Preamble
Modo Agrario S.A., CUIT (Argentine tax ID) 30-71711149-0, with registered offices at Campos Salles 1300, C1429, Autonomous City of Buenos Aires, Argentine Republic (Parque de Innovación | +54Lab) (hereinafter, "Modo Agrario", the "Platform", or "we"), is the owner and controller responsible for the processing of personal data collected through its sites, applications, digital services, and microsites.
Modo Agrario operates a B2B marketplace for agro-industrial commodities (grains: seeds, cereals, pulses and derivatives, flours) that connects buyer users and seller users (producers, grain storage facilities/aggregators, cooperatives, mills, exporters). Modo Agrario acts as a digital facilitator: it is not a party to the transactions concluded between users, does not represent any of the parties, and does not guarantee the quality, identity, or fulfillment of the users' obligations to one another. The Platform operates in two markets: Argentine domestic and export / international, and uses artificial intelligence agents to detect opportunities, verify and display certifications, and connect supply and demand.
This Privacy Policy describes how Modo Agrario collects, uses, retains, transfers, and protects the personal data of the persons who use the Platform (hereinafter, the "Users" or the "Data Subject"). Use of the Platform implies knowledge and acceptance of this Policy. If the User does not agree with it, they must refrain from using the services.
This Policy is supplemented by the Terms and Conditions of Modo Agrario and, depending on the User's jurisdiction, by the Jurisdiction-Specific Provisions contained in Annexes A through E. In the event of a conflict between the main body (global core) and an Annex applicable to the User, the Annex shall prevail to the extent it is more protective of the Data Subject under mandatory local law.
1. Privacy policy
1.1 Commitment
Modo Agrario undertakes to protect the privacy of Users and to process their personal data in accordance with applicable law. As an entity incorporated and domiciled in the Argentine Republic, Modo Agrario's originating legal basis is Law No. 25,326 on the Protection of Personal Data and its implementing regulations, as well as the provisions of the Agency for Access to Public Information (Agencia de Acceso a la Información Pública, AAIP).
Notwithstanding the foregoing, and given that the Platform operates in international markets, Modo Agrario seeks to observe the protection standards applicable in the jurisdictions where its Users reside, under the terms detailed in the Annexes to this Policy.
1.2 Scope
This Policy applies to all personal data that Modo Agrario processes in connection with:
- The registration and management of User accounts (including multi-user accounts / teams).
- The publication, search, and negotiation of requests for quotation (RFQ) and available lots (SPOT), including the recording of each round of offer and counteroffer (see Sections 1.5.2 and 1.5.bis-A).
- The confirmation, execution, and traceability of operations, including the automatic cascade closing of parallel proposals upon confirmation of an operation (see Section 1.5.3).
- The use of Platform features, including the operation chat, mutual ratings, address georeferencing, and automated processing by AI agents.
- Navigation across Modo Agrario's sites, applications, and microsites.
- Commercial, support, and service communications.
- User authentication in other products of the Modo ecosystem when using their Modo Agrario account as a sign-in mechanism (see Sections 1.5.8 and 1.6.5).
This Policy does not apply to the processing that each User carries out on their own account regarding their counterparty's data, nor to third-party sites or services linked from the Platform, which are governed by their own policies.
1.3 User rights
The User, in their capacity as Data Subject, has the right to access, rectify, update, delete and, where applicable, object to the processing of their personal data, as well as to the expanded rights recognized by the laws of their jurisdiction (portability, enhanced erasure, restriction, human review of automated decisions, opt-out of sale/sharing, among others). The exercise of these rights is detailed in Sections 3, 4, and 10 and in the Annexes.
1.4 Supervision
In the Argentine Republic, the supervisory authority for personal data protection is the Agency for Access to Public Information (AAIP), before which the Data Subject may file claims. In other jurisdictions, the competent supervisory authority is the one indicated in the respective Annex, including: the supervisory authorities of the EU/EEA Member States; in California, the enforcement authority (the California Privacy Protection Agency — abbreviated CPPA, not to be confused with the CCPA, which is the statute) and the California Attorney General; the ANPD of Brazil; and the CAC of China.
1.5 Purposes of processing
Modo Agrario processes personal data for the following purposes:
- Account management and authentication. To create, verify, administer, and deactivate User accounts; to manage sign-in, identity verification, and tax validation. In Argentina, identity verification includes the validation of the CUIT before ARCA (formerly AFIP) through the agency's web services (WSAA + SOAP); in that context, Modo Agrario processes and temporarily retains the tax data and the receipts/tickets from the agency's response in order to avoid re-queries and to evidence the validation (see Section 1.5.1-A and the retention periods in Section 8.bis).
- Marketplace operation and negotiation. To enable the publication, search, matching, negotiation, and confirmation of RFQs, SPOTs, and operations between Users, including the recording of each round of offer and counteroffer (see Section 1.5.2).
- Confirmation and closing of operations (cascade). To process the confirmation of a proposal, which triggers the automatic closing of the parallel proposals linked to the same listing and the creation of the Operation, as well as the notification of the involved counterparties (see Section 1.5.3).
- Multi-user accounts and teams. To manage the membership of users within an account, their roles (administrator, trader, buy operator, sell operator, viewer), and email invitations.
- Automated processing by artificial intelligence agents. To process data of Users, listings, and operations through AI agents in order to detect commercial opportunities, suggest counterparties, verify and display certifications, and connect supply and demand. These features constitute assistance tools and are governed by the provisions of Section 1.7.
- Georeferencing and logistics. To geolocate (latitude/longitude) the addresses entered by Users in order to calculate distances and logistics costs and to enrich listings and operations. To this end, the addresses and/or coordinates may be communicated to third-party geocoding and routing services (see Section 1.6.2). This involves the processing of location data.
- Operation chat. To enable and retain the messages exchanged between the parties to an operation, for purposes of delivery coordination, traceability, and security.
- Mutual ratings. To manage the ratings that buyer and seller mutually award one another after an operation, which are public and collaborative in nature, and to display them in accordance with the moderation rules and the complaint procedure set forth in the Terms and Conditions (see Section 1.5.7-A).
- Centralized identity / single sign-on (SSO). To allow the User to use their Modo Agrario account to authenticate in other products of the Modo ecosystem (e.g., Modo Scoring —available only to companies domiciled in Argentina—, Modo Máquinas, Modo Comex), which involves the communication of identity data among such products (see Section 1.6.5).
- Traceability, fraud prevention, and security. To record activity, prevent, detect, and investigate misuse, fraud, or breaches, and to comply with information security obligations.
- Service and commercial communications. To send operational notifications and, subject to opt-out rules, commercial communications.
- Support and assistance. To respond to inquiries, complaints, and requests for the exercise of rights.
- Legal compliance. To comply with tax, accounting, and regulatory obligations and with requirements of the competent authority.
- Microsites. To publish public pages of agro-industrial companies with information of a public nature.
- Improvement and analytics. To analyze the use of the Platform in order to improve products and services, in aggregated or pseudonymized form where possible.
1.5.1-A Identity verification and tax data (ARCA / formerly AFIP)
Within the framework of the account management purpose (Section 1.5.1), and for Data Subjects whose tax validation is carried out in Argentina, Modo Agrario obtains and processes data originating from a public agency —ARCA (formerly AFIP)— through its web services (WSAA authentication and SOAP queries). The data so obtained (among them, the confirmation of the CUIT, the tax status, and the other data from the agency's response) and the query receipts/tickets are retained on a temporary basis for purposes of evidencing the validation and avoiding unnecessary re-queries to the agency, in accordance with the periods indicated in Section 8.bis.
1.5.2 Multi-round negotiation and offer traceability
The Platform supports negotiation between Users under two modalities:
- RFQ (request for quotation): negotiation of up to four (4) rounds of offer and counteroffer before closing.
- SPOT (available lot): direct purchase (buyDirect modality) or counteroffer with a maximum of two (2) rounds.
Each round of offer and counteroffer —including proposed prices, conditions, deadlines, and associated notes— is recorded and retained as part of the traceability of the negotiation, in order to document the history of the operation, prevent fraud, and enable the exercise of rights and the resolution of any disputes. The retention periods are indicated in Section 8.bis.
1.5.3 Operation confirmation and cascade closing
When a User confirms a proposal, the Platform creates the corresponding Operation and automatically closes the parallel proposals associated with the same listing that were not selected (cascade mechanism). This process involves the processing of data of the non-selected counterparties and their notification that their proposal has been closed. Such notifications and the record of the closing serve the purposes of operation traceability, transparency toward participants, and marketplace security.
1.5.7-A Public nature of mutual ratings
The ratings that buyer and seller mutually award one another after an operation (Section 1.5, purpose 8) are public and collaborative in nature: they form part of the Platform's reputation system and may be viewed by other Users. Modo Agrario displays them in accordance with the moderation rules and the complaint procedure established in the Terms and Conditions, to which reference is made. A Data Subject who considers that a rating is inaccurate, abusive, or harmful may initiate that complaint procedure.
