Privacy Policy – Bottle Express, Unipessoal Lda
Effective: September 2025
We take data protection seriously. This privacy policy explains how we collect, use, and handle your personal data in line with the EU General Data Protection Regulation (GDPR) and Portuguese Law No. 58/2019.
Our website address is: https://bottleexpress.pt
—
1. Automated Order Processing
We use automated systems to process orders and send updates (e.g., via email or WhatsApp). This includes order confirmations, invoice generation, and shipping notifications.
These automations are carried out in accordance with Art. 6(1)(b) GDPR – to perform our contract with you.
We do not use profiling or decision-making based solely on automation.
—
2. What data we collect
We only collect and store personal data when you actively share it with us – for example, when placing an order, contacting us, or creating an account. This includes:
First and last name
Billing and delivery address
Email address
Phone number (optional)
Payment details
We process this data in accordance with Art. 6(1)(b) GDPR – to fulfill our contract with you or to take steps at your request before entering into a contract.
—
3. Why we process your data
We use your data strictly for:
Processing and delivering your order
Sending invoices
Communicating with you (email, WhatsApp, phone)
Fulfilling our legal bookkeeping obligations
Order confirmation and updates
We don’t use your data for anything else – no advertising without your permission.
—
4. Who we share your data with
We only share your data with third parties when necessary for the delivery of your order:
Payment providers (e.g., PayPal, Stripe, myPOS)
Accounting software (e.g., Moloni)
Hosting and IT providers
Delivery partners if applicable
We do not sell your data. Data may be transferred outside the EU only if necessary and only with proper safeguards in place, as required by GDPR Articles 44+.
—
5. Your rights
Under GDPR, you have the right to:
Access your data (Art. 15 GDPR)
Correct your data (Art. 16 GDPR)
Request deletion (Art. 17 GDPR)
Restrict processing (Art. 18 GDPR)
Receive your data in a portable format (Art. 20 GDPR)
Object to data use (Art. 21 GDPR)
File a complaint with a data protection authority
In Portugal, the responsible authority is:
Comissão Nacional de Proteção de Dados (CNPD)
—
6. Data security
We take technical and organizational security measures to protect your data from unauthorized access or loss. Our website is SSL-encrypted.
—
7. Data retention
We store your data only as long as needed – either for legal reasons or to fulfill our contract with you. Nothing more.
—
8. Cookies and tracking
Our website uses cookies to improve user experience. You can manage or reject cookies in your browser settings. We don’t use aggressive tracking or hidden marketing scripts.
—
9. Changes
We may update this privacy policy if laws change or our services do. The version published on our website is always the current one.
—
10. Data Processing at IONOS
We use the services of IONOS SE (Elgendorfer Straße 57, 56410 Montabaur, Germany) to host our website. We have concluded a data processing agreement (DPA) with IONOS in accordance with Art. 28 GDPR. IONOS undertakes to process the data of our website visitors exclusively in accordance with our instructions and to take all technical and organizational measures to protect personal data.
IONOS’ servers are located within the European Union. Data processing is carried out exclusively in accordance with applicable data protection laws and serves the secure and reliable operation of this website.
Further information can be found in the IONOS privacy policy at:
https://www.ionos.de/terms-gtc/datenschutzerklaerung
—
11.Payment Processing
To process your order, we offer several electronic payment methods. Payments are handled via external payment service providers. Depending on the selected payment method, personal data such as your name, email address, billing amount, IP address, and – depending on the provider – other necessary payment-related information will be transferred to the respective service.
The legal basis for this data processing is Article 6 (1)(b) of the GDPR, as it is necessary for the performance of the contract.
