Compliance & Data Sources
Short version: we don't scrape. We serve public data that SUNAT and BCRP already publish. Here's exactly what we do, what we don't, and why.
Where the data comes from
| Endpoint | Source | Legal basis |
|---|---|---|
/pe/ruc/{ruc} |
SUNAT Padrón Reducido del RUC — official daily open-data release, ~384 MB ZIP. We download and re-index it daily. | Published under Peru's Ley de Transparencia y Acceso a la Información Pública (Ley 27806) and hosted on the national open-data portal. Commercial reuse explicitly permitted under Peru's Open Government Partnership commitment PE0062. |
/pe/fx/rates |
BCRP (Banco Central de Reserva del Perú) open JSON API — same SBS-sourced exchange rates. | Authoritative government-published statistical series, open API, no auth required. |
/pe/fx/indicators |
Stub in v1. Live implementation (BCRP indicator series) planned for v1.1. | Same as FX rates. |
/pe/seace/tenders |
Stub in v1. SEACE procurement data is open-government per Peru's SEACE regulations; v1.1 will ingest from their official feeds. | Open by law for government procurement. |
What we explicitly don't do
- No DNI / RENIEC / personal-identity lookups. Peru's Ley 29733 (personal data protection) requires authorization to resell DNI data commercially. We don't have that authorization and we won't operate without it. This is a hard line.
- No scraping of captcha-gated portals. SUNAT's e-consulta RUC portal added reCAPTCHA v3 in 2026; bypassing it could fall under Ley 30096 (delitos informáticos). We route around the problem by using the official padrón, which has no captcha because it's designed for distribution.
- No mass scraping of anyone's server. Our only recurring fetch is one daily download of SUNAT's own ZIP, and periodic polls of BCRP's public API. Both consistent with each service's intended distribution model.
Natural-person RUC masking
RUCs that start with 10 belong to natural persons (sole proprietors, in most
cases). Even though these appear in the public padrón, we mask the razon_social
field to "[natural person — masked]" before returning the record, as a
defence-in-depth measure against accidental PII leakage via our API. Business RUCs
(prefix 20 and others) return in full.
Customer responsibility
You remain responsible for compliance in your own jurisdiction. Specifically:
- If you re-display data to end-users in a regulated context (KYB, AML, account-opening), verify your regulator's requirements independently.
- If you process any data we return in a way that triggers Peru's Ley 29733 (e.g. combining our output with other data to identify natural persons), the processing obligations fall on you, not on us.
- If you use the data to make adverse decisions about individuals, comply with Peru's anti-discrimination and data-subject-rights rules.
Data freshness
The RUC padrón refreshes daily. Response bodies include fetched_at
(when our cache was populated) and stale: true if we had to serve a stale copy
because SUNAT's publication was unavailable that day. For sub-24h freshness needs, this API
is not the right tool.
Questions
Reach out at hello@latam-mcp.com. If you're a compliance officer reviewing this for your organization, I'm happy to get on a call and walk through the architecture.