Privacy Policy
Last Updated: December 23rd, 2025
PLEASE READ CAREFULLY THIS PRIVACY POLICY BEFORE USING THE SERVICES.
1. Introduction
This Privacy Policy (“Policy”) applies to Gataca Labs S.L.U. and to our controlled affiliates and subsidiaries (collectively referred to as "Gataca", "we", "our", or "us").
At Gataca we take your privacy very seriously. This Policy explains, in a clear and transparent manner, how and when we collect, share and protect Personal Data as defined below in our capacity as “data controller”.
Specifically, this Policy applies to our websites, Gataca Studio (including the product extensions Vouch and Enterprise Wallet), Gataca Wallet, Gataca Attest, and our other products and services available directly to consumers (collectively, the “Services”) provided by Gataca and defined in applicable Terms of Service. This statement applies to Services that display or reference this Policy, but it does not apply to any services that display or reference a different privacy statement. Please note that anonymized information or purely statistical data is not “personal data” under applicable law, so this Policy does not apply to how we use that information.
Additionally, certain Gataca products and services are intended for and provided to businesses and other organizations, and not individual consumers or end-users. In some cases, in providing those products and services, we process personal data of consumers or end-users at the direction of our enterprise customers. When we do, we do so as a service provider or a “data processor” to those organizations, but we do not control and are not responsible for the privacy practices of those organizations. Collectively this processing is Gataca’s “Processor Activities.” This privacy policy does not apply to Personal Data we process in our Processor Activities. If you are a consumer or end-user of one of those organizations, you should read that organization’s privacy policy and direct any privacy inquiries to that organization.
California consumers can find specific disclosures, including “Notice at Collection” details, by clicking here.
2. Definitions
Client: Any individual that is acting in their professional/employment capacity for a business or other organization that is an actual or prospective enterprise customer of Gataca.
Data Subject: Any individual who is not a Client and whose Personal Data is subject to this Policy.
Personal Data: Personal data about identified or identifiable natural persons.
DIDs: randomly generated decentralized identifiers, as defined in the W3C Recommendation Decentralized Identifiers (DIDs) v1.0.
Verifiable Credentials (VCs): tamper-proof electronic documents stored in ID Wallets that contain Personal Data about an individual. Example VCs are Legal Age Credentials, Verified Identity Document Credentials, Phone Credentials and Email Credentials.
Cryptographic Keys: Cryptographic material associated with randomly generated decentralized identifiers that we use in the Services to execute signing and encryption or decryption activities on your behalf.
3. Information, Collection and Use
By reading this Policy, you are informed of the circumstances in which Personal Data will be processed in relation to the Services. Furthermore, in the event that this is the necessary legal basis for the processing of your data, your free, informed, specific and unambiguous consent will be requested so that Personal Data about you may be processed by Gataca.
4. What Personal Data does Gataca Collect?
The processing of Personal Data depends on how you interact with us, the Services you use, and the choices you make. The Personal Data in question is collected from a number of different sources and in various ways when you use our Services, including information you provide directly, information collected automatically, information from third-party data sources, and data we infer or generate from other data.
Data that you provide directly. We collect Personal Data you provide to us. This includes for example:
- Identification data: Name, username or alias, Cryptographic Keys, DIDs and similar identifiers, customer or employee numbers.
- Contact information: telephone number, e-mail address, and mailing (postal) address;
- Demographic data: age, sex/gender, marital status, country of residence, and similar demographic details.
- Payment information: credit card numbers, financial account information, and other payment details;
- Content and files: We collect the photos, documents, or other files you upload to our Services; and if you send us email messages or other communications, we collect and retain those communications;
- Professional or employment-related information: Business contact information (such as title/role, employer, and signature), resumes and curriculum vitaes, letters of interest, degrees, qualifications, and academic transcripts;
- Sensitive Personal Data: a. Government IDs: copies of government-issued documents such as driver’s license, passport, or social security cards; b. Biometric information: facial images; c. Sexuality: your sex life or sexual orientation if you use our services to verify your age.
Data that we collect automatically. When you use our Services, we collect some information automatically. For example:
- Device information: When you visit our websites, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in our Cookie Policy, our websites and online services store and retrieve cookie identifiers, mobile IDs, and other data.
