Privacy policy

This Privacy Policy has been developed to support 3Arriguitas Lda, a company with tax identification number 513617205, headquartered at Rua Almirante Reis, Nº 42 2330-099 Entroncamento – hereinafter referred to as "Barriguitas", owner of the website www.barriguitas.com.pt, in adapting its activity to the General Data Protection Regulation, approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).

This policy may be supplemented by other security-related policies, which are relevant to Barriguitas' business or its relationship with third parties, together describing Barriguitas’ approach to information security and privacy.

The terms 'Privacy', 'Data Privacy' and 'Data Protection' may be used interchangeably as they relate to a complex set of legal requirements applicable to Personal Data, which go beyond data security and confidentiality. For example, it includes requirements regarding transparency in data use and data retention.

It is the responsibility of Barriguitas to define the appropriate mechanisms to achieve compliance with this policy.

Compliance with this policy may be monitored through inspections, audits, and/or requests for written confirmation of compliance.

This policy is based on the principles established by the GDPR. However, there may be differences between countries regarding data protection and privacy at Barriguitas, namely when processing personal data outside the EU, receiving personal data from outside the EU, or processing data from non-EU citizens.

In case of doubt, please contact Barriguitas through the contact information provided.


Data Protection Principles

As part of our activity, we process Personal Data: whether when we receive personal data in the course of business opportunities, client engagements, marketing activities, or a range of related and support activities. Data may be received directly from a Data Subject (e.g., in person, via mail, email, phone, or other sources), particularly from our clients, partners, subcontractors, joint controllers, support service providers, and credit reference agencies.

All staff and partners must only request personal data from a Data Subject that is relevant and necessary to fulfill a specific purpose and business task.

Barriguitas is committed to complying with the personal data protection principles defined by the GDPR, namely:

  • Lawfulness, fairness, and transparency: We must have a legitimate reason for processing Personal Data, such as the Data Subject’s consent or compliance with a legal obligation. We must also clearly inform the Data Subject about the processing.

  • Purpose limitation: We must only request Personal Data for specific, explicit, and legitimate purposes and not process it beyond the stated purpose.

  • Data minimization: Personal Data processed must be adequate, relevant, and limited to what is necessary.

  • Accuracy: We must ensure that Personal Data is accurate and updated when necessary.

  • Storage limitation: We must not retain Personal Data longer than necessary for its purposes, although some may be retained for historical and statistical purposes.

  • Integrity and confidentiality: We must have appropriate security controls in place to protect data from unauthorized or unlawful processing, loss, destruction, or damage, including technical and organizational measures such as defined processes, training, and awareness.

  • Legal transfer outside the EEA: We only transfer Personal Data outside the EEA where adequate safeguards exist, such as contractual bases.

  • Data Subject Rights: Data Subjects have several rights that we must respect (e.g., the right to access a copy of their data and to withdraw consent given for direct marketing).


Lawfulness and Fairness of Processing

Whenever Personal Data is collected, a legal basis for the processing must exist. Under the GDPR, at least one of the following must apply:

  • Consent: The Data Subject has given consent for their data to be processed for one or more specific purposes.

  • Contractual: Processing is necessary for the performance of a contract to which the Data Subject is party or for pre-contractual steps.

  • Legal obligation: Processing is necessary to comply with a legal obligation to which the Controller is subject.

  • Vital interests: Processing is necessary to protect the vital interests of the Data Subject.

  • Public interest: Processing is necessary for a task carried out in the public interest.

  • Legitimate interests: Processing is necessary for the Controller’s legitimate interests, except where overridden by the Data Subject’s fundamental rights and freedoms.

When acting as a Controller, we must ensure we have a legitimate basis to collect and process Personal Data.

In some cases, we may act as a Processor on behalf of a client, in which case it is the client’s responsibility to ensure they have a proper basis for processing Personal Data, which must be shared with us. However, we must ensure our contract is clear on our responsibilities and that if we collect Personal Data directly on behalf of a client, we do so on a lawful basis.

When processing Special Category Data, additional conditions must be met. Please contact Barriguitas for further guidance.

The GDPR requires us to provide Data Subjects with information about processing to ensure fair and transparent processing. When collecting Personal Data, we must clearly explain why we need the data and how it will be used. When collected via our website, this information is provided via a 'Privacy Notice'.

Any other information provided when collecting personal data should also be available online. Please refer to our Privacy Policy and Cookie Policy for further information.

Treatment for specific purposes only

Whenever we collect and process Personal Data, we must ensure that we only use it for the specific purposes that have been communicated to the respective holder.

Barriguitas shall never process Personal Data for additional purposes that have not been communicated to the Data Subject. Only then will we be clear about the purpose of the processing and we must understand the purposes for which our customers may have collected Personal Data or contact the Privacy Officer.


