Privacy Notice

Last updated: 2026-05-27

1. Data Controller

Shield My Field is operated by a Mexican Investment Promotion Variable Capital Stock Corporation (S.A.P.I. de C.V., in formation) backed by PeninsuLawyers (a law firm domiciled in Mérida, Yucatán, Mexico). The designated data protection contact is the legal department: legal@shieldmyfield.com.

Domicile for notifications: Mérida, Yucatán, Mexico (full fiscal address available upon request to the above email once incorporation is complete).

2. Personal Data We Collect

2.1 Account data

  • Name or pseudonym
  • Email address
  • Password (hashed, never stored in plaintext)
  • Preferred language and timezone
  • Subscription plan and start/renewal dates

2.2 Usage data

  • Search terms and applied filters
  • Developer and project profiles viewed
  • Pages viewed, session duration, device, browser, OS, IP address
  • Anonymous analytics identifiers (no third-party ad profiling)

2.3 Payment data

Processed directly by Stripe Payments Europe Ltd. and/or affiliates under their own terms. We neither store nor have access to card numbers, CVV, or expiration dates. We retain only the Stripe customer identifier, last 4 digits, brand, country of issuance, and subscription status.

2.4 User-generated content

Reviews, ratings, comments, file attachments (proof of purchase, photos), developer reply requests, and support communications. Such content may be public on the platform if the user so chooses when posting.

2.5 Sensitive data

We do not collect sensitive personal data (racial or ethnic origin, health, genetic information, religious/philosophical/moral beliefs, union affiliation, political opinions, sexual preference) unless the user voluntarily includes it in free-text content. We discourage doing so.

3. Purposes of Processing

3.1 Primary (necessary for the service)

  • Provide the platform, authentication, account management
  • Process payments, subscriptions, issue tax receipts
  • Calculate and display the Trust Score and related metrics
  • Handle support, complaints, and ARCO data subject requests
  • Prevent fraud, abuse, money laundering, and comply with legal obligations
  • Preserve evidence per fiscal and commercial obligations

3.2 Secondary (optional)

  • Aggregate statistical analysis and product improvement
  • Internal market research
  • Marketing communications, newsletters, surveys

You may opt out of secondary purposes at any time without affecting the service, by writing to legal@shieldmyfield.com or via account preferences.

4. Automated Decisions and Profiling (Trust Score)

The Trust Score is an algorithmic evaluation system that classifies real estate developers based on public data (PROFECO, INSEJUPY, SEDETUS/SEDUOPI, mercantile registries, media monitoring) and, where available, verified user reviews. Methodology, weights, and sources are fully published at /metodologia.

Pursuant to Article 36 of the LFPDPPP and best practices of GDPR (EU 2016/679) applied as reference, you have the right to:

  • Know the general logic used in the automated decision
  • Request a specific explanation of the calculation for a developer if you are its verified owner
  • Challenge the outcome via the developer reply portal
  • Provide documented additional information that may modify the calculation

The Trust Score is informational; it does not constitute investment advice, credit rating, or expert opinion. Purchase decisions are the sole responsibility of the user.

5. Applicable Legal Framework

  • Mexico's Federal Law for Protection of Personal Data Held by Private Parties (LFPDPPP)
  • LFPDPPP Regulations
  • INAI's Privacy Notice Guidelines
  • Mexico's Federal Consumer Protection Law (LFPC) regarding the consumer relationship
  • General guidelines for personal data processing by private parties

We process data only with the subject's consent and for legitimate, lawful, specific purposes, applying principles of legality, consent, information, quality, purpose, loyalty, proportionality, and accountability.

6. ARCO Rights and Exercise Procedure

You have the right to Access, Rectify, Cancel, or Object to the processing of your data. You may also revoke consent at any time and limit use or disclosure.

6.1 How to exercise

  1. Send your request to legal@shieldmyfield.com indicating: right exercised, clear description, data to locate your information, copy of valid official ID (INE/passport), and proof of representation if applicable.
  2. We respond within 20 business days and, if the request is upheld, execute it within the following 15 business days (LFPDPPP arts. 32–34).
  3. Exercising these rights is free; only justified shipping/reproduction costs for special formats would be charged.

6.2 Limitations

Cancellation or objection may be limited when a legal obligation exists (fiscal record-keeping, anti-fraud duties) or when data is necessary to fulfill an active contract. We will inform you of the legal basis and duration of any residual processing.

6.3 Recourse before INAI

If you consider that your right was not properly addressed, you may file a data rights protection request before INAI (Mexico's data protection authority) within 15 business days from receipt of our response or expiration of the deadline: home.inai.org.mx.

