Legal

Privacy Policy

Last updated · 28 May 2026

Suberea Atelier respects your privacy. This policy explains what personal data we collect, why, and how we handle it. It applies to suberea.com and any correspondence you have with the studio.

Who We Are

Suberea Atelier is the data controller for any personal information you share through this website. We are based in Almada, Portugal. For any privacy-related question, write to atelier@suberea.com.

1. What We Collect

We collect personal data only when you give it to us. This site does not use analytics cookies, tracking pixels, or fingerprinting scripts.

The data we collect:

When you place an order — name, shipping address, email, phone (optional), and payment information (handled by Stripe, never stored by us)
When you write to us — name, email, and the content of your message
When you request a personalisation — the text you'd like engraved or handwritten

2. How We Use Your Data

We use your data only for the purpose for which you provided it:

To produce and deliver your order
To reply to your message
To fulfil our legal obligations (tax records, invoicing)
To send order updates and, occasionally, news about new editions — only if you have opted in

3. Third Parties We Work With

To run the studio, we share specific data with a small number of trusted processors:

Stripe — processes payments. We do not see or store your card details. stripe.com/privacy
Web3Forms — delivers contact form messages to the studio inbox. web3forms.com/privacy-policy
Shipping carriers (CTT and partners) — receive your name and shipping address to deliver your order
Namecheap — hosts the website

We do not sell, rent, or share your data with anyone for advertising or marketing purposes. Ever.

4. How Long We Keep Your Data

Order records are kept for the period required by Portuguese tax law (currently 10 years). Contact form messages are kept for up to 2 years unless they become part of ongoing correspondence. You can request earlier deletion under Section 6.

5. Cookies

This site does not use tracking, analytics, or advertising cookies. Stripe may set functional cookies during checkout, which are technically necessary to process your payment.

6. Your Rights Under GDPR

As an EU resident, you have the right to:

Access — request a copy of the data we hold about you
Rectification — ask us to correct anything that is wrong
Erasure — ask us to delete your data, subject to legal retention obligations
Restriction — ask us to limit how we use your data
Portability — receive your data in a portable format
Objection — object to specific uses of your data

To exercise any of these rights, write to atelier@suberea.com. We will respond within 30 days.

You also have the right to complain to the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, CNPD): cnpd.pt

7. Security

The site uses HTTPS (TLS encryption) for all traffic. Payment data is handled exclusively by Stripe, which is PCI DSS Level 1 certified — the highest available standard. We take reasonable technical and organisational measures to protect data held on our systems.

No system is ever perfectly secure. If a data breach affects you, we will notify you and the CNPD within 72 hours, as GDPR requires.

8. International Data Transfers

Most of our processors are based in the EU or operate under EU-approved data transfer mechanisms (Standard Contractual Clauses or adequacy decisions). Stripe and some others transfer limited data to the United States under approved frameworks.

9. Children

The site and our products are not directed at children under 16. We do not knowingly collect personal data from anyone in this age group.

10. Changes to This Policy

We may update this policy as our practices evolve. The "Last updated" date above reflects the current version. Material changes will be communicated by email to customers with active orders.

11. Contact

For any privacy-related request, write to atelier@suberea.com.