Last Updated: 09 March 2026
Privacy Policy
1. Introduction
This Privacy Policy explains how ICONIKEDILHA - UNIPESSOAL LDA (NIPC 517613255), trading as WearAttraction ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use our websites, platforms, and services.
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Portuguese Data Protection Law (Lei n.º 58/2019), and the Portuguese Electronic Communications Privacy Law (Lei n.º 41/2004).
Data Controller:
ICONIKEDILHA - UNIPESSOAL LDA
Tv. Parreiras 70, R/C
1150-299 Lisboa, Portugal
NIPC: 517613255
Email: privacy@wearattraction.com
2. What Data We Collect
2.1. Account and Contact Data
When you register for an account, submit a contact form, or interact with us, we may collect:
| Data | Purpose | Legal Basis |
|---|---|---|
| Full name | Account identification, proposals, communication | Contract performance (Art. 6(1)(b)) |
| Email address | Authentication (magic link), communication, proposals | Contract performance (Art. 6(1)(b)) |
| Phone number / WhatsApp number | Authentication (OTP), communication | Contract performance (Art. 6(1)(b)) |
| Company name and VAT number | B2B proposals, invoicing, legal compliance | Contract performance (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
| Preferred language (EN/PT) | Localised service delivery | Legitimate interest (Art. 6(1)(f)) |
| Preferred communication channel | Respecting your communication preferences | Legitimate interest (Art. 6(1)(f)) |
| Date of birth (optional) | Birthday communications, age demographics, personalised experience | Consent (Art. 6(1)(a)) |
Providing your date of birth is entirely optional. If provided, we use it to send you birthday communications and to understand our community demographics in aggregate (e.g., age brackets). You may add or remove your date of birth at any time in your account settings. Aggregate demographic data derived from dates of birth is anonymised and cannot be linked back to individual users.
2.2. NFC and QR Code Tap Data
When someone taps an NFC chip or scans a QR code managed through our platform, we collect the following data server-side, before the redirect occurs:
| Data | Purpose | Legal Basis |
|---|---|---|
| Timestamp | Analytics and service operation | Legitimate interest (Art. 6(1)(f)) |
| Device type (from User-Agent header) | Analytics | Legitimate interest (Art. 6(1)(f)) |
| Country (derived from IP address) | Analytics | Legitimate interest (Art. 6(1)(f)) |
| UTM parameters (auto-generated) | Campaign tracking | Legitimate interest (Art. 6(1)(f)) |
Important: We do not store the scanner's IP address. Country is derived at the time of the tap and only the country code is retained. No cookies are placed on the scanner's device. No device fingerprinting is performed. The tap data is anonymised and cannot be used to identify the person who tapped the chip.
2.3. Proposal and Order Data
When we prepare proposals or process orders, we collect:
| Data | Purpose | Legal Basis |
|---|---|---|
| Order details (products, quantities, specifications) | Order fulfilment | Contract performance (Art. 6(1)(b)) |
| Branding artwork and design files | Production | Contract performance (Art. 6(1)(b)) |
| Billing information | Invoicing and payment | Contract performance (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
| Proposal interaction (viewed, accepted, timestamps) | Service delivery and analytics | Legitimate interest (Art. 6(1)(f)) |
2.4. Newsletter and Marketing Data
If you subscribe to our newsletter or marketing communications:
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Sending newsletters and updates | Consent (Art. 6(1)(a)) |
| Subscription preferences | Sending relevant content | Consent (Art. 6(1)(a)) |
| Email engagement (open/click rates) | Improving our communications | Legitimate interest (Art. 6(1)(f)) |
Newsletter subscription uses double opt-in: after signing up, you will receive a confirmation email. Your subscription is only active after you click the confirmation link. You may unsubscribe at any time using the link in every email we send.
2.5. Website Usage Data
When you visit our websites, we collect:
| Data | Purpose | Legal Basis |
|---|---|---|
| Pages visited, time on page, referral source | Website analytics and improvement | Consent (Art. 6(1)(a)) — via cookie consent |
| Browser type, screen resolution, operating system | Technical compatibility | Consent (Art. 6(1)(a)) — via cookie consent |
| IP address (anonymised by Google Analytics) | Approximate geographic analytics | Consent (Art. 6(1)(a)) — via cookie consent |
See Section 8 (Cookies) for full details.
2.6. Social Login Data
If you choose to sign in using a third-party social login provider, we receive the following data from that provider:
| Provider | Data Received | Purpose | Legal Basis |
|---|---|---|---|
| Google (including Google Workspace) | Name, email address, profile photo | Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Microsoft (including Microsoft 365) | Name, email address, profile photo | Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| LinkedIn | Name, email address, profile photo | Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Apple | Name, email address (may be a relay address) | Account creation and authentication | Contract performance (Art. 6(1)(b)) |
Important: We only request the minimum data necessary for account creation (basic profile and email). We do not request access to your contacts, calendar, files, or other data from these providers. We do not receive or store your password from any social login provider.
