Privacy Notice Rappi - Diagnostikare

Privacy Notice

RAPPI

Last updated: July 7, 2025

RESPONSIBLE PARTY

Servicios Clínicos Inteligentes DXKARE, S.A.P.I. de C.V. (hereinafter, “Diagnostikare”), with its registered address at Avenida Mazatlán 154‑5, Colonia Condesa, C.P. 06140, Cuauhtémoc Borough, Mexico City, Mexico, is responsible for the use, protection and processing of your personal data. Your information will be handled with strict confidentiality; its collection, processing, transfer and the exercise of any rights over such data will be carried out in an appropriate, legitimate and lawful manner, permanently safeguarding the principles of lawfulness, consent, quality, information, proportionality and responsibility.

PURPOSES OF PROCESSING

The personal data we collect will be used for the following purposes necessary for the provision of our services:

Creation, updating and maintenance of user profiles within our digital platforms.
Creation, review, analysis, updating and maintenance of clinical records.
Provision of health services, medical, psychological and nutritional guidance and counselling, and general patient care.
Management of schedules for healthcare professionals and patients.
Prioritisation of patient care based on their level of health risk.
Handling of questions and comments related to our digital platforms.
Viewing of information by healthcare professionals on corporate electronic platforms.
Issuance of validated medical prescriptions.
Communication between healthcare professionals, patients and data subjects.
Acquisition of medicines, pharmaceutical and sanitary products.
Retention of records to monitor services and provide future services; and
In general, to follow up on any contractual relationship.

Additionally, we may use your personal data for the following secondary purposes:

Advertising: Promotion of new features and functionalities of our services.
Marketing and commercial prospecting: Marketing strategies to present our services and products to individuals or companies that may require them.

Processing of your personal data for secondary purposes requires your consent.

USE OF COOKIES, WEB BEACONS AND/OR SIMILAR TECHNOLOGIES

On Diagnostikare’s website, located at www.diagnostikare.com, we use cookies and Google Analytics web‑traffic analysis. These tools allow us to identify the location of the IP address used to access our site, the computer’s operating system, the web browser type, the date of access, and the pages and sections visited. This gives us a clear idea of how our clients and users use our website so that we can update it with relevant content. This information does not collect personal data that could identify any user of our site, nor does it include sensitive personal data.

PERSONAL DATA PROCESSED

To carry out the purposes described in this Privacy Notice, we will collect, in whole or in part, the following personal data:

Full name.
Full address.
E‑mail address.
Employee or collaborator number.
Location information.
Mobile phone number.
Date of birth
Emergency contact details (e.g., relative, friend, other).

Additionally, we may collect the following sensitive personal data, which require special protection and explicit consent:

Sex and gender
Weight
Height
Health risk factors
Symptoms
Current medical conditions
Electronic document with instructions and suggestions
Medical history, including sexual health
Relevant personal and family medical background
Smoking and substance use history (controlled and uncontrolled)
Personal image
Audio and video recordings of users and patients
Any other information relevant to diagnosis, analysis, medical treatment, or health-related activities

DATA TRANSFER AND SHARING

Your personal data may be shared within or outside Mexico with the following entities for the purposes indicated:

RECIPIENT	COUNTRY	PURPOSE
Amazon Web Services (AWS)	United States	Storage and hosting for digital services and remote consultations by video
Ecaresoft, Inc.	Mexico	Generation and update of electronic medical records
Prescrypto, S.A.P.I. de C.V.	Mexico	Issuing electronic prescriptions
Clientes de DXKARE que utilizan nuestros servicios y sus subsidiarias.	Mexico	Statistical analysis for contractually related users
Diagnóstico Médico Proa S.A., de C.V.	Mexico	Laboratory test referrals and interpretations
Healthie, Inc.	United States	Appointment management for healthcare professionals and patients

These transfers require your consent. If you do not express opposition, we will consider your consent granted.

If you do not agree to the transfer of your sensitive personal data after having provided explicit consent, you may communicate your opposition by sending a request to Avenida Mazatlán 154-5, Colonia Condesa, C.P. 06140, Cuauhtémoc, Mexico City, Mexico or to [email protected].

