GraciasGracias Privacy Policy
Effective Date: June 15, 2026
Last Updated: May 16, 2026
Version: 1.0
1. Introduction
1.1 Purpose
This Privacy Policy ("Policy") describes how GraciasGracias ("we," "us," "our," or "Platform") collects, uses, discloses, and protects personal information of users ("you" or "your") of the platform at graciasgracias.live and related services.
1.2 Scope
This Policy applies to all users of the Platform, including visitors, registered users, event organizers, and ticket purchasers. It governs our practices regarding personal information collected through the Platform, regardless of where you access it from.
1.3 Data Controller
The data controller responsible for your personal information is:
GraciasGracias
Av. José Martí 49, Escandón I Secc
Miguel Hidalgo, 11800 Ciudad de México, CDMX
Mexico
Email: support@graciasgracias.live
1.4 Applicable Laws
We comply with applicable data protection laws including:
- LFPDPPP — Mexican Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares)
- GDPR — European Union General Data Protection Regulation (for EU users)
- CCPA/CPRA — California Consumer Privacy Act (for California users)
- Other applicable jurisdictional privacy laws
1.5 Acceptance
By using the Platform, you consent to the collection, use, and disclosure of your personal information as described in this Policy. If you do not agree, you must not use the Platform.
2. Information We Collect
2.1 Information You Provide Directly
Account Information:
- Name (display name)
- Email address
- Username (immutable once selected)
- Password (stored encrypted; we never see plaintext)
- Profile information you choose to provide (bio, photo, location)
- Preferred city for content personalization
Authentication Information:
- Social authentication tokens (Google) and basic profile data when you use SSO
- Multi-factor authentication credentials if enabled
Communication Content:
- Messages you send through Platform messaging
- Community board posts, comments, and reactions
- Event reviews and ratings
- Custom approval question responses
- Support communications with us
Event and Ticketing Information:
- Events you create as an organizer
- Tickets you purchase
- Refund requests
- Friends Only meetup participation
Marketplace and Rental Information:
- Listings you create (items for sale, rentals available)
- Contact attempts between buyers/sellers, renters/landlords
- Mexican-specific rental information (Fiador, Póliza Jurídica preferences)
Social Connections:
- Friend connections you establish
- Users you block
- Hangouts and social calls
2.2 Information Collected Automatically
Device and Connection Information:
- IP address
- Device type and identifiers
- Browser type and version
- Operating system
- Mobile device identifiers
- Network information
Usage Information:
- Pages visited and content viewed
- Search queries on the Platform
- Click and interaction patterns
- Session duration and frequency
- Feature usage patterns
- Performance and error data
Location Information:
- Approximate location derived from IP address
- Explicit location data if you enable location-based features
- Selected region or city preference
- Event venue locations you interact with
Cookies and Similar Technologies:
- Authentication cookies (essential)
- Preference cookies (functional)
- Analytics cookies (PostHog)
- Performance cookies
See Section 9 for details on cookies.
2.3 Information from Third Parties
Payment Information: We do not store full payment card information. Stripe processes payments and we receive:
- Transaction confirmation
- Last 4 digits of payment methods
- Payment method type
- Stripe customer ID and payment intent ID
Stripe Connect (Organizers): For organizers, Stripe provides additional information including:
- Identity verification status
- Payout account configuration
- Connect account ID
- Lane configuration (MX or US)
Social Authentication: When you authenticate via Google, we receive basic profile information (email, name, profile photo) per the OAuth scope you authorize.
Event Import Partners: External event data from Ticketmaster and other partners includes event details, venue information, and pricing, which become Platform content.
Content Moderation Services: We use OpenAI and Anthropic content moderation services. Content submitted for moderation is processed by these services per their policies.
2.4 Sensitive Personal Information
We generally do not collect sensitive personal information. However, certain features may incidentally involve sensitive data:
- Health information: If shared voluntarily in community posts or event approval questions
- Sexual orientation/gender identity: If shared voluntarily in profile or content
- Religious beliefs: If shared voluntarily in community posts
- Political opinions: If shared voluntarily in community posts
We do not encourage submission of sensitive information. Where collected, we apply heightened protections. You may request removal of sensitive information at any time.
