- Version
- 2026-05-26
- Jurisdiction
- México (LFPDPPP), with cross-border transfers to the United States under contractual safeguards.
- Data controller (Responsable del tratamiento)
- Regeneris Therapy S.A. de C.V. — Av. Tulúm SM 11 MZ 1 Lote 1 Local 207, Cancún, Quintana Roo, C.P. 77504, México
- Privacy / DPO contact
- contact@regeneristherapy.com
- General contact
- hola@regeneristherapy.com
This Privacy Policy describes how Regeneris Therapy S.A. de C.V. collects, uses, stores, and protects personal data from users who interact with our Facebook Page, our Instagram Business account, and our internal application “Regeneris CRM”.
01Scope and purpose
This Privacy Policy describes how Regeneris Therapy S.A. de C.V. (“Regeneris”, “we”, “us”) collects, uses, stores, and protects personal data from users who interact with our Facebook Page, our Instagram Business account, and our internal application “Regeneris CRM” (the “App”). The App is used exclusively by our authorised clinical and administrative staff to manage inbound and outbound communications with current and prospective patients through Facebook Messenger and Instagram Direct.
The legal basis for processing in México is the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its Reglamento; in the European Union (where applicable to EU residents who reach out to us), the General Data Protection Regulation (GDPR) Article 6(1)(b) (performance of a service the user has requested) and 6(1)(c) (legal obligation for medical record retention under Mexican NOM-004-SSA3-2012).
02Data we collect through Meta APIs
When you message our Facebook Page or our Instagram Business account, Meta delivers the following data to our App through their Graph / Messaging APIs. We do not collect any of this data outside of a direct conversation you initiate with us.
| Field | Meta source | Purpose | Retention |
|---|---|---|---|
| PSID (Messenger) / IGSID (Instagram) | entry.messaging.sender.id | Identify the conversation thread and route replies back to the correct user. PSID/IGSID is scoped to our Page only. | Same as the conversation — see §6. |
| Message text | entry.messaging.message.text | Read and reply to the user's question; stored in the CRM inbox so staff can see conversation history. | See §6 (medical vs non-medical retention). |
| Message attachments (images, audio, video, files) | entry.messaging.message.attachments[] | Photos of skin conditions, audio notes, documents — stored alongside the message thread so the responding clinician has full context. | Same as the conversation. |
| Profile public info: first_name, last_name, profile_pic | Graph API /me with pages_messaging | Display the user's name and avatar in the inbox so staff know who they are responding to. | Name retained with the conversation; profile picture URL cached up to 24h. |
| Instagram username | Graph API /me with instagram_manage_messages | Display the IG handle in the inbox so staff can confirm identity. | Retained with the conversation. |
| Timestamps (sent, delivered, read) | entry.messaging.timestamp plus message_deliveries / message_reads | Show staff when the message was sent / seen; compute response-time SLAs. | Retained with the conversation. |
We do not collect: phone numbers (Meta does not expose them via these APIs), email addresses, payment data, location data, friend lists, or any other Graph-API field beyond those listed above.
03How we use the data
Notice for international patients (HIPAA)
Meta (Facebook, Instagram, Messenger) does NOT sign a Business Associate Agreement (BAA). If you are a U.S. resident, or your medical information is protected under HIPAA, please do NOT share detailed clinical information through Messenger or Instagram Direct. Use our secure patient portal or WhatsApp Business (end-to-end encrypted) instead. When our staff sees PHI being shared through a Meta surface, we will offer to move the conversation to a HIPAA-appropriate channel before continuing the clinical discussion.
We use the data collected above exclusively for the following purposes:
- Provide clinical and customer service responses. Staff read incoming messages in the CRM inbox and reply within the 24-hour Messenger window or 7-day Standard Messaging window, as applicable.
- Schedule appointments. If you ask about availability, our staff may offer appointment slots and confirm bookings.
- Send appointment reminders. If you have booked an appointment and explicitly opted in to reminders, we send one reminder approximately 24 hours before the scheduled visit. You can opt out at any time by replying STOP, BAJA, NO MÁS, or PARAR (LFPDPPP Art. 22).
- Maintain the clinical record where applicable. Mexican health law (NOM-004-SSA3-2012, Del expediente clínico, numeral 5.4) requires us to keep records of clinical communications for a minimum of 5 years from the last clinical act (and up to 10 years for diagnostic imaging studies).
