This Integral Privacy Notice describes how KRZ Systems, through the Boleti.mx platform, collects, uses, transfers and protects the personal data of operators, their staff and the passengers such operators record in the system. This notice is issued under the **new Mexican Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP)**, published in the Official Gazette on March 20, 2025 and in force since March 21, 2025, under the authority of the **Secretariat for Anti-Corruption and Good Government (SABG)**, which took over the personal-data protection duties previously held by INAI. It has additionally been aligned with applicable international standards (GDPR, LGPD, CCPA/CPRA, PIPEDA, among others) to serve customers across the Americas.
1. Identity of the data controller
The data controller is KRZ Systems, the company that operates the platform marketed under the Boleti.mx brand.
- Legal name: KRZ Systems (registered details available upon request).
- Address: Corporativo Torre A, Mz 004, Residencial Lomas de Sotelo, ZIP 53390, Naucalpan de Juárez, Estado de México, Mexico.
- Website: https://boleti.mx
- General legal contact: legal@boleti.mx
- Data Protection Officer (DPO) / Privacy Officer: privacidad@boleti.mx
- Rights-exercise phone: +52 55 6133 0723.
For any clarification, exercise of rights or query related to this Privacy Notice, the official channel is privacidad@boleti.mx. We respond within a maximum of 20 business days under the new LFPDPPP 2025, and sooner where other jurisdictions require it (for example, GDPR allows 30 calendar days, extendable in justified cases).
2. Personal data we collect
We collect the following categories of personal data, grouped by data subject and purpose:
A. Operator and staff data (B2B customers):
- Identification: full name, taxpayer ID (RFC in Mexico, equivalents elsewhere), national ID where applicable, phone number, optional profile photo.
- Contact: corporate email, WhatsApp number, postal address.
- Billing: legal name, full taxpayer ID, fiscal address, tax regime, tokenized payment method through Stripe (Boleti.mx does not store card PAN data).
- Credentials and security: password hash (Argon2id), encrypted TOTP secrets, WebAuthn keys, login history.
- Service usage: activity logs, IP address, user-agent, device fingerprint (anti-fraud), time zone, language.
B. Passenger and end-customer data the operator captures in the platform:
- Passenger identification: name, optional date of birth, optional gender, official ID when the operator requests it.
- Passenger contact: phone, email, WhatsApp.
- Trip data: origin, destination, date, seat, amount paid, payment method.
- Loyalty program: accumulated points, trip history, preferences.
Important: with respect to passenger data in section B, Boleti.mx acts as a processor, not as a controller. The operator is the controller before its passengers and must maintain its own privacy notice. Boleti.mx processes such data exclusively under operator instructions and pursuant to the service agreement.
3. Purposes of processing
Primary purposes (necessary for the contractual relationship; no additional consent required):
- Create and manage the operator account on the platform.
- Provide contracted features: box office, web sales, WhatsApp Business, loyalty program, reports, admin console.
- Process subscription payments through Stripe and issue invoices in accordance with applicable tax law.
- Provide technical support and customer service through the enabled channels.
- Maintain platform security: fraud prevention, abuse detection, integrity monitoring.
- Comply with applicable legal obligations (tax, accounting, labor, regulatory).
- Notify security incidents when required by law.
Secondary purposes (these require explicit consent, and you may opt out at any time without affecting the main service):
- Send commercial communications about new products, improvements or promotions of Boleti.mx.
- Aggregated statistical analysis and market research (anonymized when feasible).
- Product improvements based on usage patterns.
- Invitations to beta programs, surveys or customer testimonials.
You may opt out of secondary processing by emailing privacidad@boleti.mx or from the preference center inside your account. Opting out does not affect your access to the service.
4. Transfers and providers
To run the platform we transfer data to strictly necessary third parties. Each provider is bound by contractual data-protection clauses and, where applicable, the European Commission's Standard Contractual Clauses (SCCs).
- Stripe Inc. / Stripe Payments Europe (United States / Ireland) — payment processing and recurring billing. PCI-DSS Level 1 certified. Legal basis: contract performance.
- Meta Platforms, Inc. / WhatsApp Ireland (United States / Ireland) — sending and receiving messages to passengers via WhatsApp Business Cloud API. Legal basis: contract performance and operator's legitimate interest.
