Privacy Policy
Privacy and data protection.
This policy explains how Casa Da Maravilha processes your personal data when you visit this site, check availability, and complete a booking, in accordance with Regulation (EU) 2016/679 (GDPR), Portuguese Law no. 58/2019 and Law no. 41/2004 on privacy in electronic communications.
Last updated: 2026-05-20
1. Data controller
The controller of personal data collected through this site is:
- Entity
- Casa Da Maravilha — [Nome do proprietário / Owner name]
- Address
- Horizon Ocean Gardens, 8125 Vilamoura, Portugal
- Tax ID (NIF)
- [NIF / VAT — a preencher]
- privacidade@casa-da-maravilha.pt
- AL Registration
- AL [n.º a preencher] — Registo Nacional de Turismo
Given the size and nature of the activity (a single short-term tourist rental unit), the controller is not required to appoint a Data Protection Officer (DPO) under article 37 of the GDPR. All data-protection requests should be addressed to the email above.
2. Categories of personal data processed
We process only the data strictly necessary for the purposes set out in section 3:
- Identification and contact data: first name, surname, email, phone number, preferred language.
- Booking data: arrival and departure dates, number of guests, special requests, messages exchanged.
- Billing data: address, tax identification number (NIF/VAT) when requested for invoicing.
- Data required by law for foreign guests: ID document, nationality, date of birth, check-in/out dates — reported to SEF/AIMA pursuant to Decree-Law no. 9/2007 and applicable short-term-rental legislation.
- Payment data: processed directly by the booking-management provider (RentalReady) and its payment processors; we do not store full card numbers on this site.
- Browsing data: IP address, device identifiers, pages visited, dates and times — collected through cookies and similar technologies as detailed in section 7.
3. Purposes and legal bases
Every processing operation relies on one of the legal bases listed in article 6 GDPR:
- Managing booking requests, communicating with the guest, check-in and stay — performance of a contract (art. 6(1)(b) GDPR).
- Compliance with tax obligations (invoicing and 10-year accounting retention under art. 52 of the Portuguese VAT Code) and mandatory reporting of foreign guests to SEF/AIMA — legal obligation (art. 6(1)(c) GDPR).
- Site security, fraud prevention and minimal internal statistics — legitimate interest (art. 6(1)(f) GDPR).
- Non-essential cookies (statistics, preferences, marketing) and any commercial communications — explicit consent (art. 6(1)(a) GDPR and art. 5 of Law no. 41/2004), given through the cookie banner and revocable at any time.
4. Recipients and processors
Your data is processed by the following recipients, all bound by a data-processing agreement under article 28 GDPR:
- RentalReady (Smartrental Group, S.L. / RentalReady Portugal) — booking management platform, guest communication and payment processing.
- Cybot A/S (Cookiebot, Denmark) — cookie consent management and the cookie declaration shown on this page.
- Google Ireland Limited — interactive Google Maps embed on the "Location" section. The map is only loaded after marketing cookies have been consented to.
- Web hosting provider — technical storage and page delivery.
- Portuguese Tax and Customs Authority — for compliance with tax obligations.
- SEF / AIMA — mandatory reporting of foreign guests under short-term-rental legislation.
We do not sell or rent personal data to third parties for marketing purposes.
5. International transfers
Some of our processors (notably Google and the hosting provider) may involve transfers of data outside the European Economic Area, especially to the United States. Such transfers take place on the basis of:
- The adequacy decision of the EU–U.S. Data Privacy Framework, where the processor is certified;
- Standard Contractual Clauses adopted by the European Commission (article 46 GDPR) in all other cases, supplemented by additional technical measures (encryption in transit and at rest).
6. Retention periods
- Booking data and guest communication: 5 years after the end of the stay, to defend against potential claims.
- Accounting documents and invoices: 10 years, as required by article 52 of the Portuguese VAT Code.
- Lodging reports (foreign guests): processed and submitted to SEF/AIMA within the legal deadlines; a copy is retained for 1 year.
- Consent-based marketing data: until consent is withdrawn or after 24 months without interaction.
- Cookies: see the retention period for each cookie in the declaration at the bottom of this page.
7. Your rights as a data subject
As a data subject, you are entitled to the following rights, which can be exercised free of charge with the data controller:
- Right of access to your personal data (art. 15 GDPR).
- Right to rectification of inaccurate or incomplete data (art. 16 GDPR).
- Right to erasure — the "right to be forgotten" (art. 17 GDPR), without prejudice to legal retention obligations.
- Right to restriction of processing (art. 18 GDPR).
- Right to data portability in a structured format (art. 20 GDPR).
- Right to object to processing based on legitimate interests (art. 21 GDPR).
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (art. 7(3) GDPR).
To exercise any of these rights, simply send a request to the email address listed in section 1. We will respond within 30 days at the latest.
You also have the right to lodge a complaint with the competent supervisory authority in Portugal: Comissão Nacional de Proteção de Dados (CNPD), Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, geral@cnpd.pt, www.cnpd.pt.
9. Minors
This site is not intended for children under 16. We do not knowingly collect personal data from minors without parental consent. If you become aware of such a situation, please contact us so the data can be deleted immediately.
10. Security measures
We adopt technical and organisational measures appropriate to protect personal data against destruction, loss, alteration, disclosure or unauthorised access — in particular: transmission exclusively over encrypted channels (HTTPS/TLS), restricted access to authorised personnel, access logs and regular backups.
11. Changes to this policy
This policy may be updated to reflect legal, technical or operational changes. The version in force is always available at this address, with the last-updated date shown at the top of the page. We recommend that you review it periodically.