Hephaesnus

Privacy Policy

01/04/2026

Your privacy is important to us. This Privacy Policy explains how Hephaesnus, Lda. (NIF: 516861450), with registered office at Urbanização Vila Pavão, 4540-322 Escariz, Portugal, collects, uses, stores and protects your personal data when you use the www.sallus.pt website and the associated services.

This policy has been drawn up in compliance with the General Data Protection Regulation (GDPR — Regulamento (UE) 2016/679) and the Diretiva ePrivacy (2002/58/CE), as transposed by Lei n.º 41/2004 and Lei n.º 46/2012 in Portugal.

1. Personal Data We Collect

We collect the following personal data, depending on your interaction with the website:

a) Data provided by the user

  • Registration and authentication: name, email address (via Google OAuth or registration with email/password);
  • Orders: full name, email, NIF (optional), shipping address, telephone;
  • Contact form: name, email, subject and message.

b) Data collected automatically

  • IP address: recorded at the time an order is created, for the purposes of fraud prevention and compliance with legal obligations;
  • Browsing data: pages visited, session duration, device type — only when the user consents to the activation of analytics cookies (Google Analytics 4).

2. Legal Bases for Processing

Your data is processed on the following legal bases (Art. 6.º do RGPD):

  • Processing of orders and payments — Performance of a contract (Art. 6.º(1)(b))
  • Issuance of invoices and tax obligations — Legal obligation (Art. 6.º(1)(c))
  • Fraud prevention (IP logging) — Legitimate interest (Art. 6.º(1)(f))
  • Response to contact requests — Legitimate interest (Art. 6.º(1)(f))
  • Analytics cookies (Google Analytics 4) — Consent (Art. 6.º(1)(a))

3. Cookies and Local Storage

In compliance with the Diretiva ePrivacy and the Portuguese transposing law, the website displays a consent banner on the first visit. No non-essential cookie is activated without the user's explicit consent.

a) Strictly necessary cookies (no consent required)

These cookies are indispensable for the operation of the website and cannot be disabled. Their legal basis is legitimate interest (Art. 6.º(1)(f) do RGPD) and the exception provided for in Art. 5.º(3) da Diretiva ePrivacy.

  • sb-*-auth-token — Authentication and session management (Supabase) — Duration: Session
  • sallus-cookie-consent — Record of the user's cookie choice — Duration: 180 days
  • localStorage: sallus-cart — Persistence of the shopping cart between sessions — Duration: Persistent (local)

b) Analytics cookies (require consent)

These cookies are only activated after the user explicitly consents through the cookie banner. The legal basis is consent (Art. 6.º(1)(a) do RGPD).

  • _ga — Google Analytics 4 — Distinction of unique visitors — Duration: 2 years
  • _ga_* — Google Analytics 4 — Persistence of session state — Duration: 2 years

The user may change or withdraw their consent at any time by clicking on "Manage cookies" in the website footer, or through their browser settings.

4. Sub-processors and Data Transfers

To provide our services, we rely on the following sub-processors:

  • Hosting and CDN — Vercel Inc. — Website hosting (Paris region) — Location: EU (cdg1)
  • Database and authentication — Supabase Inc. — Data storage and authentication — Location: EU
  • Payments — EuPago — Payment processing (MB WAY, Multibanco, card) — Location: Portugal
  • Transactional email — Resend Inc. — Sending of order confirmations and contact emails — Location: USA (SCCs)
  • Analytics — Google LLC — Traffic analysis (only with consent) — Location: USA (SCCs)

Transfers outside the European Economic Area (EEA) are protected by the EU-U.S. Data Privacy Framework (European Commission adequacy decision, July 2023, confirmed by the General Court of the EU in September 2025) and/or by the European Commission's Standard Contractual Clauses (SCCs), in accordance with Art. 46.º(2)(c) do RGPD.

5. Data Retention Period

  • Order and invoicing data: 10 years (Portuguese tax obligation — Art. 40.º do Código Comercial);
  • Account data: until the user requests the deletion of the account;
  • Contact data (form): 12 months after the request has been resolved;
  • IP addresses: 12 months;
  • Analytics data (GA4): 14 months (default Google Analytics 4 configuration).

6. Rights of Data Subjects

Under the GDPR (Arts. 15.º a 22.º), you have the right to:

  • Access — obtain confirmation and a copy of your personal data;
  • Rectification — correct inaccurate or incomplete data;
  • Erasure ("right to be forgotten") — request the deletion of your data, where applicable;
  • Restriction of processing — restrict processing in certain circumstances;
  • Portability — receive your data in a structured, machine-readable format;
  • Objection — object to processing based on legitimate interest;
  • Withdrawal of consent — withdraw consent for analytics cookies at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us by email: info@sallus.pt. We will respond within 30 days, as required by Art. 12.º(3) do RGPD.

You also have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD)www.cnpd.pt.

7. Security Measures

We implement appropriate technical and organisational measures to protect your data, including:

  • Encrypted communications via HTTPS/TLS;
  • Secure authentication with encrypted tokens (Supabase SSR);
  • Database-level security policies (Row Level Security);
  • Restricted data access — authorised personnel only.

8. Third-Party Links

The website may contain links to external sites that are not operated by us. We are not responsible for the privacy practices of those sites and we recommend reading their respective policies.

9. Changes to this Policy

Hephaesnus, Lda. may update this policy periodically. Any significant changes will be communicated prominently on the website. The date of the last revision appears at the top of this page.

10. Contact

For matters relating to the protection of personal data:

  • Data controller: Hephaesnus, Lda.
  • NIF: 516861450
  • Address: Urbanização Vila Pavão, 4540-322 Escariz, Portugal
  • Email: info@sallus.pt

Last revised on 01/04/2026.