Last updated: June 12th 2026
This policy explains how XYZ Prints collects, uses, shares and retains your personal data when you use this website to order fine-art prints, scanning and related services.
Who we are (data controller)
This website is operated by XYZ Prints, a fine-art printing studio based in Lisbon, Portugal, part of the XYZ ecosystem (XYZ Books / XYZ Press / XYZ Prints). XYZ Prints is the controller responsible for your personal data.
- Legal entity: Pedro Duarte Guimarães – FOTOGRAFIA, Unipessoal, Lda.
- Registered address: Rua Ilha do Príncipe 3A, Armazém E, 1170-182 Lisboa, Portugal
- Tax number (NIF): 514471182
- Contact for privacy matters: info@xyz-prints.com
What data we collect
- Account & contact data — name, email address, and (if you create an account) a password you set. We never see your password in readable form.
- Order & billing data — billing and delivery name, address, phone number, and your tax number (NIF / VAT number) when you provide one for invoicing.
- Your artwork & uploaded files — the image files you upload to be printed (for example TIFF, JPEG, PNG or HEIC). These files may contain embedded metadata (EXIF), which can include camera information and, in some cases, GPS location. We use your files only to produce the print order you place.
- Payment data — the amount, currency and payment method of your order. Card and payment-account details are entered with and processed by the payment provider; we do not receive or store your full card number.
- Technical data — IP address, browser type and server log data, kept for security and to operate the site.
Why we use it and our legal bases
- To fulfil your order — producing, packing and shipping your prints, and managing your account — on the basis of performance of a contract (Art. 6(1)(b) GDPR/RGPD).
- To meet legal obligations — issuing the legally required invoice (fatura-recibo) with your NIF and keeping fiscal records — on the basis of a legal obligation (Art. 6(1)(c)).
- To keep the site secure and improve our service — on the basis of our legitimate interests (Art. 6(1)(f)).
- Cookies and any marketing messages — only with your consent (Art. 6(1)(a)), which you can withdraw at any time.
Who we share your data with
We share data only with the service providers (processors) we need to run the studio, and only as far as necessary:
- KeyInvoice (invoicing) — your name, NIF, billing address and order details, to issue the legally required fatura-recibo.
- Dropbox (secure file archival) — your uploaded artwork and order reference are archived so we can produce, reprint and account for your order. Dropbox is operated by Dropbox, Inc. in the United States; this involves an international transfer (see below).
- CTT – Correios de Portugal (shipping) — recipient name, delivery address, phone and order reference, to deliver your prints and provide tracking.
- Payment providers — when you pay, your payment is handled by the relevant provider (for example MB WAY / Multibanco today; Stripe, PayPal or others if enabled in future). They process your payment data as their own controllers under their own privacy policies.
- Email delivery — a transactional email service is used to send you order confirmations and updates.
- Hosting — our website and data are hosted in Portugal by our hosting provider (PTISP).
We do not sell your personal data, and we do not use it for profiling or advertising.
International transfers
Most of your data stays within the EU/EEA. Where a provider processes data outside the EU/EEA (for example Dropbox in the United States), we rely on an appropriate safeguard recognised under the GDPR — [DROPBOX TRANSFER SAFEGUARD — Standard Contractual Clauses and/or the EU-US Data Privacy Framework; confirm with your adviser].
Cookies and consent
We use only the cookies needed to run the site unless you give consent for more. Non-essential scripts (such as a card payment provider, if enabled) are blocked until you consent through our cookie banner. You can review categories and change or withdraw your choice at any time. For the full list of cookies and purposes, see our Cookie Policy.
Your rights
Under the GDPR/RGPD you have the right to access your data, to correct it, to erase it, to restrict or object to its processing, and to data portability. Where processing is based on consent, you can withdraw consent at any time without affecting prior processing. To exercise any of these rights, contact us at info@xyz-prints.com.
You also have the right to lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD) — Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa; tel. +351 213 928 400; geral@cnpd.pt; www.cnpd.pt.
Changes to this policy
We may update this policy as our services or legal obligations change. We will post the updated version here and change the date at the top.