We do not collect:
- Financial account credentials
- Government-issued ID numbers (except as required by Stripe for organizer KYC)
- Biometric information
- Genetic information
3. How We Use Information
3.1 To Provide the Platform
- Authenticate your access and maintain your account
- Process ticket purchases and refunds
- Facilitate organizer payouts via Stripe
- Display events, listings, and community content
- Enable messaging and social features
- Deliver tickets (email, in-app, future Wallet integrations)
- Send transactional notifications (purchase confirmations, event reminders, etc.)
- Process refunds and resolve disputes
- Provide customer support
3.2 Lawful Bases for Processing (GDPR)
For users protected by GDPR, we process personal information based on:
- Contract performance — To provide services you request (Article 6(1)(b))
- Legitimate interests — Platform operations, security, fraud prevention (Article 6(1)(f))
- Legal obligations — Tax records, regulatory compliance (Article 6(1)(c))
- Consent — Where explicitly required (marketing, special categories) (Article 6(1)(a))
3.3 LFPDPPP Purposes (Mexican Users)
For Mexican users, primary purposes (finalidades primarias) include:
- Provision of Platform services
- Account management and authentication
- Transaction processing
- Communications related to your use of the Platform
- Compliance with legal obligations
Secondary purposes (finalidades secundarias) — which you may opt out of:
- Marketing communications
- Product improvement analytics
- User research
3.4 To Improve the Platform
- Analyze usage patterns to improve features
- Detect and fix technical issues
- Develop new features
- Conduct A/B testing
- Aggregate analytics
3.5 For Safety and Security
- Content moderation (automated and human)
- Fraud detection and prevention
- Investigation of suspected violations
- Account security monitoring
- Protection of user safety
3.6 For Communications
- Transactional emails (essential, cannot be opted out)
- Marketing emails (with opt-in consent where required)
- Bell notifications within the Platform
- Service announcements
3.7 For Legal Compliance
- Compliance with applicable laws
- Response to legal process (subpoenas, court orders)
- Protection of rights and safety
- Tax recordkeeping
3.8 With Your Consent
For purposes beyond those described, we will request your specific consent.
4. How We Share Information
4.1 With Other Users
Information you share publicly is visible to other users:
- Profile information you make public
- Community posts and comments
- Event participation
- Marketplace and rental listings
- Friends Only meetup participation (visible to creator's friends only)
4.2 With Event Organizers
When you purchase a ticket or request approval:
- The organizer receives your name, email, and ticket information
- Custom approval question responses are visible to the organizer
- The organizer may need to communicate with you about the event
Organizers are bound by data protection obligations regarding attendee information.
4.3 With Service Providers
We share information with trusted service providers who help us operate the Platform:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Transaction details, payment methods, organizer KYC |
| Supabase | Database and authentication | All user data (stored) |
| Vercel | Web hosting | Web requests and responses |
| Resend | Email delivery | Email addresses and email content |
| PostHog | Product analytics | Usage data, device info, user actions |
| OpenAI | Content moderation | Content submitted for moderation |
| Anthropic | Content moderation | Content submitted for moderation |
| Google | Authentication, Wallet, Maps | Basic profile, ticket information |
| Klipy | GIF integration | GIF search queries |
| CARTO / Leaflet | Map display | Location queries |
| Ticketmaster (partners) | Event data | Public event interactions |
These providers process information per their own privacy policies and our data processing agreements.
4.4 Cross-Border Transfers
Personal information may be transferred to and processed in countries other than your country of residence, including:
- United States — Many service providers (Stripe, Vercel, Supabase, OpenAI, Anthropic, PostHog, Resend, Google) operate primarily in the United States
- European Union — Some service infrastructure
- Mexico — Primary operations
For EU users, we ensure appropriate safeguards including Standard Contractual Clauses (SCCs) where required by GDPR.
For Mexican users (LFPDPPP), international transfers are conducted per applicable legal frameworks.
4.5 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred. We will notify you of any such transfer and any changes in privacy practices.