7. Retention Periods

  • Active account data: while the account remains active.
  • Post-cancellation data: 90 days for reactivation, then anonymized.
  • Accounting and tax data: 5 years per the Federal Tax Code.
  • Anti-fraud records: up to 5 years for compliance purposes.
  • Public reviews: kept as part of the service history unless the author requests removal.
  • Access logs: up to 12 months for security purposes.

8. Data Transfers (processors / sub-processors)

List current as of 2026-05-27. We will notify B2B Pro users of any material addition or removal with at least 15 calendar days' notice.

We share data with the following processors, all under processing clauses compliant with LFPDPPP:

  • Supabase Inc. (USA — database hosting and authentication)
  • Vercel Inc. (USA — web hosting, edge runtime, anonymous analytics)
  • Stripe Payments Europe Ltd. (Ireland — payment processing)
  • Resend Inc. (USA — transactional email delivery via send.shieldmyfield.com)
  • Cloudflare Inc. (USA — CDN, anti-bot protection, DDoS mitigation)
  • PeninsuLawyers (Mexico — legal audits and Pro-tier client support)
  • Competent authorities pursuant to a valid legal requirement

International transfers are made to jurisdictions offering comparable protection levels and under standard contractual clauses. We do not sell or transfer your data to third parties for marketing, nor do we use, license, or make it available for training any third-party artificial intelligence models.

9. Security Measures

We implement reasonable administrative, technical, and physical measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 at database level)
  • Password hashing with adaptive algorithms (bcrypt/argon2)
  • Role-based access control, least-privilege principle, MFA for staff
  • Row-Level Security at database level (Supabase RLS)
  • Admin access logs and periodic review
  • Encrypted backups with limited retention
  • Confidentiality agreements with staff and processors

10. Security Breach Notification

In the event of a security breach materially affecting data subjects' patrimonial or moral rights, we will notify the data subject by email without undue delay and, if applicable, INAI. The notice will include: nature of the incident, data compromised, corrective actions taken, and recommendations for the data subject (LFPDPPP art. 20).

11. Information About Developers and Brokers (Public Data)

Information about real estate developers is sourced exclusively from official public sources: PROFECO (complaints), INSEJUPY (Yucatán public property registry), SEDETUS / SEDUOPI (permits), Public Commerce Registry, and lawfully available media. Processing of public information for consumer-information purposes is protected under the constitutional principles of freedom of expression, freedom of the press, and the right to information (Mexican Constitution arts. 6 and 7).

Brokers and listed properties appear on the Platform only where a verified-claim broker voluntarily posts inventory. Listings are content provided by the broker; Shield My Field does not verify individual listings or title. Brokers are excluded from the Trust Score (see Terms section 7-ter).

Developers and brokers may exercise their right of reply through the verified profile claim portal (see Terms section 7) or request rectification of demonstrably incorrect data.

12. Cookies and Similar Technologies

12.1 Detailed inventory

Cookie             | Category            | Purpose                          | Duration
sb-*-auth-token    | Necessary           | Supabase Auth session            | 1 year (rotation)
NEXT_LOCALE        | Necessary           | Language preference (ES/EN)      | 1 year
smf-cookie-consent | Necessary           | Consent record                   | 1 year
_vercel_*          | Anonymous analytics | Vercel Analytics, anonymized IP  | Session / 30 days
__cf_bm            | Necessary           | Anti-bot protection (Cloudflare) | 30 minutes

12.2 Strictly necessary

Session and authentication cookies (Supabase Auth), language preference, and cookie consent. These cookies do not require consent as they are indispensable to provide the service.

12.3 Anonymous analytics

Vercel Analytics and/or similar tools with IP anonymization. They collect aggregate statistics without identifying the individual user.

12.4 How to control them

You can disable cookies via your browser settings. Disabling strictly necessary cookies may prevent using the platform. We do not use third-party advertising cookies.

13. Minors

The service is intended exclusively for users 18 years or older. We do not knowingly collect personal data from minors. If we discover an account belongs to a minor, we will cancel it. Parents or guardians suspecting improper registration may write to legal@shieldmyfield.com.

14. Changes to This Privacy Notice

Any modification will be posted here with an updated date. Substantial changes will be notified by email to active users at least 15 calendar days before they take effect, providing an opportunity to object or cancel the account.

15. Contact and Regulatory Authority

For any inquiry, complaint, or to exercise rights: legal@shieldmyfield.com. Mexico's competent data protection authority is INAI (home.inai.org.mx), Av. Insurgentes Sur 3211, Col. Insurgentes Cuicuilco, Coyoacán, CDMX.

16. Acceptance

By registering and/or using Shield My Field, you acknowledge having read, understood, and accepted the terms of this Privacy Notice and consent to the processing of your data for the purposes described herein.

For questions about this document, write to legal@shieldmyfield.com