Privacy Policy

Last updated: 18 June 2026
Effective date: 29 May 2026

This Privacy Policy explains how ALerta ("we", "us", "our") collects, uses, and protects your personal data when you use our service available at alerta.com.pt and accessible at my.alerta.com.pt (collectively, the "Service").

ALerta is operated by Carlo Dangelo, trading as ALerta. We are the data controller for the personal data described in this policy, except where stated otherwise.

For any questions, contact us at privacy@alerta.com.pt.

Did we contact you before you signed up? If you received marketing outreach from us as a registered AL operator, see our separate Outreach Privacy Notice, which explains how we handle business contact details obtained from the public RNAL register (Article 14 GDPR).


1. What data we collect

Data you give us directly

  • Account information: name, email address, preferred language. We do not store passwords — sign-in is by Google OAuth or by emailed magic link.
  • Property information: addresses, AL license numbers, RNAL numbers, NIPC, SIBA credentials (encrypted), insurance details, safety certificate details
  • Booking information: guest names, booking dates, booking amounts, platform of origin, payment dates
  • Forwarded reservation emails (if you enable email-forward intake): the reservation confirmation emails you forward to your private ALerta address, and the reservation details we extract from them (guest name, dates, listing, amounts). The raw forwarded email is stored only briefly (see Section 5) and the parsed details become draft reservations for your review.
  • Guest information for SIBA submissions: as required by Portuguese law (full name, nationality, date of birth, identity document type and number, country of issue, country of residence, dates of stay)
  • Cleaner and operations contacts (when you use our operations features): name, phone number, role
  • Communications: any messages you send to our support team

Data collected automatically

  • Usage data: pages visited, features used, timestamps
  • Technical data: IP address, browser type, operating system, device type
  • Cookies: strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies.

Data from third parties

  • Google OAuth: if you sign in with Google, we receive your name, email address, and Google profile ID

2. Why we use your data and our legal basis

Purpose | Legal basis
Provide and operate the Service | Contract (Art. 6(1)(b) GDPR)
Process SIBA submissions on your behalf | Legal obligation (Art. 6(1)(c)) — DL 76/2024 and SEF requirements
Calculate tax estimates and compliance scores | Contract
Send service emails (booking confirmations, SIBA receipts, alerts) | Contract
Read forwarded reservation emails to draft reservations for your review (AI-assisted) | Contract
Retain financial records | Legal obligation — Portuguese tax law (10 years)
Operate a secure service (logs, abuse prevention) | Legitimate interest (Art. 6(1)(f))
Coordinate cleaners and operations | Legitimate interest
Improve the Service | Legitimate interest, balanced against your rights
Send marketing emails — product updates, AL compliance tips, and the ALerta blog (only if you opt in) | Consent (Art. 6(1)(a) GDPR)

We do not use your data for third-party advertising, profiling, or automated decision-making with legal effects. Marketing emails about ALerta itself are sent only if you opt in, and you can withdraw that consent at any time (see Section 6).


3. Who we share data with

We share data only with the following sub-processors, under written data processing agreements:

  • Vercel — application hosting (EU region)
  • Supabase — database and file storage (EU region)
  • Resend — transactional email delivery
  • Anthropic — AI parsing of forwarded reservation emails (extracts the reservation details); processes the email content transiently and does not use it to train models (only if you enable email-forward intake)
  • Google — authentication (only if you choose Google sign-in)
  • SEF / AIMA via SIBA — guest data submission, as required by law

A current list of sub-processors is available at /legal/subprocessors. We will notify you in advance of any new sub-processor.

We do not sell your data. We do not share data with advertisers.


4. International data transfers

Our primary infrastructure is hosted in the European Union. Where any sub-processor processes data outside the EU (for example, Google for authentication), the transfer is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or an equivalent safeguard.

ALerta's controller is based in the United States, while your personal data is stored in the European Union (Supabase, Frankfurt). Access to that EU-stored data from the United States is treated as an international transfer; the appropriate mechanism (EU–US Data Privacy Framework certification or Standard Contractual Clauses) is being confirmed.


5. How long we keep data

Data type | Retention period
Account data | For the duration of your account, plus 30 days after deletion
Property and compliance data | Same as account data
Guest SIBA data | As required by SEF/AIMA recordkeeping rules
Booking and financial data | 10 years (Portuguese tax law)
Forwarded email raw content | 30 days, then deleted (the parsed reservation data is kept as your booking and change history)
Server logs | 30 days
Support communications | 2 years

After the retention period, data is deleted or anonymised.


6. Your rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten"), subject to our legal retention obligations
  • Restrict how we process your data
  • Receive your data in a portable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (where consent is the legal basis)
  • Lodge a complaint with the Portuguese supervisory authority, CNPD (cnpd.pt)

Marketing emails: if you opted in, you can withdraw your consent at any time — use the unsubscribe link included in any marketing email, or your account settings. Withdrawing consent stops marketing emails only; service emails and your use of the Service are unaffected.

To exercise any of these rights, contact us at privacy@alerta.com.pt. We will respond within 30 days. We may ask you to verify your identity before acting on your request.


7. Security

We use the following security measures:

  • TLS encryption for all data in transit
  • Encryption at rest for stored data, including AES-256 encryption for SIBA credentials and other sensitive property fields (Wi-Fi password, lockbox code, alarm code)
  • Passwordless authentication via Google OAuth and short-lived emailed magic links
  • Role-based access controls
  • Audit logging of sensitive operations
  • Regular review of access permissions
  • Secure development practices, including code review for changes affecting personal data

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify the CNPD within 72 hours and notify you directly if there is a high risk to your rights.


8. Hosts and guest data

If you are a host using ALerta to manage your properties, you are the primary data controller for your guests' personal data. ALerta acts as your data processor for the purpose of submitting guest information to SIBA. This processing is governed by our Data Processing Agreement (Article 28 GDPR).

This means that:

  • Guests should direct requests about their data to you first
  • You are responsible for informing your guests how their data is handled
  • We will support you in responding to guest requests, and we will respond directly if you do not act on a request within 14 days

9. Children

ALerta is intended for use by adult Portuguese AL hosts. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.


10. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.


11. Contact

Data controller: Carlo Dangelo, trading as ALerta
Email: privacy@alerta.com.pt
EU representative (Art. 27): Our representative in the EU, appointed under Article 27 GDPR, is Prighter EU Rep GmbH (part of the Prighter Group). To exercise your rights as a data subject, or to contact our representative on any data-protection matter, please visit: https://app.prighter.com/portal/18427641667


Supervisory authority: Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa
www.cnpd.pt