Privacy Policy

Emoz Privacy Policy

Last updated: September 20, 2025

In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights, Customers and the general public are hereby informed of the following:

1. Introduction

This document constitutes the Privacy Policy of the EMOZ technology platform (hereinafter, "EMOZ") available at www.emoz.io (hereinafter, the Website) with regard to the processing of the personal data of its Customers or Users, when they are natural persons.

The party that contracts the services of EMOZ shall be referred to as the Customer or User (or Customers or Users, in the plural).

2. Who is responsible for processing your data?

Collarium Tech, S.L., identified with Tax ID number B68222921 (hereinafter, the "Company").

  • Postal address: Paseo de Gracia 53, Ático 08007, Barcelona (Spain)
  • Email: privacy@emoz.io

3. What personal data do we process and where does it come from?

In the course of your relationship with us, only the following categories of personal data will be processed:

Customer identification data:

  • Full name and email address
  • SHA-256 hash of the User's file whose authorship or copyright (if it contains a work) or ownership (if it is digital content not considered a work under current legislation) is to be certified through EMOZ, only and exclusively when said file contains personal data
  • Basic transactional data (payments)

The data will come from the data subject themselves (User or Customer who is a natural person).

4. Where is Users' personal data stored?

The personal data provided by Users, i.e., their identifying data (full name and email address) and the SHA-256 hash of their file, are first stored in the Company's database. This database is hosted on Amazon Web Services (AWS) servers deployed in the European Union region and is a PostgreSQL-type RDS.

The User grants the Company a mandate agreement, which the Company accepts on the spot, to proceed with the creation of an NFT as a technological means to certify that on a specific date and time a specific work or digital content has been registered on the Polygon blockchain in the name of the Customer. This mandate agreement is understood to be confirmed by the User upon acceptance of this Privacy Policy and EMOZ's ToS.

Important: Once the NFT has been created and the corresponding certificate of authorship (or intellectual property) of their work or ownership of their digital content has been issued, the transaction recorded on the blockchain will be irreversible, permanent, immutable, and will continue to exist on the blockchain network, even if EMOZ ceases to operate or disappears.

As clearly and thoroughly explained in EMOZ's ToS, which you have read, understood, and accepted before being able to use EMOZ's services, EMOZ enables Users to obtain certification of authorship of works and certification of ownership of digital content other than a work, stored in both cases in digital files, by registering a fingerprint (hash) on the Polygon public blockchain.

The User also understands that the NFT created by the EMOZ smart contract, being published on a public blockchain (Polygon), cannot be altered, deleted, or destroyed, and includes a public and immutable timestamp. This guarantees that the certificate is permanent and will never disappear, even in the hypothetical case that EMOZ ceases its activity, and serves as technical proof of existence and authorship linked to the original file, without the need to rely on private or centralized databases.

The Customer also understands that the data stored on this blockchain is public. Each NFT generated by EMOZ stores in clear text (i.e., unencrypted or plain text) the fingerprint (hash) of the file containing the User's work or digital content, as well as the algorithm used (in this case, SHA-256).

All other data stored by the EMOZ smart contract is encrypted. This metadata contains the full name and surname, as well as the User's email hash, in addition to the declaration of authorship or intellectual property over the work (or, as the case may be, the declaration of ownership over the digital content). All this data is encrypted with XSalsa20-Poly1305, which is a symmetric encryption algorithm with authentication, before being recorded on the blockchain.

In any case, since the original file always remains in the User's possession, the User is solely responsible for its proper safekeeping.

5. How do we protect your personal data?

The Company has adopted the appropriate technical and organizational measures to ensure an adequate level of security in view of the potential risks involved, taking into account the current state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of probability and severity for the rights and freedoms of natural persons.

However, in compliance with the mandate agreement given by the User, before proceeding to register their personal data on the Polygon public blockchain, the Company has adopted a series of technical and organizational measures to prevent such data from being stored on the blockchain in a directly identifiable form. These measures are specifically as follows:

Hashing of personal data:

What the Company records on the Polygon blockchain is only the SHA-256 hash (fingerprint) of the User's digital file and the SHA-256 hash of their email address. The Company does not store or save the digital file anywhere: only the hash and the file name are transmitted to the EMOZ database and servers.

Encryption of personal data:

The Company encrypts the User's full name and surname, as well as the hash of their email address, using XSalsa20-Poly1305, which is a symmetric encryption algorithm with authentication, before they are recorded on the blockchain.

However, the User understands that neither hashing nor encryption of personal data removes the obligation to apply the GDPR, as hashes and encrypted personal data remain personal data. The User also understands that all these measures may not be sufficient to guarantee the necessary level of confidentiality for storing personal data on a public blockchain such as Polygon.

6. For what purpose do we process your personal data?

Your personal data will be processed by the data controller for the following purposes:

  • To create and manage User accounts
  • To generate valid and verifiable proof of existence at a specific date and time of the User's digital file containing a work or digital content other than a work, by registering a fingerprint (hash) on the Polygon public blockchain
  • To send the User communications related to EMOZ, such as service updates, respond to support queries, and send important notices
  • To send commercial communications
  • To browse through EMOZ, in accordance with the Cookies Policy, which can be consulted at the following link: https://emoz.io/cookies-policy

7. EMOZ does not store Users' financial data

Neither the Company nor the EMOZ platform has access to or stores Users' financial data. All payments made for the use of EMOZ services are managed through the Paddle platform (https://www.paddle.com/), an external payment processor managed by Paddle Payments Ltd.