- Operational quality. We may aggregate anonymised metrics (median response time, message volume by hour) for internal quality reporting. These aggregates contain no message text and no identifiers.
We will never:
- Sell your data to any third party.
- Share your data with advertisers, data brokers, or any party outside the processors listed in §5.
- Use your message content to train any AI model, public or private.
- Send unsolicited promotional messages. Marketing communications, if any, run on email and require a separate, explicit opt-in.
- Process your data for any purpose not listed above.
04LFPDPPP compliance and ARCO rights
Under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares, you have the following rights, collectively known as derechos ARCO:
- Acceso (Access) — request a copy of the personal data we hold about you.
- Rectificación (Rectification) — correct data that is inaccurate or incomplete.
- Cancelación (Cancellation / Erasure) — request that we delete your data. We will comply unless retention is mandated by law (e.g. NOM-004-SSA3-2012 medical-record retention).
- Oposición (Opposition) — object to processing for a specific purpose (typically marketing).
To exercise any ARCO right, send an email to contact@regeneristherapy.com with: your full name and a copy of an official ID (INE, passport); a clear description of the right you wish to exercise; the data subject of the request; and an address for response.
We respond within 20 business days per LFPDPPP Art. 32. You can also file the request through the public form at /legal/arco. If you are unsatisfied with our response, you may file a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).
05Revocation of consent (LFPDPPP Art. 35)
Beyond the ARCO rights in §4, LFPDPPP Art. 8 and Art. 35 grant you the separate right to revoke your consent to the entire processing of your personal data at any time. This mechanism is express, free of charge, and easy to access as required by LFPDPPP Art. 35 and Reglamento Art. 21.
How to revoke your consent. Send an email to contact@regeneristherapy.com with the subject line “Revocación de Consentimiento” and include the identity information required by LFPDPPP Art. 29:
- Your full legal name.
- A copy of an official ID (INE, passport, or CURP). Redact anything you do not want shared.
- The Meta channel(s) (Messenger / Instagram) or other identifier you used when contacting us.
- An address (email is acceptable) for our response.
- A short statement that you wish to revoke your consent to the processing of your personal data.
Timeline. We respond within 20 business days per LFPDPPP Art. 32. The revocation is free of charge.
What revocation does. Upon a valid revocation we will stop processing your data for the finalidades that depend on your consent (clinical replies, appointment scheduling, opt-in reminders, operational metrics) and we will register your PSID/IGSID in our opt-out table to prevent any future proactive contact.
What revocation does NOT do. Revocation does not erase clinical records we are legally required to retain under NOM-004-SSA3-2012 (Del expediente clínico, numeral 5.4: minimum 5 years from the last clinical act; up to 10 years for diagnostic imaging) — these supuestos están exceptuados under LFPDPPP Art. 10. In those cases we will anonymise the identifiers and retain only the clinical content under a non-identifying ID for the legally mandated period, then delete or definitively anonymise the record.
06Sub-processors and cross-border transfers
The App is hosted on infrastructure outside of México. Under LFPDPPP Art. 36 we disclose the cross-border transfer recipients:
- Vercel Inc. (United States) — application hosting for
admin.regeneristherapy.comandregeneristherapy.com. SOC 2 Type II; TLS 1.3. - Supabase Inc. (United States, us-east-1) — PostgreSQL database, authentication, file storage and realtime channel. SOC 2 Type II; AES-256 at rest; row-level security on every table.
- Meta Platforms, Inc. (United States) — original source of message data; Meta is the original controller for Facebook / Instagram and a joint controller with us for ingested data.
- Resend (United States) — transactional email delivery. Receives email addresses only — never message content from Meta.
- Cal.com (United States) — appointment scheduling. Receives first name, last name, and appointment metadata — never message content from Meta.
All transfers occur because the processor provides the technical service we need to run the App. No processor is permitted to use the data for its own purposes. Meta data does not flow to Resend or Cal.com — the boundary stops at our database.