1.6 Transfer of data (local and international)
Modo Agrario may transfer or communicate personal data, to the extent necessary for the purposes described and in accordance with applicable law, to:
- The counterparty of an operation or negotiation, to the extent necessary to conclude and execute the transaction (e.g., legal/corporate name, operational contact details, delivery/pickup address, operation chat messages, ratings and, where applicable, the cascade-closing notification of non-selected proposals).
- Vendors and data processors that provide services to Modo Agrario, under contract with confidentiality and security obligations. These include, by way of example: cloud infrastructure; email messaging and notifications; electronic signature; identity validation; information and background sources; analytics; and geocoding and logistics routing services (e.g., geocoding services of the Nominatim type and route- and distance-calculation services of the OSRM type), to which addresses and/or coordinates are communicated in order to calculate distances and logistics costs.
- Competent authorities, where there is a legal obligation or a valid request.
- Third parties in the context of corporate transactions (reorganization, merger, acquisition), with safeguarding of confidentiality.
- Other products of the Modo ecosystem, within the framework of single sign-on (SSO): when the User uses their Modo Agrario account to authenticate in other products of the ecosystem (Modo Scoring, Modo Máquinas, Modo Comex, among others), Modo Agrario —in its capacity as identity / OAuth provider— communicates to such products the identity data necessary for authentication and account attribution (see Section 1.6.5). Modo Scoring is available exclusively to companies domiciled in the Argentine Republic; Modo Agrario does not communicate data of Users domiciled in other jurisdictions to it.
International transfers of data —including those resulting from hosting on international infrastructure (see Section 9)— are carried out only where there is an adequate level of protection or where the applicable safeguard mechanisms have been implemented (standard contractual clauses, security assessments, certifications, or others) as described in Section 9 and in the corresponding Annexes.
1.6.5 Centralized identity and single sign-on (SSO)
The Modo Agrario account may be used as an identity mechanism to access other products of the Modo ecosystem. When the User opts for this feature, Modo Agrario acts as an identity provider (OAuth) and communicates to the corresponding product the necessary identity data (e.g., account identifier, account data, and role). This communication is limited to what is necessary for the authentication and operation of the destination product, and each product of the ecosystem processes the data so received in accordance with its own privacy policy. A User who does not wish for this linkage may refrain from using the Modo Agrario account as a means of access to other products.
Modo Scoring. Among the ecosystem products accessible via SSO is Modo Scoring, a product of Modo Agrario SA aimed at credit and reputational risk assessment, available exclusively to companies domiciled in the Argentine Republic. Modo Agrario does not communicate identity data to Modo Scoring regarding Users domiciled outside Argentina. For Users covered by it, such communication may include, in addition to identity data, the financial and credit information referred to in Section 1.5 (purpose 1) and in the Terms and Conditions (clause 2.4 bis).
1.7 Automated processing and artificial intelligence agents
- Assistance nature. The suggestions, recommendations, opportunity detections, and other results produced by the Platform's AI agents constitute assistance tools. They do not constitute commercial, financial, legal, or any other type of advice, nor any guarantee as to the suitability, outcome, or success of an operation. The decision to contract, negotiate, or close an operation always rests with the User.
- Verification of certifications. Modo Agrario verifies and displays the certifications of agro-industrial companies to the extent reasonably possible, but does not guarantee the validity, authenticity, or absolute truthfulness of the certifications displayed. The User must carry out their own due diligence before contracting.
- Automated decisions and human review. Where applicable law so requires, the Data Subject has the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect them, and to request human intervention, express their point of view, and contest the decision. The scope of this right is detailed, where applicable, in the Annexes (in particular, Annex B — European Union, art. 22 GDPR; Annex D — China, PIPL; and other applicable regimes).
- Impact assessments. Given that automated processing by AI agents, combined with geolocation and the profiling of counterparties, may entail risks to the rights of Data Subjects, Modo Agrario assesses whether to carry out data protection impact assessments (DPIA) where applicable law so requires or where advisable due to the nature of the processing (see Section 8.1 and, for the EU/EEA, Annex B).
2. Ownership and responsibility for the information
2.1 Truthful information
The User is solely responsible for the truthfulness, accuracy, currency, and authenticity of the data they provide to the Platform, both their own and that of third parties they enter (e.g., contact details of members of their team). The User undertakes to keep their data up to date.
2.2 Warranty of authorization
When the User provides personal data of third parties (for example, by inviting members to their account or by entering operational contact details), they warrant that they have sufficient authorization and/or legal basis to communicate such data to Modo Agrario for the purposes of this Policy, and that they have informed such third parties about the processing. The User shall hold Modo Agrario harmless, to the maximum extent permitted by applicable law, against claims arising from the breach of this warranty.
3. User rights and age
3.1 Persons over 18 years of age
The Platform is a B2B service directed exclusively at persons over 18 years of age with the legal capacity to contract and/or at legal entities represented by persons of legal age. By registering, the User declares that they meet this requirement.
3.2 No collection of minors' data
Modo Agrario does not intentionally collect personal data of minors under 18 years of age. The Platform is not directed at minors.
3.3 Deletion of minors' data
If Modo Agrario becomes aware that it has collected data of a minor without the proper authorization, it will proceed to delete it as soon as possible.
3.4 Communication by parents or guardians
Parents, guardians, or legal representatives who notice that a minor in their care has provided data to the Platform may report it to soporte@modoagrario.com so that it may be deleted.
3.5 Right to object
The Data Subject has the right to object, in whole or in part and on legitimate grounds, to the processing of their personal data, as well as to object to the sending of commercial communications (see Section 4.2). The exercise of this right may entail the impossibility of continuing to provide certain services.
3.6 Rights of access, rectification, update, and cancellation (ARCO)
The Data Subject has the right to:
- Access: to know what personal data about them Modo Agrario processes, for what purpose, and to whom it is communicated.
- Rectification and update: to correct inaccurate or outdated data.
- Cancellation / erasure: to request the deletion of their data where appropriate under the law, without prejudice to the legally required retention periods (e.g., tax obligations, operation traceability, or defense of rights; see Section 8.bis).
- Objection: under the terms of Section 3.5.
In the Argentine Republic, the exercise of the right of access is free of charge at intervals of no less than six months, except where a legitimate interest is demonstrated, in accordance with Law No. 25,326. The applicable legal response periods in Argentina are indicated in Section 10 and in Annex A.
Expanded rights by jurisdiction. Depending on the Data Subject's residence, additional rights recognized by local laws may apply, including: portability and erasure ("right to be forgotten") (Annex B — GDPR; Annex E — LGPD); restriction of processing (Annex B); opt-out of the sale or sharing of personal information and limitation on the use of sensitive information (Annex C — CCPA/CPRA); and separate consent and specific rights regarding automated processing (Annex D — PIPL). The procedure for exercising these rights is detailed in Section 10 and in each Annex.
4. Transfer of personal data
4.1 Purpose
The transfers and communications of data described in Section 1.6 are carried out solely for the purposes indicated therein and subject to the applicable legal basis according to the Data Subject's jurisdiction (see Annexes). Modo Agrario does not transfer personal data for purposes incompatible with those for which it was collected.
4.2 Commercial communications (opt-out)
Modo Agrario may send commercial communications about its products and services. The Data Subject may object at any time and free of charge to receiving them, by means of the unsubscribe mechanism included in each communication or by writing to soporte@modoagrario.com. Unsubscribing from commercial communications does not affect the sending of operational or service communications necessary for the provision of services.
In the Argentine Republic, the Data Subject may register in the National "Do Not Call" Registry (Registro Nacional "No Llame") and exercise the rights provided for in data protection and fair-trade regulations. In other jurisdictions, the electronic marketing rules described in the Annexes apply.
4.3 Revocability and adequate international transfers
Where the processing or a transfer is based on the consent of the Data Subject, they may revoke it at any time, without retroactive effect on the processing already carried out. International transfers of data are carried out only to jurisdictions with an adequate level of protection or under the applicable safeguard mechanisms (standard contractual clauses, security assessments, certifications), in accordance with Section 9 and the Annexes.
5. Microsites
5.1 Objective
Modo Agrario offers microsites: public pages of agro-industrial companies intended to give visibility to their activity, products, and data of a public nature within the marketplace ecosystem.
5.2 Information displayed
Microsites may display information of a public nature, such as CUIT (or equivalent tax identifier), legal/corporate name, activities, products, and certifications. Modo Agrario does not publish on microsites any sensitive data or personal data that is not of a public nature or that is not necessary for the purpose of the microsite.
5.3 Privacy commitment
Modo Agrario processes microsite information respecting the principles of purpose, proportionality, and minimization, and applies the security measures described in Section 8.