Appropriate, relevant and limited treatment

When we collect and process Personal Data, we must follow the principle of data minimization. This means that we should only collect the minimum Personal Data necessary to perform a specific task.

Additionally, we must ensure that we have an adequate amount of personal data to perform a specific task properly. For example, collecting data only necessary to identify a person.

This also applies to any sharing and other processing activities. It is important to minimize the data held and processed; we must ensure that if we share data internally or externally or if we use it in activities such as testing, we only use/share the minimum amount in each case.

 

Accuracy of personal data

We are obliged to ensure that Personal Data is kept accurate and up to date. We must ensure that appropriate processes are in place to maintain accurate data where necessary (for example, of current and potential professionals or clients held by relevant areas).

When acting as Controller in relation to a client we will not be obliged to implement mechanisms to keep such data up to date; this will be the responsibility of the Controller, that is, our client.


Retention of Personal Data

Personal Data should not be retained for longer than necessary. This means that we must define and apply maximum retention periods for the Personal Data we process and implement processes to erase them upon their expiration. Therefore, the following retention periods may apply:

(i) for as long as is necessary for the relevant activity or services;

(ii) any retention period required by law;

(iii) the end of the period in which disputes or investigations may arise in relation to the Services; or

(iv) for the minimum period stipulated in the contract.

 

Data Subjects’ Rights

The GDPR requires us to inform individuals about the Personal Data we collect and the purposes and means for which it is processed. Such information is given in the form of a ‘Privacy Notice’.

a) Right of Access

The Data Subject has the right to ask to see the Personal Data we hold about him/her, the purpose of the processing and the categories of data concerned.

We must notify the Data Subject of the recipients with whom we are going to share your data, especially if the recipient is in another country or if it belongs to an international organization.

Where possible, we will define the retention period for data to meet business purposes.

We must communicate to the Data Subject the existence of the right to object to processing and their right to rectification and erasure.

We must communicate to the Data Subject the existence of his/her right to complain to a Supervisory Authority.

When data is collected from someone other than the Data Subject, we must communicate the source of that data to them.

We must ensure that we have processes in place to identify and respond to Data Subject access queries without undue delay and within a maximum of one month.

b) Right of rectification

Data Subjects have the right to rectify inaccurate data, and Barriguitas will make every effort to do so immediately.

c) Right to erasure

The Data Subject has the right to obtain from the Controller the erasure of his/her data ('right to be forgotten'). It is Barriguitas' responsibility to do everything possible to immediately delete the data held, except when there is a legal requirement for its conservation. If you receive a request from a Data Subject, please contact the Privacy Officer first before erasing any data.

d) Children's rights

All individuals, including children, are protected by the GDPR. For children under 13 years of age, we must not process their Personal Data based on their consent, unless authorized by the respective holders of parental responsibilities.

e) Marketing

We may sometimes send our customers and partners marketing material to inform them of services, upcoming events or other activities of interest to them, in which case we must indicate the right to withdraw consent at any time if they wish not to be contacted again on these terms.

We must also ensure that we have processes in place to ensure that all participation preferences are recorded and respected.

 

Security of Retained Data

Barriguitas will maintain data security by protecting the Confidentiality, Integrity and Availability of Personal Data, as follows:

Confidentiality means that only authorized people can access the data;

Integrity means that Personal Data must be accurate and appropriate for the purposes inherent in the processing;

Availability means that authorized users must be able to access the data if they need it for authorized purposes.



Data Disclosure

All professionals and partners must avoid any inappropriate disclosure of Personal Data and comply with our general duties regarding Confidentiality.

We share your personal information with third parties to help us. For example, our online store is hosted on the Shopify platform. You can read more about how Shopify uses your personal information here: https://www.shopify.com/legal/privacy. We also use Google Analytics to help us understand how our customers use our online store. You can read more about how Google uses your personal information here: https://www.google.com/intl/en/policies/privacy/. You can also opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout, thereby limiting our access to your data or activity log.

It is allowed:

a) Disclose Personal Data to third parties only upon instruction or where we have a legitimate basis to do so, and there are no restrictions in place.

b) Disclose Personal Data to third parties in the event that we sell or buy any business or assets, or where we are a joint Controller as part of a joint venture.

c) Sharing Personal Data with a third party that is processing data on our behalf, which may include transferring data to a third country.

Generally, Personal Data may be disclosed:

a) To Professionals or agents so that they can perform their functions as such.

b) In cases where non-disclosure may prejudice the prevention or detection of crimes, the bringing of charges against offenders, or the assessment or collection of any tax or duty. Barriguitas must have adequate grounds for disclosing data under this category in order to avoid criminal prosecution. All disclosures must be justified and documented.

For legal purposes data may be disclosed if:

a) Required by law, statute or court order.

b) For the purpose of obtaining legal advice;

c) Within the scope of or for the purposes of legal proceedings or when necessary to defend a legal right.

d) To safeguard national security.

