← Back to NoMásFilas

Privacy Policy

Last updated: April 22, 2026 · Effective: April 22, 2026 · Version 1.0

NoMasFilas LLC ("NoMásFilas", "Company", "we", "us", or "our") respects your privacy and is committed to protecting personal data. This Privacy Policy ("Policy") explains how we collect, use, share, store, and protect information when you visit our website, use our platform, or interact with our services.

This Policy applies to:

• Clients: Businesses, organizations, and institutions that use NoMásFilas to manage their queues and appointments.
• Authorized Users: Staff members who access the NoMásFilas backend dashboard on behalf of a Client (administrators, managers, operators).
• End Users / Guests: Individuals who take a queue number, schedule an appointment, or interact with the Service as a customer at a Client's location.
• Website Visitors: Individuals who visit nomasfilas.io or related websites without creating an account.

1. Introduction & Scope

NoMásFilas provides a cloud-based queue management and appointment scheduling platform. In providing this Service, we process personal data in various capacities. This Policy describes our practices regarding all personal data we collect or process, regardless of where you are located.

We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Brazilian General Data Protection Law (LGPD), and other applicable national and regional legislation.

2. Data Controller vs. Data Processor

2.1 NoMásFilas as Data Controller

We act as the Data Controller when we determine the purposes and means of processing. This applies to:

• Client account registration and management data
• Billing and payment information
• Website visitor data (analytics, cookies)
• Marketing communications with Clients
• Authorized User account data
• Support and communication records

2.2 NoMásFilas as Data Processor

We act as the Data Processor when processing personal data on behalf of a Client. This applies to:

• End User personal data collected through queue interactions (names, IDs, phone numbers, emails — as configured by the Client)
• Appointment and scheduling data for End Users
• Queue history and interaction records attributable to End Users

2.3 Implications

If you are an End User and wish to exercise data rights regarding data collected at a Client's location, you should first contact the Client (the business whose queue you joined). NoMásFilas will cooperate with Clients to fulfill data subject requests. You may also contact us directly at privacy@nomasfilas.io and we will direct your request appropriately.

3. Information We Collect

3.1 Information Provided by Clients

Data Category	Examples	Purpose
Account Registration	Business name, country, admin email, phone, password	Create and manage account
Business Identification	Tax ID (RUT, EIN, etc.), business address	Billing, compliance, invoicing
Payment Information	Credit/debit card details (processed by Stripe)	Process subscription payments
Authorized User Data	Names, emails, roles of staff members	Account access and permissions
Branch Configuration	Branch names, addresses, service types, schedules	Service configuration
Support Communications	Emails, chat messages, call records	Provide customer support

3.2 End User Data (Collected on Behalf of Clients)

End User data collection is determined and controlled by the Client. Clients configure what data their queue system requests from End Users. This may include:

Data	Collected When	Required?
Name	Client enables "Request Name" setting	Optional — Client configures
National ID (RUT, DNI, etc.)	Client enables "Request ID" setting	Optional — Client configures
Phone number	Client enables notifications or requests phone	Optional — Client configures
Email address	Client enables email notifications or requests email	Optional — Client configures
Service type selected	Always (part of queue function)	Functional requirement
Queue number and timestamp	Always (part of queue function)	Functional requirement
Wait time and service time	Always (measured automatically)	Functional requirement

Important: Some Clients may operate their queues without collecting any personal End User data (anonymous queuing). The queue system functions with just a number and service type selection.

3.3 Automatically Collected Data

Data	Method	Purpose
IP address	Server logs	Security, fraud prevention, approximate geolocation
Browser type & version	HTTP headers	Compatibility, debugging
Operating system & device type	HTTP headers	Compatibility, analytics
Pages visited & time spent	Analytics tools	Service improvement
Referral source	HTTP headers	Marketing analytics
Feature usage patterns	Application telemetry	Product improvement
Error logs	Application monitoring	Debugging, stability

3.4 Information from Third Parties

We may receive information from third parties including: (a) payment status and transaction information from Stripe; (b) authentication information if you sign in using a third-party service; (c) publicly available business information for account verification.

