MOBIPLAY
PRIVACY POLICY
Rideshare Digital Advertising Platform
Effective Date: [DATE]
Note: This English version is provided for convenience. In case of any conflict between the Spanish and English versions, the Spanish version shall prevail, as it constitutes the legally binding document under Mexican law.
Field | Information |
Legal Company Name | [COMPANY NAME], S.A.P.I. de C.V. |
RFC (Tax ID) | [RFC] |
Registered Address | [ADDRESS] |
Privacy Contact Email (ARCO Requests) | privacidad@[DOMAIN].com |
Website | https://[DOMAIN].com |
This Privacy Notice applies to the following categories of data subjects:
Companies or individuals who create an account on the platform, deposit funds, and configure digital advertising campaigns. By accepting these terms, the advertiser expressly consents to the processing of their data for the purposes described herein.
Individuals who install and host digital screens in their vehicles and participate as operators in the advertising network. Their relationship with [COMPANY NAME] is that of an independent contractor; however, their personal data is processed to manage the service, process payments, and fulfill legal obligations.
[COMPANY NAME] does not passively collect passenger data. The only information that may be processed is that generated when a passenger voluntarily chooses to scan a QR code displayed on an advertisement (e.g., IP address).
Any person — including employees and third-party service providers — who has access to personal data in the course of their duties is directly subject to the obligations of the LFPDPPP, regardless of whether they determine the purposes of the processing.
Data Type | Category | Collection Method | Consent Required? |
Representative first and last name | Identification | Account registration | Implied |
Account email address | Contact | Account registration | Implied |
Corporate email address | Contact | Account registration | Implied |
Phone number | Contact | Account registration | Implied |
Company name / legal entity name | Fiscal/Commercial | Account registration | Implied |
RFC validated by facturapi | Tax | Registration / facturapi integration | Implied |
Tax regime code (SAT) | Tax | Account registration | Implied |
CFDI Purpose (Uso CFDI) | Tax | Account registration | Implied |
Full billing address | Tax | Account registration | Implied |
Payment / card data (processed by Stripe) | Financial | Deposit portal (Stripe) | Express |
Campaign content and configuration | Commercial | Management platform | Implied |
IP address | Technical | Automatic system log | N/A (technical data) |
Platform activity logs | Technical | Automatic system log | N/A |
Documentation required by COFEPRIS or other authorities | Legal/Regulatory | Document upload | Implied |
Data Type | Category | Collection Method | Consent Required? |
First and last name | Identification | Registration process | Implied |
CURP (national ID number) | Personal ID | Registration process | Express |
RFC (tax ID) | Tax | Registration process | Implied |
INE / official ID number | Personal ID | Sumsub verification | Express |
Vehicle type, year, and license plate | Vehicle | Registration process | Implied |
Bank account details (CLABE, bank name) | Financial | Registration process | Express |
Tax regime code (SAT) | Tax | Registration process | Implied |
Device installation address (full address) | Location | Registration process | Implied |
GPS location of device (for reporting) | Technical location | Installed device | Express |
Phone number | Contact | Registration process | Implied |
Email address | Contact | Registration process | Implied |
Rideshare platform screenshots / profile reports | Verification | Document upload | Express |
Independent driver permits and insurance certificates | Legal | Document upload | Implied |
Vehicle insurance and registration | Legal/Vehicle | Document upload | Implied |
Proof of address | Identification | Document upload | Implied |
Vehicle photographs | Vehicle | Document upload | Implied |
Identity verified by Sumsub | Biometric ID | Sumsub verification flow | Express |
Data Type | Category | Collection Method | Consent Required? |
IP address | Technical | Voluntary QR code scan | Notice at point of interaction |
Additional data depending on QR destination | Variable | Voluntary user redirect | Per advertiser's policy |
Note: [COMPANY NAME] does not passively collect any data from passengers. Any data that may be generated occurs solely as a result of the passenger's voluntary action in scanning the QR code.
• Creating, managing, and maintaining accounts on the platform.
• Processing payments, managing account balance, and issuing tax invoices (CFDI) through facturapi.
• Configuring, launching, monitoring, and optimizing advertising campaigns.
• Compliance with tax obligations before SAT (Article 30-B of the Federal Fiscal Code — see note at end of this section).
• Prevention and detection of fraud, money laundering, and other illicit conduct.
• Transactional communications (confirmations, account alerts, receipts).
• Compliance with COFEPRIS or other applicable regulatory authority requirements.
• Sending marketing communications, promotions, and product updates.
• Participation in product improvement programs and satisfaction surveys.
• Sharing aggregated and anonymized campaign performance data with business partners.
• Identity, background, and eligibility verification (KYC/KYB via Sumsub).
• Device installation, maintenance, and technical support management.
