Algarve Atlas

Privacy Policy

Last updated: 2026-04-19

This Policy explains what data we collect, why and how we use it, and how you can exercise your rights under the General Data Protection Regulation (GDPR).

1. Data Controller

The controller of your personal data is Algarve Atlas. For any privacy-related question, contact us at privacy@algarveatlas.com.

2. Data We Collect

We collect only the data strictly necessary to operate the service:

  • Account data: email, name (optional), password (stored hashed with bcrypt), profile type, and preferences.
  • Usage data: pages visited, features used, conversion events — only if you consent to analytics.
  • Favorites, saved trips, and AI chat history linked to your account.
  • Payment data: processed exclusively by Stripe. We never store card numbers. We only keep the Stripe customer ID and subscription status.
  • Email for newsletter and push notifications (VAPID) — only if you explicitly subscribe.

3. Purposes

We use data for: authentication, personalizing suggestions, managing subscriptions, sending notifications you've requested, aggregate analytics to improve the product, and complying with legal obligations.

4. Legal Basis

We process data on the basis of: contract performance (account and subscription), consent (analytics, push notifications, newsletter), legitimate interest (security and fraud prevention), and legal obligations (accounting, responses to authorities).

5. Sharing with Third Parties

We share only what's minimally necessary with sub-processors:

  • Stripe (US/EU) — payment processing. Subject to EU Standard Contractual Clauses.
  • OpenAI (US) — AI generation for Trip Planner and Chat. Only the message and necessary context; no identifiable data when avoidable.
  • Sentry (EU) — error tracking. We may send email/id to correlate errors.
  • PostHog (EU) — product analytics, with consent only.
  • MailerLite (EU) — newsletter delivery, only if subscribed.

6. Retention Period

We keep your data while your account is active. After you delete your account, data is erased within 30 days, except records we must keep by law (invoicing, 10 years).

7. Your Rights

You have the right of access, rectification, erasure, restriction of processing, portability, and objection. You can exercise them by emailing privacy@algarveatlas.com. You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD).

8. Security

We use HTTPS across all communications, passwords hashed with bcrypt, JWT tokens with expiration, and rate limiting. No system is 100% secure — in case of a serious breach, we will notify affected users within 72 hours as required by the GDPR.

9. Children

The service is not intended for users under 16. If you believe we've collected data from a minor without parental consent, contact us so we can remove it immediately.

10. Changes to this Policy

We may update this Policy. Substantial changes will be communicated by email. The last-updated date is shown at the top of the document.

11. Contact

For privacy questions, contact privacy@algarveatlas.com.