Privacy Policy
Last updated: 4/2/2026
Multipark is deeply committed to protecting and respecting your privacy and personal data. This comprehensive Privacy Policy explains in detail how we collect, use, store, share, and protect your personal information when you use our parking and valet parking services. We are in full compliance with the European Union's General Data Protection Regulation (GDPR) and other applicable personal data protection legislation.
Multipark collects various types of personal information necessary to provide our services effectively and in a personalized manner. The information we collect includes: Identification Data - full name, date of birth, identification document number (when legally required); Contact Data - email address, phone number, postal address; Vehicle Data - license plate, make, model, color, and year of manufacture of the vehicle; Account Data - username, encrypted password, communication preferences; Booking Data - booking history, dates and times of use, preferred locations; Payment Data - transaction information (we do not store complete credit card data); Navigation Data - IP address, browser type, operating system, pages visited, time spent, referral source; Location Data - when authorized, we collect geolocation data to facilitate finding nearby parking; Communications - content of your communications with us via email, chat, or phone; and Preferences - language, preferred parking type, favorite vehicles. The legal bases for processing your data include: contract performance (to process bookings and provide services), explicit consent (for marketing communications and non-essential cookies), legitimate interests (to improve services and prevent fraud), and compliance with legal obligations (for tax and accounting requirements). You have the right to withdraw consent at any time, without compromising the lawfulness of processing based on consent before its withdrawal. We do not save or store your complete payment information (card number, CVV) on our servers, as this data is processed exclusively by our PCI-DSS certified payment partners.
Multipark uses the personal information collected for multiple essential purposes related to providing, improving, and personalizing our services. Main uses include: Service Provision - create, manage, and process your parking reservations; facilitate premium valet parking services with vehicle pickup and delivery; provide updated and accurate information about garages, parking lots, and facilities in various cities; confirm space availability in real-time; securely process payments through our certified partners; issue receipts, invoices, and booking confirmations; and provide efficient and personalized customer support. Communications - send booking confirmations via email and SMS; notify about changes in booking status; provide check-in and check-out reminders; respond to your questions and support requests; send important updates about services; and communicate changes to these terms and policies. Marketing (with consent) - send newsletters with news and tips; inform about special promotions and exclusive discounts; share personalized offers based on usage history; and conduct satisfaction surveys and collect feedback. Service Improvement - analyze usage patterns to optimize the platform; identify and fix technical issues; develop new features based on user needs; test and implement interface improvements; and perform statistical analysis with aggregated and anonymized data. Security and Fraud Prevention - detect and prevent fraudulent or suspicious activities; protect against unauthorized access and security breaches; verify identities when necessary; investigate terms of service violations; and comply with legal and regulatory obligations. Personalization - adapt user experience based on preferences; suggest relevant locations based on history; offer personalized service recommendations; and save settings and preferences for future visits. 
We never use your data for purposes incompatible with those for which they were originally collected without obtaining your prior consent.
Multipark may share your personal information with carefully selected third parties, but only to the extent strictly necessary to provide our services, comply with legal obligations, or protect our legitimate rights. We never sell, rent, or trade your personal information to third parties for direct marketing purposes. Categories of recipients with whom we may share data include: Parking Operators - we share essential booking information (name, contact, license plate, dates) with selected parking lot operators to facilitate your booking and ensure a hassle-free experience. Payment Processors - Google Pay and Stripe (to process payments via Google Pay, Apple Pay, and international cards) and SIBS/UNICRE (to process payments via MB Way, Multibanco, and national cards). These partners are PCI-DSS certified and process payments securely without us storing your complete card data. Technology Service Providers - Google LLC (for Google Maps services, Google Analytics for web traffic analysis, Firebase for authentication and notifications, and Google Cloud Platform for hosting); Amazon Web Services (for secure data storage and cloud infrastructure); SendGrid or Mailchimp (for sending transactional and marketing emails); Twilio (for sending SMS and message notifications); and customer relationship management (CRM) system providers. Professional Service Providers - legal consultants, accountants, and auditors when necessary for professional advice; cybersecurity companies for audits and penetration testing; and digital marketing agencies (with anonymized data). Authorities and Regulatory Entities - tax and revenue authorities for legal obligation compliance; law enforcement when legally required by court order; data protection authorities upon legitimate request; and courts in legal proceedings when legally mandatory. 