• Payment processing and settlements; issuance of CFDI where applicable.
• GPS device location monitoring for impression reporting and advertiser contract fulfillment.
• Tax compliance obligations before SAT.
• Operational and support communications.
• Compliance with transport and advertising regulatory requirements.
• Marketing communications and incentive programs.
• Participation in service improvement studies.
• Facilitating user interaction with the scanned advertisement (redirect to advertiser URL).
• Generating campaign performance metrics for the advertiser (in aggregated or anonymized form where possible).
• Prevention of fraud and platform abuse.
Mandatory legal notice: Tax and billing data may be accessed by the Servicio de Administracion Tributaria (SAT) pursuant to Article 30-B of the Federal Fiscal Code (Codigo Fiscal de la Federacion). This access constitutes a non-waivable legal obligation and does not require additional consent from the data subject.
Processing Purpose | Consent Type Required |
Account creation and management (advertiser/driver) | Implied — by completing registration and accepting the terms of service |
Payment and transaction processing (Stripe) | Express — by entering payment data and confirming the transaction |
CFDI issuance / SAT tax compliance | Implied (non-waivable legal obligation) |
Financial data (CLABE, bank details) | Express — via driver agreement |
Identity verification KYC (Sumsub) | Express — consent captured within the Sumsub verification flow |
GPS device location (drivers) | Express — via driver agreement |
Transactional communications | Implied — necessary for service operation |
Marketing and promotional communications | Express — opt-in at time of registration, revocable at any time |
Sharing data with third-party advertisers (passengers) | Express — visible notice on device and QR code at point of interaction |
Sensitive data (CURP, biometrics) | Express — via driver agreement and captured within Sumsub verification flow |
Authority access (SAT, SABG, judicial) | No consent required — legal obligation |
• Advertisers: Acceptance checkbox for terms and privacy policy at registration; separate checkbox for marketing; active confirmation when depositing funds via Stripe.
• Driver-Partners: Digital onboarding process with a separate driver agreement; acknowledgement of privacy policy; separate checkbox for marketing; Sumsub verification flow with integrated consent.
• Passengers: Privacy disclosure visible on the advertisement where a QR code is displayed; voluntary interaction constitutes consent for minimum technical processing.
All persons, employees, contractors, and service providers who access personal data must sign confidentiality agreements. These obligations are irrevocable and survive termination of the employment or service relationship.
Recipient Category | Purpose | International Transfer |
Stripe, Inc. | Card payment processing; PCI-DSS compliance | Yes — USA; LFPDPPP Chapter V |
facturapi | CFDI generation and stamping; RFC validation | No |
Sumsub | Driver KYC/KYB identity verification | Yes — USA/EU; LFPDPPP Chapter V |
Cloud infrastructure provider (AWS/GCP/Azure) | Data and platform hosting | Yes — per region; LFPDPPP Chapter V |
Analytics platforms | Performance metrics and platform monitoring | Possible; LFPDPPP Chapter V |
SAT (Servicio de Administracion Tributaria) | Tax compliance — CFF Art. 30-B | No — legal obligation |
SABG (regulatory authority) | Regulatory compliance and incident reporting | No — legal obligation |
Judicial and law enforcement authorities | Court order or legal mandate | No — legal obligation |
Advertisers (re: passenger metrics) | Campaign performance reports (aggregated/anonymized) | Only with express passenger consent |
International data transfers comply with the requirements of Chapter V of the LFPDPPP, including the execution of standard contractual clauses or the verification of an adequate level of protection in the recipient country where applicable.
Data Type | Retention Period | Legal Basis | Deletion Method |
Advertiser account data | Duration of account + 3 years after closure | LFPDPPP Art. 11; CFF Art. 30 | Secure deletion / anonymization |
Campaign data and creatives | 2 years after campaign end | Contractual legitimate interest | Secure deletion |
Driver-Partner data | Duration of relationship + 3 years | LFPDPPP Art. 11; LFT; CFF | Secure deletion / anonymization |
Transaction and fiscal records | 5 years minimum (non-negotiable) | CFF Art. 30 — legal obligation | Legal retention; subsequent secure deletion |
Payment card data | Not retained by [COMPANY NAME] | Processed by Stripe (PCI-DSS) | N/A — never stored |
Passenger QR interaction data | 12 months or advertiser-specified period (whichever is shorter) | Consent / minimum legitimate interest | Automatic deletion at period end |
Incident and breach records | 5 years | LFPDPPP; SABG — regulatory obligation | Secure deletion after regulatory period |
Consent records | Duration of processing + 3 years | LFPDPPP — burden of proof | Secure deletion |
You have the right to know what personal data we hold about you (Access), to request its correction (Rectification), to request its removal from our records (Cancellation), and to object to the processing of your data for specific purposes (Objection).