- Google LLC / Google Maps Platform (United States) — geocoding, routing and travel-time estimation. Legal basis: contract performance.
- Microsoft Corporation / Azure (Primary datacenter: Mexico Central; backup: East US 2) — backend hosting, PostgreSQL database, blob storage, cryptographic keys. Legal basis: contract performance. Microsoft Azure holds ISO 27001, SOC 2 Type II and ISO 27018 certifications.
- Vercel Inc. (United States, global edge network) — hosting of the public marketing site and the operator console. Legal basis: contract performance.
- Resend / SendGrid (Twilio Inc.) (United States) — transactional email delivery. Legal basis: contract performance.
- Sentry / Datadog (United States) — error monitoring and aggregated observability. Pseudonymized data. Legal basis: legitimate interest.
We do not sell or rent personal data to third parties for advertising purposes. Any additional transfer will be notified and, where applicable, requires your consent.
5. ARCO rights and additional rights
As a data subject, in Mexico you have the right to:
- Access: know what personal data we hold about you and how we use it.
- Rectification: correct inaccurate or incomplete data.
- Cancellation: request deletion when data is no longer necessary.
- Opposition: object to processing for specific purposes.
Additionally, we recognize the following rights when applicable law contemplates them:
- Portability: receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.
- Withdrawal of consent: withdraw at any time the consent granted for secondary purposes.
- Restriction of processing: restrict use while a request or dispute is resolved.
- Not be subject to automated decisions: when they produce significant legal effects.
How to exercise them: send an email to privacidad@boleti.mx from the registered account, indicating: (i) your name and a means to verify your identity, (ii) a clear and precise description of the right being exercised, (iii) the personal data that is the subject of the request, (iv) your address or contact channel for the response. We address requests within 20 business days under the new LFPDPPP 2025. If reinforced identity proof is required, we may ask for an official document.
If you are not satisfied with our response, you may file a complaint with Mexico's Secretariat for Anti-Corruption and Good Government (SABG), the supervisory authority that took over the duties of the former INAI as of March 21, 2025, at https://www.gob.mx/buengobierno, or with the supervisory authority of your jurisdiction.
7. Security measures
We apply administrative, physical and technical controls proportional to the sensitivity of the data:
- Encryption at rest: AES-256 for databases, blob storage and backups.
- Encryption in transit: TLS 1.3 mandatory on every endpoint; HSTS enabled.
- Authentication: Argon2id password hashing, mandatory second factor (TOTP) for admin roles, support for WebAuthn (passkeys).
- Tokens: signed JWTs with automatic rotation and per-session blacklist.
- Multi-tenant isolation: native PostgreSQL Row-Level Security (RLS) — each operator only sees its own data, with no technical possibility of cross-tenant leakage.
- Auditing: every critical action (CRUD on business entities, admin access, configuration changes) is recorded in an immutable log with field-by-field diff and retained for at least 5 years.
- Encrypted backups: daily, geo-redundant, with quarterly restore tests.
- Security testing: static analysis (SAST), dynamic analysis (DAST), dependency scanning, annual third-party pentest.
- Incident response: documented plan, 24/7 on-call team. In case of a breach affecting personal data, we notify the authority and data subjects in line with LFPDPPP art. 20 and GDPR (72 hours).
No system is risk-free. If you discover a vulnerability, report it to security@boleti.mx; we honor a 90-day responsible-disclosure program.
8. Retention and deletion
We retain personal data for the period required to fulfill the processing purposes and, afterwards, for the applicable legal periods:
- Account and transactional data: for the entire contractual relationship + 5 years after termination, in line with article 67 of Mexico's Federal Tax Code (CFF) governing accounting and tax retention. Equivalent periods apply in other countries (e.g., 5 years in Brazil under CT-e, 6 years in Canada).
- Passenger data (processor mode): for the period instructed by the operator in its own policy, with a minimum of 3 years to ensure tax traceability of the sold ticket.
- Technical and audit logs: at least 5 years, anonymized after the second year when feasible.
- Data for secondary purposes: until you withdraw consent.
- Backups: retained up to 90 days, then rotated.