Business Partners - in case of merger, acquisition, asset sale, or business restructuring, your data may be transferred to the successor entity, with you being duly notified. All third parties with whom we share data are contractually obligated to protect your information, use it only for specific agreed purposes, and comply with all applicable data protection laws. We implement data processing agreements in compliance with GDPR with all our processors.
The security and protection of your personal data is an absolute priority for Multipark. We implement rigorous state-of-the-art technical, organizational, and physical security measures to protect your information against unauthorized access, alteration, disclosure, destruction, loss, or accidental damage. Our security measures include: Technical Measures - 256-bit SSL/TLS encryption for all communications and data transmissions between your device and our servers; encryption of sensitive data at rest in our databases; web application firewalls (WAF) for protection against cyber attacks; intrusion detection and prevention systems (IDS/IPS); multi-factor authentication (MFA) for administrative access; cryptographic hashing of passwords using bcrypt or Argon2 algorithms; continuous 24/7 security monitoring with automatic alerts; regular encrypted backups with retention in multiple geographic locations; network isolation and system segmentation; and DDoS attack protection. Organizational Measures - strict role-based access control (RBAC) policies, ensuring that only authorized employees with legitimate need access data; mandatory regular training in information security and data protection for all employees; non-disclosure agreements (NDA) signed by all staff and service providers; documented security incident management procedures; regular internal compliance and security audits; periodic reviews of security policies and procedures; and vulnerability management program with annual penetration tests performed by independent entities. Physical Measures - ISO 27001 and SOC 2 certified data centers with rigorous physical access controls; 24/7 video surveillance of facilities; fire detection and automatic suppression systems; redundant power supply with backup generators; and environmental control (temperature and humidity). Despite implementing industry best security practices, no method of transmission over the Internet or electronic storage is 100% secure. 
While we strive to protect your personal data, we cannot guarantee absolute security. In case of a data breach that may pose a high risk to your rights and freedoms, we will notify you and the competent data protection authority within the legal deadline of 72 hours, as required by GDPR.
In compliance with the General Data Protection Regulation (GDPR) and other applicable legislation, you have several fundamental rights regarding your personal data, which Multipark fully respects. Your rights include: Right of Access - you have the right to obtain confirmation about whether or not we process your personal data and, if so, access it and receive a copy of the information we hold about you. Right to Rectification - you can request correction of inaccurate or incomplete personal data, ensuring we maintain accurate and up-to-date information. Right to Erasure ('Right to be Forgotten') - in certain circumstances, you can request deletion of your personal data, namely when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, when you object to processing, or when data was processed unlawfully. Right to Restriction of Processing - you can request restriction of processing of your data in certain situations, such as when you contest data accuracy or object to deletion. Right to Data Portability - you have the right to receive your personal data in a structured, commonly used, and machine-readable format (for example, CSV or JSON) and to transmit it to another controller. Right to Object - you can object to processing of your personal data based on legitimate interests, including objection to processing for direct marketing purposes, in which case we will cease processing. Right to Withdraw Consent - when processing is based on consent, you can withdraw it at any time, without compromising the lawfulness of processing performed before withdrawal. Right Not to be Subject to Automated Decisions - you have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. 
Right to Lodge a Complaint - you have the right to lodge a complaint with the competent supervisory authority (in Portugal, the National Data Protection Commission - CNPD) if you consider that processing of your data violates GDPR. To exercise any of these rights, please contact us via email at info@multipark.pt or through the contact form available on the website, clearly identifying the right you wish to exercise. We will respond to your request within a maximum of one month, which may be extended by another two months in cases of particular complexity, with you being duly informed. We may request additional information to confirm your identity before processing the request, as a security measure. We do not charge any fee for exercising your rights, except in case of manifestly unfounded or excessive requests.
