Privacy Policy

Last updated:

1. Controller Information

The data controller responsible for your personal data is:
[Luis Morao]
Email: [email protected]

2. What Data We Collect

For Accommodation Providers:

• Account information (name, email, phone)
• Property details (name, address, NIF, establishment number)
• Team and user management data
• Service usage logs and preferences

For Guests:

• Personal identification (name, date of birth, nationality)
• Travel documents (passport/ID number, issuing country)
• Residence information (country and place of residence)
• Stay details (check-in/check-out dates)
• Document images (passport/ID photographs)
• Email address (when provided)

3. Legal Basis for Processing

We process your personal data based on:

• Legal obligation - Portuguese tourism law requires accommodation providers to register guests with SIBA SEF
• Legitimate interest - Providing guest registration services to accommodation providers
• Contract performance - Delivering the services you've requested
• Consent - For marketing communications (where applicable)

4. How We Use Your Data

• Generate SIBA SEF compliant files for Portuguese authorities
• Facilitate guest registration for accommodation providers
• Verify document authenticity and guest identity
• Provide customer support and service improvements
• Comply with legal and regulatory requirements
• Prevent fraud and ensure platform security

5. Data Sharing

We may share your data with:

• Portuguese Authorities - SIBA SEF system as required by law
• Accommodation Providers - Your guest information for their compliance purposes
• Service Providers - Cloud hosting, email services, and technical support (under strict data processing agreements)
• Legal Authorities - When required by court order or legal obligation

We do not sell, rent, or trade your personal data to third parties for commercial purposes.

6. Data Storage and Security

• Data is stored in secure, encrypted databases within the European Union
• We implement industry-standard security measures including SSL encryption
• Access to personal data is restricted to authorized personnel only
• Regular security audits and vulnerability assessments are conducted

7. Data Retention

• Sensitive Data: Passport images are are automatically deleted 7 days after approval or 10 days after checkout date (whichever comes first). Additionally, passport numbers are masked (keeping first/last 2 characters) and birth dates are changed to keep only birth year.
• Basic Metadata: First names, check-in and check-out dates are retained for service analytics and support purposes
• Account Data: Retained while account is active, deleted 1 year after account closure
• Service Logs: Retained for 1 year for security monitoring and service improvement purposes

Note: This service facilitates data collection and submission file generation only. Hosts are responsible for downloading and submitting files to Portuguese authorities within legal deadlines (typically 3 days after guest departure).

8. Your Rights Under GDPR

As a data subject, you have the right to:

• Access - Request copies of your personal data
• Rectification - Correct inaccurate or incomplete data
• Erasure - Request deletion (subject to legal retention requirements)
• Restriction - Limit processing in certain circumstances
• Portability - Receive your data in a structured, machine-readable format
• Object - Object to processing based on legitimate interests
• Withdraw consent - Where processing is based on consent

To exercise these rights, contact us at [email protected]

9. Cookies and Tracking

We use essential cookies for:

• Authentication and session management
• Security and fraud prevention
• Language and preference settings

We do not use tracking cookies for advertising purposes. You can control cookie settings in your browser.

10. International Data Transfers

Your data is primarily processed within the European Union. Any transfers outside the EU are protected by appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

11. Children's Privacy

Our service is not intended for children under 16. If you are under 16, please have a parent or guardian complete the registration on your behalf.

12. Data Breach Notification

In the event of a data breach that may affect your rights and freedoms, we will notify you within 72 hours of becoming aware of the breach, as required by GDPR.

13. Email Communications and Deliverability

We send only essential service emails (team invitations, account notifications) and implement professional email deliverability practices:

Types of Emails We Send

• Team invitations when you are invited to join an accommodation team
• Essential account notifications (security alerts, service updates)
• Legal notices when required by law or terms changes
• We do not send marketing emails, newsletters, or promotional content

Email Bounce Handling

• We automatically process bounce notifications from email providers
• Permanent bounces (invalid email addresses) are immediately marked as undeliverable
• Temporary bounces are tracked, and after 3 temporary bounces, the email is marked as undeliverable
• Undeliverable email addresses are automatically excluded from future communications

Spam Complaint Handling

• We process spam complaints received from email providers automatically
• Email addresses that generate spam complaints are marked to prevent future communications
• Complained addresses are permanently excluded from all communications

Email Status Tracking

• We maintain detailed records of email deliverability status for each address
• Email statuses include: active, bounced, complained, and unsubscribed
• Our system automatically filters out non-deliverable addresses before sending
• Bounce and complaint events are logged with timestamps for audit purposes

Technical Implementation

• We use AWS Simple Email Service (SES) with proper DKIM and SPF authentication
• Real-time webhook notifications process bounces and complaints automatically
• Email headers include configuration set tracking for deliverability monitoring
• We comply with email provider feedback loops and authentication standards

Your Email Communication Rights

• Since we only send essential service emails, you cannot opt out of most communications
• You can update or correct your email address in your account settings
• Contact us if you have concerns about email communications
• You can close your account to stop all non-essential communications

14. Contact Information

For privacy-related questions or to exercise your rights, contact:
Email: [email protected]

15. Supervisory Authority

You have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD):
Website: www.cnpd.pt
Email: [email protected]
Phone: +351 213 928 400

16. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or through our platform.