Book a Table
Book a Table
BOOK A TABLE

Privacy Policy

Data privacy policy and consent for its use

“We,” “us,” “our,” and other similar pronouns mean, depending on the context, the specific Data Controller as specified below.

Thank you for visiting our website and for your interest in our company.

Our interactions with our customers and stakeholders are a matter of trust. We truly value the trust placed in us, which means we are committed to exercising great care when handling your data and protecting it from misuse.

To ensure that you feel safe and comfortable when visiting our website, we take the protection of your personal data and its confidential treatment very seriously. For this reason, we act solely in accordance with the applicable legislation on personal data protection and data security. The purpose of this data privacy information is to provide you with information about the data we store and how we use it in accordance with applicable case law.

This Privacy Policy applies to all hotels managed and operated under the SANA Hotels brand, their food and beverage establishments, as well as their spa and fitness facilities.

All our companies comply with the EU General Data Protection Regulation, the current Portuguese GDPR Enforcement Law (Law No. 58/2019, of August 8).

To protect your personal data while using the Internet, we are guided by the Portuguese Decree-Law on Electronic Commerce in the Internal Market and Personal Data Processing (Decree-Law No. 7/2004, of January 7).

Below, we explain what information we collect during your visit to our websites and how it is used.

OVERVIEW

NAME AND ADDRESS OF THE DATA CONTROLLER

The entity responsible for the GDPR and other national data protection laws of the Member States, as well as other data protection regulations, is as follows, depending on the website you are visiting and/or the entity that collects and processes your personal data:

SANA HOTELS

www.sanahotels.com

Edifício Myriad Crystal Center, Cais das Naus
Lote 2.15.02
1990-173 Lisboa, Portugal

MYTHIC SANA Downtown Suites
Chatoyant – Investimentos Turísticos, Lda.

https://www.sanahotels.com/pt/hotel/mythic-sana-downtown-suites/

Edifício Myriad Crystal Center, Cais das Naus, Lote 2.15.02
1990-173 Lisboa – Portugal

CONTACT FORM / CONTACT BY E-MAIL
1. Description and scope of data processing:

Insofar as a contact form is provided on our website, it can be used to establish contact electronically. If a user contacts us via the contact form, the data entered in the input template will be transferred to us and stored. This data includes: title, first and last name, address, email address, telephone number, and reason for contact. It is also possible to contact us via the email address provided. In this case, the user’s personal data transmitted with the email will be stored.

Our legitimate interest in processing data in the context of contact with the enquirer constitutes the initial legal basis for data processing. If the purpose of the contact is to conclude a contract, the commencement of a business relationship or a contractual relationship will constitute the additional legal basis for data processing.

We only process personal data taken from the input template of the contact form for the purpose of establishing contact. If we are contacted by email, we also have a necessary legitimate interest in processing the data. Other personal data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our IT systems.

The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of personal data sent by email, the data is deleted when the respective correspondence with the user has ended. Correspondence ends when it can be inferred from the circumstances that the matter in question has been conclusively resolved. If contact is made on the basis of a pre-contractual relationship (offer or reservation request), the transmitted data will be additionally stored in our hotel and/or event software and used for the execution of contracts. If no contractual relationship arises, the data will be deleted after a period of one year from the end of the year.

The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of personal data sent by email, the data is deleted when the respective correspondence with the user has ended. Correspondence ends when it can be inferred from the circumstances that the matter in question has been conclusively resolved.
The enquirer (data subject) may revoke their consent to the processing of personal data at any time. For this purpose, we have set up the email address privacy@sanahotels.com. In the event of an objection, correspondence cannot continue and we cannot continue to make offers, etc. In this case, all personal data stored at the time of establishing contact will be deleted.

COLLECTION, PROCESSING, AND USE OF PERSONAL DATA
1. Description and scope of data processing:

SANA Hotels Portugal, S.A., Edifício Myriad Crystal Center, Cais das Naus, Lote 2.15.02, 1990-173 Lisbon, Portugal is responsible for making central reservations. To enhance our services, we manage all data received in the central hotel software within the hotel group. The establishment where the reservation is made is responsible for this.

The respective reservation data can only be viewed by the person responsible. Together, access to a guest’s master data is used, for example, to make a reservation for another hotel at a later date, to make a rebooking, or to carry out marketing activities centrally. Central services such as reservations and marketing have access to this data. The legal basis for data processing is our legitimate interest in processing data within the scope of central administration and use of the data of our customers and business partners within the hotel group.

