Herdade das Bernardas

Privacy Policy

Last updated: June 2026

This Privacy Policy explains the rules governing data processing operations carried out when you use our website herdadedasbernardas.com (the "Site"). Personal data processing is the responsibility of Herdade das Bernardas, as data controller.

1. Data Controller

Herdade das Bernardas, N260, 7830-602 Vila Verde de Ficalho, Portugal. For any privacy-related question, contact us at info@herdadedasbernardas.com.

2. Scope of this Policy

This Policy applies to all personal data collected through the Site, in particular when completing booking or contact forms. By using our Site, you declare that you accept the terms of this Policy.

This Policy is governed by Regulation (EU) 2016/679 (GDPR) and Law No. 58/2019 of 8 August.

3. Personal Data Collected

We collect the following data:

  • Identification and contact data: full name, email address, phone number
  • Booking data: check-in and check-out dates, number and type of rooms, number of guests, requested services, additional notes
  • Payment data: payment processing is carried out by Stripe, Inc. Card data is never stored on our servers
  • Navigation data: IP address, country of origin, device type, pages visited, and performance metrics (collected anonymously and in aggregate by Vercel Analytics)

We do not collect sensitive personal data within the meaning of the GDPR (health data, ethnic origin, political opinions, etc.).

4. Purposes of Processing

Booking Management

We process your data to handle your booking, confirm availability, manage payment, and communicate relevant information about your stay.

Customer Service

We process data submitted via the contact form to respond to your enquiries.

Site Improvement

We use anonymous, aggregated navigation data (Vercel Analytics and Vercel Speed Insights) to understand Site usage and improve its quality. These services do not use cookies and do not collect personally identifiable data.

Fraud Detection

We may process your data to detect, prevent, and investigate fraudulent activity, protecting both our customers and our business.

5. Legal Basis for Processing

  • Performance of contract— for booking management and communications related to your stay (Art. 6(1)(b) GDPR).
  • Legitimate interest— for Site security, fraud detection, and service improvement (Art. 6(1)(f) GDPR).
  • Legal obligation— to comply with applicable tax and accounting requirements (Art. 6(1)(c) GDPR).

6. Data Recipients

Your personal data may be shared with the following processors, who act exclusively according to our instructions:

  • Vercel Inc.— application hosting and analytics (USA, with adequate safeguards under GDPR)
  • Neon Inc.— database hosted in the EU-Central region (Frankfurt, Germany)
  • Stripe, Inc.— payment processing (USA, with adequate safeguards under GDPR)
  • Resend Inc.— transactional email communications

We may also disclose your data in response to legal obligations or orders from competent judicial authorities.

7. Data Retention

We retain your personal data for the following periods:

  • Booking data: 10 years from the booking date, as required by Portuguese tax legislation
  • Contact data: 1 year after the request is resolved, unless otherwise required by law
  • Navigation data (analytics): anonymised and aggregated data, no retention period applicable

8. Cookies & Analytics

This Website uses its own cookie consent management system. The consent cookie (hdb_consent) is required for the cookie notice to function.

We use Vercel Analytics and Vercel Speed Insights to collect anonymous, aggregated traffic and performance data (pages visited, country, device, Core Web Vitals). These services do not use cookies and do not collect personally identifiable data. Data is processed by Vercel Inc. under adequate safeguards.

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Accessrequest a copy of the data we hold about you
  • Rectificationrequest correction of inaccurate or incomplete data
  • Erasurerequest erasure of your data, except where a legal retention obligation exists
  • Restrictionrequest restriction of processing in certain circumstances
  • Portabilityreceive your data in a structured, machine-readable format
  • Objectionobject to processing based on legitimate interest

To exercise any of these rights, contact us at info@herdadedasbernardas.com. You also have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD) at www.cnpd.pt, Av. D. Carlos I, 134, 1st floor, 1200-651 Lisbon, Portugal.

10. Security

We have implemented appropriate technical and organisational measures to protect your personal data against loss, unauthorised access, alteration, or disclosure. All data transmissions are made via encrypted connections (HTTPS). Database data is hosted on secure servers in the EU-Central region (Frankfurt, Germany).

In the event of a personal data breach likely to affect your rights and freedoms, we will notify the CNPD and, where applicable, the affected data subjects within the timeframes required by the GDPR.

11. Changes to this Policy

This Policy may be updated periodically. The most recent version will always be available on this page. In the event of substantial changes, we will notify you by email or via a prominent notice on the Site.