Privacy policy

Last updated: March 23, 2026

1. Introduction

A Pomar operates this store and website, including all related information, content, features, tools, products and services, in order to provide you with a personalised shopping experience (the “Services”). The Services are powered by Shopify.

This Privacy Policy describes how we collect, use, disclose and protect your personal information when you visit, use or make a purchase through the Services, or when you otherwise communicate with us. This policy has been prepared in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and Portuguese Law No. 58/2019 of 8 August, which ensures its implementation in Portugal.

In the event of any conflict between our Terms of Service and this Privacy Policy, this Privacy Policy shall prevail with respect to the collection, processing and disclosure of your personal information.

2. Data Controller

The data controller responsible for your personal data is:

A Pomar

Sole Proprietor (Empresário em Nome Individual)

Email: a.pomar.da.eva@gmail.com

3. Personal Information We Collect

The term “personal information” refers to information that identifies or can be reasonably linked to you. Personal information does not include anonymised data. We may collect the following categories of data, depending on how you interact with the Services:

•        Contact details: name, address, billing address, shipping address, phone number and email address.

•        Financial information: payment card details, transaction details, payment method and payment confirmation. Full card data is processed directly by the payment provider and is not stored by us.

•        Account information: username, password (encrypted), preferences and settings.

•        Transaction information: items viewed, added to cart, purchased, returned or cancelled, and transaction history.

•        Communications with us: information included in your customer support messages or other contacts.

•        Device information: device type, browser, IP address and other identifiers.

•        Usage information: data about how you browse and interact with the Services.

•        Newsletter data: email address and name, collected when you voluntarily subscribe to our newsletter. This data is processed through Shopify Email and Klaviyo.

4. Sources of Personal Information

We may collect personal information from the following sources:

•        Directly from you: when you create an account, make a purchase, subscribe to our newsletter, contact us or otherwise provide us with information.

•        Automatically: from your device when you use the Services, through functional cookies and similar technologies.

•        Service providers: when third parties collect or process data on our behalf (e.g. Shopify, payment processors, Shopify Email, Klaviyo).

5. Legal Bases for Processing (GDPR, Art. 6)

The processing of your personal data is based on the following legal grounds, as required by Art. 6(1) of the GDPR:

Legal Basis (GDPR)	Purpose
Performance of a contract (Art. 6(1)(b))	Order processing, account management, shipping, returns and exchanges, payment processing
Consent (Art. 6(1)(a))	Sending newsletter and marketing communications by email via Shopify Email and Klaviyo
Legitimate interest (Art. 6(1)(f))	Fraud prevention, security of the Services, improvement of user experience
Legal obligation (Art. 6(1)(c))	Compliance with tax and accounting obligations (Art. 40 of the Portuguese Commercial Code, Art. 52 of the Portuguese VAT Code)

 

You may withdraw your consent at any time (for example, by unsubscribing from the newsletter), without affecting the lawfulness of processing carried out before the withdrawal (Art. 7(3) of the GDPR).

6. How We Use Your Personal Information

Depending on how you interact with us, we may use your personal information for the following purposes:

•        Providing the Services: processing orders and payments, managing your account, arranging shipping, facilitating returns and exchanges, and creating a personalised shopping experience.

•        Marketing communications: sending our newsletter and promotional communications by email via Shopify Email and Klaviyo, only with your prior and explicit consent (opt-in). You may unsubscribe at any time via the unsubscribe link in each email.

•        Security and fraud prevention: authenticating accounts, detecting fraudulent or illegal activity, and protecting the security of the Services.

•        Transactional communications: sending order confirmations, shipping updates, account notifications and customer support responses.

•        Legal compliance: complying with legal obligations, responding to valid legal processes, and protecting our rights.

7. How We Disclose Personal Information

We may disclose your personal information to third parties in the following circumstances:

•        Shopify: the platform that hosts the Services and processes data on our behalf (payment processing, cloud storage, order fulfilment, email marketing via Shopify Email).

•        Klaviyo: email marketing platform used for sending automated communications and newsletters. Klaviyo processes your email address and store interaction data as a processor on our behalf.

•        Other service providers: vendors that provide services on our behalf, such as IT management and shipping/logistics services.

•        With your consent: when you expressly authorise us to share information with third parties.

•        Legal obligations: to comply with legal obligations, respond to subpoenas or warrants, or protect our rights and those of our users.

•        Business transactions: in connection with a merger, acquisition or insolvency.

8. Relationship with Shopify

The Services are hosted by Shopify Inc., which collects and processes personal information related to your access and use of the Services. Information submitted to the Services will be transmitted to Shopify and to third parties that may be located in countries other than your country of residence, namely in Canada and the United States.

Shopify may also use data from your interactions with our store, combined with data from other Shopify merchants, for optimisation and advertising purposes within the Shopify network (Shopify Network Intelligence). This processing only occurs with your consent.

We use Shopify Email and Klaviyo to send our newsletter and marketing communications. When you subscribe, your email address is processed by Shopify and Klaviyo in accordance with their respective privacy policies.

