Privacy Policy.

This Policy explains how we process personal data when you browse yagopartal.com, when you purchase from the store, or when you contact us.

This policy applies only to yagopartal.com. If you access other linked domains or services, their own policies will apply.

1. Data controller

Zoo Portraits, S.L. (Spain) Tax ID (NIF): B66773912 Address: C/ Diputacio 363, 08009 Barcelona, Spain Email: mail@yagopartal.com WhatsApp (messages only): +34 644 44 20 03 (no phone calls)

If you have privacy questions or wish to exercise your rights, write to mail@yagopartal.com.

2. What data we process

Depending on how you use the site, we may process:

• Purchase data: name and surname, email, phone (when needed for delivery or certain shipping methods), shipping/billing address, country, language/currency, order details, incidents and related communications.
• Payment data: information necessary to process the payment (e.g. transaction identifiers). We do not store full card details; these are managed by the payment provider.
• Customer account (if applicable): credentials and basic profile data.
• Communications: messages you send us (email or WhatsApp) and the information you include.
• Newsletter/marketing (if you subscribe): email and preferences, and delivery metrics (opens/clicks, depending on configuration).
• Abandoned carts and cart recovery (if enabled): cart information, technical identifiers and, if you provide your email during the process, communications to remind you of the cart.
• Technical and usage data: IP, session/cookie identifiers, browser, operating system, pages visited, usage events and similar data (especially if you accept analytics/marketing cookies).
• Security: logs and technical signals to prevent fraud and abuse.

We do not intentionally process special categories of data (health, ideology, etc.). Please do not share such data with us.

3. Where the data comes from

• Directly from you: when you purchase, register, fill in forms or write to us.
• From providers necessary for the order: payment confirmations, delivery incidents, tracking, etc.

4. Purposes, legal basis and retention

A) Purchasing and managing orders

Purpose: process the order, charges, on-demand production, shipping, support, returns/refunds. Legal basis: performance of contract (Art. 6.1.b GDPR) and legal obligations (Art. 6.1.c). Retention: during the purchase relationship and, thereafter, for the period required by tax/commercial regulations and to handle claims.

B) Payments

Purpose: process payments, handle refunds and prevent fraud. Legal basis: performance of contract (Art. 6.1.b) and, where applicable, legitimate interest in security (Art. 6.1.f). Retention: as necessary to manage the payment and applicable legal obligations.

C) Customer support (email / WhatsApp)

Purpose: respond to enquiries and manage incidents. Legal basis: legitimate interest (Art. 6.1.f) or performance of contract (Art. 6.1.b) if the enquiry relates to an order. Retention: as necessary to resolve the enquiry and maintain reasonable traceability.

D) Newsletter and commercial communications

Purpose: send you news, launches and commercial content. Legal basis: consent (Art. 6.1.a). Unsubscribe: you may unsubscribe via the link in the email or by writing to mail@yagopartal.com. Retention: until you withdraw your consent or request removal.

E) Cart recovery (if enabled)

Purpose: remind you of an initiated cart so you can complete the purchase. Legal basis: legitimate interest (Art. 6.1.f) in facilitating purchase completion, unless you object; and/or consent, depending on configuration and country. Objection: you may request that we not contact you for this purpose.

F) Analytics and marketing (cookies and similar technologies)

Purpose: measure usage, improve the website, and (if you accept) advertising/retargeting. Legal basis: consent (Art. 6.1.a) when not strictly necessary. Retention: according to the duration of each cookie/technology and the configuration you accept.

5. Mandatory or optional nature of data

• Data necessary for purchasing: if you do not provide it, we cannot process the order (e.g. shipping address).
• Optional data: newsletter, certain communications, or non-mandatory checkout fields.

6. Recipients of data

We share data only when necessary to provide the service, by legal obligation, or with your consent.

