1) Introduction
At Rocha Beach House (Onda da Rocha Lda.), we value your privacy. This Policy explains how we collect, use, share and protect personal data, in compliance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679), the Portuguese Law no. 58/2019, and all applicable consumer protection laws (including DL 24/2014 and DL 84/2021).
By using our website (www.rochabeachhouse.com) and services (online shop, bookings, coworking, Poké Bar, lessons, tours and events), you agree to this Privacy Policy.
Onda da Rocha Lda. – Rocha Beach House
Address: Av. Tomás Cabreira, Ed. Rochamar, Loja 5, 8500-802 Portimão – Portugal
NIPC: 513709770 | Phone: +351 282 039 707 | Email: info@rochabeachhouse.com
If we formally appoint a Data Protection Officer (DPO), we will update this section accordingly.
We process personal data on the following bases:
- Contract performance (Art. 6/1-b GDPR): purchases, reservations, coworking, rentals, lessons/tours/events.
- Legal obligation (Art. 6/1-c): invoicing, tax, guarantees (DL 84/2021), consumer rights (DL 24/2014).
- Consent (Art. 6/1-a): newsletters, non-essential cookies, marketing.
- Legitimate interest (Art. 6/1-f): website and premises security, fraud prevention, statistics and service improvement.
- Browsing/technical data: IP address, date/time, user agent, visited pages, cookies, server logs.
- Online shop (Shopify): name, email, phone, addresses, order details; payment data processed via PSPs (Shopify Payments/Stripe/PayPal/MB Way/Apple Pay/Google Pay/Revolut).
- Coworking (Anny.co): name, email, contact, reservation dates/times.
- Poké Bar: orders via Clickmenu.ai (take-away/dine-in) and Uber Eats (delivery) – processed directly by these platforms.
- Surf Lessons, SUP Tours, Workshops/Events: name, contact, level/experience, preferences, payment data when paid online.
- Newsletter (Mailchimp): email (opt-in).
- Direct contacts: messages/forms, name, email, message content.
- Physical premises (CCTV): video surveillance images (see Section 12).
We do not collect special categories of data (Art. 9 GDPR) unless you provide them voluntarily (e.g., dietary restrictions for events). In such cases, we will request explicit consent.
- Essential cookies: required for the site/checkout to work (always active).
- Analytics and marketing cookies (Google Analytics, Google Ads, Meta Pixel, Instagram insights, etc.): activated only with your consent through our cookie banner.
You can change your cookie preferences at any time via the cookie manager.
We use providers for hosting, e-commerce, reservations, payments, analytics and marketing, including:
- Shopify (online store, infrastructure, CDN, apps).
- Payment providers: Shopify Payments/Stripe/PayPal/MB Way/Apple Pay/Google Pay/Revolut/Visa/Mastercard/Amex/UnionPay.
- Anny.co (coworking bookings).
- Clickmenu.ai / Uber Eats (Poké orders).
- Mailchimp (newsletter).
- Google (Analytics, Tag Manager, Ads, Maps), Meta (Facebook/Instagram), YouTube, LinkedIn (widgets & insights).
- Carriers (CTT/DPD/DHL, when applicable).
- Email, hosting and backup providers (with appropriate security measures).
Whenever international transfers outside the EEA occur, we ensure adequate safeguards, including EU Standard Contractual Clauses (SCCs).
We apply appropriate technical and organisational measures considering the risks:
- Encryption (SSL/TLS) in transit; encryption at rest, where applicable by providers.
- Pseudonymisation/minimisation where possible.
- Access controls, password policies, and access logs.
- Regular backups (encrypted, defined retention); periodic restore tests.
- Monitoring of availability and integrity.
- Internal audits of data protection and information security.
- Staff training on confidentiality and data protection.
- Invoicing/accounting: 10 years (DL 28/2019).
- Reservations/services: up to 2 years after provision (unless legal retention applies).
- Newsletter: until withdrawal of consent (opt-out).
- Server logs: up to 12 months.
- Cookies: session or up to 14 months (depending on type).
When no legal ground remains, data is securely deleted or anonymised.
You have the right to: access, rectification, erasure, restriction, objection, portability, and to withdraw consent (without affecting prior lawful processing).
You may also complain to the Portuguese Data Protection Authority (CNPD) – www.cnpd.pt.
To exercise your rights: email info@rochabeachhouse.com. We may request proof of identity where necessary.
We avoid collecting data from children under 16. If a minor provides data, we will only process it with verifiable parental consent. If we discover data from a minor without consent, it will be safely deleted.
- We only send newsletters/marketing if you explicitly opted in.
- You may unsubscribe at any time via the link in the email or by emailing info@rochabeachhouse.com.
- We may create aggregated/anonymous statistics to improve campaigns and services.
For security of people and property and prevention of unlawful acts, our premises may be monitored by CCTV (signposted on-site).
- Legal basis: legitimate interest (Art. 6/1-f GDPR) and applicable Portuguese law.
- Access restricted to authorised staff; footage may be disclosed to competent authorities upon legal request.
- Retention period: only as necessary, following legal/police timeframes.
Rights of access/erasure may be limited where they conflict with third-party rights or legal obligations.
- Internal access to data is strictly limited to staff who need it, subject to confidentiality obligations.
- Applications/CVs: if you send us an application (spontaneous or in response to a vacancy), we process it only for recruitment and retain it for the necessary time (generally up to 12 months, unless otherwise required by law or consented to).
- We do not sell or share applicant data; we may use GDPR-compliant HR platforms (if applicable, disclosed in each vacancy).
- To exercise rights regarding applications: info@rochabeachhouse.com.
We do not sell personal data. We share it with subcontractors (processors) strictly necessary for: e-commerce, payments, bookings, logistics, analytics/marketing, IT/security.
For international transfers (e.g., to the US), we rely on EU SCCs and additional safeguards (encryption, minimisation).
In the event of a personal data breach that may pose risk to rights/freedoms, we will notify the CNPD without undue delay, and where feasible, within 72 hours of becoming aware (Art. 33 GDPR).
Where the breach poses high risk, we will also inform affected data subjects without undue delay (Art. 34 GDPR), in clear language, describing the nature, affected data, possible consequences and remedial measures taken.
For order shipments (when applicable), we share only the necessary data with carriers (name, address, contact).
You may receive delivery notifications (SMS/email) directly from the carrier.
For e-commerce (Shopify), the following apply:
- Right of withdrawal: 14 days (DL 24/2014).
- Legal guarantee: 3 years (DL 84/2021).
Associated data flows (identification, contact, invoicing, logistics, payment) are processed under the legal bases and retention periods defined in this Policy.
Our site may contain links to third-party sites (e.g., Uber Eats, social networks). We do not control such sites or their policies; please review their privacy policies.
- Electronic Complaints Book (Livro de Reclamações): www.livroreclamacoes.pt
- Alternative Dispute Resolution (ADR): CIMAAL – Centro de Informação, Mediação e Arbitragem de Conflitos de Consumo do Algarve (or the competent entity according to the consumer’s residence).
- EU ODR Platform: https://ec.europa.eu/consumers/odr
For data protection requests (access, rectification, erasure, objection, restriction, portability, consent), contact:
info@rochabeachhouse.com | Phone: +351 282 039 707
We will reply without undue delay and within 30 days maximum.
We may update this Policy to reflect legal or operational changes. The current version is always the one published on our website, showing the last update date.
Last updated: September 2025