In addition, we do not require your consent to transfer your personal data in the following cases as provided by Article 36 of the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP):

When the transfer is provided for in a law or treaty to which Mexico is a party;
When the transfer is necessary for medical prevention or diagnosis, healthcare provision, medical treatment or management of healthcare services;
When the transfer is made to controlling, subsidiary or affiliate companies under the common control of the controller, or to a parent company or any company of the same group that operates under the same internal processes and policies;
When the transfer is necessary by virtue of a contract executed or to be executed in the interest of the data subject by the controller and a third party;
When the transfer is necessary or legally required for the safeguarding of a public interest or for the procurement or administration of justice;
When the transfer is necessary for the recognition, exercise or defence of a right in judicial proceedings; and
When the transfer is necessary for the maintenance or fulfilment of a legal relationship between the controller and the data subject.

ARCO RIGHTS (ACCESS, RECTIFICATION, CANCELLATION AND OPPOSITION)

In accordance with applicable regulations, you have the right to:

Access the personal data we hold about you, as well as information regarding the conditions and generalities of its processing (Access).
Request the rectification or correction of your personal information if it is outdated, inaccurate or incomplete (Rectification).
Request that we delete your information from our records, files or databases (Cancellation).
Object to or request cessation of the processing of your personal data (Opposition).

These rights are known as ARCO rights.

To exercise ARCO rights, you must submit the corresponding request addressed to the Privacy Department, either at Avenida Mazatlán 154‑5, Colonia Condesa, C.P. 06140, Cuauhtémoc Borough, Mexico City, Mexico, or to the e‑mail address: [email protected], including the following information:

Full name of the data subject.
RFC or CURP.
Copy of official photo ID.
Contact details for us to communicate with you (telephone, address, e‑mail, etc.).
A clear and precise description of the personal data on which you wish to exercise any ARCO right, except when exercising the right of Access.
The description of the ARCO right you wish to exercise and what exactly is being requested.
Any other information that would help us better address your request.
If exercising the right of Rectification, you must also indicate the modifications to be made and provide documentation supporting your request.

Additionally, you may submit your request by filling out our ARCO rights form at the following link: www.diagnostikare/derechosarco

If you are acting on behalf of someone else, you must attach the document proving your representation.

When exercising your right of Access, you will receive a list of the personal data we have about you and the conditions of its processing.

When exercising your right of Rectification, you must indicate the error and the correct data; once the rectification is made, we will inform you accordingly.

When exercising your right of Cancellation, you will be informed of the deletion of the information after the blocking period.

When exercising your right of Opposition, you must indicate the purpose(s) for which you require your data not to be processed; once your request is analysed, we will inform you of the outcome.

If exercising your ARCO rights makes it impossible for us to provide our service, we will inform you that we cannot continue providing our services so that you can make an express decision.

Diagnostikare will respond to your request within a maximum of 20 calendar days, and the corresponding determination will be applied within the following 15 calendar days.

If you believe that your personal data protection rights have been infringed by any conduct attributable to Diagnostikare, or you presume that in the processing of your personal data there is a violation of the provisions of the LFPDPPP, you may submit a data‑protection request to the Secretaría Anticorrupción y Buen Gobierno. For more information visit https://www.gob.mx/buengobierno

INFORMATION REGARDING MINORS, THIRD PARTIES AND EXCEPTIONS TO CONSENT FOR THE PROCESSING OF PERSONAL DATA

If the service user is not the data subject and provides information about third parties, they must have the authorisation and legal capacity to provide such information to Diagnostikare. By using Diagnostikare’s services, the user affirms that they have the right to transfer personal data, including, without limitation, being the parent and/or guardian with parental authority over the minor data subject or the legal representative of the incapable person or of the data subject who, due to their health condition, cannot personally enter the information into our system.

If you are not certain that you have the data subject’s consent or the right to decide on the use and transfer of their data, DO NOT enter personal data in Diagnostikare’s platforms or services.

Additionally, please note that consent is not required for the processing and transfer of personal data when such processing and transfer are indispensable for medical care, prevention, diagnosis, healthcare provision, medical treatment or management of healthcare services, while the data subject is unable to provide consent, under the terms established by the General Health Law and other applicable legal provisions, and provided that the data is processed by a person bound by professional secrecy or equivalent obligation.

