privacy
notice.

Data controller (titolare del trattamento). Vora S.r.l., an Italian limited-liability company, with registered office in Milan, Italy, Italian VAT number [VORA SRL VAT], R.E.A. [VORA SRL REA NUMBER], share capital [VORA SRL SHARE CAPITAL]. Vora S.r.l. is the controller for every processing activity described in this notice within the meaning of art. 4 n. 7 GDPR.

Brand vs. legal entity. SQUIZITO Atelier is a brand operated under the legal entity Vora S.r.l.; it is not a separate legal entity, has no separate VAT number, and does not autonomously enter into contracts. Every reference in this notice to "SQUIZITO", "SQUIZITO Atelier", "we", "us", or "our" is a reference to Vora S.r.l. in its capacity as operator of the SQUIZITO Atelier brand. Where this notice describes commitments, retention periods, security measures, or rights handling, the legal duty-bearer is Vora S.r.l.

Contact for privacy matters. The primary contact for any matter relating to this notice or the processing of personal data is:

Data Protection Officer (Responsabile della protezione dei dati). Vora S.r.l. has assessed the criteria of art. 37 GDPR and concluded that the mandatory designation of a DPO is not triggered: Vora S.r.l. is not a public authority; the core activities do not consist of large-scale, regular, and systematic monitoring of data subjects; and the core activities do not consist of large-scale processing of special categories of data under art. 9 GDPR or data relating to criminal convictions under art. 10 GDPR. The Amministratore Delegato (Managing Director) of Vora S.r.l. is the named point of accountability for privacy and is reachable at privacy@squizito.me. This assessment is revisited annually and whenever the processing landscape materially changes; we will appoint a DPO and update this notice if and when the art. 37 thresholds become applicable.

EU representative (art. 27 GDPR). Not applicable. Vora S.r.l. is established in the European Union (Italy); the art. 27 obligation to appoint a representative arises only for controllers established outside the Union.

Supervisory authority. The competent supervisory authority for Vora S.r.l. is the Italian Garante per la protezione dei dati personali (Piazza Venezia 11, 00187 Roma, Italy · www.garanteprivacy.it). See section 13 below for the right to lodge a complaint.

The categories of personal data we collect depend on which data-subject category you fall into and which operational step you are at. The lists below are exhaustive: if a data type is not listed, we do not collect it.

· 03.1 · buyers

• Identification and contact data · full name; billing address; shipping address (where different); email address; telephone number.
• Tax data · for B2B purchases, the buyer's VAT identification number (partita IVA) and, where applicable, fiscal code (codice fiscale) or foreign tax-identification number; for consumer purchases, no fiscal code is collected unless the buyer requests a fattura with fiscal-code field.
• Order data · the drop slug, the unit serial, the size and format, the unit price in the buyer's display currency, the EUR-base price, the order timestamp, and any voter-reward code redeemed at checkout.
• Payment data · the buyer's payment-card data is tokenised and handled by Stripe as a separate controller for fraud-prevention purposes and as our processor for the checkout flow. Vora S.r.l. does not see, store, or process the buyer's full primary account number (PAN), CVV, or expiry date. We see only the last four digits of the card, the card brand, the country of issue, and the Stripe token reference.
• Voter-code redemption data · where the buyer redeems a Vora-issued voter reward code (32-character hex), we store on the Order row only the SHA-256 hash of the redeemed code, never the raw code; the raw code is consumed at the Vora side via an HMAC-signed bridge.
• Technical and log data · IP address used to derive country-of-origin for the multi-currency display (see section 03.3 and the geo-lookup mechanism); browser user-agent; HTTP timestamps and request paths in the CloudFront access logs.
• Cookie data · only the strictly-necessary cookies described in section 10 (cart state; voter-code claim cookie).

