At Disocy, the protection of your identity is treated as an essential operational obligation. This Privacy Policy describes our data processing model under a Dual-Layer Architecture: the Platform Layer (commerce and browsing) and the Sovereign Layer (DiD™ and archive).
SECTION 1 — INSTITUTIONAL IDENTIFICATION (DATA CONTROLLER)
In accordance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD), the controller of your personal data is:
- Controller: Aaron Retamero
- Trademark: DISOCY, currently pending registration before the Spanish Patent and Trademark Office (M4330756), owned by Aaron Retamero.
- Registered Domicile: DISOCY MAISON Grup Sant Bernat, 20, 08640 Olesa de Montserrat Barcelona, Spain.
- Primary Contact: clientservices@disocy.com
- Data Protection & Rights: legal@disocy.com
- Identity Transfers: transfer@disocy.com (strictly for ownership transfers).
SECTION 2 — LEGAL BASES & PROCESSING CATEGORIES
We process personal data on the legal bases established in Art. 6 of the GDPR and the LOPDGDD:
| Data Category | Purpose | Legal Basis (GDPR / LOPDGDD) |
| --- | --- | --- |
| Contact & Shipping | Order execution and delivery. | Art. 6.1.b (Performance of a contract) |
| Financial/Billing | Payment processing and fiscal compliance. | Art. 6.1.c (Legal obligation) |
| Technical Logs/IP | Fraud prevention and system security. | Art. 6.1.f (Legitimate interest) |
| Sovereign Metadata | Archival integrity and DiD™ synchronization. | Art. 6.1.f (Archival value) |
SECTION 3 — THE SOVEREIGN LAYER (DiD™ & ARCHIVAL CUSTODY)
To comply with the principles of Privacy by Design and by Default, Disocy employs a technical abstraction framework for managing identity and hardware provenance:
Sovereign Layer (Zero-Knowledge Verification): Public verification nodes at did.disocy.com operate on a strict Zero-Knowledge basis. Verification uses salted one-way cryptographic hashes. Our public servers lack any technical means to reconstruct or retrieve your original Claim Token from this layer.
Hardware Abstraction (UID-Chip-DiD Mapping): To separate physical hardware identifiers from digital identity, our secure database implements the following linkage:
- The UID (Unique Identifier / Silicon ID) is associated only with the Chip entry in our database.
- The Chip entry is thereafter linked to the DiD™ (Decentralized Identifier).
This design prevents the permanent hardware identifier (UID) from appearing on public ledgers or being directly associated with personal identifiers in public-facing layers.
Archival Layer (Authenticated Encryption): For production and recovery, tokens and internal mappings are stored using banking-grade authenticated symmetric encryption, secured by a Master Key isolated from the public verification infrastructure.
SECTION 4 — CONSENT MANAGEMENT & REVOCATION
Explicit Consent: For processing not required to perform a contract (for example, marketing), we rely on your clear, affirmative consent.
Right to Revoke: You may withdraw consent at any time via the "Unsubscribe" link in our communications or by emailing legal@disocy.com. Revocation does not affect the lawfulness of processing based on consent given prior to its withdrawal.
SECTION 5 — RETENTION & THE DISSOCIATION PRINCIPLE
Platform Data: Deleted upon account closure or at the end of applicable legal or fiscal retention periods (typically 5–10 years for tax records under Spanish law).
Sovereign Data (Technical Immutability): Technical records (hashes and timestamps) are retained indefinitely to preserve the garment's authenticity.
The Dissociation Principle: Following a valid erasure request, personal identifiers are permanently unlinked (dissociated) from the archival record. The UID-Chip-DiD relationship remains as an anonymous Public Record Summary to prevent counterfeiting and protect provenance without identifying the former owner.
SECTION 6 — TECHNICAL SECURITY & TRANSFERS
Infrastructure: We employ industry-standard authenticated encryption at rest and DiD™ (Disocy Identity) for data in transit.
Hardware Grade: DiD™ nodes operate on an EAL5+ banking-grade architecture.
International Transfers: Platform Data may be processed via Shopify under Standard Contractual Clauses (SCCs). Sovereign Layer data is stored exclusively within Disocy’s proprietary infrastructure in the EEA (Spain / European Union).
SECTION 7 — YOUR SOVEREIGN RIGHTS
Under Arts. 15–22 of the GDPR and Arts. 12–18 of the LOPDGDD, you have the rights of Access, Rectification, Erasure, Objection, Restriction and Portability.
Verification: Identity verification is mandatory via legal@disocy.com before fulfilling requests, in order to prevent identity theft.
Authority: You may lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
INTEGRATED LEGAL LINKS
For a complete understanding of your relationship with Disocy, please review: