Privacy Policy
Last updated: 08/05/2026
This Privacy Policy explains how Daniel Xavier de Oliveira, trading as EazyAL
(NIF 316024449, , Portugal — "we", "us", "our") collects, uses,
and protects personal data in connection with https://www.eazyal.com and the
EazyAL platform.
We are the data controller for the personal data of our registered users. For
guest data that hosts process through the platform (see Section 54, the
position is more nuanced — read that section carefully.
This policy is issued in compliance with Regulation (EU) 2016/679 (GDPR) and
Law 58/2019 (the Portuguese GDPR implementation law).
─────────────────────────────────────────────────────────────────────────────
DATA WE COLLECT AND WHY
─────────────────────────────────────────────────────────────────────────────
We collect the following categories of personal data:
A. ACCOUNT AND IDENTITY DATA
What: Full name, email address, password (hashed — we never store it in
plain text), preferred language, and account preferences.
Why: To create and manage your account and provide the Service.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
B. BILLING AND PAYMENT DATA
What: Billing name, billing address, and subscription plan. We do NOT
store card numbers or bank details — all payment card data is handled
directly by our payment processor, Stripe (see Section 9).
Why: To process subscription payments and issue fiscal receipts.
Legal basis: Performance of contract (Art. 6(1)(b)) and legal obligation
(Art. 6(1)(c) — IVA/fiscal record-keeping under Portuguese tax law).
C. PROPERTY DATA
What: AL (Alojamento Local) registration number(s), property address(es),
property type, and related configuration data you enter into the platform.
Why: To configure compliance automation for your properties (SIBA, INE,
IPHH submissions).
Legal basis: Performance of contract (Art. 6(1)(b)).
D. USAGE AND TECHNICAL DATA
What: IP address, browser type, operating system, pages visited, feature
interactions, error logs, and session timestamps.
Why: To maintain security, diagnose technical issues, and improve the
Service.
Legal basis: Legitimate interests (Art. 6(1)(f)) — specifically, securing
the platform and improving service quality. You may object to this
processing (see Section 8).
E. COMMUNICATIONS DATA
What: The content of support requests, feedback, and email correspondence
you send us.
Why: To respond to your enquiries and improve support quality.
Legal basis: Legitimate interests (Art. 6(1)(f)).
F. MARKETING COMMUNICATIONS
What: Email address and communication preferences.
Why: To send you product updates, feature announcements, and promotional
offers where you have opted in.
Legal basis: Consent (Art. 6(1)(a)). You may withdraw consent at any time
by clicking "Unsubscribe" in any marketing email or contacting us at
info@eazyal.com.
2. HOW LONG WE KEEP YOUR DATA
─────────────────────────────────────────────────────────────────────────────
We retain personal data only for as long as necessary for the purpose for
which it was collected, or as required by law.
Account data: Duration of your active account, plus 3 years after
account closure (for dispute resolution and legal
claims).
Billing records: 10 years from the date of the transaction, as required
by Portuguese tax law (Art. 123 CIRS / Art. 52 CIVA).
Property data: Duration of your active account; deleted within 30 days
of account closure unless retention is required by law.
Guest data you Retained for as long as you instruct us to store it
enter (see §5): within the platform, subject to a maximum of [X] years
after the relevant stay, in line with the Portuguese
AL regulatory framework. You may delete guest records
at any time via the platform.
Usage/technical 13 months from collection (standard analytics window).
data:
Support comms: 3 years from the date of last correspondence.
─────────────────────────────────────────────────────────────────────────────
3. HOW WE SHARE YOUR DATA
─────────────────────────────────────────────────────────────────────────────
We do not sell your personal data. We share it only in the following
circumstances:
Sub-processors: We use trusted third-party service providers to operate
the Service (see Section 9 for the full list). Each is bound by a Data
Processing Agreement and may only process data for the purposes we specify.
Legal obligations: We may disclose data to public authorities (e.g. AT —
Autoridade Tributária, CNPD, courts) where required by law.
Business transfers: If we transfer the business to a successor, personal
data may be transferred as part of that transaction. We will notify you
and your rights under this Policy will continue to apply.
With your consent: In any other circumstances, only with your explicit
prior consent.
─────────────────────────────────────────────────────────────────────────────
4. GUEST DATA — A SPECIAL NOTE
─────────────────────────────────────────────────────────────────────────────
This section is important because EazyAL processes personal data about your
guests (their names, nationalities, passport/identity document numbers, dates
of birth, and stay dates) in order to help you fulfil your legal obligations
as an Alojamento Local operator under Portuguese law (DL 128/2014 and
subsequent amendments, SIBA obligations, and SEF/AIMA guest registration
requirements).
Who is responsible for guest data?
You (the host) are the data controller for your guests' personal data. You
collect it from them and you are responsible for having a valid legal basis
to process it (which is typically legal obligation — Art. 6(1)(c) GDPR, in
conjunction with Portuguese AL law).
EazyAL acts as your data processor for guest data. We process it only on
your instructions and solely to provide the compliance automation features
of the Service (e.g. SIBA submissions, guest manuals, INE reporting). We do
not use guest data for our own purposes.
[NOTE: If you would like a formal Data Processing Agreement (DPA) to
govern this relationship, please contact us at info@eazyal.com. Under GDPR Art. 28,
a written DPA is required between a controller and processor.]
Your obligations to your guests:
As the data controller, you must inform your guests that their data will be
processed and submitted to Portuguese authorities (SIBA, SEF/AIMA, INE) in
compliance with your legal obligations. We recommend including this
information in your property listing and/or a check-in information sheet.
