Privacy Policy - JOMINI STUDIO

JOMINI STUDIO ("we") takes the privacy and protection of personal data of its customers and visitors ("you") seriously. This policy describes how we collect, use, store, and share information when you browse our site, create an account, or place an order. By using JOMINI STUDIO, you agree to the terms described here.

This policy complies with the Brazilian General Data Protection Law (LGPD — Federal Law No. 13.709/2018).

1. Data we collect

We collect only what is necessary to operate the store, deliver your orders, and improve your experience:

Registration: name, email, CPF, and phone.
Shipping address: ZIP code, street, number, complement, neighborhood, city, and state.
Payment: chosen method and transaction identifier generated by the gateway. We do not store credit-card data — processing is performed by the payment provider (InfinitePay for orders within Brazil, Stripe for international orders).
Orders: purchase history, items, amounts, status, and tracking code.
Site usage: technical cookies for session, cart, and authentication; access logs containing IP, date/time, and pages visited.
Communication: messages sent via the contact form, email, or WhatsApp, including reference images or attachments you choose to send.
WhatsApp assistant: phone number, message content, menu choices, support requests, custom-order quote details, order/protocol identifiers, and attachment metadata needed to provide automated service.

2. Purposes of use

Execute purchase contracts, process payments, and deliver orders.
Calculate shipping and issue posting labels with carriers.
Authenticate your account, maintain the cart, and personalize navigation.
Send transactional emails (signup confirmation, password reset, order status).
Send transactional WhatsApp messages about your order (status changes such as payment approved, in production, shipped, and delivered) to the phone number registered on your account. You may disable these notifications at any time in your profile.
Operate the WhatsApp assistant to identify your account by phone number, show contextual menus, answer order status and tracking requests, open custom-order quotes, receive reference images, open support protocols, and route unanswered cases to human support.
Handle requests, quotes, and support.
Prevent fraud, abuse, and meet legal and tax obligations.
Analyze browsing trends in aggregate to improve the site.

We do not send marketing communications without prior authorization. If you opt in to receive news, you may unsubscribe at any time.

3. Legal basis for processing

We process your personal data on the following LGPD legal bases:

Contract performance — to process your order and deliver products (art. 7, V).
Compliance with legal and regulatory obligations — issuing tax documents and retention periods (art. 7, II).
Legitimate interest — for fraud prevention, security, and service improvement (art. 7, IX).
Consent — for optional marketing and non-essential cookies (art. 7, I).

4. Data sharing

We share data only with vendors essential to the service, always under confidentiality clauses:

Payment gateways (InfinitePay for orders within Brazil; Stripe for international orders) — to process charges.
Carriers and shipping platforms (Melhor Envio, Correios) — to calculate shipping and deliver orders.
Email provider — to send transactional messages.
WhatsApp integration and automation — we use a self-hosted Evolution API instance and n8n workflows on our infrastructure to send and receive WhatsApp messages through Meta's WhatsApp service. To operate the assistant, this stack may process your phone number, message text, menu choices, attachments, account status, order numbers, tracking information, custom-order details, and support protocol data. We use this information only for store service, transactional notifications, quote handling, and support; we do not share your number with third-party marketing platforms.
Hosting and database provider (MongoDB Atlas; AWS EC2 in us-east-1 for the application servers) — where data is stored or processed.
Public authorities — when required by legal obligation, court order, or competent body request.

We do not sell or rent your personal data to third parties.

5. Cookies and similar technologies

We use cookies for:

Essential: maintain session, cart, authentication, and CSRF protection.
Preferences: remember choices like the "remember me" on login.
Aggregate analytics: anonymous usage statistics (when applicable).

You can disable non-essential cookies in your browser settings — but that may affect features like login and checkout.

The cookie banner lets you accept cookies or continue with essential cookies only. We keep essential cookies active because they are required for login, cart, checkout security, language preference, and account protection.

6. Retention period

We keep your data for the time necessary to fulfill the above purposes:

Order and tax data: 5 years after purchase (art. 174 of the National Tax Code).
Account data: while your account is active or until you request deletion.
Support, contact, and WhatsApp messages: for the time needed to handle the request, quote, order, protocol, or related legal/operational record.
Access logs: 6 months (art. 15 of the Brazilian Internet Civil Framework).

After the period, data is deleted or anonymized.

If you delete your account through your profile, we delete the account registration, saved addresses, orders linked to your user, product reviews, commission/work reviews, and referral coupons linked to your email, subject to legal obligations that may require us to retain or anonymize limited records.

7. Your rights (LGPD, art. 18)

You may, at any time, request:

Confirmation of the existence of processing.
Access to your personal data.
Correction of incomplete, inaccurate, or outdated data.
Anonymization, blocking, or deletion of unnecessary or non-compliant data.
Portability to another provider.
Deletion of data processed based on consent.
Information about entities with which we share your data.
Revocation of consent.

To exercise these rights, contact us at joministudio@gmail.com. We will respond within 15 business days.

You may also request account deletion directly in your profile. This action is permanent and removes the data linked to your user from the application.

8. Security

We adopt technical and administrative measures to protect your data, including: encrypted connections (HTTPS), passwords stored with BCrypt hash, role-based access control (customer/admin), and backups managed by the database provider. In the event of an incident likely to cause significant risk, we will notify you and the Brazilian National Data Protection Authority (ANPD) as required.

9. Minors

Our site is not directed at minors under 18. Minors may only use the service with consent and supervision of parents or legal guardians.

10. Changes to this policy

We may update this policy periodically to reflect legal or operational changes. The "last updated" date at the top will indicate the current version. Significant changes will be communicated by email to registered customers.

11. Contact

Questions, requests, or complaints related to privacy:

Email: joministudio@gmail.com
Data Protection Officer (DPO): JOMINI STUDIO
Address: Fortaleza, CE - Brazil