Privacy Policy

Last updated: April 15, 2026
Effective date: April 15, 2026

This Privacy Policy explains how Rodrigo de la Torre González (individual sole proprietor) ("we", "us", "the Company" or "Xtarly"), with registered address at Av. Vallarta 4327, Camino Real, 45040, Zapopan, Jalisco, Mexico, collects, uses, stores and protects the personal information of users ("you") of the Xtarly Rewards mobile application and the white-label applications powered by the Xtarly platform (including Caffenio Rewards), as well as of the website https://www.xtarly.com (together, the "Services").

By downloading, installing or using the Services you agree to the practices described in this Policy.


1. Data controller

  • Controller: Rodrigo de la Torre González (individual sole proprietor)
  • Address: Av. Vallarta 4327, Camino Real, 45040, Zapopan, Jalisco, Mexico
  • Contact / Privacy Officer: atencion@xtarly.com
  • Support: atencion@xtarly.com

If your account belongs to a loyalty program operated by a third party (for example, Caffenio Rewards), that third party acts as joint controller with respect to the data you share with its program. The program operator is identified inside the app.


2. Personal data we collect

We only collect information needed to operate the loyalty program:

2.1 Data you provide

  • Account data: full name, email address, password (stored hashed), phone number (optional), preferred language and country.
  • Profile picture / avatar: optional image you may upload from your gallery or camera.
  • Referral code: code you may enter or share.

2.2 Data generated by your use of the Service

  • Loyalty program data: points balance, stamps, tier, transaction history, reward redemptions, redeemed coupons.
  • Push notifications: Expo/FCM/APNs device token, platform (iOS/Android) and read/unread status of notifications.
  • Technical data: anonymous session identifier, app version, OS, device model, IP address and access timestamps.

2.3 Data we do not collect

  • We do not access your GPS location.
  • We do not access your contacts.
  • We do not access the microphone.
  • We do not collect payment data (the app does not process end-customer payments).
  • We do not use third-party advertising SDKs.
  • We do not embed third-party behavioral analytics (Google Analytics, Facebook SDK, etc.) in the mobile app.

3. Device permissions

| Permission | Purpose | Mandatory |
|---|---|---|
| Notifications | Send alerts for points earned, rewards, coupons and tier changes | No |
| Camera | Take a picture for your avatar | No |
| Photos / Gallery | Pick an image for your avatar | No |
| Internet | Connect to our servers | Yes |

You can revoke any permission at any time from your device settings.


4. Purposes of processing

Primary purposes (required to provide the Service)

  1. Create and manage your account.
  2. Authenticate you via email and password (JWT / refresh token stored securely via expo-secure-store).
  3. Credit points, stamps and tier; record transactions and redemptions.
  4. Display the menu, branches, banners and content of the program you belong to.
  5. Send you transactional notifications (points earned, available rewards, new coupons, tier changes, program messages).
  6. Prevent fraud, abuse and misuse.
  7. Comply with legal obligations.

Secondary purposes (you may opt out without affecting the Service)

  • Promotional communications from the loyalty program you are enrolled in.
  • Satisfaction surveys.

You may opt out of secondary purposes by emailing atencion@xtarly.com or from the app's notification settings.


5. Legal basis (GDPR / EU users)

  • Performance of a contract: to operate your account and the loyalty program.
  • Consent: for push notifications and promotional communications (revocable at any time).
  • Legitimate interest: for security, fraud prevention and Service improvement.
  • Legal obligation: to comply with tax and regulatory requirements.

6. Who we share your data with

We do not sell your personal data. We share it only with:

  • The loyalty program operator you enrolled with (e.g., Caffenio), solely to operate its program.
  • Infrastructure providers (data processors):
    • Vercel Inc. — backend and website hosting.
    • Expo / Google Firebase Cloud Messaging / Apple Push Notification service — push notification delivery.
    • Supabase (managed PostgreSQL) — database storage.
    • Supabase Storage — avatar storage.
    • Resend — verification and password-reset emails.
  • Competent authorities when legally required.

All providers are bound by data-processing agreements under applicable law.


7. International transfers

Some providers process data outside your country of residence (primarily the United States and the European Union). In those cases we apply appropriate safeguards (Standard Contractual Clauses, equivalent certifications or informed consent) to ensure an adequate level of protection.


8. Data retention

We keep your data for as long as your account is active and for any additional period required to meet legal and tax obligations (up to 10 years in Mexico under tax rules; 5 years in the EU unless a longer obligation applies). Session tokens are deleted on logout or expiry. Notification tokens are deleted when the app is uninstalled or the device is deregistered.


9. Security

We apply reasonable technical and organizational measures:

  • TLS/HTTPS for all communications.
  • Passwords hashed with modern algorithms (bcrypt/argon2).
  • Tokens stored encrypted via expo-secure-store (iOS Keychain, Android Keystore).
  • Principle of least privilege for staff access.
  • Periodic audits and backups.

No system is 100% invulnerable; please use a strong password and do not share it.


10. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Delete your account and data (right to be forgotten).
  • Object to or restrict certain processing.
  • Portability of your data in a structured format.
  • Withdraw consent at any time.
  • Lodge a complaint with the competent authority (INAI in Mexico, your supervisory authority in the EU).

To exercise any of these rights, or to request account deletion, email atencion@xtarly.com from the address associated with your account. We will respond within 20 business days. You can also delete your account from Settings → Account → Delete account inside the app.

Public account-deletion page: https://www.xtarly.com/legal/delete-account


11. Children

The Services are intended for users 13 years of age or older (or the equivalent minimum age in your jurisdiction, e.g., 16 in the EU). We do not knowingly collect data from children without verifiable parental consent. If you believe a minor has provided us with data, contact atencion@xtarly.com and we will delete it.


12. Cookies and similar technologies (website)

The xtarly.com website uses the following cookies:

| Type | Name / Provider | Purpose | Duration |
|---|---|---|---|
| Strictly necessary | session_token (Better Auth) | User session authentication | Until sign-out |
| Strictly necessary | consent | Store your cookie preference | 30 days |
| Strictly necessary | NEXT_LOCALE | Preferred language | 1 year |
| Analytics (optional) | Google Analytics 4 (_ga, _ga_*) — ID: G-RDFRE8DCWG | Aggregate site usage measurement | Up to 2 years |
| Advertising (optional) | Google Ads — ID: AW-18156222591 | Ad conversion measurement | Up to 90 days |
| Tag management (optional) | Google Tag Manager — ID: GTM-KSX6VMVF | Load analytics and advertising scripts | Session |

Cookies marked as optional are only loaded if you give consent via the banner on your first visit. You can withdraw consent at any time by deleting the consent cookie from your browser settings or clearing cookie storage — the banner will reappear on your next visit.

For more on Google's data practices: policies.google.com/privacy.

The mobile app does not use third-party cookies.


13. Changes to this Policy

We may update this Policy. We will publish the new version at this same URL and, if changes are material, notify you by email or in-app at least 15 days in advance.


14. Contact

Rodrigo de la Torre González (individual sole proprietor)
Av. Vallarta 4327, Camino Real, 45040, Zapopan, Jalisco, Mexico
📧 atencion@xtarly.com
🌐 https://www.xtarly.com