PRIVACY POLICY

Effective date: 01 January 2025
Last updated: 01 January 2025

This Privacy Policy explains how DAT SUPPLY and its affiliated entities collect, use, store, share, and protect personal data when you visit our websites, communicate with us, or use our services.

We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and relevant local regulations such as the Hong Kong Personal Data (Privacy) Ordinance (PDPO).

By using our websites or providing personal data to us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, you should not use our websites or services.

1. Data Controllers and Group Structure

Depending on your location and the nature of the processing, your personal data may be controlled or jointly controlled by one or more of the following entities (collectively referred to as “DAT SUPPLY”, “we”, “us”, or “our”):

1.1 Primary EU Controller (GDPR)

Sublime e Otimista - Unipessoal Lda
Avenida Doutor Fernando Raimundo Rodrigues, Nº 1525
3885-412 Esmoriz, Ovar, Aveiro
Portugal
NIF: 518587649

This entity acts as the primary data controller for data subjects located in the European Union and the European Economic Area.

1.2 UK Controller (UK GDPR)

DAT SUPPLY LTD
128 City Road
London
United Kingdom, EC1V 2NX
Company Number: 16756227

This entity acts as data controller for data subjects located in the United Kingdom where applicable.

1.3 Hong Kong Processing Entity

DAT GLOBAL SERVICES LIMITED
Unit B, 3/F., Kai Wan House
146 Tung Choi Street
Mongkok, Kowloon
Hong Kong

DAT GLOBAL SERVICES LIMITED primarily acts as a processing and operations entity for infrastructure, logistics, and business support. Where it processes personal data on behalf of the EU or UK entities, it does so as a processor or joint controller, subject to applicable data protection agreements.

2. Contact for Privacy Matters

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, you may contact us at:

Email: privacy@dat.supply

You may also contact any of the entities listed in Section 1 by written correspondence sent to their registered addresses.

3. Scope of This Policy

This Privacy Policy applies to personal data collected through, or in connection with, the following:

  • Our websites, including dat.supply, brands.dat.supply, tuttibear.com, and any subdomains;
  • Contact forms, quote requests, and lead capture forms for B2B manufacturing and private label services;
  • E-commerce purchases and customer accounts related to our consumer brand TuttiBear;
  • Email, WhatsApp, and other direct communications with our teams;
  • Marketing campaigns, newsletters, and advertising activities.

This Policy does not apply to third-party websites, services, or platforms that we do not control. When you follow links to third-party sites, their own privacy policies will apply.

4. Categories of Personal Data We Collect

We may collect and process the following types of personal data, depending on how you interact with us:

4.1 Identity and Contact Data

  • First and last name;
  • Email address;
  • Telephone number or WhatsApp number;
  • Company name and role/position;
  • Country and region.

4.2 Business and Project Data (B2B)

  • Details about your brand or business;
  • Product specifications and project requirements;
  • Approximate budget, order quantities, timelines;
  • Communication history regarding your project or enquiry.

4.3 Technical and Usage Data

Automatically collected when you visit our websites, including:

  • IP address;
  • Device and browser type, operating system, language settings;
  • Approximate geographic location (based on IP);
  • Pages visited, time spent on each page, click paths, and other usage statistics;
  • Referring URLs and campaign tracking parameters.

This data is collected via technologies such as cookies, server logs, and analytics tools, including Google Analytics, Meta Pixel, and Cloudflare security logs.

4.4 Transaction and Order Data (TuttiBear and other consumer channels)

  • Products ordered and order history;
  • Delivery and billing address;
  • Payment method information (note: full card numbers are processed by payment providers such as Stripe or PayPal and are not stored by us);
  • Order IDs, invoices, and records required for tax and accounting purposes;
  • Customer support interactions related to your orders.

4.5 Marketing and Communication Data

  • Newsletter subscriptions and marketing opt-in status;
  • Email engagement data (opens, clicks) from providers such as Klaviyo, Mailchimp, or similar platforms;
  • Responses to surveys, feedback forms, and promotions;
  • WhatsApp messages and communications when you contact us via WhatsApp Business.

4.6 Cookies and Similar Technologies

We use cookies and similar tracking technologies to operate our websites, remember user preferences, analyze traffic, and support marketing activities. For more information, please refer to our separate Cookie Policy, where applicable.

5. Purposes and Legal Bases for Processing

We process personal data only when we have a valid legal basis to do so. Depending on the context, we rely on one or more of the following legal bases:

5.1 Performance of a Contract or Steps Taken at Your Request

We process personal data when necessary to enter into or perform a contract with you, for example:

  • Responding to B2B enquiries and preparing quotations;
  • Negotiating and fulfilling manufacturing or supply agreements;
  • Processing consumer orders for TuttiBear or other brands;
  • Providing customer service and handling requests, complaints, or returns.

5.2 Legitimate Interests

We process personal data where necessary to pursue our legitimate business interests, provided that such interests are not overridden by your rights and freedoms. These interests include:

  • Developing and improving our websites, services, and offerings;
  • Maintaining network and information security (including via Cloudflare);
  • Understanding how our websites are used, through analytics and statistics;
  • Marketing our services to existing or potential B2B clients in a proportionate way;
  • Preventing fraud, misuse of services, or security incidents.

