MERKURIO

Mobile Point of Sale

COMPREHENSIVE PRIVACY POLICY

In accordance with the Federal Law on Protection of Personal Data in Possession of Private Parties (LFPDPPP)

Last updated: April 2026

Version 1.0

1. Identity and Address of the Data Controller

In compliance with the Federal Law on Protection of Personal Data in Possession of Private Parties (LFPDPPP) and its Regulations, we inform you that the data controller for your personal data is:

• Business Name: Merkurio
• Legal Representative: Diego Francisco Macias Rodriguez
• Nature: Individual - Simplified Trust Regime (RESICO)
• Website: https://mercuriomx.com
• Email: contacto@mercuriomx.com
• Country of operation: Mexico

2. Personal Data Collected

2.1 Account Holder Data (Business Owner)

When creating your account in Merkurio, we collect the following personal data:

• Full name (displayName)
• Email address
• Password (stored encrypted; only available in offline mode under user control)
• Type of subscription contracted

2.2 Employee and System User Data

Business owners can register employees with the following data:

• Full name
• Email address
• Role and permissions assigned within the application
• Profile picture (optional)
• Assigned store or branch

2.3 Final Customer Data of the Business

Merkurio users can register data from their own customers for credit sales management and tracking:

• First and last name
• Phone number
• Email address
• Address
• Additional information (business notes)
• Debt history and payments
• Credit limit assigned by the business

2.4 Supplier Data

Users can register information from their commercial suppliers:

• Supplier or company name
• Address
• Contact email
• Phone number
• Contact person
• Additional information

2.5 Business Operation Data

For POS system operation, operational data is stored:

• Store/branch information: name, location, address
• Product inventory: name, price, stock, barcode
• Sales history: amount, payment method, products, responsible employee
• Work shifts: cash register opening and closing hours
• Registered business expenses
• Returns and credit payments

2.6 Technical Data Automatically Collected

Through Firebase (Google LLC) and analytics services, the following data is automatically collected:

• Unique device identifiers
• Operating system and application version
• Usage and navigation data within the app (anonymized events)
• Session and authentication information
• Error reports and technical failures

3. Purposes of Data Processing

3.1 Primary Purposes (Necessary for the service)

• Create and manage your user account on the Merkurio platform
• Authenticate access of owners and employees to the system
• Process and register sales transactions (point of sale)
• Manage inventories, products and business categories
• Administer business customer and supplier information
• Control work shifts and financial reports
• Manage credit sales, payments and returns
• Manage service subscription and payments through Google Play and App Store
• Ensure data synchronization between devices via Firebase/Firestore
• Provide technical support and customer service

3.2 Secondary Purposes (Optional)

The following purposes are NOT necessary for the service, but allow us to improve the platform. You may object to this processing:

• Statistical analysis anonymized to improve user experience
• Sending communications about updates, new features and product improvements
• Research and development of new functionalities

To object to secondary purposes, write to: contacto@mercuriomx.com indicating ‘Objection to secondary purposes’.

4. Data Transfer to Third Parties

Merkurio uses the following third-party services that may receive or have access to personal data, according to their own privacy policies:

Firebase / Google LLC:

• User authentication (Firebase Authentication)
• Cloud storage (Cloud Firestore)
• Usage analytics (Firebase Analytics / Google Analytics)
• Privacy policy: https://policies.google.com/privacy

Apple Inc. (App Store) and Google LLC (Google Play):

• Subscription payment processing
• Mobile app distribution
• Payment information is managed exclusively by Apple or Google; Merkurio does not store banking card data

Except as above, Merkurio does not sell, assign, or transfer your personal data to third parties without your consent, unless required by law or competent authority.

5. ARCO Rights and How to Exercise Them

As a data subject, you have the right to:

• Access: Know what personal data we have about you, what we use it for and the processing conditions
• Rectification: Request correction of inaccurate or incomplete data
• Cancellation: Request deletion of your data when you consider they are not necessary for the service or are no longer relevant
• Opposition: Oppose the processing of your data for specific purposes

To exercise your ARCO rights, send us an email to:

contacto@mercuriomx.com

Indicating in the subject: ‘ARCO Rights - Merkurio’ and attaching:

• Full name and email of the registered account
• Clear description of the right you wish to exercise
• Copy of valid official identification

We will respond within a maximum period of 20 business days in accordance with the LFPDPPP.

6. Consent

By downloading, installing and using the Merkurio application, you give your express consent for the processing of your personal data as described in this Privacy Policy.

Regarding sensitive data or data from customers and suppliers that you yourself enter into the system, you are responsible for obtaining the consent of such subjects for their registration and processing on the platform.

7. Security Measures

Merkurio implements the following technical and administrative measures to protect your personal data:

• Data encryption in transit via HTTPS/TLS
• Secure authentication managed by Firebase Authentication
• Encrypted storage in Google Cloud Firestore with granular access rules
• Role-based access control within the application
• Offline mode with data stored locally on the user’s device
• Error and failure monitoring to detect security incidents

8. Use of Tracking Technologies

The Merkurio mobile application uses Firebase SDK (Google LLC) for the following functions:

• Usage event logging (anonymized behavior analytics)
• Technical failure reporting (Crashlytics)
• Push notifications (Firebase Cloud Messaging, if applicable)

These technologies collect device identifiers and session data according to Google’s privacy policy.

9. Modifications to the Privacy Policy

Merkurio reserves the right to modify this Privacy Policy at any time. Any changes will be notified through:

• Update of the version published at https://mercuriomx.com/privacy-policy
• Notification within the mobile application
• Email to the data subject, when possible

We recommend reviewing this document periodically. The date of last update appears at the beginning of this notice.

10. Contact and Competent Authority

For any questions, requests or exercise of rights related to your personal data:

• Email: contacto@mercuriomx.com
• Website: https://mercuriomx.com

If you believe your right to data protection has been violated, you can file a complaint with the National Institute for Transparency, Access to Information and Personal Data Protection (INAI):

• INAI website: https://www.inai.org.mx

Merkurio - mercuriomx.com

contacto@mercuriomx.com