Se os serviços forem utilizados, por regra, apenas esses dados são recolhidos conforme necessário para a prestação dos serviços. Se forem recolhidos mais dados, estes tratar-se-ão de informações voluntárias. Os dados pessoais são tratados exclusivamente com o objetivo de cumprir o serviço solicitado e para proteger os nossos próprios interesses comerciais legítimos de acordo com o art.º 6(1) f) do RGPD.

Contact information from reservations may subsequently be used by the sales department for advertising purposes. Advertising campaigns preferably include the sending of emails. The use of the email address requires the guest’s consent in accordance with Article 6(1)(a) of the GDPR.

Your data will only be processed for purposes other than those mentioned above if such processing is covered by Article 6(4) of the GDPR and is compatible with the original purposes of the contractual relationship. We will inform you of these processing operations before proceeding to process your data in this manner.

The legal basis for data processing is the conclusion of an accommodation contract with the guest.

The transmitted data will be stored in our hotel software and used to conclude the contract. Should no contractual relationship exist, the data will be deleted after one year, at the end of the year.

In order to fulfill the listed purposes, personal data is collected, processed, and used for the following categories:

Reservation data (specifically address data, contact data, booking data, customer requests, billing data)

Other customer data (specifically address, billing, and performance data)

The data may be communicated to the following recipients:

Internal units involved in the execution and fulfillment of respective business processes (e.g., hotels within the hotel group, central reservations, accounting, sales and marketing, IT organization) Public bodies that receive data based on legal regulations (e.g., police forces, public authorities)

External contractors in accordance with Article 28 of the GDPR (service providers)

Other external bodies (e.g., credit institutions, companies, provided that data subjects have given their written consent or that transmission is permitted for overriding legitimate interests)

The primary purpose of collecting, processing, or using personal data is the administration, care, and hospitality of guests within the scope of the accommodation contract, in accordance with Article 6(1)(b) of the GDPR.

The legislator has decreed various obligations and retention periods. After the expiration of these periods, the corresponding data and data records are routinely deleted or anonymized if they are no longer necessary for contract fulfillment.

You may, at any time, object to the processing of personal data. For this purpose, we have set up the email address privacy@sanahotels.com

ONLINE RESERVATIONS THROUGH THE WEBSITE
1. Description and scope of data processing

The conclusion of an accommodation contract and/or Food and Beverage service contract with the user will constitute the legal basis for data processing.

The transmitted data will be stored in our hotel software and used for contract conclusion. Should no contractual relationship arise, the data will be deleted after a period of one year from the end of the year.

The legal basis for data processing is the conclusion of an accommodation contract with the guest.

The transmitted data will be stored in our hotel software and used to conclude the contract. Should no contractual relationship exist, the data will be deleted after one year, at the end of the year.

We only process personal data taken from the contact form entry template for purposes of processing reservation-related inquiries and completing payment transactions.

The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of a contractual relationship, we will delete the received data as soon as national, commercial, statutory, or contractual retention requirements are fulfilled.

You may, at any time, object to the processing of personal data. For this purpose, we have set up the email address privacy@sanahotels.com.

We draw your attention to the fact that, in case of objection, we cannot complete the reservation or continue to send correspondence.

SUPPORT, ADVICE, AND ADVERTISING FOR CORPORATE CLIENTS
1. Description and scope of data processing

For the support, advice, and advertising of corporate clients, in addition to information about the business partner or potential business partner, we also collect and use information about the contact person, telephone number, and postal address. The information is obtained from various sources, either by requesting it (by email or telephone) or at events, trade fairs, business cards received by our sales team, etc.

Our legitimate interest in data processing will otherwise constitute the legal basis for data processing. If the purpose of contact is the conclusion of a contract, the initiation of a business relationship or contractual relationship will constitute the additional legal basis for data processing. To improve our services, we manage all received data in the CRM module of our hotel software.

We use this contact information exclusively for our own purposes and to design our own sales activities based on demand.

No specific deadline has been set regarding deletion. However, if our sales department has not had contact with a corporate contact for a period of three years, the sales team will decide whether the corporate contact person’s data will be deleted.

If the contact is from a pre-contractual relationship (offer, reservation, or reservation request), the transmitted data will be additionally stored in our hotel software and used for contract execution. Should no contractual relationship arise, the data will be deleted after a period of one year from the end of the year.

The corporate contact may, at any time, object to the processing of their personal data. For this purpose, we have set up the email address privacy@sanahotels.com.