· 03.2 · designers and voters

Voter participation on the Vora platform is governed by the Vora privacy notice; SQUIZITO does not see individual votes or voter identities. We see only the aggregate counts via the public idea-challenge API and the hashed redemption code described in 03.1. When a Designer is selected at the close of a consultation and enters the SQUIZITO signing pipeline, we collect the following from the Designer (and, for the purposes of D.Lgs. 21 novembre 2007, n. 231 AML screening where applicable, run the screening against this data):

• Identification data · legal name; date of birth; place of birth; nationality.
• Identity-document data · a copy of a government-issued photographic identity document (passport, EU national ID, or equivalent), uploaded as BAT Annex C · Documento di Identità, stored in an AWS S3 bucket configured with Object Lock in COMPLIANCE mode for the legal-retention period (see section 07).
• Fiscal data · Italian fiscal code (codice fiscale) or foreign tax-identification number (TIN); VAT number where the Designer invoices as a VAT-registered business; tax-residency country; certificate of tax residence (certificato di residenza fiscale) where the double-tax treaty applies.
• Payment data · IBAN and BIC/SWIFT, or the equivalent banking-coordinate format for non-SEPA jurisdictions, for royalty disbursement.
• Contact data · email address; telephone number (for one-time-password verification during signing).
• Self-declarations under DPR 28 dicembre 2000, n. 445 · the suite of self-certified declarations the Designer signs as part of the BAT, covering: (i) sole and exclusive authorship of the design; (ii) absence of generative-AI generation in any material part of the design under art. 5 Reg. (UE) 2024/1689 (AI Act); (iii) majority of age (maggiore età · at least 18 years of age at the time of signature; effective for signings from 20 May 2026); (iv) non-PEP and non-sanctioned status under the relevant Italian, EU, UN, and OFAC frameworks; (v) accuracy of the tax-residency declaration. The Designer's self-declaration is the legal basis for our reliance on the data; we are entitled under artt. 71 e 72 DPR 445/2000 to perform sample audits on these declarations.
• Signed contractual artefacts · the verbale di selezione, the contratto d'opera, the Approvazione BAT e Dichiarazioni dell'Autore, all signed via eIDAS-compliant electronic signature under Reg. (UE) 910/2014, with audit trail metadata (IP address, timestamps, OTP receipts).
• Print-master file · the high-resolution vector or raster file the Designer delivers for screen-print production. This is not personal data in the conventional sense but is retained alongside the personal-data artefacts as part of the production audit trail.

· 03.3 · website visitors

• IP address · used to derive the visitor's country for the multi-currency display rendered by the Stripe Adaptive Pricing widget and for the EUR-based fallback. The lookup is performed locally on our backend against the MaxMind GeoLite2-Country database shipped inside the Lambda zip; no IP is transmitted to MaxMind on lookup. The IP is not stored on the visitor record; it appears only transiently in CloudFront access logs (see section 07 retention).
• Browser metadata · user-agent, language preference (where the browser sends it), request path, response status, response size, request timestamp · the standard CloudFront access-log fields.
• No analytics cookies, no marketing cookies, no third-party trackers · see section 10 for the full cookie state of the site.

Special categories of data (art. 9 GDPR). We do not knowingly process special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation). The identity document we collect from Designers under section 03.2 may incidentally reveal data of a sensitive nature (e.g. a religious symbol on a national ID, a birthplace that suggests national origin); we do not process such incidental data for any purpose and do not extract it from the document. The document is stored and not parsed.

Criminal-conviction data (art. 10 GDPR). We do not process criminal-conviction data. The PEP and sanctions self-declarations we collect from Designers are not criminal-conviction data within the meaning of art. 10; they are self-attestations made under DPR 445/2000 for AML, sanctions-compliance, and reputation-due-diligence purposes.

On a drop page you may choose to share the drop and then submit your email address to receive a single-use percentage discount code for that drop (the "Spread-the-Word Discount"). The discount is a straight reduction of the price of our own Goods, applied at Stripe checkout. It is not a prize, a draw, a lottery, or a reward of chance: everyone who completes the flow receives the same fixed percentage, on equal and predetermined terms. The processing this triggers is the following.

· issuing your code · art. 6 c. 1 lett. b GDPR

We process the email address you submit to send you the discount code you requested. This is the performance of a service you have explicitly asked us to provide. We first send a single confirmation email; when you click the confirm link (a "double opt-in" that proves you control the address) we issue the code and send it. We do not use this email for marketing.

