1. Introduction & Data Controller
This Privacy Policy explains how Livin Stays Algarve ("we", "us", "our") collects, uses, and protects your personal data when you use our website livinstaysalgarve.com and its subdomains.
Data Controller:
Helder & Rufino, Lda.
Email: info@livinstaysalgarve.com
We operate this website and manage bookings on behalf of multiple property owners:
- Helder & Rufino, Lda. (Quinta da Capelinha)
- Nelson Manuel Martins Rufino (Villa Miramar)
- Rodrigo Manuel Rufino, Lda. (other properties)
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and Portuguese data protection laws.
2. Data We Collect
We collect the following categories of personal data:
Booking Data:
- Full name (first and last)
- Email address
- Phone number
- Country of residence
- Check-in and check-out dates
- Number of guests and guest ages
- Special requests or notes
- Terms & Conditions and Privacy Policy acceptance (with timestamp)
Contact Form Data:
- Name
- Email address
- Message content
- Area of interest
Technical Data:
- IP address
- Browser type and version
- Device information
- User agent
Payment Data:
- Payment transactions are processed securely by Stripe. We do not store your credit card numbers on our servers.
Analytics Data (with your consent):
- Pages visited
- Time spent on pages
- Interactions with website elements
3. How We Use Your Data
We process your personal data for the following purposes:
Contract Performance (Art. 6(1)(b) GDPR):
- Processing and confirming your booking
- Communicating about your reservation (confirmations, reminders, check-in instructions)
- Managing your stay and providing guest services
- Processing payments and refunds
Legitimate Interest (Art. 6(1)(f) GDPR):
- Responding to your inquiries via contact form
- Preventing fraud and ensuring website security
- Improving our services and website functionality
Legal Obligation (Art. 6(1)(c) GDPR):
- Maintaining records for tax and accounting purposes (Portuguese law)
- Complying with legal requests from authorities
Consent (Art. 6(1)(a) GDPR):
- Sending marketing communications (newsletters, offers) - only with your explicit opt-in
- Website analytics and performance tracking
4. Third-Party Data Sharing
We share your data with the following trusted service providers:
| Service | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | USA | EU-US Data Privacy Framework, Standard Contractual Clauses |
| Resend | Email delivery (confirmations, notifications) | USA | Data Processing Agreement, Standard Contractual Clauses |
| Avaibook | Property management and channel manager | Spain (EU) | GDPR compliant, within EEA |
| Google Analytics 4 | Website analytics | USA | Consent-based, IP anonymization, EU-US Data Privacy Framework |
| Google Maps | Property location display | USA | Limited data exposure (no personal data shared) |
We do not sell your personal data to third parties. Data is only shared as necessary to provide our services or comply with legal obligations.
5. Cookies & Tracking
Our website uses the following types of cookies:
Strictly Necessary Cookies (no consent required):
- Session management
- CSRF protection tokens
- Language preferences
Analytics Cookies (consent required):
- Google Analytics 4 cookies for traffic analysis
- Duration: up to 2 years
- Purpose: understanding how visitors use our website
You can manage your cookie preferences through our cookie consent banner. You can withdraw consent at any time by clearing your browser cookies and revisiting our website.
How to disable cookies:
- Most browsers allow you to refuse cookies through settings
- Note that disabling essential cookies may affect website functionality
6. Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Booking and financial records | 5 years | Portuguese tax and accounting requirements |
| Contact form inquiries | 2 years | Until resolved or no longer needed |
| Marketing consent records | Until withdrawal + 3 years | Proof of consent compliance |
| Analytics data | 26 months | Google Analytics 4 default setting |
| Technical logs | 90 days | Security and troubleshooting |
After the retention period expires, your data is securely deleted or anonymized.
7. Your Rights (GDPR Articles 15-22)
Under the GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15): You can request a copy of all personal data we hold about you.
Right to Rectification (Art. 16): You can request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17): You can request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
Right to Restrict Processing (Art. 18): You can request limitation of how we process your data.
Right to Data Portability (Art. 20): You can request your data in a structured, machine-readable format.
Right to Object (Art. 21): You can object to processing based on legitimate interests, including direct marketing.
Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint: You have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD - Comissão Nacional de Proteção de Dados) at www.cnpd.pt.
To exercise your rights:
Email us at: info@livinstaysalgarve.com
Response time: Within 30 days (may be extended to 90 days for complex requests)
8. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States.
When transferring data outside the EEA, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework: For certified US companies
- Standard Contractual Clauses (SCCs): Approved by the European Commission
- Adequacy Decisions: Where applicable
These safeguards ensure your data receives protection equivalent to that within the EU.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: All data is transmitted over HTTPS/TLS
- CSRF Protection: Cross-site request forgery prevention
- Rate Limiting: Protection against automated attacks
- Input Validation: Sanitization of all user inputs
- Secure Payments: PCI DSS compliant payment processing via Stripe
- Access Controls: Limited access to personal data on a need-to-know basis
- Regular Reviews: Periodic security assessments
While we take all reasonable precautions, no method of transmission over the Internet is 100% secure.
10. Children's Privacy
Our services are not directed at children under 18 years of age. The minimum age to make a booking is 18 years.
We do not knowingly collect personal data from children under 18. If you believe we have inadvertently collected such data, please contact us immediately at info@livinstaysalgarve.com, and we will take steps to delete it.
11. Marketing Communications
We only send marketing communications (newsletters, promotional offers, discount codes) to users who have explicitly opted in.
Your choices:
- You can unsubscribe at any time using the link in our emails
- You can contact us at info@livinstaysalgarve.com to opt out
- Opting out of marketing does not affect transactional emails (booking confirmations, etc.)
We never share your email address with third parties for their marketing purposes.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
How we notify you:
- Material changes will be communicated via email to registered users
- The "Last updated" date at the top will be revised
- Previous versions are available upon request
We encourage you to review this policy periodically.
13. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Data Controller:
Helder & Rufino, Lda.
Email: info@livinstaysalgarve.com
Supervisory Authority:
CNPD - Comissão Nacional de Proteção de Dados
Website: www.cnpd.pt