Privacy Policy

Last updated: 26/05/2026

1. Data Controller

Marca lá (marcala.pt) is responsible for processing personal data collected through this Platform, under Regulation (EU) 2016/679 (GDPR).

2. Data Collected

We collect the following categories of data:

  • Businesses: business name, owner's name, email address, tax number (NIF), phone number and address.
  • Associated staff: name, email (optional) and availability.
  • End Clients: only the data necessary for the booking (name, email and/or phone), voluntarily provided for each appointment, without creating permanent profiles.
  • Technical data: IP address, user agent and access logs, for security and error diagnostics.

3. Legal Basis for Processing

Data processing is based on the following legal grounds (Art. 6 GDPR):

  • Performance of a contract (Art. 6.1.b): to process and manage bookings and billing.
  • Legitimate interests (Art. 6.1.f): for Platform security, fraud prevention and service improvement.
  • Consent (Art. 6.1.a): for End Client data provided at the time of booking.
  • Legal obligation (Art. 6.1.c): to comply with tax and accounting obligations.

4. Purposes of Processing

Data is used exclusively for:

  • Creating and managing Business accounts.
  • Processing and managing bookings.
  • Sending notifications and reminders (email and SMS) to End Clients.
  • Automatic billing and prepaid balance management.
  • Compliance with legal and tax obligations.
  • Platform security and integrity.

5. Subprocessors

To provide the service, Marca lá uses the following trusted subprocessors who process personal data on our behalf:

  • Resend (USA) — transactional email delivery, with Standard Contractual Clauses (SCC) in place.
  • Twilio (USA) — SMS delivery, with Standard Contractual Clauses (SCC) in place.
  • Ifthenpay (Portugal) — payment processing via MB Way and bank card.
  • Hetzner (Germany, EU) — server and database hosting.

6. Data Retention

Business data is retained for as long as the account remains active and for 3 years after closure, as required by Portuguese tax legislation. End Client data associated with each booking is retained for the same period. After the retention period, data is anonymised or securely deleted.

7. International Data Transfers

Some subprocessors (Resend and Twilio) are based in the USA. Data transfers to these providers are made on the basis of Standard Contractual Clauses approved by the European Commission, ensuring a level of protection equivalent to that required by the GDPR. The other subprocessors (Ifthenpay and Hetzner) operate within the European Economic Area.

8. Data Security

Marca lá implements appropriate technical and organisational measures to protect personal data, including:

  • Password hashing with bcrypt (cost factor 12).
  • Encrypted communications via HTTPS/TLS.
  • Role-based access control (RBAC).
  • Session cookies with HttpOnly, Secure and SameSite=Strict attributes.
  • Regular database backups with encryption at rest.

9. Data Subject Rights

Under the GDPR, data subjects have the following rights: access to processed data; rectification of inaccurate data; erasure of data ('right to be forgotten'); restriction of processing; data portability; objection to processing. To exercise any of these rights, contact: privacidade@marcala.pt

10. Cookies

The Platform uses only technical cookies necessary for the service (authentication session). No third-party tracking, advertising or behavioural analytics cookies are used.

11. Minors

The Platform is intended exclusively for Businesses whose account holders are 18 years of age or older. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with data, please contact us so we can delete it.

12. Personal Data Breaches

In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, we will notify the Portuguese Data Protection Authority (CNPD) within 72 hours. Where the breach is likely to result in a high risk to data subjects, they will also be notified without undue delay.

13. Changes to this Policy

This Policy may be updated periodically. Material changes will be notified by email with at least 30 days' notice. Continued use of the Platform after that period constitutes acceptance of the updated policy.

14. Contact

For privacy queries or to exercise your rights, contact us at: privacidade@marcala.pt