Privacy Policy

Name: MobyDick-Tours — Whale & Dolphin Watching in São Miguel
Address: Avenida Infante Dom Henrique, Portas do Mar, 9500-150 Ponta Delgada, São Miguel, Açores, PT
Telephone: +351 919 942 831
Price range: €€

Last updated: 21 May 2026

Data controller: J. F. COSTA, ACTIVIDADES MARÍTIMO-TURÍSTICAS, UNIPESSOAL, LDA. · NIPC: 512 079 749 · Registered office: Rua dos Oleiros, n.º 15, 9680 Vila Franca do Campo, São Miguel, Açores, Portugal · Privacy contact: [email protected] · +351 919 942 831

This Privacy Policy explains how MobyDick-Tours collects, uses, stores, and protects personal data when you visit our website, book a tour, or travel with us. It is provided in accordance with the General Data Protection Regulation — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR") — and Portuguese Law no. 58/2019 of 8 August, which gives effect to the GDPR in Portuguese national law.

1. The data we collect

Booking and tour data

When you book a tour we collect the information needed to fulfil the booking and run the trip safely:

Full name of each passenger
Age or date of birth (to apply the correct pricing tier and confirm safety suitability for minors)
Email address and telephone number
Booking date, time, and tour selected
Payment confirmation reference (we do not store full payment-card details — see "Payment data" below)
Any health or accessibility information you choose to disclose, where relevant to safety on board

Payment data

Payment is processed by our payment provider [OPERATOR TO CONFIRM: Mollie B.V., or other provider]. Payment-card details are entered directly into the provider's environment and are not seen or stored by us. We retain only the transaction confirmation reference necessary for accounting and refund handling.

Communications

If you email, call, or contact us via WhatsApp, we keep a record of the correspondence to handle your request and for follow-up.

Website data

Our website does not currently use analytics, advertising, or social- media tracking cookies. The website loads a booking-lightbox script from our booking partner so that the booking flow opens directly inside the site; that script does not set any cookies on this domain. When you click "Book Now" you are taken to our booking portal, which has its own data-handling notice.

2. Why we use this data — and the legal basis

We process your personal data only for clearly defined purposes and on a specific legal basis under the GDPR:

Performing your booking contract (Art. 6(1)(b) GDPR): processing your booking, communicating about the tour, issuing receipts and refunds, and operating the tour itself.
Safety on board (Art. 6(1)(b) and (d) GDPR): ensuring the captain and crew have the information they need to operate the tour safely, including knowing who is on board, ages of minors, and any disclosed health considerations.
Legal obligations (Art. 6(1)(c) GDPR): keeping accounting and tax records as required by Portuguese law (typically ten years for tax-relevant documents), and complying with maritime- tourism reporting obligations.
Defence of legal claims and operational records (Art. 6(1)(f) GDPR — legitimate interests): handling complaints, insurance matters, and any dispute relating to a tour.

We do not use your data for marketing, newsletters, profiling, or behavioural advertising. We do not sell or rent personal data to anyone.

3. Who we share data with

We share data only where it is necessary to deliver the service or where we are required to by law:

Booking portal — Aravia: the booking flow is operated via the Aravia portal. Booking and contact data you submit during checkout is processed by Aravia on our behalf as our processor under a data-processing agreement.
Payment provider: processes the card transaction. Card data is handled in the provider's environment and is not shared with us beyond the transaction confirmation.
Accountant: issued invoices and tax records are shared with our accountant for the purposes of keeping our statutory accounting in order.
Portuguese authorities: where required by law (for example, tax authority, maritime authority, or in response to a valid legal request).
Insurer: only in the event of a claim, accident, or incident that requires insurance involvement.

Our processors operate within the European Economic Area (EEA), or under data-transfer safeguards (Standard Contractual Clauses) where any transfer outside the EEA is necessary for the operation of the booking portal.

4. How long we keep your data

Booking and passenger lists — for the operational period of the tour and a reasonable period afterwards for safety, complaints, and insurance review.
Invoices and accounting records — for the period required by Portuguese tax law (currently ten years).
Email and other correspondence — for as long as reasonably necessary to handle the matter and, where relevant, for defence of legal claims.
Photographs and video taken during tours — see Section 7.

5. Your rights

Under the GDPR you have the right to:

Access the personal data we hold about you
Rectify inaccurate or incomplete data
Erase your data, where one of the GDPR grounds applies
Restrict or object to certain processing
Receive a portable copy of data you have provided to us
Withdraw any consent you have given (without affecting the lawfulness of processing already carried out)

To exercise any of these rights, email [email protected]. We will respond within the period set out in the GDPR (normally one month). For your protection we may ask you to confirm your identity before fulfilling a request.

You also have the right to lodge a complaint with the Portuguese data- protection authority — Comissão Nacional de Proteção de Dados (CNPD) — at www.cnpd.pt.

6. Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or alteration — including access control to booking records, secure communication channels for payment, and confidentiality obligations on staff and processors. No system is perfectly secure, however, and we cannot guarantee absolute security of data transmitted to or from our website.

7. Photographs and video during tours

Our crew may take general photographs and video during tours for operational, safety, and marketing purposes. By participating in a tour you acknowledge that you may appear in such material. If you do not wish to appear in marketing imagery, please tell the crew at the start of the tour and/or email us — we will exclude you where reasonably practicable and will remove any identifiable image already published on our channels on request.

Where children appear in identifiable form in published imagery, we rely on the express consent of the accompanying parent or guardian and will remove such imagery promptly on request.

8. Cookies

This website does not set tracking, analytics, or advertising cookies. If we add analytics or other non-essential cookies in the future, we will update this Policy and seek your consent first as required by law.

9. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page indicates when the current version came into effect. Material changes will be communicated through the website.

10. Contact

Questions about this Privacy Policy or how we handle your data can be sent to [email protected] or by post to the registered office above.