─────────────────────────────────────────────────────────────────────────────
5. INTERNATIONAL DATA TRANSFERS
─────────────────────────────────────────────────────────────────────────────
Some of our sub-processors are based outside the European Economic Area (EEA),
including in the United States. Where data is transferred outside the EEA, we
ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs) approved by the European Commission
(Decision 2021/914), where required; and/orAn adequacy decision by the European Commission for the destination
country.
A list of countries to which data may be transferred is included in Section 9
(Sub-processor list). You can request a copy of the applicable transfer
safeguards by contacting us at info@eazyal.com.
─────────────────────────────────────────────────────────────────────────────
6. SECURITY
─────────────────────────────────────────────────────────────────────────────
We implement appropriate technical and organisational measures to protect
personal data against unauthorised access, loss, destruction, or alteration,
including:
Encryption of data in transit (TLS/HTTPS)
Encrypted storage of passwords (hashing)
Access controls limiting data access to authorised personnel only
Regular security reviews
No method of transmission over the internet is 100% secure. If we become
aware of a personal data breach, we will notify the CNPD within 72 hours
where required by GDPR Art. 33, and notify affected individuals without
undue delay where the breach is likely to result in high risk to them.
─────────────────────────────────────────────────────────────────────────────
7. YOUR RIGHTS
─────────────────────────────────────────────────────────────────────────────
Under the GDPR and Law 58/2019, you have the following rights in relation to
your personal data:
Right of access (Art. 15):
Request a copy of the personal data we hold about you.
Right to rectification (Art. 16):
Ask us to correct inaccurate or incomplete data.
Right to erasure (Art. 17):
Ask us to delete your personal data where there is no lawful reason for
continued processing. Note: some data must be retained for legal reasons
(e.g. billing records under tax law).
Right to restriction of processing (Art. 18):
Ask us to pause processing of your data in certain circumstances (e.g.
while accuracy is contested).
Right to data portability (Art. 20):
Receive a copy of the data you provided to us in a structured,
machine-readable format (applies to data processed by contract or consent).
Right to object (Art. 21):
Object to processing based on legitimate interests. We will stop processing
unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent:
Where processing is based on consent (e.g. marketing emails, analytics
cookies), you may withdraw it at any time without affecting the lawfulness
of prior processing.
Right not to be subject to automated decision-making (Art. 22):
We do not carry out automated individual decision-making that produces legal
or similarly significant effects.
To exercise any of these rights, contact us at:
Email: info@eazyal.com
We will respond within 30 days (extendable by a further 60 days for complex
requests, with notice). We will not charge a fee for reasonable requests.
If you are not satisfied with our response, you have the right to lodge a
complaint with the Portuguese data protection supervisory authority:
CNPD — Comissão Nacional de Proteção de Dados
Rua de São Bento, 148–3.º, 1200-821 Lisboa
Website: www.cnpd.pt
Email: geral@cnpd.pt
─────────────────────────────────────────────────────────────────────────────
8. SUB-PROCESSORS (THIRD-PARTY SERVICE PROVIDERS)
─────────────────────────────────────────────────────────────────────────────
We use the following sub-processors to operate the Service. Each is bound by
a Data Processing Agreement:
Stripe, Inc.
Purpose: Payment processing
Data: Billing name, billing address, transaction data
Location: United States
Safeguards: SCCs / EU-US Data Privacy Framework adequacy decision
Privacy: https://stripe.com/privacy
HOSTING PROVIDER — e.g. Vercel / Supabase
Purpose: Cloud infrastructure and database hosting
Data: All platform data
EMAIL SERVICE PROVIDER — Resend
Purpose: Transactional and marketing email delivery
Data: Email address, name
Framer
Purpose: Public website hosting (eazyal.com marketing site)
Data: Technical/analytics data of website visitors
Location: United States
Safeguards: SCCs
Privacy: https://www.framer.com/legal/privacy-statement/
ANALYTICS PROVIDER — PostHog
Purpose: Platform usage analytics
Data: Anonymised/pseudonymised usage data, IP address
─────────────────────────────────────────────────────────────────────────────
9. CHILDREN'S DATA
─────────────────────────────────────────────────────────────────────────────
The Service is not directed at individuals under 18 years of age. We do not
knowingly collect personal data from minors. If you believe a minor has
provided us with personal data, please contact us at info@eazyal.com and we will
delete it promptly.
Note: Guest data submitted through the platform may include minors (as guests
of AL properties). This data is processed solely to fulfil your legal
obligations under Portuguese AL law and is handled in accordance with Section
5 of this Policy.
─────────────────────────────────────────────────────────────────────────────
10. LINKS TO THIRD-PARTY WEBSITES
─────────────────────────────────────────────────────────────────────────────
Our website or platform may contain links to third-party websites (e.g.
SIBA portal, SEF/AIMA, INE, Portal das Finanças). We are not responsible for
the privacy practices of those sites and encourage you to review their privacy
policies.
─────────────────────────────────────────────────────────────────────────────
11. CHANGES TO THIS POLICY
─────────────────────────────────────────────────────────────────────────────
We may update this Privacy Policy from time to time to reflect changes in
our data practices or applicable law. When we make material changes, we will
notify registered users by email and update the "Last updated" date at the
top of this page at least 14 days before the changes take effect.
We encourage you to review this Policy periodically.
─────────────────────────────────────────────────────────────────────────────
12. CONTACT AND DATA CONTROLLER DETAILS
─────────────────────────────────────────────────────────────────────────────
Data Controller: Daniel Xavier de Oliveira
Trading as: EazyAL
NIF: 316024449
Contact email: info@eazyal.com
Data protection
enquiries: info@eazyal.com
Website: https://www.eazyal.com
Cookies
─────────────────────────────────────────────────────────────────────────────
EazyAL uses Google Analytics to understand how visitors use the website and improve the user experience. Analytics cookies are only activated after consent is provided.