Privacy Policy

Last updated: May 13, 2025

Introduction and Scope
Data Controller
Categories of Personal Data Processed
How We Collect Your Data
Purposes of Processing
Legal Basis for Processing
Sharing and Disclosure of Personal Data
Retention of Personal Data
Data Storage and Security
User Rights
Cookie Policy
Acceptance and Consent
Subcontracting
Hyperlinks to Websites
Changes to the Privacy Policy
Complaints
Contact of the Data Controller

1. Introduction and Scope

Quinta de Calvelos is committed to protecting your privacy and your personal data. This Privacy Policy explains how we collect, use, share, and protect the information we obtain about you when you use our website and our services, in compliance with the General Data Protection Regulation (GDPR) and Law No. 58/2019 of August 8 (Portuguese Personal Data Protection Law).

Scope of the Privacy Policy

This Privacy Policy applies to:

All visits and uses of the website www.quintadecalvelos.pt;
Information provided through contact forms on our website;
Reservations and information requests made through our website or by other means;
Communications by email, phone, or other means between you and Quinta de Calvelos;
Use of our accommodation and rural tourism services.

This policy does not apply to third-party websites that can be accessed through links on our website, so we recommend reading the privacy policies of those websites.

2. Data Controller

Quinta de Calvelos
Lugar de Calvelos, Caniçada
4850-047 Vieira do Minho
Portugal

Contact: quintadecalvelos@hotmail.com
Phone: +351 919 502 538
WhatsApp: +351 919 502 538

Last updated: May 13, 2025

3. Categories of Personal Data Processed

Quinta de Calvelos collects and processes different categories of personal data, depending on the nature of your interaction with us. These categories include:

3.1. Data collected directly

Identification data: full name, date of birth, nationality, tax identification number (when necessary for billing).
Contact data: email address, phone number, postal address.
Booking data: stay dates, accommodation preferences, number of guests, special requirements.
Payment data: credit/debit card information (when applicable), billing data.

3.2. Data collected automatically

Website usage data: IP address, browser type, pages visited, visit time, operating system, referrals.
Cookie data: information stored in cookies as described in our Cookie Policy.

4. Purposes of Processing

We process your personal data for the following purposes:

4.1. Booking and stay management

Processing and confirming bookings.
Facilitating check-in and check-out.
Personalizing your stay according to your preferences and needs.
Communicating with you before, during, and after your stay.
Processing payments and issuing invoices.

4.2. Marketing and communication

Sending newsletters and promotional emails.
Conducting surveys and gathering feedback.
Improving our services and website.

5. Legal Basis for Processing

The processing of your personal data is carried out on the following legal bases:

5.1. Performance of a contract

The processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract (for example, when you make a booking or request information about our services).

5.2. Compliance with legal obligations

The processing is necessary for compliance with legal obligations to which we are subject (for example, tax obligations or guest registration requirements).

5.3. Legitimate interests

The processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (for example, to improve our services, prevent fraud, or ensure the security of our facilities).

5.4. Consent

You have given consent to the processing of your personal data for one or more specific purposes (for example, for sending marketing communications).

6. Data Retention Period

We retain your personal data only for as long as necessary to fulfill the purposes for which they were collected, including to satisfy any legal, accounting, or reporting requirements.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, as well as the applicable legal requirements.

In particular, we retain your personal data for the following periods:

Booking and stay data: up to 5 years after the last stay or interaction, for customer management purposes and compliance with legal obligations.
Billing data: up to 10 years, as required by tax and accounting legislation.
Data for marketing purposes: until you request to unsubscribe or withdraw your consent.
Website usage data: up to 2 years for website analysis and improvement purposes.

7. Rights of Data Subjects

As a data subject, you have the following rights regarding your personal data:

7.1. Right of access

You have the right to obtain confirmation as to whether your personal data are being processed and, if so, the right to access your personal data and information relating to their processing.

7.2. Right to rectification

You have the right to obtain, without undue delay, the rectification of inaccurate personal data. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

7.3. Right to erasure ("right to be forgotten")

You have the right to obtain the erasure of your personal data without undue delay where one of the following grounds applies:

The personal data are no longer necessary in relation to the purposes for which they were collected or processed;
You withdraw consent on which the processing is based and there is no other legal ground for the processing;
You object to the processing and there are no overriding legitimate grounds for the processing;
The personal data have been unlawfully processed;
The personal data have to be erased for compliance with a legal obligation.

7.4. Right to restriction of processing

You have the right to obtain restriction of processing of your personal data where one of the following applies:

You contest the accuracy of the personal data, for a period enabling us to verify the accuracy;
The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
We no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;
You have objected to processing, pending the verification whether our legitimate grounds override yours.

7.5. Right to data portability

You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us.

7.6. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling. In this case, we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

8. Cookie Policy

Cookies are small text files that are stored on your device by your web browser. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

8.1. What cookies do we use?

We use cookies to improve your experience on our website. We use essential cookies to enable you to navigate the website and use its features, such as accessing secure areas of the website.