5.4 Sources
Microsite information may come from the agro-industrial company itself, from information declared by the User, and/or from publicly accessible sources and information providers (see, for Argentina, the sources indicated in Annex A, such as NOSIS and BCRA).
5.5 Deletion or modification requests
Requests for the deletion or modification of the information displayed on a microsite may be directed to info@modoagrario.com. Modo Agrario will assess the request in accordance with the public or private nature of the information and the applicable legal obligations.
5.6 Security
Microsite information is covered by the Platform's security measures (see Section 8).
5.7 Breach of terms
Modo Agrario may suspend or take down a microsite that violates the Terms and Conditions, this Policy, or applicable law, or that contains false, unlawful, or rights-infringing information.
6. Cookies
6.1 What cookies are
Cookies are small files stored on the User's device when navigating the Platform, which make it possible to recognize the device, remember preferences, and analyze the use of the service. Along with cookies, Modo Agrario may use similar technologies (local storage, pixels, identifiers).
6.2 Purposes
Modo Agrario uses:
- Strictly necessary cookies: essential for the functioning, authentication, and security of the Platform.
- Preference cookies: to remember the User's settings.
- Analytics cookies: to measure and improve the use of the Platform.
- Marketing cookies (where applicable and with the applicable legal basis): to display relevant communications.
In jurisdictions that so require (e.g., EU/EEA and the United Kingdom), non-essential cookies are installed only with the prior consent of the User, obtained through the Platform's cookie management mechanism (see Annex B).
6.3 Browser configuration
The User may configure, restrict, or block cookies through their browser options. Blocking necessary cookies may affect the functioning of the Platform.
6.4 Third-party cookies
Certain features may incorporate third-party cookies (e.g., analytics or maps). Such cookies are governed by the policies of the respective third parties.
6.5 Private mode
The User may use their browser's private/incognito browsing mode to limit the storage of cookies during the session.
6.6 Management and revocation
The User may modify or revoke their cookie preferences at any time through the Platform's cookie settings panel and/or their browser.
7. Modifications to the Policy
7.1 Power to modify
Modo Agrario may modify this Policy to adapt it to legislative, regulatory, technological, or business changes.
7.2 Notification
Substantial changes will be notified to Users by reasonable means (e.g., notice on the Platform or email) with reasonable advance notice of their effective date.
7.3 Effectiveness
The version in force will always be the one published on the Platform, with an indication of its date of last update.
7.4 Acceptance
Continued use of the Platform after the effective date of a modification implies knowledge of the new version. Where applicable law so requires, the Data Subject's consent will be obtained anew.
7.5 History
Modo Agrario will endeavor to retain a reference to prior versions of this Policy. This version replaces the one dated November 16, 2024.
8. Security measures
8.1 Commitment
Modo Agrario implements technical and organizational measures that are reasonable and appropriate to the state of the art to protect personal data against loss, misuse, unauthorized access, alteration, and disclosure. These include: encryption of data in transit through secure protocols (SSL/TLS) and, where applicable, at rest; role-based access control; authentication; activity logs; audits and periodic security reviews; and, where the nature of the processing warrants it or applicable law so requires, the carrying out of data protection impact assessments (DPIA) —in particular with respect to automated processing by AI agents, geolocation, and the profiling of counterparties (see Sections 1.7.4 and, for the EU/EEA, Annex B)—.
8.2 Limitations
No system is absolutely secure. Although Modo Agrario applies reasonable measures, it cannot guarantee the absolute security of the information transmitted or stored.
8.3 Security incidents and breach notification
To the maximum extent permitted by applicable law, Modo Agrario shall not be liable for unauthorized access or incidents that occur despite the implementation of reasonable security measures. This limitation does not reach the mandatory legal liability that, in its capacity as data controller, corresponds to Modo Agrario under data protection or consumer protection rules that do not allow waiver or limitation (e.g., the security duties and the consequences provided for under GDPR, LGPD, or other applicable regimes). Notwithstanding the foregoing, in the event of a security incident affecting personal data, Modo Agrario will take the corresponding containment and remediation actions and will notify the competent supervisory authority and/or the affected Data Subjects within the periods and under the conditions required by the law applicable to each jurisdiction (see Annexes), keeping an internal record of the incident.
8.4 User responsibility
The User is responsible for maintaining the confidentiality of their access credentials and for all activity carried out with their account. They must immediately notify Modo Agrario of any unauthorized use or suspected compromise of their account at soporte@modoagrario.com. The User must likewise adopt reasonable security measures on their own devices.
8.bis Data retention periods
8.bis.1 General criterion
Modo Agrario retains personal data only for as long as necessary to fulfill the purposes for which it was collected (Section 1.5) and, thereafter, for the periods required by applicable legal obligations (tax, accounting, and regulatory), by the traceability of operations, and by the potential defense of rights against claims or disputes. Once such periods have elapsed, the data is deleted or anonymized / pseudonymized so that it no longer allows identification of the Data Subject.
8.bis.2 Criteria by data category
By way of guidance, and without prejudice to the mandatory periods of each jurisdiction (see Annexes) and the adjustments determined by the corresponding legal counsel, Modo Agrario applies the following criteria:
| Data category | Retention criterion |
|---|---|
| Account and team data (multi-user, roles, invitations) | While the account is active and for the legal period following its deactivation for the defense of rights. |
| Negotiation rounds (RFQ and SPOT offers and counteroffers) | While the negotiation is ongoing and, after its closing, for the period of traceability and limitation of any claims. |
| Operations and their documentation | For the period required by tax, accounting, and traceability obligations (typically the applicable legal period for retention of commercial documentation). |
| Cascade-closing notifications (non-selected proposals) | For the traceability period of the operation to which they are linked. |
| Operation chat messages | For the period necessary for the coordination, traceability, and security of the operation, and the defense of rights. |
| Mutual ratings | While they form part of the public reputation system, without prejudice to the moderation and complaint procedures. |
| Location data (addresses and coordinates) | While necessary for the logistics of active operations and for the subsequent traceability period. |
| Tax validation data (ARCA) and receipts/tickets | On a temporary basis, for the period necessary to evidence the validation and avoid re-queries, without prejudice to legal retention obligations. |
| Activity and security records (logs) | For the period necessary for security, fraud prevention, and compliance purposes. |
8.bis.3 Annexes
The specific periods required by each jurisdiction are detailed, where applicable, in the Annexes (in particular, Annex B.7 for the EU/EEA).
9. Storage and international transfer
9.1 International servers
Personal data is hosted and processed on server infrastructure that may be located outside the User's country of residence. Modo Agrario uses cloud hosting infrastructure (as of the reference date of this document, the Platform's environment runs on Amazon Web Services (AWS) servers; ). Consequently, the provision of the service may involve international transfers of data.
9.2 Protection
International transfers are carried out safeguarding an adequate level of data protection, through the selection of providers that offer sufficient guarantees and the implementation of the corresponding contractual and technical mechanisms.
9.3 Consent and legal basis
Where applicable law so requires, international transfers are carried out on the basis of the consent of the Data Subject or of another valid legal basis, as detailed in the Annexes.
9.4 Additional measures and transfer mechanisms
Depending on the jurisdiction of origin of the data, Modo Agrario implements the required transfer mechanisms, including: standard contractual clauses (SCC) for transfers from the EU/EEA (Annex B); assessment of the applicable cross-border transfer mechanisms under PIPL for data from China, including the security assessment or the standard contract where applicable (Annex D); and the guarantees required under LGPD for data from Brazil (Annex E). Likewise, it may adopt supplementary technical measures (pseudonymization, encryption, and access controls) where necessary.
10. Contact and exercise of rights
The Data Subject may exercise their rights and make inquiries or complaints through the following channels:
| Subject | |
|---|---|
| Personal data and Data Subject rights (ARCO and expanded rights) | soporte@modoagrario.com |
| Complaints and notifications | reclamos@modoagrario.com |
| Microsites (deletion/modification of information) | info@modoagrario.com |
| Billing and payments | pagos@modoagrario.com |
To exercise their rights, the Data Subject must verify their identity by reasonable means.
Response periods. Modo Agrario will respond to requests within the periods established by the law applicable to each jurisdiction (see Annexes) and, where such law does not set a specific period, within a reasonable period not exceeding 15 (fifteen) business days. Where applicable law sets shorter periods or ones more favorable to the Data Subject, such periods shall prevail. In particular, in the Argentine Republic, Law No. 25,326 sets shorter legal periods —ten (10) calendar days for the right of access and five (5) business days for rectification, update, or deletion—, which prevail over the general period indicated in this Section (see Annex A.4). The right of access, in Argentina, is free of charge at intervals of no less than six months, except where a legitimate interest is demonstrated (Sections 3.6 and Annex A.4).
