Legal

Privacy Policy

How ORVIDA — operated by Orquideas Etereas, Unipessoal LDA — collects, uses, shares and protects personal data under the EU General Data Protection Regulation.

Last updated: 17 April 2026

1. Introduction

This Privacy Policy explains how ORVIDA — a trade name operated by Orquideas Etereas, Unipessoal LDA, a limited liability company incorporated under Portuguese law with registered office in Lisbon, Portugal — collects, uses, shares and protects personal data when you interact with our website, register as a professional customer, place an order, or otherwise engage with our services.

ORVIDA is the exclusive authorised distributor of Sofiderm-branded medical devices (manufactured by Hangzhou Techderm Biological Products Co., Ltd.) for the Portuguese and Spanish markets. Our services are strictly business-to-business and directed at licensed aesthetic practitioners, medical clinics, and authorised resellers.

We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), Portuguese Law 58/2019, and — where relevant — Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD).

2. Data Controller & Contact

The data controller responsible for your personal data is:

  • Orquideas Etereas, Unipessoal LDA (trading as ORVIDA)
  • Registered office: Lisbon, Portugal (full postal address provided upon written request while our commercial premises are being finalised)
  • General contact: info@orvida.eu
  • Data Protection Officer / Privacy contact: info@orvida.eu — please put "Privacy request" in the subject line

We do not currently operate a call centre for data subject requests. All privacy-related correspondence must be submitted in writing so we can verify identity and maintain an audit trail.

3. What Data We Collect

We only collect the personal data we genuinely need to verify, onboard and serve professional customers. The categories below describe the information we process.

Identification and professional credentials

  • Full legal name and business contact name
  • Clinic or practice name, VAT (NIF/NIPC) and trading address
  • Medical licence number, professional regulator registration (e.g. Ordem dos Médicos, Colegio Oficial de Médicos), and — where relevant — aesthetic speciality and scope of practice
  • Copy of licence or registration certificate for verification (held in a restricted-access folder, never published)

Contact details

  • Business email, phone number, shipping address, billing address
  • Named delivery recipient and preferred cold-chain delivery window

Financial and transactional data

  • Invoice history, purchase orders, payment method metadata (e.g. last 4 digits of card via Stripe — we never see or store full card numbers)
  • Bank transfer remittance references and, where granted, credit line status

Technical and browsing data

  • IP address, browser type, device, operating system, referring page
  • Pages viewed on orvida.eu, time on page, cart interactions
  • Cookie identifiers — see the Cookie Policy for the full list

Pharmacovigilance and traceability data

  • Product lot numbers shipped to you and the date of shipment
  • Any adverse-event report you submit under EU MDR 2017/745 vigilance obligations

We do not knowingly collect special category data (health data about identifiable patients, biometric or genetic data) through this website. If you submit such data by mistake we will delete it on discovery.

Under Article 6 GDPR we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): when you order products, request a quote, or operate a credit account with us.
  • Legal obligation (Art. 6(1)(c)): invoicing, tax reporting, medical device traceability under EU MDR 2017/745, anti-money-laundering checks where applicable.
  • Legitimate interest (Art. 6(1)(f)): verifying that buyers are licensed professionals, preventing fraudulent account creation, direct B2B communication with verified customers about products they have previously purchased, fraud prevention and IT security.
  • Consent (Art. 6(1)(a)): marketing newsletters, educational webinars and — where required — non-essential cookies. Consent can be withdrawn at any time at no cost.

5. How We Use Your Data

We use personal data for the following purposes:

  • Account verification: confirming professional credentials before releasing trade pricing or accepting orders for prescription-only medical devices.
  • Order fulfilment: processing purchase orders, preparing cold-chain shipments, issuing invoices, collecting payment and handling returns or warranty claims.
  • Professional communication: responding to inquiries, sending shipment updates, notifying you of restocks of products you buy regularly, and issuing mandatory safety communications (e.g. Field Safety Notices from the manufacturer).
  • Regulatory traceability: maintaining distribution records linking lot numbers to recipient clinics, as required by EU MDR 2017/745 and ISO 13485 distribution controls.
  • Marketing (with consent): newsletters, product launch announcements, training invitations.
  • Site improvement: analysing aggregated, pseudonymised browsing data to improve product navigation and page performance.
  • Legal defence and compliance: exercising or defending legal claims, complying with lawful requests from authorities.

6. Who We Share Data With

We do not sell personal data. We share only what is necessary with carefully selected processors and recipients:

  • Payment processors: Revolut Ltd. (bank transfer and card acquiring), Stripe Payments Europe Ltd. (card and PayPal), SIBS MB Way (Portuguese mobile payments). These providers process card data under PCI-DSS and operate as independent controllers for fraud-prevention purposes.
  • Shipping and cold-chain partners: CTT Expresso, DHL Medical Express and equivalent courier services in Spain, to deliver temperature-controlled parcels. They receive only the name, delivery address and phone number needed for handover.
  • Accounting and tax advisors: our external certified accountants in Portugal, under written confidentiality and processor agreements, for invoicing, VAT returns and statutory bookkeeping.
  • Tax and regulatory authorities: Autoridade Tributária e Aduaneira (PT), Agencia Tributaria (ES), INFARMED and AEMPS for medical device vigilance, when disclosure is mandated by law.
  • Manufacturer (adverse event reporting only): Hangzhou Techderm Biological Products Co., Ltd. receives pseudonymised lot-tracking and adverse-event data where EU MDR vigilance reporting requires it. We do not share routine sales data with the manufacturer.
  • IT service providers: hosting, email (Google Workspace), helpdesk, backup. All are bound by data-processing agreements and process data only on our instructions.