In this case, all personal data of the contact person stored for the business partner will be deleted.

ONLINE REVIEWS
1. Description and scope of data processing

Former customers may review the establishment after check-out. We would like to send you an email within 14 days of your departure to request that you submit a review of the establishment. Upon request, reviews may be published anonymously. Should you not have enjoyed your stay at our hotel, or not have felt comfortable at our hotel, we would like to take the opportunity to contact you.

If you submit an online review on our website, the data will be stored in the rating tool of REVIEW RANK, S.A., Calle Aribau, 240, 6-M, CP-08006 Barcelona, Spain. REVIEW RANK, S.A. has committed to processing your transmitted data in a manner compatible with data protection. It has taken all organizational and technical measures to protect your data.

If you, as a former customer, have the opportunity to submit an online review, the data entered in the review template will be stored. This data includes: email address and voluntary information such as first name, surname, and language, as well as review statements.

Our legitimate interest in data processing will otherwise constitute the legal basis for data processing.

The purpose of the establishment review is to communicate and summarize the opinions of hotel guests on our website and on third-party websites so that interested parties can form their own opinion regarding our services. The results are also used for our internal quality management.

The data is used exclusively for publishing reviews and for mediation in case of negative reviews.

The data should not be deleted.

You may object to the use of your email address to send a review email in the registration form. It is also possible, at any time, to delete the published review (right to be forgotten). For this purpose, we have set up the email address privacy@sanahotels.com

Please indicate to us which review your request refers to!

NEWSLETTER SERVICE
1. Description and scope of data processing

You may subscribe to the BLACK MOON newsletter service on our website. If you use this option, the data entered in the entry template (name, email address, telephone, preferences) will be transmitted to SANA Hotels Portugal, SA, Edifício Myriad Crystal Centre, Cais das Naus, Lote 2.15.02, 1990-173 Lisbon, Portugal and stored. Should we receive an email address where the recipient clearly informs us that they would like to receive our newsletter, we will collect their data through the entry template on our website.

The legal basis for data processing is the recipient’s consent. This is ensured by a double opt-in procedure for data collection.

The processing of personal data serves us only for sending individual newsletters.

The data will be deleted as soon as the newsletter service is canceled.

As a newsletter recipient, you have the option to, at any time, object to the use of your data for advertising purposes. Each newsletter gives you the option to unsubscribe from the newsletter service. We have also set up the email address privacy@sanahotels.com.

In your request, please indicate your email address!

APPLICATION FOR A JOB ADVERTISEMENT
1. Description and scope of data processing

On our website and through Internet portals (especially hotelcareer.de), you have the possibility to apply for advertised vacancies. If you choose this option, as an applicant, the data transmitted to us may be stored and used. This data includes:

Title, first name, surname

Contact information (email address, telephone)

Cover letter

Attachment with detailed application

Initially, the data is not shared with third parties in this context. Otherwise, the data is used exclusively for processing the application by the specialized department and for communication.

The legal basis for data processing is the contract negotiation process or the conclusion of a contract with the user. We will obtain your prior consent for long-term storage of application documents and for passing the application to third parties.

Personal data is processed only to enable us to handle the application.

The data will be deleted as soon as it is no longer necessary to fulfill the purpose for which it was collected, at the latest 6 months after rejection. In the case of a contractual relationship, we will delete the received data as soon as national, commercial law, statutory, or contractual retention requirements are fulfilled.

You have the option to, at any time, object to the processing of your data. For this purpose, send an email to the same address used to send the job application. We have also set up the email address privacy@sanahotels.com.

PROVISION OF THE WEBSITE AND CREATION OF LOG FILES
1. Description and scope of data processing

Whenever this website is accessed, our system records data and information from the computer system of the computer, smartphone, or other mobile device that performed the access through an automated system. The following data is collected as part of this process:

Information about the browser type and version used

User’s operating system

User’s IP address

Time and date of access

Websites from which the user’s system reached our website

Websites accessed by the user’s system through our website

This data is also stored in our system’s log files. This data is not stored together with other personal data of the user. In this regard, it is not possible to create personal user profiles. The stored data will be evaluated only for statistical purposes.

The legal basis for temporary storage of data and log files is the safeguarding of our legitimate interests.

The system temporarily stores the user’s IP address to make the website available on the user’s computer. To do this, the user’s IP address must be stored during the session. Storage in log files is performed to ensure the functional capacity of the website. The data also helps us optimize the website and ensure the security of our computer systems. The stored data may be evaluated for statistical purposes or to track cyber-attacks on the website carried out by third parties. This is also the reason behind our legitimate interest in data processing.