Domicile of the controller: Modo Agrario S.A., Campos Salles 1300, C1429, Autonomous City of Buenos Aires, Argentina. In the Argentine Republic, the Data Subject may also file complaints before the Agency for Access to Public Information (AAIP).
11. Intellectual property of the Policy
This document, its structure, drafting, and content are the property of Modo Agrario S.A. and are protected by applicable intellectual property regulations (in Argentina, Law No. 11,723). Its total or partial reproduction for commercial purposes is prohibited without the prior written authorization of Modo Agrario, without prejudice to the User's right to keep a copy for their personal information.
JURISDICTION-SPECIFIC PROVISIONS
The following provisions supplement the global core of this Policy and apply to Data Subjects according to their residence or according to the jurisdiction whose regime is applicable to the processing. In the event of a conflict with the main body, the Annex prevails to the extent it is more protective of the Data Subject under mandatory local law. In any matter not expressly governed by an Annex, the laws of the Argentine Republic —the country of domicile and incorporation of Modo Agrario SA— apply on a default (supplementary) basis, without prejudice to the mandatory data protection rules of the Data Subject's jurisdiction that cannot be excluded by agreement of the parties.
Annex A — Argentina
(Jurisdiction of origin — full provisions)
A.1 Legal framework
The processing of personal data of Data Subjects in the Argentine Republic is governed by Law No. 25,326 on the Protection of Personal Data, its implementing Decree, and the provisions of the Agency for Access to Public Information (AAIP), the competent supervisory authority. Also applicable are the National Civil and Commercial Code (Código Civil y Comercial de la Nación) and Law No. 11,723 on intellectual property.
A.2 Controller
Data controller: Modo Agrario S.A., CUIT 30-71711149-0, with registered offices at Campos Salles 1300, C1429, Autonomous City of Buenos Aires.
A.3 Legal bases and consent
The processing is based, as the case may be, on the free, express, and informed consent of the Data Subject, on the performance of the contractual relationship with the User, on compliance with legal obligations, and on the legitimate interest of Modo Agrario, under the terms of Law No. 25,326. Consent may be revoked in accordance with Section 4.3.
A.4 Data Subject rights and legal periods
The Data Subject may exercise the rights of access, rectification, update, and deletion provided for in Law No. 25,326, as well as the right to object. The legal response periods in Argentina are as follows and prevail over the general period in Section 10 as they are more favorable to the Data Subject:
- Access: the controller must satisfy the request within ten (10) calendar days of its receipt (art. 14, Law No. 25,326). The right of access is free of charge at intervals of no less than six months, except where a legitimate interest is demonstrated.
- Rectification, update, or deletion: must be carried out within five (5) business days of receipt of the request (art. 16, Law No. 25,326).
Requests are channeled in accordance with Section 10 (soporte@modoagrario.com).
A.5 Supervisory authority
The Data Subject may file complaints or claims before the Agency for Access to Public Information (AAIP), without prejudice to the corresponding judicial actions (habeas data action).
A.6 Delivery terms (domestic market)
For operations of the Argentine domestic market, the delivery terms used on the Platform correspond to local practice: at-farm (puesto campo), delivered-to-plant (entregado planta), at-elevator (puesto elevador), and FAS port (FAS puerto), among others. These terms are distinguished from the Incoterms applicable to international trade / export (see Annexes B through E and the export section of the Terms and Conditions). The global core of this Policy contemplates the coexistence of both schemes according to the market of the operation.
A.7 Vendors and sources in Argentina
In the context of local operation, Modo Agrario may rely on:
- Electronic signature: provided by Contractia S.R.L., CUIT 30-71683658-0.
- Tax identity validation: ARCA (formerly AFIP), through its web services (WSAA + SOAP), as the public agency of origin of the tax data (see Section 1.5.1-A).
- Information and background sources: NOSIS and BCRA (Central Bank's Debtors Registry), among other publicly accessible or lawful sources.
- Geocoding and logistics routing: geocoding and route/distance calculation services (e.g., Nominatim and OSRM), in accordance with Section 1.6.2.
- Arbitration: disputes may be submitted, where so agreed, to the Arbitration Tribunal of the Argentine Chamber of Commerce (CEMARC), in accordance with the Terms and Conditions.
- Hosting: cloud infrastructure (currently Amazon Web Services — AWS; see Section 9.1).
A.8 International transfers from Argentina
International transfers of data from Argentina are carried out in accordance with Law No. 25,326 and the provisions of the AAIP, to jurisdictions with an adequate level of protection or under the corresponding contractual safeguards.
Annex B — European Union / European Economic Area (GDPR)
B.1 Legal framework
Processing subject to Regulation (EU) 2016/679 (GDPR) and the national implementing legislation of each Member State, as well as Directive 2002/58/EC (ePrivacy) regarding cookies and electronic communications.
B.2 Legal bases (art. 6 GDPR)
Modo Agrario processes personal data on the basis of: performance of a contract (art. 6.1.b); consent (art. 6.1.a), e.g., for non-essential cookies and certain communications; legal obligation (art. 6.1.c); and legitimate interest (art. 6.1.f), subject to a documented balancing test (LIA), e.g., for fraud prevention, security, and B2B prospecting.
B.2.bis Mapping of purposes and legal bases
The following table details, for each of the purposes described in Section 1.5 of the global core, the applicable legal basis under article 6.1 of the GDPR. For comparative purposes, the equivalent legal hypothesis under article 7 of the Brazilian LGPD is also included (see Annex E.2.bis). Where more than one basis is indicated for the same purpose, this is because the purpose may rest, depending on the particular aspect of the processing in question, on alternative or concurrent bases (e.g., a primary basis of performance of a contract and a residual basis of legitimate interest for the ancillary security or transparency aspects of the same purpose).
| # | Purpose (Section 1.5) | Legal basis — GDPR (art. 6.1) | Legal hypothesis — LGPD (art. 7) |
|---|---|---|---|
| 1 | Account management and authentication (incl. CUIT validation before ARCA) | Performance of contract (6.1.b) — account opening and administration; legal obligation (6.1.c) — identity verification and tax validation required to operate the marketplace | Execução de contrato (inc. V); cumprimento de obrigação legal ou regulatória (inc. II) |
| 2 | Marketplace operation and negotiation (RFQ/SPOT) | Performance of contract (6.1.b) | Execução de contrato (inc. V) |
| 3 | Confirmation and closing of operations (cascade) | Performance of contract (6.1.b); legitimate interest (6.1.f) — notification to non-selected counterparties and transparency of the process | Execução de contrato (inc. V); legítimo interesse (inc. IX) |
| 4 | Multi-user accounts and teams | Performance of contract (6.1.b) | Execução de contrato (inc. V) |
| 5 | Automated processing by AI agents | Performance of contract (6.1.b) — to the extent it forms part of the contracted service; legitimate interest (6.1.f), subject to a documented balancing test (LIA) — opportunity detection and counterparty suggestion. Where there is a decision based solely on automated processing with legal or significant effects, the safeguards of art. 22 GDPR additionally apply (see Annex B.4) | Execução de contrato (inc. V); legítimo interesse (inc. IX) |
| 6 | Georeferencing and logistics | Performance of contract (6.1.b) | Execução de contrato (inc. V) |
| 7 | Operation chat | Performance of contract (6.1.b) — delivery coordination; legitimate interest (6.1.f) — traceability and security, including retention after the operation closes | Execução de contrato (inc. V); legítimo interesse (inc. IX) |
| 8 | Mutual ratings | Performance of contract (6.1.b) — Platform reputation feature; legitimate interest (6.1.f) — integrity and trust of the marketplace | Execução de contrato (inc. V); legítimo interesse (inc. IX) |
| 9 | Centralized identity / SSO with other Modo products | Performance of contract (6.1.b) — feature activated at the data subject's request; consent (6.1.a) — the linkage is optional and revocable | Execução de contrato (inc. V); consentimento (inc. I) |
| 10 | Traceability, fraud prevention, and security | Legitimate interest (6.1.f); legal obligation (6.1.c) where information security regulations apply | Legítimo interesse (inc. IX); cumprimento de obrigação legal ou regulatória (inc. II) |
| 11 | Service and commercial communications | Service: performance of contract (6.1.b). Commercial: consent (6.1.a) or legitimate interest (6.1.f) for B2B prospecting, depending on the national legislation of each Member State (ePrivacy) and always subject to opt-out — | Service: execução de contrato (inc. V). Commercial: consentimento (inc. I) or legítimo interesse (inc. IX), as the case may be |
| 12 | Support and assistance | Performance of contract (6.1.b); legal obligation (6.1.c) where the inquiry concerns the exercise of rights | Execução de contrato (inc. V); cumprimento de obrigação legal ou regulatória (inc. II) |
| 13 | Legal compliance | Legal obligation (6.1.c) | Cumprimento de obrigação legal ou regulatória (inc. II) |
| 14 | Microsites | Legitimate interest (6.1.f) — dissemination of public information about the agro-industrial company; consent (6.1.a) where the content includes personal data of the microsite owner that does not come from a public source | Legítimo interesse (inc. IX); consentimento (inc. I), where applicable |
| 15 | Improvement and analytics | Legitimate interest (6.1.f), on aggregated or pseudonymized data; consent (6.1.a) for non-essential cookies/analytics tools, in accordance with the ePrivacy Directive (see Section 6) | Legítimo interesse (inc. IX); consentimento (inc. I), where applicable to non-essential cookies/analytics |
None of the fifteen purposes rests on the data subject's vital interest (art. 6.1.d) or on the performance of a task carried out in the public interest or in the exercise of official authority (art. 6.1.e), bases that are not applicable to Modo Agrario's private commercial activity.
