Privacy Policy
Last updated: March 2026
1. Introduction
Your privacy is important to us. This Privacy Policy explains how Tsuky ("we", "us", "our") collects, uses, discloses, and protects your personal information when you visit our website (tsuky.co) and use our services, in accordance with the General Data Protection Regulation (GDPR) and Portuguese data protection law.
2. Data Controller
The data controller responsible for your personal data is:
Tsuky, Unipessoal Lda
Address: Rua João Barros, N.º 86, R/C Dto., 2775-298 Parede, Cascais, Portugal
VAT/NIF: 518340538
Email: supportcenter@tsuky.co
3. Information We Collect
Personal Identification Information: We collect information such as your name, email address, phone number, shipping and billing address, and any other information you provide directly to us when placing an order or creating an account.
Usage Information: We automatically collect information about your interaction with our site, including your IP address, browser type and version, operating system, pages visited, time spent on each page, referral source, and other usage statistics.
Cookies and Similar Technologies: We use cookies and similar tracking technologies to enhance your experience, understand how you use our site, and provide relevant content. You can manage your cookie preferences through your browser settings.
4. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract performance: Processing necessary to fulfil your orders and provide our services
- Legitimate interest: Processing for business analytics, fraud prevention, and website improvement
- Consent: Processing for marketing communications (you can withdraw consent at any time)
- Legal obligation: Processing required to comply with tax, accounting, and other legal requirements
5. How We Use Your Information
- To process, ship, and manage your orders
- To provide customer support related to your purchases
- To improve our website, products, and services based on feedback and usage data
- To send promotional emails about new products, collections, and special offers (with your consent)
- To comply with legal and regulatory obligations
- To prevent fraud and protect the security of our website
6. Information Sharing
We may share your personal data with:
- Payment processors (to process transactions securely)
- Shipping and logistics companies (to deliver your orders)
- Marketing service providers (for email campaigns, with your consent)
- Legal and regulatory authorities (when required by law)
We do not sell your personal data to third parties. All third-party service providers are contractually obligated to protect your data and may only use it for the specific purpose for which it was shared.
6.1. Sub-processors
The following service providers process your personal data on our behalf under data processing agreements that comply with GDPR Article 28. Each acts only on documented instructions from TSUKY.
| Provider | Purpose | Data categories | Region |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, edge compute | Account credentials, profile, orders, addresses | EU (Frankfurt) |
| Stripe Payments Europe Ltd. | Card and Apple/Google Pay processing | Name, email, billing address, card token (we never store card numbers) | Ireland / US (SCCs + DPF) |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | PayPal checkout payment processing | Name, email, billing address, order amount and reference | Luxembourg / EU |
| Resend, Inc. | Transactional and newsletter email delivery | Email address, name, order metadata | US (DPF-certified) |
| ipapi.co (Kloudend, Inc.) | IP-based country detection to derive shipping zone (no profile is stored) | Client IP address (ephemeral, single request, not retained by us) | US (SCCs) |
| Shipping carriers (CTT, DPD, DHL, UPS, FedEx, GLS, NACEX) | Order fulfilment and tracking | Name, shipping address, phone | EU / Worldwide |
An updated list is maintained as our service stack evolves. Material changes are reflected in the “Changes to This Privacy Policy” section below.
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required by law. Order data is retained for a minimum of 10 years to comply with Portuguese tax and invoicing regulations (CIVA / Decreto-Lei 28/2019). Marketing-consent records are retained for the duration of the consent plus a 3-year audit window. Account profile data is deleted on request via the in-account “Delete account” flow.
8. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), we rely on the following lawful safeguards:
- EU-US Data Privacy Framework (DPF): for transfers to DPF-certified US providers (Resend, Stripe US entities).
- Standard Contractual Clauses (SCCs): module 2 (Controller-to-Processor) for any provider not covered by an adequacy decision.
- Supplementary measures: encryption in transit (TLS 1.2+) and at rest, and pseudonymisation where technically feasible.
9. Security Measures
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These include SSL encryption, secure payment processing, and regular security audits. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
10. Your Rights Under GDPR
Under the GDPR, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request restriction of processing of your data
- Right to Data Portability: Receive your data in a structured, commonly used format
- Right to Object: Object to processing based on legitimate interests or for marketing purposes
- Right to Withdraw Consent: Withdraw consent for marketing at any time
To exercise any of these rights, contact us at supportcenter@tsuky.co. We will respond within 30 days.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD, Comissão Nacional de Proteção de Dados).
11. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of any material changes by posting the updated policy on our website with a revised date. We recommend reviewing this policy regularly.
13. Contact Information
If you have any questions or concerns about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
Email: supportcenter@tsuky.co