Comprehensive Privacy Notice
Last updated: April 02, 2026 | Version 2.0
I. Identity and Domicile of the Responsible Party
SHERPA MONTERREY, S.A. DE C.V. (hereinafter "Sherpa"), domiciled at Callejón de Capellanía No. 400, Zona de los Callejones, San Pedro Garza García, Nuevo León, C.P. 66228, is responsible for the use and protection of your personal data under the terms of the Federal Law on Protection of Personal Data Held by Private Parties ("LFPDPPP").
Personal Data Protection Department:
- Email: info@sherpa.la
- Address: Callejón de Capellanía No. 400, Zona de los Callejones, San Pedro Garza García, N.L., C.P. 66228
II. Personal Data Processed
For the purposes described in this Notice, Sherpa will process the following categories of data:
a) Identification and contact data
- Full name, CURP, birth date, sex, local origins, address, phone, email, payroll number/employee ID.
b) Labor data
- Employer name, job position, and CLUES identification.
c) Sensitive personal data — requires express consent
In accordance with Article 3 section VI and Article 9 of the LFPDPPP, processing the following data requires express written consent:
- Clinical history, clinical diagnoses (CIE-10), medical consultation records, periodic exam results, vaccination schemes, labor leaves, emotional wellbeing notes, changes in habits, and general clinical evolution parameters.
Express consent is obtained through active acceptance within the platform's authentication flow, which records the time and version.
III. Treatment Purposes
Sherpa is a technology entity that provides occupational software. It acts purely as a technological facilitator; the hiring company retains ultimate control over processing.
a) Primary purposes — necessary for the provision of service
- Verify identity to enable platform access, manage user profiles, enable record storage functionality, ensure technical functionality and data security, validate CURP authenticity through RENAPO, and meet the technical obligations arising from NOM-024-SSA3-2012.
b) Secondary purposes — not necessary for service
- Anonymous statistical research and usability adjustments to continuously improve the UI/UX.
Opposition requests can be submitted to info@sherpa.la.
IV. Personal Data Transfers
Sherpa transfers only the records strictly necessary for its infrastructure. Authorities and internal hiring parties have separate compliance scopes and act exclusively as third-party Controllers.
| Recipient | Purpose | Legal Baseline |
|---|---|---|
| Amazon Web Services (AWS), cloud provider | Secure hosting and processing in AES-256 environments; acts as Processor under instructions, with no use of the data for its own purposes. | Art. 36 LFPDPPP — Current DPA Agreement |
Contractual responsibility for decisions on sharing health information rests exclusively with the hiring organization.
V. ARCO Rights, Portability, and Exercise Mechanisms
You have the constitutional right to Access, Rectify, Cancel or Oppose your data. To exercise it, email info@sherpa.la with the subject “ARCO Right Application”. Responses are provided within 20 business days.
Portability Rights (LFPDPPP 2025)
You have the right to request, through the main contact address, an export of your identification data as a structured digital file in a standardized format such as JSON or CSV.
- Applies strictly to: Identification and labor records.
- Excludes: Clinical data, which is subject to the strict 5-year retention requirement of the health standard NOM-024.
VI. Revocation of Consent
You may revoke your consent by writing directly to legal@sherpa.la, which effectively withdraws primary participation.
VII. Usage Limitation
Options to limit usage include registering with REPEP and emailing legal@sherpa.la to oppose secondary purposes.
VIII. Collection Methods
Data is collected directly through your interaction with the platform and indirectly from HR databases. Handling the data of minors requires parental documentation as a protective safeguard.
IX. Use of Tracking Technologies
| Cookie | Type | Functionality |
|---|---|---|
| NID, _ga, _ga_SPLLXDM7Z8 | External (Google Analytics) | Permanent session tracking used purely for analytics. Holds no health data. |
| PHPSESSID | Internal | Maintains the authenticated session; discarded on sign-out. |
X. Security Measures
Sherpa uses TLS for data in transit, together with strict role-based access logic and segmented cloud environments, to prevent unauthorized visibility of data.
XI. Data Retention Periods
Data is kept in blocked, secure storage under the following rules:
| Data Type | Minimum Timeframe | Legal Trigger |
|---|---|---|
| Clinical data | 5 years / adulthood thresholds | NOM-024-SSA3-2012 / LGS |
| Standard identification details | 5 years after the commercial relationship ends | LFPDPPP 2025 |
XII. Notice Changes
Changes to this Notice are announced automatically by email or through platform modals that capture a fresh acknowledgment and link only to https://sherpa.la.
XIII. Express Consent for Sensitive Data Treatment
Active acceptance during registration is documented and establishes the basis for compliance with Art. 9 of the LFPDPPP.
XIV. Legal Framework Outline
This Notice is governed strictly by the LFPDPPP, the NOM-024 framework, and the health regulations applicable in Mexico.
XV. Questions and Contact Channels
Direct inquiries to our data privacy team:
- Email: info@sherpa.la
- Address: Callejón de Capellanía No. 400, Zona de los Callejones, San Pedro Garza García, N.L., C.P. 66228
SHERPA MONTERREY, S.A. DE C.V. | info@sherpa.la | https://sherpa.la/