Privacy Notice — Tarhata
tarhata.com

Privacy Notice

Last updated: April 2026  ·  Version 1.0

1. Who we are

Tarhata is a knitwear practice based in Porto, Portugal, operating at tarhata.com. We design and produce knitwear pieces and publish digital guides on colour, garment care, and dressing with intention.

For the purposes of the General Data Protection Regulation (EU) 2016/679 (GDPR), Tarhata is the data controller responsible for your personal data. To contact us regarding this notice or any data matter, write to hello@tarhata.com.

2. What data we collect and why

We collect only what is necessary for the purpose stated. The table below sets out each category of data, the purpose, and the legal basis under Article 6 GDPR.

| Category | Data collected | Purpose | Legal basis |
| Digital product orders (e.g. PDF guides via Gumroad) | Name, email address, country of purchase. Payment card details are processed entirely by Gumroad — we do not see or store them. | Delivering your purchase; sending your download link; issuing receipts. | Performance of a contract (Art. 6(1)(b)) |
| Physical product orders (knitwear pieces) | Name, email address, postal address (including country), telephone number (if provided). Payment is processed by our payment partner — we do not store card details. | Fulfilling and shipping your order; communicating about delivery; after-sale support; legal record-keeping. | Performance of a contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) for invoicing and tax records. |
| Email list (via the website sign-up form) | Email address; first name (optional). | Sending editorial communications: new collections, guides, and occasional studio notes. You may unsubscribe at any time. | Consent (Art. 6(1)(a)) |
| Enquiries (via email or contact form) | Name, email address, and any information you choose to include in your message. | Responding to your question or request. | Legitimate interests (Art. 6(1)(f)) — responding to communications directed at us. |
| Website security (Cloudflare Turnstile) | Browser and device signals used to distinguish humans from automated traffic. No personal profile is created or stored by us. | Protecting our contact and sign-up forms from spam and abuse. | Legitimate interests (Art. 6(1)(f)) — securing our systems. |

We do not collect sensitive personal data (as defined in Art. 9 GDPR), and we do not use your data for automated decision-making or profiling.

3. Third parties who process your data

We share data only with processors who help us operate the business. Each is bound by a data processing agreement and the obligations of GDPR.

| Processor | Purpose | Location | Safeguard |
| Gumroad | Digital product delivery, payment processing, receipts. | United States | Standard Contractual Clauses (SCCs); Gumroad Privacy Policy at gumroad.com/privacy |
| Brevo (Sendinblue) | Email list management and sending editorial communications. | France (EU) | EU-based processing; GDPR compliant. Data Processing Agreement in place. |
| Cloudflare | Website security, CAPTCHA (Turnstile), content delivery. | United States | SCCs; Cloudflare Privacy Policy at cloudflare.com/privacypolicy |
| WordPress hosting provider | Hosting the website and its database. | Depends on your provider — confirm with your host. | Confirm with your hosting provider that a DPA is in place. |
| Shipping carriers (physical orders only) | Delivery of physical knitwear pieces. | Varies by carrier and destination. | Minimum data shared (name, address, contact number). Carrier's own privacy policy applies to transit data. |

We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertisers.

4. International data transfers

Some processors listed above are based outside the European Economic Area (EEA), primarily in the United States. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission as the transfer mechanism, unless an adequacy decision applies.

You may request a copy of the safeguards in place for any specific transfer by writing to us at hello@tarhata.com.

5. How long we keep your data

| Data type | Retention period | Reason |
| Order records (digital and physical) | 10 years | Portuguese and EU tax and commercial law obligations. |
| Shipping addresses and delivery records | 3 years from order date | Consumer rights and after-sale support period. |
| Email subscriber records | Until you unsubscribe, plus 12 months (to record the consent and its withdrawal) | Consent accountability requirement under GDPR Art. 7(1). |
| Enquiry correspondence | 2 years from last contact | Operational necessity; potential dispute resolution. |

When data is no longer needed, it is securely deleted or anonymised.

6. Your rights

Under GDPR, you have the following rights in relation to your personal data:

  • Access. You may request a copy of the personal data we hold about you.
  • Rectification. You may ask us to correct inaccurate data or complete incomplete data.
  • Erasure. You may request that we delete your data, where no overriding legal obligation requires us to retain it.
  • Restriction. You may ask us to pause processing while a dispute is resolved.
  • Portability. Where processing is based on consent or contract and carried out automatically, you may request your data in a structured, machine-readable format.
  • Objection. You may object to processing based on legitimate interests. We will assess whether our interests are overridden by yours.
  • Withdrawal of consent. Where we rely on your consent (e.g. the email list), you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal. To unsubscribe from our emails, use the link in any email or write to us directly.

To exercise any of the above rights, write to hello@tarhata.com with the subject line Data Request. We will respond within 30 days. We may ask for proof of identity before processing the request.

Right to lodge a complaint

If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the Portuguese data protection authority:

Comissão Nacional de Proteção de Dados (CNPD)
Rua de São Bento, 148–3.º, 1200-821 Lisboa
www.cnpd.pt
geral@cnpd.pt

You may also complain to the supervisory authority of the EU member state where you reside or work.

7. Cookies

Our website uses cookies for essential operation and security only. We do not use advertising or tracking cookies, and we do not use analytics services that create personal profiles.

| Cookie | Provider | Purpose | Duration |
| cf_clearance | Cloudflare | Security — records that the Turnstile challenge has been passed. | 30 minutes to 24 hours |
| WordPress session cookies | WordPress | Maintains login state for admin users only. Not set for visitors. | Session |

If we add any further cookies in future, this notice will be updated before they are deployed.

8. Children's data

Our products and communications are directed at adults. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with data, please contact us and we will delete it promptly.

9. Changes to this notice

We may update this notice from time to time. Where changes are material, we will note the revision date at the top of this page and, where appropriate, notify you directly. We encourage you to review this notice periodically.

Contact

For any question about this notice or your data: hello@tarhata.com

Tarhata  ·  Porto, Portugal  ·  tarhata.com