PUIhoteles
ESEN Get started
PUI compliance
Connection to the PUI LawIdentity captureGuest registry
How it works
Query modelConnected to R2Security & encryption
For your hotel
No technical teamLlaveMX & e.firmaCompliance dashboard
By lodging type
HotelsHostelsMotelsAirbnb & short rentals
By situation
Hotels in Mexico CitySole proprietorSmall lodging
Compare
PUIhoteles vs ConectaPUIPUIhoteles vs PUIMexicovs Build it yourself
Learn
What is the PUI LawThe fine for not complyingBlogHelp center
Company
AboutContact
Pricing Get started
Guide · PUI Law

What the PUI Law is and what your hotel must do

PUI is the Mexican government’s Single Identity Platform. The law requires EVERY lodging to register each guest’s identity and connect to the federal platform to help locate missing persons. This is the clear, jargon-free guide for hotel owners: what it is, who it applies to, what data it asks for, the fine, how the “query” model works, the official dates and what to do today.

Get startedCreate your demo

In one line: record who stays and connect to the government

PUI (the Single Identity Platform) comes from Mexico’s General Law on the Forced Disappearance of Persons (LGMDFP). Its sole purpose is to help locate people reported missing: when authorities search for someone, they can ask lodgings whether that person checked in. It is not a tourism law, it is not fiscal and it has nothing to do with the tax office.

Article 12 Bis of that law creates the obligation: every lodging establishment must keep a record of its guests’ identity and make it available to the system. Article 43 Bis sets the penalty for those who do not comply. That is why this applies to every hotel, hostel, inn, motel, cabin and short-term rental in the country.

The good news for an owner is that “complying” boils down to two things: (1) properly capturing each guest’s identity at check-in and storing it, and (2) being connected to the platform to respond when the government asks. PUIhoteles does both for you. The rest of this guide explains each part in plain language.

The essentials in four ideas

If you only remember four things about the whole law, make it these.

It’s a federal search law

It comes from the LGMDFP (Art. 12 Bis). Its purpose is to locate missing persons. Not tourism, not taxes.

It applies to ALL lodging

Any size, individual or company. A large hotel and a two-room cabin share the very same obligation.

You record identity, not spending

CURP, name, date of birth and document (national ID, passport or migratory form). Never a card or how much they spent.

You answer targeted queries

The government asks about a reported person; your hotel responds. It is not mass monitoring of your guests.

Who does it apply to? Everyone, with no size exemption

The obligation makes no distinction by size or legal form. A chain hotel, an eight-key boutique, a hostel, a roadside motel, a family inn, a mountain cabin and an Airbnb-style short rental all fall under the same rule. If someone stays overnight in exchange for payment, there is a duty to register their identity.

This surprises many small owners, who assume “this is for the big hotels.” It is not. In fact, the small establishment is often the most exposed, because it has no IT department to solve it. The law does not forgive you for being small; it forgives you for being compliant.

Exactly what data PUI asks for

Identity data so a person can be located. No commercial or spending information.

CURP

The guest’s Unique Population Registry Code, where applicable.

Full name

As it appears on their official identity document.

Date of birth

To identify the person unambiguously.

Document and nationality

National ID for nationals; passport or migratory form (FMM) and nationality for foreigners.

What it does NOT ask

No credit card, no amount paid, no record of what the guest consumed. It is identity, not billing.

Handled with care

These are sensitive personal data: they must be captured, stored and transmitted securely, not in an open notebook.

The fine: why it pays to take this seriously

Article 43 Bis sets the penalty for non-compliance: from 10,000 to 20,000 UMA. The UMA is the Unit of Measure and Update, the figure the government uses to calculate fines. In today’s pesos that is roughly $1,170,000 to $2,350,000 MXN. This is not a typo: the fine can exceed a million pesos.

And there is a key detail: the penalty is per infraction. It is not a single fixed annual fine; each failure can count separately. For a small lodging, a single fine at the low end of the range can already cost more than entire years of complying properly. That is why compliance is not an expense: it is insurance.

