Privacy Policy

Royal Stranger

Effective date: 03.09.2025

Royal Stranger (hereinafter referred to as “Royal Stranger”, “we”, “our”, “us”) respects your privacy and is committed to protecting the personal data of our clients, partners, and website visitors. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you interact with our website, request product information, or subscribe to our communications.

By using our website, you acknowledge that you have read and understood this Policy. Jurisdiction-specific notes are provided below for the EU/EEA, United Kingdom and United States.

Global overview

• Controller: Rufia Lda., Rua Dr. Florido Toscano, n. 109, 4405-612 Valadares, Portugal,
• Contact for DPO and privacy: [email protected],
• Data sources: we collect personal data directly from you, automatically via cookies and similar technologies when you use our website,
• Data minimization: we only collect the personal data necessary for the purposes described below and avoid sensitive categories unless strictly required for legal compliance or fraud prevention,
• Minors: our services are nor directed to minors. We do not knowingly collect personal data from minors.

Part A – EU/EEA Privacy Notice

1. Identity of the controller and contact

• Controller: Rufia Lda., Rua Dr. Florido Toscano, n. 109, 4405-612 Valadares, Portugal
• Contact for DPO and privacy: [email protected]

2. Scope of this Policy and who this applies to

This section applies if you are in the European Union/EEA. It covers the personal data we process when you:

• Visit or use our websites and online services,
• Contact us, request quotations or place orders,
• Subscribe to newsletter or marketing communications,
• Interact with us as a supplier or business partner.

3. Categories of personal data we process

• Identification and contact details: name, email, phone number, company, role or title, postal address,
• Communication preferences: newsletter subscriptions and opt-in/opt-out status, consent records (timestamp, source, version),
• Technical and usage data: IP address, device and browser type, operating system, pages visited, referring URLs, interactions, cookie identifiers and analytics data,
• Security and compliance logs: access logs, error logs, fraud prevention signals.

We do not intentionally collect data from minors. Our website is not directed to minors.

4. Purposes, legal bases and retention

We process personal data for:

4.1 Responding to inquiries and providing product information:

1. Legal basis: legitimate interests (to manage B2B relationships and respond to requests) or contractual steps at your request,
2. Retention: up to 2 (two) years after the last interaction, unless a contract follows.

4.2 Order processing, production, deliveries and after-sales support:

1. Legal basis: contract performance,
2. Retention: contractual records as needed; invoices/financial records retained for 10 (ten) years to meet accounting and tax obligations.

4.3 Customer relationship management and service improving:

1. Legal basis: legitimate interests (to improve services, ensure quality and grow our business),
2. Retention: up to 3 (three) years after the last interaction, unless longer is required by law or for the establishment, exercise or defense of legal claims.

4.4 Marketing communications (including but not limited to newsletters, updates and invitations):

1. Legal basis: consent. You may withdraw at any time via the unsubscribe link or by contacting us,
2. Retention: until consent is withdrawn or after 2 years of inactivity.

4.5 Analytics and performance (non-essential cookies):

1. Legal basis: consent. Cookies set only after you opt in,
2. Retention: as per our Cookie Policy.

4.6 Security, fraud prevention and legal compliance:

1. Legal basis: legitimate interests (to secure systems and prevent misuse) and/or legal obligation,
2. Retention: security logs up to 12 (twelve) months, extended if investigating incidents.

5. Cookies and consent

We use:

• Essential cookies: required for the website functionality.
• Analytics cookies: help us understand the website usage (e.g., Google Analytics, with IP anonymization where available).
• Marketing cookies: deliver personalized advertising and measure campaigns.

We deploy a consent banner that lets you accept all, reject non-essential or customize cookies. Non-essential cookies load only after consent. You can change your preferences anytime via Cookie Settings. See our Cookie Policy for a full list of cookies, purposes, durations and third parties.

6. Sharing and recipients of personal data

We share personal data with:

• Service providers (processors) under Article 28 GDPR: hosting/IT support, analytics platforms, email marketing tools, payment processors, logistics and shipping providers, accountants, and legal advisers. We bind them by contracts and require appropriate security measures.
• Authorities where required by law or to protect rights.

We do not sell or rent personal data.

7. International transfers

If we transfer your personal data outside the EEA, we implement appropriate safeguards, typically the EU Standard Contractual Clauses (SCCs). We conduct transfer impact assessments and apply supplementary measures (e.g., encryption, minimization) where necessary.

8. Your Rights

Under the GDPR, you have the right to:

• access your personal data,
• request rectification or erasure,
• restrict processing,
• object to processing based on legitimate interests,
• data portability (when processing is based on consent or contract and carried out by automated means),
• withdraw consent at any time without affecting the lawfulness of prior processing,
• lodge a complaint with a supervisory authority: in Portugal, the CNPD (www.cnpd.pt).

To exercise your rights, [email protected]. We will respond within one month (extendable by two months for complexity).

