Privacy policy

 

This Privacy Policy was developed to support Ana & Bárbara, LDA, a company with tax identification number XXXX, with its registered office at 514515902– hereinafter BAGUY, owner of the website www.baguy.pt in adapting its activity to the General Data Protection Regulation, approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR").

This policy may be supplemented by others on security, which are relevant to BAGUY's business or its relationship with third parties, collectively describing BAGUY's approach to information security and privacy.

The terms 'Privacy,' 'Data Privacy,' and 'Data Protection' may be used interchangeably as they are associated with a complex set of legal requirements that apply to Personal Data, which go beyond data security and confidentiality. For example, it includes requirements about transparency in data use and its retention.

It is BAGUY's responsibility to define appropriate mechanisms to achieve compliance with this policy.

Compliance with this policy may be monitored through inspections, audits, and/or requests for written confirmations of compliance.

This policy is based on the principles established in the GDPR. However, there may be differences between countries in the applicability of BAGUY's data protection and privacy, especially when processing personal data outside the EU, when receiving personal data from outside the EU, or when processing personal data of non-EU citizens.

In case of doubt, contact BAGUY through the provided contacts.
 
Data Protection Principles
In the scope of our activity, we process Personal Data: whether when we receive personal data during our business opportunities, our commitments with clients, marketing activities, or a range of other related and support activities. Data may be received directly from a Data Subject (for example, in person, by mail, email, phone, or other sources), namely from our clients, partners, subcontractors, joint controllers, support service providers, and credit reference agencies.
All professionals and partners must only request personal data from a Data Subject that is relevant and necessary to fulfill a specific business purpose and task.
BAGUY is committed to complying with the personal data protection principles defined by the GDPR, namely:
•    Lawfulness, fairness, and transparency: means that we must have a legitimate reason for processing Personal Data, for example, consent from the Data Subject, compliance with a legal obligation to which we are subject. It also means that we must clearly inform the Data Subject about the processing;
•    Limitation of Purposes: we must only request Personal Data for specific, explicit, and legitimate purposes and not process it beyond the purpose for which it was requested;
•    Data minimization: the Personal Data processed must be adequate, relevant, and limited to what is necessary;
•    Accuracy: we have an obligation to ensure that Personal Data is accurate and to update it whenever necessary;
•    Storage limitation: we must not retain Personal Data for longer than necessary for the purposes for which it is processed, although we may retain some for historical and statistical purposes;
•    Integrity and Confidentiality: we must have appropriate security controls in place to protect data against unauthorized and unlawful processing, loss, destruction, or damage, including technical and organizational measures such as defined processes, training, and awareness;
•    Legal transfer outside the European Economic Area: we only transfer Personal Data outside the EEA if adequate safeguards exist, such as a contractual basis;
•    Data Subject Rights: Data Subjects have various rights that we must respect (for example, the right to access a copy of the data we hold and the right to withdraw consent given for direct marketing purposes).
 
Lawfulness and fairness in processing
Whenever Personal Data is collected, it is necessary to have a legal basis for the inherent processing. According to the GDPR, we must identify at least one of the following reasons for processing Personal Data:
•    Consent: The Data Subject has given consent for their data to be processed for one or more specific purposes;
•    Contractual: Processing is necessary for the performance of a contract to which the Data Subject is a party or for pre-contractual steps;
•    Legal: Processing is necessary to comply with a legal obligation to which the Data Controller is subject;
•    Vital interests: Processing is necessary to protect the vital interests of the Data Subject;
•    Public interest: Processing is necessary for the performance of a task carried out in the public interest;
•    Legitimate interests: Processing is necessary for the legitimate interests of the Data Controller, except where overridden by the interests or fundamental rights and freedoms of the Data Subject.
 
When we act as the Data Controller, we must ensure that we have a legitimate basis to collect and process Personal Data.
In some situations, we may act as a Subcontractor on behalf of our client, in which case it is their responsibility to ensure they have a proper reason for processing Personal Data, which they must share with us. However, we must take steps to ensure that our contract is clear about our responsibilities in this regard and that, if we collect Personal Data directly from Data Subjects on behalf of the client, we have the grounds to do so legitimately.
When a Special Category of Data is processed, an additional set of conditions must be met. Please contact BAGUY for further guidance.
The GDPR requires that Data Subjects be provided with information about the processing to ensure fair and transparent processing. Whenever we collect Personal Data, we must ensure that we appropriately explain why we need the information and how we will process it. When the information is collected through our website, this information is provided through a 'Privacy Notice.'
Any other information to be provided at the time of collecting personal data must also be made available online. Please refer to our Privacy Policy and Cookie Policy for more information.

Processing only for specific purposes
Whenever we collect and process Personal Data, we must ensure that we only use it for the specific purposes that have been communicated to the respective data subject.
BAGUY must never process Personal Data for additional purposes that have not been communicated to the Data Subject. Only then will we be clear about the purpose of the processing, and we must understand the purposes for which our clients may have collected the Personal Data or contact the Privacy Officer.

