Privacy Notice
Effective date: April 20, 2026
Data controller: Francisco Javier Vera Gómez (Persona física con actividad empresarial y profesional), Mexican tax ID (RFC) VEGF911128LR4, with domicile at Puebla, Puebla, C.P. 72190, México, holder of the trademark Moradas App (registration IMPI 2416686). Referred to as "Moradas," "we," "us," or "our."
Privacy contact: [email protected]
This Privacy Notice is issued under the Mexican Federal Law on the Protection of Personal Data Held by Private Parties ("LFPDPPP"), its Regulations and the Privacy Notice Guidelines. It describes how we collect, use, disclose, transfer and retain your personal data when you use Moradas's services, including our mobile application, backend services, hardware access controllers and marketing website (collectively, the "Service").
By using the Service you acknowledge that you have read and understood this Privacy Notice. If you do not agree, please do not use the Service.
This English version is a convenience translation. The authoritative version is in Spanish; in the event of any discrepancy, the Spanish version prevails.
1. Who this Notice applies to
This Notice applies to:
- Website visitors who browse our site or submit inquiries.
- End users — residents, property managers, security guards, staff, and other individuals — who use the Moradas mobile app and related services.
- People whose data is submitted by others, such as guests added through visitor passes or residents added by administrators.
If you use Moradas through a property or community that administers your account (an "Administrator"), that Administrator may control certain settings and may have access to information associated with your account in accordance with their own policies. The Administrator acts as an independent data controller with respect to information it submits about third parties; Moradas acts as a data processor in that relationship under Article 49 of the LFPDPPP Regulations.
2. Personal data we process
A. Data you provide
- Identification and contact data: name, phone number, language preference and, where applicable, email, job title or profile photo.
- Communications and content: chat messages, announcements, documents, images or other files submitted through the Service.
- Guest and visitor data: a guest's name and phone number when you create a visitor pass.
- Community data: community name or address when you create or join a community.
- Contact form submissions: name, email and message.
- Guard workflow data: details submitted when registering an access event.
B. Data collected automatically
- Device and technical data: device platform, app version and push notification tokens required to deliver notifications.
- Network and security data: IP addresses and request metadata, collected for security, abuse prevention and rate limiting.
- Crash and diagnostic data: error reports, performance metrics and device information. In production, our mobile app may use session replay tools to help diagnose issues; session replay may capture interactions such as taps and navigation. We apply reasonable controls to limit the capture of sensitive information in diagnostic data.
C. Permission-based data
- Camera: to scan QR codes for access control.
- Contacts: to select a guest's phone number when creating a visitor pass. We do not upload or store your contact list.
- Location (while in use): for community features such as discovery and verification. We do not continuously or background-track your location.
- Bluetooth: for hardware controller setup and offline access features.
- Photos and files: to upload images or documents.
You may deny or revoke these permissions at any time from your device settings. Some features may not work without them.
D. Data generated through use of the Service
- Access control records: entry and exit events, outcomes and related metadata.
- Billing records: charges, payments, balances and statements generated within the Service.
- Reservation records: facility bookings.
- Community and moderation records: membership status, invitations and moderation actions.
E. Sensitive personal data
As a general rule, we do not request or process sensitive personal data as defined in Article 3, section VI of the LFPDPPP. We do not collect biometric, health, ethnic origin, political opinion, religious belief or sexual orientation data. If we later introduce features that involve sensitive data (for example, optional facial recognition), we will request your express written consent before collecting it and this Notice will be updated accordingly.
3. Purposes of processing
A. Primary purposes (necessary to provide the Service)
These purposes give rise to and are necessary for the legal relationship between you and Moradas. You cannot opt out of these purposes without discontinuing use of the Service:
- Authenticating you via one-time code (OTP) sent to your phone number.
- Creating, operating and maintaining your account and profile.
- Operating access control, visitor passes, communications, billing records, reservations, community features and guard workflows.
- Maintaining audit and security logs, and preventing abuse, fraud and unauthorized access.
- Responding to inquiries and providing technical support.
- Complying with applicable legal obligations (tax, administrative, judicial and data protection).
B. Secondary purposes (not necessary to provide the Service)
- Sending informational communications or product updates that may be of interest to you.
- Performing aggregated statistical analysis to improve reliability and performance.
If you do not want your data used for these secondary purposes, email [email protected] with the subject "Objection to secondary purposes." Your objection will not result in denial of the Service or termination of our relationship.
4. Information submitted by Administrators
Administrators and authorized staff may add or update information about other individuals (residents, personnel or guards) to operate their property or community, including names, phone numbers and unit or residence details.
If you are an Administrator, you represent and warrant that you have the legal authority and consents required under the LFPDPPP to submit such data to Moradas and make it available within the Service. Moradas processes that data under the Administrator's instructions, as a data processor under Article 3, section IX of the LFPDPPP.
