Privacy Policy
This Privacy Policy explains how Modabillion ('we') collects, uses, shares, and protects the personal data of those who visit and shop at our online store, in compliance with Brazil's General Data Protection Law (Lei nº 13.709/2018 — LGPD) and the Consumer Defense Code (Lei nº 8.078/1990). We process only the data necessary to create and deliver your order, assist you, and meet our legal obligations. We do not use advertising trackers or third-party cookies for marketing purposes.
1. Who we are: Controller and Data Protection Officer (DPO)
Modabillion is the Controller of the personal data processed in this store, meaning we are the party that decides the purposes and means of processing, pursuant to Article 5, VI, of the LGPD.
Legal name: [legal name to be completed]. CNPJ: [CNPJ to be completed]. Address: [address to be completed].
All responsibility for the sale of the products lies with Modabillion.
Data Protection Officer (DPO): [Officer's name to be completed]. Direct and dedicated contact channel of the Officer for data protection matters: [Officer's email to be completed, e.g., dpo@... to be completed] (or, alternatively, our WhatsApp/customer service email). Please identify the subject as 'LGPD — Officer' so that your request is handled with priority.
Important: the identity and contact details of the Officer will be disclosed clearly and in an easily accessible manner on this page, in accordance with Article 41, §1, of the LGPD.
2. What data we collect and how
We collect only the data necessary for you to shop, receive your order, and be assisted. The data is provided directly by you (when you build your bag, complete your order, contact us, or sign up for the Privé List) or generated to a small extent by the basic operation of the site.
- Identification and contact data: name, phone/WhatsApp, and email.
- Delivery data: delivery address (ZIP code, street, number, complement, neighborhood, city, and state). When you provide the ZIP code, we may query a public address lookup service (ViaCEP) to fill in the fields automatically.
- Order data: items selected, amounts, shipping, and any discount coupon applied.
- Payment data: payment is processed in the secure environment of our payment processing partner (Stripe). Card data is entered directly in the Stripe environment — Modabillion does NOT collect or store card data. We receive only the payment confirmation and the basic order data.
- Privé List data (optional): name and WhatsApp or email, when you choose to receive news and early access to new releases.
- Virtual Fitting Room — measurements provided by you (bust/waist/hips, or height and weight; for footwear, foot length in cm): these measurements are processed exclusively in your own browser (on your device) to generate a guidance-only size recommendation. They are NOT sent to our servers, are NOT stored by us, and there is NO use of artificial intelligence or photos.
- Anonymous product view counter: we keep an aggregated and ANONYMOUS counter of how many times a product has been viewed. It does NOT use cookies and does NOT identify you.
- Strictly necessary local storage in your browser: your shopping bag and an indicator that the welcome notice has already been shown are kept locally in your own browser (in localStorage), solely for the basic operation of the site. This data remains on your device and is not sent to us.
3. Why we use your data (purposes)
- Create, process, confirm, and track your order, including the application of coupons and the calculation of shipping.
- Enable payment securely through our payment processing partner.
- Deliver the products to the address you provided, through operational logistics/delivery partners.
- Provide service and support, including regarding exchanges and returns, through our channels (WhatsApp, Instagram, and email).
- Send you an internal order notification (operational email) so that we can process the purchase; this delivery uses an email sending provider (Resend).
- Send news and early access to new releases, exclusively to those who have freely chosen to sign up for the Privé List.
- Comply with legal and regulatory obligations, especially tax and accounting ones.
- Prevent fraud and ensure the security of transactions and of the site.
- Maintain an ANONYMOUS product view counter, without identifying you.
4. Legal bases for processing (Article 7 of the LGPD)
All data processing we carry out is grounded in one of the legal bases provided for in the LGPD, according to the purpose:
- Performance of a contract and of preliminary procedures (Article 7, V): to process and deliver your order, enable payment, apply coupons, calculate shipping, query the ZIP code you provided, and provide service related to the purchase.
- Consent (Article 7, I): exclusively for sign-up to the Privé List and the sending of news/marketing communications. This consent is free, specific, and may be revoked at any time, without prejudice to the other purposes.
- Compliance with a legal or regulatory obligation (Article 7, II): to retain order data and issue documents required by tax, accounting, and consumer legislation.
- Legitimate interest (Article 7, IX): for fraud prevention and the security of transactions and of the site, always respecting your fundamental rights and freedoms and following an assessment of the impacts on you.
- Regular exercise of rights (Article 7, VI): to defend our interests in any judicial, administrative, or arbitration proceeding.
- Note on the Virtual Fitting Room: since the measurements are processed only in your browser, do not reach our servers, and are not stored by us, there is no processing of personal data by Modabillion in this feature; you use the tool on your device, at your own initiative.
