Privacy Policy

Last Updated: April 4, 2026

Effective Date: April 4, 2026

1. Data Controller

Petra's Madeira Hideaway is the data controller for your personal information. We are committed to protecting your privacy and ensuring you have a positive experience on our website and in our booking process.

  • Business Name: Petra's Madeira Hideaway
  • Location: Santo Antonio da Serra, Madeira, Portugal
  • Contact Email: info@gomadeira.co
  • Website: https://gomadeira.co

2. What Information We Collect

We collect personal information only when you voluntarily provide it through our website. This includes:

2.1 Booking Inquiry Information

  • Full name
  • Email address
  • Phone number (optional)
  • Preferred accommodation and dates
  • Number of guests
  • Special requests or messages

2.2 Contact Form Information

  • Name and email address
  • Phone number (optional)
  • Message content

2.3 Automatic Information Collection

  • IP address (server logs)
  • Browser type and version
  • Access time and pages visited
  • Referring URL
  • Cookies (see Cookie Policy for details)

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data under the following legal bases:

3.1 Performance of Contract (Article 6(1)(b))

When you submit a booking inquiry, we process your data to:

  • Respond to your inquiry
  • Check availability
  • Confirm booking details
  • Process payment and reservation
  • Send booking confirmation and updates

3.2 Legitimate Interest (Article 6(1)(f))

We process some data based on our legitimate interests to:

  • Improve website functionality and user experience
  • Analyze website traffic and usage patterns
  • Prevent fraud and ensure security
  • Comply with legal obligations

3.3 Consent (Article 6(1)(a))

For non-essential purposes (like marketing emails), we only process data with your explicit consent, which you can withdraw at any time.

4. How We Use Your Information

  • Process Bookings: To respond to inquiries and confirm reservations
  • Communication: To send you updates about your booking, confirmation emails, and check-in instructions
  • Customer Service: To respond to questions and resolve issues
  • Service Improvement: To understand user preferences and enhance our services
  • Security: To detect and prevent fraudulent activity
  • Legal Compliance: To comply with applicable laws and regulations

5. Data Storage, Security & Encryption

5.1 Technical Security Measures

Your booking information is protected using industry-standard security measures:

  • Encryption: Booking data is encrypted using AES-256 encryption at rest
  • SSL/TLS: All data transmitted to our servers is encrypted in transit (HTTPS)
  • Secure Storage: Data is stored on secure servers with restricted access
  • Regular Backups: Data is regularly backed up and tested for recovery

5.2 Organizational Security Measures

  • Limited employee access to personal data (staff authorized for booking management only)
  • Password-protected admin interfaces
  • Regular security audits and updates
  • Incident response procedures

6. Data Retention Period

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Data Type | Retention Period | Reason
Booking inquiries (no booking made) | 3 months | Legitimate business interest
Confirmed bookings | 3 years after booking | Portuguese tax law (3-year record retention)
Contact form submissions | 6 months | Business communication archive
Server access logs | 90 days | Security and site maintenance
Marketing communications (with consent) | Until unsubscribe | Fulfilling marketing consent

After the retention period expires, your data is securely deleted or anonymized. If required by law (tax regulations, etc.), we may retain data longer.

7. Data Sharing with Third Parties

7.1 What We Don't Do

  • We do NOT sell your personal data
  • We do NOT trade or rent your personal data
  • We do NOT share data with marketing companies
  • We do NOT share data with advertising networks

7.2 Who We May Share Data With

We only share your data with the following parties when necessary:

Email Service Provider

  • Verpex Mail Server: To send booking confirmations, updates, and customer communications
  • Data Processing Agreement: In place to ensure GDPR compliance

Web Hosting Provider

  • Verpex Hosting: Your data is stored on their secure servers
  • Data Processing Agreement: In place to ensure GDPR compliance

Legal Requirements

  • We may disclose data if required by law (court orders, law enforcement, regulatory authorities)
  • We will notify you of such disclosure when legally permitted

Service Providers Under GDPR

All service providers we use are bound by Data Processing Agreements (DPAs) that ensure they:

  • Process data only as instructed
  • Maintain appropriate security measures
  • Do not share data with third parties without authorization
  • Comply with all GDPR requirements

8. International Data Transfers

Since your data is processed within the European Union (Portugal), it benefits from the standard protections under EU data protection law. We do not transfer your data to countries outside the EU/EEA.

