Privacy Notice

Korsica (the "Data Controller"), with address for purposes of this Notice in Mexico City, Mexico, is responsible for processing your personal data pursuant to Mexico's Federal Law on the Protection of Personal Data Held by Private Parties ("LFPDPPP"), its Regulations, and other applicable law. For any privacy-related inquiry you may contact us at arco@korsica.mx.

To fulfill the purposes described in this Notice, Korsica collects the following categories of personal data:

• Identification data: full name, date of birth, gender, nationality, image of official ID (INE, passport, professional license).
• Contact data: email, phone, address.
• Tax data (where applicable): RFC, proof of tax status, legal name for CFDI invoicing.
• Biometric data (KYC with liveness): facial capture, liveness video, and comparison against the official-ID photograph, used solely to verify identity and prevent fraud.
• Transactional data: bid, purchase, and sale history; tokenized payment methods (Korsica does not store full card numbers); bank references.
• Vehicle data: VIN, license plates, ownership documentation, vehicle photos and videos.
• Navigation data: IP address, device type, operating system, cookies, and similar technologies (see our Cookie Policy).

Biometric and financial data are deemed sensitive personal data under LFPDPPP; their processing requires express consent, which the Data Subject grants by continuing the KYC flow or registering a payment method.

• Create and administer your User account.
• Verify your identity and prevent fraud (KYC/AML).
• Publish listings, manage bids, and execute transactions.
• Process payments and issue tax invoices where applicable.
• Coordinate vehicle delivery between Seller and Buyer.
• Handle inquiries, complaints, and dispute procedures.
• Comply with legal, tax, accounting, and regulatory obligations.
• Maintain Platform security (anomalous activity detection, anti-fraud monitoring).

Unless the Data Subject objects, Korsica may process your data for the following secondary purposes, which are not necessary for the contracted service:

• Newsletters, editorial content, and communications about automotive events.
• Marketing, commercial prospecting, and personalized advertising.
• Aggregated statistics and market research.
• Invitations to product trials and satisfaction surveys.

If you do not wish your data to be processed for these purposes, you may object by emailing arco@korsica.mx or by disabling notifications in your account settings.

Korsica may transfer your data, without additional consent as permitted by article 37 of LFPDPPP, to the following categories of third parties:

• Payment processors and gateways: to authorize holds, capture payments, and issue refunds.
• KYC and biometric verification providers: to validate identity, liveness, and sanctions screening.
• Technology infrastructure providers: hosting, databases, transactional email, and analytics, contracted under confidentiality and equivalent-processing clauses.
• Competent authorities: when required by judicial or administrative resolution, or to fulfill tax and regulatory obligations.
• Transaction counterparty: minimum data necessary (name, contact, delivery address) is shared with Seller and Buyer to formalize the sale.

Some of these providers may be located outside Mexico; in all cases a level of protection equivalent to LFPDPPP is required through contractual clauses.

You have the right to know what personal data we hold, what we use it for, and the terms of such use (Access). You also have the right to request correction if the data is outdated, inaccurate, or incomplete (Rectification); to have it deleted when you believe it is not being used in accordance with the principles, duties, and obligations under law (Cancellation); and to object to its use for specific purposes (Objection). These are known as ARCO rights.

To exercise any of these rights, or to revoke consent previously granted, send a request to arco@korsica.mx containing: (i) Data Subject's name and contact email; (ii) document proving identity (or representation, where applicable); (iii) clear description of the data and rights you wish to exercise; and (iv) any element that helps locate the data. We will respond within a maximum of twenty (20) business days and, where appropriate, will give effect to the right within the following fifteen (15) business days.

If you believe your right to personal-data protection has been violated, you may contact Mexico's National Institute for Transparency, Access to Information and Personal Data Protection (INAI, inai.org.mx).

Korsica uses first- and third-party cookies to operate the site, remember sessions, measure usage, and personalize content. To learn about cookie types, purposes, and how to disable them, see our Cookie Policy.

Korsica implements reasonable administrative, technical, and physical security measures to protect your data, including TLS encryption in transit, encryption at rest for sensitive data, role-based access control, multi-factor authentication for staff with data access, monitoring, and regular backups. No measure is infallible; in the event of a breach that significantly affects your property or moral rights, we will notify you as required by law.

Korsica may update this Notice to reflect changes in its services, applicable regulations, or privacy practices. Changes will be posted on this page with the last-updated date. For material changes to purposes or transfers, we will additionally notify you by email or via prominent notice on the Platform.