Social login providers are independent data controllers — they process your data according to their own privacy policies. By using social login, you also agree to the applicable provider's terms:
- Google: Google Privacy Policy
- Microsoft: Microsoft Privacy Statement
- LinkedIn: LinkedIn Privacy Policy
- Apple: Apple Privacy Policy
2.7. Communication Data
When you contact us via email, WhatsApp, phone, or contact form, we retain:
| Data | Purpose | Legal Basis |
|---|---|---|
| Message content and metadata | Responding to your enquiry, record-keeping | Contract performance (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) |
3. How We Use Your Data
We use your personal data for the following purposes:
- Account management: Creating and maintaining your account, authenticating your identity.
- Service delivery: Preparing proposals, processing orders, fulfilling deliveries, managing NFC configurations.
- NFC analytics: Providing tap/scan analytics to account holders through the Customer Portal.
- Communication: Responding to enquiries, sending transactional notifications (order updates, proposal status), and sending marketing communications (with your consent).
- Legal compliance: Meeting our obligations under Portuguese tax, commercial, and data protection law.
- Service improvement: Analysing how our Services are used to improve functionality and user experience.
- Security: Detecting, preventing, and responding to fraud, abuse, or security incidents.
4. Legal Bases for Processing
We rely on the following legal bases under GDPR Article 6(1):
- (a) Consent — For newsletter subscriptions, marketing communications, and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- (b) Contract performance — For processing necessary to deliver our Services, manage your account, prepare proposals, and fulfil orders.
- (c) Legal obligation — For processing required by Portuguese law (e.g., tax records, invoicing, commercial record-keeping).
- (f) Legitimate interest — For processing where we have a legitimate business interest that is not overridden by your rights, including: service analytics, NFC tap analytics (anonymised), fraud prevention, and direct marketing to existing B2B customers about similar products and services (with an easy opt-out).
Legitimate Interest Assessment (NFC Tap Analytics)
We have conducted a legitimate interest assessment for NFC tap analytics and concluded that:
- The data collected is minimal and anonymised (no IP address stored, no cookies, no fingerprinting);
- The processing is necessary for the core NFC redirect service;
- Account holders have a reasonable expectation that tap analytics will be provided;
- The impact on the scanner's privacy is negligible as the data cannot identify them;
- Scanners can see the NFC/QR redirect URL and choose not to interact.
5. Marketing Communications
5.1. Newsletter
We send marketing newsletters only to individuals who have given explicit consent via our double opt-in process. You may unsubscribe at any time by clicking the unsubscribe link in any email, or by contacting us at privacy@wearattraction.com.
5.2. Existing Customer Communications
In accordance with Article 13A of Lei n.º 41/2004 (Portuguese ePrivacy law), we may send marketing communications about similar products and services to existing customers without prior consent, provided that:
- You were given a clear opportunity to opt out when your data was first collected;
- Every communication includes a simple and free opt-out mechanism;
- The communications relate to products or services similar to those you have previously purchased.
You may opt out of these communications at any time.
5.3. B2B Contact Form Submissions
If you submit a contact form on our website and tick the marketing consent box, we will send you marketing communications based on your consent. If you do not tick the box, we will only contact you regarding your specific enquiry.
6. Data Sharing and Recipients
We do not sell, rent, or trade your personal data. We share your data only with the following categories of recipients:
6.1. Service Providers (Sub-processors)
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting (App Runner, Amplify), email (SES), file storage (S3) | EU (Ireland, eu-west-1) | AWS GDPR DPA; EU-based processing |
| Google LLC | Website analytics (Google Analytics 4) | EU/US | Google GDPR terms; IP anonymisation enabled; data processing in EU where possible |
We maintain a current list of sub-processors and will update this Privacy Policy when sub-processors change.
6.2. Professional Advisers
We may share data with our legal, accounting, and tax advisers as necessary for professional advice and legal compliance.
6.3. Legal Requirements
We may disclose personal data if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety, or that of our users or the public.
6.4. Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer and any choices you may have regarding your data.
7. International Data Transfers
Your personal data is processed and stored within the European Economic Area (EEA). Our hosting infrastructure is located in AWS eu-west-1 (Ireland).
Where data is transferred outside the EEA (e.g., certain Google Analytics processing), we ensure adequate safeguards are in place, including:
- European Commission adequacy decisions;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- The recipient's participation in recognised certification mechanisms.
8. Cookies and Tracking Technologies
8.1. What Are Cookies
Cookies are small text files placed on your device when you visit a website. They serve various purposes including remembering your preferences and providing analytics.