4.6 Legal Compliance
We may disclose information when required by law, including:
- Response to legal process (subpoenas, court orders, search warrants)
- Tax authority requirements
- Law enforcement requests with valid legal basis
- Protection of rights, property, and safety of GraciasGracias, users, or others
- Investigation of fraud or violations
4.7 With Your Consent
We may share information for other purposes with your consent.
4.8 Aggregated and Anonymized Data
We may share aggregated or anonymized data that cannot reasonably be used to identify you for any purpose.
5. Your Rights
5.1 Rights Under LFPDPPP (ARCO Rights) — Mexican Users
If you are in Mexico, you have the following rights regarding your personal information:
- Acceso (Access): Right to know what data we hold about you
- Rectificación (Rectification): Right to correct inaccurate data
- Cancelación (Cancellation): Right to request deletion
- Oposición (Opposition): Right to object to processing
To exercise ARCO rights, contact us at support@graciasgracias.live with:
- Your name and contact information
- Specific right(s) you wish to exercise
- Clear description of the data involved
- Proof of identity
We will respond within 20 business days as required by LFPDPPP.
5.2 Rights Under GDPR — EU Users
If you are in the EU/EEA, you have additional rights:
- Right to access — Receive a copy of your data
- Right to rectification — Correct inaccurate data
- Right to erasure ("right to be forgotten") — Request deletion
- Right to restrict processing — Limit how we use your data
- Right to data portability — Receive your data in machine-readable format
- Right to object — Object to certain processing
- Right not to be subject to automated decision-making — With significant effect
- Right to withdraw consent — Where processing is based on consent
- Right to lodge a complaint — With your data protection authority
To exercise GDPR rights, contact us at support@graciasgracias.live.
5.3 Rights Under CCPA/CPRA — California Users
California residents have the following rights:
- Right to know — What personal information we collect, use, and share
- Right to delete — Request deletion of personal information
- Right to correct — Correct inaccurate personal information
- Right to opt out — Of sale or sharing for cross-context behavioral advertising
- Right to limit — Use of sensitive personal information
- Right to non-discrimination — For exercising your rights
We do not sell personal information for monetary consideration. We may share information for limited purposes that could be considered "sharing" under CPRA; you may opt out by contacting support@graciasgracias.live.
5.4 Account Settings
Many rights can be exercised through account settings:
- Update profile information
- Change email address (subject to verification)
- Manage notification preferences
- Block other users
- Delete posts and content you created
- Close your account
Note: Username cannot be changed by users (Section 2.2 of ToS); contact support for exceptional circumstances.
5.5 Marketing Communications
You may opt out of marketing communications:
- Unsubscribe link in marketing emails
- Notification preferences in account settings
- Contact support@graciasgracias.live
Transactional communications (ticket confirmations, event reminders, security alerts) cannot be opted out while maintaining an active account.
5.6 Cookie Management
You can manage cookies through:
- Browser settings (block/delete cookies)
- Platform cookie preferences (if implemented)
- Third-party opt-out tools
Disabling essential cookies may prevent the Platform from functioning.
6. Data Retention
6.1 Retention Periods
We retain personal information for as long as necessary to:
- Provide Platform services
- Comply with legal obligations
- Resolve disputes
- Enforce agreements
- Maintain business records
Specific retention periods:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + reasonable post-closure period |
| Transaction records | As required by Mexican tax law (typically 5 years) |
| Stripe Connect records | Per Stripe's retention requirements |
| Content (posts, comments) | Until deleted by user or account closure (subject to legal holds) |
| Communications (messages) | Per user preferences and legal requirements |
| Analytics data | Aggregated/anonymized after defined periods |
| Backup data | Per backup rotation schedules |
| Logs (security, errors) | Typically 30-90 days |
6.2 Account Deletion
Upon account closure:
- Personal profile information is deactivated
- Some content may remain visible (posts that have been responded to)
- Transaction records are retained per legal requirements
- Username is reserved to prevent impersonation
- Backup copies are deleted per backup rotation
6.3 Legal Holds
We may retain information longer when required for legal proceedings, investigations, or compliance.
