Privacy & Cookie Policy

1. Who We Are

Gracious Summit Unipessoal LDA ("Gracious Summit", "we", "us", "our") is a travel agency and Destination Management Company (DMC) incorporated and registered in Portugal.

Registered address: Rua Independência 3, São João de Talha, Santa Iria, 2695-773 Lisboa, Portugal
EU VAT number: PT518961001
Company registration: 518961001
Data Controller contact: info@gracioussummit.com

For the purposes of the EU General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 – and applicable Portuguese data-protection legislation, Gracious Summit Unipessoal LDA is the data controller.

2. Personal Data We Collect

2.1 Information you provide directly

• Identity data: full name, passport or ID number (for bookings)
• Contact data: email address, telephone number, WhatsApp number
• Travel data: travel dates, destination preferences, group size, special dietary or accessibility requirements
• Financial data: payment card details processed via our secure payment processor; we do not store card numbers
• Communications: messages, enquiries and feedback you send us via forms, email, WhatsApp or telephone
• Marketing preferences: whether you have opted in to receive our newsletter and promotional content

2.2 Information collected automatically

• Technical data: IP address, browser type and version, time zone, browser plug-in types, operating system and platform
• Usage data: pages visited, links clicked, referral URLs, session duration
• Cookie data: see Section 10 below

2.3 Information from third parties

• Booking confirmations or passenger details from airline and accommodation partners where you have booked through us
• Analytics data from Google Analytics 4

3. How We Collect Your Data

• Enquiry and contact forms on this website (including our quote request, contact and newsletter forms)
• Email and telephone communications with our team
• WhatsApp messages sent to our business number
• Booking and payment processes when you purchase a tour, package or cruise
• Cookies and tracking technologies when you browse our website (see Section 10)
• Publicly available sources such as LinkedIn for B2B partnership enquiries

4. How We Use Your Personal Data

5. Legal Basis for Processing

We rely on the following legal bases under GDPR Article 6:

• Contract (Art. 6(1)(b)): processing is necessary to perform a contract with you (e.g. fulfil a booking).
• Legitimate interests (Art. 6(1)(f)): we have a legitimate business interest in responding to enquiries, improving our services and preventing fraud, provided these interests are not overridden by your rights.
• Legal obligation (Art. 6(1)(c)): we are required to retain certain financial and booking records by Portuguese law and EU Package Travel Directive (2015/2302/EU).
• Consent (Art. 6(1)(a)): for marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

6. Sharing Your Personal Data

We do not sell, rent or trade your personal data. We may share your data with the following categories of recipients:

• Travel suppliers: airlines (e.g. Emirates, TAP Air Portugal, Qatar Airways, Turkish Airlines, Air India, Etihad, Ryanair), hotels, cruise lines (MSC, Costa, Royal Caribbean, P&O, Norwegian), transfer and excursion operators — to fulfil your booking
• Payment processors: Stripe Inc. or similar PCI-DSS-compliant processors, for secure card payments
• IT and cloud service providers: website hosting, email and CRM platforms
• Analytics providers: Google Analytics 4 (pseudonymised data only)
• Professional advisers: lawyers, accountants and insurers under duties of confidentiality
• Regulatory bodies: Turismo de Portugal, tax authorities (AT) and law enforcement, where required by law

7. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). Whenever we transfer personal data internationally, we ensure an adequate level of protection is in place through:

• EU Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with an EU adequacy decision
• Binding Corporate Rules where applicable

In particular, Google Analytics data may be processed in the United States under the EU–US Data Privacy Framework.

8. Data Retention

9. Your Rights Under GDPR

Under the GDPR you have the following rights in relation to your personal data:

• Right of access (Art. 15): request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17): request deletion of your data where there is no compelling reason for us to continue processing it.
• Right to restrict processing (Art. 18): ask us to pause processing your data in certain circumstances.
• Right to data portability (Art. 20): receive a copy of your data in a structured, machine-readable format.
• Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: where processing is based on consent, withdraw it at any time by emailing us or clicking the unsubscribe link in any marketing email.
• Right to lodge a complaint: you have the right to complain to the Portuguese data protection authority, the Comissão Nacional de Proteção de Dados (CNPD), at www.cnpd.pt.

To exercise any of the above rights, please email info@gracioussummit.com. We will respond within 30 days. We may need to verify your identity before fulfilling your request.

10. Cookie Policy

10.1 What are cookies?

Cookies are small text files placed on your device when you visit a website. They allow the site to recognise your device and remember certain information about your visit.

10.2 Cookies we use

10.3 Managing cookies

You can control and delete cookies through our cookie consent banner (shown on first visit) or by adjusting your browser settings. Please note that disabling cookies may affect the functionality of this website.

• Chrome
• Firefox
• Safari
• Microsoft Edge

To opt out of Google Analytics across all websites, install the Google Analytics Opt-out Browser Add-on.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or damage. These include:

• HTTPS/TLS encryption for all data in transit
• Access controls and employee data-handling training
• PCI-DSS compliant payment processing (Stripe)
• Regular security reviews and software updates

Although we take reasonable precautions, no transmission over the internet is entirely secure. Please contact us immediately at info@gracioussummit.com if you suspect any unauthorised use of your personal data.

12. Children's Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent. If you believe we have inadvertently collected data about a child, please contact us immediately and we will delete it.

When booking travel on behalf of minors (under 18), a parent or legal guardian must provide consent and accept these terms on the child's behalf.

13. Changes to This Policy

We may update this Privacy & Cookie Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email (if you have provided one) or by posting a prominent notice on our website. The "Last updated" date at the top of this page will always reflect the most recent revision.

We encourage you to review this policy periodically.

14. How to Contact Us / Data Protection Officer

For any questions, concerns or requests relating to this policy or your personal data, please contact us: