Privacy Policy

1. Introduction

Zeah Property Investments, Lda. ("Zeah", "we", "us", or "our") is committed to protecting the privacy and personal data of our clients, tenants, website visitors, and business partners. As a property management company operating in Portugal and the European Union, we fully comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Portuguese Data Protection Law (Lei n.o 58/2019).

This Privacy Policy explains how we collect, use, store, and protect your personal data when you interact with us through our website, contact forms, property management services, or any other means.

2. Data Controller

The data controller responsible for processing your personal data is:

If you have any questions or concerns about how we handle your personal data, you may contact us at any time using the details above.

3. Personal Data We Collect

We collect and process various categories of personal data depending on your relationship with us. These include:

3.1 Property Owner Data

• Full name and contact details (email, telephone, address)
• Tax identification number (NIF) and fiscal residency status
• Bank account and payment information (IBAN)
• Copies of identification documents (Cartao de Cidadao, passport)
• Property ownership documentation and caderneta predial details
• Signed management contracts and correspondence

3.2 Tenant and Guest Data

• Full name, date of birth, and nationality
• Contact details (email, telephone)
• Identification documents (as required by Portuguese law for SEF/immigration reporting)
• Rental agreement details and payment records
• Check-in and check-out dates

3.3 Property Data

• Property address, typology, and registration details
• Alojamento Local (AL) or long-term rental licence numbers
• Energy performance certificates
• Photographs of properties (interior and exterior)
• Maintenance records and inspection reports

3.4 Website and Contact Form Data

• Name and email address provided via our contact form
• Message content and subject of enquiry
• IP address, browser type, and device information (collected automatically)
• Pages visited and interaction data on our website

4. Legal Basis for Processing

Under Article 6 of the GDPR, we process your personal data based on one or more of the following legal grounds:

• Contractual Necessity — Processing is necessary for the performance of a property management contract between you and Zeah, or to take pre-contractual steps at your request.
• Legal Obligation — Processing is required to comply with Portuguese and EU legal requirements, including tax reporting to Autoridade Tributaria e Aduaneira (Financas), guest registration with SEF, and anti-money laundering regulations.
• Legitimate Interest — Processing is necessary for our legitimate business interests, such as improving our services, maintaining property security, and communicating with clients, provided these interests do not override your fundamental rights.
• Consent — Where you have given clear, informed consent for specific processing activities, such as receiving marketing communications or newsletters. You may withdraw your consent at any time.

5. How We Use Your Data

We use the personal data we collect for the following purposes:

• Managing properties on behalf of owners, including tenant sourcing, rent collection, and property maintenance coordination
• Preparing and executing rental and management agreements
• Issuing invoices, processing payments, and managing financial records
• Complying with Portuguese tax obligations, including IRS/IRC reporting and recibos de renda
• Registering guests with the Portuguese immigration authorities (SEF) as required by law
• Communicating with property owners about their investments, occupancy, and financial performance
• Coordinating maintenance, repairs, and property inspections with contractors
• Responding to enquiries submitted through our website contact form
• Improving our website functionality, user experience, and service offerings
• Sending marketing communications where consent has been provided

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. However, we may share your data with the following categories of recipients when necessary:

6.1 Portuguese Authorities

• Autoridade Tributaria e Aduaneira (Financas) — Tax declarations, income reporting, and fiscal compliance
• SEF / AIMA — Guest and tenant registration as required by immigration law
• Camara Municipal — Licensing matters related to Alojamento Local or rental permits

6.2 Service Providers

• Maintenance and repair contractors engaged for property upkeep
• Cleaning service providers
• Accounting and legal professionals assisting with financial and regulatory compliance
• Website hosting and IT service providers
• Payment processing partners

6.3 Booking Platforms

• Where properties are listed on third-party platforms (e.g., Airbnb, Booking.com), limited data may be exchanged as necessary for managing bookings

All third-party service providers are contractually bound to process data in accordance with the GDPR and to implement appropriate security measures.

7. International Data Transfers

Your personal data is primarily processed and stored within the European Economic Area (EEA). In the event that data is transferred to a country outside the EEA, we ensure that adequate safeguards are in place, such as:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules where applicable

We will never transfer your data to a third country without ensuring an appropriate level of protection in compliance with Article 46 of the GDPR.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention periods are:

• Property management contracts and related records — Retained for the duration of the contract plus 10 years, in compliance with Portuguese commercial and tax law
• Tax and financial records — Retained for a minimum of 10 years as required by the Portuguese Tax Code (Codigo Fiscal)
• Tenant and guest records — Retained for the duration of the tenancy plus 5 years, or as required by SEF regulations
• Contact form enquiries — Retained for up to 2 years unless a business relationship is established
• Website analytics data — Retained for up to 26 months in anonymised or pseudonymised form
• Marketing consent records — Retained for as long as consent remains active, plus 3 years

When personal data is no longer required, it is securely deleted or anonymised.

9. Cookies & Tracking Technologies

Our website may use cookies and similar technologies to enhance your browsing experience. Cookies are small text files stored on your device that help us understand how visitors use our site.

9.1 Types of Cookies We Use

• Strictly Necessary Cookies — Essential for the website to function correctly (e.g., language preferences, session management). These do not require consent.
• Analytics Cookies — Help us understand visitor behaviour and improve our website. These are only placed with your consent.
• Functional Cookies — Remember your preferences and settings to provide a more personalised experience.

9.2 Managing Cookies

You can manage or disable cookies through your browser settings at any time. Please note that disabling certain cookies may affect website functionality. For more information on managing cookies, visit allaboutcookies.org.

10. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR. You may exercise any of these rights by contacting us at info@zeah.pt.

• Right of Access (Article 15) — You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request a copy of that data.
• Right to Rectification (Article 16) — You have the right to request the correction of inaccurate personal data or the completion of incomplete data.
• Right to Erasure (Article 17) — You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to legal retention requirements.
• Right to Restriction of Processing (Article 18) — You have the right to request that we limit how we use your data in certain circumstances.
• Right to Data Portability (Article 20) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to Object (Article 21) — You have the right to object to processing based on legitimate interests or direct marketing at any time.
• Right to Withdraw Consent — Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

We will respond to all rights requests within 30 days of receipt. If a request is particularly complex, we may extend this period by an additional 60 days, and we will inform you accordingly.

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Portuguese Data Protection Authority:

11. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These measures include:

• SSL/TLS encryption for all data transmitted through our website
• Secure, access-controlled storage of physical and digital records
• Regular security reviews and updates to our systems and processes
• Restricted access to personal data on a need-to-know basis among our team
• Confidentiality agreements with all employees and contractors who handle personal data
• Secure disposal of personal data when it is no longer required

While we strive to protect your personal data, no method of transmission or storage is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the CNPD within 72 hours and inform affected individuals without undue delay, as required by Articles 33 and 34 of the GDPR.

12. Children's Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a minor without appropriate parental consent, we will take immediate steps to delete that data. If you believe that a child's personal data has been provided to us, please contact us at info@zeah.pt.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make material changes, we will update the "Effective Date" at the top of this page. We encourage you to review this policy periodically.

Where significant changes affect the way we process your data, we will endeavour to notify you directly via email or through a prominent notice on our website.

14. Contact Information

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or need to report a concern, please contact us:

We aim to respond to all enquiries and data subject requests within 30 days.