We maintain written data processing agreements (Article 28 GDPR) with every processor and review them on renewal.

7. International Data Transfers

Most of our processing takes place inside the European Economic Area. Two categories of transfer require specific attention:

  • Manufacturer vigilance reporting (China): Hangzhou Techderm is located in the People's Republic of China, which is not the subject of a European Commission adequacy decision. Where EU MDR 2017/745 requires us to forward adverse-event information to the manufacturer, we transfer only pseudonymised lot-tracking and clinical-event data, governed by the 2021 European Commission Standard Contractual Clauses (SCCs) and accompanied by a transfer impact assessment. We do not send customer account data, financial data or marketing data to China.
  • Google Workspace and Stripe infrastructure: these processors may route some data through servers outside the EEA under the EU-US Data Privacy Framework or SCCs.

You may request a copy of the relevant safeguards by writing to info@orvida.eu.

8. How Long We Keep Data

We keep personal data only as long as necessary for the purposes described above, subject to statutory retention rules.

  • Order, invoice and tax records: 10 years, in line with Article 123 of the Portuguese Corporate Income Tax Code and EU MDR 2017/745 Article 10(8) distribution traceability.
  • Medical device distribution records (lot traceability): at least 10 years after the product is placed on the market, as required by MDR Annex IX.
  • Account data for inactive customers: retained until a deletion request is received, or archived after 5 years of inactivity.
  • Marketing consent records: until you withdraw consent, plus 2 years of audit log.
  • Website analytics: up to 14 months in aggregated form.
  • CCTV or visitor logs (if applicable at our future premises): no more than 30 days.

When retention expires we either delete the data securely or anonymise it so it can no longer be linked to you.

9. Your Rights

Under the GDPR you have the following rights, free of charge, subject to limitations set by law:

  • Access: obtain confirmation of whether we process your data and receive a copy.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): ask us to delete your data, subject to the mandatory retention periods above (tax and medical device traceability cannot be shortened).
  • Restriction: ask us to limit processing while a dispute is being resolved.
  • Portability: receive your data in a structured, commonly used format.
  • Objection: object to processing based on legitimate interest, including direct marketing.
  • Withdraw consent: at any time, without affecting processing that took place before withdrawal.
  • Not be subject to automated decision-making: we do not make decisions about you by automated means.
  • Lodge a complaint: with the Portuguese supervisory authority Comissão Nacional de Proteção de Dados (CNPD), or the Spanish Agencia Española de Protección de Datos (AEPD) if your dispute concerns processing in Spain.

To exercise any of these rights, write to info@orvida.eu. We respond within 30 days (extendable by a further 60 days for complex requests, with notice).

10. Cookies

We use a small number of cookies and similar technologies. The full inventory, legal basis and retention for each cookie is described in our Cookie Policy. A cookie banner lets you accept or reject non-essential cookies on your first visit.

11. Security

We take technical and organisational measures proportionate to the risk of the data we handle, including:

  • Encryption in transit (TLS 1.2 or higher) for all connections to orvida.eu and our back-office tools.
  • Encryption at rest for database backups.
  • Role-based access controls; staff see only the data they need for their role.
  • Two-factor authentication on email, accounting and admin systems.
  • Regular review of processor agreements and suppliers' certifications (ISO 27001, SOC 2).
  • Internal incident-response procedure aligned with our ISO 13485 quality management approach.

In the unlikely event of a personal data breach that poses a risk to data subjects, we will notify the CNPD within 72 hours of becoming aware, in line with Article 33 GDPR, and affected individuals without undue delay where required.

12. Minors

Our products are professional medical devices. The website and our services are strictly B2B and are not directed to, nor intended for, individuals under 18. We do not knowingly collect data from minors. If you believe a minor has submitted personal data to us, please contact us and we will delete it.

13. Changes to this Policy

We may update this Privacy Policy to reflect changes in law, our services or our processors. When we make material changes we will post the revised policy on this page and update the "Last updated" date at the top. For substantial changes we will also notify registered customers by email. The current version is the only one in force.

14. Contact

For any privacy question, to exercise a right, or to report a concern, contact us at:

  • Email: info@orvida.eu (subject line: "Privacy request")
  • Postal: Orquideas Etereas, Unipessoal LDA — Privacy, Lisbon, Portugal (full street address provided on request)

Effective date: 17 April 2026.

Questions about your data?

Contact our Data Protection Officer or write to our team — we respond within 72 hours.

Email our DPO