07Data retention
We classify messages into two regimes based on their content:
6.1 Medical / clinical messages — 7 years
If the thread relates to a clinical matter (symptoms, treatment follow-up, post-procedure questions, prescriptions, lab results, anything that becomes part of the expediente clínico), the entire thread is retained for 7 years from the date of the last message. This covers the NOM-004-SSA3-2012 minimum (5 years from the last clinical act, per numeral 5.4) plus a 2-year buffer for potential civil-liability claims under Código Civil Federal Art. 1934. Diagnostic imaging studies that form part of the expediente clínico are retained for 10 years where NOM-004 numeral 5.4 mandates it.
6.2 Non-medical messages — 5 years
Conversations limited to administrative, scheduling, or commercial content are retained for 5 years from the date of the last message. After 5 years, the message body, attachments, and any cached profile picture are deleted; we retain only a hashed identifier and the conversation timestamp for statistical reporting.
6.3 Earlier deletion at user request
If you exercise your right of Cancelación (§4) we delete your data within 20 business days unless retention is mandated by law. In the medical case, we anonymise (drop the PSID/IGSID and profile data) and keep only the message content under a non-identifying ID — the LFPDPPP-compliant balance between your right to erasure and our obligation to preserve the clinical record.
6.4 Opt-out retention
When you opt out of proactive messaging (reply STOP / BAJA / NO MÁS / PARAR), we retain the opt-out indefinitely — that is what allows us to honour the opt-out in perpetuity. The opt-out record contains the PSID/IGSID and timestamp only.
08Security
- TLS 1.3 for all data in transit (Meta → our webhook, our webhook → Supabase, browser → admin app).
- AES-256 for data at rest (Supabase managed encryption).
- Row-level security (RLS) on every Supabase table — staff can only see threads assigned to their role.
- HMAC signature verification on every Meta webhook delivery (the
META_APP_SECRETis rotated annually). - Audit logging of every read / write to the CRM tables.
- Principle of least privilege for staff access — front-desk staff can see and reply to threads but cannot export bulk data.
In the unlikely event of a security incident affecting your data, we notify INAI within 72 hours of confirmation per LFPDPPP Art. 20, and we notify you directly within 72 hours of confirmation when the incident materially affects your rights.
09Children's data
We do not knowingly process the personal data of children under 13 through the App. If a parent or legal guardian books an appointment for a minor and messages us about it, the data subject of the clinical record is the minor and the legal-representative consent applies (LFPDPPP Art. 8). Parents may exercise ARCO rights on behalf of their children.
10Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in law, in our processing practices, or in the Meta APIs. When we do, the “Last updated” date at the top of this document changes, and the internal PRIVACY_NOTICE_VERSION constant bumps to a new YYYY-MM-DD string. For material changes that affect your rights we will notify you by direct message to your Meta account before the new version takes effect.
11Contact
- Data Controller: Regeneris Therapy S.A. de C.V.
- Address: Av. Tulúm SM 11 MZ 1 Lote 1 Local 207, Cancún, Quintana Roo, C.P. 77504, México
- Privacy / DPO email: contact@regeneristherapy.com
- General contact email: hola@regeneristherapy.com
- Phone: +52 998 616 0110
- ARCO online form: /legal/arco
- Regulator: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), home.inai.org.mx.
12Meta App Review summary
This section exists so a Meta App Review reviewer can verify the policy meets their platform requirements in under one minute.
- Data we collect from Meta APIs: PSIDs / IGSIDs, message text, message attachments, profile public info (
first_name,last_name,profile_pic, IGusername), and timestamps. Detailed in §2. - What we use it for: read + reply to inbound messages, schedule appointments, send opted-in appointment reminders, maintain the clinical record where applicable. Detailed in §3.
- What we never do: sell, share for advertising, train AI models, or send unsolicited marketing. Detailed in §3.
- Retention: 7 years for clinical messages (NOM-004-SSA3-2012 numeral 5.4: 5-year minimum + 2-year civil-liability buffer; 10 years for diagnostic imaging), 5 years for non-clinical messages. Detailed in §6.
- Deletion: users can request deletion via the ARCO form at /legal/arco. Detailed in §4.
- Hosting: Vercel (USA) for app, Supabase (USA, us-east-1) for database. Detailed in §5.
- Security: TLS 1.3 in transit, AES-256 at rest, RLS, HMAC webhook verification, audit logging. Detailed in §7.
Privacy contact
Reach our Data Protection Officer for any privacy request.