5.3 Consent

We rely on consent where required by law, including for:

  • Sending newsletters and email marketing to individuals who have opted in;
  • Using non-essential cookies and similar technologies for advertising and tracking;
  • Collecting certain categories of data via forms when clearly indicated.

You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

5.4 Legal Obligations

We process personal data where necessary to comply with legal obligations, including:

  • Tax and accounting regulations;
  • Consumer protection and distance selling laws;
  • Product safety and regulatory record keeping;
  • Responding to lawful requests from public authorities.

6. How We Use Your Personal Data

In practical terms, we use personal data for the following purposes:

  • To operate and maintain our websites and online services;
  • To answer enquiries, provide information, and manage B2B relationships;
  • To design, quote, and manage manufacturing and private label projects;
  • To process, fulfill, and deliver consumer orders;
  • To manage payments, invoicing, and accounting records;
  • To provide customer support and respond to your requests;
  • To send transactional emails related to your orders or account;
  • To send marketing communications where permitted by law and your preferences;
  • To analyze website performance, measure campaign effectiveness, and optimize user experience;
  • To protect our rights, security, property, and those of our partners, customers, and users.

7. Data Sharing and Categories of Recipients

We do not sell your personal data. We may share personal data with the following categories of recipients, only to the extent necessary and subject to appropriate safeguards:

  • Intra-group entities: The companies listed in Section 1 may share data among themselves for operational, administrative, and support purposes.
  • Service providers and processors: Including hosting providers, IT support, email service providers (such as Klaviyo or Mailchimp), analytics providers (Google Analytics), advertising platforms (Meta, Google Ads), payment processors (Stripe, PayPal), logistics and shipping partners, and professional advisers (such as accountants or lawyers).
  • Platform operators: Shopify and similar platforms used to operate our consumer-facing online stores.
  • Authorities and regulators: Where required by law or where we believe in good faith that disclosure is necessary to protect our rights or comply with legal obligations.
  • Business transfers: In connection with a merger, acquisition, sale of assets, or restructuring, personal data may be transferred to a successor entity, subject to this Privacy Policy or a substantially similar one.

When we share personal data with processors, they are bound by contractual obligations to process personal data only on our instructions and to implement appropriate security measures.

8. International Data Transfers

Because we operate internationally, your personal data may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area (EEA) and the United Kingdom, such as Hong Kong.

When transferring personal data from the EEA or the UK to third countries that do not provide an adequate level of protection, we implement appropriate safeguards, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner’s Office;
  • Contractual commitments requiring recipients to protect personal data to a level equivalent to EU/UK standards;
  • Technical and organisational measures to ensure data security.

You may contact us using the details in Section 2 if you wish to obtain a copy of the safeguards used for international transfers where legally permissible.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Retention periods may vary depending on the category of data, for example:

  • Customer and order records: kept for the period required by tax and accounting laws (often 6–10 years);
  • B2B contact and project data: retained while the relationship is active and for a reasonable period thereafter to handle follow-up, disputes, or legal claims;
  • Marketing data: retained until you withdraw consent or object to processing, or after a defined inactivity period;
  • Technical logs and security data: retained for a limited period necessary for security and troubleshooting.

When data is no longer needed, it will be securely deleted, anonymised, or aggregated so that it can no longer be associated with an identified individual.

10. Your Data Protection Rights

Subject to applicable law and certain limitations, you have the following rights regarding your personal data:

  • Right of access: To obtain confirmation whether we process your personal data and receive a copy of such data.
  • Right to rectification: To request correction of inaccurate or incomplete personal data.
  • Right to erasure: To request deletion of your personal data in certain circumstances (“right to be forgotten”).
  • Right to restriction of processing: To request that we restrict processing in specific situations.
  • Right to data portability: To receive personal data you provided to us in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
  • Right to object: To object at any time to processing based on our legitimate interests, including profiling, and to direct marketing.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at privacy@dat.supply. We may need to verify your identity before responding to your request. We will handle your request within the timeframes required by applicable law.

If you are not satisfied with our response, you also have the right to lodge a complaint with your local supervisory authority, such as the Portuguese Data Protection Authority (CNPD), the UK Information Commissioner’s Office (ICO), or another relevant authority.

11. Cookies and Tracking Technologies

Our websites use cookies and similar technologies to:

  • Enable core site functionality and security;
  • Remember user preferences;
  • Analyze traffic and usage patterns (via Google Analytics);
  • Support advertising and remarketing campaigns (via Meta Pixel and similar tools).

Where required by law, we obtain your consent before setting non-essential cookies. You can manage or disable cookies through your browser settings and, where provided, through our cookie consent tools.

12. Security of Personal Data

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, where appropriate:

  • Encryption and secure connections (HTTPS);
  • Access controls and authentication procedures;
  • Use of reputable hosting, security, and CDN providers such as Cloudflare;
  • Regular monitoring, backups, and security updates.

However, no method of transmission over the internet or method of electronic storage is entirely secure, and we cannot guarantee absolute security.

13. Data of Children

Our websites and services are not directed at children under the age of 16, and we do not knowingly collect personal data from children under this age. If you believe that a child has provided us with personal data, please contact us so that we can take appropriate steps to delete such data.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will update the “Last updated” date at the top of this page and, where legally required, notify you through our websites or by other appropriate means.

We encourage you to review this Privacy Policy periodically to stay informed about how we process personal data.

If you have any questions about this Privacy Policy or our data protection practices, please contact us at privacy@dat.supply.