Privacy notice

Version 2026-06-09-v1 · June 9, 2026

1. Data controller

  • Identity: Casa de la Luz Hotel Boutique
  • Legal name: {Razón social — pendiente confirmar con el hotel}
  • Address: Viaducto Miguel Alemán 297, 08310, Mexico City, Mexico
  • RFC (Tax ID): {RFC — pendiente confirmar con el hotel}
  • Contact for ARCO rights: privacidad@casadelaluz.mx {PENDIENTE confirmar con Manuel}

2. Personal data collected

Full name, nationality, date of birth, address, official ID (type and number), photo of the ID, verification selfie, contact (phone and/or email), vehicle plates (where applicable), data of accompanying minors and the responsible adult (where applicable), and arrival and departure times.

3. Purpose of processing

The personal data collected during guest registration is used exclusively to:

  • Comply with the legal registration obligation set out in Article 23 of the Mexico City Commercial Establishments Law (Ley de Establecimientos Mercantiles de la Ciudad de México) (amendment published in the CDMX Official Gazette on December 19, 2025 · in force since April 18, 2026).
  • Comply with the establishment's tax obligations (CFF Art. 30 · retention of receipts).
  • Respond to requests from competent authorities (CDMX administrative verification, tax or immigration authorities) where a duly grounded and justified request exists.
  • Manage the guest's reservation and stay (check-in, room assignment, billing).
  • Ensure the safety of persons and property at the establishment.

4. Legal basis

  • Legal obligation (LFPDPPP Art. 10 sec. IV) · Article 23 of the Mexico City Commercial Establishments Law.
  • Performance of the lodging contract to which the data subject is a party (the reservation).
  • Consent of the data subject · for the capture of the ID document image and verification selfie, recorded electronically with timestamp and IP at the moment of check-in, as well as for additional purposes.

5. Categories of data

  • Identifiers: full name, date of birth, sex, nationality.
  • Document: type (INE by default; Passport or Migratory Form for foreign nationals), number, dates of issue and expiry, issuing country.
  • ID document image and verification selfie (AES-256-GCM encrypted at rest).
  • Document holder address.
  • Check-in data: arrival and departure dates, room number, payment method, vehicle plates (where applicable).
  • Data of accompanying minors and the responsible adult (where applicable).

6. Recipients and transfers

  • CDMX administrative verification, tax or immigration authorities, where a duly grounded and justified request exists.
  • Service providers (data processors):
    • Vercel Inc. (web hosting).
    • Google LLC · Google Drive (encrypted image storage · with additional client-side encryption).
    • Anthropic PBC · Claude API (OCR document reading · data is not used for model training).
    • Supabase Inc. (database · when enabled).

Data is not transferred to third parties for commercial purposes without the data subject's express consent. Document images are encrypted before being stored or transmitted (AES-256-GCM) and only the controller retains the decryption key.

7. Retention period

  • Guest registry (identifiers, address, vehicle, minors, arrival/departure times): 1 year from the check-out date, in accordance with Art. 23 of the Mexico City Commercial Establishments Law.
  • Video surveillance: 90 days, under the same Art. 23.
  • Associated tax documents (CFDI, payment receipts): 5 years, in accordance with Art. 30 of the Federal Tax Code (Código Fiscal de la Federación).
  • Sensitive data (dietary preferences, declared medical conditions, accessibility): kept only during the stay and deleted at check-out, unless the data subject gives express written consent (LFPDPPP Art. 8).

After these periods, data will be blocked during the statutory limitation period for derived actions and then irreversibly deleted or anonymised (scheduled deletion process).

8. ARCO rights

At any time the data subject may exercise their rights of Access, Rectification, Cancellation and Objection (ARCO) to the processing of their data, as well as withdraw consent given.

  • Access · obtain a copy of the data we process about you.
  • Rectification · correct inaccurate data.
  • Cancellation · request blocking and subsequent deletion, unless a legal retention obligation applies (Art. 23 CDMX Commercial Establishments Law).
  • Objection · object to processing on grounds related to your particular situation.
  • Withdraw consent · at any time, without retroactive effect.

To exercise any of these rights, write to privacidad@casadelaluz.mx stating: your full name, a copy of valid official ID, a clear description of the right you are exercising, and contact details. Response time: the controller has 20 business days to respond to the request and a further 15 business days to carry out the requested action (LFPDPPP Art. 31).

9. Complaint to the SABG

If you believe processing does not comply with regulations or you are not satisfied with the response to your rights request, you may file a complaint with the Anticorruption and Good Governance Secretariat (Secretaría Anticorrupción y Buen Gobierno · SABG), the entity that succeeds INAI following the LFPDPPP amendment published in the DOF on March 20, 2025.

10. Security measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256-GCM) for document images.
  • Unique cryptographic key per establishment.
  • Immutable hash-chained audit log (SHA-256) for all sensitive data access.
  • Role-based access control · staff sessions expire after 8 h.
  • HMAC-signed guest tokens with short expiry.

11. Changes to this notice

This notice may be updated. The current version is identified by header 2026-06-09-v1. Substantial changes will be notified and, where appropriate, new consent requested.

See cookie policy← Back