To learn more about how Shopify uses your data, please refer to the Shopify Consumer Privacy Policy. You may also exercise your rights through the Shopify Privacy Portal.

9. Cookies and Similar Technologies

The Services use cookies for different purposes. Below we explain the types of cookies used:

•        Strictly necessary cookies: Shopify uses essential cookies for the store to function, including session cookies, shopping cart cookies and authentication cookies. These cookies are indispensable for the Services to work correctly and do not require your consent.

•        Shopify Network Intelligence: Shopify may use data from your interactions with our store, combined with data from other Shopify merchants, for optimisation and advertising purposes within the Shopify network. This processing only occurs with your consent, collected through the cookie banner.

•        Third-party marketing/analytics cookies: we currently do not use third-party marketing, analytics or tracking cookies (such as Google Analytics, Meta Pixel or similar). Should we implement them in the future, this policy will be updated.

For visitors in the European Economic Area and the United Kingdom, a cookie consent banner is automatically displayed when visiting the Services. You may manage your cookie preferences at any time through this banner. If you do not consent to non-essential cookies, your data will not be used for advertising or analytics purposes.

10. Data Retention

We retain your personal information only for as long as necessary for the purposes described in this policy, or as required by law. The applicable retention periods are:

•        Order and billing data: retained for 10 years after the transaction, to comply with tax and accounting obligations under Portuguese law (Art. 40 of the Commercial Code, Art. 52 of the VAT Code, Art. 123 of the Corporate Tax Code).

•        Customer account data: retained while the account is active. After account deletion or 2 years of inactivity, data will be deleted, except where retention is required by law.

•        Newsletter data (Shopify Email / Klaviyo): retained while your subscription is active. After unsubscribing, data will be deleted within 30 days.

•        Customer support data: retained for 2 years after the resolution of the request.

•        Browsing and device data: retained for a maximum period of 12 months.

11. International Data Transfers

Your personal information may be transferred, stored and processed outside Portugal and the European Economic Area (EEA), namely on Shopify servers located in Canada and the United States.

When we transfer data outside the EEA, we rely on transfer mechanisms recognised by the GDPR, such as the European Commission’s Standard Contractual Clauses (Art. 46 of the GDPR), or transfers to countries with an adequacy decision (Art. 45 of the GDPR).

12. Your Rights (GDPR)

As a resident of the European Union, you have the following rights regarding your personal data:

•        Right of access (Art. 15): you have the right to obtain confirmation that we process your data and to access a copy of it.

•        Right to rectification (Art. 16): you have the right to request the correction of inaccurate or incomplete data.

•        Right to erasure (Art. 17): you have the right to request the deletion of your personal data, as provided by law.

•        Right to restriction of processing (Art. 18): you have the right to request the restriction of the processing of your data in certain circumstances.

•        Right to data portability (Art. 20): you have the right to receive your data in a structured format and to request its transfer to another controller.

•        Right to object (Art. 21): you have the right to object to the processing of your data for certain purposes, including direct marketing.

•        Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us using the details provided in Section 17. We will respond to your request within 30 days, as required by Art. 12(3) of the GDPR.

If the provision of personal data is a requirement necessary to enter into a purchase contract (for example, name and address for shipping), failure to provide such data may prevent us from processing your order.

13. Automated Decision-Making and Profiling

We do not use solely automated decision-making processes that produce legal effects or significantly affect you, as provided in Art. 22 of the GDPR. Should we implement such processes in the future, this policy will be updated accordingly.

14. Children’s Data

The Services are not intended for persons under the age of 16 (as established by Art. 16 of Portuguese Law No. 58/2019), and we do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us so that we can delete it.

15. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration or destruction, as required by Art. 32 of the GDPR. However, no electronic transmission or storage system is entirely secure, and we cannot guarantee absolute security.

16. Complaints

If you wish to complain about how we process your personal data, you may contact us using the details provided in Section 17.

You also have the right to lodge a complaint with the competent supervisory authority (Art. 77 of the GDPR). In Portugal, the competent authority is the Comissão Nacional de Proteção de Dados (CNPD) — the Portuguese Data Protection Authority:

Website: www.cnpd.pt

Address: Av. D. Carlos I, 134, 1.º, 1200-651 Lisbon, Portugal

Phone: (+351) 213 928 400

Email: geral@cnpd.pt

17. Third-Party Websites and Links

The Services may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We recommend that you review the privacy policies of any third-party website you visit.

18. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be published on this website with the new “Last updated” date. For material changes, we will make a reasonable effort to notify you, including by email.

19. Contact

For any questions about this Privacy Policy or to exercise your rights, you may contact us at:

•        Email: a.pomar.da.eva@gmail.com

We will respond to your request within a maximum of 30 days, as required by the GDPR. This period may be extended by a further 60 days in cases of particular complexity, and you will be informed of any such extension (Art. 12(3) of the GDPR).