1. Framework and commitment

EVAN Care, a brand of FDS Beauty, Lda., is fully committed to protecting the privacy and personal data of its end consumers, users, and partners. This Cookie and Privacy Policy establishes the principles, legal bases, and technical and organizational mechanisms adopted to ensure compliance with Regulation (EU) 2016/679, known as the General Data Protection Regulation, Law No. 58/2019, which ensures its implementation in the national legal system, and with all other applicable national and EU legislation.

2. Scope of application

This policy applies to the website shop.evancare.com, the online store, electronic forms, digital marketing campaigns, CRM systems, and any electronic or face-to-face interactions in which personal data is collected, including customer service, social media, and brand promotional events.

3. Data controller

The entity responsible for data processing is FDS Beauty, Lda., legal entity identification number 510246427, with headquarters at Rua Alexandre Herculano, Centro Empresarial Alto Business Park, sector 6, 2nd floor, 2625-178 Póvoa de Santa Iria, Lisbon, Portugal. Any requests related to data protection can be addressed to the Data Protection Officer via email at geral@evancare.com.

4. Categories of data collected

• Identification data (name, date of birth, gender);
• Contact details (email, phone number, address);
• Billing details (tax ID, purchase history);
• Login details (IP address, browser type, location, device);
• Behavioral data (actions in the store, products viewed, interactions with campaigns);
• Data collected by third parties (Google, Meta, among others, with consent).

5. Purposes of processing

• Contract management and order fulfillment;
• Compliance with legal and tax obligations;
• Customer support, returns, and refunds;
• Sending personalized commercial communications;
• Management of preferences, wish lists, and abandoned carts;
• Analysis of metrics to improve performance and digital experience;
• Compliance with legal obligations and response to judicial or administrative requests.

5A. Commercial communications and newsletters

The sending of newsletters, commercial communications, promotional content, and direct marketing by EVAN Care depends on the prior, free, specific, informed, and explicit consent of the data subject, in accordance with the General Data Protection Regulation. Consent is collected through clear affirmative action, namely by voluntarily entering the email address and activating the subscription button, in the context of subscription forms, account registration, or other equivalent interactions, and no implicit or pre-activated consent mechanism is used. The data subject may withdraw their consent at any time, without prejudice to the lawfulness of the processing carried out up to that date, through the cancellation link present in all communications or by written request to the email geral@evancare.com.

6. Legal basis

EVAN Care bases its data processing on the following legal principles: necessity for the performance of a contract, compliance with legal obligations, legitimate interest (with a balance of rights), and explicit consent of the data subject for purposes such as direct marketing and the use of non-essential cookies.

7. Data retention

• Contractual and billing data: 10 years;
• Customer account data: five years after inactivity;
• Campaign data: two years;
• Consents: while valid or until withdrawal;
• Cookies: up to 24 months (depending on type).

8. Rights of the data subject

Data subjects have the right to access, rectify, or erase their data. They also have the right to restrict or object to its processing, as well as to withdraw their consent at any time. They also have the right to lodge a complaint with the National Data Protection Commission. The exercise of these rights can be requested by emailing geral@evancare.com.

9. Sharing and subcontractors

Personal data may only be shared with subcontractors (logistics, payments, CRM software, email marketing platforms), always under a contract that ensures compliance with the General Data Protection Regulation. In the event of a legal obligation, the data may be communicated to judicial, tax, or administrative authorities.

10. International transfers

Data may be stored or processed outside the European Economic Area in services such as Google, Meta, Stripe, among others. In such cases, EVAN Care ensures protection mechanisms such as standard contractual clauses or adequacy decisions by the European Commission.

11. Security measures

EVAN Care adopts physical, technological, and organizational measures to mitigate risks of loss, misuse, unauthorized access, or disclosure. All data is stored on secure servers, with backups, encryption where applicable, and restricted access through authentication.

12. Cookie policy

EVAN Care uses its own and third-party cookies, classified as:

• Essential: store operation, security, and authentication;
• Analytical: statistics (Google Analytics);
• Functional: personalization of the experience;
• Advertising: retargeting, campaigns, and personalization (example: Meta Ads, among others).

The user can manage or revoke cookie consent at any time through the banner or preferences.

13. Processing of minors' data

EVAN Care does not intentionally collect or process personal data from minors under the age of 16. If the inadvertent collection of personal data from minors of this age is detected, EVAN Care will immediately delete this data, without prejudice to compliance with applicable legal obligations.

14. Changes to the policy

This policy may be updated periodically. The most current version will always be published at shop.evancare.com.

15. Contacts and complaints

Any questions, requests, or complaints should be sent to geral@evancare.com. You can also contact the National Data Protection Commission directly at www.cnpd.pt.

