Ollive

Privacy Policy

Last updated: 21 May 2026

1. Data controller

Ollive is the data controller for the personal data you provide when using this Service. For any privacy-related questions or to exercise your rights, contact us at privacy@ollive.art.

2. Data we collect

We collect the following categories of personal data:

  • Account data: name and email address provided at registration (via email/password or Google Sign-In).
  • Shipping data: postal address you provide for illustration delivery.
  • Payment data: billing details handled directly by Stripe; we do not store your card number.
  • Subscription data: your plan type, billing history, and shipment records.
  • Usage data: pages visited, referral source, and aggregated analytics collected by Vercel Analytics (privacy-preserving, no persistent identifiers).
  • Communications: messages you send us via email or support channels.

3. Legal bases for processing

We process your data under the following legal bases (GDPR Article 6):

  • Contract performance (Art. 6(1)(b)): to create and manage your account, process payments, and fulfil shipments.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and consumer-protection obligations.
  • Legitimate interests (Art. 6(1)(f)): to improve the Service, prevent fraud, and ensure platform security — balanced against your privacy rights.
  • Consent (Art. 6(1)(a)): for any optional marketing communications; you may withdraw consent at any time.

4. How we use your data

  • Create and maintain your account.
  • Process subscription payments and renewals.
  • Organise and ship your monthly illustration.
  • Send transactional emails (order confirmations, shipping updates).
  • Send marketing emails if you have opted in (unsubscribe link in every email).
  • Detect and prevent fraud and abuse.
  • Improve and develop the Service using aggregated, anonymised analytics.
  • Comply with legal and regulatory obligations.

5. Third-party processors

We share data only with processors necessary to operate the Service:

  • Stripe: payment processing. Stripe is certified PCI-DSS Level 1 and processes card data under its own privacy policy.
  • Vercel: hosting and infrastructure for the web application.
  • MongoDB Atlas: encrypted cloud database for account, subscription, and shipment data.
  • Google (optional): OAuth sign-in, used only if you choose to register with Google.

We do not sell your personal data to third parties. We do not share it for advertising purposes.

6. International transfers

Some processors operate infrastructure outside the European Economic Area (EEA). In such cases, data is transferred only under an appropriate safeguard, such as the EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.

7. Data retention

  • Account data is retained for as long as your account is active.
  • After account deletion, we retain billing and shipment records for 7 years to comply with tax and accounting obligations.
  • Anonymised analytics data (Vercel) has no persistent identifiers and is not subject to deletion requests.

8. Your rights under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Access (Art. 15): request a copy of your personal data.
  • Rectification (Art. 16): correct inaccurate or incomplete data.
  • Erasure (Art. 17): request deletion of your data where no legal ground for retention exists.
  • Restriction (Art. 18): ask us to limit processing in certain circumstances.
  • Portability (Art. 20): receive your data in a structured, machine-readable format.
  • Objection (Art. 21): object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@ollive.art. We will respond within one month. Some rights are subject to exceptions under applicable law.

9. Supervisory authority

You have the right to lodge a complaint with a data-protection supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD) at cnpd.pt. You may also contact the supervisory authority of your country of residence.

10. Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes by email and by updating the “Last updated” date above. We encourage you to review this page periodically.