Legal
Privacy Notice
Effective June 16, 2026 · Last Updated June 16, 2026
Globally Portable Form with Country-Specific Annex
How this Notice is organized. This Privacy Notice has a globally portable Body that applies wherever Awayward offers the Platform, supplemented by a Country-Specific Annex for each country in which the Platform operates. The Mexico Annex accompanies this Body for the Mexico launch and, together with the Body, constitutes the Aviso de Privacidad (the Spanish-language privacy notice that Mexican law requires) required under Mexican law. Where the Body and an Annex conflict, the Annex governs for the country it addresses. Capitalized terms used and not defined have the meanings given in the Awayward Customer Terms of Service & Telehealth Consent (the “Customer Terms”) or the Awayward Independent Provider Agreement (the “Provider Agreement”), as applicable.
1. Who We Are and What This Notice Covers
This Privacy Notice (the “Notice”) describes how Awayward, Inc., a Delaware corporation (“Awayward,” “we,” “us,” or “our”), collects, uses, discloses, transfers, and protects personal information in connection with the Awayward mobile application and website (collectively, the “Platform”) and the technology services we provide through it (the “Services”). This Notice is the Awayward Privacy Notice referenced in, and incorporated by reference into, the Customer Terms and is the Awayward privacy notice referenced in the Provider Agreement.
Awayward is a technology platform vendor. Awayward does not practice medicine, does not employ healthcare providers, and does not provide medical care, diagnosis, treatment, advice, or opinion. All clinical services are provided by independent, locally licensed healthcare professionals (each, a “Provider”). This distinction shapes everything in this Notice, and in particular the division of data-protection roles described in Section 3.
1.1 Whose information this Notice covers
This Notice applies to the personal information of:
- Customers — travelers who register for and use the Platform to obtain Services, including Family Sponsors and Guardians who use the Platform on behalf of a minor dependent;
- Providers — licensed healthcare professionals (and, where applicable, the clinic or professional-services entity through which a Provider practices) who make Services available through the Platform;
- Partner and prospect contacts — individuals who interact with us on behalf of a Sponsor, Insurance Partner, vendor, or prospective partner; and
- Website visitors — individuals who visit our public website or otherwise contact us.
This Notice does not govern the personal information that a Provider collects, holds, and controls as part of your formal clinical record. That information is governed by the Provider’s own privacy notice, as explained in Sections 3 and 10.
2. Summary of Key Points
This summary highlights points many readers ask about. It does not replace the full Notice below.
- Two custodians of your information. Awayward controls your platform and account data; your Provider controls your formal clinical record. We explain the split in Section 3.
- Where your data is processed. Awayward processes platform and account data on infrastructure located in the United States. By using the Platform you consent to that transfer (Section 8).
- Health information is sensitive. We treat health information as sensitive personal data and process it only with your consent and as described in this Notice and the applicable Annex.
- We are not a HIPAA entity. Awayward is not a HIPAA covered entity or business associate for the Services rendered by foreign-licensed Providers (Section 9).
- Artificial intelligence. We use AI for limited, defined purposes, and we do not sell clinical-content-derived data or use your identifiable sensitive data to train third-party general-purpose AI models without your separate, granular consent (Section 6).
- Your rights. You can exercise data-protection rights over the platform and account data we hold; the procedure is in Section 12 and the applicable Annex. Rights over your clinical record run through your Provider.
3. How Data-Protection Roles Are Divided: The Two-Tier Architecture
The Platform operates under a two-tier data architecture. Understanding it is essential to understanding who is responsible for which information and how you exercise your rights.
3.1 Tier 1 — Platform and Account Data (Awayward is the controller)
“Platform and Account Data” is the information that you, a Provider, or we enter into or generate on the Platform to make the Platform work — for example registration and identity-verification data, geolocation, payment and remittance data, intake forms, asynchronous-messaging content within the post-consultation follow-up window, AI Tool inputs and outputs, customer-support communications, and Platform usage data. With respect to Platform and Account Data, Awayward is the data controller and is the party responsible to you for the processing described in this Notice.