- Geolocation data: Depending on your device and app settings, we may collect geolocation data when you use our apps or online services.
- Usage data: We automatically log your activity on our Services, including the URL of the website from which you came to our sites, the pages that you viewed, the time spent on those pages, access times, and other details about your use of and actions on our Services.
Data that we create or generate. We create new information such as DIDs or other identifiers, and associated Cryptographic Keys on your behalf or infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics (“inferences”). For example, we infer your general geographic location (such as city, state, and country) based on your IP address and your legal age threshold based on your birth date.
Data that we obtain from third-party sources. We also obtain the types of information described above from third parties. These third-party sources include, for example:
- Service providers. Third parties that collect or provide data in connection with work they do on our behalf, for example companies that provide us with your device’s location based on its IP address.
- Publicly available sources. Public sources of information such as open government databases.
When you are asked to provide Personal Data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.
5. Purposes and legal basis for the processing of Personal Data
5.1 To deliver our Services
The primary objective of our Personal Data processing is to provide and deliver our Services, including troubleshooting, improving, and personalizing those Services. The processing of Personal Data is legally based on the execution of the terms that regulate the use of our Services.
The categories of Personal Data processing vary depending on the specific Service accessed:
5.1.1 Gataca Wallet
Categories of data: Identification data; Contact information; Content and files; Device information; Inferences.
We collect Wallet and device identifiers and the email address you used to create your Wallet account with the sole purpose of providing you with the Wallet Service. Additionally, we may process Personal Data to improve our Services and to respond to inquiries you may have. This includes providing customer support and detecting, preventing, and addressing technical issues related to the Services.
We do not collect or have access to VCs stored in the Gataca Wallet or how you use them. We will only collect or have access to VCs in your Wallet if you have proactively and with explicit consent provided them from your Wallet to us. We will retain VCs that you provide directly to Gataca until you withdraw your consent through the Gataca Wallet interface.
VCs will remain stored in your Wallet until you delete them. If you delete a credential from your Wallet, the associated data will be removed from your Wallet. However, this does not affect any copies retained by the VC issuer. If we issued the credential, you can find information on how to exercise your right of erasure in the section of this Policy titled “Your Data Protection Rights”. Otherwise (if the credential was issued by another third party or as part of our Processing Activities), you must contact the appropriate issuer directly to request the blocking or deletion of such data from the issuer’s systems.
The processing of Personal Data is legally based on the execution of the End User License Agreement, as well as to fulfill our legal obligations.
5.1.2 Gataca Studio
Categories of data: Identification data; Contact information; Demographic data; Payment information; Content and files; Professional or employment-related information; Sensitive Personal Data; Device information; Geolocation data; Usage data; Inferences.
Gataca Studio is intended for and provided to businesses and other organizations, and not individual consumers or end-users. In providing Gataca Studio, we process personal data of consumers or end-users at the direction of our enterprise customers. These Processor Activities are governed by individual contractual agreements with our Clients.
We collect and process Personal Data from our Clients with the sole purpose of managing the legal relationship established under these individual contractual agreements. This encompasses the management of administrative, fiscal, billing, operation, and accounting activities, as well as the evaluation and monitoring of Services.
The legal basis for this processing includes the performance of the contractual relationship and our legitimate interest in ensuring efficient Services delivery and compliance.
5.1.3 Gataca Vouch
Categories of data: Identification data; Contact information; Demographic data; Payment information; Content and files; Professional or employment-related information; Sensitive Personal Data; Device information; Geolocation data; Usage data; Inferences.
Gataca Vouch is a product designed to facilitate secure information exchange between end-users and Clients, with Gataca acting as a trusted intermediary.
This Policy applies to processing in connection with Gataca Vouch to the extent that you, as such an end-user, use Gataca Vouch to request that we transfer your Personal Data to a third party. The remainder of this explanation addresses this situation (in all other situations, Gataca Vouch is limited to Processor Activities).
Before collecting the required information and transferring it to the third party, we will request your explicit consent. In this process, we will clearly inform you about the Personal Data or VCs we need you to provide, and which specific information will then be transferred to the third party.
