
Personal Data Protection

Privacy Notice

In accordance with the Mexican Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations.

Version 1.1 — Effective date: April 27, 2026

1. Identity and address of the controller

Moolaro SaaS, S. de R.L. de C.V. (hereinafter “Moolaro” or the “Controller”), with offices at Av. Insurgentes Sur 1234, Floor 5, Colonia Del Valle, Benito Juárez, Mexico City, 03100, Mexico, is responsible for the processing of your personal data.

Privacy contact: privacidad@moolaro.com

2. Personal data collected

Moolaro, acting as a data processor on behalf of the dental practices that use the platform, may collect the following categories of personal data from patients:

  • Identification: full name, date of birth, sex, CURP, RFC.
  • Contact: email address, phone number(s), home address.
  • Health data (sensitive): dental medical history, diagnoses, treatments performed, x-rays and clinical imaging, allergies, relevant systemic conditions, and medications.
  • Financial: billing information, tax ID (RFC), insurance details.
  • Emergency contact: name and phone number of a relative or guardian.

Health data is considered sensitive personal data under Article 3, section VI of the LFPDPPP, so its processing requires the express consent of the data subject.

3. Purposes of processing

Personal data will be used for the following primary purposes, which are necessary for providing the service:

  • Dental medical care and clinical-record management (NOM-004-SSA3-2012). GDPR Art. 9(2)(h) — provision of health care
  • Appointment management, treatments, and clinical follow-up. GDPR Art. 9(2)(h) — provision of health care
  • Issuance of electronic invoices and collections management. GDPR Art. 6(1)(b) / LFPDPPP Art. 7 — contract
  • Compliance with legal and tax obligations.

The following secondary purposes are not essential to the service; the data subject may refuse their processing:

  • Sending appointment reminders and preventive-health communications. GDPR Art. 6(1)(a) — consent
  • Satisfaction surveys and service improvement.
  • Statistical analysis and anonymized dental research. GDPR Art. 9(2)(j) — public interest

4. Data transfers

Moolaro does not transfer personal data to third parties without the consent of the data subject, except in the cases permitted by law:

  • When required by a competent authority through a judicial or administrative order.
  • When necessary for the defense of rights before courts of law.
  • When indispensable for the urgent medical care of the data subject.

Technology-infrastructure sub-processors (cloud computing) are subject to confidentiality and data-processing agreements that guarantee protection levels equivalent to those required by the LFPDPPP.

Infrastructure sub-processors with potential access to data are:

  • Amazon Web Services (AWS) — Cloud storage (region us-east-1, United States). Provides equivalent protection mechanisms and a data-processing agreement.
  • Auth0 (Okta, Inc.) — Identity and access management (United States). BAA available on enterprise plans.
  • Twilio Inc. — SMS notifications (United States).
  • Paubox Inc. — HIPAA-encrypted email (United States).

5. ARCO rights

As a data subject, you have the following rights (ARCO — Access, Rectification, Erasure, Objection):

  • Access: know what personal data we hold about you and how we process it.
  • Rectification: request the correction of inaccurate or incomplete data.
  • Erasure: request the deletion of your data when it is no longer necessary for the purposes that motivated its collection, subject to mandatory retention periods (NOM-004: 5 years; HIPAA: 6 years).
  • Objection: object to the processing of your data for secondary purposes.

To exercise your ARCO rights, send a request to privacidad@moolaro.com indicating: full name, contact information, the right you wish to exercise, and documentation proving your identity. We respond within a maximum of 20 business days.

6. Security measures

Moolaro implements technical, administrative, and physical measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control (RBAC) with multi-factor authentication.
  • Audit logs of all access to clinical records (NOM-024).
  • Periodic security reviews and vulnerability assessments.
  • Data retention and secure-destruction policy.

7. Validity and changes to the privacy notice

This privacy notice may be amended at any time. Any change will be notified to data subjects by publication on this website and, where applicable, by email at least 15 days in advance. Continued use of the services after the publication of changes constitutes acceptance of those changes.

Version | Date | Description of change
1.0 | Jan 15, 2026 | Initial version
1.1 | Apr 27, 2026 | Cookies section updated; ARCO rights expanded; change-notification period set at 15 days

8. Cookies and tracking technologies

Moolaro uses only strictly necessary cookies for session authentication and security (HIPAA §164.312). We do not use analytics or advertising cookies without your express consent (GDPR Art. 6 / LFPDPPP 2025 Art. 8).

You can manage your cookie preferences through the privacy banner shown on your first visit, or at any time by contacting privacidad@moolaro.com.

In accordance with Article 109 of the LFPDPPP Regulations, we inform you that we use the following technologies:

  • Session cookies: Authentication via Auth0 (duration: active session). Required for the service to function.
  • Preference cookies: Visual theme (light/dark). Contain no personal data.
  • Analytics cookies (optional): Activated only with your express consent. Currently not enabled.

9. Means to limit the use or disclosure of data

In accordance with Article 16, section VI of the LFPDPPP, you may limit the use or disclosure of your personal data through:

  • Email request to privacidad@moolaro.com stating your name, the data whose use you wish to limit, and the reason.
  • Exercising your ARCO rights (Access, Rectification, Erasure, or Objection) per Section 5 of this notice.
  • Revoking consent for appointment-reminder communications at any time, without retroactive effect.
  • Registration with the Public Consumer Registry (REPECO) to limit contact for commercial purposes.

We respond to requests within 20 business days (LFPDPPP Art. 32).

10. Data retention period

Data category | Period | Legal basis
Dental clinical record | 5 years | NOM-004-SSA3-2012 §5.8
Billing / tax records | 6 years | CFF Art. 30
Consents and revocations | Indefinite (evidence) | GDPR Art. 7(1)
Contact data / communications | 5 years after last interaction | LFPDPPP Art. 11
Audit logs (access) | 6 years | HIPAA §164.308(a)(1)(ii)(D)

After these periods elapse, data is securely deleted or irreversibly anonymized, except where required otherwise by law.

Last updated: January 2026.

Legal basis: Mexican Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations; NOM-004-SSA3-2012; NOM-024-SSA3-2012.