9. Your Data Subject Rights (GDPR Articles 15-22)

Under GDPR, you have the following rights regarding your personal data:

9.1 Right of Access (Article 15)

You have the right to access your personal data. We will provide you with a copy of all personal data we hold about you within 30 days of your request.

How to request: Email us "Please provide all personal data you have about me" with your name and email address. Include your booking reference if applicable.

Response time: Within 30 days in readable format (PDF or document)

9.2 Right to Rectification (Article 16)

You have the right to correct inaccurate data. If your personal data is incomplete or inaccurate, you can request correction.

How to request: Email us "Please correct my email address to [new address]" or specify what information is inaccurate.

Response time: Within 30 days

9.3 Right to Erasure (Article 17 - "Right to be Forgotten")

You have the right to request deletion of your data in certain circumstances, such as:

  • Data is no longer necessary for its original purpose
  • You withdraw consent and we have no other legal basis
  • You object to processing for legitimate interests
  • Data was collected unlawfully

Note: We may retain data longer if required by law (tax regulations, accounting requirements).

How to request: Email us "Please delete my personal data" with your name and email address.

Response time: Within 30 days (we'll explain any data we must retain and why)

9.4 Right to Restrict Processing (Article 18)

You can request we restrict how we use your data while you challenge its accuracy or our legal basis for processing.

How to request: Email us with details of what you want restricted and why.

9.5 Right to Data Portability (Article 20)

You have the right to receive your data in a structured, commonly used format and to transmit it to another organization if you wish.

How to request: Email us "Please provide my data in machine-readable format" and specify CSV or JSON format.

Response time: Within 30 days

9.6 Right to Object (Article 21)

You can object to processing of your data based on legitimate interests or for marketing purposes.

How to request: Email us with your objection and explanation of why you're objecting.

Response time: Within 30 days (we'll explain if we have grounds to continue)

9.7 Rights Related to Automated Decision-Making (Article 22)

You have rights regarding decisions made solely by automated processes. We do not use automated decision-making for booking approvals.

9.8 How to Exercise Your Rights

To exercise any of these rights, please contact us with your request. Include your full name, email address, and a clear description of what you're requesting:

Email: info@gomadeira.co
Address: Santo Antonio da Serra, Madeira, Portugal

We will respond to your request within 30 days (or up to 90 days for complex requests). There is no fee for exercising your rights unless your request is manifestly unfounded or excessive.

10. Cookies and Tracking Technologies

For detailed information about our use of cookies, please see our Cookie Policy.

Summary: We use only essential cookies needed for website functionality. We do NOT use tracking cookies, analytics cookies, or advertising cookies without your explicit consent.

11. Children's Privacy

Our website is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without parental consent, we will delete it immediately.

12. Right to Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority:

You can also file a complaint with the data protection authority in your country of residence.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. Your continued use of our website after changes constitutes acceptance of the updated policy.

14. Contact Information

For privacy questions, concerns, or to exercise your rights, please contact us:

We aim to respond to all privacy inquiries within 7 business days.

15. Legal Compliance

This Privacy Policy complies with:

  • EU GDPR: Regulation (EU) 2016/679 - General Data Protection Regulation
  • Portuguese Law: Lei da Proteção de Dados Pessoais (LPDP) implementing GDPR in Portugal
  • Portuguese Tax Law: Lei Geral Tributária - 3-year record retention for booking records
  • ePrivacy Directive: Directive 2002/58/EC on electronic communications privacy

Quick Summary

We take your privacy seriously. In brief:

  • ✓ We only collect data you voluntarily provide
  • ✓ We encrypt sensitive booking data (AES-256)
  • ✓ We do NOT sell or trade your data
  • ✓ We use third parties only when necessary (email, hosting)
  • ✓ Data is retained only as long as needed
  • ✓ You have full GDPR rights to access, correct, or delete your data
  • ✓ You can contact us anytime with privacy questions