This Privacy Policy applies to personal data we collect when you:

• browse the Website,
• create a customer account,
• place an order as a registered customer or as a guest,
• sign up to receive marketing communications, or
• contact us for any reason (for example, with a question or complaint).

It does not apply to third-party websites or services that may be linked from our Website (for example, payment providers’ pages or social media platforms). Those services have their own privacy policies.

1. Data You Provide to Us

   We collect personal data that you voluntarily provide to us when interacting with the Website. This includes information you provide when:

   • Creating a customer account: first name, last name, email address, password, phone number (optional), billing/delivery address (optional), VAT number (for business customers).
   • Placing an order (registered or guest): first name, last name, email address, phone number, billing address, delivery address, VAT number (where relevant), order details, communication related to the order.
   • Contacting us: name, contact details, and the content of your message.
   • Signing up for marketing: name, email address, and your marketing preferences.

   We use this data to process orders, manage your account, respond to inquiries, and send marketing communications (with your consent).

   ---

2. Data We Collect Automatically

   When you browse the Website, we automatically collect technical and usage information, including:

   • IP address;
   • browser type and version;
   • operating system;
   • pages visited and time spent on each;
   • referring website or source;
   • information about how you interact with the Website.

   This data is collected using cookies and similar technologies. Essential cookies are necessary for the Website to function (e.g., shopping basket), while non-essential cookies (e.g., analytics, marketing) are used only where permitted by law and your preferences.

   For more details, please see our Cookie Policy.

1. Creating and Managing Your Customer Account

   We process your account data to:

   • register your account;
   • allow you to log in and manage your details and orders;
   • provide customer support related to your account.

   Legal basis: performance of a contract (Article 6(1)(b) GDPR) to provide the account services you request. In some cases, our legitimate interest (Article 6(1)(f)) in operating an efficient e-commerce platform may also apply.

   ---

2. Processing and Delivering Your Orders

   We process personal data provided in connection with an order (including guest orders) in order to:

   • accept and confirm your order;
   • process payment with our payment partners;
   • prepare and deliver products to the delivery address you specify;
   • communicate with you about your order (order confirmation, delivery updates, returns or complaints).

   Legal basis: performance of a contract (Article 6(1)(b) GDPR). Without this data we cannot complete your purchase.

   ---

3. Complying with Legal and Regulatory Obligations

   We keep certain records of your transactions and communications in order to:

   • comply with Portuguese tax, accounting and corporate record-keeping obligations;
   • respond to requests from public authorities where we are legally required to do so;
   • comply with consumer protection and product safety laws, including Decree-Law No. 84/2021 and Law No. 24/96.

   Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR), for example under Portuguese tax law and commercial registry requirements.

   ---

4. Managing Our Relationship and Providing Customer Support

   We use your contact details and correspondence to:

   • respond to your questions and requests,
   • handle complaints and defective product claims,
   • notify you about changes to our terms or this Privacy Policy.

   Legal basis: performance of a contract (Article 6(1)(b) GDPR) and/or our legitimate interest in providing good customer service and protecting our legal position (Article 6(1)(f)).

   ---

5. Sending Marketing Communications

   If you choose to receive marketing emails (for example, about new products, promotions or events), we will use your name and email address to send you such communications.

   Legal basis: your consent (Article 6(1)(a) GDPR), or our legitimate interests (Article 6(1)(f)) where permitted by Portuguese e-privacy rules. You can withdraw consent or opt out of marketing at any time by clicking the “unsubscribe” link in our emails or contacting us.

   ---

6. Website Security, Fraud Prevention and Analytics

   We may use automatically collected data (such as IP address and device information) to:

   • maintain the security and integrity of the Website;
   • detect and prevent fraud or misuse of our services;
   • compile aggregated statistics and analytics to improve our Website, products and services.

   Legal basis: our legitimate interests (Article 6(1)(f) GDPR) in ensuring the security of our Website and improving our business operations.

We do not collect or store your full payment card details. When you pay for an order, you are redirected to (or an embedded frame connects you with) a secure payment provider (for example, Stripe, PayPal, or Portuguese payment processors). We send them only the data necessary to process the payment, such as:

• name;
• billing address;
• email;
• order total and order ID.

The payment provider may collect additional information directly from you and your device (such as card details, device identifiers or IP address) to process the transaction and for fraud prevention. Their use of your personal data is governed by their own privacy policy, which we encourage you to read.

To deliver your order, we share the necessary delivery details with our logistics partners and courier companies operating in Portugal and internationally, including:

• name;
• delivery address;
• phone number;
• email address (where needed for delivery updates);
• order reference.

This information is provided either:

• manually (for example, by inputting data into the courier’s web portal), or
• via an integration (for example, using APIs, CSV export or another secure electronic method).

We only share the data required for the courier to perform delivery and related tracking or notification services.