3.2 Tier 2 — Clinical Record Data (the Provider is the controller)
Your “formal clinical record” — the record of clinical encounters that the law of the country in which your Provider is licensed requires the Provider to keep — is created and maintained by the Provider on the Provider’s own systems located in that country. With respect to your formal clinical record, the Provider — not Awayward — is the data controller. Awayward does not operate a clinical-record system of record, and the Platform is a communication and note-capture layer rather than the legally required clinical record. Your rights over your clinical record (including access and correction) run through your Provider, whose own privacy notice governs that record.
3.3 Platform Clinical Content (Awayward acts as a processor for the Provider)
Some clinical content necessarily passes through the Platform on its way to or from the Provider’s clinical-record system — for example consultation notes, the informational copy of prescription details a Provider may upload for your convenience, and clinical messages within the follow-up window (“Platform Clinical Content”). When Platform Clinical Content transits the Platform, Awayward processes it as a processor on the documented instructions of the Provider, solely to operate the Platform and enable the Provider’s delivery of the Services, subject only to the limited de-identified-data use described in Section 6. We do not use Platform Clinical Content for our own independent purposes.
| Category of information | Role of Awayward | Who controls / governs |
|---|---|---|
| Platform and Account Data (Section 3.1) | Data controller | Awayward — governed by this Notice |
| Formal clinical record (Section 3.2) | Not a controller; no system of record | Your Provider — governed by the Provider’s privacy notice |
| Platform Clinical Content transiting the Platform (Section 3.3) | Processor for the Provider | Your Provider as controller; Awayward processes on the Provider’s instructions |
4. Personal Information We Collect
We collect the categories of personal information described below. The specific lawful bases on which we rely, where a lawful-basis framework applies, are set out in the applicable Country Annex. The tables describe Platform and Account Data for which Awayward is the controller; they do not describe the formal clinical record controlled by your Provider.
4.1 Information we collect about Customers
| Context in which we collect it | Purpose | Categories of information |
|---|---|---|
| You register for and set up an account | Create and administer your account; verify eligibility, age, and identity; operate the Platform | Legal name; date of birth; country of citizenship; contact details (email, phone, address); account credentials; government-issued identification; and, for a Family Sponsor or Guardian, the corresponding details of each enrolled minor dependent |
| You are verified to use the Services | Confirm identity and physical presence in the Service Territory; prevent fraud and misuse | Identity- and document-verification data; current geolocation (including IP-based and device-based location); device identifiers |
| You book, prepare for, or attend a consultation | Match you with a Provider; schedule; operate the consultation and the follow-up messaging window; deliver consultation summaries | Intake-form responses; scheduling data; the health information you choose to enter into the Platform; asynchronous-messaging content within the follow-up window; the informational copy of prescription details a Provider uploads for your reference |
| You pay for the Services | Collect the Provider professional fee (as the Provider’s disclosed payment agent) and the Awayward platform fee; process refunds; issue tax documentation through the Platform | Billing details; transaction history; partial payment-card data and payment-status confirmations from our payment processors (we do not store full card numbers); tax-invoice data fields required in the Service Territory |
| You use optional AI Tools | Provide the informational and trip-preparation features you request (Section 6) | The inputs you provide to AI Tools and the outputs generated for you |
| You contact support, leave a review, or respond to a survey | Respond to and resolve your request; operate ratings and reviews; improve the Services | Your name and contact details; the content of your message or review; survey responses |
| You use the Platform (collected automatically) | Operate, secure, and improve the Platform; analytics | Device and browser data; IP address; access times; in-app actions and usage data; cookie and similar-technology identifiers (Section 14) |
4.2 Information we collect about Providers
In addition to any personal information a Provider holds as controller of a patient’s clinical record, Awayward collects and controls the following Provider personal information:
| Context in which we collect it | Purpose | Categories of information |
|---|---|---|
| Onboarding and credentialing | Verify licensure and eligibility; build and maintain the Provider profile; meet our credentialing and re-credentialing obligations | Name; professional license and registration numbers; specialty and council certifications; curriculum vitae and training history; photograph and biographical statement; professional-liability insurance certificates; facility or sanitary licensure; lawful professional-background information; tax identification and invoicing-registration evidence |
| Account and Platform use | Provide Platform access; communicate operationally; manage availability and consultation offers | Account credentials; availability and scheduling settings; consultation and offer history; device and usage data |
| Payment and remittance | Remit Provider professional fees; apply withholding; issue required tax documentation | Bank-account and payout details; payout-currency election; tax-residency and tax-regime information; withholding and constancia data |
| Profile, ratings, and marketing | Display verified credentials and consumer reviews; market the Platform consistent with the Provider Agreement | Profile content; ratings and reviews; name, image, and credentials used in the Provider directory and approved marketing |
4.3 Information we collect about partner and prospect contacts
Where you interact with us on behalf of a Sponsor, Insurance Partner, vendor, or prospective partner, we collect your business contact details, your role, and the content of our communications, in order to manage the relationship and our business development.