8.2. Cookies We Use
Strictly Necessary Cookies (no consent required):
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintaining your authenticated session | Session (expires on browser close) |
| Locale preference | Remembering your language choice (EN/PT) | 1 year |
| Cookie consent | Remembering your cookie preferences | 1 year |
Analytics Cookies (require consent):
| Cookie | Purpose | Duration | Provider |
|---|---|---|---|
| _ga | Distinguishing unique users | 2 years | Google Analytics |
| _ga_* | Maintaining session state | 2 years | Google Analytics |
8.3. Managing Cookies
When you first visit our website, you will be presented with a cookie consent banner. You may:
- Accept all cookies — enables analytics cookies;
- Reject non-essential cookies — only strictly necessary cookies are used;
- Manage preferences — choose which categories of cookies to accept.
You can change your cookie preferences at any time by clicking the cookie settings link in our website footer.
You can also control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.
8.4. NFC/QR Tap Events
NFC tap and QR scan events are processed server-side only. No cookies are placed on the device of the person tapping or scanning. No client-side tracking scripts are loaded during the redirect process.
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 36 months after last login | Service delivery; B2B reorder cycles span multiple budget years |
| NFC tap analytics (raw) | 36 months from tap event | Year-over-year trend analysis for account holders |
| NFC tap analytics (aggregated) | Indefinite | Anonymised aggregate data with no privacy risk |
| Proposals and order records | 7 years from date of completion | Portuguese commercial record-keeping obligations (Código Comercial) |
| Invoicing and billing records | 10 years | Portuguese tax obligations (Código do IRS/IRC) |
| Contact form submissions | 12 months from submission | Follow-up window; deleted if no engagement |
| Newsletter subscription data | Until you unsubscribe + 30 days | Processing unsubscribe request |
| Cookie consent records | 3 years | Demonstrating GDPR compliance |
| Communication records | 36 months from last communication | Service delivery and dispute resolution |
After the retention period expires, data is securely deleted or anonymised. Raw NFC tap data is aggregated (anonymised) before deletion, preserving trend analytics without personal data. For inactive accounts, we will send a reminder email 30 days before deletion to give you the opportunity to reactivate.
10. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR:
10.1. Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data and receive a copy.
10.2. Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete data.
10.3. Right to Erasure (Article 17)
You have the right to request deletion of your personal data where: (a) it is no longer necessary for its original purpose; (b) you withdraw consent; (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) deletion is required by law. This right does not apply where processing is necessary for legal compliance or the establishment, exercise, or defence of legal claims.
10.4. Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing in certain circumstances, including where you contest the accuracy of data or have objected to processing.
10.5. Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV) and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.
10.6. Right to Object (Article 21)
You have the right to object to processing based on legitimate interests, including profiling. You also have the right to object to processing for direct marketing purposes at any time, without needing to provide a reason.
10.7. Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
10.8. Right to Lodge a Complaint
You have the right to lodge a complaint with the Portuguese Data Protection Authority:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 - 1.º
1200-651 Lisboa, Portugal
Website: www.cnpd.pt
Email: geral@cnpd.pt
10.9. How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: privacy@wearattraction.com
- Post: ICONIKEDILHA - UNIPESSOAL LDA, Tv. Parreiras 70, R/C, 1150-299 Lisboa, Portugal
We will respond to your request within 30 days. If your request is complex, we may extend this by a further 60 days, in which case we will inform you of the extension and the reasons for it.
We may ask you to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
- Encryption at rest: Databases and file storage use encryption at rest.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis.
- Authentication: Passwordless authentication (magic link, OTP) eliminates password-related vulnerabilities.
- Secure cookies: Authentication tokens are stored in HTTP-only, secure, SameSite cookies.
- Regular updates: Our infrastructure and dependencies are regularly updated and patched.
- Sub-processor security: We select sub-processors that maintain appropriate security standards and certifications (e.g., AWS SOC 2, ISO 27001).
While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately at security@wearattraction.com.
12. Children's Privacy
Our Services require users to be at least 16 years of age to create an account. Users between 16 and 18 years of age must have parental or legal guardian consent to use the Services. We do not knowingly collect personal data from children under 16.
WearAttraction sells products designed for all ages, including children's apparel. Products for children under 16 are purchased and managed by parents or legal guardians through their own accounts. NFC-enabled children's products for children under 16 are configured and monitored exclusively by the parent or guardian.
If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data promptly. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@wearattraction.com.
13. Third-Party Links
Our Services may contain links to third-party websites, including NFC redirect destinations configured by our users. We are not responsible for the privacy practices or content of those third-party websites. We encourage you to read the privacy policies of any website you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated Privacy Policy on our website with a new "Last Updated" date;
- Sending an email notification to registered users (for material changes);
- Displaying a notice on our website.
Your continued use of our Services after the changes take effect constitutes your acknowledgement of the updated Privacy Policy.
15. Contact Us
If you have any questions about this Privacy Policy or our data processing practices, please contact us:
ICONIKEDILHA - UNIPESSOAL LDA (trading as WearAttraction)
Tv. Parreiras 70, R/C
1150-299 Lisboa, Portugal
NIPC: 517613255
Privacy Contact: privacy@wearattraction.com
General Contact: hello@wearattraction.com
Website: www.wearattraction.com