, "THE CONTROLLER"), a company duly incorporated under the laws of the Mexican Republic, states that it is the owner of and the party responsible for the processing of personal data collected through its e-commerce portal vaothy.com, as well as at its physical facilities.

For the purpose of any communication, clarification, or exercise of rights related to data integrity, THE CONTROLLER designates its legal address as:

Calle José María Velazco 2440, Zona Urbana Río Tijuana, Postal Code 22010, Tijuana, Baja California, Mexico.

CLAUSE II. - SCOPE AND PURPOSE
The purpose of this document is to establish the terms and conditions under which THE CONTROLLER carries out the collection, use, disclosure, storage, and, in general, the processing of user information (hereinafter, the "DATA SUBJECT").

THE CONTROLLER reliably states that the services provided under the VAOTHY brand consist exclusively of non-invasive aesthetic, facial, and body treatments. Therefore, the processing of personal data described herein is limited to a wellness and cosmetic services relationship, and not to a clinical or surgical doctor-patient relationship, disclaiming the specific regulations of invasive health institutions, without prejudice to compliance with current health regulations applicable to SPAs.

CLAUSE III. - GLOSSARY OF LEGAL TERMS
For greater clarity and technical rigor, the following definitions are adopted:

Processing: The collection, use, disclosure, or storage of personal data by any means.

Transfer: Any communication of data made to a person other than the controller or processor.

Third Party: A natural or legal person, national or foreign, other than the data subject or the data controller.

Sensitive Personal Data: Data that affect the most intimate sphere of their owner, or whose improper use may give rise to discrimination or pose a serious risk to the owner.

CLAUSE IV. - CATEGORIZATION AND TAXONOMY OF COLLECTED DATA
By virtue of the operation of the VAOTHY digital ecosystem, the DATA SUBJECT is informed that the following personal data will be collected, under the principles of legality, consent, information, quality, purpose, loyalty, proportionality, and responsibility:

A. Identification and Contact Data (Collected directly or electronically):

Full name.

Institutional or personal email address.

Mobile phone number.

Physical address linked to billing or product shipping.

B. Patrimonial and Financial Data (High Security Processing):
Given the nature of the e-commerce platform, credit card, debit card, or intermediary payment account data will be processed. This data will be treated under encryption protocols and in compliance with international financial security standards, with the exclusive purpose of completing the commercial transaction and mitigating risks of fraud or identity theft.

C. Sensitive Personal Data (With Express Consent):
Due to the nature of SPA services and personalized follow-up, THE CONTROLLER may collect data related to superficial health status (skin allergies, skin types, non-clinical dermatological conditions). This data is essential to avoid contraindications in non-invasive treatments and to guarantee the physical integrity of the DATA SUBJECT.

CLAUSE V. - PURPOSES OF PROCESSING
The primary objective of THE CONTROLLER's processing of personal data is to ensure legal certainty in the provision of services and efficiency in the e-commerce platform. The purposes are divided into two categories:

A. Primary Purposes (Original and necessary for the legal relationship):

Contractual Perfection: To process, manage, and complete commercial transactions made through the vaothy.com portal, including payment validation and corresponding electronic invoicing.

Risk Mitigation and Fraud Prevention: To implement verification protocols to ensure the legality of financial operations, protecting both the DATA SUBJECT's assets and THE CONTROLLER's integrity.

Operational Management of SPA Services: To manage the reservation system, appointment control, and assignment of technical staff for the execution of non-invasive treatments.

Security and Access Protocols: To verify the identity of the DATA SUBJECT upon entering the physical facilities at the Tijuana headquarters, ensuring that the person receiving the treatment matches the one who made the digital contract.

Aesthetic Record and Personalized Follow-up: To integrate a historical record of assessments, applied protocols, and treatment evolution to ensure optimal and personalized results, tailored to the DATA SUBJECT's skin condition.

B. Secondary Purposes (Ancillary):

Market Intelligence: Development of consumption profiles for continuous improvement of wellness services.

Corporate Communication: Sending newsletters, launching new cosmetic lines, exclusive promotions, and loyalty programs.

Opt-out Mechanism: The DATA SUBJECT has a period of five (5) business days to express their refusal of the processing of their data for Secondary Purposes, by sending an email to the address specified in the ARCO Rights section.