B.3 Data subject rights
The data subject has the right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection, as well as the right to withdraw consent at any time and not to be subject to automated individual decisions (art. 22). Response period: one month, extendable by two additional months depending on complexity.
B.4 Automated decisions and impact assessments (arts. 22 and 35 GDPR)
Where there are decisions based solely on automated processing —including profiling— that produce legal effects or significantly affect the data subject, the latter has the right to obtain human intervention, to express their point of view, and to contest the decision. Modo Agrario will provide information about the logic applied and the consequences envisaged.
Reasoned determination (art. 22.1 GDPR). Modo Agrario has assessed its current artificial intelligence features —detection of supply-and-demand matching opportunities, certification verification, and counterparty connection— in light of art. 22.1 GDPR, and concludes that none of them constitutes, in its current design, a "decision based solely on automated processing... which produces legal effects concerning the data subject or similarly significantly affects him or her". This determination is based on the following:
- The outputs of the AI agents (counterparty recommendations, opportunity alerts, certification verification) operate as informational input within the Platform, not as a binding automatic resolution.
- The decision to contract —that is, the act that generates the relevant legal effect, the perfection of an Operation between a Buyer User and a Seller User— is always made by a human person, through their own affirmative action (publishing, quoting, negotiating, accepting, confirming), without the system executing, approving, or denying it autonomously.
- Modo Agrario does not, as of the date hereof, automate decisions such as the approval or rejection of accounts, the blocking of operations, the binding setting of price, or credit scoring with a direct effect on the data subject without human intervention.
Accordingly, art. 22 GDPR does not, strictly speaking, apply to Modo Agrario's current AI features. Nevertheless, given that the processing involves the profiling of counterparties combined with geolocation at scale —a criterion encompassed among the high-risk cases under art. 35.3.a GDPR—, Modo Agrario will likewise assess whether to carry out a DPIA (art. 35 GDPR) for risk-management reasons, irrespective of the absence of ADM within the meaning of art. 22 (see also Sections 1.7.4 and 8.1).
Review caveat. This determination must be reassessed if, in the future, Modo Agrario automates any decision with a binding legal effect without substantive human intervention (e.g., automatic approval or deactivation of accounts, automatic blocking of operations, or automatic and binding setting of commercial conditions). Should that occur, the safeguards of art. 22.3 GDPR must be implemented and the corresponding DPIA completed.
B.5 International transfers
Argentina has held, since 2003, an adequacy decision of the European Commission (Decision 2003/490/EC, of June 30, 2003, issued under Directive 95/46/EC and kept in force under the GDPR pursuant to its art. 45.9). This decision was confirmed in the first periodic review of adequacy decisions carried out by the European Commission (Report of January 15, 2024, on eleven adequacy decisions adopted under Directive 95/46/EC, including Argentina), which concluded that Argentina continues to offer an adequate level of protection —with follow-up recommendations regarding pending legislative reforms in this area—. As of the reference date of this document (June 30, 2026), the adequacy decision regarding Argentina is in force.
Accordingly:
- The transfer of personal data of Data Subjects located in the EU/EEA to Modo Agrario S.A. in Argentina (as data controller) is directly covered by art. 45 GDPR (transfer based on an adequacy decision), without the need for Standard Contractual Clauses (SCC) or a Transfer Impact Assessment (TIA) for that specific leg.
- The leg corresponding to Modo Agrario's infrastructure providers, in their capacity as data processors, is different (see Section 9.1 on the hosting provider). To the extent that processing or storage takes place at data centers located outside Argentina and outside a country with an adequacy decision, that leg constitutes an onward transfer requiring its own Chapter V GDPR mechanism. The applicable module would be Module 2 (Controller → Processor) of the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of June 4, 2021, together with the corresponding TIA (an assessment, under the standard set by the CJEU in Schrems II, of the surveillance legislation of the destination country) and the supplementary measures already implemented by Modo Agrario (encryption in transit and at rest, role-based access control — see Section 8).
- Modo Agrario will seek to formalize with its infrastructure provider the Data Processing Addendum incorporating the applicable SCC 2021/914 (Module 2).
B.6 DPO and EU representative
Art. 27 GDPR requires controllers and processors not established in the EU to designate, in writing, a representative in the Union where the processing is subject to the GDPR by virtue of art. 3.2 —that is, where (i) goods or services are offered to Data Subjects located in the EU (regardless of whether payment is required), or (ii) their behavior is monitored to the extent that such behavior takes place within the EU—. The obligation admits a narrow exception (art. 27.2.a): it does not apply where the processing is merely occasional, does not include large-scale processing of special categories of data or data relating to criminal convictions, and is unlikely to result in a risk to the rights and freedoms of natural persons; the three requirements are cumulative, and the European Data Protection Board (EDPB) interprets them restrictively: a recurring commercial relationship with EU Data Subjects —even if low-volume— typically does not qualify as "occasional".
Separately, art. 37 GDPR requires the appointment of a Data Protection Officer (DPO) where the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data.
Pending action by Modo Agrario. It is necessary to assess, with actual operational data —volume of Buyer/Seller Users actually located in the EU/EEA, the recurrence of that activity, and whether the Platform actively targets that market (language, currency, targeted marketing)— whether Modo Agrario is covered by art. 3.2 GDPR and, if so, whether the exception under art. 27.2.a applies or whether it is necessary to appoint an EU representative (and, depending on the volume and nature of the processing, to assess the appointment of a DPO under art. 37).
B.7 Retention
Without prejudice to the general retention criteria by data category set forth in Section 8.bis of the global core, and in application of the principle of storage limitation (art. 5.1.e GDPR), Modo Agrario proposes, for EU/EEA Data Subjects, the following indicative periods by category:
- Account/profile data (identification, contact details, credentials): for as long as the account remains active, plus an additional period of up to 24 months from deactivation or inactivity, for purposes of reactivation, fraud prevention, and handling of complaints, unless the Data Subject requests earlier deletion under Section 10.
- Transaction and commercial traceability data (RFQ, SPOT, proposals, Operations, billing): retained for the general commercial limitation period of five (5) years (art. 2560, Argentine National Civil and Commercial Code) and, with respect to receipts and records with accounting/tax relevance, for ten (10) years from the last entry or from the date of the receipt (art. 328, National Civil and Commercial Code).
- Operation chat messages: retained for the same period as the Operation to which they are linked, as they constitute evidence of traceability, security, and fraud prevention between the parties.
- Geolocation/location data: retained while the address remains active on the Data Subject's account or is necessary for an ongoing Operation; coordinates associated with a completed Operation are retained together with the record of that Operation; absent a link to an Operation, a purge or anonymization period of 12 to 24 months from the last update is suggested.
- Marketing/commercial prospecting data: retained while the Data Subject's legitimate interest or consent subsists, with deletion after 24-36 months of inactivity, or immediately upon the exercise of the right to object or to withdraw consent.
B.8 Supervisory authority
Modo Agrario does not have a main establishment in the European Union (its sole establishment is located in Argentina), and therefore the lead supervisory authority mechanism under art. 56 GDPR —applicable only to controllers or processors with a main or sole establishment within the EU— does not apply to Modo Agrario.
Instead, under the general competence rules of arts. 55 to 57 GDPR, each supervisory authority of the Member State of the Data Subject's habitual residence, place of work, or place of the alleged infringement has jurisdiction to hear the complaints filed by that Data Subject against Modo Agrario, with no single "lead" authority centralizing the procedure. In practice, this means that an EU Data Subject may direct their complaint to the supervisory authority of their own Member State of residence (e.g., the AEPD in Spain, the CNIL in France, the Garante in Italy, as applicable), without prejudice to the cooperation and mutual assistance mechanisms among supervisory authorities provided for in Chapter VII GDPR.
Annex C — United States (CCPA / CPRA and state laws)
C.1 Legal framework
Processing of California residents subject to the California Consumer Privacy Act (CCPA) —the statute—, as amended by the California Privacy Rights Act (CPRA), whose enforcement authority is the California Privacy Protection Agency (CPPA) —the authority—, with powers shared, in certain cases, with the California Attorney General. (Note the difference between CCPA = statute and CPPA = supervisory authority.)
