Privacy Policy
1. Who we are
Dardo (the "Service") is operated by Jaime Muriel Monroy ("Dardo," "we," "us"), with primary place of business at Bosque de Duraznos 65, local 1108, Bosque de las Lomas, Miguel Hidalgo, 11700 Ciudad de México. We are the data controller (responsable del tratamiento) for the personal data described in this policy. For all data-protection inquiries, contact [email protected].
The Service is an institutional Mexican fixed-income rates dashboard at dardoresearch.com, available by paid subscription.
2. What personal data we collect
We collect only the data needed to operate a paid subscription service.
Identity and account data. Name and email address you provide at sign-up, optionally a profile photo if you sign in via a third-party identity provider (Google, etc.). Authentication credentials (password hash or OAuth tokens) are stored by our auth processor, never by us directly.
Billing data. Billing address, last four digits of payment card, payment-method type, subscription history. Full card details are handled by Stripe and never touch our infrastructure.
Usage data. IP address, browser type and version, device identifiers, pages viewed, timestamps. Standard server access logs.
Email engagement. Whether transactional emails (welcome, trial-expiring, payment-failed, subscription-confirmed) were delivered, opened, or had links clicked. Used to ensure deliverability, not for marketing profiling.
Communications. If you contact support, the message contents and your contact details.
We do not collect: government-issued IDs, biometric data, geolocation beyond IP-derived city, health data, financial account numbers, or special-category data under LFPDPPP Article 9.
3. How we collect it
Directly from you when you create an account, subscribe, or contact us; automatically through standard web-server logs and email-delivery telemetry; and from third-party identity providers if you choose Google or another OAuth method to sign in.
4. Why we collect it
We use personal data for the following purposes:
- To provide the Service — account creation, authentication, and gating of paid features.
- To bill you — subscription processing through Stripe.
- To communicate transactional information — trial expiry, billing receipts, payment failures, security notices.
- To comply with legal obligations — tax records, accounting, and other obligations under Mexican law.
- To detect and prevent fraud and abuse — protecting your account and the Service.
- To improve the Service — through aggregated, non-identifying analytics.
We do not sell your personal data and do not use it for behavioral advertising.
5. Sub-processors
The Service relies on the following processors who handle personal data on our behalf under contractual data-protection terms. The complete current list, including each processor's purpose, data location, transfer mechanism, executed DPA, and retention obligations, is maintained as a living register at dardoresearch.com/sub-processors. Summary table:
| Processor | Purpose | Data location |
|---|---|---|
| Clerk | Authentication, user-record management | United States |
| Stripe | Payment processing, subscription billing | United States |
| Resend | Transactional email delivery | United States |
| Cloudflare | Hosting, edge data storage, server logs | Global edge |
| Anthropic | Generative AI for daily market briefs (no personal data sent — only anonymized market analytics) | United States |
Each processor is bound by a written data-processing agreement and processes data only on our documented instructions. Material changes to this list require 30 days' advance notice per §12.
6. International transfers
Personal data is transferred to and processed in the United States by the sub-processors listed in §5 and detailed in the Sub-Processor Register. Such transfers comply with LFPDPPP Article 36 through contractual safeguards equivalent to those required under Mexican law, captured in each processor's executed Data Processing Agreement. Copies of executed DPAs are maintained internally and available for INAI inspection on reasonable notice. By using the Service, you acknowledge and consent to these transfers.
7. Retention
Account data: retained while your account is active and for 12 months after closure to satisfy support and audit needs, unless a longer retention is required by law.
Payment records: retained for at least five years from each transaction in compliance with Mexican tax and accounting requirements (Código Fiscal de la Federación Article 30).
Server logs: retained at most 30 days at the edge, after which they are aggregated and anonymized.
Email-delivery records: retained 90 days for deliverability auditing.
After applicable retention windows expire, data is securely deleted or fully anonymized.
8. Your ARCO rights
Under LFPDPPP Articles 22–26, you have the right to:
- Acceder — obtain a copy of personal data we hold about you
- Rectificar — correct inaccurate or incomplete data
- Cancelar — request deletion subject to lawful retention obligations
- Oponerse — object to specific processing for legitimate cause
To exercise these rights, send a written request to [email protected] including: your full name, the right(s) you wish to exercise, a clear description of the personal data involved, and any supporting documents. We will respond within 20 business days as required by Article 32. There is no charge for the first request in any 12-month period; subsequent requests in the same period may incur a reproduction-cost charge as permitted by law.
You may also revoke consent for processing not strictly necessary to provide the Service by writing to the same address. Revocation does not affect the lawfulness of prior processing.
9. Cookies and similar technologies
The Service uses session cookies set by Clerk to keep you signed in across pages, and uses browser local storage minimally for UI preferences. No third-party advertising or tracking cookies are set. No analytics SDKs are loaded in the production application.
10. Children
The Service is directed at financial professionals and is not intended for minors. We do not knowingly collect personal data from anyone under 18.
11. Security
We protect personal data using industry-standard measures: TLS encryption in transit, encryption at rest in our processors' systems, access controls limiting personal data to authorized personnel, and routine review of our security posture. No system is perfectly secure.
Incident response. In the event of a security incident affecting personal data, we will (a) take prompt containment and remediation steps, (b) notify affected users without undue delay as required by LFPDPPP Article 20, with the goal of notification within 72 hours of confirmed incident scope where the incident presents a meaningful risk to affected users' rights, and (c) cooperate with INAI as required by law.
12. Updates to this policy
We may update this policy from time to time. Material changes will be communicated by email and through a notice on the Service at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
For privacy questions, ARCO requests, or other inquiries: [email protected].
For complaints about our handling of personal data, you may also contact the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) via the INAI's official website after attempting resolution with us first.
Document v1.0 published 2026-05-10. Next review: 12 months from publish, or sooner if a material change is required.