Privacy Policy
Last updated: March 2026 β Privacy notice (Mexico LFPDPPP framework)
In GoCancun we are committed to protecting the privacy of our users. This Privacy Notice describes how we collect, use, and protect personal data, in compliance with the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations.
1. Data We Collect
We collect personal data from two types of users: Agencies (platform users) and Tourists (end customers of the Agencies).
1.1 Agency Data
| Data | Purpose |
|---|---|
| Name and business name | Identification and billing |
| Communication, access to the account | |
| Phone | WhatsApp Business settings |
| Tax information | Billing and legal compliance |
| Banking data (via Stripe) | Receipt of sales payments |
1.2 Tourist Data
| Data | Purpose |
|---|---|
| Name | Identification in the reservation |
| Sending confirmations and receipts | |
| Phone (WhatsApp) | Main communication channel |
| Hotel/accommodation | Pickup logistics for tours |
| Nationality | Application of fees (national/foreign) |
| Travel preferences | Personalized recommendations from the AI Agent |
| WhatsApp conversations | Service quality, reservation tracking |
| Payment data | Processed directly by Stripe (not stored by GoCancun) |
1.3 Technical data
We automatically collect: IP address, browser type, device, pages visited, and timestamps. This data is used exclusively for the operation and security of the Platform.
2. How We Use Them
Personal data is used for the following purposes:
Primary purposes (necessary)
- Provide the Platform service to Agencies.
- Process reservations and payments for tours.
- Operate the AI Agent for Tourist assistance via WhatsApp.
- Send confirmations, reminders, and reservation updates.
- Comply with legal and tax obligations.
Secondary purposes (optional)
- Send marketing communications about new features.
- Generate statistics and aggregated analysis to improve the service.
- Track inactive conversations (automated remarketing).
If you do not wish for your data to be used for secondary purposes, you can communicate this to the email indicated in the Contact section.
3. Legal Basis
Data processing is based on:
- Consent: When registering on the Platform or starting a conversation via WhatsApp with an Agency.
- Contractual relationship: To fulfill the provision of the contracted service.
- Legitimate interest: For the security of the Platform, fraud prevention, and service improvement.
- Legal obligation: To comply with tax and regulatory requirements in Mexico.
4. Sharing with Third Parties
GoCancun shares personal data with the following third parties, exclusively for the provision of the service:
| Third party | Purpose | Shared data |
|---|---|---|
| OpenAI (USA) | Natural language processing for the AI Agent | Text of conversations (without payment data) β under EU SCCs 2021/914 |
| Anthropic (USA) | Alternative Claude LLM models | Text of conversations (without payment data) β under SCCs |
| Stripe (USA + EU) | Secure payment processing (PCI DSS Level 1) | Tourist payment data (processed directly by Stripe, we do not store PAN/CVV) |
| Meta Platforms (USA + EU) | WhatsApp Cloud API (official messaging channel) | Messages, phone number, WhatsApp name of the user |
| Evolution API | Alternative connection with WhatsApp Business (Baileys/QR) | Messages and phone number |
| SMTP provider (Gmail/Resend/SendGrid) | Sending transactional emails | Email, name, email content |
| Sentry (USA, optional) | Error tracking and failure diagnosis | Stack traces, logs (without PII by explicit configuration) |
| Tawk.to / Crisp (optional, marketing) | Web support chat | Email, name β only if the user consented to marketing cookies |
5.1 International transfers
Some subprocessors (OpenAI, Anthropic, Stripe, Meta, Sentry) have servers in the United States. Transfers are made under the following legal mechanisms:
- Standard Contractual Clauses (SCC, EU Implementing Decision 2021/914) signed with each sub-processor.
- Adequacy decision of the European Commission when applicable (EU-US Data Privacy Framework for certified companies).
- In Mexico, according to the LFPDPPP Art. 36-37: notification to the holder and implicit consent upon accepting this notice.
5.2 DPA (Data Processing Agreement)
Agencies on the Business or Enterprise plan can request a signed DPA with GoCancun by writing to dpo@gocancun.ai.
We do not sell, rent, or share personal data with third parties for marketing purposes.
5. AI and Automated Processing
GoCancun uses artificial intelligence to automate tourist assistance. It is important for you to know:
- What AI processes: The content of WhatsApp conversations, the Agency's tour catalog, and the data provided by the Tourist during the conversation (name, hotel, dates, preferences).
- Automated decisions: The AI Agent can recommend tours, calculate budgets, and generate payment links. These actions are supervised by business rules configured by the Agency.
- Human intervention: The Tourist can request to speak with a human agent at any time. The Agency can review and modify the interactions of the AI Agent.
- Context retention: The conversation history is maintained to provide continuity in service. The Tourist can request the deletion of their history.
6. Storage and Security
We implement administrative, technical, and physical security measures to protect personal data:
- PostgreSQL database with restricted access and authentication.
- Encrypted communications via HTTPS/TLS.
- Payments processed exclusively by Stripe (PCI DSS certification).
- Access to data limited to authorized personnel with defined roles and permissions.
- Continuous monitoring of suspicious activities.
Data retention
- Agency data: While the account is active, plus 30 days after cancellation.
- Tourist data: While there is an active reservation, plus the period required by tax obligations (up to 5 years).
- WhatsApp conversations: 12 months from the last interaction, unless the Agency configures a different period.
7. ARCO Rights
According to the LFPDPPP, you have the right to:
- Access: Know what personal data we have about you and how we use it.
- Rectification: Request the correction of inaccurate or incomplete data.
- Cancellation: Request the deletion of your data when you consider that they are no longer necessary for the purpose for which they were collected.
- Opposition: Oppose the processing of your data for specific purposes.
How to exercise your rights
Send your request to privacidad@gocancun.com including:
- Full name and means to receive the response.
- Clear description of the right you wish to exercise.
- Documents that prove your identity (copy of official identification).
We will respond within a maximum of 20 business days from the receipt of your request. If the request is deemed appropriate, it will be effective within the following 15 business days.
8. Cookies
GoCancun uses cookies for:
- Essential cookies: Maintain user session, CSRF tokens, and account preferences. Necessary for the operation of the Platform.
- Analytical cookies: Measure the use of the Platform and improve the experience (aggregated and anonymous data).
We do not use advertising or third-party tracking cookies. You can configure your browser to reject cookies, although this may affect the functionality of the Platform.
9. Minors
GoCancun is not directed at minors under 18 years old. We do not intentionally collect personal data from minors. If an Agency collects data from minors as part of a tour reservation (for example, minors traveling with their parents), the Agency is responsible for obtaining the consent of the parent or guardian.
10. International Transfers
Some of the third-party services we use may store or process data outside of Mexico:
- OpenAI: Servers in the United States (text processing for the AI Agent).
- Stripe: Global infrastructure (payment processing).
These transfers are made in accordance with the provisions of the LFPDPPP, ensuring that the receiving third parties comply with equivalent data protection standards. By using the service, you consent to these international transfers.
11. Changes to this Policy
GoCancun reserves the right to modify this Privacy Notice at any time. Changes will be published on this page and, if significant, will be notified by email at least 15 days in advance.
We recommend reviewing this page periodically to stay informed about how we protect your data.
12. DPO Contact
For any inquiries related to the protection of personal data or to exercise your ARCO rights, you can contact us:
- Data Protection Officer: GoCancun
- Privacy email: privacidad@gocancun.com
- General email: hola@gocancun.com
- Location: CancΓΊn, Quintana Roo, Mexico
If you believe your right to data protection has been violated, you can go to the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI): www.inai.org.mx.