Your data, handled with care.

Ediccio Digital Publishing SL ("Ediccio", "we", "us", "our") provides customer-memory infrastructure for software teams. We are based in Sant Cugat del Vallès, Barcelona, Spain, and the European Union's General Data Protection Regulation (GDPR) is our baseline.

We act in two distinct roles, and it matters which one applies to you:

• Controller. For personal data about people who interact with Ediccio directly (you visit ediccio.ai, request access, apply to be a design partner, contact us, or hold an Ediccio account), we decide why and how the data is used. This notice covers that data.
• Processor. When a business customer uses Ediccio to power features in their own product, the end-user data that flows through Ediccio belongs to that customer. They are the controller; we process it only on their documented instructions, under a data-processing agreement. The notice that governs those end-users is the customer's own privacy notice, not this page. How we handle that data, where it runs, and who the sub-processors are is disclosed at /trust/substrate.

For any question about this notice or about how we handle your personal data, write to privacy@ediccio.com.

As a controller, we collect the following categories of personal data:

• Information you provide. Your name, work email, company, role, and anything you write when you request access, apply as a design partner, fill in a form, or email us. If you hold an account, the identifiers and settings tied to it. If you become a paying customer, the billing and tax details needed to invoice you.
• Information collected automatically. Minimal technical data generated when you use ediccio.ai or the service: device and browser type, approximate location derived from IP address, and security and diagnostic logs. We do not build advertising or behavioral profiles of site visitors.
• Data from connected platforms and integrations. Where you or your organisation connects a third-party platform or integration to Ediccio, we receive data from that platform solely to deliver the features you asked for. We use it for that purpose, not for advertising, and not for any use the connecting party did not authorise. See section 5.

We do not knowingly collect more data than we need for the purposes below, and we do not collect special-category data (health, biometric, and similar) for our own purposes.

We use personal data only for the purposes below. For each, we name the legal basis we rely on under the GDPR.

We do not use your personal data for automated decisions that produce legal or similarly significant effects on you.

We share personal data only with the recipients below, and only to the extent each purpose needs:

• Service providers acting on our instructions. The infrastructure, AI-inference, hosting, communication, and payment providers that help us run the service, under contract and on our instructions. The named sub-processors that touch service data, with their region and role, are published at /trust/substrate.
• Professional advisers. Lawyers, auditors, and accountants, under confidentiality obligations.
• Authorities and courts. Where we are legally required to share data, or to protect our rights or the safety of others.
• A successor entity. In a merger, acquisition, or sale of assets, with appropriate safeguards and notice where required.

We do not sell personal data, and we do not share it for cross-context behavioral advertising.

Ediccio is built to receive data from other platforms and integrations that you, or the organisation you belong to, choose to connect. When a connection is established:

• We receive only the data the connection is scoped to, and we use it solely to provide the features the connecting party asked for.
• We do not use that data for advertising, and we do not combine one organisation's data with another's.
• The connecting party can disconnect the integration at any time, and can ask us to delete the data we received through it. We act on a deletion request within the timelines in section 7.
• Each connected platform has its own privacy policy and controls. Your relationship with that platform is governed by its terms, which we encourage you to review.

Service data is processed in the European Union by default. Where any personal data is transferred outside the European Economic Area (for example, a content-delivery edge that serves the public website, or a DNS and certificate control plane that holds no personal data), we rely on a recognised transfer mechanism: an adequacy decision where one exists, or the European Commission's Standard Contractual Clauses with supplementary safeguards. To request a copy of the safeguards that apply to a specific transfer, write to privacy@ediccio.com.

We keep personal data only for as long as we need it for the purposes in this notice, then we delete or anonymise it.

• Enquiries and applications. Up to 24 months after our last exchange, unless you ask us to delete sooner.
• Account and billing data. For the life of the account, and afterwards only for the period tax and accounting law requires.
• Security and diagnostic logs. A short rolling window for security and operations, then deleted.
• Service data and data from connected integrations. Deleted on request. We act within 30 days of a verified deletion request, and backups age out on a defined rotation within the same window. The mechanism is described at /trust/substrate.

Customer profiles are uniquely sensitive, so security constrains the architecture rather than sitting beside it. We apply technical and organisational measures appropriate to the risk, including:

• Encryption of personal data in transit and at rest.
• Strict access controls, authentication, and need-to-know access for staff.
• Logical separation so one organisation's data is not exposed to another.
• Security testing, monitoring, and an incident-response process.
• Contractual security obligations on our service providers.

No system is perfectly secure. If we become aware of a personal-data breach likely to put your rights at risk, we will notify the relevant supervisory authority, and you where the law requires, within the applicable timelines.

Depending on where you live, you have some or all of these rights:

• Access a copy of the personal data we hold about you.
• Rectify data that is inaccurate or incomplete.
• Erase your data ("right to be forgotten").
• Restrict or object to certain processing, including direct marketing.
• Portability: receive your data in a structured, machine-readable format.
• Withdraw consent at any time where we relied on it, without affecting prior processing.

To exercise any right, write to privacy@ediccio.com. We may ask for enough information to confirm your identity before we act, to protect your data against impersonation. We respond within one month, and will tell you if a complex request needs longer. There is no fee unless a request is manifestly unfounded or excessive.

If you are not satisfied with our response, you may lodge a complaint with a supervisory authority. In Spain this is the Agencia Española de Protección de Datos (AEPD); in the rest of the European Union it is the authority where you live, work, or where the issue arose.

The public website runs on strictly necessary cookies and equivalent storage: the items needed to serve pages securely and to remember choices you make. We do not use advertising or cross-site tracking cookies on ediccio.ai. Where the service uses cookies, they are for authentication and session management only. You can control cookies in your browser, though disabling the essential ones may affect how the site works.

Ediccio is a tool for businesses and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us data, write to privacy@ediccio.com and we will delete it.

We may update this notice, for example when we add a feature, change a provider, or respond to a change in the law. The effective date at the top shows when the current version took effect. Where a change is material, we will give notice before it takes effect through the service or by email.

• Data controller: Ediccio Digital Publishing SL
• Privacy contact: privacy@ediccio.com
• Based in: Sant Cugat del Vallès, Barcelona, Spain
• Sub-processors and substrate disclosure: /trust/substrate