Privacy Policy
How I collect, use and protect your personal information — on the website, in ads, and in the studio. Plain language, no tricks.
Last updated: 29 May 2026
This privacy policy explains how Maria Fink PMU ("I", "me", "Maria", "we") collects, uses, and protects your personal data. It applies to the whole relationship — when you visit this website, contact me by any channel, submit your details through my Meta (Facebook / Instagram) ad forms, book a consultation, or come into the studio for treatment.
Please read it carefully. By using this website or contacting me, you confirm you have read and understood this policy.
1. Definitions
- Personal data — any information that identifies you or could identify you, directly or indirectly.
- Special category data — sensitive data that needs extra protection under GDPR Article 9. In my case, this means health information collected during the consent form.
- Data controller — the person who decides how and why your data is used. For this site and service, that is me (Maria Fink).
- Data processor — a company that handles data on my behalf (such as my email provider, hosting provider, Meta, or WhatsApp).
- GDPR — Regulation (EU) 2016/679, the General Data Protection Regulation. The main EU privacy law.
- Cookies — small text files placed on your device by websites you visit.
2. Who I am
Maria Fink, sole proprietor operating as Maria Fink PMU. Licensed PMU & Brow Artist. Studio in Monte Estoril, Cascais, Portugal.
I am the data controller responsible for your personal data.
Contact:
- Booking form on the website
- Email: mariiaillustration@gmail.com
- Instagram: @mariafink.pmu
3. Scope
This policy covers:
- Visiting and using this website (mariafink-pmu).
- Submitting your details through Meta Lead Ads on Facebook or Instagram.
- Sending me a message by WhatsApp, email, Instagram DM or any contact form.
- Booking a consultation or treatment.
- Being treated in the studio (including paper consent forms, health questionnaire, and photos).
It does not cover external sites I link to (Instagram, Meta, WhatsApp, third-party brand sites). Those have their own privacy policies.
4. What personal data I collect
Depending on how you interact with me, I may collect:
- Identity data — first and last name, date of birth (only if relevant to treatment safety).
- Contact data — email, phone number, WhatsApp number, Instagram handle, postal area (Cascais / Lisbon).
- Booking data — requested service, preferred date, prior PMU history, source (how you found me).
- Special category data (health) — allergies, medications, skin conditions, history of cold sores, autoimmune conditions, anything that affects whether PMU is safe for you. Collected only on a paper form in the studio.
- Photographs — before, during and after photos of the treated area, taken in the studio with your explicit consent.
- Communication records — messages we exchange on WhatsApp, email, Instagram DM, contact forms.
- Financial data — I do not collect card details on this website. Payment happens in person, or via bank transfer / MB Way. The minimum invoice details (name, NIF if requested) are kept for Portuguese tax law.
- Technical data — IP address, browser type, device type, pages visited, referring URL. Collected automatically when you visit the site.
- Marketing preferences — whether you've opted in to occasional emails, and what you've engaged with.
5. Special category data — extra protection
Health information is "special category data" under GDPR Article 9 and gets extra protection. I collect it only to make sure the procedure is safe for you, and only on paper, in the studio, on a consent form signed by you. It is kept in a locked cabinet for five years (Portuguese professional record-keeping requirement), then destroyed.
I never share health data with third parties.
6. How I collect your data
I collect personal data in five ways:
- You give it to me directly — through messages on WhatsApp, email, Instagram, or any form on this site.
- Through Meta Lead Ads — when you submit your details through one of my Facebook or Instagram ad forms, Meta passes them to me. Meta acts as a joint controller for that submission.
- In the studio — through the paper consent form and health questionnaire signed before the procedure.
- Photographs — taken in the studio with verbal consent at the time, and separate written consent for portfolio use.
- Automatically — when you visit this website, basic technical data (IP, browser, device) and cookies (see Section 17).
7. Why I use your data
I use your data only for clear, specific reasons:
- To reply to your question and have a consultation conversation.
- To book and confirm your appointment.
- To make sure the procedure is safe for you (health screening).
- To deliver and document the service (including healing follow-up).
- To send aftercare reminders.
- To use anonymised before/after work in my portfolio — only with your separate written consent.
- To send occasional emails or messages about my services — only with your consent, and you can unsubscribe anytime.
- To keep tax and accounting records as required by Portuguese law.
- To improve this website and understand which content is useful.
8. Legal basis (GDPR Article 6 & 9)
I rely on five legal bases, depending on the purpose:
- Consent — for marketing emails, portfolio use of your photos, non-essential cookies.
- Contract — to provide the service you booked.
- Legitimate interest — to reply to inquiries, run business records, prevent fraud, improve the site. Always balanced against your rights.
- Legal obligation — to keep accounting, tax and professional records under Portuguese law.
- Explicit consent under Article 9 — for health data and photo consent.
9. Marketing communications
I send marketing messages (email or WhatsApp) only if you've opted in. Two cases:
- Explicit opt-in — you actively check a box or tell me you want to hear from me.