REVOCATION OF CONSENT FOR THE PROCESSING OF PERSONAL DATA

You may revoke the consent you have given for the processing of your personal data. Not all requests can be fulfilled or will result in immediate cessation of use, as legal obligations may exist that require continued processing of your personal data. In any case, we will communicate with you to determine the procedure applicable to your request and jointly agree on a solution.

Additionally, for certain purposes, revoking your consent may mean we can no longer provide the service you requested, the termination of the legal relationship, or other legal consequences.

To revoke your consent, you must submit the corresponding request at Avenida Mazatlán 154‑5, Colonia Condesa, C.P. 06140, Cuauhtémoc Borough, Mexico City, Mexico, or to the e‑mail address: [email protected]

LIMITATION OF THE USE OR DISCLOSURE OF PERSONAL DATA

If you do not wish your personal data to continue being used for advertising, marketing or commercial prospecting, please request your registration in the exclusion list so that your data will not be processed for such purposes. Send your request to [email protected], specifying:

Name.
E‑mail address.
DXKARE service you use.

ADDITIONAL INFORMATION FOR RESIDENTS OF ARGENTINA

If you are a resident of the Argentine Republic, we additionally inform you that, pursuant to Article 6 of Law 25.326 on Personal Data Protection, we must inform you that to provide medical services we collect indispensable data, such as sensitive personal data. Other data, such as emergency contacts, are not necessary for the provision of our medical services. Furthermore, the data we collect are stored and safeguarded in our internal management systems on electronic media that comply with the security measures required by applicable legislation.

If you decide not to provide any of the requested data or provide inaccurate information, this may prevent the total or partial provision of medical services, cause delays in appointment scheduling, or limit compliance with contractual obligations with our corporate clients.

ADDITIONAL INFORMATION FOR RESIDENTS OF BRAZIL

If you are a resident of the Federative Republic of Brazil, we additionally inform you that, in accordance with Articles 7, 8 and 9 of the General Law on Personal Data Protection (LGPD), we are entitled to obtain your personal data under the Service Provision Agreement between Diagnostikare and Tecnologías RAPPI, S.A.P.I. de C.V. and under the Terms and Conditions accepted by you that govern the relationship as an individual user. We inform you that we collect your data directly when you provide them through our platforms. We also obtain additional data from monitoring your health, location, voice, IP address and behaviour. We generate new data based on the results of our services, such as medical prescriptions or clinical history, and we infer new personal data based on an analysis of your reported health status.

Your personal data will be stored for the time necessary to fulfil the primary purposes plus the time required to comply with DXKARE’s administrative, tax and legal obligations, in accordance with applicable regulations, plus the corresponding blocking period prior to deletion.

Diagnostikare has implemented physical, technical and administrative security measures to ensure the security and confidentiality of the personal data provided by our users. These measures are as follows:

Physical measures::

Controlled access keys to the main doors of DXKARE’s offices, managed by four employees. A digital access‑control dashboard for the offices, managed by the Operations Coordination/Office Manager.
CCTV surveillance system at the main entrance and in access routes to the two offices where equipment storing personal data is located.
Security alarm with automatic sensor and panic button, managed by the Operations Coordination/Office Manager.
Computers in DXKARE’s premises remain switched off and protected with passwords.
Additional DXKARE information not stored on computers is kept in the cloud.
Some computers at DXKARE’s premises have physical security locks.
Maintenance of equipment that stores personal data.
Secure data‑deletion mechanisms.

Administrative measures:

Authorised access to systems storing personal data.
Roles and responsibilities of employees handling personal data.
Engagement of an external supplier for storage and management of employees’ records.
Inventory of personal data and processing systems.
Periodic personal‑data risk assessments.
Compliance monitoring by the Privacy Officer.
Gap analysis between existing and required security measures.
Work plan to establish an Information Security Management System aligned with ISO 27001.
Acquisition of CCTV and security alarm for DXKARE’s premises.

Technical measures:

Encryption of databases containing client information and communication from the client to the API and between the API and the database.
Access to the infrastructure protected with security certificates.
Security certificates exchanged via encrypted communication channels.
API mechanisms to prevent users from accessing unauthorised information within their organisation.
Access to logical databases granted only to the Head of Technology Architecture and the General Management.
Internal administration of CCTV via the mobile devices of responsible employees.
CCTV recordings uploaded to the cloud.

