Privacy Policy Mosaico Restaurant & Bar

Statement of Commitment to Privacy and Protection of Personal Data
Seven-O-Five Gestão Hoteleira, Lda., hereinafter “705,” is a hospitality company that owns the 705 Hotel chain, which includes the 705 Porto Gaia Boutique Hotel, 705 Porto Prime Home, 705 Porto Prime Apartments, 705 Porto Houses, 705 Porto Santa Catarina, 705 O’Porto Hotel and Mosaico – Restaurant & Bar, and is an integral part of the Teppe Group. It governs its actions by high standards of integrity, transparency, and responsibility, ensuring the lawful, fair, and secure processing of personal data.

This commitment is transversal to all institutional and commercial relationships maintained with employees, customers, partners, suppliers, and other stakeholders, reflecting an organizational culture oriented toward trust, ethics, and respect for fundamental rights.

The protection of privacy and the information entrusted to us constitutes a strategic pillar of our activity, being considered an operational priority in all processes where personal data processing occurs.

Seven-O-Five Gestão Hoteleira, Lda. is committed to ensuring full compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR), as well as applicable national legislation regarding privacy and data protection.

705 respects your preferences regarding the collection and use of your Personal Data.

By accessing and using this website, the User acknowledges and fully accepts the terms contained in this Privacy Policy, providing their consent, whenever necessary, for the processing of their personal data as defined herein.

This Policy aims to ensure transparent communication regarding the legal grounds, purposes, categories of data processed, as well as retention periods, recipients, and the rights of data subjects.

The processing of personal data will be carried out based on the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability, as provided for in Article 5 of the GDPR.

Within this framework, 705 reaffirms its commitment to all its Clients and other data subjects, ensuring the adoption and maintenance of technical and organizational measures appropriate to the risk, intended to protect personal data against loss, accidental or unlawful destruction, improper alteration, unauthorized access, improper disclosure, or any other form of unlawful or unauthorized processing, taking as reference the best practices in the field of information security, cybersecurity, and personal data protection.

Personal Data – what is it?
Personal data is any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier, such as: name, identification number, location data, electronic identifiers (such as an IP address), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Included in this definition is data that, alone or in combination with other data, allows for the identification of a user or visitor to the website, such as name, email address, telephone number, IP address, among others.

This Privacy Policy allows you to know how 705 collects and uses your Personal Data, how you can control its use, and describes our practices regarding information collected on other Group sites that link to or refer to this Policy (such as websites, software applications, social networks, and electronic messages), as well as offline marketing and sales activities (collectively, “Communication Channels”).

705’s communication channels may include hyperlinks to websites, platforms, social networks, or applications that are not owned or managed by the Group, but by independent third parties. In such cases, we strongly recommend that you previously consult the terms and conditions of use and the privacy policies of those entities before providing any personal data, as this Privacy Policy applies exclusively to the domains and services under the responsibility of 705. 705 assumes no responsibility for the content, practices, or privacy policies adopted by third parties, even if access to those external resources occurs through a hyperlink provided on our channels.

Data Controller
705 is the Data Controller for the personal data collected through this website, under the terms and for the purposes of the provisions of Regulation (EU) 2016/679 (GDPR) and other applicable legislation.

To exercise your rights or for any question related to the processing of your personal data, you may contact 705 through the following postal address:

Seven-O-Five Gestão Hoteleira, Lda.
To the attention of the Data Protection Officer (DPO)
Rua Guerra Junqueiro, 447
4150-389 Porto

Alternatively, you may contact us through the following means:

• Email of the Data Protection Officer (DPO): dpo@teppe.com

The Data Protection Officer is available to clarify any questions regarding this policy, the exercise of your rights as a data subject, or any other matter related to privacy and personal data protection, through the postal address and email indicated above.

What information do we collect about you?
On this 705 website, there are different sections for collecting personal data, and each section has a purpose.

Contact Form
• Data Collected: name, e-mail, telephone, subject.
• Purpose: we may use this data to respond to your requests for information, doubts, complaints, comments, or concerns regarding the information included in the contact form, the processing of personal data, as well as any other questions the user may have. Failure to provide the minimum necessary personal data will make it impossible for 705 to respond to the request.
• Legal Basis: the processing of personal data collected in the contact form is based on the consent of the data subject.

Careers
• Data Collected: name, email, telephone, academic qualifications, languages, CV, message.
• Purpose: management of applications and recruitment of new employees.
• Legal Basis: the processing of personal data collected in the application form is based on the consent of the data subject.

Newsletter Subscription
• Data Collected: name, e-mail, date of birth.
• Purpose: to manage the subscription list, send newsletters with news and commercial information related to our services, events, campaigns, and/or products.
• Legal Basis: the processing of personal data collected in the newsletter form is based on the consent of the data subject, and the subject always has the option to opt-out at any time.

Hijiffy Virtual Assistant
• Data Collected: booking number (if applicable), email.
• Purpose: management of customer support service (bookings, doubts, information about available services).
• Legal Basis: the processing of personal data collected in the virtual assistant chat is based on the consent of the data subject.