- Soft opt-in — you've already booked a service, and I send you related updates (aftercare, refresh reminders, similar services). You can opt out anytime.
Every marketing email contains a clear unsubscribe link. To opt out of marketing WhatsApp messages, reply STOP.
10. Who I share your data with
I do not sell, rent, or trade your data. I share it only with carefully chosen processors that help me run the service:
- Meta Platforms Ireland Ltd — when you submit through a Facebook / Instagram Lead Ad. Joint controller with me for that submission.
- WhatsApp (Meta) — for messages we exchange there.
- Email service provider — to send and store our email correspondence.
- Hosting provider — to serve this website.
- Accountant or tax advisor — only the minimum needed for legal compliance.
- Authorities — only if I am legally required to (court order, tax audit).
Each processor has signed a contract committing to GDPR-level protection.
11. International data transfers
Some of the services I use (Meta, WhatsApp, and possibly Google / Microsoft for email and analytics) are based in the United States. Your data may be transferred outside the European Economic Area.
When this happens, I rely on:
- EU Standard Contractual Clauses (the European Commission's approved transfer agreement), and
- EU-US Data Privacy Framework certification of the receiving company, where applicable.
This ensures your data keeps an essentially equivalent level of protection.
12. How long I keep your data
- Contact details and booking history — 5 years (Portuguese tax and accounting requirement).
- Medical questionnaire and consent form — 5 years (professional record-keeping).
- Before/after photos in portfolio — until you withdraw consent.
- Lead Ad submissions that do not become a booking — 90 days, then deleted.
- Marketing list — until you unsubscribe.
- Website technical data (logs, cookies) — 12 months maximum.
After these periods I delete or anonymise the data.
13. How I keep your data secure
- Paper consent forms are stored in a locked cabinet in the studio.
- Digital files are stored in password-protected, encrypted accounts.
- Photos are stored in an encrypted cloud folder with two-factor authentication.
- I do not use shared computers or accounts.
- I never store payment card numbers.
- If a data breach happens that puts you at risk, I will notify you and CNPD within 72 hours, as GDPR requires.
14. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data I hold about you.
- Rectification — correct anything that's inaccurate or incomplete.
- Erasure (right to be forgotten) — request deletion, unless I am legally required to keep the data.
- Restriction — ask me to limit how I use your data.
- Object — to processing based on legitimate interest, including direct marketing.
- Data portability — receive your data in a structured, machine-readable format, or have it sent to another controller.
- Withdraw consent — at any time, for any purpose based on consent. Withdrawal does not affect processing already done.
- Not be subject to automated decision-making — I do not make automated decisions about you.
15. How to exercise your rights
Email me at mariiaillustration@gmail.com. I reply within 1 hour during business hours (9am–7pm Lisbon time) and complete the request within 30 days, free of charge.
If your request is repetitive or excessive, I may charge a small fee or refuse — and I will explain why.
16. Right to lodge a complaint
If you believe I have mishandled your data, you have the right to complain to the Portuguese Data Protection Authority:
Av. D. Carlos I, 134, 1.º · 1200-651 Lisboa, Portugal
geral@cnpd.pt · www.cnpd.pt
If you live in another EU country, you may also complain to your local data protection authority.
17. Cookies and tracking
This website uses cookies sparingly. There are three types:
- Strictly necessary — needed for the site to work (page navigation, accessibility, security). No consent required, no opt-out.
- Analytics — to understand how visitors use the site so I can improve it. Enabled only with your consent via the cookie banner.
- Marketing / advertising — used by Meta Pixel and similar tools to measure ad performance. Enabled only with your consent via the cookie banner.
You can withdraw consent anytime by clearing cookies in your browser settings.
18. Children
This service is for adults only. PMU is not performed on anyone under 18. I do not knowingly collect data from anyone under 18. If a parent or guardian believes their child has submitted data, please contact me and I will delete it.
19. Links to other websites
This site links to other websites (Instagram, WhatsApp, Meta, and brands like Swiss Colour, FK Irons, Cheyenne, Kwadron, Mast). These sites have their own privacy policies. I am not responsible for their content or practices.
20. Changes of business ownership
If I sell, transfer or restructure the business, your data may be transferred to the new owner. The new owner will be required to honour this policy.
21. Changes to this policy
I may update this policy occasionally — to reflect new tools, new legal requirements, or new services. Any change will be published on this page with the new "Last updated" date. Material changes that affect your rights will be notified to you by email (if I have your address).
22. Governing law
This policy is governed by Portuguese law. The Portuguese courts have exclusive jurisdiction over any dispute arising from it.
23. Contact me
If you have any question about this policy or how I handle your data, contact me through the booking form, by email at mariiaillustration@gmail.com, or on Instagram.
This policy is provided in English for the international audience of this site. In case of dispute, the English version prevails unless a translated version is officially published on this page.