Other state laws in force (beyond California). As of June 30, 2026, in addition to California, the following U.S. states have comprehensive consumer privacy laws in force or with an imminent effective date (indicative list, subject to verification and periodic updating with U.S. counsel, given that the state landscape continues to expand):
| State | Law | Effective date |
|---|---|---|
| Virginia | Virginia Consumer Data Protection Act (VCDPA) | 1/1/2023 |
| Colorado | Colorado Privacy Act (CPA) | 7/1/2023 |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | 7/1/2023; recognition of universal opt-out signals (GPC) in force since 1/1/2025; enhanced protections for minors effective 7/1/2026 |
| Utah | Utah Consumer Privacy Act (UCPA) | 12/31/2023 |
| Texas | Texas Data Privacy and Security Act (TDPSA) | 7/1/2024 |
| Oregon | Oregon Consumer Privacy Act (OCPA) | 7/1/2024 |
| Florida | Florida Digital Bill of Rights (FDBR) — scope limited to very-high-revenue businesses and other specific thresholds | 7/1/2024 |
| Montana | Montana Consumer Data Privacy Act (MCDPA) | 10/1/2024 |
| Iowa | Iowa Consumer Data Protection Act (ICDPA) | 1/1/2025 |
| Delaware | Delaware Personal Data Privacy Act (DPDPA) | 1/1/2025 |
| Nebraska | Nebraska Data Privacy Act (NDPA) | 1/1/2025 |
| New Hampshire | New Hampshire Data Privacy Act | 1/1/2025 |
| New Jersey | New Jersey Data Privacy Act (NJDPA) | 1/15/2025 |
| Tennessee | Tennessee Information Protection Act (TIPA) | 7/1/2025 |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA) | 7/31/2025 |
| Maryland | Maryland Online Data Privacy Act (MODPA) | 10/1/2025 |
| Indiana | Indiana Consumer Data Protection Act | 1/1/2026 |
| Kentucky | Kentucky Consumer Data Protection Act (KCDPA) | 1/1/2026 |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) | 1/1/2026 |
| Arkansas | Arkansas Digital Responsibility, Safety, and Trust Act (ADRSTA) | 7/1/2026 |
B2B vs. consumer distinction. Most of these laws —following the so-called "Virginia model"— define "consumer" as a resident natural person acting solely in an individual or household context, expressly excluding a natural person acting in a commercial or employment context. Given that Modo Agrario is a B2B marketplace —Users act as representatives of a legal entity or as merchants/producers in the exercise of their economic activity—, a large part of the data processed on the Platform could fall outside the scope of these "Virginia model" state laws. The most relevant exception is California: the original CCPA's "B2B" and "employee" exemptions expired on January 1, 2023, together with the full entry into force of the CPRA, so the CCPA/CPRA does currently reach B2B contacts and employee data of California residents, without the commercial/employment carve-out that Virginia and most other states retain.
"Highest common denominator" policy. Given (i) the number and heterogeneity of state regimes, (ii) that Modo Agrario cannot always determine with certainty the state of residence of each natural person interacting with the Platform, and (iii) that a state-by-state threshold analysis for each processing activity is operationally unworkable, Modo Agrario adopts as a matter of policy applying the most protective available standard uniformly to all U.S. Users, rather than limiting rights and opt-out mechanisms only to residents of the state that strictly requires them.
C.2 Consumer rights
The consumer has the right to: know / access the personal information collected; delete personal information; correct inaccurate information; opt out of the sale or sharing ("Do Not Sell or Share My Personal Information"); and limit the use and disclosure of sensitive personal information. Modo Agrario will not discriminate against the consumer for exercising these rights. Response period: 45 days, extendable by an additional 45 days.
C.3 "Do not sell or share" and opt-out
Based on the business model of Modo Agrario described in this Policy (Sections 1.6 and 4) —a B2B transaction fee (1% on the seller side in Argentina) and an international subscription, without the sale of personal data in exchange for monetary or other consideration to third parties, and without cross-context behavioral advertising or the exchange of data with advertising networks or data brokers—, Modo Agrario determines that, as of the reference date of this document, it does not engage in the "sale" or "sharing" of personal information within the meaning of the CPRA (Cal. Civ. Code § 1798.140). The third-party vendors that receive personal information in the course of providing the service (cloud infrastructure hosting — see Section 9.1 —, geocoding and routing providers, messaging and notifications, analytics tools) act, in principle, as "service providers" subject to limited contractual instructions, and not as recipients of a "sale" or "sharing".
Notwithstanding this determination, and as a preventive practice, Modo Agrario:
- Will make available the "Do Not Sell or Share My Personal Information" link (or its Spanish-language equivalent) in the Platform's footer for U.S. Users, together with the corresponding opt-out mechanism.
- Will recognize and honor Global Privacy Control (GPC) signals issued by the User's browser as a valid request to opt out of sale/sharing, without requiring additional confirmation steps.
- Will reassess this determination if, in the future, it modifies its analytics, marketing, or advertising infrastructure in a manner that involves the transmission of personal information to third parties for cross-context behavioral advertising purposes, or any form of consideration in exchange for personal data.
C.4 Categories of data
As required by the CPRA (Cal. Civ. Code § 1798.100 and § 1798.130), Modo Agrario discloses below the categories of personal information it collects from U.S. Users (including, where applicable due to the absence of the B2B exclusion explained in C.1, business contacts and counterparty representatives), cross-referenced with their sources and the business purposes described in Section 1.5 of this Policy:
| Category (CPRA, Cal. Civ. Code § 1798.140(v)(1)) | Examples at Modo Agrario | Source | Business purpose |
|---|---|---|---|
| Identifiers | name, email, telephone, account identifier, IP address, user/cookie identifier | Provided directly by the User upon registration; generated by the Platform | Account management and authentication (Section 1.5); centralized identity / SSO with Modo Scoring, Modo Máquinas, and Modo Comex (Section 1.6.5) |
| Commercial information | history of RFQs, SPOTs, proposals, negotiations, and Operations; delivery terms; amounts and commodities traded | Generated by the User through use of the Platform | Marketplace operation, multi-round negotiation, and confirmation of Operations (Sections 1.5.2–1.5.3) |
| Geolocation data | coordinates (lat/lng) of pickup/delivery addresses, calculated using third-party geocoding and routing services | Provided by the User (declared address) and calculated by geocoding/routing providers | Logistics and distance calculation between counterparties (georeferencing) |
| Professional or employment-related information | CUIT/tax identifier, role within the Account (buyer/seller), position within the team, declared certifications | Provided by the User; validated against official sources (e.g., ARCA/formerly AFIP for Argentine Users) | Identity verification and account enablement; team and role management |
| Internet or network activity | interaction with the Platform, operation chat messages, site usage history | Automatically generated through use of the Platform | Traceability of the operation chat (security and fraud prevention); service improvement |
| Inferences | recommendations of commercial opportunities, detection of potential counterparties, ratings derived from behavior on the Platform | Generated by Modo Agrario's artificial intelligence agents based on the foregoing categories | Detection of opportunities, verification of certifications, and supply/demand connection through AI, always with a final human decision (Section 1.7) |
C.5 Sensitive personal information
The CPRA defines a closed catalog of "sensitive personal information" (Cal. Civ. Code § 1798.140(ae)), which includes —among other categories— government-issued identification document numbers, account access credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the content of private communications, genetic or biometric data, health information, and data concerning sex life or sexual orientation.
Based on the business model described in this Policy, Modo Agrario does not collect or process, in the ordinary course of the Platform, any of the typical "consumer" categories of sensitive personal information. Likewise, the financial and credit data that Modo Agrario shares with, or receives from, NOSIS and the BCRA (Section 1.6) correspond, in general, to the risk assessment of legal entities or of the Account as a business entity —not of a natural person acting as a consumer—, and therefore would not, on their own, constitute "sensitive personal information" within the meaning of the CPRA, except in the case of a financial account number combined with its access code or password, a scenario that Modo Agrario does not collect through these sources.
As a caveat, two scenarios are identified for confirmation with U.S. counsel:
- Account access credentials. The username and password (or OTP) that the User uses to authenticate on the Platform could, in a literal sense, fall within the CPRA category of "credentials that permit access to an account".
- Precise geolocation. The coordinates calculated for pickup/delivery addresses generally identify the commercial domicile of the Account (farm, storage facility, plant) and not the location of an individually identified natural person.
Annex D — China (PIPL)
D.1 Legal framework
Processing of persons in the People's Republic of China subject to the Personal Information Protection Law (PIPL), in force since November 2021, and supplementary regulations of the Cyberspace Administration of China (CAC).
D.2 Bases and separate consent
The PIPL requires, in numerous cases, separate consent (specific and differentiated consent), in particular for: the processing of sensitive personal information, the cross-border transfer of personal information, and the use of automated decisions. Modo Agrario will obtain such separate consent where applicable.
