As part of our customer, supplier, and user registry, certain personally identifiable information about you may be collected and processed. The information that may be collected and processed includes:

1. Identification data: full name, marital status, signature, electronic signature, Taxpayer Registry (RFC), Unique Population Registry Code (CURP), image or images identifying you, place and date of birth, age, names of family members, dependents, and beneficiaries
2. Contact information: address, home phone, cell phone and/or work phone, as well as email addresses.

3. Professional data: occupation, position, department or area, work address, work phone, extracurricular activities, employment references, personal references, academic history, performance history within the company, among others.
4. Financial data: credit history, income and expenses, bank accounts, and bank statements.

We commit to processing these data under strict security measures, always ensuring confidentiality

For the purposes outlined in this notice, we may collect your personal data through various means: when you provide them directly to us; when you visit our websites or use our online services; by telephone; and/or voluntarily providing data when entering our premises, as well as from other sources permitted by the Personal Data Law.

Your personal data will be processed for the following purposes:

Primary Purposes

• Identify and/or contact you.
• Control access records to and from our facilities.
• Market the products and services offered by Ferrocarril Mexicano, S.A. de C.V. and Ferrosur, S.A. de C.V., subsidiaries, and/or affiliates.
• Update records and systems programs of Ferrocarril Mexicano, S.A. de C.V. and Ferrosur, S.A. de C.V., subsidiaries, and/or affiliates.
• Comply with requests from authorities, when necessary to safeguard public interest or administer justice.
• If applicable, draft, prepare, define, and execute any document required with any client, supplier, service provider, or advisor.
• 7. Fulfill obligations arising from the legal relationship established with the client.
  Provide services and products required by the client in a timely and correct manner.
• In the case of financial data, these may only be used to register suppliers and maintain a legal relationship with them.

Secondary Purposes

• Market research and promotion of products./li>
• Sending advertisements and promotions about our products and services.
• Analysis to determine the effectiveness of our advertising and promotions.
• Discount programs, refunds, and other programs in which the client or user chooses to participate and for quality assurance purposes.
• Conduct consultations, investigations, and reviews regarding services provided, complaints, or claims.

You will have a period of 5 business days to object to your personal data being processed for the secondary purposes mentioned in this Privacy Notice. To do so, you must contact us through the mechanisms mentioned below. Otherwise, you may limit the use of your personal data for secondary purposes, in accordance with the mechanisms provided in this Privacy Notice.

For the fulfillment of the purposes of this Privacy Notice, the Controller may transfer and/or transmit, nationally and internationally, data without your consent, in accordance with the terms of the Personal Data Law, under the following circumstances:

• When the transfer is made to controlling companies, subsidiaries, or affiliates belonging to the same group as the Controller and operating under the same internal processes and policies;
• When the transfer is necessary for the maintenance or fulfillment of a legal relationship between the Controller and the data subject;
• When the transfer is provided for by a Personal Data Law or treaties to which Mexico is a party;
• When the transfer is necessary for medical prevention or diagnosis, provision of health care, medical treatment, or management of health services;
• When the transfer is necessary due to a contract executed or to be executed in the interest of the data subject, by the Controller and a third party;
• When the transfer is necessary or legally required for the safeguarding of a public interest, or for the procurement or administration of justice; and
• When the transfer is necessary for the recognition, exercise, or defense of a right in a judicial proceeding.

Additionally, the Controller may transfer personal data to third parties that the Controller considers necessary for the operation of its electronic sites, proper provision of services, and for marketing and commercialization purposes.

Third parties and entities receiving personal data will be aware of the terms under which you agreed to the processing of your personal data, as established in this privacy notice.

You or your legal representative may exercise any of the rights of access, rectification, cancellation, or opposition (hereinafter, the "ARCO Rights"), as well as request the revocation of your consent, by sending an email to the Controller at the email address datospersonales@gmxt.mx.
Your request must be made through a request to exercise ARCO Rights and revoke consent, which should be sent to the email address datospersonales@gmxt.mx and must contain all the elements necessary to process your request for exercising your rights and/or revoking consent in accordance with the regulations. The exercise of these rights and/or revocation of consent will be free of charge, with you only needing to cover the costs of shipping, reproduction, and, if applicable, certification of documents.
In order for the Controller to process your request, you or your legal representative must properly verify your identity by providing the following information with your request:

• Your name and email address;
• A copy of the documents proving your identity (for example, a copy of your voter ID card, passport, or any other official identification) or, if applicable, your legal representation;
• A clear and precise description of the personal data about which you seek to exercise any of your ARCO Rights;
• Any document or information that facilitates the location of your personal data; and
• In case of requesting rectification of your personal data, you must also indicate the modifications to be made and provide the documentation supporting your request.