4.4 Sensitive information
Some information we process is sensitive personal data — in particular health information you enter into the Platform, and certain identity-verification data. We process sensitive personal data only where you have consented or another valid basis under the applicable Annex applies, and only as described in this Notice. Where the applicable law requires express written consent for sensitive personal data, the consent mechanism is described in the applicable Annex.
5. How We Use Personal Information
We use the personal information for which Awayward is the controller for the following purposes:
- operating, providing, and maintaining the Platform and the Services, including account creation, identity and location verification, Provider matching, scheduling, the consultation experience, and the follow-up messaging window;
- collecting and remitting fees, processing refunds and chargebacks, and facilitating the issuance of country-required tax documentation through the Platform;
- verifying, credentialing, and re-credentialing Providers, and maintaining the Provider directory;
- communicating with you about your account, bookings, support requests, and material changes to our terms or this Notice;
- providing optional AI Tools and the other features you request, as described in Section 6;
- securing the Platform; detecting, preventing, and investigating fraud, misuse, and security incidents; and enforcing our terms;
- operating, evaluating, and improving the Platform, including analytics and the de-identified and aggregated uses described in Section 6;
- complying with legal, tax, and regulatory obligations and responding to lawful requests from competent authorities; and
- establishing, exercising, or defending legal claims, and effecting a corporate transaction as described in Section 7.
We will not use your personal information for materially different, unrelated purposes without providing notice and, where required, obtaining your consent.
6. Artificial Intelligence; De-Identified and Aggregated Data
6.1 AI Tools are a distinct processing purpose
The Platform may offer optional artificial-intelligence-enabled features — such as general informational content, chat support, language translation, content moderation, fraud detection, and trip-preparation tools (“AI Tools”). At launch, AI Tools do not perform symptom triage, clinical-severity assessment, diagnosis, or treatment, and do not constitute medical advice. AI Tools may be operated by Awayward or by U.S.-based subprocessors and run on U.S. infrastructure. Where AI Tool inputs and outputs form part of the clinical encounter, they are part of the Platform Clinical Content described in Section 3.3 and are incorporated by the Provider into the Provider’s clinical record.
6.2 De-identified and aggregated data
We may irreversibly de-identify, aggregate, and anonymize data captured by or transiting the Platform so that it cannot reasonably be used to identify any Customer, Provider, or other person, and may use such data — on a perpetual basis — to operate, secure, and improve the Platform (including the AI Tools); to train, validate, and test machine-learning and other models (including the development of an international care model); for internal analytics; and to prepare and publish aggregate research in which no individual is identifiable. We do not sell de-identified, aggregated, or anonymized data that contains clinical content.
6.3 Limits on training third-party general-purpose models
We will not use your sensitive personal data in identifiable form to train third-party general-purpose AI models without your separate, granular consent. Where the applicable Annex imposes specific obligations on automated decision-making or AI governance, those obligations apply in addition to this Section.