9. Security

We implement appropriate technical and organizational measures, including TLS encryption in transit, access controls and least privilege, multi-factor authentication for admin access, backups, logging and monitoring, staff training, data minimization, retention and deletion policies, and incident response. In case of a personal data breach that is likely to result in a risk to individuals, we will notify the CNPD within 72 hours and affected individuals when required.

10. Updates to this notice

We may update this Notice to reflect changes in our practices or legal requirements. We will post updates with a revised Effective Date. If changes are material, we may provide additional notice (e.g., banner or email).

Part B – United Kingdom Privacy Notice (UK GDPR)

This section applies if you are in the United Kingdom or if our processing is caught by the UK GDPR’s extraterritorial scope.

1. Identity of the controller and contact

• Controller: Rufia Lda., Rua Dr. Florido Toscano, n. 109, 4405-612 Valadares, Portugal
• Contact for DPO and privacy: [email protected]

2. Legal bases and purposes

The purposes and legal bases mirror those set out in Part A (EU Notice). Where we rely on legitimate interests, we have assessed these and consider they are not overridden by your interests or fundamental rights and freedoms. You may object at any time.

3. Cookies and consent

We operate a consent framework in line with the UK Privacy and Electronic Communications Regulations (PECR): non-essential cookies and similar technologies are set only with your consent. You can manage preferences through the cookie banner and Cookie Settings at any time.

4. International transfers

When transferring personal data from the UK to countries without adequacy, we use appropriate safeguards such as:

• The UK International Data Transfer Agreement (IDTA), or
• The UK Addendum to the EU SCCs, and perform transfer risk assessments. Supplementary measures may be applied as needed.

5. Your rights (UK GDPR)

You have rights to access, rectification, erasure, restriction, objection (including to direct marketing), and data portability (where applicable), as well as the right to withdraw consent at any time. You can lodge a complaint with the Information Commissioner’s Office (ICO): www.ico.org.uk.

• Contact us at [email protected] to exercise your rights. We aim to respond within one month (extendable by two months for complexity).

6. Security and Updates

We apply appropriate security measures as described in Part A and update this Notice as required for the UK.

Part C – United States Privacy Notice (State Laws, including California)

This section applies to “consumers” residing in U.S. states with applicable privacy laws (e.g., California CCPA/CPRA; Virginia VCDPA; Colorado CPA; Connecticut CTDPA; Utah UCPA), to the extent those laws apply to our processing. If we do not meet applicability thresholds in a given state, this section may not apply.

1. Categories of personal information we collect

• Identifiers: name, email, phone number, postal address, IP address, online identifiers (e.g., cookie IDs).

• Commercial information: product interests, quotations, orders, delivery details.
• Internet or network activity: browsing history on our site, interactions, device and browser information.
• Geolocation (coarse): derived from IP, for analytics and localization.
• Inferences: preferences derived from interactions (if used for personalization).
• Sensitive personal information: we do not intentionally collect or process sensitive personal information as defined by the CPRA (e.g., precise geolocation, government IDs) except to the extent strictly necessary for compliance or fraud prevention.

2. Sources of personal information

Directly from you (forms, email, phone), automatically from your device via cookies/trackers (with your consent where required), and from service providers or publicly available sources in a business-to-business context.

3. Purposes for use

We use personal information for: providing and improving services; fulfilling requests and orders; customer service; marketing (with opt-in/opt-out mechanisms as applicable); analytics; security and fraud prevention; compliance with law. See Part A for more detail.

4. Disclosures of personal information

We disclose personal information to service providers and contractors for business purposes (hosting, analytics, email marketing, logistics, payment processing, professional advisors). We may disclose to authorities when required by law. We do not “sell” personal information for monetary consideration. We also do not “share” personal information for cross-context behavioral advertising unless specified.

5. Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Notice, meet legal obligations, resolve disputes, and enforce agreements. Typical periods: leads and inquiries up to 2 years; customer/accounting records 10 years (tax); security logs up to 12 months; cookies per our Cookie Policy.

6. Your Privacy Rights

Subject to applicable law, you may have the right to:

• Know/access the categories and specific pieces of personal information we collected about you,
• Correct inaccurate personal information,
• Delete personal information,
• Opt out of sale or sharing of personal information (if applicable),
• Limit the use and disclosure of sensitive personal information (if applicable),
• Opt out of targeted advertising and certain profiling (in some states),
• non-discrimination for exercising your rights.

To exercise rights, contact: [email protected]

7. Minor’s data

Our services are not directed to minors. We do not knowingly sell or share personal information of minors.

8. Metrics and appeals

Where required, we will maintain records of requests and provide appeal mechanisms for denied requests (e.g., Colorado, Virginia). Instructions will be provided in our response if a request is denied.

9. Changes to this U.S. Notice

We may update this section to reflect changes in state laws or our practices.   For U.S. matters: use the contact details above; include “U.S. Privacy Request” in the subject line.