Once the term has elapsed, we proceed with secure deletion (random-pattern overwrite + block recycling) or irreversible anonymization when data may still be useful in aggregate to improve the service. The right to be forgotten (RTBF) is executed within 30 days of the request, unless a legal obligation requires further retention, in which case it is documented and notified to the data subject.
9. Children
Boleti.mx is a B2B platform aimed exclusively at professional transportation operators and their adult staff. It is not directed at minors and we do not intentionally collect personal data of persons under 18 (16 in some jurisdictions).
Data about minor passengers that the operator may capture in the system (for instance, a passenger's date of birth) is processed by Boleti.mx as a processor under the responsibility of the operator, who must obtain consent from the parent or legal guardian as required by applicable child-protection laws (LFPDPPP, COPPA in the U.S., GDPR-K in the EU, ECA in Brazil, among others).
If you believe a minor has provided data without authorization, contact us at privacidad@boleti.mx and we will delete it promptly.
10. Applicable legal regime and international compliance
Boleti.mx is a platform operated from Mexico by KRZ Systems. The primary law applicable to this Privacy Notice is the new LFPDPPP 2025, together with the regulation issued by the Secretariat for Anti-Corruption and Good Government (SABG), the supervisory authority in Mexico. In addition, we recognize and abide by the following legislation when data subjects reside in the respective jurisdictions:
- Argentina: Personal Data Protection Act 25.326 and rules issued by the Agency of Access to Public Information (AAIP).
- Brazil: General Data Protection Law (LGPD — Law 13.709/2018) and resolutions of the National Data Protection Authority (ANPD).
- Colombia: Law 1581 of 2012, Decree 1377 of 2013 and rules of the Superintendence of Industry and Commerce (SIC).
- Chile: Law 19.628 on the Protection of Private Life and the new Personal Data Framework Law.
- Peru: Personal Data Protection Law 29.733 and its Regulation.
- United States (state framework): California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Texas Data Privacy and Security Act (TDPSA), among other emerging state laws.
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws (Quebec Law 25, Alberta PIPA, BC PIPA).
- European Union / United Kingdom (when applicable): General Data Protection Regulation (GDPR) and UK GDPR. Transfers from the EU/UK to Mexico are made under Standard Contractual Clauses (SCCs) and, when relevant, transfer impact assessments (TIA).
In case of conflict between provisions, the rule that grants the highest protection to the data subject prevails.
11. Changes to this notice
We may update this Privacy Notice when required by law, when processing purposes change, when relevant new providers are added, or when we improve security controls.
The date of the latest version appears at the top of the document. Any material change will be communicated at least 30 calendar days in advance via:
- Email to the primary contact of each active account.
- Prominent in-app banner upon login.
- Publication of the new version at https://boleti.mx/privacy with date stamp.
We maintain a version history available upon request from the DPO. Continued use of the service after the effective date implies acceptance of the new version, unless you timely exercise your right to object.
12. Contact and supervisory authorities
To exercise rights, raise queries or report incidents, the channels are:
- Boleti.mx DPO: privacidad@boleti.mx
- Legal: legal@boleti.mx
- Security and vulnerabilities: security@boleti.mx
- Address: Corporativo Torre A, Mz 004, Residencial Lomas de Sotelo, ZIP 53390, Naucalpan de Juárez, Estado de México, Mexico.
If you believe your right to data protection has not been properly addressed, you may file a complaint with the supervisory authority of your jurisdiction:
- Mexico (SABG — Secretariat for Anti-Corruption and Good Government): https://www.gob.mx/buengobierno — supervisory authority that took over INAI's duties as of March 21, 2025.
- Brazil (ANPD): https://www.gov.br/anpd
- Argentina (AAIP): https://www.argentina.gob.ar/aaip
- Colombia (SIC): https://www.sic.gov.co
- Chile (Council for Transparency): https://www.consejotransparencia.cl
- Peru (ANPD-Peru): https://www.gob.pe/anpd
- European Union: national authority of your residence.
- United States (California — CPPA): https://cppa.ca.gov
- Canada (OPC): https://www.priv.gc.ca
We commit to cooperate in good faith with any supervisory authority and to respond within the legal timeframes.