This Notice describes how Made collects,
uses, and protects personal and operational data in providing
MadeOS services. It applies to all Customers
in Chile, Mexico, and the United States.
01Responsible Entity and
Contact
Throughout this Notice, "Made" refers to the legal
entity acting as data controller or processor for
the relevant jurisdiction, as identified in the
applicable Order Form. The full list of Made's
responsible entities (including the entity governed
by Mexican law for purposes of the Federal Law on
the Protection of Personal Data Held by Private
Parties) is published at madeos.ai/legal/entities and incorporated by reference into this Notice.
For any matter related to this Notice or the
exercise of data subject rights, contact: privacy@madeos.ai.
02Data Processing Roles
(Controller / Processor)
Customer = Data Controller: Determines
the purposes and means of processing data of its employees
and visitors.
Made = Data Processor: Acts exclusively
on the Customer's instructions, for the purposes described
in this Notice.
03Data Collected
Visual Data: Video and images from
industrial cameras for anomaly detection and quality
control. May incidentally contain images of persons
present in the industrial area.
Telemetry and Sensors: PLC readings,
temperature, vibration, pressure, and other machine
operational parameters.
Administrative Data: Name, role,
email, and phone of the primary contact and platform
administrator.
Usage Data: Access logs, dashboard
actions, and configurations.
API Access Data: For Customers
using MadeOS via REST API, Made processes API
credentials (hashed), request and response logs,
IP addresses of API callers, request metadata
(timestamps, endpoints, parameters), and rate-limit
counters. API request payloads are processed
ephemerally and not retained beyond what is required
for audit, security, and SLA monitoring.
Messaging Data: For Customers
enabling Industrial Agent delivery via WhatsApp
or SMS, Made processes end-user (employee) phone
numbers, message content sent and received,
delivery status, read receipts (where supported
by the platform), and opt-in / opt-out timestamps.
Phone numbers and conversation history are processed
only with prior end-user consent obtained by the
Customer.
Important: MadeOS is not designed for
biometric identification. Incidental images of persons
are processed exclusively for the described industrial
purposes and are subject to anonymization within the processing
workflow.
04Purposes of Processing
Primary purposes (necessary for service
delivery):
Real-time detection of quality defects and
microstops on production lines.
Predictive alerts and machine failure diagnosis
based on telemetry.
Workflow automation and AI-assisted SOP
generation.
Security and authentication notifications for
platform access, including identity verification
and risk-activity alerts.
Conversational delivery of Industrial Agent
alerts, prescriptions, and follow-ups via
WhatsApp, SMS, and equivalent channels enabled
by Customer. This purpose requires prior
explicit consent obtained from end-users
(employees) by the Customer and is conditioned
on Customer's ability to provide an accessible
opt-out mechanism.
Delivery of critical platform-event
notifications, operational incidents, and
escalations requiring immediate action.
Digital Twin construction and maintenance.
Billing and commercial management.
Secondary purposes (non-conditioning
of service):
Training and improving AI models in strictly
anonymized and aggregated format (see Clause 5).
Sector-level statistical performance analysis
without identifying specific Customers.
05AI Model Training
The Customer grants Made an irrevocable and perpetual license to use telemetry and operational data under the following
strict conditions:
Exclusively in anonymized and aggregated format, with no possibility of re-identification or
disclosure of trade secrets.
Exclusive purpose: training and improving Made's
AI models.
Data will not be shared with third parties for
AI training outside the Made corporate group.
06Data Transfer and
Subprocessing
Made may subcontract processing to trusted
subprocessors subject to equivalent confidentiality
and security obligations. Categories include:
Cloud Infrastructure Providers:
for hosting, storage, and compute (e.g., AWS,
Cloudflare).
Messaging Platforms: Meta
Platforms, Inc. (WhatsApp Business API) and SMS
aggregators selected based on the Customer's
geographic routing. Messages and phone numbers
processed through these channels may be stored
on Meta's infrastructure (primarily United
States and Ireland) and on aggregator
infrastructure outside the Customer's
jurisdiction.
Authentication and Security
Providers: for identity verification,
fraud prevention, and access monitoring.
Made does not sell or transfer personal data to
third parties for purposes outside this Notice. The
current subprocessor list is published at madeos.ai/legal/subprocessors and is updated when subprocessors change.
International transfers comply with recognized legal
mechanisms in each jurisdiction (see Clause 14).
07Data Retention
Operational data and images are retained during the
contract term and a maximum of 90 additional days for audit and closure. Administrative data is retained
for the minimum period required by applicable tax and
commercial legislation.
