1. Who we are
This privacy policy applies to Beijo de Deus, operated by [your legal name / business name], registered in Portugal at [your address], tax number (NIF): [your NIF].
For any data-related question, write to hello@beijodedeus.com.
2. What we collect
When you place an order, we collect:
- Your name
- Your email address
- Your shipping address and phone number (for delivery)
- Order details (which edition, quantity, date)
When you pay, your payment card details are handled directly by Stripe, our payment processor. We never see or store your full card number, CVC, or expiry date. We only receive a confirmation of payment and the last four digits of your card.
If you subscribe to news from us (optional), we also store your email and consent record.
3. Why we collect it
- To fulfil your order — we need your name and address to ship the chocolate.
- To communicate with you — order confirmations, shipping updates, and any questions about your purchase.
- To meet our legal obligations — Portuguese tax law requires us to keep invoice and sales records for ten (10) years.
- To improve the product and service — anonymous, aggregated insights from sales patterns.
4. Legal basis
Under the EU General Data Protection Regulation (GDPR), we rely on the following legal bases:
- Contract performance — to process and ship your order (Article 6(1)(b) GDPR).
- Legal obligation — to retain invoice records for tax purposes (Article 6(1)(c) GDPR).
- Legitimate interest — to keep our service secure and improve it (Article 6(1)(f) GDPR).
- Consent — for any marketing communication, which you can withdraw at any time (Article 6(1)(a) GDPR).
5. Who we share your data with
We share only what is strictly necessary, with the following partners:
- Stripe (payment processing) — see Stripe's Privacy Policy.
- Our shipping carrier ([CTT / DHL / other]) — receives your name, address, and phone number for delivery.
- Our accountant (if applicable) — for legally required tax and invoice processing.
- Cloudflare Pages / Vercel — our hosting provider; processes basic technical request data.
We never sell or rent your data to anyone.
6. How long we keep it
- Order and invoice records — 10 years (Portuguese tax law requirement).
- Customer service emails — up to 3 years after our last interaction.
- Marketing consent and email lists — until you unsubscribe or withdraw consent.
7. Your rights
Under GDPR, you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct anything that's wrong.
- Erasure — ask us to delete your data (subject to legal retention obligations).
- Restriction — limit how we use your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to certain types of processing.
- Withdraw consent — at any time, where consent was the legal basis.
- File a complaint — with the Portuguese data protection authority, CNPD (cnpd.pt).
To exercise any of these rights, email hello@beijodedeus.com. We will respond within 30 days.
8. Cookies and tracking
We keep tracking to a minimum. The website uses:
- Functional cookies only when needed (e.g., during Stripe checkout). These are required for the site to work.
- No third-party advertising trackers.
- No Google Analytics at this time. If we add analytics later, we will use a privacy-respecting tool and update this policy.
9. International data transfers
Stripe and our hosting provider may process data outside the European Economic Area (EEA), including in the United States. Where this happens, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Children
This website and product are not intended for anyone under 16. We do not knowingly collect data from minors.
11. Updates to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated via email if we have your contact information.
12. Contact
For any privacy question, contact us at hello@beijodedeus.com.