Privacy Policy
Privacy Policy
Last updated:
Your privacy matters. This policy explains what data we collect when you book parking or shuttle for Rock in Rio Lisboa at Parque Tejo, why we use it, and your rights under the EU General Data Protection Regulation (GDPR).
Who controls your data
The controller of your personal data is the entity operating Check-in Park, located near Lisbon Airport, Portugal.
For any privacy-related question, write to geral@checkinpark.pt.
What data we collect
Only what is strictly necessary:
- Identity: name.
- Contact: email and mobile phone number.
- Vehicle: licence plate. If unknown (rental car), «to be defined» is accepted and you update it up to 24h before the concert.
- Tax ID (optional): requested only at exit, if you want an invoice.
- Booking: concert date, chosen plan, language.
- Payment at exit: method (cash, MBWay or card) and amount. We do not store card data — the terminal connects directly to the bank.
- Operational: entry/exit times.
- Marketing & analytics (consent-based only): UTM parameters, Google Analytics 4, Meta Pixel.
Why we use your data
- Booking management and on-site service.
- Operational communication: confirmation email, important notices, customer support.
- Marketing & analytics (optional consent): measure our ads and improve the site.
- Legal compliance: tax retention of invoices.
Legal basis
- Contract performance (Art. 6(1)(b) GDPR) — booking data.
- Explicit consent (Art. 6(1)(a) GDPR) — marketing/analytics cookies.
- Legal obligation (Art. 6(1)(c) GDPR) — invoice retention.
- Legitimate interest (Art. 6(1)(f) GDPR) — security & fraud prevention.
Who we share data with
We do not sell your data nor share it with data brokers. Only the following access it:
- Check-in Park's operational team.
- Technical sub-processors: Google / Firebase (hosting + emails), Google Analytics 4 (consent-based), Meta Pixel (consent-based).
- Public authorities, only when legally compelled.
When transfers occur outside the EU, they happen under the European Commission's Standard Contractual Clauses.
How long we keep your data
- Operational data: up to 90 days after the concert (by ).
- Invoices with Tax ID: 10 years (Portuguese tax law).
- Analytics/marketing cookies: per platform (GA4 up to 14 months, Meta up to 180 days per cookie).
- Consent records: 6 months.
Your rights
Under GDPR you have the right to:
- Access, rectification, erasure, restriction, portability and objection.
- Withdraw consent at any time, with no retroactive effect.
- Not be subject to fully automated decisions with significant legal effects.
To exercise these rights, email geral@checkinpark.pt with subject «GDPR». We respond within 30 days.
Complaints
If you think we are mishandling your data, talk to us first. Either way, you can lodge a complaint with the Portuguese supervisory authority:
CNPD — Comissão Nacional de Protecção de Dados
Av. D. Carlos I, 134 — 1.º, 1200-651 Lisboa, Portugal
www.cnpd.pt
Security
HTTPS, role-based access control, encryption at rest (Firestore), rate-limiting and periodic audits. We do not store passwords or card data on our side.
In case of a high-risk security incident we notify you and the CNPD within the 72-hour legal deadline.
Changes to this policy
If practice or law changes, we update the date at the top. Material changes are announced by email to customers with an active booking.