Privacy Notice

This Privacy Notice is issued pursuant to articles 15, 16, and 17 of Mexico's Federal Law on the Protection of Personal Data Held by Private Parties ("LFPDPPP"), its Regulations, and the Privacy Notice Guidelines issued by the National Institute for Transparency, Access to Information and Personal Data Protection (INAI).

• Name / legal entity: Korsica .
• Tax ID (RFC): .
• Registered address: .
• Privacy contact email: hola@korsica.mx.
• Platform: korsica.mx and associated applications (the "Platform").

Korsica (the "Data Controller") decides how your personal data is processed. If you have questions about this Notice or wish to exercise your rights, please write to us at the email above.

To fulfill the purposes described in this Notice, Korsica collects the following categories of personal data, either directly from the Data Subject or from public sources and authorized providers (e.g. identity-verification services, REPUVE, NHTSA):

• Identification data: full name, date of birth, gender, nationality, CURP, RFC, photograph, and image of official ID (INE, passport, or professional license).
• Contact data: email, phone, and postal address.
• Proof of address: utility bill, bank statement, or equivalent document for KYC verification.
• Financial and banking data: tokenized card references (Korsica does not store the full number), CLABE account, and banking details needed to process payments and disburse sale proceeds.
• Tax data: RFC, proof of tax status, and legal name, used to issue CFDI invoices.
• Biometric data (KYC with liveness): facial capture and liveness video, compared against the official-ID photograph, used solely to verify identity and prevent fraud.
• Vehicle data: VIN, license plates, original invoice or endorsements, vehicle-circulation card, registration and inspection records, vehicle photos and videos.
• Transactional data: bid, purchase and sale history, commissions paid, claims and disputes.
• Navigation and device data: IP address, device identifiers, browser type, operating system, pages visited, session time, cookies, and similar technologies.

Biometric and financial data are deemed sensitive personal data under LFPDPPP; their processing requires express consent, which the Data Subject grants by continuing the KYC flow or registering a payment method.

The following purposes are necessary to maintain and perform the legal relationship between Korsica and the Data Subject. Without them we cannot provide the service:

• Create, authenticate, and administer your User account.
• Verify your identity through KYC (including liveness) and confirm vehicle ownership via invoice, registration card, and REPUVE lookup.
• Process and display bids on active auctions, including holds on the registered payment method.
• Charge the commission applicable to the winning buyer and disburse net proceeds to the seller.
• Issue Digital Tax Receipts (CFDI) through our authorized provider (FacturAPI or another PAC).
• Comply with tax, accounting, and legal obligations before the SAT, UIF, and other authorities, including those arising from Mexico's Anti-Money-Laundering Law (PLD).
• Prevent, detect, and investigate fraud, identity theft, and misuse of the Platform.
• Send transactional notifications (account confirmation, bid confirmation, outbid alerts, auction close, results, payment and delivery instructions).
• Handle inquiries, complaints, and dispute procedures between Seller and Buyer.
• Coordinate delivery of the vehicle between Seller and Buyer.

The following purposes are not required for the service and need your consent. You may decline now or at any time with no impact on your access to the Platform:

• Newsletters, editorial content, event invitations, and marketing communications.
• Content personalization, auction recommendations, and advertising offers.
• Aggregated statistics, market research, and behavioral analysis (using dissociated or pseudonymized data where possible).
• Invitations to product trials, satisfaction surveys, and pilot programs.

If you do not wish your data processed for these purposes, you may opt out by writing to hola@korsica.mx or by disabling the corresponding notifications in your account settings. Your refusal will not affect the provision of the service.

Korsica may transfer your personal data, without additional consent in the scenarios set out in article 37 of LFPDPPP, to the following categories of recipients:

• Infrastructure and technology service providers:
  • Supabase — database, authentication, and storage.
  • Vercel — hosting and content delivery.
  • Resend — transactional email.
  • Conekta — payment processing and card holds.
  • FacturAPI — CFDI issuance before the SAT.
  • Web analytics and fraud-prevention providers.
• Competent authorities: upon validly grounded judicial, administrative, or tax requirements (SAT, UIF, INAI, PROFECO, prosecutors, courts).
• Transaction counterparty: we share the minimum information strictly necessary to consummate the sale with Seller and Buyer (name, contact, delivery address, banking details for payment).

Some providers may host data outside Mexico. In all cases we contractually require a level of protection equivalent to LFPDPPP (contractual clauses, data-processing agreements, and adequate security standards).

You have the right to:

• Access: know what personal data we hold about you, what we use it for, and the terms of such use.
• Rectification: request correction of outdated, inaccurate, or incomplete information.
• Cancellation: request deletion of your data when you believe it is not used in accordance with the principles, duties, and obligations set by law.
• Objection: object to the use of your data for specific purposes.

How to exercise them. Send your request to hola@korsica.mx with the following:

• Data Subject's full name and contact email.
• Copy of valid official ID (INE, passport, or professional license); in case of representation, notarized power of attorney or letter of authorization together with the representative's ID.
• Clear, precise description of the right you wish to exercise (Access, Rectification, Cancellation, Objection) and the data involved.
• Any element that helps locate your data (e.g. registration date, related auction).

Pursuant to article 32 of LFPDPPP, we will respond within a maximum of twenty (20) business days from receipt of the request. Where appropriate, the right will be made effective within the following fifteen (15) business days after our response.

You may revoke the consent you have granted for the processing of your personal data at any time. Revocation has effect going forward and does not affect lawful processing carried out beforehand. In certain cases revocation may not apply (e.g. when there is a legal obligation to retain data for tax or anti-money-laundering purposes); if so, we will explain the reasons.

You may also request that we limit the use or disclosure of your data (for example, inclusion in a marketing-exclusion list). For either case, send your request to hola@korsica.mx following the same procedure as for ARCO rights.

Korsica uses cookies and similar technologies (local storage, device identifiers, pixels) to operate and improve the Platform. We classify these technologies in three types:

• Essential: required to authenticate sessions, remember basic preferences, and protect against fraud. Cannot be disabled without losing core functionality.
• Analytics: help us measure aggregate usage, detect errors, and prioritize improvements. Can be disabled from browser settings or the consent panel.
• Marketing: used to personalize campaigns and measure their effectiveness. Require consent and may be declined at any time.

You can reject or delete cookies through your browser settings. For details, see our Cookie Policy.

Korsica implements reasonable administrative, technical, and physical security measures to protect your data, including: TLS encryption in transit, encryption at rest for sensitive data, password hashing with strong algorithms (bcrypt/argon2), role-based access control with least-privilege principle, multi-factor authentication for staff with database access, continuous monitoring, regular backups, and security testing. No measure is infallible; in the event of a breach materially affecting your property or moral rights, we will notify you without delay pursuant to article 20 of LFPDPPP.

Korsica may update this Notice to reflect changes in its services, applicable regulations, or privacy practices. Changes will be published on this page, indicating the last-updated date. Where changes involve new purposes or transfers that require consent, we will notify you by email and/or via a prominent notice within the Platform. Continued use of the service after publication implies acceptance of the updated Notice, except for processing activities that require independent express consent.

By using Korsica, you express your consent for the processing of your personal data under the terms described in this Privacy Notice. For sensitive personal data (biometric and financial) and for secondary purposes, consent is obtained expressly when the information is registered or when optional communications are accepted.

If you believe that your right to personal-data protection has been breached by any act or omission of Korsica, or you presume a violation of LFPDPPP, its Regulations, or other applicable rules, you may file a complaint before the National Institute for Transparency, Access to Information and Personal Data Protection (INAI). For more information about procedures and deadlines visit home.inai.org.mx.