PUIhoteles costs a one-time setup of $4,350 MXN plus $930 MXN per month (plus VAT), with no lock-in. Placed next to the range of the fine, the decision explains itself: you pay a tiny fraction to be compliant and stop carrying the risk.

How the “query” model works

The government does not watch your guests live. It only asks when looking for a specific person.

  1. A person is reportedThe search authority registers a missing person and needs to trace where they may have been.
  2. The system asks lodgingsThrough the platform it queries whether that person checked in at any connected hotel.
  3. Your hotel responds, connectedIf they are in your registry, the system responds securely. If not, there is no match. It is targeted, not mass.
  4. You are compliantHaving captured identity and being connected is exactly what the law requires of you. That is complying.

The official dates (as of June 2026)

The LGMDFP reform that creates the obligation was published in July 2025. The Guidelines followed (27 November 2025) and Technical Manual v1.0 (23 January 2026), which already defines what the connection must look like: JWT tokens, AES-256-GCM encryption, SHA3-256 hashing and TLS transport. In plain terms: the “how to connect technically” is already published.

One piece is still missing: the SNIP Operations Manual, which is still pending publication. When it comes out, it opens a window of 45 business days to request access and formally interconnect. We are honest with you: full interconnection closes once that manual appears.

That is why the smart play is to start capturing identity NOW —there is no reason to wait to register your guests properly— and have the interconnection ready to switch on the moment the manual is published. PUIhoteles has you capturing from day one and connects on your behalf the moment SNIP allows it.

What you must do to comply (and what PUIhoteles does)

Five pieces. We handle the technical ones; you just welcome guests.

Capture identity

Record each guest’s CURP, name, date and document. PUIhoteles captures it at check-in.

Keep the registry

Store the record up to date and be able to export it. PUIhoteles keeps your registry ready for audit.

Obtain your e.firma

The tax-office electronic signature the platform requires to identify you. We arrange it for you.

Set up your LlaveMX

The government’s digital identity (free) used for access. We prepare it for you.

Connect to the federal platform

The query URL with JWT and TLS that responds for your hotel. We handle that technical part.

Answer the queries

Be ready to respond when the government asks. PUIhoteles answers for you, connected to R2 in real time.

Frequently asked questions about the PUI Law

Is the PUI Law the same as a tax-office procedure?
No. PUI comes from the General Law on the Forced Disappearance of Persons and serves to locate people. It is neither fiscal nor tourism-related. The tax-office e.firma is used as an identification mechanism, but the obligation has nothing to do with taxes.
I’m a small hotel — does it really apply to me?
Yes. The obligation covers every lodging regardless of size or whether you are an individual or a company. An inn or a cabin has the same duty as a chain. PUIhoteles is built precisely so a small team can comply without an IT department.
Will the government see all my guests in real time?
It is not mass monitoring. The model is query-based: authorities ask about a specific person reported missing and the system responds if they are in your registry. Your data is not displayed openly.
What data exactly must I record?
Identity: CURP, name, date of birth and document (national ID for nationals; passport or migratory form and nationality for foreigners). No card, amount or spending is requested.
How much is the fine for not complying?
From 10,000 to 20,000 UMA under Art. 43 Bis, which today is roughly between $1,170,000 and $2,350,000 MXN, applied per infraction. It is an enormous risk against the cost of complying.
If a manual is still pending, should I wait to sign up?
It is not worth waiting to capture identity: properly registering your guests is already part of complying and does not depend on any manual. Full interconnection switches on when the SNIP Operations Manual is published, and PUIhoteles connects on your behalf at that moment.
What does PUIhoteles do for me?
It captures identity at check-in, keeps your exportable registry, arranges your e.firma and LlaveMX, connects you to the federal platform and answers the queries, all connected to R2 in real time. It costs $4,350 MXN setup plus $930 MXN per month (plus VAT), with no lock-in.

Put PUIhoteles to work for you

Get started