7. Data Security
7.1 Security Measures
We implement appropriate technical and organizational measures to protect personal information:
- Encryption in transit (TLS/SSL)
- Encryption at rest for sensitive data
- Row-level security (RLS) policies on database access
- Authentication and access controls
- Regular security audits
- Secure development practices
- Employee training and confidentiality agreements
- Incident response procedures
7.2 Limitations
No security measure is perfect. We cannot guarantee absolute security of information transmitted to or stored on the Platform. You are responsible for:
- Maintaining your account credentials
- Using strong passwords
- Reporting suspected security breaches immediately
7.3 Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you and applicable authorities as required by law, including:
- LFPDPPP notification requirements (Mexico)
- GDPR Articles 33-34 notification (EU users)
- State data breach laws (US users)
- Other applicable notification laws
8. Children's Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from minors.
If we discover we have collected information from a minor:
- We will delete the information promptly
- We will close the account
- We will notify parents/guardians where appropriate
If you believe we have collected information from a minor, contact us at support@graciasgracias.live.
Parents/guardians who believe their child has provided information should contact us for removal.
9. Cookies and Tracking Technologies
9.1 What Are Cookies
Cookies are small text files stored on your device when you visit websites. They help websites function and collect information.
9.2 How We Use Cookies
Essential Cookies (cannot be disabled):
- Authentication and session management
- Security features
- Basic functionality
Functional Cookies (can be managed):
- Language and region preferences
- User interface customization
- Feature preferences
Analytics Cookies (can be managed):
- PostHog product analytics
- Usage measurement
- Performance monitoring
Third-Party Cookies:
- Stripe (payment processing)
- Google (authentication)
- Other integrated services
9.3 Managing Cookies
You can manage cookies through:
- Browser settings (most browsers allow blocking/deleting cookies)
- Platform cookie preferences (if implemented in future)
- Third-party opt-out tools
Disabling essential cookies will prevent Platform login and core functionality.
9.4 Do Not Track Signals
We currently do not respond to Do Not Track (DNT) browser signals. Industry standards for DNT signals are still evolving.
10. Automated Decision-Making and Profiling
10.1 Content Moderation
We use automated content moderation systems (OpenAI moderation API, Claude Haiku) to detect policy violations. Automated moderation may:
- Flag content for human review
- Apply temporary restrictions
- Auto-remove content meeting specific criteria
You may request human review of automated moderation decisions affecting your content.
10.2 Fraud Detection
We use automated systems to detect potential fraud, including:
- Unusual login patterns
- Suspicious transaction patterns
- Account behavior anomalies
10.3 Recommendation Systems
The Platform may use recommendation algorithms to surface relevant content, events, and connections. These do not result in significant automated decisions affecting your legal rights.
10.4 Your Rights
You have the right to:
- Request explanation of automated decisions
- Request human review
- Object to processing based on legitimate interests
11. Specific Features and Privacy
11.1 Friends Only Meetups
Friends Only Meetup features rely on friend connections:
- Friends are explicitly established (mutual consent)
- Friend lists are not publicly displayed
- Friends Only content visibility is creator-anchored, not transitively granted through friendship chains
11.2 Location Features
Location information is used for:
- City-based content personalization
- Event discovery in your area
- Map display of event venues
- Optional location sharing in profile
You can manage location-related preferences in account settings.
11.3 Messaging
Direct messages are:
- Visible to participants in the conversation
- Stored on Platform infrastructure
- Subject to moderation for safety violations
- Not encrypted end-to-end (not private from Platform)
We may review messages flagged for safety concerns. We do not routinely monitor message content.
11.4 Event Approval Custom Questions
Custom approval questions and your responses are:
- Visible to the event organizer
- Visible to GraciasGracias administrators for support purposes
- Not publicly displayed
11.5 Wallet Integrations
When you add tickets to wallet services (Google Wallet, future Apple Wallet):
- The wallet provider receives ticket information
- Wallet provider terms and privacy policies apply
- Pass revocation may occur with refunds
11.6 Future Friend System Enhancements
When friend system features are enhanced post-launch, this Policy will be updated.
