Privacy Notice

1. Identity and Address of the Data Controller

In compliance with Mexico's Federal Law on Protection of Personal Data Held by Private Parties, published in the Diario Oficial de la Federación on March 20, 2025 (the "LFPDPPP"), the data controller is the individual Alexis Ulises Barba Pérez, operating under the trade name "Espres" (RFC: BAPA950302880), with address at Calle Ures #450, Tepic, Nayarit, C.P. 63058, México.

For any matter related to this Privacy Notice or the exercise of your rights, you may contact us at privacidad@espres.app.

2. Personal Data Collected

Espres collects, as data controller, the following categories of personal data: (a) identification and contact data: name, last name, email address, phone number; (b) professional profile data: company name, job title; (c) access and authentication data: IP address, device identifiers, session tokens; (d) location data: GPS coordinates captured exclusively during active use of the route tracking feature, and only with your prior explicit consent; (e) payment data: processed directly by Stripe — Espres does not store card numbers or CVV data; (f) service usage data: activity logs, configuration preferences, sales and inventory metadata entered by you.

Espres does not collect sensitive personal data as defined under the LFPDPPP.

3. Purposes of Processing

Personal data is used for the following primary purposes, necessary to provide the service: (a) creating and managing your account and organization; (b) processing transactions and managing your subscription; (c) providing technical support and customer service; (d) complying with applicable legal and regulatory obligations; (e) ensuring platform security and preventing fraud.

Data may also be used for the following secondary purposes, which are not necessary for the service but contribute to its improvement: (f) sending marketing communications about new features or plans, with the option to unsubscribe at any time; (g) performing aggregated and anonymous usage pattern analysis to improve the product.

If you do not wish your personal data to be processed for the secondary purposes described above, you may express this by sending an email to privacidad@espres.app with the subject "Objection to secondary purposes" within five (5) business days of receiving this Notice.

4. Disclosures and Transfers of Personal Data

Espres discloses your personal data to the following processors, who process it on Espres's behalf and under contract: (a) Supabase Inc. — database infrastructure and authentication; (b) Stripe, Inc. — payment processing and subscription management; (c) Resend Inc. — sending transactional emails; (d) Vercel Inc. — web application hosting; (e) Google LLC — geocoding and maps services (for the customer address feature only); (f) Facturapi S.A. de C.V. (Phase 2) — issuance of digital tax receipts (CFDI) for users who request it; (g) Cloudflare, Inc. — network and security services.

These disclosures are necessary to provide the service and, under the LFPDPPP, do not require your consent; however, each processor is subject to contractual confidentiality and security obligations equivalent to those established in this Notice, even after the contractual relationship ends.

Espres does not sell, assign, or commercialize your personal data to third parties for advertising purposes.

5. International Data Transfers

Under the LFPDPPP, Espres informs you that your personal data may be disclosed to and stored on servers located in the United States of America through the infrastructure processors listed in the preceding section (Supabase on Amazon Web Services infrastructure, Vercel, among others). These disclosures to processors do not constitute transfers requiring your consent; they are governed by contracts that ensure conditions of protection equivalent to those provided under Mexican law.

Espres does not transfer your personal data to third parties acting as independent data controllers, except by legal obligation or duly grounded and motivated requirement from a competent authority.

6. ARCO Rights and How to Exercise Them

You have the right to Access, Rectify, Cancel, or Object (ARCO rights) to the processing of your personal data, in accordance with the LFPDPPP.

To exercise your ARCO rights, send a written request to privacidad@espres.app with the subject "ARCO Rights Request", including: (a) your full name and registered email address; (b) the right you wish to exercise; (c) a clear description of the data to which you are asserting the right; (d) a copy of a valid government-issued ID. You may also submit your request in writing at the controller's address indicated in section 1 of this Notice.

Espres will respond to your request within twenty (20) business days of receipt. If the request is approved, the changes will take effect within fifteen (15) business days after the response. Deadlines may be extended in accordance with the LFPDPPP when circumstances warrant.

7. Mechanism to Limit Use or Disclosure

In addition to ARCO rights, you may at any time request the limitation of use or disclosure of your personal data for secondary purposes (marketing, usage analytics), by sending an email to privacidad@espres.app with the subject "Limit data use".

You may also unsubscribe from our marketing communications directly via the "Unsubscribe" link included in every email we send you.

8. Security Breach Notification

In the event of a security breach that significantly affects your property or moral rights, Espres will inform you immediately — and in any event within the timelines established by applicable law and by the competent personal-data protection authority (currently the Secretaría Anticorrupción y Buen Gobierno) — about the nature of the incident, the data involved, and the corrective measures taken.

Notification will be made by email to the address registered on your account and, when the severity requires, through a notice on the platform.

9. Changes to the Privacy Notice

Espres may modify this Privacy Notice to reflect changes to the service, applicable law, or our data processing practices. Material changes will be communicated via email to the address registered on your account and published at espres.app/legal/privacidad at least fifteen (15) days before taking effect.

We recommend periodically reviewing this Notice. The date of the most recent update is indicated in the header of this document.