7. How We Share Personal Information
We share personal information only as described below. We do not sell your personal information.
| Recipient category | Why we share | Examples |
|---|---|---|
| Providers and their clinics | To match you with a Provider and enable the consultation, follow-up messaging, and the Provider’s recordkeeping | The matched Provider and, where applicable, the clinic or professional-services entity through which the Provider practices |
| Payment and tax-invoicing providers | To process payments and remittances and to facilitate country-required tax documentation | Payment processors and gateways; authorized tax-invoicing/certification providers integrated into the Platform |
| Hosting and infrastructure providers | To host, store, back up, and deliver the Platform | U.S.-based cloud infrastructure, storage, backup, and content-delivery providers |
| Operational subprocessors | To provide identity verification, fraud prevention, analytics, customer support, communications, and AI Tools on our behalf | Identity-verification and fraud-prevention vendors; analytics, support, and communications vendors; AI Tool subprocessors |
| Sponsors and Insurance Partners | Where some or all of your use of the Services is funded by a Sponsor or Insurance Partner, to administer that arrangement | Corporate, study-abroad, hospitality, or other Sponsors; travel-insurance partners (as further described in any partner-specific summary you accept) |
| Professional advisors and authorities | To obtain professional advice, comply with law, and respond to lawful requests | Lawyers, auditors, and advisors; courts, tax authorities, data-protection authorities, and other competent authorities |
| Corporate transactions | To evaluate, negotiate, or complete a merger, acquisition, financing, reorganization, or sale of assets | Counterparties and their advisors, subject to appropriate confidentiality protections |
Where we share Platform and Account Data with a recipient that processes it on our behalf, we impose contractual obligations requiring the recipient to use the data only to provide services to us and to maintain appropriate technical and organizational measures. We do not transfer your formal clinical record to these recipients; that record stays with your Provider as described in Section 3.2.
8. Cross-Border Transfers to the United States
Awayward processes Platform and Account Data on infrastructure located in the United States of America, and may share it with U.S.-based providers and subprocessors as described in Section 7. The categories of recipients include Awayward and its affiliates; U.S.-based cloud infrastructure providers; U.S.-based subprocessors providing identity verification, fraud prevention, payment processing, customer support, analytics, and AI Tool services; and, to the extent of any sponsored or insurer-funded use, Sponsors and Insurance Partners.
Some countries from which you use the Platform may not have been determined to provide a level of data protection equivalent to their own. Where that is so, we address the transfer by imposing on each recipient, by contract, obligations to maintain technical and organizational measures and data-handling practices substantially equivalent to those required by the applicable law, and by relying on the additional safeguards and, where required, the express consent described in the applicable Annex. Your formal clinical record is not transferred to our U.S. infrastructure as a custodial matter; only Platform Clinical Content that transits the Platform is processed as described in Section 3.3.
9. HIPAA Does Not Apply to the Platform Services
Awayward is not a “covered entity” or “business associate” under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) with respect to the Services rendered through the Platform by foreign-licensed Providers. Any references to HIPAA-style protections in our materials describe voluntary security practices and are not legal-compliance commitments under HIPAA. The data-protection law that applies to you is the law identified in the applicable Annex.
10. Your Clinical Record and the Provider’s Role
Your formal clinical record is held and controlled by your Provider, under the law of the country in which the Provider is licensed. To exercise rights over that record — including obtaining a copy, requesting correction, or asking how it is processed — you contact your Provider directly, and the Provider’s own privacy notice governs. When we process Platform Clinical Content as a processor for your Provider (Section 3.3), we act only on the Provider’s instructions and we cooperate with the Provider in responding to your requests, recognizing that the practical scope of some rights may be narrow given the single purpose of care delivery.
11. Data Retention
We retain Platform and Account Data for as long as necessary for the purposes described in this Notice — for example, for as long as you maintain an account and thereafter as needed to operate and secure the Platform, complete and document transactions, meet tax and other legal obligations, resolve disputes, and establish, exercise, or defend legal claims. Retention periods vary by category of information and by the requirements of the applicable law; the country-specific retention requirements for the formal clinical record (which your Provider keeps) are set out in the applicable Annex. When we no longer need personal information, we delete it or irreversibly de-identify it in accordance with the applicable law.
12. Your Privacy Rights
Depending on where you are located and the law that applies to you, you may have rights to access, correct, update, or obtain a copy of your personal information; to request deletion or restriction of processing; to object to certain processing; to withdraw consent (without affecting processing already carried out); and to lodge a complaint with the competent authority. The specific rights available to you, and the procedure and any country-specific contact for exercising them, are set out in the applicable Annex.