12. International Considerations
12.1 Users Outside Mexico
We welcome users from anywhere in the world. By using the Platform, you consent to:
- Processing of your information in Mexico and other jurisdictions where our service providers operate
- Application of Mexican law to your use of the Platform (subject to mandatory protections in your jurisdiction)
12.2 Specific Jurisdictional Rights
If you have specific rights under your local laws that exceed those described here, those rights remain in effect.
12.3 Language
This Policy is available in English and Spanish. In case of conflict between language versions, the English version controls. The Spanish translation is provided for convenience.
13. Changes to This Policy
13.1 Updates
We may update this Policy from time to time. Material changes will be communicated via:
- Email notification
- Prominent Platform notice
- Updated "Last Updated" date
13.2 Continued Use
Continued use of the Platform after material changes constitutes acceptance. For changes affecting your rights, we may seek additional consent where required by law.
14. Privacy Officer and Contact
14.1 Privacy Contact
For privacy questions, requests, or complaints:
Email: support@graciasgracias.live
Mailing Address:
GraciasGracias
Av. José Martí 49, Escandón I Secc
Miguel Hidalgo, 11800 Ciudad de México, CDMX
Mexico
14.2 Data Protection Authorities
If you believe we have violated your privacy rights:
Mexico: INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) at https://home.inai.org.mx
EU: Your national data protection authority — find yours at https://edpb.europa.eu/about-edpb/about-edpb/members_en
California: California Privacy Protection Agency at https://cppa.ca.gov
We encourage you to contact us first to address concerns.
15. Summary Table
| Question | Answer |
|---|---|
| Who collects my data? | GraciasGracias (data controller) |
| What data is collected? | Account info, content, transactions, usage data, technical data |
| Why is data collected? | Provide Platform, security, legal compliance, improvement |
| Who is data shared with? | Service providers, organizers (for your transactions), as legally required |
| Where is data stored? | Primarily United States (Supabase, Vercel) and Mexico |
| How long is data kept? | As long as needed; transactions per tax law (typically 5 years) |
| What are my rights? | Access, rectification, deletion, opposition, portability (subject to jurisdiction) |
| How do I exercise rights? | Email support@graciasgracias.live or use account settings |
| How is data secured? | Encryption, access controls, security audits |
16. Specific Privacy Notices
16.1 LFPDPPP Aviso de Privacidad (Mexican Users)
This Privacy Notice complements the main Privacy Policy and provides specific information pursuant to LFPDPPP:
- Identity and address of the data controller: GraciasGracias, Av. José Martí 49, Escandón I Secc, Miguel Hidalgo, 11800, Ciudad de México, CDMX, Mexico
- Primary processing purposes: Provision of platform services, account management, transaction processing, communications, legal compliance
- Secondary purposes: Marketing, product analytics, user research (you may opt out)
- Sensitive personal data: We do not regularly collect sensitive data
- Transfers: We share data with service providers primarily in the United States
- ARCO rights: You may exercise your rights by contacting support@graciasgracias.live
- Notice changes: We will notify you of material changes by email and platform notice
16.2 GDPR-Specific Disclosures (EU Users)
- Data controller identity: GraciasGracias
- Data protection officer: Not currently appointed (not required for our scale; reviewed periodically)
- Lawful basis details: See Section 3.2
- Recipient categories: See Section 4
- Third country transfers: Standard Contractual Clauses where applicable
- Retention details: See Section 6
- Source of data: Directly from you and from third parties as described
- Automated decision-making: See Section 10
- Right to lodge complaint: Contact your national supervisory authority
16.3 CCPA-Specific Disclosures (California Users)
Categories of personal information collected (per CCPA categories):
- Identifiers (name, email, IP address, account identifiers)
- Customer records (transactions, communications)
- Commercial information (purchases, listings)
- Internet activity (usage, interactions)
- Geolocation data (approximate location)
- User content (posts, messages)
- Inferences (preferences, characteristics)
We do not sell personal information for monetary consideration. Disclosure for business purposes is covered in Section 4.
17. Effective Date and Versioning
This Privacy Policy is effective as of June 15, 2026.
Version History:
- 1.0 — May 16, 2026 — Initial publication
Prior versions available upon request.
End of Privacy Policy.