4. How We Use Information

Purpose	Data Used	Legal Basis (GDPR)
Provide and operate the Service	Account data, configuration data, End User data	Contract performance (Art. 6(1)(b))
Process payments and billing	Payment and account information	Contract performance (Art. 6(1)(b))
Send transactional communications	Email, phone number	Contract performance (Art. 6(1)(b))
Send queue notifications to End Users	Phone, email (as configured by Client)	Legitimate interest / Client's legal basis
Generate analytics and reports	Queue data, service times, usage patterns	Contract performance (Art. 6(1)(b))
Improve and develop the Service	Aggregated usage data, feedback	Legitimate interest (Art. 6(1)(f))
Ensure security and prevent fraud	IP address, activity logs, account data	Legitimate interest (Art. 6(1)(f))
Provide technical support	Account data, communication records, logs	Contract performance (Art. 6(1)(b))
Comply with legal obligations	As required by law	Legal obligation (Art. 6(1)(c))
Marketing to Clients (opt-in only)	Business email	Consent (Art. 6(1)(a))
Create anonymized benchmarks	Aggregated, de-identified data	Legitimate interest (Art. 6(1)(f))

4.1 What We Do NOT Do

• We do not sell personal data to third parties.
• We do not use End User data for our own marketing purposes.
• We do not share End User data with other Clients.
• We do not use personal data for automated decision-making that produces legal effects.
• We do not profile End Users for advertising or marketing purposes.

5. Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA) and United Kingdom, we process personal data based on one or more of the following legal bases:

• Contract Performance (Art. 6(1)(b)): Processing necessary to perform our contractual obligations to you (e.g., providing the Service, processing payments).
• Legitimate Interest (Art. 6(1)(f)): Processing necessary for our legitimate business interests, balanced against your rights (e.g., security, fraud prevention, service improvement). You may object to processing based on legitimate interest — see Section 10.
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws (e.g., tax records, responding to legal requests).
• Consent (Art. 6(1)(a)): Processing based on your specific, informed, freely given consent (e.g., marketing communications). You may withdraw consent at any time.

6. How We Share Information

We share personal data only as necessary and with appropriate safeguards:

Recipient	Purpose	Data Shared	Safeguards
Stripe, Inc.	Payment processing	Payment card details, billing info	PCI-DSS Level 1; Privacy Policy
Google Cloud / Firebase	Cloud hosting & infrastructure	All Service data (encrypted)	SOC 2, ISO 27001; DPA in place
MongoDB Atlas	Database storage	Service data (encrypted)	SOC 2, ISO 27001; DPA in place
Cloudflare	DNS, CDN, security	IP addresses, traffic data	ISO 27001; DPA in place
SMS/Email providers	Deliver notifications	Phone/email of End Users	Contractual obligations
WhatsApp (Meta)	WhatsApp notifications	Phone numbers of End Users	WhatsApp Business Terms
Google Analytics	Website analytics	Anonymized usage data	IP anonymization enabled
Legal authorities	Legal compliance	As required by law	Court order or legal obligation
Business successors	Merger/acquisition	All data (with notice)	Contractual protections; prior notice

We require all third-party recipients to maintain confidentiality and security of personal data through appropriate contractual provisions.

7. International Data Transfers

NoMásFilas operates globally. Personal data may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have data protection laws different from your country of residence.

When transferring data from the EEA, UK, Switzerland, or other jurisdictions with data transfer restrictions, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Binding Corporate Rules of our service providers where applicable
• Your explicit consent to the transfer when you use the Service
• Necessity for contract performance (processing required to deliver the Service you requested)

You may request a copy of the applicable transfer mechanisms by contacting privacy@nomasfilas.io.

8. Data Retention

Data Category	Retention Period	Basis
Client account data	Duration of account + 30 days post-termination	Contract + data export period
Authorized User data	Duration of account + 30 days	Contract
End User queue data	Up to 24 months (configurable by Client)	Analytics and reporting
End User personal identifiers	As configured by Client, max 24 months	Client's data retention policy
Payment and billing records	7 years	Tax and accounting laws
Support communications	3 years after resolution	Quality and dispute resolution
Website analytics	26 months (aggregated)	Service improvement
Server logs	90 days	Security and debugging
Aggregated/anonymized data	Indefinitely	No personal data involved

Clients may request earlier deletion of End User data at any time by contacting support@nomasfilas.io. We will process deletion requests within 30 days.

