Privacy Policy

Template for Bookforest / Лес Книг (lesknig.com). Operator: Marina Aromshtam, established in Portugal. Audience: children up to 16 years.

Fill in [MARINA_ADDRESS_PT], [HOSTING_PROVIDER], [DATE] and add tool-specific sections for analytics, payment, fonts, embeds, newsletter, and accounts once the tech stack is final.

Cookie consent banner and Accessibility Statement must be implemented separately.

1. Overview

This Privacy Policy explains how personal data is processed when you use the website lesknig.com (“the website”). Processing complies with Regulation (EU) 2016/679 (GDPR), Lei n.º 58/2019 (the Portuguese law implementing the GDPR), and Lei n.º 41/2004 (the Portuguese e-Privacy law implementing Directive 2002/58/EC, as amended).

Because the website is directed at children up to 16 years of age, special protections under Article 8 GDPR and Article 16 of Lei n.º 58/2019 apply (see section 5).

2. Controller

The controller responsible for the processing of personal data on this website is:

Marina Aromshtam

[MARINA_ADDRESS_PT]

Portugal

Email: info@lesknig.com

3. Your Rights

Under the GDPR you have the following rights, exercisable at any time by contacting the controller at the address above:

• Right of access (Art. 15 GDPR) — confirmation whether data concerning you is processed and a copy of that data.
• Right to rectification (Art. 16 GDPR) — correction of inaccurate or incomplete data.
• Right to erasure / “right to be forgotten” (Art. 17 GDPR).
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format.
• Right to object (Art. 21 GDPR) — including objection to processing for direct marketing at any time.
• Right to withdraw consent (Art. 7 (3) GDPR) at any time, without affecting processing already carried out.
• Right not to be subject to automated decision-making (Art. 22 GDPR).
• Right to lodge a complaint with the Comissão Nacional de Protecção de Dados (CNPD) — Av. D. Carlos I, 134, 1.º — 1200-651 Lisboa, Portugal — www.cnpd.pt — or with the supervisory authority of your habitual residence.

4. Legal Bases for Processing

We process personal data on the following legal bases:

• Consent (Art. 6 (1) (a) GDPR; Art. 9 (2) (a) for special-category data; Art. 49 (1) (a) for transfers to third countries; Art. 8 GDPR for children under 13, requiring parental consent).
• Contract performance / pre-contractual measures (Art. 6 (1) (b) GDPR).
• Legal obligation (Art. 6 (1) (c) GDPR).
• Legitimate interest (Art. 6 (1) (f) GDPR), where the controller’s interest in the proper, secure and efficient operation of the website outweighs the interests of the data subject.

For the storage of cookies and similar technologies on your device, the legal basis is your prior consent under Article 5 (3) of Directive 2002/58/EC, as transposed by Article 5 of Lei n.º 41/2004.

5. Children's Data — Article 8 GDPR

This website is directed at children up to 16 years of age. We apply heightened protection in line with Article 8 GDPR, Article 16 of Lei n.º 58/2019 (Portugal sets the age of digital consent at 13 years), and the recommendations of the European Data Protection Board (EDPB) on processing children's data.

For users under 13 years, any processing of personal data based on consent requires the express consent or authorisation of the holder of parental responsibility (parent or legal guardian). We make reasonable efforts to verify such consent using technical means proportionate to the risks of processing.

For users aged 13 to 16, consent may be given directly by the minor for ordinary processing; processing posing higher risks may still require parental involvement.

We collect only the minimum data necessary for the service (“data minimisation”, Art. 5 (1) (c) GDPR). We do not profile children for advertising purposes.

Privacy information is also provided in clear, age-appropriate language at relevant points in the user journey.

Parents and guardians may at any time review, correct, or request deletion of their child's data by contacting info@lesknig.com.

If we become aware that personal data has been collected from a child under 13 without verified parental consent, we will delete that data without undue delay.

6. Data Collected on This Website

6.1 Server Log Files

When you visit the website, the hosting provider automatically records technical information transmitted by your browser:

• Browser type and version
• Operating system
• Referrer URL
• Host name of the accessing device
• Date and time of access
• IP address (anonymised where technically feasible)

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in secure, error-free operation). Storage period: as short as necessary for security and stability, typically up to 7 days; longer only in case of attack analysis. This data is not merged with other data sources.

6.2 Hosting

The website is hosted by [HOSTING_PROVIDER]. The hosting provider may process server log data on our behalf as a processor pursuant to Art. 28 GDPR. A data processing agreement (DPA) is in place. Details are available in the hosting provider's privacy policy.

6.3 Cookies and Similar Technologies

The website may use cookies and comparable technologies (local storage, session storage, pixels). Cookies are categorised as:

• Strictly necessary — required for core functionality (e.g. session, security, consent storage). Legal basis: Art. 6 (1) (f) GDPR; no consent required under Art. 5 (3) of Directive 2002/58/EC.
• Functional / preference — remember user choices (language, settings). Stored only with consent.
• Analytics — help us understand site usage. Stored only with consent.
• Marketing / advertising — not used. This site does not run behavioural advertising directed at children.

Consent is collected via a cookie consent banner shown on first visit and can be reviewed and withdrawn at any time through the “Cookie settings” link in the footer. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

A complete list of cookies, purposes, retention periods, and third-party recipients will be made available in the cookie banner / preference centre once the technical implementation is complete.

6.4 Contact by Email

If you contact us by email, your message and contact details will be processed solely to handle your enquiry and any follow-up. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) or Art. 6 (1) (f) GDPR (legitimate interest in answering enquiries). Data is retained for as long as necessary for processing the enquiry and any statutory retention obligations.

7. SSL / TLS Encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL/TLS encryption. You can recognise an encrypted connection by the “https://” prefix and the padlock symbol in your browser's address bar. When SSL/TLS encryption is active, the data you transmit cannot be read by third parties.

8. International Data Transfers

Where personal data is transferred to processors or service providers outside the European Economic Area (EEA), such transfers are protected by appropriate safeguards in accordance with Chapter V of the GDPR — typically the European Commission's Standard Contractual Clauses (SCCs), an adequacy decision under Art. 45 GDPR, or your explicit consent under Art. 49 (1) (a) GDPR. Specific recipients and safeguards will be listed in the cookie / processor disclosures once the tech stack is finalised.

9. Storage Periods

Personal data is retained only for as long as necessary for the purposes for which it was collected, or as required by applicable law. When the purpose ceases, data is deleted or anonymised without undue delay, unless legal retention obligations apply.

10. Recipients of Personal Data

Personal data is shared with third parties only where:

• it is necessary for the performance of the service or a contract;
• there is a legal obligation to do so;
• there is an overriding legitimate interest pursuant to Art. 6 (1) (f) GDPR;
• you have given consent;
• the recipient acts as a processor under a data processing agreement pursuant to Art. 28 GDPR.

Categories of recipients currently include the hosting provider. Additional categories (analytics provider, payment processor, email service, etc.) will be listed here once the tech stack is finalised.