· preventing abuse of the discount · art. 6 c. 1 lett. f GDPR

To stop the same person over-creating codes (which would erode the offer for everyone), we record your email, your IP address, and a first-party technical marker stored in your browser, and we use them only to cap the number of codes per email, per IP, and per browser, per drop. The legal basis is our legitimate interest in fraud and abuse prevention; we have performed a Legitimate Interest Assessment, available on request to privacy@squizito.me. We do not profile you, we do not track you across other sites, and we do not enrich this data with any other source. We store the IP in hashed form. The technical marker (sqz_stw_marker) is a strictly-necessary cookie under art. 122 D.Lgs. 196/2003 and the Garante cookie guidelines of 10 June 2021, and requires no consent; it is listed in the cookie policy inventory.

· recipients

The confirmation and discount-code emails are delivered by Resend Inc. as our processor (see section 05). The discount itself is applied at checkout via Stripe (see section 05). No other recipient receives this data; we engage no data broker, ad-tech, or analytics provider for this flow.

· retention

If you only request a code, we delete your email at code expiry plus ninety (90) days. The IP address and technical marker used for abuse prevention are kept for the duration of the relevant drop plus thirty (30) days, then deleted. The record evidencing your consent choice is kept for as long as needed to demonstrate lawfulness under art. 5 c. 2 GDPR and for the applicable limitation period thereafter.

· your rights

All rights in section 08 apply. To have an already-issued, unredeemed code and its associated email erased, write to privacy@squizito.me and we will delete the email and invalidate the code. Once a code is redeemed at a sale, the associated order record follows the ten-year accounting retention in section 07.

Honour-based sharing. We cannot technically verify whether you actually posted on any social platform, and we do not claim to. The discount is gated only behind the share interface and the email step; we do not represent that a verified post is required. This keeps the offer honest under D.Lgs. 206/2005 (Codice del Consumo) artt. 20-23 and Directive 2005/29/EC. The discount is a uniform commercial price reduction (sconto) under art. 6 DPR 430/2001, not a manifestazione a premio, and is not combinable with the voter pre-order price.

We engage the following third parties to process personal data on our behalf as processors under art. 28 GDPR, or to act alongside us as joint or independent controllers where the regulatory characterisation is different. Each engagement is governed by a written data processing agreement (DPA) or the equivalent contractual arrangement under art. 28 c. 3 GDPR. For each, this table describes the role, the categories of data shared, the location of processing, and the safeguard applied to transfers outside the European Economic Area (EEA) where applicable.

Sub-processors. Each of the processors above may engage sub-processors under their own DPAs (for example, AWS engages low-level infrastructure providers; Stripe engages card networks and acquiring banks). The chain of accountability under art. 28 c. 2 e c. 4 GDPR is preserved: each processor remains liable to us, and we remain liable to you, for the acts and omissions of its sub-processors. The current list of sub-processors for each platform is published by the respective platform at the URLs given above.

No data brokers, no ad-tech, no analytics SaaS. We do not engage any data broker, behavioural-advertising platform, marketing-attribution platform, web-analytics SaaS, or social-media tracking pixel. The processor list above is the complete list of third parties that touch personal data on our behalf. If this changes, we will update this notice and · where the change requires a fresh consent · obtain it before the new processor is engaged for the affected data subjects.

Garante per la protezione dei dati personali. Listed under section 13 as the recourse forum for data-subject complaints; the Garante is not a processor of personal data in this notice.

We retain personal data only for as long as needed for the purpose for which it was collected, and in any case no longer than the maximum statutory retention period applicable. The detailed retention map is the following:

Retention floor under art. 2220 c.c. Italian accounting law imposes a ten-year retention floor on every record that supports an accounting entry: order data, payment data, invoice fields, fiscal data, signed contracts. This floor is not waivable by the data subject; the right to erasure under art. 17 GDPR does not override it (the exception at art. 17 c. 3 lett. b GDPR · compliance with a legal obligation · applies). What we can do at the data subject's request, before the ten-year window closes, is restrict processing (art. 18 GDPR) so the data is kept only for the legal-obligation purpose and not used for any other.

