Privacy Policy

The data controller responsible for your personal data is the operator of the Azores Guest Guide platform:

RAFM Investimentos, Lda.

Registered address: Rua Isabel Gusmão, Nº 4, Livramento, 9500-778 Ponta Delgada, Azores, Portugal

NIF (Tax Identification Number): 517992892

Email: hello@azoresguestguide.com

For all data protection enquiries, including requests to exercise your rights, please contact us at hello@azoresguestguide.com. We aim to respond within 30 days.

We collect personal data only to the extent necessary to provide our service. The categories of data we process are:

• Account data: full name, email address, phone number (optional), and password (stored as a one-way hash — we cannot read your password).

• Property data: property name, address, descriptions, amenities, house rules, and any images or content you upload to create guest guides.

• Guest access tokens: secure, time-limited tokens generated when you share a guest guide link. We store the token, its expiry date, and a label. We do not collect personal data about your guests — your guests access guides without creating accounts.

• Technical and usage data: IP address, browser type, pages visited, and timestamps of platform interactions, collected automatically for security and service improvement purposes.

• Communications: emails we send you (account confirmation, password reset, announcements) and any messages you send to our support team.

We do not collect payment card data directly. If and when paid plans are activated, payment processing is handled entirely by our third-party payment processor.

We process your personal data only when we have a valid legal basis to do so:

• Contract performance (Art. 6(1)(b)): processing your account data, property data, and guest tokens is necessary to deliver the services you signed up for. Without this data, we cannot provide the Platform.

• Legitimate interests (Art. 6(1)(f)): we process technical and usage data (IP addresses, access logs, aggregate analytics) to protect the security and integrity of the Platform and to improve our service. We have balanced these interests against your rights and concluded they do not override your fundamental privacy interests.

• Legal obligation (Art. 6(1)(c)): where Portuguese or EU law requires us to retain or disclose certain data (for example, for tax or accounting purposes), we will process data to fulfil those obligations.

We do not use consent as a legal basis for processing, except for optional marketing communications (if introduced in the future, a clear opt-in will be provided).

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you.

We use your data exclusively for the following purposes:

• To create and manage your account and provide access to the Platform;

• To store and serve the property guides you create;

• To generate and validate secure guest-access links;

• To send you transactional emails (password resets, account confirmations, important service announcements);

• To detect, investigate, and prevent security incidents, fraud, and abuse;

• To analyse aggregate, anonymised usage patterns to improve the Platform;

• To comply with applicable legal obligations.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

We keep your data for as long as necessary for the purposes described in this Policy:

• Account data (name, email, phone): retained for the duration of your active account, plus 3 years after account closure to comply with legal and contractual obligations.

• Password hash: deleted immediately upon account deletion.

• Property data and uploaded content: retained for the duration of your account. After account closure, data is available for export for 30 days, then permanently deleted.

• Guest access tokens: deleted automatically when they expire, or within 30 days of your account closure.

• Technical logs (IP addresses, access records): retained for 90 days for security purposes, then deleted.

• Aggregate, anonymised usage analytics: retained for up to 12 months; as anonymised data it is no longer personal data.

• Support correspondence: retained for 2 years after the conversation is closed.

After the applicable retention period, data is securely deleted or irreversibly anonymised.

We share your data only with trusted third-party service providers ("sub-processors") who process data on our behalf under written data processing agreements. These are:

• Vercel Inc. (United States) — cloud hosting and infrastructure. All data served by the Platform transits Vercel's servers.

• Supabase Inc. (United States / EU) — managed PostgreSQL database. All stored data resides in Supabase.

• Google LLC (United States) — Google Maps API for map display within property guides. Property location data (approximate) may be sent to Google.

• OpenWeatherMap (Openweather Ltd, UK) — weather forecast data. No personal data is sent.

• Resend Inc. (United States) — transactional email delivery. Your email address is shared when we send you emails.

• Payment processor (to be confirmed) — if and when paid plans are activated, payment card data is processed by our payment provider. We do not receive or store full card numbers.

We do not share your data with any other third parties except where required by law (for example, in response to a lawful court order or regulatory request).

Some of our sub-processors are based in the United States, which is outside the European Economic Area (EEA). Transfers of personal data to these providers are safeguarded by:

• Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c), which contractually bind the recipient to EU-equivalent data protection standards.

• Where applicable, the EU–US Data Privacy Framework (DPF) adequacy decision.

You can obtain further information about these safeguards by contacting us at hello@azoresguestguide.com.

We use cookies and similar storage mechanisms solely to operate the Platform:

• Authentication cookie: a single HttpOnly, Secure session cookie containing a signed JSON Web Token (JWT). This cookie is strictly necessary to keep you logged in. It cannot be read by JavaScript and is transmitted only over HTTPS. No consent is required for this cookie under GDPR because it is essential to provide the service you requested.

• We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

• We do not use browser fingerprinting or similar tracking techniques.

Because we only set strictly necessary cookies, no cookie consent banner is required or displayed. If this changes in the future, we will update this Policy and implement appropriate consent mechanisms.

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction:

• All data is transmitted over encrypted HTTPS connections (TLS 1.2+).

• Authentication tokens are signed and stored in HttpOnly cookies, inaccessible to client-side scripts.

• Passwords are stored as one-way cryptographic hashes (bcrypt); plaintext passwords are never stored.

• Access to the database and production infrastructure is restricted to authorised personnel.

• The Platform is hosted on Vercel's enterprise-grade infrastructure with built-in DDoS protection.

Despite these measures, no system is completely secure. If you believe your account has been compromised, please contact us immediately at hello@azoresguestguide.com.

Under GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): you may request a copy of the personal data we hold about you.

• Right to rectification (Art. 16): you may ask us to correct inaccurate or incomplete data.

• Right to erasure / "right to be forgotten" (Art. 17): you may ask us to delete your personal data where there is no compelling reason to continue processing it.

• Right to restriction of processing (Art. 18): you may ask us to suspend processing of your data in certain circumstances.

• Right to data portability (Art. 20): you may request your data in a structured, machine-readable format (e.g., JSON or CSV) so you can transfer it to another provider.

• Right to object (Art. 21): you may object to processing based on our legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.

• Rights related to automated decision-making (Art. 22): we do not carry out automated decision-making or profiling, so this right does not currently apply.

To exercise any of these rights, email us at hello@azoresguestguide.com. We will respond within 30 days. If we are unable to accommodate your request, we will explain why. These rights are free of charge.

The Platform is intended for use by adults (aged 18 and over) operating short-term rental properties. We do not knowingly collect personal data from children under the age of 16.

If you believe we have inadvertently collected data from a child, please contact us at hello@azoresguestguide.com and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

For material changes, we will provide at least 30 days' advance notice by email to the address associated with your account and/or by a prominent notice within the Platform.

The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this Policy periodically.

Continued use of the Platform after a change becomes effective constitutes your acceptance of the revised Policy.

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:

Email: hello@azoresguestguide.com

Postal address: RAFM Investimentos, Lda., Rua Isabel Gusmão, Nº 4, Livramento, 9500-778 Ponta Delgada, Azores, Portugal

─

If you are not satisfied with our response, you have the right to lodge a complaint with the competent supervisory authority:

CNPD — Comissão Nacional de Proteção de Dados

Website: www.cnpd.pt

Address: Rua de São Bento, 148–3.º, 1200-821 Lisboa, Portugal

Phone: +351 213 928 400

Email: geral@cnpd.pt