We will only request from you the minimum information necessary to provide a response to the third party, and we will only share with the third party the minimum information required by such third party. For example, in the case of the use of Vouch for age assurance services, Gataca will collect your legal age VC or a facial image to determine if you meet the required legal age and we will only provide the third party with an anonymous authorization token indicating whether you meet the required legal age.
Immediately after providing the required information to the third party, we delete all Personal Data we received from you except proof of your consent to sharing Personal Data with us, which includes your DID or similar pseudonymous identifiers. We will not retain any link between you and the third party.
The legal basis for this processing is based on the provisioning of the data exchange service requested by you, as governed by the End User License Agreement. In addition, the processing of special categories of data (as defined by applicable law) will be based on your explicit consent.
5.1.4 Gataca Attest
Categories of data: Identification data; Contact information; Demographic data; Payment information; Content and files; Professional or employment-related information; Sensitive Personal Data; Device information; Geolocation data; Usage data; Inferences.
Gataca Attest is a product that enables Gataca to issue VCs to you, with Gataca acting as issuer. This service is primarily integrated into the Gataca Wallet, although these VCs may be issued to other digital wallets that integrate the Gataca Attest service.
In the event that you choose to store these credentials in a different (non-Gataca) wallet, we recommend you consult that wallet’s privacy policy to understand how that data will be processed.
When you request Gataca to issue any type of VCs, Gataca will process Personal Data necessary to carry out such request. This data is processed for the sole purpose of producing the requested VC and maintaining its status.
The removal of VCs from the Wallet does not imply the deletion of the data in Gataca Attest. To request your right of erasure you can refer to the section in this Policy entitled “Your Data Protection Rights”. Personal Data processed to issue VCs by Gataca will be retained for as long as necessary to fulfill our legal obligations.
The legal basis for this processing is based on the provisioning of the Service requested by you to issue a VC, as governed by the End User License Agreement. In addition, the processing of special categories of data (as defined by applicable law) will be based on your explicit consent.
5.2 To conduct our business operations
Categories of data: Identification data; Contact information; Demographic data; Payment information; Content and files; Professional or employment-related information; Sensitive Personal Data; Device information; Geolocation data; Usage data; Inferences.
We process Personal Data to operate our business, such as performing billing and accounting activities, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations.
The legal basis for this processing includes the performance of the contractual relationship and our legitimate interest in ensuring efficient Services delivery and compliance.
5.3 To send communications
Categories of data: Identification data; Contact information; Content and files; Device information; Geolocation data; Usage data; Inferences.
We process Personal Data to send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages. The legal basis for this processing is based on the provisioning of the Service requested by you, as governed by the End User License Agreement.
5.4 To provide customer support and respond to any inquiry
Categories of data: Identification data; Contact information; Demographic data; Payment information; Content and files; Professional or employment-related information; Sensitive Personal Data; Device information; Geolocation data; Usage data; Inferences.
We process Personal Data to provide support while detecting, preventing, and addressing technical issues related to our Services and to address inquiries submitted through our customer service channels, such as the ‘Contact Us’ or ‘Job openings’ pages and similar forms on our website.
In these instances, we will only process the Personal Data that is strictly necessary to manage or resolve your inquiry or request. This may include, for example, collecting identification data, contact, profile, technical and usage data and correspondence data.
The legal basis for this processing is based on the provisioning of the Service or information requested by you, as governed by the End User License Agreement, or, in the case of generic inquiries not linked to the use of our Services, on our legitimate interest in responding to the submissions you made to us and your explicit consent.
5.5 To improve or develop new Services, or to conduct internal research
Categories of data: Demographic data; Geolocation data; Usage data.
Gataca may use identifiers, device information and usage data to enhance the services we provide and to identify areas for improvement, or to develop new functionalities.
The legal basis for this processing is our legitimate interest in improving user experience and delivering higher quality services to you.
5.6 To conduct marketing activities
Categories of data: Identification data; Contact information; Demographic data; Device information; Geolocation data; Inferences.
We process Personal Data to keep you informed with relevant updates, special offers, and general information about goods, services, and events similar to those you have already purchased.
You have the right to withdraw your consent for future communications at any time by simply clicking the unsubscribe link provided in any email we send you. Additionally, you may object to the processing of Personal Data based on our legitimate interest, both when Personal Data is initially collected and at any point when you receive commercial communications from us.
