Casa São Bento

Privacy Policy

1. Data Controller

ARMOLUSO UNIPESSOAL LDA, NIF PT514691492, Rua de São Bento 111, 4970-451 Arcos de Valdevez, Portugal. DPO contact: contact@casasaobento.pt

2. Data Collected

We collect the following categories of data:

  • Identity data: full name, date of birth, nationality, document type and number, country of residence, address
  • Contact details: email, phone number
  • Booking data: stay dates, number of guests, special requests, reserved property
  • Payment data: processed exclusively by Stripe (we do not store your banking details)
  • Browsing data: technical cookies and, with your consent, analytics cookies (Google Analytics)

Identity data is collected via optical character recognition (OCR) using Google Gemini when you upload your identity document. The document image is deleted after text data extraction.

3. Purposes of Processing

Your data is used for the following purposes:

  • Booking management and execution of the rental contract
  • Stay-related communication (confirmation, arrival instructions, access code)
  • Mandatory declaration to SEF/AIMA (Portaria 287/2007) for non-Portuguese guests
  • Legal and accounting obligations (invoicing, tax declarations)
  • INE statistical reporting (aggregated and anonymous data)
  • Property access control via Nuki smart locks (temporary PIN code generation)

4. Legal Basis

Each processing activity relies on a GDPR legal basis (Art. 6):

  • Contract performance (Art. 6.1.b): booking, payment, property access
  • Legal obligation (Art. 6.1.c): SEF/AIMA declarations, accounting, invoicing
  • Legitimate interest (Art. 6.1.f): property security, fraud prevention
  • Consent (Art. 6.1.a): analytics cookies, marketing communications

5. Data Retention

Data is retained for the following periods:

  • Guest identity data (KYC): 1 year after the stay, in accordance with Portaria 287/2007
  • Booking and invoicing data: 10 years (Portuguese accounting obligation)
  • Contact form data: deleted after processing the request
  • Nuki access codes: automatically deleted after check-out
  • Analytics cookies: maximum 12 months

6. Sub-processors and Transfers

Your data is shared with the following GDPR-compliant service providers:

  • Stripe (Ireland/EU): payment processing — stripe.com/privacy
  • Vercel (EU/US, Standard Contractual Clauses): website hosting and storage
  • Neon (EU): database
  • Resend (EU): transactional email delivery
  • Google (EU/US, Standard Contractual Clauses): OCR extraction (Gemini), analytics (GA4)

7. Your Rights (GDPR)

Under the GDPR and Lei 58/2019 (Portuguese data protection law), you have the following rights:

  • Right of access: obtain a copy of your personal data
  • Right to rectification: correct inaccurate data
  • Right to erasure: request deletion of your data (subject to legal obligations)
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interest
  • Right to withdraw consent: withdraw your consent at any time for analytics cookies

To exercise your rights, contact us at contact@casasaobento.pt. We will respond within 30 days. If you believe your rights are not being respected, you may file a complaint with the CNPD (Comissão Nacional de Proteção de Dados): www.cnpd.pt

8. Cookies

This site uses the following cookies:

  • Technical cookies (strictly necessary): session, language preferences — no consent required
  • Analytics cookies (Google Analytics): anonymised audience measurement — only with your consent
  • No advertising or tracking cookies are used
  • You can withdraw your consent at any time via the 'Manage Cookies' link at the bottom of the page

Consent for analytics cookies expires after 12 months.

9. Security

We implement appropriate technical and organisational measures to protect your data: encryption in transit (TLS), access control, passwordless magic link authentication, hosting in certified data centres (SOC 2, ISO 27001).

10. Changes

This policy may be updated. The last modification date is indicated below. In case of substantial changes, we will notify you by email if you are a customer.

11. Contact

For any questions regarding the protection of your data: contact@casasaobento.pt — ARMOLUSO UNIPESSOAL LDA, Rua de São Bento 111, 4970-451 Arcos de Valdevez, Portugal.

In case of discrepancy between language versions of this policy, the Portuguese version shall prevail. Last updated: March 2026.