We keep personal data only for as long as necessary for the purposes for which it was collected, and to comply with legal, accounting, or reporting obligations. In particular:

• Customer accounts: we retain your account data for as long as your account is active. If you ask us to delete your account, we will deactivate it and either delete or anonymise personal data associated with the account, except for data that we must keep for legal or accounting purposes.
• Orders (including guest orders): we typically retain order information (including your contact and billing details) for up to ten (10) years from the end of the financial year in which the order was placed, in line with Portuguese tax and commercial record-keeping requirements.
• Marketing data: we retain your marketing preferences and related personal data until you unsubscribe or object to receiving marketing communications. We may also keep a minimal record of your opt-out (for example, your email address and the fact you unsubscribed) to ensure we do not send you marketing in future.
• Customer support correspondence: we retain correspondence and related data for as long as necessary to resolve your query or complaint, and for a reasonable period afterwards to protect our legal interests (usually up to five (5) years, in line with general Portuguese limitation periods).

If we are subject to a legal claim, investigation or audit, we may need to retain data beyond the periods stated above for the duration of the matter and for any applicable limitation period.

We do not sell your personal data. We may share your personal data with the following categories of recipients, only to the extent necessary for the purposes described in this Privacy Policy:

• Service providers: such as IT hosting providers, e-commerce platform providers, email service providers, customer support tools and professional advisers (for example, lawyers or accountants) who provide services to us and are subject to confidentiality and data protection obligations.
• Payment providers: third-party payment processors who handle your payments and card details.
• Delivery and logistics partners: courier companies and fulfilment providers who deliver orders or handle returns.
• Group companies and business partners: where necessary for internal administration, reporting or to support our e-commerce operations.
• Public authorities and regulators: where we are legally obligated to do so (for example, to Portuguese tax authorities (AT), Comissão Nacional de Proteção de Dados, law enforcement or other authorities) or where disclosure is necessary to protect our rights, customers or others.

Where we use service providers to process personal data on our behalf, we ensure that they only process the data according to our instructions and under a written data processing agreement as required by the GDPR.

Some of our service providers or group companies may be located outside the European Economic Area (EEA), or may use servers located outside the EEA. If personal data is transferred to a country that has not been recognized by the European Commission as providing an adequate level of data protection, we will ensure that appropriate safeguards are in place, such as:

• using standard contractual clauses approved by the European Commission,
• relying on adequacy decisions, or
• implementing other lawful transfer mechanisms under the GDPR.

You can contact us using the details above if you would like more information about how we protect personal data in relation to international transfers.

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or damage. These measures include, for example:

• using secure (HTTPS) connections for the Website;
• restricting access to personal data to authorised staff and service providers on a need-to-know basis;
• using hashed passwords for customer accounts;
• maintaining appropriate backup and logging procedures;
• regularly reviewing our security policies and practices.

However, no system can be completely secure. While we do our best to protect your personal data, we cannot guarantee the security of information transmitted to or from the Website over the internet.

Under the GDPR and Portuguese Law No. 58/2019, you have a number of rights in relation to your personal data. These rights are subject to certain conditions and exemptions. In particular, you may have the right to:

• Access: request confirmation as to whether we process your personal data and obtain a copy of the personal data we hold about you.
• Rectification: request that we correct inaccurate or incomplete personal data about you.
• Erasure: request that we delete your personal data, for example where it is no longer necessary for the purposes for which it was collected, or where you withdraw your consent (where applicable). This is sometimes called the “right to be forgotten”.
• Restriction: request that we restrict the processing of your personal data in certain circumstances (for example, while we are verifying the accuracy of your data or assessing an objection).
• Data portability: request to receive personal data that you have provided to us in a structured, commonly used and machine-readable format, and have it transferred to another controller, where the processing is based on your consent or on a contract and is carried out by automated means.
• Objection: object at any time to the processing of your personal data where the legal basis is our legitimate interests. We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or where processing is necessary for the establishment, exercise or defence of legal claims.
• Direct marketing: you have an absolute right to object at any time to the processing of your personal data for direct marketing purposes, including profiling related to direct marketing. If you object, we will stop using your data for this purpose.
• Withdraw consent: where we rely on your consent to process personal data (for example, for certain types of marketing), you can withdraw your consent at any time. This does not affect the lawfulness of processing before you withdrew your consent.
• Lodge a complaint: with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD).

To exercise any of these rights, please contact us using the contact details in section 1. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise your other rights).

If you have any questions or concerns about how we use your personal data, or if you wish to exercise your rights, you can contact us at:

Email: gdpr@spraga.com or info@spraga.com

Postal address: Spraga Beverages PT Ltd Rua da Artilharia Um, 63b, 1250-038 Lisbon, Portugal.

We will respond to your request as soon as reasonably possible and in any event within the time limits set out in the GDPR (generally one month).

If you are unhappy with how we have used your personal data, we would appreciate the chance to resolve your concerns in the first instance. Please contact us using the details above.

You also have the right to lodge a complaint with the Portuguese supervisory authority for data protection, the Comissão Nacional de Proteção de Dados (CNPD):

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134, 1º
1200-651 Lisboa
Portugal
Website: https://www.cnpd.pt/
Email: geral@cnpd.pt
Telephone: +351 213 928 400

For more information on your rights and how to make a complaint, please visit the CNPD’s website.

We may update this Privacy Policy from time to time, for example to reflect changes in the law, our practices or the Website. The most current version will always be available on the Website and will include the date it was last updated.

We encourage you to review this Privacy Policy periodically to stay informed about how we use your personal data.

Current version: 26 January 2026