Privacy Policy

Information on the processing of personal data when using our B2B marketplace and related services.

1. General information

This Privacy Policy explains how Stonesy Lda. (“Stonesy”, “we”, “us”) processes personal data when you use the STONESYMARKET website, marketplace, and related services (together, the “Platform”).

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Portuguese law.

This policy applies to visitors, registered users, buyers, and suppliers using the Platform. It should be read together with our Terms of Service and Cookie information.

2. Data controller

The data controller responsible for personal data processed in connection with the Platform is:

Stonesy Lda.
Rua de Trás 249 r/c
4460-837 Porto
Portugal
NIF: 519066545

Email (general): info@stonesy.de

For data protection enquiries and requests under GDPR, you may contact us at the same address, marking your message “Data protection”.

3. Data collection (overview)

We process personal data that you provide directly (e.g. when creating an account, completing a profile, listing products, placing requests, or contacting us), data generated through your use of the Platform (e.g. logs, device and usage data), and data we receive from third parties where permitted (e.g. authentication providers, payment providers, analytics partners).

The categories of data may include: identity and contact details, account and profile information, company information, transaction-related data, communications content, technical identifiers (IP address, device/browser data), and marketing preferences.

We do not use automated decision-making within the meaning of Article 22 GDPR as a default part of the marketplace service.

4. Authentication (Supabase Auth; Google login)

We use Supabase Auth to register and authenticate users. Supabase processes authentication data (such as email address, password hashes where applicable, session tokens, and security logs) on our behalf as a processor, in accordance with its documentation and our configuration.

Where you choose “Sign in with Google” (or similar OAuth providers if offered), Google processes your login in accordance with Google’s policies. We receive from Google the information necessary to create or link your account (typically an identifier, email address, and name), as authorised by you during the OAuth consent flow.

You can review Supabase’s privacy information at https://supabase.com/privacy and Google’s at https://policies.google.com/privacy.

5. Payments (Stripe)

Payments and payment-related features may be processed through Stripe, Inc. and its affiliates (“Stripe”). Depending on the transaction, Stripe may process billing details, payment method information, transaction records, and fraud-prevention data.

Stripe acts as a separate controller or processor depending on the processing activity and Stripe’s terms. We do not store full payment card numbers on our own servers when payment is handled by Stripe.

Stripe’s privacy notice is available at https://stripe.com/privacy.

6. Hosting (Vercel)

The Platform is hosted on Vercel Inc.’s infrastructure. Vercel processes technical data required to deliver web pages and applications (e.g. IP addresses, request metadata, performance and security logs) in accordance with Vercel’s privacy policy.

Vercel may process data in the United States and other countries with appropriate safeguards where required (e.g. Standard Contractual Clauses). See https://vercel.com/legal/privacy-policy.

7. Database and application data (Supabase)

Application data—including marketplace listings, messages, requests, favourites, and account-related records—is stored in a PostgreSQL database operated by Supabase. Supabase provides the database, APIs, and related services as configured for our product.

We implement access controls and, where applicable, row-level security policies. Supabase processes data as a processor for infrastructure and database services. See https://supabase.com/privacy.

8. Analytics and advertising (Google Analytics; Meta Ads)

We may use Google Analytics (or similar Google measurement products) to understand how the Platform is used (e.g. pages viewed, approximate location, device category), based on cookies or similar technologies where you have consented or where permitted by law.

We may use Meta (Facebook) Pixel or similar tools for conversion measurement and, where applicable, advertising campaigns (Meta Ads). These tools may process identifiers, usage events, and device data in accordance with Meta’s policies.

You can manage advertising preferences through your Google and Meta account settings and, where offered, through our cookie banner or browser controls.

9. Marketing and email

We may send transactional emails (e.g. account security, order or request notifications, service updates) as necessary to perform our contract with you or for our legitimate interests.

Where we send newsletters or promotional emails, we will do so only with your consent or another lawful basis under GDPR. Each marketing email will include a way to unsubscribe or adjust preferences where required by law.

Email delivery may use subprocessors (e.g. email API providers) who process recipient addresses and delivery metadata on our instructions.

10. Cookies and similar technologies

We use cookies and similar technologies (e.g. local storage, pixels) for essential operation of the Platform, security, preference storage, analytics, and—where you consent—marketing measurement.

Essential cookies may be strictly necessary for login sessions or security. Non-essential cookies (analytics, marketing) are used based on consent where required.

You can control cookies through your browser settings and, where available, our cookie preferences tool. For more detail, see our Cookie Policy if published separately on the Platform.

11. Your rights (GDPR)

Subject to conditions in the GDPR, you have the right to: access your personal data; rectification of inaccurate data; erasure (“right to be forgotten”) in certain cases; restriction of processing; data portability where applicable; object to processing based on legitimate interests or for direct marketing; and withdraw consent where processing is consent-based.

You also have the right to lodge a complaint with a supervisory authority. In Portugal, the competent authority is the Comissão Nacional de Proteção de Dados (CNPD), www.cnpd.pt.

To exercise your rights, contact us using the details in Section 2. We may need to verify your identity before responding.

12. Data retention

We retain personal data only as long as necessary for the purposes described in this policy, unless a longer period is required by law (e.g. tax or commercial record-keeping).

Account data is generally retained for the lifetime of the account and a reasonable period thereafter for backups, disputes, and legal claims. Transaction and communications data may be retained in line with statutory limitation periods and operational needs.

When data is no longer needed, we delete or anonymise it in accordance with our internal procedures.

13. Third-party services

The Platform relies on processors and independent controllers including, without limitation: Supabase (auth, database, storage), Vercel (hosting), Stripe (payments), Google (OAuth and analytics), and Meta (advertising/measurement). Additional subprocessors may be used for email, monitoring, or support tools as our stack evolves.

We select providers with appropriate safeguards. International transfers outside the EEA, where they occur, are made on the basis of adequacy decisions, Standard Contractual Clauses, or other mechanisms permitted under Chapter V GDPR.

14. Contact for data protection requests

For questions about this Privacy Policy or to exercise your GDPR rights, contact:

Stonesy Lda.
Email: info@stonesy.de
Subject line: Data protection / GDPR request

We will respond within the timeframes required by the GDPR (typically within one month, extendable in complex cases).

Last updated: March 2026.