Usual processors on this website

• E-commerce platform and commerce backend: Shopify Inc. (Canada / USA) — order management, customer accounts, checkout, abandoned cart recovery.
• Frontend hosting and CDN: Vercel Inc. (USA) — delivery of yagopartal.com.
• Production and logistics POD (tier 1): Printful Inc. (USA / Latvia) — on-demand manufacturing and direct shipping, connected via Shopify.
• Fine art production and dropship (tier 2): WhiteWall GmbH (Germany) — fine art manufacturing and printing (Hahnemühle Photo Rag, Diasec, Hamburg frame, ArtBox) and direct shipping to buyer. Receives name, shipping address, phone and order data.
• Specialised fine art logistics (tier 3): Convelio / Velico SAS (France) — handling of high-value shipments with nail-to-nail insurance and coordinated delivery window.
• Payments:
  • Shopify Payments (Stripe Payments Europe Ltd, Ireland) — card payments and compatible methods.
  • PayPal Sàrl (Luxembourg) — if you choose that method.
• Email marketing and automations: Klaviyo Inc. (USA) — provider scheduled to be active from the launch of Animal Kinhood Drop 01 Otto on 1 July 2026. Klaviyo will process newsletter, segmentation and automated flows (welcome, abandoned cart, post-purchase), receiving email, name, order history and on-site behaviour (only if you have consented to tracking). Until that date, operational emails (order confirmation, shipping notifications) are handled by Shopify.
• Transactional email: Shopify Email for order confirmations and operational messages.
• Certificates of authenticity (COA) and blockchain: Verisart Ltd. (United Kingdom — EU adequacy decision 2021) — issuance and on-chain registration of certificates of authenticity. Receives buyer name, email, artwork data and edition number. Minimum metadata is registered publicly and irreversibly on blockchain (see §12 on technical limitations of the right to erasure).
• Invoicing and accounting: Holded SL (Spain) — invoicing, accounting and tax obligations. Receives identification data, billing address, NIF/VAT where applicable, amounts and invoice items.
• Cookie consent: custom cookie banner based on browser localStorage. No data about your consent choice is sent to external services.
• Analytics (only with your consent): Google LLC (USA) — Google Analytics 4 with IP anonymisation, without Google Signals or advertising features enabled.
• Marketing and retargeting (only with your consent): Meta Platforms Inc. (USA) — Meta Pixel for measurement of Facebook and Instagram campaign conversions.

Other recipients

• Carriers (to deliver orders).
• Banks / payment entities (depending on the chosen method).
• Public authorities (if required by law: tax, consumer, etc.).

We do not sell your personal data.

7. International transfers

Some processors above process data outside the European Economic Area (EEA), mainly in the USA and United Kingdom. We apply the following safeguards:

• USA: we rely on the EU-US Data Privacy Framework (DPF) adequacy decision (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) where the processor is DPF-certified. Certified: Google LLC, Meta Platforms Inc., Klaviyo Inc., Vercel Inc. Check certifications at https://www.dataprivacyframework.gov/list. As a fallback in case of DPF invalidation (Schrems III review pending at the CJEU), we apply the Standard Contractual Clauses (SCCs) approved by Commission Implementing Decision (EU) 2021/914.
• United Kingdom: EU-UK adequacy decision (2021/1772) + UK International Data Transfer Agreement (IDTA) as fallback.
• Other third countries without adequacy: SCCs + documented Transfer Impact Assessment (TIA).

Usual examples:

• Shopify (infrastructure, commerce backend and payments),
• Printful (depending on production/shipping centre),
• Verisart (blockchain certificates of authenticity · UK adequacy),
• Klaviyo (email marketing · DPF certified),
• payment providers (Stripe Ireland · PayPal Luxembourg),
• Google LLC (GA4, if active and consented · DPF certified),
• Meta Platforms (Pixel, if active and consented · DPF certified),
• Vercel (CDN edge nodes · DPF certified).

For more information about specific providers and their safeguards, contact privacy@yagopartal.com.

8. Cookies, analytics and advertising

This site uses cookies and similar technologies. Consent and configuration are managed via our cookie banner.

• You can accept, reject or configure categories (necessary, preferences, analytics, marketing).
• If you accept analytics/marketing, tools such as GA4 and the Meta Pixel may be activated on this website.
• Cookie preferences are stored locally in your browser (localStorage). No data about your consent choice is sent to external services.

