How we handleyour data.

LIVSeating is the export trading name of Marques & Silva, Indústria de Mobiliário, Lda., a Portuguese manufacturer of contract seating. References to “we”, “us” or “LIVSeating”in this policy mean Marques & Silva acting under that trading name.

For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), Marques & Silva is the controller of the personal data described in this policy.

Controller

Marques & Silva, Lda.

Address

Barro · Aveiro · Portugal

NIPC

—

Email

privacy@livseating.com

DPO

Not formally appointed. Privacy questions are answered by the founder.

We only collect what we need to answer enquiries, fulfil orders and run the business as a manufacturer. We do not buy contact lists. We do not run third-party advertising trackers.

Provided by you

• Contact and quote enquiries. Name, company, role, work email, phone (optional), country, and the message you write. Submitted via our forms or by emailing us directly.
• Sample and download requests. Shipping address for swatch packs; email and company for catalogue / price-list / 3D model (GLB) downloads where those are gated.
• Project conversations. Correspondence, drawings, specifications and attachments you send us during a quotation or commission.
• Newsletter, if you subscribe. Email address; confirmation of double opt-in.

Collected automatically

• Technical request data. IP address, user-agent string and the URL you visited, logged briefly by Cloudflare, our edge provider, for security and operational diagnostics.
• First-party analytics. Anonymised page views and aggregate navigation events recorded by our own analytics endpoint. No cross-site identifiers, no third-party advertising pixels.

We do not intentionally collect special categories of personal data (health, ethnicity, political views, etc.) and do not knowingly collect data from children. Do not send us such data through our public channels.

Each processing activity is grounded in one of the lawful bases set out in Article 6 GDPR. The dominant bases for a B2B export manufacturer are legitimate interests, performance of a contract, and legal obligation; we use consent only for marketing-style communications that are not strictly necessary.

Enquiries

Legitimate interests (Art. 6(1)(f)). To respond to your request, manage the relationship and grow the business. The interests of a prospective B2B counterparty in receiving a reply outweigh privacy risk where the data is professional contact data.

Quotes & orders

Pre-contractual / contract (Art. 6(1)(b)). To issue a quote, confirm an order, ship goods and invoice.

Books & tax

Legal obligation (Art. 6(1)(c)). Accounting, VAT and customs records under Portuguese and EU law.

Marketing

Consent (Art. 6(1)(a)). Newsletter, project news; withdrawable at any time without affecting prior processing.

Security

Legitimate interests. Protecting the site and infrastructure from abuse.

Whistleblowing

Legal obligation (Lei n.º 93/2021). Operating the internal reporting channel. See the whistleblowing channel for the dedicated notice.

We do not sell personal data and we do not share it with marketing third parties. We rely on a small set of processors to run the site and the business; each is bound by a data-processing agreement under Article 28 GDPR.

• Cloudflare, Inc. Hosting (Workers, R2 object storage, D1 database) and edge security. Processor.
• Resend (Resend Labs, Inc.). Transactional email delivery for replies and confirmations. Processor.
• GitHub, Inc. Git-based content authoring back-end for the editorial team (no public-form data is stored there).
• Our certified accountant for tax and book-keeping records.
• Freight forwarders and customs brokers, only where needed to ship a specific order to you.

We may also disclose data when required by law, by a court order, or to defend a legal claim. We always seek to minimise such disclosures.

Some of our processors are established in or operate infrastructure outside the European Economic Area, notably Cloudflare and Resend in the United States, and GitHub which is owned by a US group. Where data leaves the EEA, we rely on appropriate safeguards under Chapter V GDPR:

• European Commission Standard Contractual Clauses (Decision 2021/914), incorporated into the data-processing agreements with each processor.
• Adequacy decisions where applicable, including the EU–US Data Privacy Framework for processors that are self-certified under it.
• Supplementary measures where appropriate (encryption in transit and at rest, access controls, minimisation of data exposure to non-EU sub-processors).

You can ask us for a copy of the relevant safeguards by writing to privacy@livseating.com.

We retain personal data only for as long as we need it for the purposes set out above, and then for any period required by law. Indicative periods:

Enquiries

Up to 24 months from the last contact, then deleted or anonymised, unless a project conversation is underway.

Quotes & orders

For the duration of the relationship and a further period sufficient to handle warranty claims and accounting (typically 10 years under Portuguese tax law).

Newsletter

Until you unsubscribe, plus a short suppression record so we honour the request.

Whistleblowing

As set out in Lei n.º 93/2021: generally five years after closure of the report, with restricted access.

Server logs

Edge request logs are retained briefly (typically up to 30 days) for security and diagnostics.

Under GDPR you have the following rights with respect to your personal data:

• Access. A copy of the data we hold about you.
• Rectification. Correction of inaccurate or incomplete data.
• Erasure. Deletion, where one of the grounds in Art. 17 GDPR applies and no legal obligation requires us to keep the data.
• Restriction of processing, in the circumstances of Art. 18.
• Portability. Receiving the data you gave us in a structured, machine-readable format, where processing is based on consent or contract and carried out by automated means.
• Objection to processing based on our legitimate interests, including any form of profiling.
• Withdrawal of consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these, write to privacy@livseating.com or use the contact form. We respond within one month of receiving a verifiable request, as required by Art. 12(3) GDPR; complex cases may extend that by up to two further months, in which case we will tell you why.

We apply reasonable technical and organisational measures to protect personal data: TLS in transit, encrypted storage at rest with our edge provider, role-based access controls on the admin surfaces, and the principle of data minimisation in our form fields. No system on the public internet is invulnerable; if we ever experience a personal-data breach that is likely to result in a risk to your rights, we will notify the CNPD within 72 hours and, where required, notify you without undue delay.

We update this policy when our processing changes or when the law evolves. The “Last updated” date at the top of the page reflects the most recent material revision. Substantive changes are flagged on the page and, where appropriate, communicated to active contacts and newsletter subscribers.

References: Regulation (EU) 2016/679 (GDPR); Lei n.º 58/2019, de 8 de agosto (Portuguese implementing law); CNPD guidance.