This summary is for convenience only and does not replace the full notice below.
The organization responsible for your data
GrayCat PI is a private investigation firm registered in Mexico and the United States. For the purposes of Mexican data-protection law, the responsable (data controller) for personal data collected through this website is GrayCat PI, SAS. Our website address is https://graycatpi.com.
Mexico City, CDMX 03810, México
Austin, TX 78741, USA
Cases are coordinated by a licensed case manager (Cédula Profesional / SEP No. 14357746). For any privacy question or to exercise your rights, use our contact page — see section 16.
The frameworks we operate under
Because we are registered in both countries and serve clients on both sides of the border, this notice is written to meet the requirements of:
- Mexico — the Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “LFPDPPP”) and its Regulations.
- United States — the Texas Data Privacy and Security Act (“TDPSA”) and, for California residents, the California Consumer Privacy Act as amended (“CCPA/CPRA”).
- Other jurisdictions — where a visitor is protected by another regime, such as the EU/UK GDPR, we apply equivalent safeguards to the extent those laws apply to us.
Where these laws differ, we follow the standard that gives you the stronger protection for the data in question.
The personal data we collect, and our reasons
We collect only what we need. The categories below cover ordinary use of this website; data handled as part of an active investigation is addressed separately in section 11.
Data you give us
- Identity & contact details — name, email, phone/WhatsApp — when you submit our case-review form.
- The contents of your message — the case type, location, and whatever you choose to tell us.
- If you comment on a blog post — the name, email, and comment you enter, plus your IP and browser string for spam screening.
Data collected automatically
- Technical data — IP address, browser and device type, referring page, and pages viewed — through cookies and our analytics and security tools.
- Security logs — failed login attempts and error/redirect events used to protect the site.
Why we collect it (legal basis)
We process this data to respond to your inquiry, assess whether we can help, deliver and invoice our services, keep the site secure and performant, and meet our legal and tax obligations. Under the LFPDPPP this rests on your consent (given when you submit a form) and our legitimate interest in operating and securing the site; under U.S. law it supports the transaction or service you requested and our reasonable business and security needs. We do not use your personal data for secondary purposes such as marketing or advertising, and we do not sell it.
The tools that run this site, and what each handles
This site runs on WordPress. The components below process some personal or technical data on our behalf, each under its own privacy terms. We do not authorize any of them to use your data for their own marketing.
Where your data is processed
Because we operate in Mexico and the United States and use international service providers, some technical and contact data may be stored or processed outside your home country — including in the U.S. We require these providers to protect your data to standards consistent with the LFPDPPP and applicable U.S. law, through their contractual commitments and recognized safeguards. Where the GDPR applies to a transfer, we rely on appropriate safeguards such as Standard Contractual Clauses.
Retention periods
We keep personal data only as long as needed for the purpose it was collected, then delete or anonymize it:
Client and invoicing records are kept for the period Mexican tax and commercial law requires. You can ask us to delete data sooner where no legal obligation requires us to keep it (see sections 09–10).
ARCO rights under the LFPDPPP
If you are in Mexico, you have the right to Access, Rectify, Cancel (delete), and Oppose the processing of your personal data — together known as your ARCO rights. You may also withdraw consent you previously gave, and limit the use or disclosure of your data.
To exercise these rights, send a request through our contact page stating your name, a way to contact you, a description of the data concerned, and the right you wish to exercise. We will respond within the timeframe set by the LFPDPPP — generally within 20 business days — and act on valid requests within the following 15 days. There is no charge unless you request copies beyond the first, or repeat a request within the same period. If you are not satisfied with our response, you may file a complaint with Mexico’s data-protection authority, the Secretariat Against Corruption and Good Governance (Secretaría Anticorrupción y Buen Gobierno), which under the current LFPDPPP took over the functions formerly held by INAI.
Texas and California consumer rights
If you are a resident of Texas (TDPSA) or California (CCPA/CPRA), you have the right to:
- Confirm whether we process your personal data and access it.
- Correct inaccurate data and request its deletion.
- Obtain a portable copy of data you provided.
- Opt out of the sale of personal data, targeted advertising, and certain profiling.
We do not sell personal data and do not use it for targeted advertising, so there is nothing to opt out of in those respects — but you may still exercise every other right above. Submit a request through our contact page; we will verify and respond within the period the applicable law requires (generally 45 days). You will not be discriminated against for exercising these rights, and you may appeal a decision by contacting us again. You may use an authorized agent to submit a request on your behalf, subject to our verifying your identity and the agent’s authority.
Personal data we handle during a case
In the course of a lawful investigation, we necessarily process personal data about people who are not our clients — for example the subject of a missing-person, fraud, due-diligence, or surveillance case. We handle this data on the legal bases permitted for the establishment, exercise, or defense of legal claims and for our and our clients’ legitimate interests, and always within the limits of Mexican and U.S. law.
Investigation data is kept confidential, accessible only to authorized personnel, used solely for the purpose of the engagement, and retained no longer than the case and our legal obligations require. As the LFPDPPP and applicable U.S. law allow, certain rights and notice obligations may be limited where complying would frustrate a lawful investigation, prejudice legal proceedings, or where another legal exception applies. We do not conduct investigations except on a lawful basis and a legitimate engagement.
Our safeguards
We protect personal data with encrypted connections (SSL/TLS), server firewalls, brute-force protection on the login page, and strict access controls. Access to personal and case data is limited to authorized personnel who need it, and our staff follow internal confidentiality and security policies. No method of transmission or storage is completely secure, but we work to keep our safeguards aligned with the sensitivity of the data we hold.
If a breach occurs
If a security breach materially affects your rights, we will investigate and contain it, take corrective action, and notify affected individuals and any competent authority where the LFPDPPP or applicable U.S. law requires, without undue delay. Our response includes assessing the cause, the data involved, and the steps you can take to protect yourself.
Automated decision-making & profiling
We do not use your personal data to make decisions about you by automated means alone, and we do not build advertising or behavioral profiles. Our work — assessing and conducting cases — is carried out by people, using their professional judgment.
Children’s data
This website and our intake forms are intended for adults. We do not knowingly collect personal data from children through the site. Where a case lawfully involves data concerning a minor, it is handled with heightened care and only as permitted by law and our engagement. If you believe a child has provided data through the site, contact us and we will delete it.
Updates to this notice, and how to reach us
We may update this Privacy Policy to reflect changes in our practices, technology, or the law. The effective date at the top of the page shows when it was last revised; material changes will be posted here. Continued use of the site after an update means you accept the revised notice.
For any privacy concern — including ARCO or U.S. consumer-rights requests — reach our data contact through the form below. We respond within the timeframes set out in sections 09 and 10.