Adequate, relevant, and limited processing
When we collect and process Personal Data, we must follow the principle of data minimization. This means we should only collect the minimum Personal Data necessary to perform a specific task.
Additionally, we must ensure that we have an adequate amount of personal data to perform a specific task properly. For example, collecting only the data necessary to identify a person.
This also applies to any sharing and other processing activities. It is important to minimize the data kept and processed; we must ensure that if we share data internally or externally or use it in activities such as testing, we only use/share the minimum amount in each case.
 
Accuracy of personal data
We have an obligation to ensure that Personal Data is kept accurate and up to date. We must ensure the existence of appropriate processes to keep data accurate whenever necessary (for example, of professionals or current and potential clients maintained by the relevant areas).
When acting as the Data Controller in relation to a client, we are not required to implement mechanisms to keep that data updated; this will be the responsibility of the Data Controller, i.e., our client.
 
Personal Data Retention
Personal Data should not be kept longer than necessary. This means we must define and apply maximum retention periods for the Personal Data we process and implement processes to delete them when the period ends. Therefore, the following retention periods may apply:
(i) for as long as necessary for the relevant activity or services;
(ii) any retention period required by law;
(iii) the end of the period during which disputes or investigations may arise in relation to the services; or
(iv) for the minimum period provided in the contract.
 
Rights of Data Subjects
The GDPR requires us to inform people about the Personal Data we collect, the purposes, and the means for which it is processed. This information is provided in the form of a 'Privacy Notice'.
a) Right of Access
• The Data Subject has the right to request to see the Personal Data we hold about them, the purpose of the processing, and the categories of data involved.
• We must notify the Data Subject of the recipients with whom we will share their data, especially if the recipient is in another country or belongs to an international organization.
• Whenever possible, we will define the data retention period to meet business objectives.
• We must inform the Data Subject of their right to object to processing and their right to rectification and deletion.
• We must inform the Data Subject of their right to lodge a complaint with a Supervisory Authority.
• When data is collected from someone other than the Data Subject themselves, we must inform the Data Subject of the source of that data.
• We must ensure that we have processes in place to identify and respond to access requests from the Data Subject without undue delay, and within a maximum period of one month.
b) Right to rectification
• Data Subjects have the right to rectify inaccurate data, and BAGUY must make every effort to do so immediately.
c) Right to deletion
• The Data Subject has the right to obtain from the Controller the deletion of their data ('right to be forgotten'). It is BAGUY's responsibility to do its best to delete the data immediately, except when there is a legal requirement for its retention. If you receive a request from a Data Subject, contact the Privacy Officer first before deleting any data.
d) Rights of children
• All individuals, including children, are protected by the GDPR. For children under 13 years old, we must not process their Personal Data based on their consent, except with authorization from the respective holders of parental responsibilities.
e) Marketing
•    Sometimes we may send our customers and partners marketing material to inform them of services, upcoming events, or other activities of interest, in which case we must indicate the right to withdraw consent at any time if they no longer wish to be contacted on those terms.
•    We must also ensure that we have processes that guarantee all opt-in preferences are recorded and respected.
 
Retained Data Security
BAGUY will maintain data security by protecting the Confidentiality, Integrity, and Availability of Personal Data, whereby:
•    Confidentiality means that only authorized persons can access the data;
•    Integrity means that Personal Data must be accurate and adequate for the purposes inherent to the processing;
•    Availability means that authorized users must be able to access the data if they need it for authorized purposes.
 
Data Disclosure
All professionals and partners must avoid any inappropriate disclosure of Personal Data and comply with our general duties regarding Confidentiality.
We share your personal information with third parties to help us. For example, our online store is hosted on the Shopify platform. You can read more about how Shopify uses your personal information here: https://www.shopify.com/legal/privacy. We also use Google Analytics to help us understand how our customers use our online store. You can read more about how Google uses your personal information here: https://www.google.com/intl/en/policies/privacy/. You can also disable Google Analytics here: https://tools.google.com/dlpage/gaoptout, thus limiting our access to your data or activity logging.
It is permitted:
a) Disclosing Personal Data to third parties only under instruction or when we have a legitimate basis to do so, and no restrictions are in place.
b) Disclosing Personal Data to third parties in the event we sell or buy any business or assets, or when we are a Joint Controller as part of a joint venture.
c) Sharing Personal Data with a third party who is processing data on our behalf, which may include transferring data to a third country.
Personal Data can generally be disclosed:
a) To Professionals or agents so that they can perform their functions as such.
b) In cases where non-disclosure could harm the prevention or detection of crimes, the filing of charges against offenders, or the assessment or collection of any tax or fee. PINK must have adequate reasons to disclose data under this category to avoid criminal proceedings. All disclosures must be justified and documented.
For legal purposes, data may be disclosed if:
a) Required by law, statute, or court order.
b) For the purpose of obtaining legal advice;
c) Within or for the purposes of legal proceedings or when necessary to defend a legal right.
d) To safeguard national security.
 