D.3 Cross-border transfer
Transfers of personal information outside China must be covered by one of the three mechanisms set forth in the PIPL and its implementing regulations issued by the Cyberspace Administration of China (CAC): the Measures for the Security Assessment of Cross-Border Data Transfers (CAC, Jul. 2022, in force since Sep. 2022), the Measures on the Standard Contract for the Export of Personal Information (CAC, Feb. 2023, in force since Jun. 2023), and the Provisions on Promoting and Regulating the Cross-Border Flow of Data (CAC, in force since Mar. 22, 2024, which raised the original 2022/2023 thresholds):
- CAC security assessment — a mandatory mechanism where the controller: transfers "important data"; qualifies as a critical information infrastructure operator (CIIO); transfers non-sensitive personal information of more than 1,000,000 data subjects; or transfers sensitive personal information of more than 10,000 data subjects, cumulatively since January 1 of the current calendar year.
- Personal information protection certification — certification issued by a professional institution accredited by the CAC.
- Standard Contract of the CAC — a form contract, in the format prescribed by the CAC, executed with the overseas recipient and filed with the provincial CAC office. This is the route envisaged for controllers with limited data volumes — analogous, in its logic, to the EU's standard contractual clauses (Annex B).
Thresholds in force (March 2024 Provisions): below 100,000 data subjects of non-sensitive information (with no "important data" and no CIIO status), none of the three mechanisms is required (de minimis exception, which does not extend to sensitive information); between 100,000 and 1,000,000 non-sensitive data subjects, or any volume up to 10,000 sensitive data subjects, a Standard Contract or Certification is required; above those volumes, or upon transfer of "important data" or CIIO status, a security assessment is required.
Categorical exceptions independent of volume. The March 2024 Provisions (art. 5) further provide for exceptions that operate irrespective of the volumetric threshold, including the transfer of data necessary for the conclusion or performance of a contract to which the data subject is a party (e.g., cross-border purchase, delivery, or payment). Given Modo Agrario's profile as a B2B platform that facilitates sale and purchase contracts between parties, this exception could apply to a significant portion of transfers, even above the de minimis threshold.
Modo Agrario is a niche B2B platform, with a volume of users and counterparties located in China foreseeably well below the thresholds that trigger the mandatory security assessment. Within that framework, the CAC Standard Contract is proposed as the default mechanism, subject to periodic reassessment of the actual volume.
D.4 Local representative or entity
Art. 53 PIPL requires every controller located outside China, where covered by the law's extraterritorial effect (art. 3.2 PIPL) —that is, where it processes personal information of natural persons located in China for the purpose of (i) offering them products or services, or (ii) analyzing or evaluating their behavior—, to designate a specialized entity or a representative within China responsible for personal information protection matters, and to communicate its name and contact details to the competent authority. Unlike the transfer mechanisms in section D.3, this obligation does not depend on the volume of data processed: it applies by the mere fact of offering products or services to persons located in China.
D.5 Sensitive data and rights
The Data Subject has the right of access, rectification, deletion, and portability, and to obtain an explanation of the processing rules. The processing of sensitive data requires a specific purpose, sufficient necessity, and reinforced protection measures.
Annex E — Brazil and Latin America (LGPD and LATAM framework)
E.1 Brazil — Legal framework
Processing of persons in Brazil subject to the General Personal Data Protection Law (Lei Geral de Proteção de Dados — LGPD — Law 13,709/2018), under the supervision of the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD).
E.2 Legal bases
The processing is based on one of the legal bases of the LGPD (art. 7 and, for sensitive data, art. 11), including: consent, performance of contract, compliance with a legal obligation, legitimate interest, and credit protection.
E.2.bis Mapping of purposes and legal bases (LGPD)
For each purpose described in Section 1.5 of the global core, the applicable legal hypothesis under art. 7 of the LGPD is as follows (see the comparative detail with the GDPR in Annex B.2.bis):
- Account management and authentication (CUIT/ARCA) — execução de contrato (inc. V) and cumprimento de obrigação legal ou regulatória (inc. II).
- Marketplace operation and negotiation — execução de contrato (inc. V).
- Confirmation and closing of operations (cascade) — execução de contrato (inc. V) and legítimo interesse (inc. IX).
- Multi-user accounts and teams — execução de contrato (inc. V).
- Automated processing by AI agents — execução de contrato (inc. V) and legítimo interesse (inc. IX).
- Georeferencing and logistics — execução de contrato (inc. V).
- Operation chat — execução de contrato (inc. V) and legítimo interesse (inc. IX).
- Mutual ratings — execução de contrato (inc. V) and legítimo interesse (inc. IX).
- Centralized identity / SSO — execução de contrato (inc. V) and consentimento (inc. I).
- Traceability, fraud prevention, and security — legítimo interesse (inc. IX) and cumprimento de obrigação legal ou regulatória (inc. II).
- Service and commercial communications — execução de contrato (inc. V) for service communications; consentimento (inc. I) or legítimo interesse (inc. IX) for commercial communications.
- Support and assistance — execução de contrato (inc. V) and cumprimento de obrigação legal ou regulatória (inc. II).
- Legal compliance — cumprimento de obrigação legal ou regulatória (inc. II).
- Microsites — legítimo interesse (inc. IX) and, where applicable, consentimento (inc. I).
- Improvement and analytics — legítimo interesse (inc. IX) and, where applicable to non-essential cookies/analytics, consentimento (inc. I).
None of the fifteen purposes invokes the hypotheses of public policy by the public administration (inc. III), studies by a research body (inc. IV), regular exercise of rights in judicial, administrative, or arbitration proceedings (inc. VI), protection of life (inc. VII), health protection (inc. VIII), or credit protection (inc. X) — the latter could become relevant, as the case may be, if in the future the processing linked to financial background information between Users or to the integration with Modo Scoring is specifically documented.
E.3 Data subject rights
The data subject has the right to confirmation, access, correction, anonymization, blocking or deletion, portability, information about data sharing, and revocation of consent, in accordance with the LGPD.
E.4 Processor / Operator and Encarregado (DPO)
Modo Agrario acts as controller and/or operator as the case may be. The details of the role assignment —including the cases in which Modo Agrario acts as controller, the cases in which it does not act as a third party's operator, and the vendors that act as operators of Modo Agrario— are set out in the Terms and Conditions, Annex E.1, to which reference is made.
E.5 International transfers
International transfers from Brazil are carried out in accordance with the mechanisms provided for in the LGPD (adequacy, contractual clauses, specific guarantees).
E.6 Other Latin American countries
Various Latin American countries have local personal data protection laws. The applicable provisions for Mexico, Chile, Colombia, Peru, Uruguay, and Ecuador are detailed below (Sections E.7 through E.12). The User and Modo Agrario must, in addition, observe the local regulations of any other country in the region not included in this list that is applicable to a specific operation or Data Subject.
E.7 Mexico (LFPDPPP)
Law in force. The processing of personal data of Data Subjects domiciled in Mexico is governed by the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, LFPDPPP), published in the Federal Official Gazette (Diario Oficial de la Federación) on March 20, 2025 and in force since March 21, 2025, which fully replaced the homonymous 2010 law.
Supervisory authority. Following the dissolution of the National Institute for Transparency, Access to Information, and Protection of Personal Data (INAI) —decree published on December 20, 2024—, the functions relating to personal data held by private parties were assumed by the Anti-Corruption and Good Governance Secretariat (Secretaría Anticorrupción y Buen Gobierno, SABG).
Legal bases. The general rule is the consent of the Data Subject (express or implied depending on the type of data; express and in writing for financial or sensitive data), revocable at any time through a simple and free mechanism. The LFPDPPP also recognizes processing without consent where there is an obligation arising from a legal relationship between the Data Subject and the controller (a functional equivalent to "performance of contract") or where so provided by an applicable legal rule in a broad sense. Unlike the GDPR, Mexican law does not expressly contemplate "legitimate interest" as an autonomous basis; it operates on consent plus enumerated legal exceptions.
Data subject rights. The ARCO rights (access, rectification, cancellation, and objection) and the right to portability are recognized, in addition to the revocation of consent.
International transfers to Argentina. The LFPDPPP does not establish a closed list of "adequate" countries (unlike Colombia). Modo Agrario SA, domiciled in Argentina, may receive data transferred from Mexico provided it contractually assumes the same protection obligations set forth by the law and the principles disclosed in the privacy notice, which is implemented through this document and the corresponding contractual undertakings with the Mexican User.
Commerce/registration requirements. The LFPDPPP does not require the registration of private databases with a public registry. No specific commercial registration requirement was identified for the mere fact that a foreign B2B platform offers its service to companies domiciled in Mexico; any registration obligation unrelated to data protection must be assessed separately with local counsel.