 

International Transfer of Personal Data

Barriguitas may transfer any Personal Data to a third country or international organization. The Personal Data we hold may also be processed by staff operating in a third country or for one of our suppliers.

We must ensure that at least one of the following conditions applies:

a) The country to which the Personal Data is transferred ensures an adequate level of protection for the rights and freedoms of Data Subjects, by decision of the EU Commission.

b) Appropriate safeguards are provided (e.g. standard data protection clauses).

c) The Data Subject has given explicit consent to the transfer after having been informed of the possible risks.

d) The transfer is necessary for one of the reasons set out in the GDPR, including the performance of a contract between Barriguitas and the Data Subject, or the protection of the vital interests of the Data Subject.

e) The transfer is legally required for important reasons of public interest or for the purpose of initiating legal actions or defending them.

 

COOKIE POLICY

This website uses cookies to provide better experience for its visitors, as well as to ensure that it is fully functional. This Cookie Policy is part of our Privacy Policy, which you should consult for more information about us and how we protect user information. In order for us to provide a personalized and efficient service to our users, it is necessary to memorize and store information about how this Website should be used. For this purpose, we use reduced text files called cookies that contain reduced amounts of information downloaded to the computer or other devices of our users via a server. Your internet browser then sends these cookies back to the Website on each subsequent visit, enabling us to recognise and remember the identity of our visitors, specifically our users’ usage preferences. You can find more detailed information about cookies and how they work here (aboutcookies.org). Browsing this Website allows the collection of information using cookies and other technologies. By using this website you accept the use of cookies as described in this Cookie Notice.


What types of cookies are used and why?

Some of the cookies we use are necessary to allow navigation on this website and to take advantage of its features, such as accessing secure areas and content exclusively for registered users. Our website also uses functional cookies to record information about our users' choices and to allow us to adapt our website to their needs; for example, remembering the source language or region or that a user has already completed a survey. The information recorded is anonymous and is intended only for the purpose indicated above. We may use, directly or indirectly, web analytics services to evaluate the effectiveness of our content and the preferences of our users, which allow us to contribute to optimizing the functioning of this website. Additionally, we use web beacons or tracking pixels to count the number of visitors and performance cookies to monitor how individual users access our website and how often. This information is used for statistical purposes only without identifying any particular user. However, for registered users who are connected to the website, we may use this information in combination with data collected via web analytics services and cookies to analyze how visitors use this website in more detail. This website does not use targeting cookies to deliver targeted advertising to our visitors. Whenever you would like detailed information about the cookies used on our website, please contact us by email.

 

How to control cookies?

Users of the website accept the introduction of cookies on their computers or devices under the terms indicated above without prejudice to the control and management available. We inform users that removing or blocking cookies may affect their user experience and may limit access to some areas of the website.

In-browser controls

The vast majority of browsers allow our users to view hosted cookies and delete them individually or alternatively block cookies on a specific website or all in general. Please note that any preferences you have set, including opt-out, are lost whenever cookies are deleted. For further information, please consult the websites or cookiecentral.com.

Analytics cookie management

Our users may choose to de-anonymize their browsing activity within websites monitored by analytics cookies. We use the following service providers where you can obtain more information about their privacy policies and how to delete their cookies by clicking on the following links:

- Shopify: www.shopify.com/legal/privacy

- Google Analytics: google.com/analytics/learn/privacy.html

- Facebook Pixel: facebook.com/business/help/742478679120153

 

Managing local shared objects or flash cookies

A local shared object or flash cookie is similar to other browser cookies, differing in that it can store more types of information. These cookies cannot be controlled through the mechanisms identified above. Some areas of our website use this type of cookie to store user preferences for media player functionality and without them the content of some videos may not be displayed properly. These cookies can be manually controlled by visiting the Adobe website.

Social buttons

We use social buttons to allow our users to share or bookmark pages. These buttons relate to social networks which may obtain information about the activities of our visitors on the Internet, including on our website. Understanding how information is used and how you can opt out of its collection should be obtained by reviewing the respective Terms of Use and Privacy Policies of these websites.

Email communications

To assess the relevance of our communications, we may use tracking technologies to determine whether our visitors have read, clicked on links or forwarded certain email communications sent by us. If you disagree with this procedure, our users must unsubscribe, as it is not possible to send these emails without these monitoring mechanisms active. Registered subscribers may update their communication preferences at any time by contacting us via email, or they may unsubscribe by following the instructions in the communication email sent by us to their email address.

This Cookie Policy may be revised at any time at our discretion. When such changes are made, the revision date at the top of the page will change. The amended Cookie Policy will be effective from the date of revision. We recommend that users of our website review the Cookie Policy periodically to stay informed about our management of cookies.



Updated March 12, 2025