8.2. Types of cookies we use

We use the following types of cookies on our website:

Essential/necessary cookies: They are indispensable for the basic functioning of the website. They allow you to navigate the website and use its features.
Preference cookies: They allow the website to remember information that changes the way the website behaves or appears, such as your preferred language or the region you are in.
Statistical/analytical cookies: They help us understand how visitors interact with the website by collecting and reporting information anonymously.
Marketing cookies: They are used to track visitors across websites. The intention is to display ads that are relevant and engaging to the individual user.

8.3. Cookie control

Most web browsers allow some control of most cookies through browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.

You can choose to disable cookies in your browser settings. However, note that if you disable cookies, you may not be able to access certain areas of our website or some features may not work properly.

9. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

These measures include, among others:

Encryption of sensitive data;
Role-based access control;
Backup and recovery procedures;
Regular security assessments;
Staff training on data protection.

Despite the security measures implemented, no security system is impenetrable. We cannot guarantee the absolute security of data transmitted or stored in our systems. In the event of a personal data breach that results in a risk to your rights and freedoms, we will notify the competent supervisory authority and, when required by law, inform the affected data subjects.

10. International Data Transfers

Your personal data may be transferred and processed in countries outside the European Economic Area (EEA), which may not offer the same level of data protection as Portugal.

When we transfer your personal data outside the EEA, we ensure an adequate level of protection, ensuring that at least one of the following safeguards is implemented:

Transfer to countries that have been recognized by the European Commission as providing an adequate level of data protection;
Use of specific contractual clauses approved by the European Commission;
Implementation of binding corporate rules, when applicable.

For more information about international data transfers and the safeguards applied, please contact us through the means indicated in the Contact of the Data Controller section.

11. Sharing Data with Third Parties

We may share your personal data with third parties in the following circumstances:

11.1. Service providers

We may share your personal data with service providers who help us operate our business and provide our services, such as:

Web hosting and website maintenance service providers;
Email and communication service providers;
Payment service providers;
Analysis and marketing service providers;
Professional consultants (such as lawyers, accountants, auditors).

These service providers have access only to the personal data necessary to perform their functions and cannot use them for other purposes. We contractually require them to process personal data in accordance with applicable data protection laws.

11.2. Legal requirements

We may disclose your personal data if we are required to do so by law, regulation, court order, request from any governmental or regulatory authority, or if such disclosure is necessary to protect our rights, the safety of our customers or others.

11.3. Business reorganization

In the event of a merger, acquisition, or sale of all or part of our assets, your personal data may be transferred as part of that transaction. We will notify you about any change in ownership or use of your personal data, as well as the options you may have regarding your personal data.

12. Protection of Minors' Data

Our website and services are not directed at children under 16 years of age and we do not knowingly collect personal data from children under 16 years of age without parental or guardian consent.

If we become aware that we have collected personal data from a child under 16 years of age without verification of parental consent, we will take steps to remove that data from our servers.

If you believe we may have inadvertently collected information from a child under 16 years of age, please contact us through the means indicated in the Contact of the Data Controller section.

13. Marketing Communications

We may send you marketing communications about our products and services, promotions, and events that may be of interest to you, but only if you have given your consent to receive such communications.

You can choose to stop receiving marketing communications at any time by following the unsubscribe instructions included in our marketing communications or by contacting us through the means indicated in the Contact of the Data Controller section.

Note that, even if you opt out of receiving marketing communications, we may continue to send you service-related communications, such as booking confirmations and important information about your stay.

14. Hyperlinks to Websites

Our website may contain hyperlinks (links) to other websites that are not operated or controlled by us. This policy does not apply to third-party websites that can be accessed through links on our website, so we recommend that you read the privacy policies of those websites.

We are not responsible for the privacy practices or content of these third-party websites. The inclusion of hyperlinks to these websites does not imply our approval or endorsement of their content or privacy practices.

Examples of hyperlinks to third-party websites on our website include:

Links to social networks such as Facebook, Instagram, etc.
Links to online booking platforms.
Links to websites of local tourist attractions or other services that may be of interest to our guests.

We recommend that you check the privacy policies of these websites before providing any personal data.

15. Changes to the Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our privacy practices, legislative changes, or other factors. We recommend that you regularly check this page to stay informed about any changes.

Significant changes to this Privacy Policy will be notified through a prominent notice on our website or, when appropriate and possible, by email. The date of the last update of this policy is indicated at the beginning and end of this document.

By continuing to use our website and our services after the publication of changes to this Privacy Policy, you are accepting these changes. If you do not agree with the changes, you should stop using our website and our services.

16. Complaints

If you have any complaint related to the processing of your personal data, please contact us first through the means indicated in the Contact of the Data Controller section. We will do our best to resolve your complaint quickly and satisfactorily.

If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection supervisory authority. In Portugal, the supervisory authority is the National Data Protection Commission (CNPD):

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134, 1.º
1200-651 Lisboa
Portugal

Phone: +351 213 928 400
Email: geral@cnpd.pt
Website: www.cnpd.pt

17. Contact of the Data Controller

If you have any questions about this Privacy Policy or about the processing of your personal data, or if you wish to exercise any of your rights as a data subject, please contact us through the following means: