Privacy Policy
Last updated: 2026-04-25
This Privacy Policy describes how José de Oliveira, Lda. handles the personal data of visitors to this website and of customers of the establishments it operates under the Fado&Food Group brand, in compliance with Regulation (EU) 2016/679 (GDPR) and Portuguese Law No. 58/2019 of 8 August.
1. Data controller
José de Oliveira, Lda.
Registered office: Travessa da Queimada, n.º 10, 1200-365 Lisbon
Tax ID (NIPC): 500 158 584
Email for data protection enquiries: [email protected]
José de Oliveira, Lda. has not currently appointed a Data Protection Officer (DPO), as the conditions of Article 37 GDPR that would require such an appointment are not met. Personal data matters should be addressed to the email above.
2. Categories of data processed, purposes and legal bases
We process the following categories of personal data, for the purposes and under the legal bases set out below.
2.1 Website visitor data
Data processed: IP address, access data (date/time, pages visited, browser, operating system).
Purpose: ensuring the technical operation of the website, security, abuse prevention (bots, attacks) and the production of internal aggregated and anonymised statistics.
Legal basis: legitimate interest of the controller (Article 6(1)(f) GDPR), namely the interest in information system security and in providing a functional web service. This interest has been balanced against the rights and freedoms of data subjects and considered prevailing, given the non-invasive and strictly technical nature of the processing.
Retention period: technical records (server logs) — maximum 30 days, unless longer retention is needed for security reasons or to comply with a legal obligation.
2.2 Booking data
Data processed: name, telephone number, email, number of people, intended date and time, comments or special requests (including any allergies or dietary restrictions when voluntarily provided by the customer), payment-related data where applicable (we do not store card data — payment is processed by the relevant payment service provider).
Purpose: managing the booking, contacting the customer, providing the restaurant and performance service, issuing tax documentation, managing waiting lists and cancellations.
Legal basis: performance of a contract or pre-contractual steps taken at the data subject's request (Article 6(1)(b) GDPR). For invoicing, compliance with a legal obligation (Article 6(1)(c) GDPR) under the Portuguese VAT Code and Commercial Code.
Data relating to allergies and dietary restrictions are considered health data (special category, Article 9 GDPR) and processed on the basis of explicit consent given by the data subject when voluntarily providing them, and only to the extent strictly necessary for the safe provision of the service.
Retention period: booking data is kept for the period necessary for the provision of the service and during the applicable legal periods — in particular 10 years for tax documents (Article 123(4) of the Portuguese Corporate Income Tax Code and Article 52 of the VAT Code). Non-tax data (e.g. notes on preferences) is deleted or anonymised within a maximum of 5 years after the last interaction, unless the data subject has previously objected.
2.3 Contact data sent by form or email
Data processed: name, email, telephone (if provided), message content.
Purpose: responding to the contact request.
Legal basis: performance of pre-contractual steps or legitimate interest in responding to information requests (Article 6(1)(b) and (f) GDPR).
Retention period: up to 2 years after the last contact, unless the interaction has resulted in a contractual relationship, in which case the period in section 2.2 applies.
2.4 Data in the complaint book
Data processed: data provided by the consumer in the complaint book (electronic or paper).
Purpose: handling the complaint under applicable law.
Legal basis: compliance with a legal obligation (Decree-Law No. 74/2017).
Retention period: the applicable legal periods, normally 3 years after closure of the case, without prejudice to longer periods that may arise from the defence of rights in legal proceedings.
3. Recipients of the data
Personal data is processed by authorised employees of José de Oliveira, Lda. and may be transmitted to the following categories of recipients, always strictly to the extent necessary:
- Technical processors, with whom we have entered into the data processing agreements required by Article 28 GDPR:
- Akamai Technologies, Inc. / Linode — website and database hosting (server located in a data centre within the European Union)
- Cloudflare, Inc. — DNS, CDN and attack protection services provider (with sub-processors in the EU and US)
- Payment service providers, where applicable (each provider is an independent controller of the payment data it processes).
- Portuguese Tax and Customs Authority, in compliance with tax obligations.
- Lisbon Consumer Arbitration Centre, where applicable to ADR cases.
- Courts and public authorities, when legally required.
We do not sell, rent or transfer personal data to third parties for commercial purposes.
4. International transfers
Data is generally processed within the European Economic Area (EEA).
Transfers outside the EEA may occur in the context of processor services (in particular, Cloudflare, headquartered in the US). Such transfers are covered by the legal mechanisms set out in Chapter V GDPR, namely the EU-US Data Privacy Framework and/or the Standard Contractual Clauses approved by the European Commission.
5. Data subject rights
Under Articles 15 to 22 GDPR, the data subject has the right to:
- Access their personal data and obtain information about the processing
- Rectification of inaccurate or incomplete data
- Erasure ("right to be forgotten"), under the conditions of Article 17 GDPR
- Restriction of processing, under the conditions of Article 18 GDPR
- Data portability, under the conditions of Article 20 GDPR
- Object to processing based on legitimate interest, under the conditions of Article 21 GDPR
- Withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of prior processing
- Not be subject to automated decisions with significant effects, under Article 22 GDPR (we do not carry out this kind of processing)
These rights may be exercised by sending a request to [email protected], with sufficient identification to allow us to confirm the requester's identity. We will respond within a maximum of one month, extendable up to three months in complex cases, under Article 12(3) GDPR.
6. Right to lodge a complaint with the supervisory authority
The data subject has the right to lodge a complaint with the competent supervisory authority:
Portuguese Data Protection Authority (CNPD)
Av. D. Carlos I, 134, 1.º
1200-651 Lisbon
Telephone: (+351) 213 928 400
Email: [email protected]
Website: www.cnpd.pt
7. Security
José de Oliveira, Lda. adopts appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or alteration, namely: hosting on secure infrastructure, encrypted communications (HTTPS/TLS) across the entire website, access controls with authentication, logging of operations, regular backups, and periodic review of procedures.
In the event of a personal data breach posing a risk to the rights and freedoms of data subjects, we will notify the CNPD within 72 hours of becoming aware of the breach, under Article 33 GDPR, and the affected data subjects when Article 34 applies.
8. Cookies
The policy on cookies and similar technologies is set out in a separate document: Cookie Policy.
9. Minors
The services are not specifically directed at minors. Bookings are typically made by adults. We do not knowingly collect data from minors under 16 without the consent of those holding parental responsibility. If you become aware that this has occurred, please contact us at [email protected] for deletion.
10. Changes to this policy
This policy may be updated at any time. The version in force is always the one published on this website, with an indication of the date of the last update. Material changes will be highlighted prominently.