1. Submit your request by email to: privacidad@[DOMAIN].com
2. Your request must include: (a) full name; (b) copy of a valid official ID; (c) a clear and detailed description of the right you wish to exercise and the data involved; (d) postal address or email address to receive the response; and (e) any document that facilitates locating your data.
3. Acknowledgment: [COMPANY NAME] will acknowledge receipt of your request within 5 (five) business days of receiving it.
4. Substantive response: A response to your request will be issued within 20 (twenty) business days of receipt, in accordance with Article 32 of the LFPDPPP. This period may be extended in duly justified exceptional cases.
5. Internal responsibility: ARCO requests are received by the Privacy Officer, reviewed by the Legal department, and approved with the participation of the Finance department when they involve the cancellation of billing records.
• Data subject to mandatory legal retention (SAT tax records — CFF Art. 30).
• Data linked to ongoing judicial or administrative proceedings, or fraud investigations.
• Data whose preservation is necessary to comply with a legal obligation or to defend [COMPANY NAME]'s legal rights.
If you are not satisfied with the response received, you have the right to file a complaint directly with the Secretaria Antiburocrática y de Buen Gobierno (SABG), the competent authority for data protection in Mexico.
INCIDENT RESPONSE PLAN — PERSONAL DATA
Operational reference document | Version effective as of: [DATE]
• Responsible for detection: Engineering/IT team or any employee who identifies a potential incident.
• Immediate escalation: Notify the Privacy Officer and Engineering Lead/CTO within a maximum of 2 hours of detection.
• Initial containment steps: isolate affected systems, preserve evidence, revoke compromised credentials, notify the Executive Sponsor.
• Determine the type of data affected (sensitive, financial, technical), the number of data subjects involved, and the exposure period.
• Assess whether the incident triggers the notification duty to SABG (criterion: personal data compromised with real risk to data subjects).
• Document all findings in the internal Incident Log.
• SABG must be notified within 72 hours of confirming a breach involving personal data.
• The SABG report must include: nature and type of the breach; categories and approximate volume of data affected; containment and remediation measures taken; Privacy Officer contact details.
• Affected data subjects must be informed promptly and without undue delay, in clear and plain language.
• Channels: registered email address and/or in-platform notification.
• The notice must describe: what happened, what data was affected, what steps are being taken, and how to contact the Privacy Officer.
Role | Primary Responsibility |
Privacy Officer | Primary incident coordinator; communication with SABG; data subject notification |
Legal Counsel | Legal assessment of notification duty; review of external communications |
CTO / Engineering Lead | Technical containment; forensic analysis; system remediation |
Executive Sponsor | Business decisions; approval of public statements; board reporting |
• Root cause analysis within 30 days of incident closure.
• Update of affected policies, technical controls, and procedures.
• Follow-up report to SABG if required or if new relevant findings were identified.
All incidents — regardless of whether they triggered the notification duty — must be logged in the Internal Incident Register and retained for a minimum period of 5 (five) years, in accordance with the LFPDPPP and SABG regulations.
All access to personal data — whether by full-time employees, project-based workers, independent contractors, or third-party service providers — is conditioned upon the signing of a confidentiality agreement with [COMPANY NAME].
These obligations are irrevocable and survive termination of the employment, service, or contractual relationship, regardless of the reason for termination.
Breach of these obligations may result in: (i) internal disciplinary measures, up to and including contract termination; (ii) civil action for damages; and (iii) administrative sanctions under the LFPDPPP, imposed by the SABG.
[COMPANY NAME] may modify this Privacy Notice as necessary to reflect changes in its data processing practices, applicable law, or the services offered.
Material changes — those involving a significant modification to processing purposes, categories of data collected, or data subject rights — will be communicated via: (i) email to the registered address; and/or (ii) a prominent notice on the platform, at least 15 days before they take effect.
Continued use of the platform following notification of non-material changes constitutes tacit acceptance of those changes.
Previous versions of this Privacy Notice will be made available upon request addressed to privacidad@[DOMAIN].com.
Channel | Details |
Privacy email | privacidad@[DOMAIN].com |
Acknowledgment timeframe | 5 business days |
Substantive response timeframe | 20 business days (LFPDPPP Art. 32) |
Supervisory authority | Secretaria Antiburocrática y de Buen Gobierno (SABG) |
Full notice website | https://[DOMAIN].com/privacy |
If you do not receive a response within the indicated timeframes, or if you consider that your request was not addressed satisfactorily, you have the right to file a complaint directly with the SABG, which acts as the data protection supervisory authority in Mexico.
[COMPANY NAME] — Privacy Policy
Effective as of: [DATE]
privacidad@[DOMAIN].com | [DOMAIN].com/privacidad