Privacy Policy
This Privacy Policy explains how Sayulita Guide ("the app", "we", "us") collects, uses, retains, and protects your information. We built this app with a strong privacy posture: no third-party tracking, no data sales, no cross-app advertising, no fingerprinting.
1. Who We Are
Sayulita Guide is operated by Get X Media Inc., a Canadian corporation registered in Alberta, Canada.
- Operator: Get X Media Inc.
- Mailing address: 4441 76 Ave SE, Suite 214, Calgary, AB T2C 2G8, Canada
- Privacy contact / Data Protection Officer: [email protected]
- Jurisdictions we comply with: PIPEDA (Canada), LFPDPPP (Mexico — our primary user base), GDPR (EU tourists), CCPA (California users)
2. What We Collect
2.1 Information you provide
- Email address — when you create an account or sign in with Apple/Google.
- Name — from sign-in provider or your profile edit.
- Phone number (optional) — only if you choose to add it, used for business-listing-owner contact flows.
- Profile photo (optional) — uploaded by you, hosted on our private CDN.
- User-generated content — community posts, reviews, comments, mentions, listing claims, and any photos you upload as part of these features.
- Support communications — emails or in-app reports you send us.
2.2 Information collected automatically
- Device identifiers — only for crash and performance diagnostics (Sentry). Not used for advertising.
- Coarse location — only when you grant the "While Using" permission for features that benefit from it (e.g. "near me" filter on the map). Used during the session, not stored persistently against your account unless you explicitly attach it to a community post.
- Precise location — only when you explicitly tap "share location" on a community post or save your home base to a trip.
- Crash and performance diagnostics — non-personal, anonymized telemetry sent to Sentry to help us fix bugs.
- Product analytics — aggregate usage events (which screens are viewed, which features are tapped) sent to PostHog. No personal content of posts, photos, or messages is sent.
3. What We Do NOT Do
- We do not track you across other apps or websites. (`NSPrivacyTracking: false` in our iOS privacy manifest.)
- We do not sell your data to anyone, ever.
- We do not use third-party advertising networks. No Google AdMob, Meta Audience Network, Unity Ads, or any similar service. Featured business listings inside the app are first-party paid placements only.
- We do not use the IDFA (iOS Advertising Identifier).
- We do not fingerprint your device.
- We do not request access to your photos, contacts, or calendar without your explicit per-feature action.
4. How We Use Your Information
- App functionality — sign-in, account management, showing you content, letting you post and save favorites.
- Transactional communication — verification emails, password resets, listing-claim approvals, account-deletion confirmations. These are necessary to operate the service.
- Marketing communications — we may use your name and email to send periodic updates about new features, events happening in Sayulita, and listings that match your interests. We may also send push notifications from paying business partners (clearly labeled as such). You can unsubscribe at any time via the link in every marketing email or by adjusting your in-app notification preferences; transactional emails (required for the service) are sent regardless.
- In-app advertising — paying business partners can purchase a Verified Business badge and prominent placement of their listing in browse + map views. These are first-party placements — we do not use third-party ad networks, we do not track you across other apps or sites for advertising, and the placements are the same for every user (not personalized).
- Bug fixing and performance — Sentry diagnostics (anonymized).
- Product improvement — aggregate PostHog event analytics, used in aggregate to decide what features to build next.
- Trust and Safety — moderation of reported content (Sightengine for image moderation), enforcing our Terms of Service.
5. How Long We Keep It
- Account data — until you delete your account (Settings → Privacy & Data → Delete My Account inside the app). Deletion triggers a request-and-review flow; once approved, your personal data is removed and Apple Sign In refresh tokens are revoked.
- Content you posted — kept after account deletion but with your name and avatar removed (anonymized contribution to the community feed). You may request hard-deletion of specific posts before closing the account.
- Diagnostics (Sentry) — 90-day rolling retention.
- Operational logs (Better Stack) — 3 to 30 day retention depending on tier; no personal content.
- Backups — encrypted, 30 day retention.
6. Your Rights
You have the right to access, correct, delete, and withdraw consent for our processing of your data:
- Access: request a copy of your data — email [email protected].
- Correct: edit your name, email, phone, password, and profile photo in-app under Settings.
- Delete: in-app under Settings → Privacy & Data → Delete My Account. Processed within 30 days of request approval.
- Withdraw consent: delete your account.
- Lodge a complaint with your data protection authority:
  - Canada — Office of the Privacy Commissioner (priv.gc.ca)
  - Mexico — INAI (home.inai.org.mx)
  - EU — your member-state Data Protection Authority
  - California — Office of the Attorney General (oag.ca.gov)
7. Service Providers We Use
We use the following third-party services strictly to deliver the app. Each has its own privacy policy; we have data processing addenda in place where applicable.
- Cloudflare — DNS, CDN, WAF; edge servers globally.
- Hetzner Online GmbH — origin server hosting (Germany, EU jurisdiction).
- Sentry — crash reporting and performance monitoring (US; we have requested Zero Data Retention).
- Better Stack (Logtail) — operational log storage (EU, Germany).
- PostHog — first-party product analytics (US).
- SendGrid — transactional email delivery (US).
- Mapbox — map tile delivery (US).
- Sightengine — content moderation for user-uploaded photos (France).
- Apple & Google — sign-in providers; we never receive your password.
- Anthropic (Claude) — used for content translations when our team requests them (US; ZDR requested for our org).
8. Children's Privacy
Sayulita Guide is rated 13+ and is not directed at children under 13. If a parent or guardian believes their child has registered an account, contact us at [email protected] and we will delete the account within 7 days.
9. International Data Transfers
We are a Canadian corporation. Some of our service providers (listed in §7) operate in the US, EU, and other jurisdictions. Cross-border transfers are made under appropriate safeguards (Standard Contractual Clauses for EU transfers, adequacy decisions where applicable).
10. Security
We use industry-standard safeguards: TLS in transit, encrypted-at-rest databases and backups, hashed credentials (Argon2), iOS Keychain and Android Keystore for client-side session token storage, scoped API tokens, rate limiting, and Cloudflare WAF. We commit to acting on reported security issues within 24 hours.
11. Changes to this Policy
We will notify you by email at least 30 days before any material change to this Privacy Policy. Non-material changes (typos, clarifications, additional service providers covered by existing categories) will be reflected by updating the "Last Updated" date below.
12. Contact
Privacy questions, data access requests, or complaints: [email protected]