Privacy Policy

Effective from: [TO BE FILLED ON PUBLIC LAUNCH] Version: 1.0

In short

This policy explains how Alba treats your personal data when you use our loyalty program through this website. The headlines:

• We are DANÇA DAS BORBOLETAS, LDA, a Portuguese company that operates Alba: brunch • coffee • matcha bar. We are responsible for your data.
• We collect only the data we need to run the loyalty program — your email, name, phone, and date of birth if you choose to give it.
• We do not sell your data. We do not advertise based on your data. We do not share it with anyone except the technical services we need to operate the website.
• Most of these services are in the EU. One — the email inbox we use to receive your messages — is hosted by Google in the United States under standard EU safeguards. Details below.
• You can read, change, or delete your data at any time from your account page.

1. Who is responsible for your data

DANÇA DAS BORBOLETAS, LDA, the company operating Alba: brunch • coffee • matcha bar.

• Registered office: Largo do Rato, nº 4 A, 1250-186 Lisboa, Portugal
• Portuguese tax number (NIPC): 518194019
• Commercial registry: Conservatória do Registo Comercial de Lisboa
• For privacy questions, write to: loyalty@albalisbon.com

We are the "data controller" — the legal term for the entity responsible for deciding what to do with your personal data. We do not have a Data Protection Officer (this is not required for a business of our size and activity), but the email above is the dedicated contact for any privacy matter.

2. The data we collect and why

We collect the following data only when you give it to us in registration or in your account, and we only use it for the purposes listed:

Your email address. Used to authenticate you (we send you a one-time login link instead of using a password) and to send you account-related notifications. Without it, the service cannot work.

Your name and surname. Shown on your loyalty card and used to personalize the website ("Hi Maria"). Without them, the service cannot work.

Your phone number. This is how our cashiers find you at the till to give you cashback. Without it, the loyalty program cannot work.

Your date of birth. Required at registration. We use it to verify that you are at least 18 years old and to provide the Birthday benefit, which is part of the Alba loyalty program.

Your marketing consent. A simple yes/no record of whether you've chosen to receive marketing emails from us. You can change this at any time.

Your loyalty card number. Generated automatically by us when you register. Identifies you within Syrve (our point-of-sale and loyalty system).

Your loyalty balance and transaction history. Live data pulled from Syrve when you view your account. We do not store this long-term ourselves.

Technical login records. Your IP address, browser type, and the time of each login. Used to detect suspicious activity and protect your account.

The legal basis for processing each of the above (per GDPR Article 6) is the performance of our contract with you — you signed up, and we provide the loyalty service. The exception is marketing emails, which are sent only if you give us your specific consent at registration or in your account.

3. How long we keep your data

We keep your data for as long as your account is active. We define "active" as having either logged in to the website or made a purchase in the restaurant in the last 36 months.

If 36 months pass without activity, we send you an email reminding you that your account will be anonymized in 6 more months unless you log in. If you do nothing in those 6 months, your personal data is irreversibly anonymized in both our database and Syrve (our point-of-sale and loyalty system).

You can also delete your account at any time from the account page. The same anonymization happens immediately, without waiting.

Specific retention periods for technical data:

• Pending registrations (you signed up but never confirmed your email): 24 hours, then deleted.
• One-time login links: 15 minutes from when they are sent.
• Login records (IP, browser): 12 months, then deleted.
• Marketing consent records: 3 years after you delete your account, then deleted. We keep these as proof that you consented, in case there's ever a dispute.
• Transaction history in Syrve: 10 years, as required by Portuguese tax law (Código Comercial). After your account is anonymized, this history remains in Syrve but is no longer tied to you personally.

4. Who else sees your data

To run the website we need several technical service providers, each of which sees some part of your data only for the specific purpose listed. These are our "data processors". They are contractually bound (via signed Data Processing Agreements, or equivalent transfer safeguards where required) to protect your data and use it only as instructed.