The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. When data is collected to make the website available, this is the case when the respective session ends. When data is stored in log files, this happens, at most, after seven days. It is possible to maintain storage after this period. In that case, users’ IP addresses are deleted or scrambled so that it is not possible to attribute them to the requesting customer (data subject).

The collection of data to make the website available and the storage of data in log files are necessary for the website’s operation. Therefore, it is not possible for the user to object.

USE OF COOKIES
1. Description and scope of data processing

Cookies are small files that allow us to store specific user-related information on your computer when you visit our website. Cookies help us determine the number of users who have used our website, as well as their frequency of use, and allow us to organize our products and services in the most convenient and effective way possible for you. We use “session cookies,” which are temporarily stored on your computer during the period in which you use our website. Session cookies are stored on your data medium and are used to ensure specific settings and functionalities on our website through your browser. The cookies we use will be deleted at the end of the browser session, that is, when you close your browser. We also use cookies on our website that allow analysis of user browsing habits. In this way, the following data may be transmitted: entered search terms, frequency of page views, use of website functions. Technical measures are used to anonymize user data that is collected in this way. Thus, it is not possible to attribute data to a requester (data subject). The data will not be stored together with other personal data of the user. When visiting our website, the user is informed about the use of cookies for analysis purposes. Their consent for the processing of personal data is also obtained in this context. At this time, the user is also directed to the data privacy policy.

Our legitimate interest in data processing constitutes the legal basis for processing personal data using cookies that are technically necessary. The provision of user consent for this specific purpose constitutes the legal basis for processing personal data through analysis-based cookies.

Technically necessary cookies are used to simplify website use by users. Some of our website’s functions cannot be made available without the use of cookies. These services require that the browser be recognized again after a page change. User data collected through technically necessary cookies will not be used to create user profiles. Analysis cookies are used to improve the quality of our website and its content. These cookies allow us to learn how the website is used so that we can continuously improve our offering.

Cookies are stored on the user’s computer, which will transmit them to our website. This grants you, as a user, full control over the use of cookies. You can disable or restrict the transmission of cookies by changing your Internet browser settings. Previously stored cookies can, at any time, be deleted. Cookies can also be deleted automatically. Should cookies be disabled for our website, some features of our website may no longer be available. It is also possible to enjoy our offerings without cookies or scripts. You can disable cookie storage and scripts in your browser, you can restrict cookies and scripts on certain websites, or you can configure your browser to be notified whenever a cookie is activated. You can, at any time, delete cookies from your computer’s hard drive. You can install an add-on in your browser to block scripts. Examples of these add-ons for browsers are NoScript for Firefox and ScriptSafe for Google Chrome. These not only block all types of Javascript but also block selected trackers, Java, Flash, and other plug-ins on websites. If third-party cookies are a concern for you, you can disable only these cookies and still enable cookies that allow our website to function properly. However, these changes may affect how the website is displayed or limit its functionality. Below, we provide more information about the cookies used on our website. These cookies allow us to customize the website’s features and content to your measure by storing your preferences. Cookies can be used, for example, to store your user data in our forum or to select the language. They can also be used to provide interactive information so that you can view our virtual catalogs or watch videos, for example:

Cookie Name

tt-domain-user-id

Cookie Function

The booking function uses this cookie.

In addition to the information provided above regarding the use of cookies, we would like to draw your attention to the following: Use of Google Analytics, Google DoubleClick Cookies, Google Conversion Tracking, and Google Remarketing. Our website may use Google Analytics, Google DoubleClick Cookies, Google Conversion Tracking, and Google Remarketing

These services are provided by Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”).

This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies.” These are text files stored on the user’s computer that facilitate an analysis of website usage. The information generated by the cookie about the user’s use of this website is generally sent to a Google server in the USA and stored there. However, should IP anonymization be activated on this website, your IP address will first be truncated by Google within member states of the European Union or in other states that are parties to the Agreement on the European Economic Area. The complete IP address will only be sent to a Google server in the USA and truncated there in exceptional cases. IP anonymization is active on this website. On behalf of the operator of this website, Google will use this information to evaluate website usage, to compile reports on website activities, and to provide the website operator with other services related to website activity and Internet usage. The IP address provided by your browser as part of Google Analytics will not be merged with other Google data. You can prevent cookie storage by changing the respective settings in your browser software; however, you may not be able to use all features of this website in full. You can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de. As an alternative to using the browser add-on or in mobile device browsers, click this link to prevent future detection by Google Analytics within this website. It will store an opt-out cookie on your device. If you delete your cookies, you must click this link again. The explanations provided above in Section XI(1) to (4) apply accordingly.