Multipark's website and applications use cookies and similar technologies (such as web beacons, pixels, local storage, and session storage) to provide a superior, personalized, and secure user experience, analyze site traffic, understand usage patterns, and optimize platform performance. A cookie is a small text file stored on your device (computer, tablet, or smartphone) when you visit a website. Cookies allow the website to recognize your device on subsequent visits. We use the following types of cookies: Strictly Necessary Cookies (Essential) - these cookies are absolutely essential for basic website functioning and to provide services you request. They include authentication cookies to keep your session active, security cookies for fraud protection, load balancing cookies to distribute traffic across servers, and interface cookies to remember your language preferences. These cookies do not require consent as they are technically necessary. Performance and Analytics Cookies - used to collect information about how visitors use the website, including most visited pages, time spent, bounce rate, and navigation paths. We use Google Analytics and similar tools for aggregated statistical analysis that helps us improve site structure and content. This data is anonymized and does not individually identify users. Functionality Cookies - allow the website to remember choices you make (such as username, language, region, saved vehicles) and provide enhanced and more personalized features. For example, they can remember parking lots you visited or your viewing preferences. Marketing and Advertising Cookies - used to deliver ads relevant to you and your interests. They also limit the number of times you see an ad and help measure campaign effectiveness. These cookies track your browsing activity across different websites. They include social network cookies (Facebook, Instagram, LinkedIn) and advertising platforms (Google Ads, Facebook Ads). 
You have full control over cookies and can manage your preferences through our cookie consent banner that appears on first site visit, or by changing your web browser settings. You can configure the browser to block all cookies, accept only first-party cookies, or receive notifications when a cookie is sent. Note that disabling cookies may affect website functionality and prevent access to certain features. For more information on how to manage cookies in popular browsers, visit: www.aboutcookies.org or www.allaboutcookies.org. Cookie duration varies: session cookies are temporary and deleted when you close the browser, while persistent cookies remain on the device until they expire or are manually deleted.
In the context of providing our parking and valet parking services, your personal information may, in certain circumstances, be transferred to and processed in countries located outside the European Economic Area (EEA), namely countries that may have different levels of data protection from those in force in the European Union. This may occur when we use cloud service providers, technology partners, or service providers based in non-EEA jurisdictions, including the United States of America. When we make international data transfers, Multipark commits to taking all necessary and appropriate measures to ensure that your personal data receives an adequate and appropriate level of protection, equivalent to that ensured within the EEA, in full compliance with GDPR. The safeguards we implement include: Adequacy Decisions - whenever possible, we transfer data only to countries that the European Commission has recognized as providing an adequate level of data protection through formal adequacy decisions. Standard Contractual Clauses (SCC) - when we transfer data to countries without an adequacy decision, we use Standard Contractual Clauses approved by the European Commission, which are standardized contractual provisions that oblige data recipients to adequately protect it. Certifications and Codes of Conduct - we preferably work with partners who have recognized data protection certifications, such as ISO 27001, SOC 2, or who adhere to approved codes of conduct. Transfer Impact Assessments - we conduct supplementary transfer impact assessments to verify whether the destination country's laws and practices ensure effective protection. Supplementary Technical Measures - we implement additional security measures, such as strong end-to-end encryption, pseudonymization, and data minimization, to reinforce protection during international transfers.
EU-US Data Privacy Framework Agreement - when applicable, we rely on companies certified under the EU-US data privacy framework for transfers to the United States. You have the right to obtain more information about the specific international transfers we make and the implemented safeguards. For this, contact us at info@multipark.pt. We continuously strive to minimize international data transfers, processing information within the EEA whenever technically and economically viable.
Multipark takes the protection of children's and minors' online privacy and security very seriously. Our parking and valet parking booking services are not directed to, intended for, or designed for use by minors under 18 years of age. We do not intentionally collect, solicit, or process personal information from children or adolescents under 18 years of age without express and verifiable parental or legal guardian consent. If you are under 18 years old, please do not use our services, do not create an account on the Multipark platform, and do not provide us with any personal information (including name, address, phone number, or email address). If you are a parent or legal guardian and believe that your minor child has provided us with personal information without your knowledge or consent, please contact us immediately via email at info@multipark.pt or through other provided contact channels. Upon becoming aware that we have inadvertently collected personal data from a child under 18 without appropriate parental consent, we will take immediate steps to delete such information from our systems and databases as soon as possible, normally within 72 hours after verification. We implement age verification processes during account registration to minimize the risk of minors accessing our services. In compliance with GDPR, we recognize that consent to data processing of minors under 16 years (or lower age defined by Member States, not less than 13 years) must be given or authorized by holders of parental responsibilities. We encourage parents and guardians to actively monitor their children's Internet use and educate them about the importance of not sharing personal information online without parental supervision. If you have questions about children's privacy or our practices in this area, please do not hesitate to contact us. We are committed to fully cooperating with parents, guardians, and relevant authorities to protect children's online privacy and security.
