Legal
Privacy policy
Last updated: 1 July 2026
1. Who we are
This site (drinkoya.com) and the ŌYA brand are operated by:
NÉCTAR ESPERANÇOSO, LDA.
Rua Newton, 5, Fração D
1170-275 Lisboa, Portugal
NIPC / Registo Comercial: 518 904 571
Capital Social: €5.000
Contact: info@drinkoya.com
We are the data controller for personal data processed through this website. If you have any question about this policy or your data, contact us at the address above.
2. What we collect and why
- Checkout data — name, email, shipping address, phone number and order contents. We use this to fulfil your order, take payment, deliver your cans and meet our accounting and tax obligations. Providing this data is necessary to enter into and perform your purchase contract; without it we cannot process your order. Order processing and record-keeping are carried out through Shopify.
- Payment data — card details are entered directly into Shopify Checkout and its connected payment providers. We never see or store your card number.
- Newsletter — if you subscribe, we store your email address to send you occasional updates. We send these through Shopify Email. You can unsubscribe at any time using the link in any email.
- Technical data — our storefront host and content delivery network record standard connection logs (IP address, browser type, timestamps) to serve the site, keep it secure and prevent abuse.
We do not use your personal data for automated decision-making or profiling.
3. Legal bases (GDPR Art. 6)
- Contract — to process and deliver your order (Art. 6(1)(b)).
- Consent — for the newsletter and any optional marketing; you can withdraw it at any time (Art. 6(1)(a)).
- Legitimate interests — to keep the site secure, available and free from abuse (network and information security, fraud prevention) (Art. 6(1)(f)).
- Legal obligation — accounting, tax and consumer-protection duties under Portuguese and EU law (Art. 6(1)(c)).
4. Who we share data with (subprocessors)
We use a small number of service providers who process data on our behalf under data processing agreements:
- Shopify (Shopify International Ltd. / Shopify Inc.) — checkout, payment routing, order management, hosting of order records, and newsletter delivery via Shopify Email. Shopify acts as our processor for this data; it may act as an independent controller for limited purposes of operating and securing its own platform.
- Lovable — hosting of our storefront (the site was also built on this platform).
- Cloudflare — content delivery and security for the storefront (serving pages, protecting against abuse).
- Payment providers connected to Shopify Payments — shown at checkout; they process your payment as required.
- Shipping carriers — only with the details required to deliver your order.
We do not sell your personal data and we do not share it for third-party advertising.
5. How long we keep it
- Order and invoicing records — 10 years, as required by Portuguese tax and commercial law.
- Newsletter — until you unsubscribe.
- Technical / connection logs — up to 90 days.
- Support emails — up to 24 months after your request is resolved, then deleted.
6. Your rights
Under the GDPR you can:
- Access the personal data we hold about you.
- Ask us to correct or delete it.
- Ask us to restrict or object to certain processing.
- Request a portable copy of the data you gave us.
- Withdraw consent at any time (for example, the newsletter), without affecting processing already carried out.
To exercise any of these, email info@drinkoya.com. We aim to respond within one month. You also have the right to lodge a complaint with the Portuguese data protection authority (CNPD, www.cnpd.pt).
7. Cookies
The site uses strictly-necessary cookies for the shopping cart and checkout session. We also show a cookie consent banner: any non-essential cookies (for example analytics or marketing) are only set if you accept them. We currently use no analytics or advertising cookies beyond what is needed to run the shop. If that changes, we will ask for your consent through the banner first and update this policy.
8. International transfers
Because we are a European business, Shopify stores our store, order and customer data in Europe (EEA / UK / Switzerland) by default. Some processing still takes place outside the EEA — for example, Shopify may route data onward to Canada (covered by the European Commission's adequacy decision) and to the United States, and our storefront and content-delivery provider Cloudflare is headquartered in the United States. Where personal data is transferred outside the EEA, it is protected by an appropriate safeguard: an EU adequacy decision (including the EU–US Data Privacy Framework for certified US recipients) or the European Commission's Standard Contractual Clauses. You can ask us for more detail on the safeguards that apply.
9. Children
Our site and products are intended for adults. We do not knowingly collect personal data from children. Under Portuguese law (Lei n.º 58/2019), the minimum age to consent on your own to online (information-society) services is 13; if you are younger, please do not send us your personal data without the involvement of a parent or guardian.
10. Changes to this policy
We may update this policy over time. The date at the top will reflect the latest version, and material changes will be highlighted on the site.
