Privacy Policy.
How we collect, use, store and protect your personal data when you browse yagopartal.com, make a purchase, or contact us.
- Version: v1.0 · in force
- Effective from: 19 May 2026
- Jurisdiction: Spain · European Union
- Contact: mail@yagopartal.com
Contents · 15 sections
- 01 Data controller
- 02 What data we process
- 03 Where the data comes from
- 04 Purposes, legal basis and retention
- 05 Mandatory or optional nature of data
- 06 Recipients of data
- 07 International transfers
- 08 Cookies, analytics and advertising
- 09 Your rights
- 10 Retention periods
- 11 Automated decisions
- 12 Blockchain processing (Verisart · COA)
- 13 Security
- 14 Changes to this policy
- 15 Enhanced identity verification (anti-money-laundering KYC)
This Policy explains how we process personal data when you browse yagopartal.com, when you purchase from the store, or when you contact us.
This policy applies only to yagopartal.com. If you access other linked domains or services, their own policies will apply.
1. Data controller
- Zoo Portraits, S.L. (Spain)
- Tax ID (NIF): B66773912
- Address: C/ Diputacio 363, 08009 Barcelona, Spain
- Email: mail@yagopartal.com
- WhatsApp (messages only): +34 644 44 20 03 (no phone calls)
If you have privacy questions or wish to exercise your rights, write to mail@yagopartal.com.
2. What data we process
Depending on how you use the site, we may process:
- Purchase data: name and surname, email, phone (when needed for delivery or certain shipping methods), shipping/billing address, country, language/currency, order details, incidents and related communications.
- Payment data: information necessary to process the payment (e.g. transaction identifiers). We do not store full card details; these are managed by the payment provider.
- Customer account (if applicable): credentials and basic profile data.
- Communications: messages you send us (email or WhatsApp) and the information you include.
- Newsletter/marketing (if you subscribe): email and preferences, and delivery metrics (opens/clicks, depending on configuration).
- Abandoned carts and cart recovery (if enabled): cart information, technical identifiers and, if you provide your email during the process, communications to remind you of the cart.
- Technical and usage data: IP, session/cookie identifiers, browser, operating system, pages visited, usage events and similar data (especially if you accept analytics/marketing cookies).
- Security: logs and technical signals to prevent fraud and abuse.
We do not intentionally process special categories of data (health, ideology, etc.). Please do not share such data with us.
3. Where the data comes from
- Directly from you: when you purchase, register, fill in forms or write to us.
- From providers necessary for the order: payment confirmations, delivery incidents, tracking, etc.
4. Purposes, legal basis and retention
A) Purchasing and managing orders
- Purpose: process the order, charges, on-demand production, shipping, support, returns/refunds.
- Legal basis: performance of contract (Art. 6.1.b GDPR) and legal obligations (Art. 6.1.c).
- Retention: during the purchase relationship and, thereafter, for the period required by tax/commercial regulations and to handle claims.
B) Payments
- Purpose: process payments, handle refunds and prevent fraud.
- Legal basis: performance of contract (Art. 6.1.b) and, where applicable, legitimate interest in security (Art. 6.1.f).
- Retention: as necessary to manage the payment and applicable legal obligations.
C) Customer support (email / WhatsApp)
- Purpose: respond to inquiries and manage incidents.
- Legal basis: legitimate interest (Art. 6.1.f) or performance of contract (Art. 6.1.b) if the inquiry relates to an order.
- Retention: as necessary to resolve the inquiry and maintain reasonable traceability.
D) Newsletter and commercial communications
- Purpose: send you news, launches and commercial content.
- Legal basis: consent (Art. 6.1.a).
- Unsubscribe: you may unsubscribe via the link in the email or by writing to mail@yagopartal.com.
- Retention: until you withdraw your consent or request removal.
E) Cart recovery (if enabled)
- Purpose: remind you of an initiated cart so you can complete the purchase.
- Legal basis: legitimate interest (Art. 6.1.f) in facilitating purchase completion, unless you object; and/or consent, depending on configuration and country.
- Objection: you may request that we not contact you for this purpose.
F) Analytics and marketing (cookies and similar technologies)
- Purpose: measure usage, improve the website, and (if you accept) advertising/retargeting.
- Legal basis: consent (Art. 6.1.a) when not strictly necessary.
- Retention: according to the duration of each cookie/technology and the configuration you accept.
5. Mandatory or optional nature of data
- Data necessary for purchasing: if you do not provide it, we cannot process the order (e.g. shipping address).