To exercise your rights over the Platform and Account Data Awayward controls, contact us using the details in Section 17. Rights over your formal clinical record run through your Provider (Section 10). We will respond within the timeframe required by the applicable law and may need to verify your identity before acting on a request.
13. Minors; Family Sponsor and Guardian Accounts
The Platform supports use by an adult Family Sponsor or Guardian on behalf of a minor dependent, as described in the Customer Terms. Where the Platform is used on behalf of a minor, the Family Sponsor or Guardian is responsible for the consents and representations made under the Customer Terms, and any clinical service to the minor remains subject to the acting Provider’s clinical judgment and to the pediatric and parental-consent rules of the Service Territory. We process a minor’s information only as needed to provide the Services requested on the minor’s behalf and as the applicable Annex permits. The Platform is not directed to unaccompanied minors, and we do not knowingly create accounts for minors except through a Family Sponsor or Guardian.
14. Cookies and Similar Technologies
We and our service providers use cookies and similar technologies to operate the Platform and website, remember your preferences, secure your session, measure and analyze usage, and — where permitted and, where required, with your consent — improve and personalize your experience. Where a separate cookie notice or consent tool applies in your country, the applicable Annex identifies it and the choices available to you. You can also manage certain cookies through your browser or device settings.
15. How We Protect Information
We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, misuse, and unauthorized access, use, alteration, and disclosure — including role-based access controls, audit logging, encryption in transit and, to the extent supported by the underlying infrastructure, at rest, and vendor security requirements. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a security incident affecting personal information, we will respond and notify affected individuals and authorities to the extent and within the timeframes required by the applicable law.
16. Changes to This Notice
We may update this Notice from time to time. When we make material changes, we will provide notice through the Platform or by other appropriate means and, where required, obtain your consent, before the change takes effect. The “Last Updated” date at the top of this Notice indicates when it was most recently revised. Your continued use of the Platform after a change becomes effective constitutes acceptance of the updated Notice to the extent permitted by the applicable law.
17. How to Contact Us
If you have questions about this Notice or wish to exercise your privacy rights with respect to the Platform and Account Data Awayward controls, contact us at:
Awayward, Inc.
[Street Address]
[City, State ZIP], United States of America
Privacy contact: privacy@awayward.com
Legal: legal@awayward.com | Support: support@awayward.com
The data-protection contact and the country-specific authority with which you may lodge a complaint are identified in the applicable Annex. [Awayward to confirm whether a Data Protection Officer / privacy officer and any non-EU representative are appointed.]
18. Country-Specific Annexes
The following Annex supplements this Body for the country it addresses. Additional Annexes may be appended as Awayward expands the Service Territory. Where the Body and an Annex conflict, the Annex governs for the country it addresses.
- Annex – Mexico (applies when you are physically located in the United Mexican States).
Annex – Mexico
Aviso de Privacidad — LFPDPPP (2025)
This Annex – Mexico supplements the Body of the Awayward Privacy Notice when you are physically located in the United Mexican States (“Mexico”). Together with the Body, this Annex constitutes the Aviso de Privacidad required under the Mexican Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, the “LFPDPPP”), as overhauled in 2025. Capitalized terms not defined here have the meanings given in the Body or the Customer Terms. Where the Body and this Annex conflict, this Annex governs for Mexico. A Spanish-language version of this Aviso de Privacidad is presented at the point of collection and controls for purposes of Mexican law.