9. Data Security

We implement and maintain appropriate technical and organizational security measures, including:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Encryption at rest: All stored data is encrypted using AES-256 encryption on our cloud infrastructure.
• Access controls: Role-based access control for all administrative functions. Principle of least privilege applied.
• Authentication: Secure password hashing. Session management with automatic timeout.
• Infrastructure security: Hosted on enterprise-grade cloud infrastructure (Google Cloud Platform / Firebase) with SOC 2 and ISO 27001 certifications.
• Payment security: All payment data handled exclusively by Stripe, which is PCI-DSS Level 1 certified. We never store full card numbers on our systems.
• Monitoring: Continuous monitoring for unauthorized access attempts and anomalous activity.
• Employee access: Staff access to production data is limited, logged, and subject to confidentiality agreements.
• Incident response: Documented incident response procedures for detecting, investigating, and mitigating security incidents.

While we take reasonable measures to protect data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security against all possible threats.

10. Your Rights

10.1 Rights for All Users

Regardless of your location, you may:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your data, subject to legal retention requirements.
• Data Portability: Request a machine-readable copy of your data (JSON or CSV format).
• Withdraw Consent: Where we rely on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Opt-out of Marketing: Unsubscribe from marketing communications at any time using the unsubscribe link or by contacting us.

10.2 Additional Rights for EEA/UK Residents (GDPR)

• Restriction of Processing: Request that we limit how we use your data in certain circumstances.
• Object to Processing: Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
• Automated Decision-Making: Right not to be subject to decisions based solely on automated processing that produce legal or significant effects. (Note: We do not currently engage in such processing.)
• Lodge a Complaint: File a complaint with your local supervisory authority (data protection authority).

10.3 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@nomasfilas.io. We will verify your identity and respond within 30 days (or 45 days for complex requests, with notice). We will not charge a fee for reasonable requests. Manifestly unfounded or excessive requests may be subject to a reasonable administrative fee or refused.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA/CPRA:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it.
• Right to Delete: Request deletion of personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell personal information and do not share personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: We limit our use of sensitive information to purposes necessary to provide the Service.
• Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact privacy@nomasfilas.io or call us (contact details in Section 19). We will verify your identity using at least two pieces of personal information before fulfilling requests.

11.1 Categories of Personal Information Collected

CCPA Category	Examples	Sold?	Shared for Ads?
Identifiers	Name, email, phone, IP address	No	No
Commercial Information	Subscription plan, payment history	No	No
Internet/Network Activity	Browsing history, usage data	No	No
Geolocation	Approximate location from IP	No	No
Professional Information	Business name, role	No	No

12. Brazilian Privacy Rights (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to: (a) confirmation of processing; (b) access; (c) correction; (d) anonymization, blocking, or deletion of unnecessary data; (e) portability; (f) information about sharing with third parties; (g) information about the possibility of denying consent and its consequences; (h) revocation of consent. To exercise these rights, contact privacy@nomasfilas.io.

13. Children's Privacy

The Service is not intended for use by children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided personal data through the Service, contact us at privacy@nomasfilas.io and we will promptly delete it.

14. Cookies & Tracking

• Essential cookies: Required for the Service to function (session management, authentication). Cannot be disabled.
• Analytics cookies: Help us understand how the Service is used (Google Analytics with IP anonymization). Can be declined.
• Preference cookies: Remember your settings and choices. Can be declined.

We do not use advertising or tracking cookies. We do not participate in third-party advertising networks.

15. Third-Party Links & Services

The Service may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices, content, or security of third parties. We encourage you to review the privacy policies of any third-party services you interact with.

16. Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. There is currently no industry standard for interpreting DNT signals. We do not currently respond to DNT signals, but we do not engage in cross-site tracking of individual users.

17. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR).
• Notify affected Clients without undue delay so they can fulfill their own notification obligations to End Users.
• Notify affected individuals directly if the breach is likely to result in a high risk to their rights and freedoms (where we are the Data Controller).
• Document the breach, its effects, and the remedial actions taken.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes:

• We will notify Clients by email at least 15 days before the changes take effect.
• We will post a prominent notice on the Service.
• We will update the "Last updated" date at the top of this Policy.
• For material changes affecting End User data processing, we will also notify Clients so they can inform their End Users as appropriate.

Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

19. Contact & Data Protection Officer

For privacy-related inquiries, data subject requests, or concerns:

Purpose	Contact
Privacy & Data Protection Inquiries	privacy@nomasfilas.io
General Support	support@nomasfilas.io
Legal	legal@nomasfilas.io
Security Incidents	security@nomasfilas.io
Entity	NoMasFilas LLC, Wyoming, United States
Website	nomasfilas.io

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.

Part B — Data Processing Agreement: Scope & Definitions

This Data Processing Agreement ("DPA") forms an integral part of this Privacy Policy and the Terms of Service. It governs the processing of personal data by NoMasFilas LLC ("Processor") on behalf of the Client ("Controller") in connection with the Service. This DPA meets the requirements of Article 28 GDPR, UK GDPR, CCPA/CPRA, and LGPD.

By using the Service, you accept this DPA. For a separately signed copy (e.g., institutional compliance), contact legal@nomasfilas.io.

• "Personal Data" — information relating to an identified or identifiable person, processed by the Processor on behalf of the Controller.
• "Processing" — any operation on Personal Data: collection, recording, storage, retrieval, use, disclosure, erasure, destruction.
• "Data Subject" — the person to whom the Personal Data relates (typically End Users).
• "Sub-processor" — any third party engaged by the Processor to process Personal Data on the Controller's behalf.
• "Personal Data Breach" — a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

21. Nature & Purpose of Processing

Aspect	Details
Nature	Collection, storage, organization, retrieval, consultation, use, transmission (for notifications), and erasure of End User data
Purpose	Queue management, virtual ticketing, appointment scheduling, notifications, analytics, and reporting
Duration	Duration of the Terms of Service + 30 days post-termination
Data Subjects	End Users / Guests of the Controller's locations; Authorized Users (staff)
Data Types	As configured by Controller: names, national IDs, phone numbers, emails, queue interaction data, appointment details, IP addresses

Special categories: The Service is not designed for special category data (health, biometric, religious). If the Controller's use involves such data (e.g., medical queues), the Controller is solely responsible for lawful basis and additional safeguards.

22. Obligations of the Processor

NoMásFilas shall:

1. Process on instructions only: Process Personal Data solely on documented Controller instructions (Terms + DPA), unless required by law (with prior notice, unless legally prohibited).
2. Confidentiality: Ensure all personnel authorized to process Personal Data are bound by confidentiality obligations.
3. Security: Implement appropriate technical and organizational measures (see Section 9 above).
4. Sub-processors: Not engage Sub-processors without Controller authorization (see Section 24).
5. Data subject assistance: Assist Controller in responding to data subject rights requests.
6. Breach notification: Notify Controller within 72 hours of becoming aware of a Personal Data Breach.
7. Deletion/return: Delete or return all Personal Data upon termination, per Section 26.
8. Audit cooperation: Make information available to demonstrate compliance and allow audits (Section 27).
9. DPIA assistance: Assist with data protection impact assessments and prior consultations where required.
10. Cross-border safeguards: Implement transfer mechanisms (SCCs, etc.) for international data transfers.

23. Obligations of the Controller

The Client (Controller) shall:

1. Determine the lawful basis for processing End User Personal Data.
2. Provide appropriate privacy notices to Data Subjects.
3. Obtain necessary consents where required.
4. Respond to Data Subject requests (with Processor assistance).
5. Ensure data collection scope is necessary and proportionate.
6. Provide documented processing instructions.
7. Comply with all Applicable Data Protection Law.