- Optional data: newsletter, certain communications, or non-mandatory checkout fields.
6. Recipients of data
We share data only when necessary to provide the service, by legal obligation, or with your consent.
Usual processors on this website
- E-commerce platform and commerce backend: Shopify Inc. (Canada / USA) — order management, customer accounts, checkout, abandoned cart recovery.
- Frontend hosting and CDN: Vercel Inc. (USA) — delivery of yagopartal.com.
- Production and logistics POD (tier 1): Printful Inc. (USA / Latvia) — on-demand manufacturing and direct shipping, connected via Shopify.
- Fine art production and dropship (tier 2): WhiteWall GmbH (Germany) — fine art manufacturing and printing (Hahnemühle Photo Rag, Diasec, Hamburg frame, ArtBox) and direct shipping to buyer. Receives name, shipping address, phone and order data.
- Specialized fine art logistics (tier 3): Convelio / Velico SAS (France) — handling of high-value shipments with nail-to-nail insurance and coordinated delivery window.
- Payments:
  - Shopify Payments (Stripe Payments Europe Ltd, Ireland) — card payments and compatible methods.
  - PayPal Sàrl (Luxembourg) — if you choose that method.
- Email marketing and automations: Klaviyo Inc. (USA — DPF certified) — active provider managing two separate lists (Newsletter editorial and Drop alerts limited editions) with their respective purposes, segmentation, and automated flows (welcome, abandoned cart, post-purchase, drop announcement). Receives email, name, BCP-47 language, order history, and on-site behavior (only if you have consented to marketing tracking). Operational emails (order confirmation, shipping notifications) are handled by Shopify.
- Transactional email: Shopify Email for order confirmations and operational messages.
- Certificates of authenticity (COA) and blockchain: Verisart Ltd. (United Kingdom — EU adequacy decision 2021) — issuance and on-chain registration of certificates of authenticity. Receives buyer name, email, artwork data and edition number. Minimum metadata is registered publicly and irreversibly on blockchain (see §12 on technical limitations of the right to erasure).
- Invoicing and accounting: Holded SL (Spain) — invoicing, accounting and tax obligations. Receives identification data, billing address, NIF/VAT where applicable, amounts and invoice items.
- Cookie consent: custom cookie banner based on browser localStorage. No data about your consent choice is sent to external services.
- Analytics (only with your consent): Google LLC (USA) — Google Analytics 4 with IP anonymisation, without Google Signals or advertising features enabled.
- Marketing and retargeting (only with your consent): Meta Platforms Inc. (USA) — Meta Pixel for measurement of Facebook and Instagram campaign conversions.
Other recipients
- Carriers (to deliver orders).
- Banks / payment entities (depending on the chosen method).
- Public authorities (if required by law: tax, consumer, etc.).
We do not sell your personal data.
7. International transfers
Some processors above process data outside the European Economic Area (EEA), mainly in the USA and United Kingdom. We apply the following safeguards:
- USA: we rely on the EU-US Data Privacy Framework (DPF) adequacy decision (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) where the processor is DPF-certified. Certified: Google LLC, Meta Platforms Inc., Klaviyo Inc., Vercel Inc. Check certifications at https://www.dataprivacyframework.gov/list. As a fallback in case of DPF invalidation (Schrems III review pending at the CJEU), we apply the Standard Contractual Clauses (SCCs) approved by Commission Implementing Decision (EU) 2021/914.
- United Kingdom: EU-UK adequacy decision (2021/1772) + UK International Data Transfer Agreement (IDTA) as fallback.
- Other third countries without adequacy: SCCs + documented Transfer Impact Assessment (TIA).
Usual examples:
- Shopify (infrastructure, commerce backend and payments),
- Printful (depending on production/shipping center),
- Verisart (blockchain certificates of authenticity · UK adequacy),
- Klaviyo (email marketing · DPF certified),
- payment providers (Stripe Ireland · PayPal Luxembourg),
- Google LLC (GA4, if active and consented · DPF certified),
- Meta Platforms (Pixel, if active and consented · DPF certified),
- Vercel (CDN edge nodes · DPF certified).
For more information about specific providers and their safeguards, contact privacy@yagopartal.com.
8. Cookies, analytics and advertising
This site uses cookies and similar technologies. Consent and configuration are managed via our cookie banner.
- You can accept, reject or configure categories (necessary, preferences, analytics, marketing).
- If you accept analytics/marketing, tools such as GA4 and the Meta Pixel may be activated on this website.
- Cookie preferences are stored locally in your browser (localStorage). No data about your consent choice is sent to external services.
If you disable cookies, some features may not work correctly (e.g. cart, login or preferences).
9. Your rights
As a data subject, you may exercise the following rights at any time:
- Access (GDPR art. 15): confirmation of whether we process your data and a copy of it.
- Rectification (art. 16): correction of inaccurate or incomplete data.
- Erasure (art. 17, “right to be forgotten”): request deletion when data is no longer necessary or you withdraw consent. Limitation: data registered on blockchain (Verisart) is technically irreversible · see §12.
- Restriction of processing (art. 18).
- Objection (art. 21), including objection to direct marketing.
- Portability (art. 20): receive your data in a structured, machine-readable format.
- Withdraw consent (art. 7.3) where processing is based on consent. Withdrawal does not affect prior lawful processing.
- Not to be subject to automated decisions with legal or similarly significant effects (art. 22). See §11.
How to exercise them: write to privacy@yagopartal.com (or mail@yagopartal.com with “GDPR Request” in the subject line). If we have reasonable doubts about your identity, we may request additional information for verification.
Response time: we will respond within 1 month of receipt (GDPR art. 12.3). In complex cases we may extend by 2 additional months, informing you of the reason.
Right to lodge a complaint: you may file a complaint with:
- the Spanish Data Protection Agency (AEPD) — lead supervisory authority, <www.aepd.es>;
- or with the supervisory authority of your country of residence in the EU/EEA: CNIL (France), BfDI or relevant Land authority (Germany), Garante (Italy), ICO (United Kingdom under UK GDPR), or other equivalent national authority.
10. Retention periods
| Processing | Period |
|---|---|
| Orders and purchase data | 6 years (AEAT tax obligations · Law 58/2003 art. 66) |
| Consumer complaints | 5 years (TRLGDCU + Civil Code) |
| Newsletter and marketing | Until you withdraw consent · if you unsubscribe, up to 12 additional months on suppression list to prevent resending |
| Logs and security | 12 months (legitimate interest in security) |
| Analytics cookies | Up to 14 months (GA4 server-side default) |
| Marketing cookies | Up to 90 days (Meta Pixel) or per consent |
| On-chain COA certificates (Verisart) | Permanent (blockchain technical limitation · see §12) |
11. Automated decisions
We do not make automated decisions with legal or similarly significant effects on you based exclusively on automated processing. Our payment providers (Shopify Payments, PayPal) may apply standard anti-fraud rules before approving transactions · this is considered necessary for contract execution and to prevent fraud under GDPR art. 6.1.b and 6.1.f.
12. Blockchain processing (Verisart · COA)
When you purchase a limited edition, we issue a certificate of authenticity (COA) registered through Verisart Ltd (United Kingdom) that anchors minimum metadata on public blockchain.
- On-chain data: cryptographic hash of the certificate, wallet address assigned to the certificate, timestamp. Your name, email or physical address are not published on-chain.
- Off-chain data (in Verisart and Zoo Portraits, S.L. systems): buyer name, email, artwork data and edition number. These are fully subject to your GDPR rights.
- Technical limitation of the right to erasure (art. 17.3.b GDPR): on-chain metadata is technically irreversible by blockchain design. Erasure is executed in Verisart and Zoo Portraits SL off-chain systems. On-chain data (not directly identifying) remains as an immutable record of the artwork’s authenticity · this is considered a legitimate limitation under EDPB Guidelines 4/2018.
- Legal basis: contract performance (GDPR art. 6.1.b) — the COA is part of the limited edition deliverable — and informed consent at purchase.
If this raises concerns before purchase, contact privacy@yagopartal.com.
13. Security
We apply reasonable technical and organizational measures to protect your data (access controls, encryption in transit via HTTPS, data minimization, etc.). No system is 100% secure; if we detect a relevant incident, we will act in accordance with applicable regulations (notification to AEPD and affected data subjects as per GDPR arts. 33-34).
14. Changes to this policy
We may update this Policy to reflect legal, technical or business changes. We will publish the current version on this page indicating the “Last updated” date.
15. Enhanced identity verification (anti-money-laundering KYC)
Purpose of processing
As a dealer in works of art, Zoo Portraits SL is a regulated party under Spanish Law 10/2010 of April 28 on the prevention of money laundering and terrorism financing. This regulation requires us to verify our customers’ identity and to document the source of their funds when certain thresholds are exceeded or when we detect risk indicators specified in the law.
