LEGAL — PRIVACY NOTICE

Privacy Policy

How GrayCat PI collects, uses, shares, and protects personal data — for everyone who visits this site, contacts us, or becomes a client. Written to meet our obligations in Mexico and the United States.

EFFECTIVE: 26 JUNE 2026 JURISDICTIONS: MEXICO (LFPDPPP) · U.S. (TX / CA) AVAILABLE IN: EN · ES · FR
AT A GLANCE
We don’t sell your data.
Ever. We share only with the service providers needed to run the site and respond to you.
Inquiries stay private.
Case details are reviewed by a licensed investigator and never discussed outside our team.
You control your data.
Access, correct, or delete it under Mexican (ARCO) and U.S. (TX/CA) law — see sections 09–10.
We keep little, briefly.
Contact-form messages are deleted on a rolling basis; we retain only what a case or the law requires.

This summary is for convenience only and does not replace the full notice below.

01 — WHO WE ARE

The organization responsible for your data

GrayCat PI is a private investigation firm registered in Mexico and the United States. For the purposes of Mexican data-protection law, the responsable (data controller) for personal data collected through this website is GrayCat PI, SAS. Our website address is https://graycatpi.com.

MEXICO — DATA CONTROLLER
GrayCat PI, SAS
Montecito 38
Mexico City, CDMX 03810, México
+52 951 565 4804
UNITED STATES — AFFILIATE
GrayCat PI, Corp
2028 E Ben White
Austin, TX 78741, USA
+1 512 273 3555

Cases are coordinated by a licensed case manager (Cédula Profesional / SEP No. 14357746). For any privacy question or to exercise your rights, use our contact page — see section 16.

02 — WHICH LAWS APPLY

The frameworks we operate under

Because we are registered in both countries and serve clients on both sides of the border, this notice is written to meet the requirements of:

  • Mexico — the Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “LFPDPPP”) and its Regulations.
  • United States — the Texas Data Privacy and Security Act (“TDPSA”) and, for California residents, the California Consumer Privacy Act as amended (“CCPA/CPRA”).
  • Other jurisdictions — where a visitor is protected by another regime, such as the EU/UK GDPR, we apply equivalent safeguards to the extent those laws apply to us.

Where these laws differ, we follow the standard that gives you the stronger protection for the data in question.

03 — WHAT WE COLLECT & WHY

The personal data we collect, and our reasons

We collect only what we need. The categories below cover ordinary use of this website; data handled as part of an active investigation is addressed separately in section 11.

Data you give us

  • Identity & contact details — name, email, phone/WhatsApp — when you submit our case-review form.
  • The contents of your message — the case type, location, and whatever you choose to tell us.
  • If you comment on a blog post — the name, email, and comment you enter, plus your IP and browser string for spam screening.

Data collected automatically

  • Technical data — IP address, browser and device type, referring page, and pages viewed — through cookies and our analytics and security tools.
  • Security logs — failed login attempts and error/redirect events used to protect the site.

Why we collect it (legal basis)

We process this data to respond to your inquiry, assess whether we can help, deliver and invoice our services, keep the site secure and performant, and meet our legal and tax obligations. Under the LFPDPPP this rests on your consent (given when you submit a form) and our legitimate interest in operating and securing the site; under U.S. law it supports the transaction or service you requested and our reasonable business and security needs. We do not use your personal data for secondary purposes such as marketing or advertising, and we do not sell it.

04 — COOKIES & TRACKING

Cookies and similar technologies

We use a small number of cookies to make the site work and to understand how it’s used:

  • Functional — remembering your language choice (set by Polylang) and, if you comment, your name and email so you needn’t re-enter them.
  • Performance & caching — serving pages faster through our caching layer (LiteSpeed / QUIC.cloud).
  • Analytics — anonymized usage measurement via Site Kit by Google (Google Analytics). See section 05.

You can block or delete cookies in your browser settings; some site features may then work less smoothly. To opt out of Google Analytics specifically, you can use Google’s opt-out tools.

05 — PLUGINS & THIRD-PARTY SERVICES

The tools that run this site, and what each handles

This site runs on WordPress. The components below process some personal or technical data on our behalf, each under its own privacy terms. We do not authorize any of them to use your data for their own marketing.

SERVICEWHAT IT HANDLES
Contact Form 7 + Flamingo Runs the case-review form and stores submissions so we can respond. Messages are not used for marketing and are purged on a rolling basis (see section 08).
Akismet Screens form and comment submissions for spam. Sends the submission and metadata (IP, browser, content) to Automattic for analysis. Privacy policy.
Jetpack Provides security and site statistics; processes limited activity and technical data through Automattic. Privacy policy.
Site Kit by Google Connects Google Analytics and Search Console for anonymized traffic measurement. Google privacy policy.
LiteSpeed Cache + QUIC.cloud Caches and accelerates pages through a content delivery network; processes technical data temporarily. Privacy policy.
Loginizer Protects the login page against brute-force attacks by logging IP addresses of failed attempts.
Redirection Manages URL redirects and logs 404 errors (requested URL, referrer, and IP) to keep links working.
Polylang Delivers the site in English, Spanish, and French; stores a cookie remembering your language.
Gravatar If you comment, a hash of your email may be sent to Gravatar to show a profile image. Privacy policy.
06 — WHO WE SHARE DATA WITH

When and with whom we share data

We do not sell your personal data, and we do not share it for cross-context behavioral advertising. We disclose data only in these limited cases:

  • With the service providers listed in section 05 — our host, CDN, security, and analytics providers — strictly to operate the site, under confidentiality and data-processing terms.
  • With professional advisers (e.g. our lawyers or accountants) where necessary, bound by professional confidentiality.
  • Where required by law, court order, or a lawful request from a competent authority.
  • In connection with the deliverables of an investigation, only with the client who engaged us and as agreed in our engagement terms.
  • The service providers in section 05 act as our data processors, handling data only on our instructions; this sharing is not a sale and does not require your separate consent under the LFPDPPP.
07 — INTERNATIONAL TRANSFERS

Where your data is processed

Because we operate in Mexico and the United States and use international service providers, some technical and contact data may be stored or processed outside your home country — including in the U.S. We require these providers to protect your data to standards consistent with the LFPDPPP and applicable U.S. law, through their contractual commitments and recognized safeguards. Where the GDPR applies to a transfer, we rely on appropriate safeguards such as Standard Contractual Clauses.