The legal basis for this processing is our legitimate interest in promoting and marketing our products and services to our Clients, which is grounded in an existing contractual relationship, as provided for in Article 21.2 of the Law 34/2002, of July 11, 2002, on information society services and electronic commerce (“LSSI”). This applies unless you have specifically opted out of receiving such communications.
In instances where our legitimate interest does not apply, we will rely on your explicit consent and we will ensure that we seek your clear permission before sending you any commercial communications or information about our products, on the basis of Article 21.1 of the LSSI and Article 6.1.a) of the GDPR.
5.7 To measure advertising
Categories of data: Identification data and contact information; Demographic data; Device information; Geolocation data; Usage data; Inferences.
We may advertise our Services on third party platforms. When we do, we may use tracking technology on our website to measure the effectiveness of our advertising campaigns (see our Cookie Policy and the “Your Data Protection Rights” section of this Policy for information about tracking technology and how you may exercise control). Third party analytics and advertising companies may collect personal data through our website and apps including Device information (such as cookie IDs, device IDs, and IP address), geolocation data, usage data, and inferences based on and associated with that data, as described in our Cookie Policy. These third-party vendors act as our service providers and only use that personal data for our measurement purposes. For more information, see our Cookie Policy.
Our legal basis for this processing is our legitimate interest in promoting and marketing our products and services to our Clients, which is grounded in an existing contractual relationship, as provided for in Article 21.2 of the Law 34/2002, of July 11, 2002, on information society services and electronic commerce (“LSSI”). This applies unless you have specifically opted out of receiving such communications.
6. To which recipients will your data be disclosed?
We disclose Personal Data with your express consent or as we determine necessary to complete your transactions or provide the Services you have requested or authorized. In addition, we disclose each of the categories of Personal Data described above, to the types of third parties described below, for the following business purposes:
- Service providers. We provide Personal Data to vendors or agents working on our behalf for the purposes described in this Policy. For example, companies we’ve hired to provide cloud infrastructure services, identity verification services, customer support services, and companies that support or assist in protecting and securing our systems and services may need access to Personal Data to provide those functions.
- Affiliates. We may enable access to Personal Data across our corporate affiliates (i.e. our family of companies that are related by common ownership or control) for example, where we share common data systems or where access helps us to provide our Services and operate our business.
- Business Transfers & Corporate Transactions. We may disclose Personal Data when we do a business deal, or negotiate a business deal, involving the divestiture, sale, or transfer of all or a part of our business or assets. This includes disclosure as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, or dissolution.
- Compliance with Laws and Law Enforcement. We will access, disclose, and preserve Personal Data when we believe doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement, national security, or other government agencies.
- Security, Safety, and Protecting Rights. We will disclose Personal Data if we believe it is necessary to: a. protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone; b. operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or c. protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.
- Third Parties. We may share your Personal Data as per your request and with your explicit consent when you use some of our Services, such as Gataca Vouch.
Please note that some of our Services also include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide Personal Data to any of those third parties, or allow us to disclose Personal Data to them, that data is governed by their privacy statements.
7. Location of Personal Data
The Personal Data we collect may be stored and processed in any other country where we or our affiliates, subsidiaries, or service providers process data, some of which may have laws that offer different levels of data protection than the country in which you reside. Currently, we use data centers in the European Economic Area (EEA). The storage location(s) are chosen to operate efficiently and improve performance. We take steps to process and protect Personal Data as described in this Policy wherever the data is located.
8. Retention of Personal Data
Gataca will retain Personal Data only for as long as necessary to provide the services and fulfill the transactions you have requested, comply with our purposes, including our legal obligations, resolve disputes, enforce our legal agreements, and for other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the data, the availability of automated controls that enable users to delete data, and our legal or contractual obligations.
For example, we retain biometric information about Data Subjects located in the US as described in the “Biometric Retention” subsection of the “Your Data Protection Rights (US only)” section in this Policy, below.
9. Your Data Protection Rights
9.1 Data Protection Rights for non-US Clients and Data Subjects
This section only applies to Clients and Data Subjects who are not located in the United States. Clients and Data Subjects located in the United States are discussed in the next section, “Your Data Protection Rights (US only).” We discuss these separately because applicable rights vary by region.