Disabling Google advertising

(http://www.google.com/privacy_ads.html) or on the Network Advertising Initiative opt-out page (http://www.networkadvertising.org/managing/opt_out.asp)

Google Tag Manager

This website uses Google Tag Manager. Google Tag Manager is a solution that allows website tags to be managed by marketing professionals using this interface. The Tag Manager tool itself (which implements the tags) is a cookieless domain and does not record personal data. The tool causes other tags to be activated, which may, in turn, under certain circumstances, record data. Google Tag Manager does not access this information. If recording has been disabled at the domain or cookie level, this setting will remain implemented for all tracking tags implemented with Google Tag Manager.

Use of Social Media Plug-ins

Plug-ins from the social network Facebook, operated by Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA, are integrated into the pages of our websites. You can recognize Facebook plug-ins by the Facebook logo or the “Like” button on our pages. You can find an overview of Facebook plug-ins here: developers.facebook.com/docs/plugins/. When you visit our pages, the plug-in establishes a direct connection between your browser and the Facebook server. Thus, Facebook receives the information that you visited our website from your IP address. If you click the Facebook “Like” button while logged into your Facebook account, you can link the content of our pages to your Facebook profile. Thus, Facebook can attribute the visit to our website’s pages to your user account. We, as providers of our website’s pages, do not receive any notification of the content of the data transmitted from Facebook, nor do we receive any notification about its use.

PROTECTION OF MINORS
Overview

This service is intended specifically for adults. We currently have no service specifically directed at minors. As a result, we do not intentionally collect age classification information, nor do we intentionally collect personal information from individuals under 16 years of age. However, we advise all visitors to our website under 16 years of age to avoid disclosing or providing any personal information to our service. Should we discover that a minor under 16 years of age has provided us with personal information, we will delete the personal information of said minor from our files, to the extent technically possible.

DATA SUBJECT RIGHTS
Overview

When your personal data is processed, you become the data subject within the meaning of the GDPR and will have the following rights in relation to us (“the data controller”):

You have the right to information about the personal data stored about you, including the purpose of processing, as well as about any transfer of data to third parties and the duration of data storage.

Should the data be incorrect or no longer necessary for the original purpose for which it was collected, you may request that the data be corrected, deleted, or that data processing be restricted. According to processing procedures, you may also view and correct your data, if necessary.

You have the right to object, at any time, on compelling legitimate grounds related to your particular situation, to the processing of your personal data, provided that the processing is based on a legitimate interest. Following an objection, the data controller cannot continue to process the personal data concerning you, unless the data controller can prove compelling reasons for processing that require protection and that prevail over your interests, rights, and freedoms, or can prove that the processing aims to assert, exercise, or defend legal actions. If personal data concerning you is processed for direct marketing purposes, you have the right to object, at any time, to the processing of personal data relating to you for the purposes of such marketing; this also applies to profiling to the extent that it is directly related to such direct marketing. If you object to processing for direct marketing or profiling purposes, personal data concerning you shall no longer be used for these purposes.

You have the right to, at any time, revoke your declaration of consent under data protection law. The revocation of consent does not affect the legality of processing carried out based on consent up to the moment of revocation.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
Overview

As a data subject, you have the right to lodge a complaint with a data protection supervisory authority, namely in the Member State of your habitual residence, place of work, or place of the alleged infringement if you believe that the processing of personal data relating to you violates data protection.

The regulatory authority with which the complaint was lodged must inform the complainant about the progress and outcome of the complaint, including the possibility of judicial appeal.

Further information can be found on the website of the National Data Protection Commission.

SECURITY
Overview

We are responsible for ensuring the protection of your personal data. To protect your personal data from unauthorized access and illegal use, alteration, distribution, or copying, we take appropriate technical and organizational measures, such as antivirus or anti-spyware, subject to permanent updates, SSL encryption of confidential data (credit card, reservation form), firewalls, frequent backups, or limited access to personal data, when necessary.

We know that no security measure is 100% efficient and secure, but we are committed to protecting the integrity and confidentiality of your personal data. To this end, we will continue to review and improve our security measures. When you access our website using a username and password created or selected by you, you are responsible for the password and proper confidentiality and protection of these credentials.

Last updated March 2026

UP