1 · Introduction

Nova Quinta dos Machados – Turismo Rural, S.A. (trading as DOMA Portugal) ("DOMA", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard your personal data when you visit https://doma.pt or any related media (collectively, the “Site”).

If you disagree with any part of this Policy, please discontinue use of the Site. We may modify this Policy at any time; the “Last updated” date above will be amended accordingly.

2 · Who is responsible for your data?

• Data controller: Nova Quinta dos Machados – Turismo Rural, S.A. (NIF 503 480 487)
• Registered address: Quinta dos Machados – Barras, 2665‑153 Gradil, Mafra, Portugal
• E‑mail (privacy enquiries & data‑subject requests): tech@doma.pt
• Data Protection Officer (DPO): reachable at the same e‑mail address
• Supervisory authority: Comissão Nacional de Proteção de Dados (CNPD) – www.cnpd.pt (you have the right to lodge a complaint with CNPD).

3 · Personal data we process

• Identification & contact data such as name, postal address, e‑mail and phone, provided by you through booking or forms.
• Booking & billing data including reservation details, invoice data and masked card tokens, generated during the hotel‑booking flow in the MEWS engine.
• Membership data such as profession, date of birth and answers in the membership application, supplied by you.
• Usage data such as anonymised IP address, browser/OS details, pages viewed, clicks and referring URL, collected automatically via cookies and analytics.
• Marketing preferences such as newsletter opt‑in status and your cookie‑consent string.

We do not knowingly process data of children under 13 years. If we discover such data, we erase it promptly.

4 · Why and on what legal basis do we process your data?

• Handle hotel bookings – Contract performance (GDPR art. 6 (1)(b)).
• Process membership applications and accounts – Contract performance (art. 6 (1)(b)).
• Customer support and operational messages – Contract performance (art. 6 (1)(b)) and, where applicable, Legal obligation (art. 6 (1)(c)).
• Site analytics and optimisation – Consent for EU visitors (art. 6 (1)(a)); Legitimate interest for all other regions (art. 6 (1)(f)).
• Direct marketing e‑mails and marketing cookies – Consent (art. 6 (1)(a)).
• Fraud prevention and security logging – Legitimate interest (art. 6 (1)(f)).
• Accounting and tax compliance – Legal obligation (art. 6 (1)(c)).

Where processing relies on consent, you may withdraw it at any time via the “Cookie Settings” banner or by contacting us.

5 · Cookies and similar technologies

We use cookies to operate the Site, remember preferences and analyse traffic. Cookie categories and regional defaults (EU vs. World) are described in our Cookie Policy. You can change or withdraw consent at any time via the banner link in the footer or through your browser settings.

6 · Who receives your data?

• MEWS Systems B.V. (Netherlands) – hotel‑booking engine and PCI‑DSS payment gateway (processor). Data remain in the EU; SCC apply if mirrored to US support.
• Google Ireland Ltd. / Google LLC – analytics and tag‑management services (processor). Data are stored in EU data‑centres; SCC (2021) and the EU–US Data Privacy Framework apply for US support.
• E‑mail service provider (SendGrid or equivalent) – transactional and support e‑mail delivery (processor) under SCC/DPF.
• IT & security providers – hosting, CDN and backup infrastructure in EU or under SCC.

We do not sell your personal data.

7 · International data transfers

When data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (Commission Decision 2021/914), vendor certification under the EU–US Data Privacy Framework, or another recognised mechanism to ensure adequate protection.

8 · How long do we keep your data?

• Booking and invoicing records: 10 years, as required by Portuguese accounting law.
• Approved membership files: for the duration of membership plus 3 years.
• Rejected membership applications: 12 months.
• Customer support tickets: 3 years after closure.
• Web‑server logs: 12 months.
• Google Analytics aggregated reports: 26 months.
• Marketing‑e‑mail subscription data: until you opt out or after 2 years of inactivity.

After these periods, data are securely deleted or anonymised.

9 · Your rights

You have the right to access, rectify or erase your data; to restrict or object to processing; to data portability; and to withdraw consent at any time. To exercise any right, e‑mail tech@doma.pt. You may also lodge a complaint with CNPD.

10 · Security

We use HTTPS/TLS 1.3, strict access controls, encryption at rest and periodic penetration tests to safeguard data. Payment card information is handled only by MEWS; DOMA servers never store full card numbers.

11 · Third‑party links

Our Site may contain links to external sites or widgets (e.g., Instagram, YouTube). Their privacy practices are governed by their own policies, which we encourage you to review.

12 · Contact us

Questions about this Policy or your data? Write to tech@doma.pt or mail the address in section 2.