Privacy Policy
Last updated: 3 May 2026 Effective date: [Launch date]
This Privacy Policy explains how ALerta ("we", "us", "our") collects, uses, and protects your personal data when you use our service available at alerta.com.pt and accessible at my.alerta.com.pt (collectively, the "Service").
ALerta is operated by [Legal entity name], registered in Portugal at [address], NIF [tbd]. We are the data controller for the personal data described in this policy, except where stated otherwise.
For any questions, contact us at privacy@alerta.com.pt.
1. What data we collect
Data you give us directly
- Account information: name, email address, preferred language. We do not store passwords — sign-in is by Google OAuth or by emailed magic link.
- Property information: addresses, AL license numbers, RNAL numbers, NIPC, SIBA credentials (encrypted), insurance details, safety certificate details
- Booking information: guest names, booking dates, booking amounts, platform of origin, payment dates
- Guest information for SIBA submissions: as required by Portuguese law (full name, nationality, date of birth, identity document type and number, country of issue, country of residence, dates of stay)
- Cleaner and operations contacts (when you use our operations features): name, phone number, role
- Communications: any messages you send to our support team
Data collected automatically
- Usage data: pages visited, features used, timestamps
- Technical data: IP address, browser type, operating system, device type
- Cookies: strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies.
Data from third parties
- Google OAuth: if you sign in with Google, we receive your name, email address, and Google profile ID
2. Why we use your data and our legal basis
| Purpose | Legal basis |
|---|---|
| Provide and operate the Service | Contract (Art. 6(1)(b) GDPR) |
| Process SIBA submissions on your behalf | Legal obligation (Art. 6(1)(c)) — DL 76/2024 and SEF requirements |
| Calculate tax estimates and compliance scores | Contract |
| Send service emails (booking confirmations, SIBA receipts, alerts) | Contract |
| Retain financial records | Legal obligation — Portuguese tax law (10 years) |
| Operate a secure service (logs, abuse prevention) | Legitimate interest (Art. 6(1)(f)) |
| Coordinate cleaners and operations | Legitimate interest |
| Improve the Service | Legitimate interest, balanced against your rights |
We do not use your data for advertising, profiling, or automated decision-making with legal effects.
3. Who we share data with
We share data only with the following sub-processors, under written data processing agreements:
- Vercel — application hosting (EU region)
- Supabase — database and file storage (EU region)
- Resend — transactional email delivery
- Google — authentication (only if you choose Google sign-in)
- SEF / AIMA via SIBA — guest data submission, as required by law
A current list of sub-processors is available at /legal/subprocessors. We will notify you in advance of any new sub-processor.
We do not sell your data. We do not share data with advertisers.
4. International data transfers
Our primary infrastructure is hosted in the European Union. Where any sub-processor processes data outside the EU (for example, Google for authentication), the transfer is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or an equivalent safeguard.
5. How long we keep data
| Data type | Retention period |
|---|---|
| Account data | For the duration of your account, plus 30 days after deletion |
| Property and compliance data | Same as account data |
| Guest SIBA data | As required by SEF/AIMA recordkeeping rules |
| Booking and financial data | 10 years (Portuguese tax law) |
| Server logs | 30 days |
| Support communications | 2 years |
After the retention period, data is deleted or anonymised.
6. Your rights
Under GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten"), subject to our legal retention obligations
- Restrict how we process your data
- Receive your data in a portable format
- Object to processing based on legitimate interest
- Withdraw consent at any time (where consent is the legal basis)
- Lodge a complaint with the Portuguese supervisory authority, CNPD (cnpd.pt)
To exercise any of these rights, contact us at privacy@alerta.pt. We will respond within 30 days. We may ask you to verify your identity before acting on your request.
7. Security
We use the following security measures:
- TLS encryption for all data in transit
- Encryption at rest for stored data, including AES-256 encryption for SIBA credentials and other sensitive property fields (Wi-Fi password, lockbox code, alarm code)
- Passwordless authentication via Google OAuth and short-lived emailed magic links
- Role-based access controls
- Audit logging of sensitive operations
- Regular review of access permissions
- Secure development practices, including code review for changes affecting personal data
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify the CNPD within 72 hours and notify you directly if there is a high risk to your rights.
8. Hosts and guest data
If you are a host using ALerta to manage your properties, you are the primary data controller for your guests' personal data. ALerta acts as your data processor for the purpose of submitting guest information to SIBA.
This means that:
- Guests should direct requests about their data to you first
- You are responsible for informing your guests how their data is handled
- We will support you in responding to guest requests, and we will respond directly if you do not act on a request within 14 days
9. Children
ALerta is intended for use by adult Portuguese AL hosts. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
Data controller: [Legal entity name] Email: privacy@alerta.pt Postal address: [address], Portugal
Supervisory authority: Comissão Nacional de Proteção de Dados (CNPD) Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa www.cnpd.pt