International Transfer of Personal Data
BAGUY may transfer any Personal Data to a third country or international organization. The Personal Data we hold may also be processed by employees operating in a third country or by one of our suppliers.
We must ensure that at least one of the following conditions applies:
a) The country to which the Personal Data is transferred ensures an adequate level of protection for the rights and freedoms of the Data Subjects, by decision of the EU Commission.
b) Appropriate safeguards are provided (e.g., standard data protection clauses).
c) The Data Subject has given explicit consent to the transfer after being informed of the possible risks.
d) The transfer is necessary for one of the reasons established in the GDPR, including the execution of a contract between BAGUY and the Data Subject, or protection of the vital interests of the Data Subject.
e) The transfer is legally required for important reasons of public interest or for the initiation of legal actions or defense within the scope of such actions.
 
COOKIE POLICY
This website uses cookies to provide a better experience for its visitors, as well as to ensure that it is fully operational. This Cookie Policy is part of our Privacy Policy, which you should consult for more information about us and how we protect users' information. In order to provide a personalized and efficient service to our users, it is necessary to remember and store information about how this Website should be used. For this purpose, we use small text files called cookies that contain small amounts of information downloaded to the computer or other devices of our users through a server. Your internet browser subsequently sends these cookies back to the Website on each subsequent visit, allowing the recognition and memorization of the identity of our visitors, namely the usage preferences of our users. You can find more detailed information about cookies and their functioning here (aboutcookies.org). Browsing this Website allows the collection of information using cookies and other technologies. By using this site, you accept the use of cookies as described in this Cookie Notice.
 
What types of cookies are used and why?
Some of the cookies we use are necessary to allow navigation on this website as well as to take advantage of its features such as accessing secure areas and exclusive content for registered users. Our website also uses functional cookies to record information about our users' choices and to adapt our website to their needs; for example, remembering the original language or region or that a user has already completed a survey. The recorded information is anonymous and intended only for the above purpose. We may use, directly or indirectly, web analytics services to assess the effectiveness of our content and our users' preferences, which allow us to contribute to optimizing the operation of this website. Additionally, we use web beacons or tracking pixels to count the number of visitors and performance cookies to monitor how individual users access our website and how frequently. This information is used only for statistical purposes without identifying any particular user. However, for registered users who are logged into the website, we may combine this information with data collected via web analytics services and cookies to analyze how visitors use this website in more detail. This website does not use targeting cookies to promote targeted advertising to our visitors. Whenever you want detailed information about the cookies used on our website, we appreciate your contact via email.

How to control cookies?
Website users accept the introduction of cookies on their computers or devices under the terms indicated above without prejudice to the available control and management. We inform users that removing or blocking cookies may affect their user experience and may limit access to some areas of the website.

Browser controls
The vast majority of browsers allow our users to view stored cookies and delete them individually or alternatively block cookies on a specific website or all in general. We remind you that the preferences set, including self-exclusion, are lost whenever cookies are deleted. For further clarification, you should consult the websites or cookiecentral.com.

Management of analytics cookies
Our users may choose to opt out of anonymity in their browsing activity within websites monitored by analytics cookies. We use the following service providers where you can obtain more information about their privacy policies and how to opt out of their cookies by clicking on the following links:
•    Shopify: www.shopify.com/legal/privacy
•    Google Analytics: google.com/analytics/learn/privacy.html
•    Facebook Pixel: facebook.com/business/help/742478679120153
 
Management of local shared objects or flash cookies
A local shared object or flash cookie is similar to other browser cookies, differing in that they can store more types of information. These cookies cannot be controlled through the mechanisms identified above. Some areas of our website use this type of cookie to store user preferences for media player functionalities, and without them, some video content may not be properly viewed. These cookies can be manually controlled by visiting the Adobe website.

Social buttons
We use social buttons to allow our users to share or bookmark pages. These buttons relate to social networks that may obtain information about our visitors' activities on the Internet, including on our website. Understanding how the information is used and how to opt out of its collection should be obtained by reviewing the respective Terms of Use and Privacy Policies of those websites.

Email communications
To assess the relevance of our communications, we may use tracking technologies to determine whether our visitors have read, clicked on links, or forwarded certain communications sent by us via email. If users disagree with this approach, they should unsubscribe since it is not possible to send these emails without these tracking mechanisms active. Registered subscribers can update their communication preferences at any time by contacting us via email, or they can unsubscribe by following the instructions in the communication email sent to their email address.
This Cookie Policy may be reviewed at any time, at our discretion. When such changes are made, the revision date at the top of the page will be updated. The amended Cookie Policy will take effect from the revision date. We recommend that users of our website periodically review the Cookie Policies in order to stay informed about our management of cookies.

Updated on October 4, 2024