Object-Lock COMPLIANCE mode · what it means. The legal-archive S3 bucket is configured so that, once an object is written, neither Vora S.r.l. nor any AWS administrator can delete it before the retention end. This protects the integrity of the legal archive against tampering, accidental deletion, and ransomware. The trade-off is that, where a data-subject erasure request would, under normal GDPR analysis, lead to deletion, it cannot in fact be honoured against the Object-Lock copy until the retention window expires. We disclose this trade-off honestly: the Object-Lock setting is a documented data-protection control under art. 25 GDPR (data protection by design), aligned with the legal-obligation retention floor at art. 2220 c.c., and not a workaround.

To exercise any of the rights described in section 08, send an email to privacy@squizito.me (with hello@squizito.me as fallback until the dedicated mailbox is fully provisioned) with:

• a clear statement of the right you wish to exercise (e.g. "I exercise my right of access under art. 15 GDPR");
• the data-subject category you fall into (Buyer · Designer · Voter · Website visitor) and any reference that helps us locate the records (order number, drop slug, signing reference);
• a copy of a government-issued photographic identity document for identity-verification purposes only, where reasonably necessary under art. 12 c. 6 GDPR. We do not retain the identity copy beyond verification (the copy is deleted within fourteen (14) days of completion of the request); we will not request the document for routine non-sensitive interactions.

Response time. We respond within thirty (30) days from receipt of a complete request, per art. 12 c. 3 GDPR. The period may be extended by up to two further months where necessary, taking into account the complexity and number of the requests; we will inform you within thirty (30) days of any such extension and the reasons.

Form of response. By default, we respond in the same channel and format as the request (email, with attachments where necessary). On request we will provide a structured machine-readable copy of your data.

Free of charge. Responses are free of charge. We may charge a reasonable fee, based on administrative cost, or refuse to act, where requests are manifestly unfounded or excessive, in particular because of their repetitive character (art. 12 c. 5 GDPR). The burden of demonstrating that the request is manifestly unfounded or excessive lies on Vora S.r.l.

If we cannot fully comply. Where a request cannot be fully honoured (typically because the records are subject to the art. 2220 c.c. ten-year accounting retention; or because the records are in the Object-Lock COMPLIANCE-mode bucket and cannot be deleted before the retention end; or because the on-chain record is intrinsically immutable · see section 11), we will tell you which records fall under the exception, the legal basis for it, and what we will do as the available alternative (typically restriction of processing under art. 18 GDPR).

Each unit sold is paired with a non-transferable certificate of authenticity recorded on the Base blockchain, implemented as an ERC-721 token bearing the ERC-5192 locked() trait (the "Certificate"). The Certificate is a separate processing activity from the order pipeline and merits its own disclosure.

• What is on-chain. A serial-encoded token id (the drop number + piece number), the per-piece authenticity-card hash (keccak256 of the random per-piece code printed on the wax-sealed authenticity card), a token URI pointing to a fully on-chain SVG render of the design, and the owning address (always the SQUIZITO atelier vault). No personal data of the Buyer is written on-chain · no name, no email, no order reference, and no Buyer wallet address is encoded in the token id, the URI, or any storage slot.
• The token never leaves the atelier vault. The contract is soulbound by design (ERC-5192 locked() returns true forever; every transferFrom and approve overload reverts). The Certificate is minted at production time to the SQUIZITO-controlled atelier vault address and remains there permanently. The Certificate is associated with the Buyer's order off-chain via the unit serial number; there is no on-chain link between the token and the Buyer.
• No personal-wallet claim flow exists. The Buyer is not asked to hold a cryptocurrency wallet and cannot move the Certificate to a personal wallet · the contract has no claim or transfer function for that purpose. The garment is the addressed entity; the on-chain certificate is its permanent provenance record, not a holding of the Buyer's.
• Verification reads via the card code. When the Buyer verifies a piece at squizito.me/verify/, the 16-character code from the sealed authenticity card is sent to the public Base RPC as the argument to the contract's verifySecret(tokenId, code) view function · the contract computes keccak256 on the code and compares to the stored hash. The plaintext code is observable by the RPC provider (Alchemy · see section 05) during verification. The code is a per-piece random secret not derived from the Buyer's identity; we do not consider it personal data in the conventional sense, but we disclose the transmission for transparency.
• Public-ledger immutability and GDPR. Once an on-chain transaction is confirmed, the record is permanent and replicated across the global Base node network. The data controller cannot rectify (art. 16) or erase (art. 17) an on-chain transaction. Because the design above writes no Buyer personal data on-chain, the right-to-erasure question does not arise in respect of any Buyer-identifying field: there is nothing on-chain to erase. Off-chain order records remain subject to the retention regime described in section 07 (ten-year accounting floor under art. 2220 c.c.).
• Garante guidance. We have considered the Italian Garante's 19 March 2020 provision on personal data and blockchain technology (Provvedimento n. 56/2020) and the ongoing EDPB work on blockchain and GDPR. The design choice to write no Buyer-identifying data on-chain and to retain custody of every Certificate at the atelier vault is the strongest expression of the regulator's data-minimisation guidance for blockchain controllers.
• RPC processor. The RPC endpoint we use to read the chain (and that the verify page calls from the Buyer's browser) is Alchemy · see section 05. Where the Buyer reads the Certificate via BaseScan or a different RPC, the read goes through whichever provider the Buyer's tool resolves to; we do not control the Buyer's read path.