Under the applicable data protection regulations you have the following data protection rights:
- The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your account settings section in the corresponding Service. If you are unable to perform these actions yourself, please contact us to assist you.
- The right of rectification. You have the right to have your Personal Data rectified if that information is inaccurate or incomplete.
- The right to object. You have the right to object to our processing of your Personal Data.
- The right of restriction. You have the right to request that we restrict the processing of your Personal Data.
- The right to data portability. You have the right to be provided with a copy of the Personal Data we have on you in a structured, machine-readable and commonly used format.
- The right to withdraw consent. You also have the right to withdraw your consent at any time where Gataca relied on your consent to process your Personal Data.
To exercise your rights, you may (i) log in to your User profile or Settings section on the Services; or (ii) send an email to dpo@gataca.io.
You have the right to file a complaint before a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.
9.2 Data Protection Rights for US Clients and Data Subjects
This section only applies to Clients and Data Subjects who are in the United States. Clients and Data Subjects not located in the United States are discussed in the previous section, “Data Protection Rights for non-US Clients and Data Subjects.” We discuss these separately because applicable rights vary by region.
9.2.1 California Privacy Rights
If you are a California resident and the processing of Personal Data about you is subject to the California Consumer Privacy Act (CCPA), you have certain rights with respect to that information.
Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of Personal Data and sensitive Personal Data to be collected, the purposes for which such information is collected or used, whether such information is sold or shared, and how long such information is retained. You can find those details in this Policy by clicking on the above links.
Right to Know. You have a right to request that we disclose to you the Personal Data we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of Personal Data. Note that we have provided much of this information in this Policy. You may make such a “request to know” by emailing legal@gataca.io.
Rights to Request Correction or Deletion. You also have rights to request that we correct inaccurate Personal Data and that we delete Personal Data under certain circumstances, subject to a number of exceptions. To make a request to correct or delete, please email legal@gataca.io.
Right to Opt-Out / “Do Not Sell or Share My Personal Information”. You have a right to opt-out from future “sales” or “sharing” of personal information as those terms are defined by the CCPA. Note that we do not “sell” personal information as defined by the CCPA.
Right to Limit Use and Disclosure of Sensitive Personal Data. You have a right to limit our use of sensitive Personal Data for any purposes other than to provide the services or goods you request or as otherwise permitted by law. Note that we do not use sensitive Personal Data for any such additional purposes.
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.
Further, to provide, correct, or delete specific pieces of Personal Data we will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account.
Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA.
Shine the Light. Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided Personal Data to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed Personal Data to any third parties for the third parties’ direct marketing purposes.
Please be aware that we do not disclose Personal Data to any third parties for their direct marketing purposes as defined by this law. California Customers may request further information about our compliance with this law by emailing legal@gataca.io. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated email address.
9.2.2 Other Privacy Rights
We provide a variety of ways for you to control the Personal Data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law.
Access, portability, correction, and deletion. If you wish to access, correct, or delete Personal Data about you that we hold, you may do so directly within your account settings section in the corresponding Service. If you are unable to access, copy, correct, or delete certain Personal Data we have via these means, you can send us a request by using contact methods described at the bottom of this Policy.
Communications preferences. You can choose whether to receive promotional communications from us by email. If you receive promotional email from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the “Contact” section below. These choices do not apply to certain informational communications including surveys and mandatory service communications.
Targeted advertising. To opt-out from or otherwise control targeted advertising, you have several options. First, you can use the controls available through our website cookie banner to decline advertising-related cookies. Second, you can use the Global Privacy Control setting in a web browser or browser extension as described below. Third, you can use the opt-out controls offered by the organizations our advertising partners may participate in, which you can access at:
- United States: NAI (http://optout.networkadvertising.org) and DAA (http://optout.aboutads.info/)
- Canada: Digital Advertising Alliance of Canada (https://youradchoices.ca/)
- Europe: European Digital Advertising Alliance (http://www.youronlinechoices.com/)
Fourth, you can use the other cookie or mobile ID controls described below. These choices are specific to the device or browser you are using. If you access our services from other devices or browsers, take these actions from those devices or browsers to ensure your choices apply to the data collected when you use them.