PayPal
If you choose PayPal, your payment data will be transmitted to:
PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg, Luxembourg
PayPal may carry out a credit check. For more information on how PayPal processes your data, please visit:
https://www.paypal.com/de/webapps/mpp/ua/privacy-full
Credit Card Payment (Visa, Mastercard, American Express)
Credit card payments are processed through our payment provider:
Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands
Personal data (e.g. name, billing amount, IP address, card details) is transferred to Mollie for payment processing. Mollie acts as the technical processor and forwards the data to the relevant card networks:
• Visa Europe Services Inc., 1 Sheldon Square, London W2 6TT, United Kingdom
• Mastercard Europe S.A., Chaussée de Tervuren 198A, 1410 Waterloo, Belgium
• American Express Europe S.A., Avenida Partenón 12-14, 28042 Madrid, Spain
All parties process data in accordance with the General Data Protection Regulation (GDPR).
Mollie privacy policy:
https://www.mollie.com/en/privacy
Google Pay
Google Pay is a service provided by:
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland
If you use Google Pay, Google transmits your payment details to the selected payment provider. Google may also process personal data.
Privacy policy:
https://policies.google.com/privacy
MB WAY
If you choose MB WAY, your payment information (e.g., phone number, amount) is transmitted to:
SIBS Forward Payment Solutions, S.A., Rua Soeiro Pereira Gomes, Lote 1, 1649-031 Lisboa, Portugal
MB WAY is a mobile payment service offered by Portuguese banks.
Privacy policy:
https://www.mbway.pt/politica-de-privacidade
Summary of Payments
Using one of these payment services is optional. Your data will only be transmitted to the selected provider if you actively choose that payment method. All providers operate in compliance with the GDPR and – where applicable – within the framework of EU regulations.
—
12. Contact Form
If you contact us via the contact form on our website, we will collect and process the information you enter into the form – including:
• First and last name
• Email address
• Phone number (optional)
• Subject
• Your message
We process this data solely for the purpose of handling your inquiry and contacting you.
The legal basis for this processing is:
• Art. 6(1)(b) GDPR – to respond to pre-contractual requests, or
• Art. 6(1)(f) GDPR – based on our legitimate interest in providing good customer service.
We do not use your contact details for marketing purposes unless you have given explicit consent.
Your data will be stored only as long as necessary to respond to your request or to meet legal documentation requirements.
This information is not shared with third parties unless required to fulfill your inquiry.
—
13. Location Data and Google Maps
Our website uses location-based services to assist with accurate delivery address input. If you choose to allow access to your current location via your browser, your device’s GPS coordinates will be processed in order to suggest or pre-fill your delivery location.
We use the Google Maps API to display interactive maps and determine coordinates. When you use this function, information (including your IP address and location data) may be transmitted to Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.
The processing of location data is based on your explicit consent (Art. 6(1)(a) GDPR). You can allow or deny location access via your browser settings.
Google processes this data under its own privacy terms, available at:
https://policies.google.com/privacy
We do not store or share your GPS coordinates beyond the purpose of matching your delivery address.
—
14. Social Media Links
Our website includes links to our social media profiles on Instagram and Facebook. These are external links only – we do not embed social media plugins that automatically transmit data.
When you click on one of these links, you will be redirected to the respective social media platform. At that moment, the platform may collect personal data from you (e.g., your IP address, device information, or account activity), especially if you are logged into your social media account.
We have no control over how these platforms process your data. For more information, please refer to their respective privacy policies:
Instagram (Meta Platforms Ireland Ltd.)
https://privacycenter.instagram.com/policy
Facebook (Meta Platforms Ireland Ltd.)
https://www.facebook.com/privacy/policy
The legal basis for providing these links is our legitimate interest in promoting our services (Art. 6(1)(f) GDPR). No data is transferred to these platforms unless you actively click on the links.
—
15. Newsletter
If you subscribe to our newsletter, we will use your email address to send you updates, offers, and news about our products and services.
We use a double opt-in process: After signing up, you will receive a confirmation email to verify your subscription. Your data will not be added to the mailing list unless you confirm.
We store your subscription data (email address, IP address, time of signup) based on Art. 6(1)(a) GDPR (your consent). You can unsubscribe at any time by clicking the unsubscribe link in any of our emails or by contacting us directly.
We use the newsletter service solely for the purposes described and do not share your email address with third parties for marketing purposes.
If we use an external newsletter provider, data processing is carried out in accordance with Art. 28 GDPR under a data processing agreement.
