SurfPortugal

Last updated: 2026-04-10 · Version v1.0

Privacy Policy

1. Who We Are

SurfPortugal (“we”, “us”, “our”) operates the website www.surfcampsportugal.pt. We act as a marketplace coordinator for surf camps, schools, and stays in Portugal. For the purposes of the GDPR, SurfPortugal is the data controller for personal data we collect directly from you.

Contact us at: hello@surfportugal.com

2. Data We Collect

  • Contact information: first name, email address, WhatsApp number — collected when you submit a booking request or inquiry.
  • Travel details: travel dates, party size, skill level, budget range, and any message you include in a booking request.
  • Payment metadata: deposit amount, currency, and Stripe payment identifiers. We do not store full card numbers — these are handled exclusively by Stripe.
  • Usage data: page views, referrer, and approximate location (country/region level) collected via Plausible Analytics (cookieless, anonymised).
  • Communications: records of emails sent between SurfPortugal, you, and partner camps as part of the booking process.

3. How We Use Your Data

PurposeLawful basis
Processing booking requests and inquiriesPre-contractual steps at your request (Art. 6(1)(b))
Sharing anonymised booking details with selected partner campsContract performance (Art. 6(1)(b))
Releasing full contact details to the selected camp after deposit paidContract performance (Art. 6(1)(b))
Processing reservation deposits via StripeContract performance (Art. 6(1)(b))
Fraud prevention and anti-abuse (rate limiting, honeypot)Legitimate interests (Art. 6(1)(f))
Accounting and legal obligations (transaction records)Legal obligation (Art. 6(1)(c))
Aggregated analytics to improve the siteLegitimate interests — anonymised data, no personal profiles

We do not use your personal data for marketing unless you explicitly opt in.

4. Data Sharing

We share your data with the following parties:

  • Selected partner camp: Before deposit — only your first name, travel dates, party size, skill level, and any message. After deposit — your full name, email, and WhatsApp number. The partner acts as an independent data controller for their own processing.
  • Stripe: Payment processor. Your payment card data is handled exclusively by Stripe under their own privacy policy and PCI-DSS certification.
  • Supabase: Database and storage infrastructure, hosted in EU region.
  • Vercel: Hosting and edge infrastructure.
  • Resend: Transactional email delivery.
  • Plausible Analytics: Privacy-first, cookieless analytics. No personal data is sent to Plausible.

We do not sell your data to third parties.

5. Data Retention

  • Booking requests and associated contact data: retained for 2 years from the booking request date for accounting and dispute resolution purposes, then deleted.
  • Payment records: retained for 7 years to meet Portuguese accounting and tax obligations.
  • Communication logs: retained for 2 years.
  • Analytics: anonymised aggregate data, no individual retention limit.

6. Your Rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — subject to legal retention obligations.
  • Object to processing based on legitimate interests.
  • Data portability — receive your data in a structured, machine-readable format.
  • Lodge a complaint with the Portuguese data protection authority (CNPD): cnpd.pt.

To exercise your rights, email us at hello@surfportugal.com. We respond within 30 days.

7. Cookies

We use no tracking cookies. See our Cookie Policy for details.

8. Changes to This Policy

We will update this policy when our practices materially change. The “Last updated” date at the top reflects the most recent revision. Continued use of the site after an update constitutes acceptance of the new version.