The Company has delegated the management of payments for the use of its services to Paddle. Therefore, Paddle is responsible for processing Customer payments, storing Users' debit, credit, or prepaid card numbers, collecting applicable taxes, and transferring them to the relevant tax authorities.

In the EMOZ database, the Company only and exclusively records general transactional or payment data of the User, such as the transaction ID and checkout ID, both generated by Paddle, as well as the currency used by the User, the date and time of payment, and the total amount of the payment.

Security Standards: Paddle guarantees that it complies with PCI and SOC2 security standards, as well as the California Consumer Privacy Act (CCPA), in addition to the GDPR.

8. What is the legal basis for the processing of your data?

Purpose Basis for Processing
Generate valid and verifiable proof of existence at a specific date and time of the User's digital file Processing necessary for the execution of a contract to which the Customer is a party; and/or legitimate interest of the data controller; and the User's consent
Handling of Customer requests Processing based on the consent of the data subject and/or the legitimate interest of the data controller
Compliance with legal obligations Processing necessary for compliance with legal obligations applicable to the data controller
Formalization and execution of the contract Processing necessary for the execution of the ToS to which the Customer is a party
Sending commercial communications Processing based on the consent of the data subject

9. How long do we keep your personal data?

In general, your data will only be kept for as long as is strictly necessary for the purpose for which it was collected.

The data collected for the formalization and execution of the contract will be kept in the Company's database for the duration of the contractual relationship, as well as for the period necessary for the formulation, exercise, or defense of claims, for a minimum of five years.

Blockchain Data: However, the encrypted identification data of Users (full name and SHA-256 hash of their email address) and the SHA-256 hash of their digital file, which have been recorded in the Polygon blockchain, will remain indefinitely unchanged and will not be subject to deletion, due to the very nature of the technology used (blockchain).

Personal data provided for the purpose of managing any request for information, complaint, suggestion, claim, exercise of data protection rights, etc., will be kept for the time necessary to process the request, and in any case for the time established by law.

Data processed for the fulfillment of legal obligations will be kept for the time established in the applicable legislation.

Data processed for the purpose of sending commercial communications will be kept until the data subject revokes their consent and/or exercises their rights of opposition and/or deletion.

10. To whom will your data be communicated?

To ensure adequate service provision, certain service providers need to process User data on behalf of the data controller and as data processors.

Your personal data will not be disclosed to third parties except where there is a legal obligation, legitimate interest, or prior consent of the data subject, as well as to the recipients detailed below:

  • AWS, for the provision of hosting, storage, and digitization services for EMOZ information
  • Paddle, for the provision and management of EMOZ payment services, under the terms indicated in section 7 of this document

11. What are your rights when you provide us with your data?

With regard to the User's personal data stored in the Company's database (outside the Polygon blockchain), the User may at any time exercise their rights of:

  • Access
  • Rectification of inaccurate data (right to rectification)
  • Request deletion (right to erasure), when, among other reasons, the data is no longer necessary for the purposes for which it was collected
  • Request the limitation of the processing of their data (right to restriction of processing)
  • Object and the right to data portability
  • Revoke, at any time, the consent given for the processing of their data

To exercise these rights, you must send an email to privacy@emoz.io or write to Paseo de Gracia 53, Ático 08007, Barcelona, Spain.

Blockchain Limitations: As for the User's personal data recorded on the Polygon blockchain, as already indicated, due to the technical properties of the blockchain, in practice, it is not technically possible for the User to exercise their rights of rectification and erasure (right to be forgotten) with respect to their encrypted identifying data.

These rights also entitle you to object to the sending of commercial communications by electronic means from EMOZ, for which you may contact the above addresses or follow the instructions provided in each commercial communication you receive.

In addition, all non-transactional emails (i.e., those that are not mandatory for the provision of EMOZ services) will always include a link allowing the User to unsubscribe and stop receiving further messages.

12. Cookies

EMOZ uses technical cookies that are essential for the functioning of its Website, as well as analytical cookies (such as Google Analytics) to understand User behavior and improve its services.

Users can accept, reject, or configure the use of cookies through the banner enabled on their first visit to the Website or from the "Cookie Settings" section. For more information, please see our detailed Cookie Policy at https://emoz.io/cookies-policy.

13. Complaints related to data protection

Users may always contact the EMOZ Privacy Office. For any questions related to the processing of your personal data, you can write to privacy@emoz.io.

If you believe that your rights under the GDPR have been infringed, you may lodge a complaint with your local supervisory authority and, in the case of Spain, with the Spanish Data Protection Agency (www.aepd.es), if you disagree with the response you have received from the Company.

The Company may update this document in the future. The date of its entry into force is indicated at the top. Please check this information periodically to ensure that you are aware of the latest version.