Booking Area (site/booking engine/direct contacts)
• Data Collected (as applicable): name, email, telephone, country of residence, payment card data (card number, cardholder name, expiration date, CVV), additional information.
• Booking/stay data: check-in/check-out dates, number of guests, age, room type, special requests (e.g., extra bed, crib, expected arrival time, history of changes/cancellations…).
• Billing and tax data: name/entity for billing, NIF/VAT (when applicable), billing address, elements necessary for the issuance of the invoice/receipt.
• Payments: data necessary for guarantee and/or payment (e.g., card number, expiration date and, when applicable, security code only for authorization/validation at the time of payment), transaction proofs generated by the payment provider.
• Communications and support: messages exchanged with us (e.g., requests, doubts, complaints), contact records, and service history.
• Technical data (when the booking is online): IP address, device/browser identifiers, date/time logs, and technical events for security and fraud prevention.
• Additional information provided by the client: e.g., accessibility preferences or dietary restrictions only if indicated (may imply sensitive data).

Purpose:

• Management of pre-bookings and bookings (creation, confirmation, changes, cancellations, waiting list, no-show management, and related communications);
• Pre-contractual measures or execution of the accommodation contract and provision of associated services, including stay preparation, operational personalization (preferences), and internal coordination;
• Processing and management of payments (guarantees, deposits, pre-authorizations, refunds, billing, collection, and financial reconciliation);
• Customer service and request management, including responding to contacts, assistance before/during/after the stay and handling complaints;
• Quality and customer satisfaction management, improvement of services and experience (e.g., post-stay surveys and internal analysis).
• Prevention and detection of fraud and security, (e.g., transaction validations, protection of the website/booking engine, records for audit and security).
• Compliance with applicable legal and regulatory obligations (e.g., tax/accounting obligations and other legal requirements that impose records or communications).
• Management of disputes, exercise or defense of rights in administrative, judicial, or extrajudicial proceedings, when applicable.
• Commercial/marketing communications (only when permitted by law and/or through consent, as applicable), including management of preferences and proof of consent/objection.

Legal basis:

• Pre-contractual measures and contract execution: to process bookings and provide the requested accommodation/services.
• Compliance with legal obligations: billing, accounting, and other applicable obligations.
• Legitimate interests: fraud prevention, systems security, continuous improvement, complaint management, and defense in disputes, provided that the rights of the subject do not prevail.
• Consent: when applicable, such as for marketing communications and for information not necessary for the booking/stay.
• Sensitive data (when the client provides them): if a special request reveals health data (e.g., accessibility needs, medical restrictions), the processing will be done only when necessary to respond to the request and, as a rule, with explicit consent or another applicable legal basis, as the case may be.

Contacts through the means of contact provided on the site
We also collect information about you when you voluntarily write to us or call us through the contacts provided on the site. The personal data collected are those necessary for the purpose for which you contacted us, processing in this context data such as name, address, telephone number, email address, subject, and Tax ID (in the case of a commercial transaction). By providing your personal data, you are authorizing the collection, use, and disclosure of the same according to the rules defined herein. We ask you not to send or share with 705 any sensitive personal information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, data relating to health, or data relating to sex life or sexual orientation.

Website usage information is collected using cookies, but they do not specifically identify you; the following data is or may be collected:

• IP address.
• Geographic location.
• Information about the device accessing the website, namely, type and version of the browser, operating system, screen resolution, preferred language, information contained in HTTP headers, and agent version.
• The search engine you used to locate and access the website.
• Date and time of activity on the website, as well as web pages and content visited and clicked.

It is important to emphasize that this usage information does not deliberately identify you and, if it exceptionally does, it will be immediately anonymized.

Minors
705 only accepts registrations and data submissions from users aged 16 or older. 705’s communication channels and online services are not intended for minors. If you become aware of the inadvertent collection of personal data from a minor, we request that you inform us immediately so that we can delete the record in accordance with applicable law.

Marketing and Communications
Based on your consent, 705 may send you communications about products, promotional campaigns, services, events, and Group solutions that may be of interest to you. The Client may cancel the subscription to these communications at any time through the link included in the messages received or by sending a request to dpo@teppe.com. In processing dependent on consent, the subject may, at any time, withdraw their consent, without compromising the lawfulness of the previous processing. If you agree, we may also send your personal information to the various companies of 705 so that they can offer you their products, services, and updated information. Newsletters may contain a monitoring pixel solely for statistical purposes (for example, to check open and click rates), without any impact on your privacy. Your personal data may be shared with service providers contracted by 705, such as marketing platforms and data analysis tools, which are subject to contractual obligations of confidentiality and data protection. The marketing and commercial process does not involve automated decision-making, including profiling. On this website, no comparisons, interconnections, or any other form of interrelating the recorded information are carried out.