ADDITIONAL INFORMATION FOR RESIDENTS OF COSTA RICA

If you are a resident of the Republic of Costa Rica, we additionally inform you that, in accordance with Article 5 of the Law for the Protection of the Person regarding the processing of personal data, the data we collect are stored and safeguarded in our internal management systems on electronic media that comply with the security measures required by applicable legislation.

Only Diagnostikare personnel, as well as the persons specified in the Transfer section and those derived from the relationships established in the Terms and Conditions accepted by you that govern the relationship as an individual user, are authorised to manage your personal information, and solely through the databases enabled for these purposes.

ADDITIONAL INFORMATION FOR RESIDENTS OF ECUADOR

If you are a resident of the Republic of Ecuador, we additionally inform you that, pursuant to Article 12 of the Organic Law on Personal Data Protection, if you decide not to provide any of the requested data or provide inaccurate information, this may prevent the full or partial provision of medical services, cause delays in appointment scheduling, or limit compliance with contractual obligations with our corporate clients.

Personal data may also be provided directly by Tecnologías RAPPI, S.A.P.I. de C.V. to fulfil our contractual relationships.

The personal data collected will be subjected to various manual and automated processes that include obtaining, recording, use, conservation, organisation, access, storage, transfer and, where appropriate, deletion, for the purposes previously indicated.

Your personal data will be stored for the time necessary to fulfil the primary purposes plus the time required to comply with DXKARE’s administrative, tax and legal obligations, plus the corresponding blocking period prior to deletion, in accordance with applicable regulations.

We are entitled to obtain your personal data under the Service Provision Agreement between Diagnostikare and Tecnologías RAPPI, S.A.P.I. de C.V. and under the Terms and Conditions accepted by you that govern the relationship as an individual user.

The data we collect are stored and safeguarded in our internal management systems on electronic media that comply with the security measures required by applicable legislation.

Diagnostikare may carry out automated assessments and create health profiles based on the personal data you provide. For more information, please review the Terms and Conditions of the service.

If you have any questions about the provisions of this Privacy Notice, the Privacy Department is available at [email protected].

ADDITIONAL INFORMATION FOR RESIDENTS OF PERU

If you are a resident of the Republic of Peru, we additionally inform you that, pursuant to Article 18 of Law No. 29733 on Personal Data Protection, to provide medical services we collect indispensable data such as sensitive personal data. Other personal data such as emergency contacts are not necessary for the provision of our medical services.

If you decide not to provide any of the requested data or provide inaccurate information, this may prevent the full or partial provision of medical services, cause delays in appointment scheduling, or limit compliance with contractual obligations with our corporate clients.

Your personal data will be stored for the time necessary to fulfil the primary purposes plus the time required to comply with DXKARE’s administrative, tax and legal obligations, plus the corresponding blocking period prior to deletion, in accordance with applicable regulations.

The data we collect are stored and safeguarded in our internal management systems on electronic media that comply with the security measures required by applicable legislation.

Only Diagnostikare personnel, as well as the persons indicated in the Transfer section and those arising from the relationships established in the Terms and Conditions accepted by you that govern the relationship as an individual user, are authorised to manage your personal information, and only through the databases enabled for these purposes.

ADDITIONAL INFORMATION FOR RESIDENTS OF URUGUAY

If you are a resident of the Oriental Republic of Uruguay, we additionally inform you that, pursuant to Article 13 of Law No. 18.331 on Personal Data Protection, to provide medical services we collect indispensable data such as sensitive personal data. Other personal data such as emergency contacts are not necessary for the provision of our medical services.

The data we collect are stored and safeguarded in our internal management systems on electronic media that comply with the security measures required by applicable legislation.

Diagnostikare may process your data automatically through its software. For more information about its operation, please review the Terms and Conditions of the service.

CHANGES TO THIS PRIVACY NOTICE

This Privacy Notice may be modified, changed or updated as a result of legal requirements; internal needs related to the products or services we offer; our privacy practices; changes in our business model; or other causes beyond our control.

In the event of any modifications, changes and/or updates, you will be notified via the e‑mail address you provide and through an update of the notice on the page https://rappi-en.diagnostikare.com/privacidad, or by any other oral, printed or electronic means of communication determined for such purpose.