5. With whom we share your data
We do not sell your personal data. We share data only with partners (processors) strictly necessary to fulfill your order and our legal obligations, and only to the extent necessary:
- Payment methods partner — Stripe: acts as a processor to handle payment securely and prevent fraud. It receives the data necessary for payment (for example, email, amounts, and order reference); card data is provided by you directly in the Stripe environment.
- Email sending provider — Resend: used to send the operational order notification. For this delivery, data such as name, contact (WhatsApp/email), and the delivery address contained in the order may be processed by this provider, strictly to deliver the message.
- Public address lookup service — ViaCEP: when you provide the ZIP code, it is queried in this service to fill in the address automatically.
- Operational logistics/delivery partners: receive the necessary data (such as name, contact, and address) strictly to deliver your order.
- Infrastructure and technology providers: hosting (CDN/cloud) and database that enable the store's operation.
- Public authorities and regulatory bodies: when required by law, court order, or for the regular exercise of rights.
These partners, when acting as processors, are bound by contract and by law to process data only in accordance with our instructions and to adopt appropriate security measures. You may, at any time, request information about the entities with which we share data (Article 18, VII, of the LGPD).
6. International data transfer (Article 33 of the LGPD)
We use global technology providers, some headquartered outside Brazil, for hosting (CDN/cloud), database, email sending (Resend), and payment processing (Stripe). The ZIP code lookup (ViaCEP) is also performed on a third-party server. For these reasons, part of your data may be processed or stored on servers located outside Brazil.
Whenever there is an international transfer, it is carried out with appropriate safeguards, including data protection contractual clauses entered into with the providers and technical security measures such as encryption in transit (TLS/SSL), pursuant to Articles 33 and 34 of the LGPD.
7. How long we keep your data (retention and erasure)
- Order and purchase data: kept for as long as necessary to perform the contract and, thereafter, for the applicable legal periods, as a rule up to 5 (five) years for tax/accounting purposes and for the exercise of rights provided for in Article 27 of the Consumer Defense Code (CDC), which may vary according to the legislation in force.
- Customer service data: kept for the time necessary to respond to your request and, where applicable, for the period of any regular exercise of rights.
- Privé List data (consent): kept until you revoke consent or request deletion, whichever occurs first.
- Virtual Fitting Room: the measurements are processed in your browser at the time of use and are not stored by us; therefore, there is no retention of this data by Modabillion.
- Anonymous view counter: this is an aggregated figure, without identifying you; it may be kept anonymously for internal statistical purposes.
- Upon the end of processing, the data is erased securely, except for the retention scenarios authorized by Article 16 of the LGPD (such as compliance with a legal obligation and the regular exercise of rights).
8. Information security
We adopt technical and administrative measures to protect your data against unauthorized access and situations of destruction, loss, alteration, or improper disclosure.
Among the measures are: encryption in transit (TLS/SSL); access control to the administrative panel via an authenticated session (httpOnly cookie); payment processing in the secure environment of a specialized partner (without the store storing card data); and recognized infrastructure providers.
No system is entirely immune to risks; for this reason, we maintain ongoing security review processes. Should an incident occur that may result in relevant risk or harm to data subjects, we will take the measures and make the communications required by the LGPD, including to the National Data Protection Authority (ANPD) and to you, where applicable.
9. Cookies and similar technologies
We use only cookies and local storage that are STRICTLY NECESSARY for the operation of the site. We do not use advertising cookies, tracking pixels, or third-party analytics tools for marketing purposes.
- Administrator session: first-party httpOnly cookie, used only to authenticate access to the administrative panel (it does not apply to the ordinary store visitor).
- Visitor's browser local storage (localStorage): stores your shopping bag and an indicator that the welcome notice has already been shown. This data remains on your own device.
- Payment partner cookies (Stripe): when you are directed to the payment environment, Stripe may use its own cookies, necessary to process the payment and prevent fraud, in accordance with Stripe's own privacy policy.
- Product view counter: aggregated and ANONYMOUS, without cookies and without identifying you.
The bag is necessary for you to complete your purchase. The welcome notice display indicator serves only to avoid repeating the notice and does not influence checkout. Because they are strictly necessary or part of the basic operation, these resources do not depend on prior consent, in accordance with the applicable regulations.
10. Data of children and adolescents (Article 14 of the LGPD)
Modabillion is a women's fashion store aimed at an adult audience and is NOT intended for children or adolescents. By using the site and making a purchase, you declare that you are over 18 years of age or are duly assisted/represented by your parents or legal guardian.
We do not intentionally collect data of minors. Currently, the purchase does not require registration of a date of birth; for this reason, we emphasize that use by minors must always be subject to the supervision and the specific, prominent consent of at least one parent or legal guardian, in the best interest of the minor, pursuant to Article 14, §1, of the LGPD.
