hisonrisa Privacy Notice in Mexico City

HISONRISA, S.A. DE C.V., with its clinic service address at Tepic 139-706, Roma Sur, Cuauhtémoc, 06760 Ciudad de México, CDMX, is responsible for processing your personal data for the purposes described in this notice. For privacy questions, ARCO-rights requests, or consent withdrawal, you can write to hi@hisonrisa.com .

When a short-form notice is shown in forms, booking flows, or specific contact points, this full notice is the reference document for the expanded information.

We do not collect the same information in every case. The categories may vary depending on whether you only request information, book an appointment, receive treatment, ask for CFDI billing, or request help with a reimbursement.

• Identification and contact data: name, phone number, email, city of origin, and details related to booking or follow-up.
• Administrative and billing data: tax ID, billing name, tax address, payment references, CFDI invoices, receipts, and other information needed to document charges or reimbursements.
• Care and communication data: messages, files, photos, studies, documents, and contact preferences that you share through forms, website chat, email, phone, or WhatsApp.
• Technical, security, and form-attribution data: IP address, user agent, page URL, source page, referrer, language, UTM parameters, ad click identifiers, button context, request references, and data needed for anti-fraud or anti-spam validation when you use forms or campaign links.
• Website technology and preference data: aggregate cookie-free measurement, cookie identifiers when present, consent preferences, pages viewed, basic site events, campaign parameters, ad click identifiers such as gclid, fbclid, or ttclid, and device or browser data when the corresponding tools are enabled.

During dental evaluation and care we may collect sensitive personal data, especially data about present or future health status, medical and dental history, allergies, medications, studies, X-rays, clinical photos, progress notes, and other elements of the clinical record.

To process sensitive personal data, such as health information, medical or dental history, allergies, medications, studies, X-rays, clinical photos, and elements of the clinical record, we will request your express written consent through clinical forms, informed-consent documents, or equivalent records, except in cases permitted by law. Where applicable, we may also process sensitive data to comply with obligations arising from the healthcare relationship or from applicable health regulations.

Please share only information that is relevant to your request or care coordination. Messages, photos, X-rays, and CBCT files help us route your request and prepare the visit, but they do not replace an in-person diagnosis, treatment approval, or emergency care.

• To answer information requests, review cases, and provide administrative or clinical follow-up.
• To schedule, confirm, reschedule, or cancel appointments and coordinate care timing.
• To provide dental care, prepare diagnoses, treatment plans, clinical notes, instructions, and the clinical record.
• To issue receipts, CFDI invoices, letters, clinical summaries, or documentation for administrative or reimbursement processes when applicable.
• To secure forms, verify requests, and prevent abuse, spam, or unauthorized access.
• To comply with legal, regulatory, health, tax, accounting, and clinical-record obligations.

In addition to the purposes needed to answer requests, book appointments, and provide dental care, we may process technical and browsing data for secondary purposes when the corresponding controls or consents are in place.

• First-party cookie-free analytics: measuring aggregate site performance, UTM campaigns, visited pages, and basic contact events without persistent cookie identifiers.
• Optional third-party analytics: measuring site performance with tools such as Google Analytics 4 when enabled and covered by the corresponding consent.
• Optional advertising and measurement: measuring campaigns, attributing ad conversions, improving ads, and, if you allow it, supporting remarketing or ad personalization.
• Preferences: storing your cookie choices, language, currency, or other basic site preferences.

These secondary purposes are not required to receive dental care. You can reject or change optional technologies through the site's cookie preferences, the footer opt-out link, or by writing to our privacy contact.

We do not intentionally send advertising platforms appointment details, message contents, clinical information, requested treatments, X-rays, clinical photos, medical files, or other sensitive personal data from your clinical record.

We also do not use customer lists, enhanced conversions, advanced matching, hashed contact identifiers, or conversion names that reveal a specific dental treatment without separate privacy review and explicit approval.

You may also object or ask us to limit non-essential uses by writing to hi@hisonrisa.com .

We do not sell your personal data. We only disclose or make it available to third parties when this is necessary to fulfill the purposes described, to operate services with processors, when you request it, or when there is a legal obligation.