08 — HOW LONG WE KEEP DATA

Retention periods

We keep personal data only as long as needed for the purpose it was collected, then delete or anonymize it:

Contact-form submissionsUP TO 6 MONTHS
Analytics recordsUP TO 14 MONTHS
Security & error logsUP TO 12 MONTHS
Blog commentsUNTIL REMOVED
Engaged-client & invoicing recordsAS LAW REQUIRES

Client and invoicing records are kept for the period Mexican tax and commercial law requires. You can ask us to delete data sooner where no legal obligation requires us to keep it (see sections 09–10).

09 — YOUR RIGHTS IN MEXICO

ARCO rights under the LFPDPPP

If you are in Mexico, you have the right to Access, Rectify, Cancel (delete), and Oppose the processing of your personal data — together known as your ARCO rights. You may also withdraw consent you previously gave, and limit the use or disclosure of your data.

To exercise these rights, send a request through our contact page stating your name, a way to contact you, a description of the data concerned, and the right you wish to exercise. We will respond within the timeframe set by the LFPDPPP — generally within 20 business days — and act on valid requests within the following 15 days. There is no charge unless you request copies beyond the first, or repeat a request within the same period. If you are not satisfied with our response, you may file a complaint with Mexico’s data-protection authority, the Secretariat Against Corruption and Good Governance (Secretaría Anticorrupción y Buen Gobierno), which under the current LFPDPPP took over the functions formerly held by INAI.

10 — YOUR RIGHTS IN THE U.S.

Texas and California consumer rights

If you are a resident of Texas (TDPSA) or California (CCPA/CPRA), you have the right to:

  • Confirm whether we process your personal data and access it.
  • Correct inaccurate data and request its deletion.
  • Obtain a portable copy of data you provided.
  • Opt out of the sale of personal data, targeted advertising, and certain profiling.

We do not sell personal data and do not use it for targeted advertising, so there is nothing to opt out of in those respects — but you may still exercise every other right above. Submit a request through our contact page; we will verify and respond within the period the applicable law requires (generally 45 days). You will not be discriminated against for exercising these rights, and you may appeal a decision by contacting us again. You may use an authorized agent to submit a request on your behalf, subject to our verifying your identity and the agent’s authority.

11 — DATA IN INVESTIGATIONS

Personal data we handle during a case

In the course of a lawful investigation, we necessarily process personal data about people who are not our clients — for example the subject of a missing-person, fraud, due-diligence, or surveillance case. We handle this data on the legal bases permitted for the establishment, exercise, or defense of legal claims and for our and our clients’ legitimate interests, and always within the limits of Mexican and U.S. law.

Investigation data is kept confidential, accessible only to authorized personnel, used solely for the purpose of the engagement, and retained no longer than the case and our legal obligations require. As the LFPDPPP and applicable U.S. law allow, certain rights and notice obligations may be limited where complying would frustrate a lawful investigation, prejudice legal proceedings, or where another legal exception applies. We do not conduct investigations except on a lawful basis and a legitimate engagement.

12 — HOW WE PROTECT DATA

Our safeguards

We protect personal data with encrypted connections (SSL/TLS), server firewalls, brute-force protection on the login page, and strict access controls. Access to personal and case data is limited to authorized personnel who need it, and our staff follow internal confidentiality and security policies. No method of transmission or storage is completely secure, but we work to keep our safeguards aligned with the sensitivity of the data we hold.

13 — DATA BREACH PROCEDURES

If a breach occurs

If a security breach materially affects your rights, we will investigate and contain it, take corrective action, and notify affected individuals and any competent authority where the LFPDPPP or applicable U.S. law requires, without undue delay. Our response includes assessing the cause, the data involved, and the steps you can take to protect yourself.

14 — AUTOMATED DECISIONS

Automated decision-making & profiling

We do not use your personal data to make decisions about you by automated means alone, and we do not build advertising or behavioral profiles. Our work — assessing and conducting cases — is carried out by people, using their professional judgment.

15 — CHILDREN’S PRIVACY

Children’s data

This website and our intake forms are intended for adults. We do not knowingly collect personal data from children through the site. Where a case lawfully involves data concerning a minor, it is handled with heightened care and only as permitted by law and our engagement. If you believe a child has provided data through the site, contact us and we will delete it.

16 — CHANGES & CONTACT

Updates to this notice, and how to reach us

We may update this Privacy Policy to reflect changes in our practices, technology, or the law. The effective date at the top of the page shows when it was last revised; material changes will be posted here. Continued use of the site after an update means you accept the revised notice.

EXERCISE YOUR RIGHTS / ASK A QUESTION

For any privacy concern — including ARCO or U.S. consumer-rights requests — reach our data contact through the form below. We respond within the timeframes set out in sections 09 and 10.

Call Request Case Review