Privacy policy

Last updated: 24 April 2026

1. Introduction

Ninho do Tejo respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store and protect your information when you visit or make a purchase on our site ninhodotejo.pt.

This policy complies with the General Data Protection Regulation (EU Regulation 2016/679 — GDPR) and with Portuguese Law no. 58/2019, of 8 August, which provides for the implementation of the GDPR in Portugal.

2. Data controller

Company name: Ninho do Tejo, Lda. NIPC: 519 094 484 Registered office: Rua das Perdizes 38, 2925-718 Azeitão, Portugal

Email contact for privacy matters: geral@ninhodotejo.pt

3. Personal data we collect

We collect the following personal data, only where strictly necessary for the relevant purpose:

Identification and contact data: full name, email address, telephone number.

Billing and delivery data: billing address, delivery address, tax number (NIF), where provided by the customer for invoice issuance.

Order data: order history, products purchased, payment methods used (we do not store credit card details — these are processed directly by our payment partners).

Browsing data: IP address, browser type, device used, pages visited, time spent. This data is collected through essential technical cookies for the operation of the site.

Interaction data for advertising purposes (only with consent): when you grant authorisation through the cookie banner, we also collect information about the product pages viewed, items added to basket, checkouts started, and purchases made. This data may include pseudonymised identifiers (obtained through irreversible hashing of your contact details) that allow our advertising partners, in particular Meta Platforms, to associate your activity on our site with the eventual display of advertising on Facebook and Instagram. The technical detail of this sharing is described in section 6.

4. Purposes of processing and legal bases

Your data are processed for the following purposes and on the following legal grounds:

Performance of the sale contract — to process orders, issue invoices, send products and handle returns or exchanges. Legal basis: Article 6(1)(b) GDPR (performance of a contract).

Compliance with legal obligations — to issue and archive tax documents and respond to requests from competent authorities. Legal basis: Article 6(1)(c) GDPR (legal obligation).

Communication with the customer — to respond to enquiries, provide after-sales support, and inform you about the status of your orders. Legal basis: Article 6(1)(b) GDPR (performance of a contract) or (f) (legitimate interest).

Legitimate interest in improving the service — for internal analysis of shop performance and fraud prevention. Legal basis: Article 6(1)(f) GDPR (legitimate interest).

Personalised advertising and campaign measurement — to show you relevant advertising on Meta platforms (Facebook and Instagram), evaluate the effectiveness of our advertising campaigns, and avoid showing you content that is not of interest. Legal basis: Article 6(1)(a) GDPR (consent). This processing only takes place after your explicit consent in the cookie banner; consent can be withdrawn at any time as described in sections 8 and 9.

5. Retention periods

We keep your personal data only for as long as strictly necessary for the purposes for which they were collected:

Billing and order data: 10 years, as required by Portuguese tax law (VAT Code).

Contact data and preferences: for as long as the customer keeps an active account, or until a deletion request.

Browsing data: up to 13 months, the maximum period recommended by the Portuguese Data Protection Authority for analytics cookies.

Data shared with advertising partners: data shared with Meta Platforms for advertising purposes is retained by Meta in accordance with its own retention policies, typically up to 2 years for event data. You can, at any time, request that Meta delete this data through the "Off-Facebook activity" feature (see section 6).

6. Sharing of data with third parties

Your personal data may be shared with the following partners, strictly for the purpose of providing the service:

Shopify, Inc. — e-commerce platform that hosts our shop. Shopify is certified under the European Union's Standard Contractual Clauses. Shopify Privacy Policy.

IFTHENPAY, Lda. — payment processor for MB WAY and Multibanco. Transaction data is processed directly by IFTHENPAY; banking details are not shared with us.

CTT — Correios de Portugal, S.A. — courier responsible for shipping orders. Only the data necessary for delivery (name, address, phone) is shared.

Moloni — Portuguese invoicing platform. Receives the data necessary for issuing the invoice-receipt (name, address, NIF where applicable).

Meta Platforms Ireland Limited (operator of Facebook and Instagram in the European Union) — only with your explicit consent in the cookie banner, we use two complementary technologies provided by Meta:

  • Meta Pixel — a small piece of JavaScript code installed on our site that, via your browser, records events such as product page views, items added to basket, checkout initiation, and completed purchases.

  • Conversions API (CAPI) — a complementary technology that allows our server (via Shopify) to communicate directly with Meta's servers, to ensure the integrity and accuracy of the same events, even when the Meta Pixel is blocked by your browser.

The data shared with Meta includes information about your interaction with the site (pages visited, items viewed, purchase events) and, where applicable, your email address, phone number and address, always previously hashed using an irreversible function (SHA-256). Meta uses this data to identify its users and show them Ninho do Tejo advertising, as well as to provide us with aggregated statistics on the performance of our campaigns.

You can disable this data sharing at any time, regardless of your initial consent, through two mechanisms:

  1. Withdrawing consent for marketing cookies in the cookie banner available on our site.
  2. Accessing your Facebook account and using the "Off-Facebook activity" feature (Settings and privacy → Your Facebook information → Off-Facebook activity), where you can disconnect the link between your activity on third-party sites and your Meta profile.

We never sell or transfer your personal data to third parties for commercial purposes.

7. International data transfers

Some of our partners process data on servers located outside the European Economic Area. This is the case for Shopify, Inc. (Canada and United States) and Meta Platforms Ireland Limited (which, despite being based in Ireland, may transfer data to infrastructure in the United States). In these cases, we ensure that appropriate safeguards are in place, in particular through the Standard Contractual Clauses approved by the European Commission and, in Meta's case, adherence to the EU-U.S. Data Privacy Framework.

8. Your rights

Under the GDPR, the data subject has the right to:

  • Access their personal data.
  • Rectify inaccurate or out-of-date data.
  • Erase their data (right to be forgotten), where applicable.
  • Restrict the processing of their data in certain circumstances.
  • Portability of their data, in a structured, machine-readable format.
  • Object to processing based on legitimate interest.
  • Withdraw consent previously given, without affecting the lawfulness of prior processing.

To exercise any of these rights, simply send an email to geral@ninhodotejo.pt. We will respond within 30 days at the latest.

If you believe that the processing of your data infringes the GDPR, you have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD): [www.cnpd.pt](https://www.cnpd.pt).

9. Cookies

Our site uses cookies to ensure the basic operation of the shop, to improve your experience, and — with your consent — for personalised advertising purposes. We distinguish three categories:

Essential technical cookies — necessary for the operation of the site (basket maintenance, session authentication, language preferences). These do not require consent.

Analytics cookies — help us understand how visitors use the site, in an aggregated and anonymous way. These require consent.

Marketing and advertising cookies — include the cookies installed by the Meta Pixel and allow us to show you relevant advertising on Facebook and Instagram. These require explicit consent.

You can manage your cookie preferences at any time through the consent banner available on the site. Declining marketing cookies does not affect your ability to browse the site or make purchases — it only switches off the personalisation of advertising directed at you.

10. Security

We adopt appropriate technical and organisational measures to protect your personal data from unauthorised access, accidental loss, destruction or alteration. All communication between your browser and our site is encrypted using the SSL protocol.

11. Changes to this Policy

This Privacy Policy may be updated periodically. The date of the last update is shown at the top of the document. Substantial changes will be communicated by email or by prominent notice on the site.