(Currently: No third-party provider in use / or insert name of provider if known)
—
16. Communication via WhatsApp
If you choose to contact us via WhatsApp or receive order updates through WhatsApp, your phone number and message content will be processed by WhatsApp Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland.
WhatsApp processes data in accordance with their privacy policy:
https://www.whatsapp.com/legal/privacy-policy-eea
We do not use WhatsApp for unsolicited advertising.
—
17. Google Analytics
We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google Analytics uses cookies that allow us to analyze how users interact with our website. The information collected includes:
• IP address (anonymized)
• Browser type
• Pages visited
• Time spent on each page
• Referring pages
We use Google Analytics in anonymized mode, meaning your IP address is truncated within the EU before being transmitted to Google. This prevents personal identification.
The data is processed to understand usage patterns and improve the user experience. The legal basis for this processing is Art. 6(1)(a) GDPR – your consent via the cookie banner.
Google may transfer data to servers in the United States. Google is certified under the EU-U.S. Data Privacy Framework, ensuring an adequate level of protection.
You can withdraw your consent at any time by changing your cookie preferences or using the following browser add-on:
https://tools.google.com/dlpage/gaoptout
Google’s privacy policy:
https://policies.google.com/privacy
—
18. Cookie Banner / Consent Management
To ensure compliance with the General Data Protection Regulation (GDPR), our website uses a cookie banner that asks for your consent before placing any cookies or similar technologies that are not strictly necessary.
When you visit our site for the first time, a banner will appear asking you to accept or reject cookies used for purposes such as:
• Analytics (e.g. Google Analytics)
• Location services (e.g. Google Maps)
• Embedded content (e.g. YouTube)
• Functional tools (e.g. remembering preferences)
Your consent is logged and stored in accordance with Art. 6(1)(a) GDPR. You can change or withdraw your consent at any time by accessing the “Cookie Settings” link in the footer of our website.
Cookies that are technically necessary for website operation are placed based on Art. 6(1)(f) GDPR (legitimate interest).
We use a consent management platform to store your preferences and log consent data in compliance with Art. 7 GDPR.
—
19. Customer Accounts and User Profiles
If you create a customer account on our website, we will store and process the following data:
• Full name
• Email address
• Billing and shipping address
• Phone number (if provided)
• Order history
• Login credentials (encrypted password)
This data is processed in accordance with Art. 6(1)(b) GDPR, for the purpose of managing your orders, tracking past purchases, and providing you with faster checkout experiences.
You can update or delete your account information at any time through the account dashboard.
If you wish to delete your entire customer account, please contact us directly at [insert your email address].
We will retain your account data as long as it is necessary to fulfill our contractual obligations or until you request deletion, unless legal retention requirements apply.
Passwords are stored in encrypted form and cannot be accessed by us.
We do not share your account data with third parties except where required for payment processing, invoicing, or shipping.
—
20. External Review Platforms (TripAdvisor)
We link to our profile on TripAdvisor to allow customers to view external reviews about our service. When you click the link, you are redirected to the platform operated by TripAdvisor LLC, 400 1st Avenue, Needham, MA 02494, USA.
No personal data is transmitted unless you actively click the link. For more information, please refer to their privacy policy:
https://tripadvisor.mediaroom.com/UK-privacy-policy
—
21. Meta Pixel (Facebook Pixel)
We use the Meta Pixel (formerly Facebook Pixel) provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland, to measure the effectiveness of our Facebook and Instagram ads and to optimize our advertising strategy.
The Meta Pixel enables us to track users’ behavior after they click on a Meta ad and are redirected to our website. This allows us to measure ad performance and create custom audiences for remarketing.
The data collected includes:
IP address
Browser information
Visited pages
Conversion events (e.g. purchases)
If you are logged into your Facebook or Instagram account, Meta can associate this information with your user profile.
We use the Meta Pixel only with your prior consent (Art. 6(1)(a) GDPR), which you provide through our cookie banner. You can withdraw your consent at any time.
Meta may transfer data to servers in the United States. Meta is certified under the EU-U.S. Data Privacy Framework, providing adequate protection under Art. 45 GDPR.
