Privacy policy

Last updated · 2026-05-02

This policy explains how Ericeira Review handles personal data for visitors, account holders, reviewers and business owners. It also covers newsletter subscribers and people who contact us.

1. Controller and contact

Ericeira Review is operated by David Dacruz. For privacy requests, data-rights requests, account questions, or legal questions, use the contact form and choose privacy/data request.

No Data Protection Officer is appointed for this project.

2. Personal data we process

  • Account data: email address, display name, authentication provider, profile details, public profile settings, and account timestamps.
  • User content: reviews, ratings, listings, replies, announcements, community posts, images, tags, and public profile content you submit.
  • Business and claim data: business email, listing links, ownership notes, verification details, and dashboard settings.
  • Contact and support data: name, email, topic, listing URL, message content, and related admin notes.
  • Newsletter data: email address and signup source.
  • Analytics data: where consent is given, page views, clicks, referrer, device type, session identifier, user agent, and aggregate listing performance data.
  • Assistant and security data: assistant messages, responses, selected result cards, timestamps, account ID when signed in, hashed IP/user-agent derived identifiers, rate-limit state, and abuse-prevention audit logs.
  • Browser storage: consent choices, auth/session state, language preference, pending form recovery, dismissed UI prompts, and other explicit preferences.

3. Purposes and legal bases

  • Provide the service: accounts, reviews, listings, profiles, owner dashboards, Marvin knowledge, and community features. Legal basis: contract or steps requested before a contract.
  • Moderation and safety: review approval, fraud prevention, rate limiting, security logs, abuse detection, and platform integrity. Legal basis: legitimate interests and legal obligations where applicable.
  • Business support: claim verification, corrections, partner/editorial requests, and contact replies. Legal basis: legitimate interests and requested pre-contract communication.
  • Newsletter: local updates and editorial content. Legal basis: consent, which can be withdrawn.
  • Analytics: site-wide traffic and listing performance insights. Legal basis: consent for non-essential analytics storage and tracking.
  • Legal compliance: responding to data-rights requests and keeping necessary records. Legal basis: legal obligation.

4. Retention

We keep personal data only as long as needed for the purpose collected, unless a longer period is required for legal, security, or dispute reasons.

  • Newsletter data is kept until you unsubscribe or request deletion.
  • Contact and claim messages are kept only as long as needed for support, verification, admin records, and dispute handling.
  • Assistant audit and rate-limit logs are kept for limited abuse-prevention, quality, debugging, and audit purposes.
  • Analytics data is used for aggregate business and product insight and is not sold.
  • Account content remains while your account or submitted public content remains active, subject to moderation, deletion, or legal retention needs.

5. Processors and recipients

We use service providers to operate the site, including Supabase for database, authentication, storage, and serverless functions; Netlify or the active hosting provider for hosting and edge functions; Google services for OAuth, Places data, Tag Manager, and Analytics where enabled; Gemini/Google AI services for assistant features where enabled; and Sentry if error reporting is configured.

Data may be processed outside Portugal or the European Economic Area depending on the provider and configuration. Where required, transfers rely on appropriate safeguards such as contractual protections and provider transfer mechanisms. We do not sell personal data.

6. Your rights

Under GDPR, you may have the right to access, rectify, or erase your personal data; to restrict or object to processing; to data portability; to withdraw consent; and to lodge a complaint with a supervisory authority. In Portugal, the supervisory authority is the CNPD.

To exercise rights, use the privacy/data request contact form. We aim to respond within one month. We may need enough information to verify your identity before acting on a request.

Signed-in users can also request account deletion from account settings. Account deletion removes the authentication user and cascades related profile data where configured, but some public content, moderation records, backups, or legal records may need separate handling.

7. Cookies and analytics choices

Essential storage is used to make the site work. Analytics storage and scripts are optional and only run after consent. You can review or change choices on the cookie policy.

8. Changes

We may update this policy as the site, providers, or legal requirements change. The latest update date appears at the top of this page.