Purpose
This Privacy Policy governs the processing of personal data carried out by Disocy in relation to browsing, order management and the management of the digital identity associated with pieces. It sets out purposes, legal bases, data subject rights, retention periods and the channels to exercise them.
INSTITUTIONAL IDENTIFICATION (LSSI-CE)
Aaron Retamero is the sole responsible party and Data Controller for the contents, management, and technical execution of the Disocy ecosystem.
- Proprietor: Aaron Retamero
- Registered Trademarks: Disocy trademark records before the OEPM:
  - M4330756 — Denominative trademark (registered): Protects the name only, without any design or typography. Strongest legal protection — independent of any visual element and survives logo changes.
  - M4330762 — Figurative trademark (pending): Protects a symbol or logo without text. Ideal for pure visual identities such as isotypes or standalone graphic marks.
- VAT ID: ES77142312J
- Registered address: Paraje Los Tranquillos, 1, 18127 Játar Granada, Spain
- Contact information: For official enquiries, visit our Contact Page or send an email to contact@disocy.com.
- Business hours: 09:00 – 18:00 (GMT+2), from Monday to Friday
Purposes of processing, data categories and legal bases
This section sets out the main processing purposes, the categories of data typically involved and the applicable legal basis.
Service provision and contract performance
- Purpose: to manage orders, prepare and deliver the piece, maintain user accounts and perform contractual obligations arising from purchase.
- Categories of data: identification, contact and billing data, and data necessary for delivery.
- Legal basis: Article 6(1)(b) GDPR.
Legal, tax and accounting compliance
- Purpose: to meet tax, accounting and legal reporting obligations.
- Categories of data: billing data and transaction records.
- Legal basis: Article 6(1)(c) GDPR and applicable law.
Security, fraud prevention and platform operation
- Purpose: to protect system integrity, detect and prevent fraud and respond to security incidents.
- Categories of data: technical logs, IP addresses, session identifiers and access traces.
- Legal basis: Article 6(1)(f) GDPR (legitimate interest) and, when necessary, contractual performance.
Digital identity management and traceability linked to DiD™
- Purpose: to generate, retain and consult authenticity, provenance and integrity metadata associated with pieces, and to support verification and ownership-transfer processes when applicable.
- Categories of data: identity metadata, cryptographic summaries, timestamps and traceability-related data.
- Legal bases: Article 6(1)(b) GDPR when processing is necessary for contract performance; Article 6(1)(f) GDPR when it serves a legitimate interest in preserving record integrity; and applicable legal retention obligations when relevant.
Note: ownership credentials such as the claim token are treated as sensitive. They are protected by cryptographic and access controls and are processed to guarantee authenticity and traceability of the piece.
Principles
We apply the principles of data minimisation, purpose limitation, accuracy, storage limitation, integrity and confidentiality. Privacy by design and by default are integrated into processes affecting personal data.
Technical records and archival formats are designed, where legally appropriate, to reduce direct exposure of personal identifiers through disassociation techniques when compatible with record integrity.
Retention
We retain personal data for as long as necessary to fulfil the purpose for which it was collected and thereafter for statutory retention periods or to defend against claims.
- Account, order and billing data: for the duration of the contractual relationship and applicable legal retention periods.
- Technical and security logs: for the time strictly necessary to detect, investigate and remediate incidents, or for any additional period required by system security.
- Identity and traceability records linked to DiD™: for as long as needed to preserve authenticity, integrity and provenance; these records may be retained for extended periods where a sufficient legal basis exists.
When an erasure request is valid, we will assess whether disassociation or restriction measures can be applied to reconcile the request with the obligation to retain certain records.
International transfers
If certain providers or infrastructures involve transfers of data outside the European Economic Area, we will apply the safeguards required by law, such as Standard Contractual Clauses or other valid transfer mechanisms.
Where possible, identity and traceability records will be hosted or processed in infrastructures located in Spain or the European Union, or in environments offering an equivalent level of protection.
Data subject rights
Where applicable, you may exercise the rights of access, rectification, erasure, objection, restriction and portability under Articles 15 to 22 GDPR and applicable national law.
To exercise your rights, contact:
We may request additional information or a reasonable identity verification step to prevent unauthorized requests.
Processors and requests for information
When third parties access data on behalf of Disocy, they act as processors or sub-processors under contracts consistent with the GDPR. If you wish to obtain the current list of processors and sub-processors, request it via legal@disocy.com and we will provide the information as permitted by law.
Security measures
We implement technical and organisational measures proportionate to the risk, which may include encryption in transit and at rest where appropriate, access controls, privilege management, audit trails and incident response procedures. These measures aim to preserve confidentiality, integrity and availability.
Contact and complaints
For privacy enquiries and to exercise your rights use:
If you believe your data is not processed in accordance with applicable law, you may lodge a complaint with the competent supervisory authority. In Spain, the reference is the Spanish Data Protection Authority: https://www.aepd.es/.
Related documents (brief guide)
- Governance: document map and index. Use it to locate public documents that regulate specific procedures.
- Cookie Policy: cookie categories, consent mechanism and how to manage preferences.
- Shipping Policy: logistics rules that may involve processing for delivery and tracking.
- Refund Policy: procedures for returns and the data required to manage them.
- Reserve Policy: rules for reservation campaigns and made-to-order production.
This Policy does not reproduce operational or contractual documents in full; it refers to them where they may affect personal data processing.