Privacy policy
1. Who we are
Pena Palace Tickets (“we”, “us”, “our”) is an independent booking concierge service. We are the data controller for the personal information you provide to us in connection with booking tickets to Pena Palace.
You can contact us about privacy matters at [email protected].
2. What we collect and why
We only collect the minimum information required to fulfil your booking and run the site.
2.1 Booking information
- Your name — required to purchase your ticket from Parques de Sintra – Monte da Lua S.A.
- Your email address — we send your ticket, visit reminders, and support correspondence here.
- Your visit date and time slot — required to secure your ticket.
- Payment details — processed directly by Stripe; we never see or store your card number. Stripe gives us a token and the last four digits only, for reconciliation.
2.2 Analytics and site-performance data
- Anonymised usage data: pages viewed, clicks, approximate geographic region (city-level only), device type, browser.
- Session recordings via Microsoft Clarity or ContentSquare (masked — we cannot see what you type in form fields).
- Google Analytics 4 with IP anonymisation enabled.
2.3 Support correspondence
When you email us, we keep the thread so we can help you properly. We do not share it with third parties.
3. Legal basis (GDPR, for EU/UK/EEA visitors)
We rely on the following lawful bases under Article 6 of the GDPR:
- Performance of a contract — to sell and deliver your ticket (Art 6(1)(b)).
- Legitimate interest — anonymised analytics to improve the site (Art 6(1)(f)).
- Consent — for non-essential cookies such as advertising pixels (Art 6(1)(a)), collected via our cookie banner. You can withdraw consent at any time.
- Legal obligation — to comply with Australian and EU tax and accounting law.
4. Who we share your data with
We only share your data with the processors we need to operate the service:
| Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | US / Ireland (EU) |
| Parques de Sintra – Monte da Lua S.A. | Issuing the ticket you purchased | Portugal (or attraction country) |
| Google Workspace | Hosting our email (bookings inbox) | US / EU |
| Cloudflare, Inc. | Hosting the website, CDN, security | Global network |
| Cloudways (DigitalOcean) | Hosting the booking backend and order records | EU region |
| Google (Analytics 4) | Anonymised site analytics | US / EU |
| Microsoft Clarity / ContentSquare | Masked session replay | US / EU |
Each processor is bound by a data-processing agreement and (where applicable) the European Commission’s Standard Contractual Clauses for transfers outside the EU/EEA. We never sell your data. We never share it for advertising purposes beyond our own Google / Meta conversion tracking.
5. International transfers
Your data may be transferred and processed in jurisdictions with data-protection regimes essentially equivalent to those in the EU/EEA. We rely on the European Commission’s Standard Contractual Clauses (SCCs) for all transfers outside the EU/EEA.
6. How long we keep your data
- Booking records — 7 years, to meet Australian tax and record-keeping law.
- Support email threads — 2 years, then deleted.
- Analytics data — 26 months (GA4 default), anonymised throughout.
- Marketing consent — we will remove you from all non-transactional lists immediately on request.
7. Your rights
Regardless of where you are, you can ask us to:
- Access a copy of the data we hold on you
- Correct data that is inaccurate
- Delete your data (subject to legal-retention requirements above)
- Port your data to another provider in machine-readable form
- Object to processing you disagree with
- Withdraw any consent you previously gave
To exercise any of these rights, email [email protected]. We respond within 30 days. If you're in the EU/EEA/UK and unhappy with our response, you can complain to your national data-protection authority. In Portugal this is the CNPD.
8. Cookies
We use a small number of cookies. Strictly necessary cookies keep the site working (language preference, currency choice, checkout state). Analytics cookies help us improve the site (anonymised). Advertising cookies track conversions (set only if you consent). See our Cookie Policy for the full list and to change your preferences.
9. Children
Our service is not directed at children under 16. If we discover that we have inadvertently collected personal information from a child under 16 without parental consent, we will delete it.
10. Security
Our site is served over HTTPS, payments are PCI-DSS compliant via Stripe, and access to our booking records is restricted to the small number of people who need it to do their job. No system is perfectly secure; if we ever experience a breach that affects your personal information, we will notify you and the relevant authority within 72 hours as required by the GDPR.
11. Changes to this policy
If we make a material change we will update the “last updated” date at the top, and email anyone affected. Minor clarifications will just get a date bump.