E.8 Chile (Law 19,628 / Law 21,719)
Framework in force as of June 30, 2026. Chile is in a period of regulatory transition. Law No. 21,719, published on December 13, 2024, comprehensively reforms Law No. 19,628 on Protection of Private Life (1999) and creates a new supervisory authority, with full entry into force set for December 1, 2026. As of the reference date (June 30, 2026), Law 21,719 is not yet fully in force: the pre-reform regime of Law 19,628 continues to apply.
Supervisory authority. Until December 1, 2026, there is no autonomous, specialized supervisory authority; enforcement of Law 19,628 has historically been channeled through judicial proceedings (habeas data). As of that date, the Personal Data Protection Agency (Agencia de Protección de Datos Personales, APDP) is to assume that role. On May 20, 2026, the Senate rejected the slate of board members proposed by the Executive Branch to sit on its Governing Council, for failure to reach the required 2/3 quorum, which prevented the legal deadline of June 1, 2026 for its constitution from being met.
Legal bases. Under the regime in force as of 6/30/2026, the general basis is the consent of the Data Subject, with narrow legal exceptions. Law 21,719 will incorporate, upon its entry into force, six legal bases equivalent to those of the GDPR (consent, performance of contract, legal obligation, vital interest, public interest, and legitimate interest).
Data subject rights. The ARCO rights are recognized, expanded as of the entry into force of Law 21,719 with portability and the right to contest decisions based solely on automated processing.
International transfers to Argentina. Law 19,628, as currently in force, does not contain a specific regime for international transfers; Modo Agrario bases the transfer on the Data Subject's informed consent and on the necessity of the transfer for the commercial relationship, until Law 21,719 enters into force with its regime modeled on the European one (adequacy decision, SCC, or binding corporate rules before the APDP).
Commerce/registration requirements. Chilean regulations reach foreign controllers without a domicile in Chile that offer goods or services to persons located in the country, regardless of local physical presence. As of the entry into force of Law 21,719, the Register of Processing Activities (Registro de Actividades de Tratamiento, RAT) before the APDP will be required, as applicable.
E.9 Colombia (Law 1581 of 2012)
Law in force. The processing of personal data of Data Subjects domiciled in Colombia is governed by Statutory Law 1581 of 2012 (Habeas Data), regulated by Decree 1377 of 2013 (compiled in Single Regulatory Decree 1074 of 2015). A reform bill is pending before the legislature and has not been enacted as of the reference date.
Supervisory authority. The Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio, SIC), through its Delegation for the Protection of Personal Data.
Legal bases. The general rule is the Data Subject's prior, express, and informed authorization (art. 9, Law 1581), with enumerated exceptions analogous to "performance of contract" or "legal obligation" (art. 10). Unlike the GDPR, Colombian law does not recognize an autonomous legitimate-interest basis.
Data subject rights. Under art. 8, the Data Subject has the right to know, update, and rectify their data; request proof of the authorization; be informed; file complaints with the SIC; and revoke the authorization and/or request deletion.
International transfers to Argentina. Art. 26 of Law 1581 prohibits transferring data to countries without adequate levels of protection, except for a legal exception or a SIC Declaration of Conformity. The SIC maintains a list of countries with an adequate level that does not currently include Argentina, despite its EU adequacy decision dating from 2003. Modo Agrario SA bases the transfer from Colombia on the Data Subject's express and unequivocal consent, contractual necessity, or obtains a Declaration of Conformity or standard contractual clauses before the SIC.
Commerce/registration requirements. The National Database Registry (Registro Nacional de Bases de Datos, RNBD) before the SIC is mandatory (Decree 90 of 2018) for companies with assets exceeding 100,000 UVT; its applicability to a foreign company without a domicile in Colombia is not automatic and must be assessed case by case. The mere provision of a B2B digital service from abroad does not, in principle, constitute "permanent activity" within the meaning of art. 471 of the Commercial Code that would require the establishment of a branch.
E.10 Peru
Legal framework and supervisory authority. The processing of personal data of Data Subjects domiciled in Peru is governed by Law No. 29733 (2011) and its Regulations approved by Supreme Decree No. 016-2024-JUS (in force since March 30, 2025). The supervisory authority is the National Authority for the Protection of Personal Data (Autoridad Nacional de Protección de Datos Personales, ANPD-Peru) — not to be confused with the Brazilian ANPD (Section E.1). The law has extraterritorial scope: it reaches controllers without a domicile in Peru —such as Modo Agrario SA— that offer goods or services to Data Subjects located in its territory, requiring them to designate a representative in or for Peru.
Legal bases. General rule: prior, free, express, informed, and unequivocal consent. Exceptions: data from publicly accessible sources, contractual necessity, or legal mandate.
Data subject rights (ARCO). Access, rectification, cancellation (including the right to be forgotten), and objection, exercisable before the controller and, ultimately, before the ANPD-Peru.
International transfers to Argentina. Art. 15 of Law 29733 conditions cross-border flows on an adequate level of protection in the destination country. Argentina's Law No. 25,326 holds an EU adequacy decision since 2003 (revalidated in January 2024), a favorable element; it was not possible to confirm the existence of a public, closed list of "adequate" countries maintained by the ANPD-Peru equivalent to Uruguay's (E.11). As an alternative mechanism, Directorial Resolution No. 074-2022-JUS/DGTAIPD enabled the IberoAmerican Data Protection Network (RIPD) standard contractual clauses.
Commerce/registration requirements. An obligation to register every personal data bank in the National Registry for the Protection of Personal Data (Registro Nacional de Protección de Datos Personales, RNPDP) (via SIPDP), and to designate a personal data officer for large volumes or sensitive data. Failure to register is sanctionable as a serious infraction, with fines of up to 50 UIT under the regime in force since 2024.
E.11 Uruguay
Legal framework and supervisory authority. The processing of personal data of Data Subjects domiciled in Uruguay is governed by Law No. 18,331 (2008), amended by Law No. 19,670 (2018) and regulated by Decree No. 64/020 (2020). The supervisory authority is the Regulatory and Control Unit for Personal Data (Unidad Reguladora y de Control de Datos Personales, URCDP). Extraterritorial scope: controllers not established in Uruguay —such as Modo Agrario SA— that direct goods or services to its inhabitants must designate a representative domiciled in Uruguay, except where a legal exception applies.
Legal bases. General rule: free, prior, express, and informed consent. Exceptions: public information sources, exercise of State functions, legal obligation.
Data subject rights. Access (free of charge, every six months), rectification, update, deletion, and challenge of assessments, with the constitutional guarantee of habeas data.
International transfers to Argentina. Art. 23 of Law 18,331 prohibits, in principle, transfers to countries without adequate protection. The URCDP maintains an official list of adequate countries that expressly includes the Argentine Republic. Accordingly, transfers from Uruguay to Argentina may be carried out without a prior authorization procedure, provided the controller's database is registered with the URCDP. Of the jurisdictions in this section, Uruguay offers the most direct transfer mechanism toward Argentina.
Commerce/registration requirements. An obligation to register databases with the URCDP Registry, publish an accessible privacy policy, report security breaches, and, where applicable, appoint a data protection officer.
E.12 Ecuador
Legal framework and supervisory authority. The processing of personal data of Data Subjects domiciled in Ecuador is governed by the Organic Law on Protection of Personal Data (Ley Orgánica de Protección de Datos Personales, LOPDP) (May 26, 2021) and its General Regulations (November 13, 2023). The supervisory authority is the Superintendence for the Protection of Personal Data (Superintendencia de Protección de Datos Personales, SPDP). The LOPDP has extraterritorial scope: controllers without a domicile in Ecuador —such as Modo Agrario SA— that offer goods or services to persons in Ecuador must designate a special attorney-in-fact domiciled in Ecuador, registered with the SPDP.
Legal bases. Art. 7 of the LOPDP recognizes bases similar to the GDPR: consent, contractual performance, legal obligation, vital interests, public interest, and legitimate interest.
Data subject rights. Access, rectification and update, deletion (right to be forgotten), objection, and portability.
International transfers to Argentina. Through Resolution No. SPDP-SPD-2026-0004-R (January 28, 2026), the SPDP automatically recognizes as "adequate" the regime of the Andean Community (Comunidad Andina, CAN) —of which Argentina is not a member— and enables, as Annex I of that resolution, the RIPD standard contractual clauses as an appropriate safeguard for transfers to Argentina.
Commerce/registration requirements. The LOPDP provides for the registration of certain processing activities —and of the special attorney-in-fact— with the data protection registry administered by the SPDP, as well as the designation of a Data Protection Officer (DPO) for large-scale processing or processing of sensitive data.
Framework document of Modo Agrario S.A. — subject to review and validation by legal counsel licensed in each target jurisdiction before being used in production. Last updated: June 30, 2026. Replaces the version dated November 16, 2024.