We process your KYC data for two specific purposes:
- Compliance with the legal obligations of identification, due diligence, and recordkeeping imposed by Law 10/2010 (articles 4 through 7, 17, 25).
- Fraud prevention in individual transactions, through identity verification and ongoing monitoring of the business relationship.
Legal basis
- Compliance with a legal obligation (article 6.1.c GDPR), tied to articles 4, 5, 6, 7, 17, and 25 of Law 10/2010. This is the primary basis and covers identification, sanctions screening, source-of-funds declarations, and documentary retention.
- Legitimate interest in fraud prevention (article 6.1.f GDPR) for ongoing screening of our customer base against updated sanctions lists and for operational risk monitoring.
Categories of data we process
When enhanced verification applies, we may collect:
- Enhanced identification data: first and last name, date of birth, document number and type (national ID, residence permit, or passport), issuing country, expiration date, and document image.
- Proof of address: postal address and supporting document dated within the last 3 months (utility bill, bank statement, official residence certificate).
- Source of funds: signed written declaration regarding the origin of the money used for payment (in the higher tiers).
- Sanctions screening result: binary flags for matches against PEP (Politically Exposed Persons), OFAC (US Office of Foreign Assets Control), European Union, United Nations, and national lists.
We don’t process special categories of data (health, racial origin, sexual orientation, etc.) or data relating to criminal offenses, except when an objective match in a public sanctions list makes this necessary to fulfill our obligations.
Recipients
We share your KYC data only with:
- The sole director of Zoo Portraits SL, in their capacity as representative before the Spanish Anti-Money-Laundering Executive Service (SEPBLAC). Access is restricted to that individual.
- SEPBLAC, exclusively in the event of a suspicious activity report (article 18 of Law 10/2010). If such a report occurs, it is subject to strict confidentiality: the regulation itself prohibits us from informing you about it (article 24 of Law 10/2010).
- Stripe Identity (Stripe, Inc., USA), if you choose to use its automated document verification service. Stripe acts as a data processor under a contract signed pursuant to article 28 GDPR.
- OpenSanctions (Open Sanctions e.V., Germany), as the provider of cross-referencing against international sanctions lists. It acts as a data processor.
We don’t sell or share your data with third parties for commercial purposes or advertising profiling.
International transfers
If we use Stripe Identity, an international transfer to the United States takes place. This transfer relies on:
- The EU-US Data Privacy Framework (DPF) Adequacy Decision, in force since July 2023, with Stripe, Inc. certified under the framework.
- As a backup measure for possible future DPF changes, the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) included in our contract with Stripe.
Open Sanctions e.V. operates from Germany (EU); no international transfer is involved in sanctions screening.
Retention period
We retain your KYC data for 10 years from the end of the business relationship, in compliance with article 25 of Law 10/2010. This period is mandatory and prevails over your right to erasure under article 17.3.b GDPR.
After this period, we securely delete the data or, if tax obligations or defense against claims remain, we block them until those obligations are closed.
Your rights
As a data subject you can exercise:
- Access and rectification: yes, at any time. We respond within a maximum of one month (article 12 GDPR).
- Erasure: blocked during the mandatory 10-year legal period (article 17.3.b GDPR). Once that period ends, requests are handled without restriction.
- Portability: does not apply to this processing. Article 20 GDPR limits the right of portability to processing based on consent or contract performance; KYC data is processed under a legal obligation and falls outside the scope of portability.
- Objection: does not apply, for the same reasons as portability (the processing responds to a legal obligation).
- Complaint before the AEPD: you can file a complaint with the Spanish Data Protection Agency (aepd.es) if you believe the processing does not comply with the regulation.
To exercise your rights, contact us at privacy@yagopartal.com.
Security measures
We apply the following safeguards:
- AES-256 encryption at rest on the KYC database.
- TLS 1.3 encryption in transit on all communications containing KYC data.
- Access restricted to the sole director as SEPBLAC representative.
- Audited access log with 24-month retention covering every read or modification.
- Encrypted backups in separate storage with controlled access.
Applicable law: Regulation (EU) 2016/679 (GDPR) articles 6.1.c, 6.1.f, 12, 13, 17.3.b, 20, 28, 44 through 49; Spanish Organic Law 3/2018 on Personal Data Protection; Law 10/2010 of April 28, articles 4, 5, 6, 7, 17, 18, 24, and 25; Commission Implementing Decision (EU) 2023/1795 (DPF).
Privacy policy · v1.0 · revised 19 May 2026 · Yago Partal Studio