Privacy Policy

1. Who We Are

Data Controller: José Casado Martínez, operating under the brand HISOCER (Physics-Gated Computing).
Contact: privacy@hisocer.com
Website: https://hisocer.com

This Privacy Policy explains how we collect, use, and protect your personal data when you use our services, subscribe to alerts, or interact with our API.

2. Data We Collect and Why

We only collect what is strictly necessary for the stated purpose.

• Email address (required for alert subscription) — to send you a one-time notification when the HISOCER system reaches CRYSTAL_PERFECT state, as you explicitly requested.
• Phone number (optional) — to send the same alert via SMS if you choose this channel.
• Telegram handle (optional) — to deliver the alert via Telegram Bot if you choose this channel.
• API usage data (for registered users) — request count, endpoint accessed, timestamp. Used solely for rate limiting and service quality.
• Browser language preference — detected locally in your browser, never sent to our servers. Used only to display content in your language.

We do not collect: names, addresses, payment card numbers (handled by Stripe), behavioral tracking, or any data beyond what is listed above.

3. Legal Basis (GDPR Art. 6)

• Consent (Art. 6.1.a): Alert subscriptions — you explicitly opt in via checkbox.
• Contract performance (Art. 6.1.b): API key provisioning and service delivery.
• Legitimate interest (Art. 6.1.f): Security logging and fraud prevention.

4. How We Use Your Data

• Send the alert notification you requested (once per CRYSTAL_PERFECT event).
• Deliver API credentials and usage information to registered users.
• Maintain service security and prevent abuse.

We will never use alert subscription data for marketing, newsletters, or any purpose other than the alert you explicitly requested — without a separate, explicit consent.

5. Data Retention

• Alert subscriptions: Retained until you unsubscribe (link in every notification email) or after 24 months of inactivity, whichever comes first.
• API usage logs: 90 days rolling.
• Payment records: 7 years (legal obligation in most jurisdictions).

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only with:

• Stripe (payment processing) — governed by Stripe's Privacy Policy. We never see your full card number.
• Email delivery provider (transactional alert sending only) — bound by data processing agreements.
• Telegram (if you choose this channel) — governed by Telegram's Privacy Policy.

All third parties are bound by GDPR-compliant Data Processing Agreements (DPA).

7. International Transfers

Our servers are located within the EU. If any sub-processor transfers data outside the EEA, we ensure appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.

8. Your Rights

Under GDPR, CCPA, LGPD and equivalent laws, you have the right to:

• Access: Request a copy of all personal data we hold about you.
• Rectification: Correct inaccurate data.
• Erasure ("Right to be forgotten"): Delete your data at any time.
• Restriction: Limit how we process your data.
• Portability: Receive your data in a machine-readable format.
• Objection: Object to processing based on legitimate interest.
• Withdraw consent: At any time, without affecting prior processing.

To exercise any right: email privacy@hisocer.com with subject "Data Request — [your email]". We respond within 30 days.

9. Cookies and Tracking

We use only a single functional cookie: hisocer_lang — stores your language preference locally. No analytics, no advertising, no fingerprinting.

10. Security

All data is transmitted over TLS 1.2+. Subscriber data is stored in an encrypted SQLite database on our EU VPS. We apply the principle of data minimization — we only keep what we need, for as long as we need it.

11. Children

Our services are not directed to individuals under 16. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this policy. Significant changes will be communicated via the email address on file. The "Last updated" date at the top always reflects the current version.

13. Supervisory Authority

If you believe we have processed your data unlawfully, you have the right to lodge a complaint with your local data protection authority. In Spain: AEPD (Agencia Española de Protección de Datos). In the EU: your national DPA. You also have the right to seek judicial remedy.