If you believe your data was submitted without authorization or is inaccurate, contact your property or community Administrator first. You may also contact us at [email protected].
5. Data transfers
Moradas may transfer your personal data to the following third parties, exclusively for the purposes stated:
| Recipient | Country | Purpose |
|---|---|---|
| Fly.io, Inc. | United States (IAD region, N. Virginia) | Backend and database hosting |
| Twilio Inc. | United States | Delivery of OTP codes via SMS and WhatsApp |
| Stripe Payments México, S. de R.L. de C.V. | Mexico | Payment processing |
| Apple Inc. / Google LLC | United States | Push notification delivery to iOS/Android devices |
| Competent authorities | Mexico and applicable jurisdictions | Compliance with duly founded legal requests |
Under Articles 36 and 37 of the LFPDPPP, your consent is not required for the transfers listed above, as they are necessary to maintain or fulfill the legal relationship between you and Moradas, or are made to affiliates under common policies, or are required by law. Recipients are bound by contractual confidentiality and data-processing obligations consistent with this Notice.
We do not sell personal data.
6. How to exercise ARCO rights
You have the right to Access, Rectify, Cancel or Object to the processing of your personal data (ARCO rights), as well as to limit the use or disclosure of your data and to revoke any consent you may have granted.
To exercise any of these rights, send a request to [email protected] including:
- Full name and a contact channel for our response.
- A document proving your identity (valid official ID) or, where applicable, legal representation of the data subject.
- A clear, precise description of the data concerned and the specific right you wish to exercise.
- Any other element that helps locate the data.
We will respond within a maximum of 20 business days from receipt of your request, and will give effect to our determination within the following 15 business days, pursuant to Article 32 of the LFPDPPP. The procedure is free; we may charge only justified shipping or reproduction expenses.
If you believe your data protection rights have been violated, you may file a complaint with the National Institute for Transparency, Access to Information and Personal Data Protection (INAI) at home.inai.org.mx.
7. Choices and controls within the Service
- Notification preferences: manage categories in the app and disable push notifications at the operating system level.
- Device permissions: grant, deny or revoke camera, contacts, location, Bluetooth and file permissions from system settings.
- Profile: update certain profile information in the app.
- Account deletion: request account deletion by writing to [email protected].
8. Data retention
We retain personal data only for the time strictly necessary to fulfill the purposes of processing and applicable legal obligations:
| Data type | Retention period | Basis |
|---|---|---|
| Account (name, phone, email) | While the account is active, plus 90 days after a deletion request | Service continuity and handling of requests |
| Access records (entry/exit events) | 12 months from the event | Audit and security dispute resolution |
| Chat messages | While the account is active; 90 days after closure | Product operation |
| Payment records, billing and CFDI | 5 years | Article 30 of the Mexican Federal Fiscal Code |
| Administrative audit logs | 5 years | Tax compliance and dispute support |
Once these periods elapse, data is blocked and subsequently deleted, or de-identified for aggregate statistical purposes.
9. Security measures
We apply reasonable administrative, technical and physical measures to protect personal data against damage, loss, alteration, destruction or unauthorized processing, including access controls, encryption in transit (TLS), credential encryption and cryptographic signatures for access-control flows. No system is infallible; you use the Service accepting the inherent risks of internet transmission.
In the event of a security breach that significantly affects your rights, we will notify you without undue delay, pursuant to Article 20 of the LFPDPPP, so you may take appropriate measures.
10. Cookies and similar technologies
Our website may use cookies and similar technologies strictly necessary for its operation (for example, to remember your language preference). You can configure your browser to block or delete cookies; certain features may not work properly as a result. The mobile app does not use advertising cookies or cross-app tracking identifiers.
11. Minors
The Service is not directed to persons under 18 years of age and we do not knowingly collect personal data from minors. If a minor uses the Service with the authorization of a parent or legal guardian, the adult is responsible for the use of the Service and for any data provided. If you believe a minor has provided data without their guardian's consent, write to [email protected] and we will delete it.
12. Changes to this Privacy Notice
We may update this Notice to reflect legal, operational or Service changes. The current version will be available on our website at all times. Where changes are material, we will notify you by a reasonable means (email, in-app notification or prominent site notice) at least 15 calendar days before the changes take effect.
13. Authoritative version
This Notice is originally issued in Spanish, which is the legally authoritative version. Translations into other languages are provided for convenience only. In the event of any discrepancy, the Spanish version prevails.
14. Contact
For any request, complaint or exercise of ARCO rights related to this Notice:
Francisco Javier Vera Gómez
Persona física con actividad empresarial y profesional
RFC: VEGF911128LR4
Address: Puebla, Puebla, C.P. 72190, México
[email protected]
You may also review our Terms of Service.