Upon receipt of your request, the personal data department will acknowledge receipt on the same day it is received. If the information provided in the request is incorrect or insufficient, or if the corresponding accreditation documents are not attached, the Controller may, within five (5) business days following receipt of the request, request that you provide the necessary elements or documents to process it. You will have ten (10) business days to respond to this requirement, counted from the day following its receipt. Failure to respond within this period will result in the request being considered as not submitted.
The Controller will communicate the determination made within a maximum period of twenty (20) business days from the date the request was received, so that, if it is appropriate, you can make it effective within fifteen (15) business days following the communication of the response. Please note that this response may be issued affirmatively or negatively, and will be duly justified. The response will be sent electronically to the email address specified in the request. Furthermore, regarding ARCO Rights, their exercise may be restricted for reasons of national security, public order provisions, public health and safety, or to protect the rights of third parties, or by resolution of the competent authority duly reasoned and motivated. If your ARCO Rights are restricted for any of these reasons, you will be notified of the reasons.
Additionally, in accordance with Chapter VII of the Federal Law on Protection of Personal Data Held by Private Parties, if you believe that your right to data protection has been violated, you may initiate a rights protection procedure before the National Institute for Transparency, Access to Information and Personal Data Protection (formerly Federal Institute of Access to Information and Data Protection).
It is important to consider that, for the purposes that originated and are necessary for the development of the relationship you have with the Controller, if you request the cancellation or opposition to the processing of such data, the data subject accepts that they may not be able to continue that relationship with the Controller.

You may limit the use or disclosure of your personal data to prevent them from being used or disclosed for purposes unnecessary for the legal relationship between you and the Controller.

If you wish to limit the use or disclosure of your personal data, you must submit your request through the same mechanisms available for exercising your ARCO Rights and/or revoking your consent.

On the website https://www.ferromex.com.mx/ (hereinafter, the "Website"), we use our own and third-party cookies to enhance your user experience. The information collected through the cookies mentioned in this section will provide the Controller with means to identify session, authenticate users, or store user preferences.

Furthermore, please be aware that you can disable the use of these cookies through:

Microsoft Edge

1. In the address bar, go to Settings and More (Alt+F).
2. Choose Settings.
3. Go to Site Permissions.
4. Click on Cookies and Site Data.
5. Disable the option Allow sites to save and read cookie data (recommended).
6. Close the settings window.

Chrome

1. Open Chrome.
2. At the top right, click More, then Settings.
3. Under "Privacy and security", click Cookies and other site data.
4. Click Block all cookies.

Firefox

1. Click the Firefox menu button and select Options.
2. On the left side, click on Privacy & Security.
3. In the Enhanced Tracking Protection section, click Custom.
4. Disable the Cookies option.

Safari

1. In Safari, click on Safari > Preferences.
2. In the Privacy & Security section, disable the option Block all cookies.

By navigating the website, we will assume that you consent to the use of cookies under the conditions specified in this privacy notice.

For any inquiries regarding the protection of your Personal Data, please contact the Privacy Officer of the Controller, who is the designated person to handle and process any requests regarding personal data and for the exercise of your ARCO Rights (located at the Controller's address) or you can send an email to datospersonales@gmxt.mx ensuring confirmation of receipt via telephone. Additionally, you can reach us at +52 55 5246 3700 from Monday to Friday, 8:00 am to 6:00 pm (Central Mexico Time).

The Controller reserves the right to update and/or modify the terms of this privacy notice at any time, in response to legislative developments, internal policies, or new requirements for the provision or offering of our products or services and market practices. These modifications or updates will be made available to the public through this medium. You may request the most updated Privacy Notice from the Controller via email at  datospersonales@gmxt.mx .