Legal document

Privacy policy

Last updated: 18 May 2026

At BezelPass we take your privacy as we'd like ours to be taken. This document explains, without fluff, what data we collect, what we use it for, who we share it with and how to exercise your rights.

1. Data controller

The controller of your data is BezelPass. For privacy reasons of the owner, the controller's full identification details (name, tax ID and registered address) are provided upon explicit request to the contact email.

Contact email for privacy and GDPR rights: bezelpass@gmail.com

2. What data we collect

When you register a watch with BezelPass, we collect:

  • Owner identification: full name and email address.
  • Watch data: brand, model, reference, serial number, approximate year, condition.
  • History of the piece: whether it has been serviced, date and place of the last service, whether you are the first owner or the number of previous owners.
  • Photographs of the watch you attach to the form.
  • Technical metadata: registration date and time, session language, IP address for security and anti-fraud purposes.

We do not collect special categories of data (health, ideology, sexual orientation, etc.) or banking data — the Premium plan payment is handled, when applicable, through an external provider (Stripe) which does not expose card numbers to BezelPass.

3. Purpose of the processing

We process your data exclusively to:

  • Issue your BezelPass digital passport: PDF certificate with QR code and permanent link to the public file.
  • Maintain the historical archive of the piece so it can be transferred when you sell the watch.
  • Publish the piece on the public registry at registro.bezelpass.com in an anonymised form regarding the owner (see section 7).
  • Send operational communications strictly necessary: the certificate, change confirmations, transfer or theft notifications. We do not use your email for marketing unless you give separate explicit consent.
  • Comply with legal obligations, particularly in the event of a theft report.

4. Legal basis

  • Performance of contract (Art. 6.1.b GDPR): data essential to issue the passport and provide the service.
  • Consent (Art. 6.1.a GDPR): granted by ticking the relevant boxes on the registration form.
  • Legitimate interest (Art. 6.1.f GDPR): to maintain the integrity and availability of the public registry, prevent fraud and cooperate with authorities.
  • Legal compliance (Art. 6.1.c GDPR): when a rule or judicial decision requires us to retain or disclose information.

5. Data retention

We retain data while the passport remains active, as the purpose of the service is precisely the permanent archive of the piece's history.

You can request the cancellation of your passport and the deletion of your identifying personal data at any time by writing to bezelpass@gmail.com. We will, however, keep the technical data of the watch (brand, model, serial number) in the public registry in anonymised form (without your name), since deleting the history of a specific piece could facilitate the laundering of stolen watches.

6. Data processors

To provide the service we share data with the following external providers, all contractually bound to process data in compliance with GDPR:

  • Cloudinary (photo storage) — EU. Policy
  • Airtable (passport database) — US, certified under the EU-US Data Privacy Framework. Policy
  • Make.com (automation engine) — EU. Policy
  • PDFMonkey (PDF certificate generation) — EU. Policy
  • Brevo (sending the certificate email) — EU. Policy
  • Netlify (site hosting) — US, certified under the EU-US Data Privacy Framework. Policy
  • Google Fonts (site typography) — US. Policy

7. International transfers

Some of our providers (Airtable, Netlify, Google) are located in the United States. These transfers are made under the EU-US Data Privacy Framework and, additionally, through the standard contractual clauses approved by the European Commission. In line with the Schrems II ruling, we encourage users to weigh these transfers before providing sensitive data.

8. Public information in the registry

The BezelPass service exists to create a public registry of watches consultable by anyone wishing to verify the provenance of a piece before buying it. Therefore:

  • Public: brand, model, reference, serial number, year, declared condition, photographs of the piece, registration date, service history and previous-owner history (in anonymised form, without full names).
  • Kept private: your full name, your email address and any direct identifying data. In the public registry only the initial of your first name and first letter of your surname will appear (e.g. "F. L.") unless you explicitly choose to expose more.

9. Your rights

Under GDPR you may exercise at any time the following rights:

  • Access: know what data of yours we process.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your identifying data (see nuance in section 5).
  • Restriction: limit the use of your data.
  • Portability: receive your data in a structured format.
  • Objection: object to processing based on legitimate interest.
  • Withdrawal of consent: at any time, without retroactive effect.

To exercise these rights, write to bezelpass@gmail.com stating the right you wish to exercise. We will respond within the legal deadline of one month.

If you believe we have not adequately addressed your request, you may file a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.

10. Security

We apply reasonable technical and organisational measures, proportionate to the volume and sensitivity of the data processed: encrypted connections (HTTPS), restricted database access, backups and a careful selection of providers holding recognised security certifications.

11. Modifications

We may update this policy to reflect regulatory or operational changes. We will notify registered users by email of any substantive change.