Privacy Policy
This Privacy Policy governs the processing of personal data that Artifex (hereinafter the “Platform” or the “Application”) collects from its users. Artifex is a marketplace that connects artisan sellers with buyers interested in handcrafted products. The Application is available on Google Play Store and Apple App Store.
Please read this Privacy Policy carefully before using the Application. By registering or using Artifex, you accept the processing of your personal data as described herein.
This policy is governed by Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”), Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (“LOPDGDD”) and Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (“LSSI-CE”).
1. Data Controller
| Controller | David Alonso Santos, self-employed professional |
| Tax ID (DNI) | 53473641K |
| Address | Calle de Alcorcón, 28, 28981, Parla, Madrid, Spain |
| Email | dalodev.dev@gmail.com |
2. Data We Collect
Artifex collects only the data strictly necessary to provide the service, in accordance with the principle of data minimization (Art. 5.1.c GDPR).
2.1. Registration Data
- Full name
- Email address
- Password (stored exclusively as a BCrypt hash; never stored in plain text)
2.2. Seller Profile (SELLER users only)
- Workshop name
- Professional bio
- Workshop location (city and province)
- Artisan specialties
- Profile photo
2.3. Order Data
- Buyer shipping address (street, city, postal code, province)
- Buyer notes to seller
2.4. Push Notification Data (new in v1.1)
- Device tokens (Firebase Cloud Messaging) for sending push notifications
- Notification interaction data (opened / dismissed)
2.5. Subscription Data (new in v1.1)
- Subscription plan type (FREE / PRO)
- Subscription status
- Purchase date
- Managed by RevenueCat
Artifex does NOT collect any financial data (credit cards, bank accounts). Subscription purchases are processed entirely by Google Play Store or Apple App Store.
2.6. Device Data
- Device model
- Operating system version
- App version
This data is used for sending push notifications and future analytics.
2.7. Technical Data
- IP address: collected only at the moment of accepting the Terms and Conditions or the Privacy Policy, as evidence of consent.
2.8. Data We Do NOT Collect
Artifex does not collect or process the following data:
- Bank data, IBAN, credit or debit card numbers
- Payment method data (Bizum, PayPal, bank transfer, etc.)
- Advertising identifiers (the Application does not contain advertising)
- Precise location data (GPS)
- Contacts, device photos, or microphone access
3. Purposes of Processing
| Purpose | Data Used |
|---|---|
| Account management | Name, email, password hash |
| Intermediation between buyers and sellers | Seller profile, order data |
| Service communications (order notifications) | Email, device token |
| Order management and tracking | Shipping address, buyer notes, order data |
| Push notifications about orders | Device token, order status |
| Subscription management | Subscription plan, status |
| Consent registration (GDPR) | IP address, date/time of acceptance |
| Legal compliance | Data as required by applicable law |
| Analytics & diagnostics (future) | Device data, app usage events, crash reports |
Artifex does NOT use personal data for commercial profiling, does NOT make automated decisions affecting users, and does NOT send third-party commercial communications.
4. Legal Basis (GDPR Article 6)
The processing of your data is based on the following legal grounds under Article 6 of the GDPR:
| Legal Basis | Applies To |
|---|---|
| Art. 6.1.a) Consent | IP address collection at the time of giving consent. |
| Art. 6.1.b) Contract execution | Account management, intermediation between buyers and sellers, seller profile, order management, and subscriptions. |
| Art. 6.1.c) Legal obligation | Data retention per applicable tax and commercial law obligations. |
| Art. 6.1.f) Legitimate interest | Platform security, fraud prevention, analytics and diagnostics to improve service quality. |
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Active account | While the account remains active. |
| After account deletion | Immediate anonymization of public profile. Legally required data is retained for the corresponding legal periods. |
| Consent records | 5 years (GDPR accountability principle, Art. 5.2 GDPR). |
| Order data | 5 years (tax and commercial obligations, Art. 30 Spanish Commercial Code). |
| Device tokens | Deleted when the user revokes notification permission or deletes their account. |
Once retention periods have elapsed, data will be deleted or irreversibly anonymized.
5bis. Analytics & Error Monitoring (new in v1.2)
To improve the stability, performance, and user experience of the Platform, Artifex uses Google Firebase Analytics and Google Firebase Crashlytics services.
Data Collected by Firebase Analytics
Firebase Analytics collects the following data automatically and through events defined by the Platform:
- Device information: model, operating system, app version, and screen resolution.
- Usage data: session duration, screens visited, actions performed within the application (such as viewing a product, adding to cart, placing an order, or publishing a product).
