
Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your personal information.

Last Updated: 9 May 2026

1. Data Controller

The controller of your personal data is:

Flores Island, Lda.
Praça Ilha do Faial 1, 1000-159 Lisboa, Portugal
Alameda dos Oceanos 31, 1990-204 Lisboa, Portugal
Email: hello@floresisland.pt
Phone: (+351) 929 056 863

We do not have a designated Data Protection Officer (DPO). Privacy questions and requests should be sent to the email above; we respond within 30 days as required by the GDPR (Regulation (EU) 2016/679).

2. What we collect and why

We collect only the data we need to run the shop. For each category we list the legal basis under Art. 6 GDPR.

• Order data — name, email, phone, delivery address, items, total. Legal basis: contract (Art. 6(1)(b)). Without it we cannot fulfil the order.
• Payment data — handled directly by Stripe; we never see card numbers. We only receive a transaction reference. Legal basis: contract.
• Customer support — name, email, message you send via the contact form. Legal basis: contract / legitimate interest (Art. 6(1)(b)/(f)).
• Stock-availability requests — email and optional phone you leave on out-of-stock products. Legal basis: consent (Art. 6(1)(a)). You can withdraw it at any time by emailing us.
• Newsletter — email you submit to subscribe. Legal basis: consent. Every email contains an unsubscribe link.
• Wedding & custom requests — name, contact, event details. Legal basis: pre-contract (Art. 6(1)(b)).
• Feedback & reviews — rating and optional comment after delivery. Legal basis: legitimate interest in improving service (Art. 6(1)(f)).
• Analytics & error tracking — device, browser, anonymised interaction data via PostHog and Sentry. Legal basis: consent (Art. 6(1)(a)). These cookies are off by default until you accept them in the cookie banner. You can change your choice at any time on this page.

3. Service providers we share data with

We use the following processors. Each is bound by a Data Processing Agreement (DPA) and processes data on our behalf only.

• Stripe (Ireland / USA) — payments. https://stripe.com/privacy
• Convex (USA) — primary database. https://www.convex.dev/legal/privacy
• Vercel (USA) — hosting & blob storage. https://vercel.com/legal/privacy-policy
• Resend (USA) — transactional emails. https://resend.com/legal/privacy-policy
• Telegram (United Arab Emirates) — internal staff order notifications only (no customer-facing data). https://telegram.org/privacy
• PostHog (USA / EU) — product analytics, only after consent. https://posthog.com/privacy
• Sentry (USA / EU) — error tracking, only after consent. https://sentry.io/privacy/
• Mapbox (USA) — delivery zone preview map. https://www.mapbox.com/legal/privacy
• Google (USA) — flower-recommendation AI (Sommelier). Only the prompt you submit is sent; no contact details. https://policies.google.com/privacy
• Upstash Redis (USA) — request rate-limiting (IP only, hashed).

International transfers outside the European Economic Area (EEA) rely on Standard Contractual Clauses (SCCs) approved by the European Commission, plus supplementary measures where applicable.

We do not sell, rent or trade your data.

4. How long we keep your data

• Order records — 10 years from invoice issuance, as required by Portuguese tax law (Decreto-Lei n.º 28/2019).
• Customer accounts (when applicable) — until you delete the account, then up to 30 days for backups.
• Newsletter subscribers — until you unsubscribe, then up to 30 days for backups.
• Stock-availability requests — until the product is back in stock or 12 months, whichever comes first.
• Support emails — 24 months.
• Analytics events — 90 days at PostHog (rolling).
• Backups — overwritten on a 30-day rolling basis.

5. Your rights under GDPR

You have the right to:

• Access — get a copy of the data we hold about you (Art. 15).
• Rectification — correct inaccurate data (Art. 16).
• Erasure — request deletion when no longer needed (Art. 17). Limited by tax-law retention obligations on order data.
• Restriction — pause processing while a dispute is open (Art. 18).
• Portability — receive your data in a machine-readable format (Art. 20).
• Object — to processing based on legitimate interest (Art. 21).
• Withdraw consent — at any time, without affecting prior processing (Art. 7).
• Lodge a complaint — with the Portuguese supervisory authority (CNPD): https://www.cnpd.pt/cidadaos/queixas/

To exercise any right, email hello@floresisland.pt with the subject "GDPR request". We will respond within 30 days. We may ask for proof of identity to prevent unauthorised access.

6. Cookies & tracking technologies

• Strictly necessary — needed for the cart, language, and security; cannot be turned off. No tracking value.
• Analytics (PostHog) — if you accept, captures anonymised interactions and a session recording with all input fields masked. Helps us understand which products customers explore.
• Error tracking (Sentry) — if you accept, sends a stack trace + browser info when something crashes. Does not include any form values.

You can review and change your preferences any time using the cookie banner at the bottom of the page. Rejecting analytics will not affect your ability to shop. We do not use advertising or behaviour-targeted cookies.

7. Automated decisions

We do not use automated decision-making or profiling that produces legal or similarly significant effects for you. The flower recommendation tool ("Sommelier") generates a non-binding suggestion based on prompts you provide; you are free to ignore it.

8. Security

We use HTTPS everywhere, strong session signing (HMAC-SHA-256), strict CSP/HSTS headers, rate-limited login, encrypted Stripe/Convex/Resend integrations, and least-privilege admin access. No system is perfectly secure, but if a breach affecting your data occurs we will notify you and the CNPD within 72 hours, as required by Art. 33-34 GDPR.

9. Children

Our services are not directed to children under 16. We do not knowingly collect their data. If you believe we have, contact hello@floresisland.pt and we will delete it.

10. Changes to this policy

We will revise this page when our processing changes. The "Last Updated" date at the top reflects the latest version. We will notify subscribers of material changes by email and surface the change in the cookie banner so you can re-confirm your choice.

11. Contact

Privacy questions, GDPR requests, complaints:

Email: hello@floresisland.pt
Phone: (+351) 929 056 863
Post: Flores Island, Lda. — Praça Ilha do Faial 1, 1000-159 Lisboa

Supervisory authority — Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa
geral@cnpd.pt · +351 213 928 400 · https://www.cnpd.pt
