Privacy Policy

Effective Date: January 1, 2026 · Last Updated: January 1, 2026

Puentes Yucatán ("Platform", "we", "us", or "our"), operated by Lisa Fitzpatrick, also known as "The Internet Lady" ("Operator"), is committed to protecting the privacy and personal data of all users. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you access or use the Platform at puentesyucatan.com.

This Privacy Policy complies with the following data protection regulations:

  • General Data Protection Regulation (GDPR) — European Union
  • UK General Data Protection Regulation (UK GDPR) — United Kingdom
  • Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) — United States
  • Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) — Mexico

1. Data Controller

The data controller responsible for processing your personal data is:

Puentes Yucatán
Operated by Lisa Fitzpatrick, "The Internet Lady"
Email: privacy@puentesyucatan.com
Website: puentesyucatan.com

For EU/UK users: If you have concerns about our data processing, you may also contact your local data protection authority.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Registration: Name (or display name), email address, password (stored in hashed form), and optional profile information such as neighborhood, languages spoken, and bio.
  • Profile Information: Profile photo, location, skills, and other information you choose to share on your profile.
  • User-Generated Content: Forum posts, comments, business reviews, business listings, event submissions, nonprofit submissions, volunteer logs, and direct messages.
  • Payment Information: When you purchase a membership, payment details are collected and processed by our third-party payment processor, Stripe. We do not store your full credit card number or CVV on our servers. We receive and store your name, email, subscription status, and transaction history from Stripe.
  • Communications: Emails, support requests, or other communications you send to us.

2.2 Information Collected Automatically

  • Log Data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of access, and time spent on pages.
  • Cookies and Similar Technologies: Session cookies necessary for authentication and site functionality. See Section 7 (Cookie Policy) for details.
  • Device Information: Device type, screen resolution, and unique device identifiers.

2.3 Information from Third-Party Services

  • Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive your Google password.
  • Stripe: Transaction status, subscription status, and payment confirmations.

3. Legal Basis for Processing (GDPR/UK GDPR)

We process your personal data under the following legal bases:

  • Contract Performance (Article 6(1)(b)): Processing necessary to provide you with the Platform services, manage your account, and fulfill membership purchases.
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including improving the Platform, preventing fraud, ensuring security, and communicating service updates. Our legitimate interests do not override your fundamental rights and freedoms.
  • Consent (Article 6(1)(a)): Where we rely on your consent (e.g., for optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws and regulations.

4. How We Use Your Information

We use the personal data we collect for the following purposes:

  • To create and manage your account and authenticate your identity.
  • To provide, maintain, and improve the Platform and its features.
  • To process membership payments and manage subscriptions.
  • To display your user-generated content (posts, reviews, listings) on the Platform.
  • To send you service-related communications (account confirmations, security alerts, membership updates).
  • To moderate content and enforce our Terms of Service and Community Standards.
  • To respond to your inquiries and support requests.
  • To detect, prevent, and address fraud, security issues, and technical problems.
  • To comply with legal obligations and respond to lawful requests from authorities.
  • To generate aggregated, anonymized analytics to understand how the Platform is used and to improve our services.

5. How We Share Your Information

We do not sell your personal data. We may share your information in the following circumstances:

  • Service Providers: We share data with trusted third-party service providers who assist in operating the Platform, including Stripe (payment processing), Google (authentication), and hosting providers. These providers are contractually obligated to protect your data and process it only as instructed by us.
  • Public Content: Content you post publicly on the Platform (forum posts, reviews, business listings, profile information you choose to make public) is visible to other users and may be indexed by search engines.
  • Legal Requirements: We may disclose your information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity.
  • With Your Consent: We may share your information for other purposes if you provide explicit consent.

6. International Data Transfers

The Platform is operated from infrastructure that may be located in the United States and other countries. If you access the Platform from the European Economic Area (EEA), United Kingdom, Canada, or other jurisdictions with data protection laws, your personal data may be transferred to and processed in countries that may not provide the same level of data protection as your home jurisdiction.

Where required, we ensure appropriate safeguards are in place for international data transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • The UK International Data Transfer Agreement or Addendum.
  • Adequacy decisions where applicable.
  • Other appropriate safeguards as required by applicable law.

7. Cookie Policy

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for user authentication, session management, and core Platform functionality. These cookies cannot be disabled without affecting the Platform's operation.
  • Functional Cookies: Used to remember your preferences and settings (such as language preferences).

We do not currently use advertising or tracking cookies. If this changes in the future, we will update this policy and seek your consent where required by law.

You can manage cookies through your browser settings. Please note that disabling essential cookies may prevent you from using certain features of the Platform.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with services. Specifically:

  • Account Data: Retained for the duration of your account and for up to 30 days after account deletion to allow for recovery.
  • User-Generated Content: Retained for the duration of your account. Content may be deleted upon account termination, chargeback, or refund as described in our Terms of Service.
  • Payment Records: Retained for a minimum of 7 years as required by applicable tax and financial regulations.
  • Log Data: Retained for up to 12 months for security and analytics purposes.
  • Communications: Retained for up to 3 years for legal and support purposes.

When personal data is no longer needed, we securely delete or anonymize it.

9. Your Rights

9.1 Rights Under GDPR/UK GDPR (EU and UK Users)

If you are located in the European Economic Area or United Kingdom, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
  • Right to Restriction of Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Data Portability: Request a copy of your data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests, including profiling.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time.
  • Right to Lodge a Complaint: File a complaint with your local data protection authority.

9.2 Rights Under CCPA/CPRA (California Users)

If you are a California resident, you have the following rights:

  • Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom it is shared.
  • Right to Delete: Request deletion of your personal information, subject to legal exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale: We do not sell personal information. If this changes, we will provide an opt-out mechanism.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

9.3 Rights Under PIPEDA (Canadian Users)

If you are a Canadian resident, you have the right to:

  • Access the personal information we hold about you.
  • Challenge the accuracy and completeness of your personal information and have it amended as appropriate.
  • Withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
  • File a complaint with the Office of the Privacy Commissioner of Canada.

9.4 Rights Under LFPDPPP (Mexican Users)

If you are located in Mexico, you have ARCO rights:

  • Access: Access the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Cancellation: Request deletion of your personal data when it is no longer necessary.
  • Opposition: Object to the processing of your personal data for specific purposes.

9.5 Exercising Your Rights

To exercise any of your data protection rights, contact us at:

Email: privacy@puentesyucatan.com

We will respond to your request within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests unless the request is manifestly unfounded or excessive.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL.
  • Secure password hashing (bcrypt).
  • Access controls limiting who can access personal data within our organization.
  • Regular security reviews and updates.
  • PCI-DSS compliant payment processing through Stripe.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@puentesyucatan.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

  • We will post the updated policy on this page with a revised "Last Updated" date.
  • We will notify registered users by email or through a prominent notice on the Platform at least 30 days before the changes take effect.
  • Where required by law (including GDPR), we will obtain your consent for material changes to data processing.

Your continued use of the Platform after the effective date of the revised Privacy Policy constitutes acceptance of the changes.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Puentes Yucatán
Operated by Lisa Fitzpatrick, "The Internet Lady"
Email: privacy@puentesyucatan.com
Website: puentesyucatan.com

For EU/UK data protection inquiries, you may also contact your local supervisory authority.

Puentes Yucatán Privacy Policy · Effective January 1, 2026
puentesyucatan.com · privacy@puentesyucatan.com