Mexican Terms and Acronyms Used in This Annex
For ease of reference, the Spanish-language terms and acronyms used in this Annex are defined below. They are also defined in plain English the first time they appear in the text.
| Term / acronym | Spanish (full form) | Plain-English meaning |
|---|---|---|
| Aviso de Privacidad | Aviso de Privacidad | Privacy notice — the disclosure Mexican law requires a business to give about how it handles personal data |
| LFPDPPP | Ley Federal de Protección de Datos Personales en Posesión de los Particulares | Federal Law on the Protection of Personal Data Held by Private Parties (Mexico’s private-sector data-protection law, overhauled in 2025) |
| responsable | responsable | Data controller — the party that decides how and why personal data is processed |
| encargado | encargado | Data processor — a party that processes personal data on the controller’s behalf and instructions |
| datos personales sensibles | datos personales sensibles | Sensitive personal data (for example, health information) |
| derechos ARCO | Acceso, Rectificación, Cancelación y Oposición | The data-subject rights of Access, Rectification, Cancellation, and Opposition |
| expediente clínico | expediente clínico | The formal clinical record a Provider must create and keep |
| finalidades primarias / secundarias | finalidades primarias / secundarias | Primary purposes (needed to provide the service) / secondary purposes (e.g., marketing, which you can refuse) |
| NOM | Norma Oficial Mexicana | Official Mexican Standard. NOM-004 governs clinical records; NOM-024 governs electronic health-information systems |
| SIRES | Sistema de Información de Registro Electrónico para la Salud | Electronic Health Records Information System (a regulated clinical-records system; the Platform is not one) |
| CFDI | Comprobante Fiscal Digital por Internet | The Mexican digital tax invoice |
| SAT | Servicio de Administración Tributaria | The Mexican federal tax authority |
| COFEPRIS | Comisión Federal para la Protección contra Riesgos Sanitarios | The Mexican health-products and sanitary-risk regulator |
| CONAMED | Comisión Nacional de Arbitraje Médico | The National Medical Arbitration Commission (handles clinical disputes) |
| PROFECO | Procuraduría Federal del Consumidor | The Federal Consumer Protection Agency |
| INAI | Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales | The former National Institute for Transparency, Access to Information and Protection of Personal Data — dissolved in 2025 (see Section M-11) |
| Transparencia para el Pueblo | Transparencia para el Pueblo | “Transparency for the People” — the body that replaced INAI for data-protection oversight, under the Secretariat of Anti-Corruption and Good Governance |
M-1. Identity and Domicile of the Responsable (Data Controller)
For purposes of the LFPDPPP, the responsable (data controller) for the Platform and Account Data is Awayward, Inc., with its principal place of business at [Street Address, City, State ZIP], United States of America, and contact privacy@awayward.com. Awayward is a foreign resident providing digital intermediary services to recipients located in Mexico; its Mexican legal representative and domicile for notification purposes are [Mexican legal representative and address to be confirmed by Mexican counsel].
With respect to your formal clinical record (expediente clínico), the Provider is the responsable under the LFPDPPP, and the Platform is not a Sistema de Información de Registro Electrónico para la Salud (SIRES — a regulated electronic clinical-records system) with respect to that record. Where clinical content transits the Platform en route to the Provider’s expediente clínico, Awayward acts as the Provider’s encargado (data processor).
M-2. Personal Data and Sensitive Personal Data We Process
As responsable for the Platform and Account Data, Awayward processes the categories of personal data described in Section 4 of the Body, which include identification and contact data, account and verification data, geolocation, payment and billing data, usage data, and — where you provide it — health information you enter into the Platform.
The LFPDPPP treats health information as sensitive personal data (datos personales sensibles). We process sensitive personal data only with your express written consent and only for the purposes described in this Aviso de Privacidad.
M-3. Purposes of Processing
M-3.1 Primary purposes (finalidades primarias). We process your personal data to provide the Platform and the Services you request, including account creation and administration; identity, age, and location verification; Provider matching, scheduling, and the consultation experience; the follow-up messaging window; collection and remittance of fees and facilitation of CFDI (Comprobante Fiscal Digital por Internet — the Mexican digital tax invoice) issuance; customer support; security and fraud prevention; and compliance with applicable law.
M-3.2 Secondary purposes (finalidades secundarias). Subject to your consent where the LFPDPPP requires it, we may also process your personal data for product improvement and analytics, the de-identified and aggregated uses described in Section 6 of the Body, service-quality surveys, and marketing of Awayward services. You may refuse or withdraw consent to the secondary purposes without affecting the provision of the Services, using the mechanism in Section M-6.
