GLOBAL PRIVACY POLICY – GIG APPS

1. DEFINITIONS

For the purposes of this Policy:

• "Company," "we," or "GIG Apps": AGUISAFI HUB S.A. de C.V., operator of GIG Alarm and GIG Task.

• "User": person who uses the applications or manages their account.

• "GIG Third Parties" or "GIG Recipients": individuals whose contact information is used to send reminders, tasks, or notifications at the User's instructions (e.g., team members).

• "Personal Data": information that identifies or can identify a natural person.

• "Processing": any operation on Personal Data (collection, use, storage, transfer, deletion).

• "Stores": Apple App Store and Google Play.

• "Services/Providers": tools and technology platforms that help us operate the Service (e.g., messaging, analytics, hosting).

2. SCOPE AND SERVICE MODEL (B2C / B2B)

This Policy applies to GIG Alarm and GIG Task. GIG Apps may be used by individual users (B2C) and/or organizations (B2B).

In both cases, the Company acts as the data processor regarding the data it processes to operate the GIG Apps. When a corporate client uploads or uses third-party data (e.g., employees), the client declares that they have the necessary legal basis and authorizations for this.

3. IDENTIFICATION OF THE RESPONSIBLE PARTY AND CONTACT

Responsible: AGUISAFI HUB S.A. de C.V. (Mexico).

Website: https://www.sendmeagig.com

Privacy contact: sendmeagig@gmail.com

4. PERSONAL DATA WE PROCESS

We process the following categories of data, depending on the use of the Service:

• 4.1 User Data: name, email, phone number, country/state/city, account data, preferences, and settings.

• 4.2 GIG Third Party Data (Recipients): names and contact information (e.g., phone number and/or email) that the User (i) manually enters, or (ii) selects from their device's contact directory when the User grants permission.

• 4.3 Technical and Device Data: IP address, device and/or app identifiers, operating system, app version, language, time zone, logs, performance metrics, usage events, and diagnostic data.

• 4.4 Subscription and Payments Data in Stores: transaction information and subscription status processed by Apple/Google and/or subscription management providers (if applicable). We do not receive complete card numbers when payments are made through Stores.

• 4.5 Direct Contracting Data (if applicable): if an organization directly purchases licenses from the Company (e.g., due to exceeding purchase thresholds in Stores), we may process corporate contact data (name, email, phone, company, country) and billing data necessary for operation and tax compliance.

5. HOW WE OBTAIN DATA

• From the User: when registering, setting up their account, using features, and/or communicating with support.

• From the User's device: only when the User grants permissions (e.g., access to contacts).

• From Stores (Apple/Google): purchase/subscription events and transaction status.

• From technical providers: technical logs, metrics, and events necessary to operate and protect the Service.

6. PURPOSES OF PROCESSING

We use the data for:

• 6.1 Providing the Service: creating and managing accounts, enabling the use of features, managing teams and permissions (including manual enablements on management platforms when applicable).

• 6.2 Sending notifications and reminders: push notifications (APNs/FCM) and/or communications related to the functions of the Service.

• 6.3 Operation and security: preventing fraud, abuse, unauthorized access, and maintaining the integrity of the Service.

• 6.4 Analytics and improvement: measuring usage, performance, errors, and product optimization.

• 6.5 Support: addressing requests and resolving incidents.

• 6.6 Legal and tax compliance: applicable obligations (including invoicing in case of direct contracting).

7. LEGAL BASES

Depending on the country and case, the legal bases may include:

• 7.1 Consent: when the User grants permissions (e.g., access to contacts) or chooses to receive certain communications.

• 7.2 Contract execution: to provide the Service according to Terms and Conditions accepted by the User.

• 7.3 Legitimate interest: for security, fraud prevention, analytics, and improvement of the Service, always weighing the rights of the data subjects.

• 7.4 Compliance with legal obligation: due to applicable regulatory/tax requirements.

8. PROVIDERS, RESPONSIBLE PARTIES, AND SUBPROCESSORS

To operate the Service, we use technology providers that may act as processors/subprocessors. We use industry-standard contracts/conditions and reasonable security measures. Providers may include, but are not limited to:

• Infrastructure/Hosting/Backend: Railway; Amazon Web Services (AWS); Google Cloud Platform (GCP); and/or equivalents.

• Messaging/communications: Twilio (e.g., verification or messages when applicable).

• Push notifications: Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM).

• Subscriptions/monetization: RevenueCat or other subscription management services (if applicable).

• Analytics/telemetry: PostHog; Firebase (Google LLC) or other equivalents; measurement through SDKs (e.g., Meta SDK, Google/Apple SDKs as per integration).

• Advertising/attribution (if applicable): Apple Ads (Search Ads), Google Ads, Meta Ads.

• Web/Domain: Namecheap, Framer, and/or equivalents.

• Operational tools: Payload (CMS/administration) or other equivalents.

