Privacy Policy

Last updated: 26 May 2026

1. Introduction

AL.Web ("we", "us", "our") is a software-as-a-service platform for short-term rental ("Alojamento Local") property managers operating in Portugal. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our service.

We comply with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), Portuguese Law n.º 58/2019 (the Portuguese GDPR implementation), and other applicable Portuguese and EU data protection law. By using AL.Web, you accept the practices described in this policy.

2. Data Controller

AL.Web, Portugal, is the data controller for your account information and any data you upload to the service.

When you use AL.Web to register guests with the Portuguese authorities (SEF/SIBA) or to file tax documents with the Autoridade Tributária (AT), we act as data processor on your behalf for those specific flows — you remain the controller for the underlying guest and accounting data.

Contact: support@alweb.pt

3. What Data We Collect

We collect only what is necessary to run the service:

  • Account data — email address, display name (if you provide one), hashed password (never stored in plain text), language and theme preferences.
  • Property data — addresses, property names, SIBA establishment codes, fiscal NIF, contact details for each accommodation you manage.
  • Guest data — full names, identity-document numbers, nationality, date of birth, travel dates, country of origin. Collected on your behalf for SIBA submission and never used for any other purpose.
  • Booking data — check-in and check-out dates, guest names, booking amounts, OTA platform identifiers. Imported from OTA confirmation emails (when you connect your inbox) or entered manually.
  • Payment data — subscription status and payment timestamps. Card numbers, bank details, and other payment instruments are not stored by us; they are handled by our payment processor (IfThenPay).
  • Technical data — IP address, browser type and version, request timestamps, error logs, cookies (see section 9).

4. Legal Basis for Processing

We process your personal data under one or more of the following legal bases set out in GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) — account creation, subscription billing, service delivery.
  • Legal obligation (Art. 6(1)(c)) — SIBA submissions are required under Decreto-Lei n.º 23/2007 and subsequent SEF regulations. Tax record retention is required under the Portuguese tax code.
  • Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, error monitoring, service improvement. We balance these against your rights and freedoms.
  • Consent (Art. 6(1)(a)) — optional newsletters and any non-essential cookies. You can withdraw consent at any time without affecting prior processing.

5. Who We Share Data With

We share personal data only with the parties strictly required to run the service:

  • SEF/SIBA (Serviço de Estrangeiros e Fronteiras) — guest registration data, as a legal obligation. We cannot opt out on your behalf.
  • Autoridade Tributária (AT) — monthly SAF-T files and Modelo 30 filings when you enable those features.
  • IfThenPay — our payment processor. We share only what is required to process payments and reconcile your subscription; card data flows through them, not us.
  • Hosting and infrastructure subprocessors — EU-based cloud providers that store our database and serve the application. Data does not leave the EU/EEA without your separate consent or an appropriate safeguard under GDPR Chapter V.
  • Auth.Web — our integrated identity provider (operated by us); credentials and authentication tokens flow through this service.

We do not sell your data. We do not share data with advertisers or marketing partners.

6. How Long We Keep Data

Retention periods vary by data category:

  • Active accounts — data is retained as long as your account is active.
  • Closed accounts — 30 days of grace period for reactivation; after that, account data is erased except for records subject to legal retention below.
  • Tax records, SAF-T files, invoice data — 10 years (Portuguese tax code).
  • SIBA submission records — 1 year per the Portuguese SEF regulation. We retain the submission record itself, not raw unsubmitted guest data.
  • Backups — rolling 30-day window. Backups containing your data also age out after that window.
  • Security logs — up to 12 months for investigation of incidents.

You can request earlier erasure at any time (see section 7). Requests that touch legally-retained records are honored for everything except the items required by law.

7. Your Rights

Under GDPR Articles 15-22, you have the right to:

  • Access (Art. 15) — receive a copy of the personal data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — have your data deleted, subject to the legal retention exceptions in section 6.
  • Restriction of processing (Art. 18) — pause processing while a dispute is being resolved.
  • Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
  • Object (Art. 21) — object to processing based on legitimate interests.
  • Withdraw consent — for any processing based on consent, at any time, without affecting processing carried out before withdrawal.

To exercise any of these rights, email support@alweb.pt from your registered address and describe your request. We respond within 30 days. For complex requests we may extend by up to 60 additional days and will tell you why.

8. Security

We use commercially reasonable safeguards:

  • TLS encryption for all data in transit.
  • Encryption at rest for sensitive fields.
  • Industry-standard password hashing.
  • Short-lived authentication tokens and anti-CSRF protection on every state-changing request.
  • Role-based access controls: co-workers see only the properties they are explicitly granted access to.
  • Regular security updates and dependency monitoring.

No internet service can guarantee absolute security. If we become aware of a data breach that is likely to result in a high risk to your rights, we will notify you and the supervisory authority within 72 hours as required by GDPR Article 33.

9. Cookies and Similar Technologies

We use cookies in three categories:

  • Strictly necessary (no consent required, exempt under Article 5(3) of the ePrivacy Directive) — session token, anti-CSRF token, language preference, theme preference.
  • Functional (subject to consent where applicable) — UI state preferences that improve your experience but are not strictly required.
  • Analytics (consent required, opt-out anytime) — we do not currently use third-party analytics tools. If we add any, we will notify you and offer a clear opt-out before enabling them.

You can clear cookies at any time via your browser settings; doing so will sign you out and reset your preferences.

10. International Data Transfers

Your personal data is stored and processed within the European Economic Area (EEA). We do not transfer your data to third countries without your separate consent or an appropriate transfer mechanism under GDPR Chapter V (e.g. Standard Contractual Clauses, adequacy decisions).

11. Links to Third-Party Sites

Our service may link to external sites — OTA dashboards (Airbnb, Booking.com), payment portals, tax authority sites. We are not responsible for the privacy practices of those sites; please review their policies separately.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be announced via email and an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision; the prior version is available on request via support@alweb.pt.

13. Complaints

If you believe we have not handled your personal data correctly, you can lodge a complaint with the Portuguese data protection authority:

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134, 1.º
1200-651 Lisboa, Portugal
www.cnpd.pt

We would always appreciate the chance to address your concerns directly first — email support@alweb.pt before escalating to the CNPD.

14. Contact

For all data protection inquiries, including the rights described in section 7, contact us at support@alweb.pt.