Data sales. Some privacy laws define “sale” broadly to include some of the practices described in the “Our Use of Personal Data (US only)” section above. To opt-out from such data “sales”, please use the controls available through our website cookie banner to decline advertising- and analytics-related cookies. We do not sell personal information.
Browser or platform controls.
- Cookie controls. Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this could affect certain features or services of our website. If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, may be deleted and may need to be recreated.
- Global Privacy Control. Some browsers and browser extensions support the “Global Privacy Control” (GPC) or similar controls that can send a signal to the websites you visit indicating your choice to opt-out from certain types of data processing, including data sales and/or targeted advertising, as specified by applicable law. We do not engage in targeted advertising or the sale of personal information, and therefore do not respond to the GPC.
- Do Not Track. Some browsers include a "Do Not Track" (DNT) setting that can send a signal to the websites you visit indicating you do not wish to be tracked. Unlike the GPC described above, there is not a common understanding of how to interpret the DNT signal; therefore, our websites do not respond to browser DNT signals. Instead, you can use the range of other tools to control data collection and use, including the GPC, cookie controls, and advertising controls described above.
- Mobile advertising ID controls. iOS and Android operating systems provide options to limit tracking and/or reset the advertising IDs.
- Email web beacons. Most email clients have settings that allow you to prevent the automatic downloading of images, including web beacons, and the automatic connection to the web servers that host those images.
Except for the automated controls described above, if you send us a request to exercise your rights or these choices, to the extent permitted by applicable law, we may decline requests in certain cases. For example, we may decline requests where granting the request would be prohibited by law, could adversely affect the privacy or other rights of another person, would reveal a trade secret or other confidential information, or would interfere with a legal or business obligation that requires retention or use of the data. Further, we may decline a request where we are unable to authenticate you as the person to whom the data relates, the request is unreasonable or excessive, or where otherwise permitted by applicable law. If you receive a response from us informing you that we have declined your request, in whole or in part, you may appeal that decision by submitting your appeal to our data protection officer using the contact method described at the bottom of this Policy.
9.2.3 Biometric Information
As described in this Policy, we process biometric information in connection with the Services. If you are a resident of certain U.S. states, you have a right to additional information about this processing. Note that we have provided much of this information in this Policy. We provide the remaining information in this subsection.
We retain biometric information, including similar terms such as “biometric identifiers” and “biometric data” as defined by applicable law, in accordance with applicable law and as described in the “Retention” section of this Policy. Additionally, if you are a resident of Colorado or Illinois, our retention is subject to the following guidelines:
- Colorado residents: We delete biometric information about you on or before the earliest of the following dates: the date on which our initial purpose for collecting the information has been satisfied; twenty-four (24) months after you last interacted with us; or within forty-five (45) days of us determining that continued retention is no longer necessary, adequate, or relevant to the identified purpose for processing it, subject to one extension up to ninety (90) days total when reasonably necessary (considering the complexity and volume of information to be deleted).
- Illinois residents: We delete biometric information about you on or before the earliest of the following dates: the date on which our initial purpose for collecting the information has been satisfied; or three (3) years after you last interacted with us.
We follow an internal protocol for investigating and responding to incidents that potentially compromise the security of biometric information, including providing notice to you when required by law. Please note, we may be required to make exceptions to these guidelines in order to comply with our legal obligations, such as complying with a valid warrant or subpoena.
10. Security of Personal Data
We take reasonable and appropriate steps to help protect Personal Data from unauthorized access, use, disclosure, alteration, and destruction.
To help us protect Personal Data, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.
11. Changes to this Privacy Policy
We will update this Policy from time to time, when necessary to reflect changes in our Services, how we use Personal Data, or the applicable law. When we post changes to this Policy, we will update the "last updated" date at the top of this Policy. If we make material changes to this Policy, we will provide notice or obtain consent regarding such changes as may be required by law.
12. Contact
If you have any questions about this Policy or a privacy concern, complaint, or question for Gataca, please contact our Data Protection Officer by e-mail at dpo@gataca.io or by postal mail at our address: Calle López de Hoyos 286, Bj B, 28027 Madrid, Spain.