M-4. Consent to Process Sensitive Personal Data
Under Article 9 of the LFPDPPP, the processing of sensitive personal data requires your express written consent, which may be given electronically. By providing health information through the Platform and accepting this Aviso de Privacidad electronically (for example, by checking the designated box), you give your express written consent to Awayward’s processing of your sensitive personal data for the primary purposes described in Section M-3.1.
M-5. Cross-Border Transfer of Personal Data
By accepting this Aviso de Privacidad you expressly consent in writing under the LFPDPPP to the transfer, storage, and processing of your Platform and Account Data outside Mexico, specifically to infrastructure located in the United States, and to the categories of recipients described in Sections 7 and 8 of the Body. The 2025 LFPDPPP requires express consent for cross-border transfers of this kind. Awayward addresses the transfer by imposing on each recipient, by contract, obligations to maintain protections substantially equivalent to those required by the LFPDPPP.
M-6. Your Derechos ARCO and How to Exercise Them
You have the rights of Acceso, Rectificación, Cancelación y Oposición (access, rectification, cancellation, and opposition — the “derechos ARCO”) with respect to the Platform and Account Data Awayward holds as responsable, as well as the right to revoke consent and to limit the use or disclosure of your personal data.
To exercise these rights, submit a request to privacy@awayward.com (or through [the in-Platform privacy module / dedicated ARCO contact to be confirmed]), including your name and a means of contact, a clear description of the personal data and the right you wish to exercise, and any element that helps locate the data. We will respond within the timeframe established by the LFPDPPP. Derechos ARCO over your expediente clínico run through your Provider as responsable of that record.
M-7. Mechanisms to Limit Use and Disclosure
You may limit the use or disclosure of your personal data for secondary purposes by using the contact in Section M-6 and, where offered, the in-Platform privacy controls. You may also register in any applicable exclusion listings maintained by the competent Mexican authority where relevant.
M-8. Cookies and Tracking Technologies
The Platform and website use cookies and similar technologies as described in Section 14 of the Body. Where required, a Spanish-language cookie notice and consent mechanism is presented at the point of collection in Mexico, identifying the technologies used and the choices available to you.
M-9. Automated Decisions and Artificial Intelligence
The 2025 LFPDPPP introduces requirements relating to automated decision-making and the use of artificial intelligence. Awayward’s AI Tools are described in Section 6 of the Body and, at launch, do not perform symptom triage, clinical-severity assessment, diagnosis, or treatment. Where Awayward uses automated processing that produces legal effects or similarly significant effects concerning you, we will provide the information and choices required by the LFPDPPP.
M-10. Clinical Record (NOM-004 / NOM-024)
Your expediente clínico is created and maintained by your Provider on Provider-controlled systems located in Mexico, in accordance with NOM-004-SSA3-2012 (a Norma Oficial Mexicana, or Official Mexican Standard, governing Clinical Records) and, where applicable, NOM-024-SSA3-2012 (the Official Mexican Standard governing Electronic Health Information Systems), and is retained for at least five (5) years from the last clinical encounter or such longer period as applicable law requires. The Provider is the responsable of the expediente clínico; Awayward does not operate a SIRES with respect to it. Requests to exercise derechos ARCO over the expediente clínico run through the Provider directly.
M-11. Supervisory Authority
Following the 2025 overhaul of the LFPDPPP, the autonomous National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) was dissolved, and oversight of the protection of personal data held by private parties was transferred to Transparency for the People (Transparencia para el Pueblo), a body under the Secretariat of Anti-Corruption and Good Governance. You have the right to file a complaint regarding the processing of your personal data before that authority and before any other competent Mexican authority, including, as relevant, COFEPRIS (the Mexican health-products and sanitary-risk regulator), CONAMED (the National Medical Arbitration Commission), and PROFECO (the Federal Consumer Protection Agency).
M-12. Changes to This Aviso de Privacidad
We may amend this Aviso de Privacidad as described in Section 16 of the Body. Material changes will be communicated through the Platform or other appropriate means and, where the LFPDPPP requires, with your consent. The current version is made available through the Platform and, in Mexico, in Spanish.