If you disable cookies, some features may not work correctly (e.g. cart, login or preferences).

9. Your rights

As a data subject, you may exercise the following rights at any time:

• Access (GDPR art. 15): confirmation of whether we process your data and a copy of it.
• Rectification (art. 16): correction of inaccurate or incomplete data.
• Erasure (art. 17, “right to be forgotten”): request deletion when data is no longer necessary or you withdraw consent. Limitation: data registered on blockchain (Verisart) is technically irreversible · see §12.
• Restriction of processing (art. 18).
• Objection (art. 21), including objection to direct marketing.
• Portability (art. 20): receive your data in a structured, machine-readable format.
• Withdraw consent (art. 7.3) where processing is based on consent. Withdrawal does not affect prior lawful processing.
• Not to be subject to automated decisions with legal or similarly significant effects (art. 22). See §11.

How to exercise them: write to privacy@yagopartal.com (or mail@yagopartal.com with “GDPR Request” in the subject line). If we have reasonable doubts about your identity, we may request additional information for verification.

Response time: we will respond within 1 month of receipt (GDPR art. 12.3). In complex cases we may extend by 2 additional months, informing you of the reason.

Right to lodge a complaint: you may file a complaint with:

• the Spanish Data Protection Agency (AEPD) — lead supervisory authority, <www.aepd.es>;
• or with the supervisory authority of your country of residence in the EU/EEA: CNIL (France), BfDI or relevant Land authority (Germany), Garante (Italy), ICO (United Kingdom under UK GDPR), or other equivalent national authority.

10. Retention periods

Processing	Period
Orders and purchase data	6 years (AEAT tax obligations · Law 58/2003 art. 66)
Consumer complaints	5 years (TRLGDCU + Civil Code)
Newsletter and marketing	Until you withdraw consent · if you unsubscribe, up to 12 additional months on suppression list to prevent resending
Logs and security	12 months (legitimate interest in security)
Analytics cookies	Up to 14 months (GA4 server-side default)
Marketing cookies	Up to 90 days (Meta Pixel) or per consent
On-chain COA certificates (Verisart)	Permanent (blockchain technical limitation · see §12)

11. Automated decisions

We do not make automated decisions with legal or similarly significant effects on you based exclusively on automated processing. Our payment providers (Shopify Payments, PayPal) may apply standard anti-fraud rules before approving transactions · this is considered necessary for contract execution and to prevent fraud under GDPR art. 6.1.b and 6.1.f.

12. Blockchain processing (Verisart · COA)

When you purchase a limited edition, we issue a certificate of authenticity (COA) registered through Verisart Ltd (United Kingdom) that anchors minimum metadata on public blockchain.

• On-chain data: cryptographic hash of the certificate, wallet address assigned to the certificate, timestamp. Your name, email or physical address are not published on-chain.
• Off-chain data (in Verisart and Zoo Portraits, S.L. systems): buyer name, email, artwork data and edition number. These are fully subject to your GDPR rights.
• Technical limitation of the right to erasure (art. 17.3.b GDPR): on-chain metadata is technically irreversible by blockchain design. Erasure is executed in Verisart and Zoo Portraits SL off-chain systems. On-chain data (not directly identifying) remains as an immutable record of the artwork’s authenticity · this is considered a legitimate limitation under EDPB Guidelines 4/2018.
• Legal basis: contract performance (GDPR art. 6.1.b) — the COA is part of the limited edition deliverable — and informed consent at purchase.

If this raises concerns before purchase, contact privacy@yagopartal.com.

13. Security

We apply reasonable technical and organisational measures to protect your data (access controls, encryption in transit via HTTPS, data minimisation, etc.). No system is 100% secure; if we detect a relevant incident, we will act in accordance with applicable regulations (notification to AEPD and affected data subjects as per GDPR arts. 33-34).

14. Changes to this policy

We may update this Policy to reflect legal, technical or business changes. We will publish the current version on this page indicating the “Last updated” date.

Privacy policy · v1.0 · revisado 19 May 2026 · Yago Partal Studio