More information on how Meta processes your data can be found in their privacy policy:
https://www.facebook.com/privacy/policy
You can manage your ad preferences or disable tracking here: https://www.facebook.com/adpreferences/ad_settings
—
22.Clause of Conditional Consent Validity
We rely on user consent for the use of certain cookies and tracking technologies.
If such consent was technically invalid, incomplete, or withdrawn via browser extensions or blockers, we will not use the associated data and consider it void.
Users are responsible for ensuring the proper functioning of consent mechanisms on their devices.
—
23. Legitimate Interest in Anti-Fraud Measures
We process certain behavioral and technical data under the legal basis of legitimate interest (Art. 6(1)(f) GDPR) for the purpose of fraud detection, system protection, and abuse prevention.
This includes IP logging, order pattern analysis, and session data to detect misuse or automated behavior.
Such data is not used for profiling or marketing purposes.
—
24.Clause of Dynamic Data Processor Change
Bottle Express, Unipessoal Lda reserves the right to replace or update third-party processors or service providers (e.g. for payments, analytics, geolocation, email delivery) without prior individual notice, as long as the new processor ensures GDPR compliance.
An updated list of data processors can be provided upon request.
—
25. Limitation of Liability for Third-Party Failures
While we carefully select and monitor all third-party service providers (e.g. payment gateways, analytics tools, communication platforms),
Bottle Express, Unipessoal Lda is not liable for data breaches, processing errors, or legal violations caused by those external parties beyond our control.
All third-party services are contractually bound to comply with the GDPR under data processing agreements.
—
26.Refusal or restriction of requests for information
In accordance with Article 23 of the GDPR and Article 20 of Law 58/2019, Bottle Express, Unipessoal Lda may restrict or refuse to disclose certain personal data in response to access requests if doing so is necessary to protect trade secrets, ongoing investigations, fraud prevention systems, or the rights and freedoms of others.
—
27. Explicit protection against GDPR abuse
Bottle Express, Unipessoal Lda reserves the right to reject excessive, unfounded, or systematically abusive data requests in accordance with Article 12(5) GDPR and Article 21 of Law 58/2019.
This includes repetitive or unjustified access, erasure, or objection requests used to disrupt normal business operations.
—
28. Data Sovereignty and Jurisdiction Limitation
All personal data collected and processed by Bottle Express Lda is stored and managed on servers located within the European Union and governed exclusively by European data protection laws, particularly the GDPR and Portuguese Law No. 58/2019.
By using our services, users agree that any legal disputes concerning personal data must be resolved within the jurisdiction of Portugal, under the oversight of the Comissão Nacional de Proteção de Dados (CNPD).
No data will be voluntarily transferred to jurisdictions outside the EU that lack adequate protection under GDPR, unless required by law or covered by valid contractual safeguards (e.g. SCCs).
—
29.No Personal Data Without Technical Context
Personal data is not collected or stored simply by visiting our website.
Any data processing activities only occur when technically or contractually justified – for example, during order placement, location-based delivery processing, payment handling, or analytics.
We do not collect “silent data” in the background.
Any data collection serves a legitimate, user-related purpose and is always either:
• based on consent (Art. 6(1)(a) GDPR),
• required for contract performance (Art. 6(1)(b) GDPR),
• or based on a legitimate interest (Art. 6(1)(f) GDPR) – e.g., fraud prevention or technical functionality.
—
30. Controller / Data Controller
The controller responsible for the processing of your personal data on this website, in accordance with the General Data Protection Regulation (GDPR) and the Portuguese Data Protection Law (Lei n.º 58/2019), is:
Bottle Express, Unipessoal Lda
Avenida do Atlântico, Nº 16, escritório 2.01,
1990-019, Parque das Nações Lisboa
Email: info@bottleexpress.pt
Phone: +351 960 270 862
Bottle Express, Unipessoal Lda is registered in Portugal and processes personal data in compliance with EU data protection regulations. If you have any questions about data protection or wish to exercise your rights, you can contact us via the email address provided above.