Soulbound · not a financial instrument. The Certificate is non-transferable and represents only an authenticity attestation. It is not a "crypto-asset" in the tradable sense of Reg. (UE) 2023/1114 (MiCA) art. 3 c. 1 n. 5, not an asset-referenced token, not an electronic-money token, and not a financial instrument within the meaning of MiFID II / Directive 2014/65/EU. The Buyer acquires no financial right by virtue of the Certificate. The on-chain processing under this section is therefore not "financial-services" processing and the financial-services special regimes do not apply.

If you believe the processing of your personal data infringes the GDPR, you have the right under art. 77 GDPR to lodge a complaint with a supervisory authority. The competent supervisory authority for Vora S.r.l. is:

You may also lodge a complaint with the supervisory authority of the EU Member State of your habitual residence, your place of work, or the place where the alleged infringement took place, where this is different from Italy. The full list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members.

Judicial remedies. The right to lodge a complaint with a supervisory authority is without prejudice to your right to a judicial remedy against a supervisory authority (art. 78 GDPR), to an effective judicial remedy against a controller or processor (art. 79 GDPR), and to compensation under art. 82 GDPR where you have suffered material or non-material damage as a result of an infringement.

Informal resolution first. We encourage you to contact us directly at privacy@squizito.me before lodging a complaint or initiating proceedings. We are committed to resolving privacy concerns promptly and in good faith; many issues can be resolved within the 30-day window without external escalation. This invitation is not a precondition to your right of complaint or judicial remedy.

A privacy notice is, in legal substance, an informativa · a one-way disclosure that art. 13 GDPR requires the controller to make to the data subject at the moment personal data is collected. It is not, by itself, a contract or a consent. The legal bases for the processing activities described here are the ones listed in section 04, of which only one (art. 6 c. 1 lett. a GDPR) involves consent.

Acknowledgement at signing (Designers). A Designer entering the SQUIZITO signing pipeline acknowledges receipt and reading of this notice via the consent checkbox at art. 6.1 of the BAT (Approvazione BAT e Dichiarazioni dell'Autore), which reads: "The Designer confirms receipt and reading of the Committente's privacy notice available at https://squizito.me/privacy/ under art. 13 of Reg. (EU) 2016/679 (GDPR)."

Acknowledgement at checkout (Buyers). The Buyer acknowledges this notice by completing checkout; a link to this notice is presented in the checkout footer and in the order-confirmation email. No separate consent checkbox is required because the processing of Buyer data runs on the contract-performance and legal-obligation bases at art. 6 c. 1 lett. b and c GDPR.

Acknowledgement on the site (Visitors). Continued use of the site after the publication of this notice constitutes acknowledgement of the strictly-necessary-cookie state described in section 10. No consent banner is loaded because no consent is currently required.