Internal Recipients of Your Data
The internal departments of 705 that may have access to personal data, depending on the type of contact or interaction, include:

• Marketing Department;
• Human Resources Department;
• Finance Department;
• Hospitality Department;

The treatment will be limited to the purposes for which the data were collected, and the principle of minimization will always be ensured. Regarding the confidentiality of the processing, 705 will ensure that any person authorized by it to process customer data, including its employees, will be under the proper obligation of confidentiality.

Subcontractors and Data Sharing
In the exercise of its activity, 705 may resort to third-party subcontractors for the provision of specific services (e.g., hosting, booking platforms, technical support, campaign management, CRM, etc.). In these situations:

• Access to personal data is limited to what is strictly necessary for the execution of the service;
• Contractual guarantees in compliance with the GDPR are ensured;
• Subcontractors act exclusively under the instructions of 705, adopting technical and organizational measures appropriate for the protection of personal data, in order to protect personal data against accidental or unlawful destruction, accidental loss, alteration, dissemination, or unauthorized access and against any other form of unlawful processing;

Your data may also be shared with:

• Other companies of the Teppe Group, of which 705 is a part, with the objective of presenting solutions, products, or services that may be of interest to you, based on your consent;
• Service provider entities acting on behalf of 705;
• Public, administrative, or judicial authorities, when required by law and in a limited manner, whenever necessary for the fulfillment of legal obligations or within the scope of legitimate proceedings;
• For the protection of the rights and legitimate interests of 705 or third parties, in legal process situations;
• To maintain the security of our services; to protect lives, protect property rights, compliance, and audits;
• In the context of the analysis or processing of certain requests, it may also be necessary to share data with credit assessment agencies and entities specialized in the prevention and detection of fraud, exclusively for the legally provided purposes.

Rights of Data Subjects
705 guarantees its Clients the full exercise of the rights provided for in the GDPR. The data subject may, at any time, exercise the following rights:

• Access to their personal data;
• Rectification of incorrect or outdated data;
• Erasure when applicable;
• Limitation of processing, in certain circumstances;
• Objection to processing, namely in direct marketing;
• Data portability, in a structured and readable format;
• Withdrawal of consent, when the processing is based on that legal basis.

The subject may exercise their rights by contacting the Data Protection Officer (DPO) through the e-mail dpo@teppe.com or by post to the institutional address indicated in this Policy. In accordance with Article 12 of the GDPR, if a request is manifestly unfounded or excessive, 705 may charge a reasonable administrative fee or refuse its processing, upon justification. Additionally, the data subject has the right to lodge a complaint with a competent Supervisory Authority, namely the National Data Protection Commission (CNPD), if they believe their rights have been violated. 705 will cooperate with the competent authorities, providing all relevant information within the scope of the exercise of its legal powers.

Retention Periods
705 retains the personal data of the subjects only during the period strictly necessary for the fulfillment of the purposes that motivated its collection, or during the time required by applicable legal or regulatory obligations. Retention periods may vary depending on the nature of the data processed and the associated purpose, being defined based on legal, contractual, and operational criteria, respecting the principle of storage limitation established in the GDPR.

As a rule:

• Data associated with the execution of contracts or the provision of services are kept as long as the contractual relationship lasts and for the legal period necessary for the defense of rights in court (up to 10 years after the end of the relationship, for compliance with tax and accounting obligations).
• Data collected based on consent (for example, for sending marketing communications) are kept until the subject withdraws consent or exercises the right to object.
• Data processed based on legitimate interest, when applicable, will be kept as long as that interest persists, assessed according to principles of necessity and proportionality.

Once the retention period has ended, the data will be securely deleted or anonymized, so that the subject can no longer be identified. 705 carries out periodic reviews of the data it holds, deleting or anonymizing those that prove unnecessary or outdated, in accordance with its internal retention policies and the guidelines of the National Data Protection Commission (CNPD).

Cookies
We collect cookies when you visit our website. These are small text files stored on your computer that serve to collect information about your device and information about your user experience. This information is used to record the number of visits made and compile statistical information about the activity of the website. 

Information Security
705 has a computer system with the capacity to resist, with a given level of confidence, accidental events or malicious or unlawful actions that compromise the availability, authenticity, integrity, and confidentiality of the stored or transmitted Personal Data, as well as the security of the related services offered or accessible through these networks and systems, preventing unauthorized access, disclosure, alteration, or accidental or unlawful destruction. 705’s websites include SSL certificates, that is, a security protocol that makes data travel integrally and securely; in other words, the transmission of data between a server and the website user and in feedback is fully encrypted. Despite the implemented measures, 705 cannot guarantee the absolute security of electronic communications, and is not responsible for incidents arising from external factors outside its control.

Changes to this privacy statement
This Policy is reviewed periodically to reflect legal, technological, or organizational changes. If you believe that 705 has not adhered to this statement, or if you have any questions about our privacy policy or the information we have about you, contact us through the email address dpo@teppe.pt. We will respond to questions within 30 days. All updates will be published on this website, with an indication of the respective date. The version currently in force was updated in February 2026.