• We may use Cloudflare Pages, Cloudflare D1, Cloudflare Turnstile, Chatwoot, email providers, and, when enabled, Notion or Discord to receive, store, secure, notify the team about, and follow up on form or website chat submissions.
• First-party analytics: we may use a self-hosted cookie-free tool, such as Umami, to measure aggregate site use, UTM campaigns, and basic contact events. This measurement must not receive form data, names, phone numbers, emails, messages, appointment details, or clinical information.
• Measurement and tag technologies: when enabled, Google Tag Manager may help us manage tags and Google Analytics 4 may help us measure website performance, always according to your consent preferences.
• Advertising and campaigns: when enabled and marketing consent exists, Google Ads, Meta Pixel/Meta Ads, and TikTok Pixel/TikTok Ads may help us measure campaigns, advertising conversions, remarketing, and ad personalization.
• Embeds and external platforms: Google Maps, YouTube, WhatsApp, and social networks may process data under their own terms and notices when you choose to interact with those services.
• Care and treatment: labs, specialists, consulting professionals, dental technicians, or clinical providers that need to participate in your case.
• Procedures requested by you: insurers, companies, authorized relatives, or third parties to whom we must deliver documents because you asked us to do so.
• Authorities: when the transfer is required by law, by a competent authority, or by obligations arising from the provision of healthcare services.

If a transfer to a third party outside our processors does not fall within a legal scenario allowing it without consent, we will request your authorization before carrying it out.

When you use website forms, website chat, or other digital resources, we may automatically obtain certain technical and contextual data, such as IP address, browser, language, referrer, visited URL, aggregate cookie-free measurement, cookie identifiers when present, consent preferences, UTM parameters, and ad click identifiers, as well as information needed to validate security challenges on forms.

Necessary technologies protect the site, forms, and basic preferences. First-party cookie-free analytics may measure aggregate site use without creating persistent cookie identifiers. Third-party analytics technologies, such as Google Analytics 4, remain subject to your analytics choice. Marketing technologies, such as Google Ads, Meta Pixel, or TikTok Pixel, remain subject to your marketing choice and to Global Privacy Control signals when your browser sends them.

To reduce risk on a dental-care website, advertising conversion events must remain generic, such as contact, appointment request, phone click, or WhatsApp click, without treatment names or form data.

On campaign pages, forms and some WhatsApp links may store a request or page reference together with campaign parameters, click identifiers, button context, and technical metadata in Cloudflare D1. References shown in WhatsApp are used for request follow-up and should not include symptoms, notes, phone numbers, emails, UTM parameters, or other clinical details.

You can change your preferences from the cookie link in the footer. If you disable interactive maps or video embeds, future page loads should use static alternatives or external links instead of loading interactive maps or embedded players.

If you choose to use the website chat, message us on WhatsApp, open maps, view embedded videos, or leave the site for social networks or third-party services, those services may process data under their own terms and privacy notices.

You may exercise your rights of access, rectification, cancellation, or objection, and you may revoke consent when legally applicable and when there is no duty to keep or continue processing certain data.

• The request must identify the data subject and, where applicable, their legal representative.
• You must clearly describe the right you want to exercise and provide information that helps locate the data or the relationship you have with the clinic.
• Requests are received through hi@hisonrisa.com.
• Unless a rule allows otherwise, we will respond within 20 business days and, if appropriate, implement the request within the following 15 business days.

In clinical, billing, security, or claims-defense matters, some requests may be subject to restrictions or mandatory retention periods established by law.

For optional web technologies, you can revoke or modify your preferences from the cookie panel. When the browser sends Global Privacy Control, we treat that signal as an opt-out for marketing, sale, or sharing of data for targeted advertising in contexts where it applies.

Although hisonrisa is located in Mexico and this notice is primarily based on applicable Mexican law, some campaigns or visits may involve residents of U.S. states with opt-out rights for sale, sharing of data, or targeted advertising.

• We do not sell personal data for money.
• When advertising tools are enabled, the use of identifiers for targeted advertising, remarketing, or ad measurement depends on your marketing consent and available opt-out signals.
• You can use the footer link "Do Not Sell or Share My Personal Information" to open preferences and keep marketing disabled.
• If your browser sends Global Privacy Control, marketing remains disabled even though other optional categories may be managed separately.

• Clinical records are kept for at least the applicable minimum period under health regulations, which generally is 5 years counted from the last medical act.
• Contact, booking, payment, CFDI, claims, and support records are kept for as long as needed to fulfill purposes and comply with tax, accounting, regulatory, and legal-defense obligations.
• We apply reasonable administrative, technical, and physical safeguards to protect information against damage, loss, alteration, destruction, or unauthorized access.

If a security incident were to occur that significantly affects your patrimonial or moral rights, we will inform you through reasonably available means in accordance with applicable law.

We may update this notice to reflect operational, legal, or regulatory changes. The current version will be available on the website with its updated date. If a change materially affects the purposes or the way data is processed, we will adopt the corresponding reasonable communication measures.