16. Jurisdiction and applicable law

This policy is governed by Portuguese and European law. The Judicial Court of the District of Lisbon has jurisdiction to resolve any disputes arising from the application of this policy.

17. Incident management plan

EVAN Care has a structured internal plan for managing information security incidents. This plan provides for the identification, analysis, containment, and mitigation of any personal data breaches. Whenever the breach poses a risk to the rights and freedoms of data subjects, notification will be made to the National Data Protection Commission within the legal deadline of 72 hours and, where applicable, individual communication to the data subjects affected.

18. Privacy by design & DPIA

All EVAN Care projects, features, and processes are designed and implemented based on the principle of Privacy by Design and by Default. Whenever the processing involves high risks, Data Protection Impact Assessments are carried out in accordance with Article 35 of the General Data Protection Regulation.

19. Legitimate interests and opposition

Certain processing operations are based on EVAN Care's legitimate interests, namely fraud prevention, continuous service improvement, and non-intrusive segmentation. These interests are always weighed against the rights and expectations of data subjects. The right to oppose these processing operations is guaranteed at any time by sending a request to the Data Protection Officer.

20. Consent management

All consents collected through the website, newsletters, or campaigns are stored securely. Users may review or revoke their consent at any time through the customer area or by sending a request to geral@evancare.com. EVAN Care keeps a verifiable record of the consents obtained, including the date, time, means, and purpose, for auditing purposes and to comply with applicable legal obligations.

21. Browsing and personalization data

EVAN Care uses browsing data, interactions, purchase history, and preferences to improve the digital experience. No automated decisions with significant impact are made without human intervention. Content and product personalization is based on non-sensitive data, respecting users' rights.

22. Third-party integrations and platforms

The operation of the EVAN Care store depends on integrations with external platforms such as Shopify, Google Analytics, Klaviyo, Meta, Stripe, among others. These services are selected based on criteria of compliance with the General Data Protection Regulation and are contractually obliged to ensure adequate protection of data processed on behalf of EVAN Care.

23. Transparency and identity verification

EVAN Care provides, upon request, a list of subcontractors with access to personal data. All requests for access, rectification, or deletion are subject to identity validation, as a way to protect data subjects against abuse or fraud.

24. Operational and practical examples

To reinforce transparency and understanding for data subjects, some real-life data processing situations are illustrated below:

• Contact details provided during a purchase are used to send delivery notifications via SMS through a contracted service;
• EVAN Care uses purchase history data to suggest complementary products by email, based on demonstrated preferences;
• Abandoned shopping carts are identified by cookies and automatically processed by the marketing platform to send a repurchase reminder.

25. Contractual terms with subcontractors

All EVAN Care subcontractors are bound by contracts that include specific clauses on:

• Confidentiality obligation;
• Technical and organizational security measures;
• Mandatory notification in case of data breach;
• Joint liability and contractual audit rights on the part of EVAN Care.

26. Data processing on social media

When interacting with EVAN Care through platforms such as Instagram or Facebook, among others, the user's personal data may be processed in accordance with the policies of those networks. In campaigns involving data collection (e.g., Meta Ads forms), consent is always explicitly obtained and the data is processed in accordance with this policy.

27. Legal basis - Article 6 of the General Data Protection Regulation

EVAN Care's data processing operations are based on legal grounds defined in Article 6 of the General Data Protection Regulation:

•  Paragraph a) Consent of the data subject;
•  Paragraph b) Performance of a contract;
•  Paragraph c) Compliance with a legal obligation;
•  Paragraph f) Legitimate interest duly weighed.

28. Table of data subjects' rights

Rights and how to exercise them:
| Right | Description | Exercise |
|--------|-----------|-----------|
| Access | Know what data the company has | Email to geral@evancare.com |
| Rectification | Correct incorrect or incomplete data | Customer area |
| Erasure | Permanent removal of data | Written request by email |
| Portability | Transfer to another controller | Request via email |
| Objection | Refuse processing based on legitimate interest | Email to Data Protection Officer |
| Restriction | Temporarily suspend processing | Justified request |

29. Integration with terms and conditions

This Cookie and Privacy Policy should be read in conjunction with the General Terms and Conditions of Sale available on the official EVAN Care website: shop.evancare.com/pages/terms-conditions.

30. Governance and policy review

EVAN Care adopts a policy of continuous improvement of its data protection governance. This document is reviewed annually by the Data Protection Officer or whenever there are relevant legislative, technological, or operational changes. Any new version will be published at shop.evancare.com/pages/privacy-policy.

31. Certification and compliance seal

EVAN Care may submit this policy to external certification or validation processes (e.g., ISO 27701, AFNOR, ePrivacySeal), reinforcing its commitment to security and legality in the processing of personal data.

Date of last update: January 9, 2026