Privacy Policy

1) Data Controller (who is responsible)

2) What this policy covers

This policy covers personal data processed:

• when you browse our website,
• when you contact us (e.g., via forms/email/phone),
• when you book through third-party booking platforms linked from our website (e.g., Airbnb links shown on our site). (Crossdeira)

It also covers data we process to operate your stay (guest communications, concierge services, and legal compliance).

3) Where your data comes from

We obtain personal data from:

1. You (website forms, email, phone, messages).
2. Booking platforms (where you book via Airbnb or other booking sites)—they share booking details needed to manage the stay. (Crossdeira)
3. Automatic collection on the website (technical logs and analytics cookies—see Section 10).

4) What personal data we process

Depending on your interaction, we may process:

A. Enquiries and communication

• Name, email, phone number
• Message content and correspondence
• Dates / interests you share (e.g., preferred stay dates)

B. Bookings and guest management

• Booking reference, dates, number of guests, communication history
• Guest names and stay-related preferences (e.g., arrival times)

C. Concierge / experience requests

Information required to arrange services you request (e.g., private chef, tours, training sessions), potentially including preferences and dietary requirements (see Section 5 on sensitive data).

D. Website technical data

IP address, device/browser details, pages visited, timestamp, referral URL, and similar usage metrics.

Payments: We do not process card payments on our website. Payments are handled via the booking platforms you use (Section 7).

5) Special category data (sensitive data)

We do not request sensitive data (health data, etc.). If you voluntarily provide sensitive details (e.g., health-related accessibility or dietary needs), we will only use them to deliver the requested service and protect guests' interests, and we will minimise access and retention.

6) Why we process data and our legal bases (GDPR Art. 6)

We process personal data only where a lawful basis applies:

1. To respond to enquiries and manage pre-booking communications
   Legal basis: legitimate interests (Art. 6(1)(f)) and/or steps prior to contract (Art. 6(1)(b)).
2. To manage bookings and provide accommodation services (check-in/out coordination, guest support, concierge arrangements you request)
   Legal basis: performance of a contract (Art. 6(1)(b)).
3. To comply with legal obligations applicable to accommodation providers (including reporting obligations concerning foreign guests, where applicable)
   Legal basis: legal obligation (Art. 6(1)(c)). SIBA is described as a system supporting the legally required communication of accommodation of foreigners. (siba.ssi.gov.pt)
4. To protect our website, prevent fraud/abuse, and maintain security logs
   Legal basis: legitimate interests (Art. 6(1)(f)).
5. To measure and improve our website using analytics cookies
   Legal basis: consent (Art. 6(1)(a)) where required for non-essential cookies (see Section 10).

7) Sharing data (recipients) and booking platforms

We share personal data only when necessary, with appropriate safeguards:

A. Booking platforms (separate controllers)

If you book via a third-party booking site (e.g., Airbnb), that platform processes your personal data under its own privacy policy and acts as an independent controller for its platform operations. We receive the booking details necessary to manage your stay. (Crossdeira)

B. Service providers acting on our instructions (processors)

• Website hosting / IT support / security providers
• Email and communications tools
• On-island operational support (e.g., cleaning, maintenance) strictly on a need-to-know basis
• Concierge partners you request (e.g., chefs, guides, trainers) only to fulfil your request

C. Professional advisors and authorities

• Accountants, auditors, legal counsel (confidentiality obligations)
• Competent authorities where required by law (see Section 8)

We do not sell personal data.

8) Legal compliance: reporting of foreign guests (Portugal – SIBA)

Where applicable, Portuguese accommodation providers have legal obligations connected to the communication of accommodation of foreign guests, supported by the SIBA system. (siba.ssi.gov.pt)

Data typically involved (depending on legal requirements and guest status):

• Full name, nationality, date of birth
• Identification document details (type/number, issuing country)
• Country of residence
• Check-in / check-out dates

Legal basis: legal obligation (GDPR Art. 6(1)(c)). (siba.ssi.gov.pt)

9) Data retention (how long we keep data)

We retain personal data only as long as necessary for the purposes described, then delete or anonymise it.

Typical retention periods:

• Enquiries (no booking): up to 24 months after last contact.
• Bookings / guest communications: typically up to 5 years after the stay (to handle disputes and legal claims).
• Accounting and tax records (invoices, supporting documents): generally 10 years, consistent with Portuguese requirements for keeping books/records and supporting documents. (diariodarepublica.pt)
• Security/technical logs: typically 6–12 months, unless needed for incident investigation.

Where litigation, regulatory enquiries, or enforcement actions are reasonably anticipated, we may retain relevant data longer to establish, exercise, or defend legal claims.

10) Cookies and analytics

We use:

• Strictly necessary cookies (security and core website functionality)
• Analytics cookies to understand website usage and improve performance

Analytics cookies are not essential. Where required, we will only set analytics cookies after you consent via our cookie banner/preferences tool.

What analytics may collect (examples):

• Pages visited, clicks, session duration, approximate region, device/browser info
• IP address may be collected by your browser/network but we aim to minimise data and use privacy-friendly settings where available.

Cookie details: The specific cookies, providers, and lifetimes are shown in our cookie banner / preferences interface (which should remain accessible from the site footer).

11) International transfers

Some service providers (including analytics or hosting providers) may process data outside the EEA. Where this occurs, we rely on appropriate safeguards such as adequacy decisions or Standard Contractual Clauses (SCCs), plus supplementary measures where required.

12) Your rights (GDPR)

Subject to legal conditions and exemptions, you can request:

• Access to your data
• Rectification
• Erasure
• Restriction
• Data portability (where applicable)
• Objection (especially to processing based on legitimate interests)
• Withdrawal of consent (for consent-based processing, including analytics cookies)

How to exercise rights: email hello@crossdeira.com. (Crossdeira)

We may request verification to prevent unauthorised access.

Right to lodge a complaint: You may complain to Portugal's supervisory authority, the CNPD (Comissão Nacional de Proteção de Dados). (Comissão Nacional de Proteção de Dados)

13) Security

We implement reasonable technical and organisational measures to protect personal data, including access controls, least-privilege access, and operational security measures. No system is perfectly secure, but we work to reduce risk and respond to incidents appropriately.

14) Third-party links (Airbnb, Google, social media)

Our website includes links to third-party platforms (e.g., Airbnb booking links and Google review links). When you click those links, the third parties process your data under their own policies and terms. (Crossdeira)

15) Children

Our accommodation services are intended for adults. We do not knowingly collect personal data from children without appropriate parental authorisation where required.

16) Updates to this policy

We may update this Privacy Policy from time to time. The "Last updated" date indicates when changes were made. Material changes will be posted on the website.