Note: If providers are added or replaced in the future, this Policy may be updated in accordance with section 18.

9. INTERNATIONAL TRANSFERS (INCLUDING SCC)

Since we use global infrastructure, data may be stored or processed outside the User’s country. This includes, for example, when servers or providers are located in another country.

For residents of the European Economic Area (EEA)/United Kingdom/Switzerland, when there is an international transfer outside the EEA, the Company will use recognized safeguards, including Standard Contractual Clauses (SCC) or other equivalent mechanisms (e.g., adequacy decisions or other legally valid tools).

10. RETENTION AND DELETION

We retain data only for as long as necessary for the purposes described and legal obligations. As a general guideline:

• Account data: as long as the account exists and for a reasonable period thereafter to fulfill obligations or resolve disputes.

• GIG Third Party data: while the User maintains those contacts in their use of the Service or until they are deleted by the User or by valid request.

• Technical data/logs: for limited periods based on operational need and security; in some cases, in an aggregated/anonymized form for a longer time.

• Tax/billing data (if applicable): for the periods required by law.

11. SECURITY

We implement reasonable technical and organizational measures (e.g., access controls, encryption in transit where applicable, secure development practices, monitoring, and logging). No system is 100% infallible, but we work to minimize risks of unauthorized access, loss, or alteration.

12. SECURITY INCIDENTS AND NOTIFICATIONS (BREACH)

If a security incident affects personal data, we will manage it according to applicable law. When required (e.g., GDPR), we may notify authorities and/or data subjects within applicable time frames (including the 72-hour standard when relevant).

13. NO SALE OF DATA

The Company does not sell personal data. We do not trade user or contact lists. Any sharing with providers is for operating the Service, security, measurement, or compliance, as appropriate.

14. AUTOMATED DECISIONS AND PROFILING

The Company does not make automated decisions that produce legal or similarly significant effects on users, nor profiling with such effects (under Article 22 GDPR).

15. RIGHTS OF DATA SUBJECTS AND PROCEDURE

You can exercise rights according to applicable law (e.g., access, rectification, cancellation/deletion, opposition, limitation, and portability, according to jurisdiction).

Procedure:

1. Send your request to: sendmeagig@gmail.com, indicating (i) name, (ii) country of residence, (iii) right you wish to exercise, (iv) necessary data to locate your account, and (v) a way to respond to you.

2. We may request reasonable identity verification to protect your information.

3. We will respond within the applicable legal time frames. In the EU, the typical period is 30 days (extendable when appropriate).

16. MINORS

The Service is not directed at minors when law requires parental consent. If you believe a minor provided us with data without authorization, contact us to review it.

17. DPO AND REPRESENTATIVE IN THE EU

DPO: The Company may designate a Data Protection Officer (DPO) or equivalent figure when deemed necessary or when required by law, and will publish the corresponding contact details.

EU Representative (Art. 27 GDPR): When required by GDPR, the Company will designate a representative in the EU and publish their contact information.

18. CHANGES TO THIS POLICY

We may update this Policy due to legal, technical, or operational changes. We will publish the current version at https://www.sendmeagig.com and/or within the applications.

19. ANNEXES BY JURISDICTION (SPECIFIC PROVISIONS)

The following provisions complement the Policy based on the User’s location. In case of conflict, the applicable specific provision will prevail.

ANNEX A – SPAIN / EUROPEAN UNION (GDPR)

• A1. Control authority: Users can file a complaint with their local authority. In Spain: Spanish Agency for the Protection of Data (AEPD).

• A2. GDPR legal bases: consent (Art. 6.1.a), contract (Art. 6.1.b), legitimate interest (Art. 6.1.f), and legal obligation (Art. 6.1.c), as applicable.

• A3. Transfers: SCC or other valid safeguards (see section 9).

• A4. Deadlines: response to requests within 30 days (extendable under GDPR).

• A5. Art. 22: no automated decisions with significant legal effects (see section 14).

ANNEX B – UNITED STATES (CCPA/CPRA – CALIFORNIA)

• B1. Rights: right to know, delete, correct, and opt out of “selling” or “sharing” data (the Company does not sell personal data).

• B2. Non-discrimination: we do not discriminate against you for exercising privacy rights.

• B3. Preference signals: where applicable, we will respect reasonable privacy preference mechanisms according to the law.

ANNEX C – CANADA (PIPEDA)

• C1. Principles: accountability, purpose identification, consent, limitation of collection/use, safeguards, transparency, and access.

• C2. Access and correction: you can request access/correction according to section 15.

ANNEX D – INDIA (DPDP ACT 2023)

• D1. Rights: access to information, correction, deletion, and complaint mechanism according to applicable law.

• D2. Consent: where required, we will obtain valid consent and maintain appropriate notices.

• D3. Complaints: you can contact us at sendmeagig@gmail.com for privacy-related inquiries or complaints.