Privacy
What we do with your data.
Version of 1 May 2026. This notice explains how we handle your personal data under GDPR. In short: we use only what's needed, we don't sell to anyone, and you can ask for everything to be deleted at any time.
What data we collect
- Account: name, email, phone (if you provide it).
- Orders: delivery address, purchase history, messages with the maker.
- Payment: processed by Stripe; we never see your card details.
- Browsing: analytics cookies only if you accept (see /cookies).
What we use it for
To process orders, send order-related emails, improve the site, and meet tax obligations (the Portuguese tax authority requires us to keep invoices for 10 years). Nothing else.
Who we share with
The maker fulfilling your order (name, address, phone if needed). Stripe (payments). The courier (CTT/DPD). We also rely on technical providers that process data on our behalf (subprocessors): Supabase (database and authentication), Vercel (site hosting and aggregate analytics), Cloudflare (anti-spam protection on forms), and Google (address autocomplete). We don't sell or swap data with third parties for marketing.
How long we keep it
Account data while your account exists. Order data for 10 years (tax obligation). Marketing data (newsletter) until you withdraw consent.
Your rights
- Access your data.
- Correct wrong data.
- Delete your account (except invoice records we're legally required to keep).
- Request a portable copy.
- Withdraw marketing consent at any time.
- File a complaint with the Portuguese DPA (CNPD).
How to exercise your rights
Email ola@lavora.pt; we reply within 30 days. To delete your account, go to /conta → Settings → Delete account.