08Rights of Data Subjects
Exercisable by contacting privacy@madeos.ai. As Customer is the Controller, Customer is
responsible for addressing and responding to rights
requests. Made, as Processor, will reasonably assist
Customer to comply within applicable legal
timeframes.
Access: Learn what personal data
Made processes.
Rectification: Correct inaccurate
or incomplete data.
Erasure: Request deletion when there
is no legal basis for processing.
Objection: Object to processing for
secondary purposes.
Portability: Receive data in structured
format (where applicable by law).
Restriction: Request restriction
of processing where provided by law.
09Jurisdiction-Specific
Provisions
π²π½ Mexico - LFPDPPP
The Customer assumes the obligation to obtain
express written consent for incidental biometric
data capture, in compliance with the LFPDPPP and
its Regulations.
To exercise ARCO rights, contact privacy@madeos.ai with official ID. Made responds within 20 business
days.
Made maintains security measures consistent with
applicable law and guidance issued by the
competent authority.
π¨π± Chile - Laws No. 19,628 and No. 21,719
The Customer declares that video surveillance is
aligned with the Chilean Labor Directorate's
doctrine for use exclusively in industrial
safety and technical process control.
The Customer warrants having disclosed this in
the company's Internal Regulations and notified
workers per the Labor Code.
Made will adapt its practices to Law No. 21,719
within the statutory deadlines.
πΊπΈ United States - CCPA / CPRA
Do Not Sell: Made does not sell or
share personal information. We operate as a Service
Provider, retaining data only for the business purposes
described.
California residents may exercise their CPRA
rights by contacting privacy@madeos.ai.
Made does not discriminate against data subjects
who exercise their privacy rights.
10Data Security
Made implements encryption in transit (TLS 1.2+) and
at rest, role-based access controls, continuous
monitoring, and incident response plans. In the
event of a breach affecting personal data, Made will
notify the Customer within 72 hours of
detection.
11Customer Obligations as
Data Controller
Having obtained necessary consents from
personnel for industrial video surveillance and,
where applicable, for biometric data processing.
Having installed and maintaining required video
surveillance signage per applicable law.
Where messaging channels (WhatsApp / SMS) are
enabled, having obtained explicit, documented
consent from each end-user (employee) prior to
enrollment, and providing an accessible opt-out
mechanism in compliance with applicable law
(including the LFPDPPP in Mexico, Ley 21.719 in
Chile, and TCPA / equivalent regulations in the
United States).
Indemnifying and holding Made harmless from any
claim arising from breach of these obligations.
12Changes to This Notice
Updates will be published at madeos.ai/legal. For material changes involving new processing
purposes, Made will obtain the Customer's consent in
accordance with applicable law.
13Legal Bases and Made's
Role
13.1 Legal Bases: Made processes
personal data only to (a) perform the contract and
provide the Services, (b) comply with legal obligations,
and (c) secondary purposes only where permitted by
applicable law and, where required, with Customer
or data-subject consent.
13.2 Made as Processor: Made acts
as a Processor under Customer's documented instructions.
Customer is the Controller for data of its employees,
contractors, and visitors.
14International Transfers
and Safeguards
14.1 Transfers: Data may be transferred
to and processed in countries other than the Customer's,
consistent with service operation. Recurring transfer
destinations include: (a) cloud infrastructure providers
in the United States and the European Union for hosting
and compute; (b) Meta Platforms, Inc. infrastructure
in the United States and Ireland for delivery of
WhatsApp Business API messages; and (c) SMS aggregators
in jurisdictions determined by the Customer's geographic
routing.
14.2 Mechanisms: Where required by
law, Made will implement recognized safeguards for
international transfers, such as standard contractual
clauses (EU SCCs), the Mexican Standard Contractual
Clauses model under the LFPDPPP, or other valid
instruments under the applicable jurisdiction.
Customers may request a copy of executed transfer
instruments at
privacy@madeos.ai.
15Retention, Deletion and
Return
15.1 Retention: The retention periods
in Clause 07 apply unless law requires longer retention
or Customer requests earlier deletion where permissible.
15.2 Deletion and Return: Upon Customer
request and subject to reasonable legal and technical
limitations, Made will delete or return personal data
processed as Processor upon contract end, pursuant
to the DPA.
16CCPA/CPRA Transparency and
No Sale
16.1 No Sale or Sharing: Made does
not sell personal information or share it for cross-context
behavioral advertising.
16.2 California Rights: California
residents may request access, deletion, correction,
and limitation of use of sensitive personal information
where applicable via privacy@madeos.ai. Made may require
reasonable verification and will accommodate authorized
agents as required by law.
16.3 Categories and Purposes: Made
processes the categories described in Clause 03 for
the purposes described in Clause 04 and retains data
per Clause 07.