24. Sub-processors

24.1 Authorized Sub-processors

The Controller provides general authorization for the following Sub-processors:

Sub-processor	Purpose	Location
Google Cloud / Firebase	Cloud hosting, database, authentication	United States
MongoDB Atlas	Database storage	United States
Cloudflare	DNS, CDN, DDoS protection	Global (US-based)
Stripe, Inc.	Payment processing	United States
Twilio / SMS providers	SMS notifications	United States
WhatsApp (Meta)	WhatsApp notifications	United States
Email service providers	Email notifications	United States

24.2 Changes

Processor shall notify Controller of Sub-processor changes at least 15 days in advance. Controller may object on reasonable grounds within 15 days. If unresolved, either party may terminate the affected portion. Processor remains fully liable for Sub-processor acts.

25. International Transfers (DPA)

For transfers from EEA/UK/Switzerland, we rely on: (a) Standard Contractual Clauses (EU Commission Decision 2021/914); (b) UK International Data Transfer Agreement or Addendum; (c) Controller's consent as part of Service acceptance. Supplementary measures include encryption and access controls. Request transfer mechanism copies at privacy@nomasfilas.io.

26. Data Retention & Deletion (DPA)

• Upon termination: data retained 30 days for export.
• After 30 days: deletion or anonymization from active systems.
• Backups: purged per backup retention schedule.
• Controller may request specific End User deletion at any time.
• Legally mandated retention (e.g., tax records) overrides deletion requests.

27. Audits

Upon reasonable request and at Controller's expense, Processor shall provide: (a) written questionnaire responses; (b) certifications and audit reports; (c) on-site/remote audits with 30 days' notice, during business hours, under confidentiality, max once per 12 months. In case of conflict, this DPA prevails over the Terms regarding Personal Data processing.

28. Data Breach Response (DPA)

Upon a Personal Data Breach, Processor shall: (a) notify Controller within 72 hours; (b) provide: nature, categories/numbers affected, likely consequences, mitigation measures; (c) cooperate with investigation and remediation; (d) assist Controller in notifying authorities and Data Subjects; (e) document the breach and remedial actions.

Part C — Cookie Policy: What Are Cookies

Cookies are small text files placed on your device when you visit a website. They enable functionality, remember preferences, and help us understand usage. Similar technologies include web beacons, pixels, and local storage. "Cookies" in this section covers all such technologies.

30. Cookies We Use

30.1 Strictly Necessary (cannot be disabled)

Cookie	Purpose	Duration
session_id	Maintains login session	Session
csrf_token	Prevents CSRF attacks	Session
auth_token	Authentication for logged-in users	30 days
locale	Language preference	1 year
cookie_consent	Remembers your cookie choice	1 year

30.2 Analytics (consent required)

Cookie	Provider	Purpose	Duration
_ga	Google Analytics	Unique visitor ID (anonymized IP)	2 years
_ga_*	Google Analytics	Session state	2 years
_gid	Google Analytics	24-hour visitor distinction	24 hours
_gat	Google Analytics	Rate throttling	1 minute

30.3 Functional (preference-based)

Cookie	Purpose	Duration
theme	Dark/light mode preference	1 year
branch_last	Last selected branch (backend users)	30 days
display_prefs	TV/display interface settings	1 year

30.4 What We Do NOT Use

We do not use: advertising cookies, social media tracking cookies, cross-site tracking, or behavioral advertising cookies.

31. Third-Party Cookies

• Google Analytics: Anonymized IP enabled. Opt out: Google Analytics Opt-out Add-on.
• Stripe: May set cookies during payment for fraud prevention. See Stripe's Cookie Policy.

32. How to Manage Cookies

Consent banner: On first visit, accept or decline non-essential cookies. Change preferences anytime via "Cookie Settings" in the footer.

Browser controls: Most browsers let you view, delete, block, or allow cookies. Instructions:

• Chrome
• Firefox
• Safari
• Edge

Disabling strictly necessary cookies may prevent core features from working.

33. Local Storage

The Service may use browser local/session storage for: caching queue data, storing UI preferences, and maintaining application state. This data stays on your device and is not transmitted to our servers. Clear it via browser settings.