- Approximate geographic location, derived from the IP address (country/region level, never precise geolocation).
- User properties: account type (buyer, seller, or both) and subscription status (free or PRO).
Data Collected by Firebase Crashlytics
When an error or unexpected application crash occurs, Firebase Crashlytics collects:
- Technical error information: stack trace, device state at the time of the crash, operating system version, and app version.
- Internal user identifier (if logged in), in order to correlate errors with specific accounts and provide technical support.
Purpose of Processing
This data is used exclusively to:
- Detect and fix technical errors affecting application stability.
- Analyze usage patterns to improve user experience.
- Monitor the overall performance of the Platform.
Artifex does NOT use this data for advertising purposes, commercial profiling, or automated decision-making.
Legal Basis
Art. 6.1.f) GDPR (Legitimate interest): Ensuring the stability, security, and proper functioning of the Platform constitutes a legitimate interest of the controller that does not override the fundamental rights and freedoms of users, especially considering that the data is anonymized after the retention period.
Retention Period
Data collected by Firebase Analytics and Firebase Crashlytics is retained for a maximum period of 90 days on Google Firebase servers, after which it is automatically anonymized or deleted.
Data Processor
Google LLC acts as a data processor in relation to Firebase services, pursuant to the Google Cloud data processing agreement. Data is stored in the European region (GCP europe-west1).
Right to Object
If you wish to object to the collection of analytics and error data, you may do so by sending an email to dalodev.dev@gmail.com indicating your username and the subject “Analytics opt-out”. Artifex will disable analytics data collection on your account within a maximum of 15 business days. Please note that disabling Crashlytics may limit our ability to diagnose errors affecting your experience.
6. Data Recipients & Processors
Your personal data may be disclosed to the following recipients, acting as data processors (Art. 28 GDPR) or due to legal obligations:
6.1. Google Cloud Platform (GCP)
Server hosting infrastructure. Data processor under Art. 28 GDPR. Data hosted exclusively in the EU region. Google Cloud Standard Contractual Clauses (SCCs) apply.
6.2. Firebase / Google LLC
Push notification service via Firebase Cloud Messaging. Data is stored in the European Economic Area (EEA). Google Data Processing Terms apply.
6.3. Google Firebase (Analytics & Crashlytics) (new in v1.2)
Usage analytics and error monitoring services. Google LLC acts as a data processor pursuant to Article 28 of the GDPR. Data is processed on servers located in the European region (GCP europe-west1) and is automatically anonymized after 90 days.
6.4. RevenueCat, Inc. (new in v1.1)
Subscription management. Processes subscription status, purchase identifiers, and platform information. Privacy Policy: https://www.revenuecat.com/privacy. Covered by the EU-US Data Privacy Framework (adequacy decision) and Standard Contractual Clauses (SCCs) as a fallback mechanism.
6.5. SMTP Email Provider
Sending transactional emails (order notifications, account communications). Only the email address and message content are shared.
6.6. Data Shared Between Users
- The buyer’s shipping address and notes are shared with the seller for order fulfillment.
- The seller’s public profile is visible to all users of the Platform.
6.7. Public Authorities
Data may be disclosed to judicial, tax, or administrative authorities when required by applicable law.
Artifex does not sell or share personal data with third parties for commercial or advertising purposes.
7. International Data Transfers
| Provider | Location | Safeguards |
|---|---|---|
| Google Cloud Platform | European Union (EEA) | No transfers outside the EEA. |
| Firebase | EEA | Data processed in the EEA per Google infrastructure commitments. |
| RevenueCat, Inc. | USA | EU-US Data Privacy Framework (adequacy decision) + Standard Contractual Clauses (SCCs) as a fallback mechanism. |
Google Firebase stores and processes analytics and error data in the European region (GCP europe-west1). Although Google LLC is headquartered in the United States, the processing of this data takes place within the EEA pursuant to the European Commission’s Standard Contractual Clauses.
8. Push Notifications (new in v1.1)
Artifex sends push notifications to inform users about changes in their order status (new order, accepted, shipped, delivered).
- Device tokens are collected when the user grants notification permission on their device.
- Tokens are stored on Artifex servers and shared with Firebase Cloud Messaging exclusively for notification delivery.
- The user can disable notifications at any time from their device settings or from the Application’s own settings.
- Disabling notifications or deleting the account triggers the immediate deletion of device tokens from Artifex servers.
- Artifex may send promotional notifications about new features or subscription offers, always with the user’s prior explicit consent.