If you are a legal guardian and identify that a minor under your responsibility has provided data without proper authorization, please contact us through our channels so that we can address your request and, where applicable, erase such data.
11. Your rights as a data subject (Article 18 of the LGPD)
The LGPD guarantees you, the data subject, several rights. You may, at any time and free of charge:
- Confirm the existence of processing of your data;
- Access your data;
- Correct incomplete, inaccurate, or outdated data;
- Request the anonymization, blocking, or erasure of unnecessary or excessive data or data processed in noncompliance with the LGPD;
- Request the portability of your data to another service or product provider, subject to commercial and industrial secrets;
- Request the erasure of data processed on the basis of your consent (except for the legal retention scenarios in Article 16);
- Obtain information about the public and private entities with which we share your data;
- Obtain information about the possibility of not providing consent and about the consequences of refusal;
- Revoke consent at any time.
To exercise any of these rights, please contact our Officer through the channel provided in Section 1. We may request information to confirm your identity and protect your data. We will respond in the shortest possible time, observing the periods set out in the LGPD.
12. Revocation of consent
When processing is based on your consent (the Privé List and marketing communications), you may revoke it at any time, simply and free of charge, through our customer service channels or through the unsubscribe link present in communications sent by email.
Revocation does not affect the lawfulness of the processing carried out before the request, nor processing based on other legal bases (such as performance of the contract and compliance with a legal obligation).
13. Complaint to the ANPD
If you believe your rights have not been met, you may file a complaint with the National Data Protection Authority (ANPD), through the official channels available on the gov.br/anpd website. Even so, we ask that you first contact our Officer, so that we can resolve your request as quickly as possible.
14. Changes to this Policy
This Privacy Policy may be updated periodically to reflect legal, technical, or business changes. The version in force will always be available on this page, with the date of the last update indicated at the end.
We recommend checking this page periodically. Relevant changes may be communicated through our channels.
Date of the last update: [date to be completed].
15. Applicable law and jurisdiction
This Policy is governed by Brazilian law, in particular the LGPD (Lei nº 13.709/2018) and the Consumer Defense Code (Lei nº 8.078/1990).
The jurisdiction of the consumer's domicile is hereby elected to settle any disputes, in accordance with the Consumer Defense Code.
Summary of the data we process
| Category | Examples | Purpose |
|---|---|---|
| Identification and contact | Name, phone/WhatsApp, email | Identify you, confirm and track the order, and provide service and support. |
| Delivery address | ZIP code, street, number, complement, neighborhood, city, and state (the ZIP code may be queried in the public ViaCEP service) | Deliver the order through operational logistics/delivery partners and fill in the address automatically. |
| Order data | Items purchased, amounts, shipping, and coupon applied | Process the purchase, calculate shipping, apply discounts, and comply with tax and legal obligations. |
| Payment (via partner) | Payment confirmation and basic order data (card data is entered in the Stripe environment; the store does not store it) | Enable payment securely and prevent fraud, through the payment processing partner (Stripe). |
| Order notification (via email provider) | Name, contact (WhatsApp/email), and address contained in the order, processed by the email sending provider (Resend) | Send the operational order notification to enable its processing. |
| Privé List (optional) | Name and WhatsApp or email | Send news and early access to new releases, subject to free and specific consent. |
| Virtual Fitting Room measurements (in your browser) | Bust/waist/hips, or height and weight; foot length in cm | Generate a guidance-only size recommendation on your own device (no AI, no photos, no sending or storage by us). |
| Essential local storage (in your browser) | Shopping bag and an indicator that the welcome notice has already been shown (localStorage); administrator session httpOnly cookie | Enable browsing, maintain the bag, and ensure the basic and secure operation of the site. |
| Anonymous metric | Aggregated and anonymous product view counter (no cookies, no identifying the person) | Understand interest in products in an aggregated and statistical way, without identifying you. |
Your rights (summary)
- Confirmation of the existence of processing: confirm whether or not we process your personal data.
- Access to data: access the personal data we hold about you.
- Correction: correct incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or erasure: request the anonymization, blocking, or erasure of unnecessary or excessive data or data processed in noncompliance with the LGPD.
- Portability: request the portability of your data to another service or product provider, subject to commercial and industrial secrets.
- Erasure of data processed with consent: request the erasure of data processed on the basis of your consent, except for the legal retention scenarios provided for in Article 16.
- Information about sharing: obtain information about the public and private entities with which we share your data.
- Information about the option not to consent: obtain information about the possibility of not providing consent and about the consequences of refusal.
- Revocation of consent: revoke consent at any time, simply and free of charge.