Multipark retains your personal data only for the period strictly necessary to fulfill the purposes for which it was collected, to satisfy legal, regulatory, tax, accounting, or reporting requirements, to resolve disputes, and enforce our contractual agreements. Specific retention periods vary depending on data category and processing purpose: Active Account Data - while your account remains active and you continue to use our services, we retain your registration, profile, and preference data. If the account becomes inactive (without login) for a period exceeding 3 years, we may delete or anonymize data after prior notification. Booking and Transaction Data - we retain information about bookings, parking history, and payment transactions for a minimum period of 7 years after the transaction date, to comply with tax and accounting legal obligations as required by Portuguese legislation. This period may be extended if necessary for defense of rights in legal proceedings. Communication Data - emails, chat messages, and telephone call recordings (when applicable and duly informed) are retained for a period of up to 2 years for service quality, training, and dispute resolution purposes. Marketing Data - if you have consented to receive marketing communications, we retain your contact data until you withdraw consent through the unsubscribe link or by contacting us directly. Cookie and Analytics Data - analytics and marketing cookies automatically expire after defined periods (normally between 30 days and 2 years, depending on type). Security and Logs Data - access logs, security logs, and fraud prevention data are retained for up to 1 year to ensure platform security and investigate incidents. Data After Account Deletion - when you request account deletion, we proceed with deletion or irreversible anonymization of your personal data within 30 days, except information we must legally retain (for example, for tax purposes). 
Backups - deleted data may remain in encrypted security backups for up to an additional 90 days before being permanently erased in the next backup rotation cycle. After the applicable retention periods end, personal data will be securely and irreversibly deleted or anonymized so that it can no longer be associated with you. We apply secure deletion techniques including multiple data overwriting, cryptographic key destruction, and physical degaussing when appropriate. You can request information about specific retention periods applicable to your data by contacting us at info@multipark.pt.
Multipark values transparency and is fully available to clarify any questions, concerns, or issues you may have about our Privacy Policy, personal data processing practices, or how to exercise your data protection rights. We strongly encourage you to contact us if you have questions or concerns. Main Contacts: Privacy and Data Protection Email: privacy@multipark.pt or info@multipark.pt; Contact Form: available in the 'Contact Us' section of our website www.multipark.pt; Phone: +351 965 041 858 (hours: Monday to Friday, 9am-6pm); Postal Mail: Multipark - Parking Management, Ltd., Data Protection Department, Example Street, 123, 1000-001 Lisbon, Portugal. Data Protection Officer (DPO): Multipark has appointed a Data Protection Officer responsible for overseeing data protection issues and ensuring GDPR compliance. You can contact our DPO directly for specific privacy questions via email at dpo@multipark.pt. The DPO is available to: answer questions about how your data is processed; assist in exercising your data subject rights; receive and investigate privacy-related complaints; advise on data protection impact assessments; cooperate with the supervisory authority; and act as a contact point between Multipark and data protection authorities. We will respond to all privacy-related inquiries within a maximum of 30 days. For more complex requests, we may need additional time, with you being duly informed.
Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of alleged infringement, if you consider that processing of your personal data by Multipark violates GDPR or other applicable legislation. In Portugal, the competent authority is: National Data Protection Commission (CNPD); Address: Av. D. Carlos I, 134, 1º, 1200-651 Lisbon, Portugal; Phone: +351 213 928 400; Fax: +351 213 976 832; Email: geral@cnpd.pt; Website: www.cnpd.pt. While you have the right to directly contact the supervisory authority, we appreciate the opportunity to first resolve any concerns you may have. Please contact us before filing a formal complaint so we can attempt to resolve the issue amicably and satisfactorily. We are committed to working with you and relevant authorities to resolve any privacy concerns fairly, quickly, and transparently.