CLAUSE VI. - TRANSFER OF PERSONAL DATA
THE CONTROLLER undertakes not to sell, rent, or dispose of the DATA SUBJECT's personal data. However, the DATA SUBJECT is informed that national and international data transfers will be carried out in the following cases, which do not require the express consent of the DATA SUBJECT in accordance with Article 37 of the Law:

Banking Institutions and Payment Processors: For managing collections and validating transactions through security protocols (e.g., Stripe, PayPal, or Mexican financial institutions).

Technology Infrastructure Providers: To companies providing data hosting services (Cloud Computing) and e-commerce platform administration, who act as "Processors" and maintain equivalent privacy policies.

Competent Authorities: Only in cases provided for by applicable legislation, for compliance with judicial or administrative requirements duly founded and motivated.

CLAUSE VII. - SECURITY MEASURES AND SAFEGUARDING
THE CONTROLLER states that it has implemented the necessary administrative, technical, and physical security measures to protect personal data against damage, loss, alteration, destruction, or unauthorized use, access, or processing. These measures include, but are not limited to:

SSL encryption protocols for online transactions.

Restriction of physical and digital access to databases to authorized personnel only.

Strict confidentiality agreements with all staff at the Tijuana headquarters.

CLAUSE VIII. - EXERCISE OF ARCO RIGHTS (ACCESS, RECTIFICATION, CANCELLATION, AND OBJECTION)
The DATA SUBJECT always has the right to access their personal data, rectify them if they are inaccurate, cancel them when they consider them unnecessary for the stated purposes, or object to their processing for specific purposes.

To exercise these rights, THE CONTROLLER has designated a Personal Data Department. The procedure will be subject to the following rules:

Request: The DATA SUBJECT must send a formal request to the email address: privacidad@vaothy.com (or the one provided by the company) or submit it physically at the address located in Zona Urbana Río Tijuana.

Requirements: The request must contain:

Name of the data subject and address or other means to communicate the response.

Documents proving their identity (valid INE, Passport) or, where applicable, legal representation.

Clear and precise description of the personal data for which one of the aforementioned rights is sought to be exercised.

Resolution Deadlines: THE CONTROLLER will inform the DATA SUBJECT, within a maximum period of twenty (20) business days from the date of receipt, of the decision made. If appropriate, it will be made effective within fifteen (15) business days following the date on which the response is communicated.

CLAUSE IX. - USE OF TRACKING TECHNOLOGIES ON THE E-COMMERCE PORTAL
The DATA SUBJECT is informed that the website vaothy.com uses cookies, web beacons, and other tracking technologies through which it is possible to monitor their behavior as an internet user, with the aim of providing a superior and personalized user experience during their navigation.

The data obtained from these technologies include:

Session identifiers, region, and browser type.

Consumption habits and browsing time on the portal.

Pages consulted and access paths.

These technologies can be disabled directly by the DATA SUBJECT through the privacy settings of their internet browser; however, the DATA SUBJECT is warned that such action could limit the functionality of the online store and appointment processing.

CLAUSE X. - LIMITATION OF USE AND DISCLOSURE OF INFORMATION
In addition to exercising ARCO Rights, the DATA SUBJECT may limit the use or disclosure of their personal data by registering with the Public Registry to Avoid Advertising (REPEP) of the Federal Consumer Protection Agency (PROFECO), so that their personal data is not used to receive advertising or promotions from goods or services companies.

CLAUSE XI. - PROCEDURE FOR MODIFICATION TO THE PRIVACY NOTICE
VAOTHY COMPANY S.A. DE C.V. reserves the right to make, at any time, modifications or updates to this Privacy Notice, motivated by legislative reforms, internal policies, or new requirements for the provision of SPA services and product sales.

Such modifications will be available to the public through the following means:

Visible announcements at the physical establishment in Tijuana.

In the "Privacy Policy" section of our website vaothy.com.

Via email to the last address provided by the DATA SUBJECT (at the company's discretion).

CLAUSE XII. - DATA SUBJECT'S CONSENT
By using the website, making commercial transactions, and/or contracting non-invasive SPA services, the DATA SUBJECT acknowledges having read, understood, and accepted the terms set forth in this Privacy Notice. The payment for any treatment through the e-commerce platform will constitute an express manifestation of will and consent for the processing of their personal data in accordance with what is established herein.