• Vercel (Frankfurt, EU): hosts our website. Sees the technical requests your browser makes when they happen.
• Neon (EU): hosts the database where your account is stored.
• Resend (EU): sends our emails to you. Sees your email address and the email content.
• Cloudflare (worldwide infrastructure, EU contract): handles website security and routing, and forwards email sent to loyalty@albalisbon.com to our operational inbox via Cloudflare Email Routing. Sees your IP address and, in transit, the contents of any email you send us.
• Syrve (api-eu.syrve.live): our point-of-sale and loyalty backend. Stores your customer profile and transaction history.
• Google (Google Mail) (United States): hosts our operational inbox albalisbon.loyalty@gmail.com, which is the final destination for emails sent to loyalty@albalisbon.com. Sees the content of those emails and our replies. See section 8 below on the international transfer to the US.

We do not sell your data to anyone. We do not share it with any third party for marketing or advertising.

5. Your rights

Under GDPR, you have the following rights over your data. Most of these you can exercise directly from your account page without contacting us; for the others, write to loyalty@albalisbon.com and we'll respond within 30 days (sometimes up to 90 days for complex requests, in which case we'll tell you why).

• Access. See what data we hold about you. Your account page shows this directly; for a formal copy, email us.
• Correction. Fix any data that's wrong. You can edit your name and email from the account page; for phone or date of birth, use the in-account contact form.
• Deletion. Delete your account and all personal data. One click in your account page.
• Restriction. Ask us to stop processing your data temporarily while a question is being resolved. Email us.
• Portability. Get a copy of your data in a machine-readable format that you can take to another service. Email us.
• Objection. Object to specific uses of your data, especially marketing. The marketing toggle in your account is the immediate self-service version.
• Withdraw consent. Where we rely on your consent (currently this applies to marketing emails only), you can withdraw it at any time. Withdrawing consent does not affect anything we did with your data before you withdrew it.

If you think we've handled your data incorrectly, you can also complain directly to the Portuguese data protection authority: Comissão Nacional de Proteção de Dados (CNPD), www.cnpd.pt, without going through us first.

6. Cookies

Our website uses only the cookies that are strictly necessary to keep you logged in, remember your language choice, and protect against form abuse and bots. We do not use analytics cookies. We do not use marketing or tracking cookies.

Because we use only necessary cookies, no consent banner is required by law. For the full list of cookies and what each one does, see our Cookie Policy.

7. Security

We protect your data with industry-standard measures: encrypted connections (HTTPS), encrypted database storage, restricted access to our infrastructure, and an audit log of sensitive actions. Our login system never uses passwords — we send you a one-time link by email each time, which removes the most common cause of account compromise.

If something does go wrong, we are obliged to notify the CNPD within 72 hours of becoming aware of any incident affecting your data, and to notify you directly if the incident creates a serious risk to you.

8. International transfers

Most of our service providers store and process your data in the European Union. One exception exists: emails sent to our contact address (loyalty@albalisbon.com) are forwarded by Cloudflare Email Routing to our operational inbox albalisbon.loyalty@gmail.com, hosted by Google (Google Mail) in the United States.

This transfer is covered by the European Commission's Standard Contractual Clauses (SCC), which Google incorporates into the Gmail Terms of Service. The SCC are the EU-approved legal mechanism for transferring personal data to countries outside the EU and oblige the recipient to apply protections equivalent to those required by GDPR.

If you would prefer not to send your message via this transfer route, you can write to us by post at the registered office address in section 11.

9. Children

Our service is for adults only. You must be at least 18 years old to register. We do not knowingly collect data about anyone under 18. If we discover an account belongs to someone under 18, we anonymize it immediately. If you are a parent or guardian and believe your child has registered, please contact us at loyalty@albalisbon.com.

10. Changes to this policy

We may update this policy from time to time, for example if the law changes or if we change how we work. When we make a material change, we update the version number at the top and notify you the next time you log in. You'll need to accept the new version before continuing to use your account.

11. How to contact us

For any question, request, or complaint about your data, write to loyalty@albalisbon.com. We aim to reply within a few working days; for formal data-rights requests under GDPR, the legal maximum is one calendar month.

You can also write to us by post at our registered office:

DANÇA DAS BORBOLETAS, LDA Largo do Rato, nº 4 A 1250-186 Lisboa, Portugal