Legal
Privacy Policy
PrimeWays Portugal explains what personal data we collect, why we collect it, how long we keep it, and the rights you have under the GDPR and Portuguese law.
Legal
Privacy Policy
How PrimeWays collects, uses, and protects personal data.
PrimeWays Portugal, operated by Solidrecord, Lda. (NIF 514662492, Póvoa de Santo Adrião, Portugal), is the data controller for all personal data collected through primeways.pt and its sub-services. This policy explains what data we collect, why, for how long, and what rights you have under the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and Portuguese Law 58/2019.
1. Data Controller
Solidrecord, Lda.
NIF: 514662492
Address: Póvoa de Santo Adrião, Portugal
E-mail: info@primeways.pt
Phone: +351 934 394 347
For any GDPR-related request, please use the subject line "GDPR Request" when contacting us by e-mail.
2. Categories of Personal Data Collected
2.1 Booking & contact data
When you submit a booking or enquiry through our booking portal at /portal on this website, we collect:
- Full name and contact details (e-mail address, phone number)
- Transfer or tour details (date, time, pick-up/drop-off addresses, flight number, number of passengers)
- Special requests (child seats, accessibility needs, luggage details)
- Payment reference data processed by our payment provider (we do not store full card numbers)
2.2 Analytics & performance data
With your consent, we collect anonymised usage data through:
| Service | Provider | Data collected | Transfer to third country |
|---|---|---|---|
| Google Analytics 4 | Google Ireland Ltd. | Pages visited, session duration, device/browser type, anonymised IP, referral source, events and conversions | Possible transfer to the USA under Google's Standard Contractual Clauses (SCCs) |
| Vercel Analytics | Vercel Inc. | Page views, unique visitors, referral source, country-level geolocation — no cookies, no cross-site tracking | Data processed in the EU/EEA where possible; Vercel SCCs apply |
| Vercel Speed Insights | Vercel Inc. | Core Web Vitals (LCP, CLS, FID/INP, TTFB), device type, connection speed — aggregated and anonymised | Same as Vercel Analytics above |
Consent-gated loading. Google Analytics is only loaded after you accept analytics cookies in our cookie banner. Vercel Analytics and Speed Insights are privacy-friendly by design (cookieless) and are loaded on the basis of our legitimate interest in maintaining a well-functioning website.
2.3 Server & proxy logs
Our website is hosted on Vercel. Booking-related requests are proxied to our reservation backend while remaining on the website host. Both services may log standard server access data (IP address, timestamp, HTTP method, response code) for security and debugging purposes. These logs are retained for a maximum of 30 days and are not used for profiling.
3. Legal Basis for Processing
| Processing activity | Legal basis (GDPR Art.) |
|---|---|
| Processing bookings and fulfilling the service | Contract performance — Art. 6(1)(b) |
| Responding to enquiries and customer support | Legitimate interest — Art. 6(1)(f) |
| Google Analytics (behavioural analytics) | Consent — Art. 6(1)(a) |
| Vercel Analytics and Speed Insights (aggregate, cookieless) | Legitimate interest — Art. 6(1)(f) |
| Server/proxy access logs (security and debugging) | Legitimate interest — Art. 6(1)(f) |
| Compliance with legal obligations (invoicing, tax) | Legal obligation — Art. 6(1)(c) |
4. Data Retention
| Data category | Retention period |
|---|---|
| Booking records (name, contact, service details) | 5 years from the date of service (Portuguese commercial law — Art. 40 CCom) |
| Invoices and payment records | 10 years (Portuguese tax law — Art. 52 CIRC) |
| Google Analytics data | 14 months (as configured in our GA4 property) |
| Vercel Analytics / Speed Insights | Retained by Vercel per their data retention policy (typically 90 days for raw events) |
| Server and proxy access logs | 30 days maximum |
| Customer support e-mail correspondence | 3 years from last contact |
5. Sharing of Data
We do not sell or rent your personal data. Data is shared only with:
- Google Ireland Ltd. — analytics (Google Analytics 4), under SCCs.
- Vercel Inc. — website hosting, analytics and Speed Insights, under SCCs.
- Render (onrender.com) — booking dashboard backend processor, under a data processing agreement.
- Payment processor — for secure payment authorisation (no card data stored by us).
- Public authorities — where required by law (for example tax authority or tourism regulation).
6. International Data Transfers
Some of our processors (Google, Vercel, Render) may transfer data outside the EEA, in particular to the United States. Such transfers are carried out under Standard Contractual Clauses (SCCs)approved by the European Commission pursuant to Art. 46(2)(c) GDPR, or on the basis of an adequacy decision where applicable. You may request a copy of the applicable safeguards by contacting us at info@primeways.pt.
7. Your Rights Under the GDPR
As a data subject in the EEA, you have the following rights:
- Access (Art. 15) — obtain a copy of the personal data we hold about you.
- Rectification (Art. 16) — request correction of inaccurate data.
- Erasure (Art. 17) — request deletion of your data where there is no overriding legal ground.
- Restriction (Art. 18) — restrict processing in specific circumstances.
- Data portability (Art. 20) — receive your data in a machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interest.
- Withdrawal of consent (Art. 7(3)) — withdraw analytics consent at any time via our cookie settings, without affecting prior processing.
To exercise any of these rights, contact us at info@primeways.pt with the subject line "GDPR Request". We will respond within 30 days. You also have the right to lodge a complaint with the Portuguese supervisory authority: CNPD — Comissão Nacional de Proteção de Dados (cnpd.pt).
8. Cookies
For detailed information on the cookies we use, see our Cookie Policy.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including HTTPS encryption for all data in transit, access controls on our backend systems, and regular review of our data processors' security posture. In the unlikely event of a data breach that poses a risk to your rights, we will notify the CNPD within 72 hours and affected individuals without undue delay.
10. Children's Data
Our services are directed at adults. We do not knowingly collect personal data from individuals under 16 years of age. If you believe a minor has submitted data to us, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this policy to reflect changes in our services, technology, or legal obligations. When we do, we will update the “Last updated” date at the top of this page. Material changes will be communicated via a banner on the website. Continued use of our site after the effective date constitutes acceptance of the revised policy.