9. Analytics & Diagnostics (Future)
Artifex may implement the following services in future versions of the Application:
- Firebase Analytics: will collect app usage events, screen views, session duration, device model, and operating system version. No personally identifiable information will be collected.
- Firebase Crashlytics: will collect crash reports, stack traces, device model, and operating system version. Used exclusively to improve Application stability.
Legal basis: Legitimate interest (Art. 6.1.f GDPR) — improving the quality and stability of the service.
Users may opt out of analytics data collection from the Application settings.
This section will be updated when these services are activated. Users will be notified of any changes in accordance with section 14 of this policy.
10. Your Rights (GDPR)
Under the GDPR and LOPDGDD, you have the following rights over your personal data:
| Right | Description | GDPR Article |
|---|---|---|
| Access | Obtain confirmation of whether your data is being processed and, if so, access it. | Art. 15 |
| Rectification | Request correction of inaccurate or incomplete data. | Art. 16 |
| Erasure (right to be forgotten) | Request deletion of your data when it is no longer necessary, you withdraw consent, or you object to processing. | Art. 17 |
| Restriction | Request limitation of processing under certain circumstances. | Art. 18 |
| Portability | Receive your data in a structured, commonly used, and machine-readable format, and transmit it to another controller. | Art. 20 |
| Opposition | Object to the processing of your data, including processing based on legitimate interest or for marketing purposes. | Art. 21 |
How to Exercise Your Rights
- By email: dalodev.dev@gmail.com
- By postal mail: Calle de Alcorcón, 28, 28981, Parla, Madrid, Spain
Your request must include a copy of your identity document (DNI, NIE, or passport) to verify your identity.
We will respond to your request within a maximum of 30 days from receipt (Art. 12.3 GDPR). This period may be extended by an additional two months for complex or numerous requests, with prior reasoned notification.
Right to Lodge a Complaint
If you believe that the processing of your data violates your rights, you may file a complaint with the Spanish Data Protection Agency (AEPD):
- Website: https://www.aepd.es
- Address: C/ Jorge Juan, 6, 28001 Madrid
11. Security Measures
Artifex implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR), including:
- BCrypt password hashing: passwords are never stored in plain text.
- HTTPS/TLS encrypted communications: all communication between the Application and servers uses secure protocols.
- JWT authentication with temporal expiration, minimizing the risk of unauthorized access.
- Data minimization principle: only strictly necessary data is collected and processed.
- Restricted database access: only authorized personnel have access to personal data.
- Google Cloud Platform security infrastructure: we leverage the industry-leading security measures offered by GCP.
Data Breach Notification
In the event of a personal data breach, Artifex will notify the competent supervisory authority within a maximum of 72 hours (Art. 33 GDPR). If the breach poses a high risk to the rights and freedoms of users, they will be notified without undue delay (Art. 34 GDPR).
12. Children
Artifex is not intended for individuals under 18 years of age. We do not intentionally collect personal data from minors. Under Article 8 of the GDPR and Article 7 of the LOPDGDD, the processing of data from children under 14 requires the consent of their legal guardians.
If you become aware that a minor has registered on the Platform, please contact us at dalodev.dev@gmail.com so we can proceed with the immediate deletion of the account and its associated data.
13. Data Protection Officer
In accordance with Article 37 of the GDPR and Article 34 of the LOPDGDD, the appointment of a Data Protection Officer (DPO) is not mandatory for self-employed professionals who do not carry out large-scale processing of special categories of personal data.
For any inquiry regarding the protection of your personal data, you may contact the Data Controller directly at: dalodev.dev@gmail.com.
14. Modifications to This Policy
Artifex reserves the right to modify this Privacy Policy to adapt it to legislative, case-law, or technical developments.
- Changes will be communicated with a minimum notice of 30 calendar days through the Platform.
- Substantial changes will require the user’s explicit acceptance to continue using the service.
- We recommend periodically reviewing this policy to stay informed about how we protect your personal data.
15. Governing Law & Jurisdiction
This Privacy Policy is governed by applicable Spanish and European legislation on the protection of personal data, in particular:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016 (General Data Protection Regulation, GDPR).
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).
- Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE).
For the resolution of any dispute arising from this policy, the courts of the user’s domicile shall have jurisdiction, in accordance with applicable consumer protection legislation.
16. Contact
For any inquiry, complaint, or exercise of rights related to the processing of your personal data, you may contact us through:
- Email: dalodev.dev@gmail.com
- Postal address: David Alonso Santos, Calle de Alcorcón, 28, 28981, Parla, Madrid, Spain