Data Processing & Security (RGPD)

Operated by Van Rossum LDA · furniturerentalportugal.com

Last updated: DD/MM/2025

At Furnirent Portugal, we take data protection and security seriously.

This page explains how we process, store, secure, and safeguard personal data in compliance with the Regulamento Geral de Proteção de Dados (RGPD · GDPR – EU 2016/679).

1. Data Controller

Van Rossum LDA

Estrada Malveira da Serra 920

2750-834 Cascais, Portugal

📧 [email protected]

NIF: PT516886894

Van Rossum LDA is responsible for deciding how personal data is collected, processed, and protected.

2. Principles of Data Processing

All processing of personal data follows the principles of the GDPR:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

We only collect data that is necessary to provide our services and meet legal obligations.

3. Legal Basis for Processing

We process personal data only when one of the following legal bases applies:

3.1 Contractual necessity

To prepare quotes, process rentals, deliver items, issue invoices, and manage contracts.

3.2 Legal obligation

For tax compliance, accounting, and document retention required by Portuguese law.

3.3 Legitimate interests

Improving website functionality, fraud prevention, and operational efficiency.

3.4 Consent

For marketing emails, cookie categories, or analytics tools that require user approval.

4. How We Process Personal Data

We process personal data for:

  • Rental management through Booqable
  • Digital signatures (DocuSign / Adobe Sign)
  • Payment processing and fraud prevention (Stripe / Mollie)
  • Delivery and logistics
  • Customer support and communication
  • Legal, tax, and accounting compliance
  • Internal analytics and service improvement
  • Website functionality and security

All processing is documented and regularly reviewed.

5. Data Security Measures

We implement strong technical and organisational measures to protect personal data:

5.1 Technical Measures

  • SSL encryption on all pages
  • Encrypted databases
  • Secure cloud infrastructure
  • Multi-factor authentication for internal systems
  • Regular security updates
  • Intrusion detection and monitoring
  • Encrypted backups

5.2 Organisational Measures

  • Restricted, role-based access
  • Employee confidentiality agreements
  • Mandatory privacy and security training
  • Incident-response procedures
  • Data minimisation practices
  • Secure disposal of data after retention periods

These measures are continuously improved to meet current security standards.

6. Data Retention

We retain personal data only for as long as necessary:

  • Rental and invoice data: 10 years (required by tax law)
  • Contracts and signed documents: until all obligations are fulfilled
  • Customer support interactions: 1–2 years
  • Marketing data: until consent is withdrawn
  • Cookie and analytics data: 26 months

When data is no longer needed, it is securely deleted or anonymised.

7. Data Sharing & Sub-Processors

We share personal data only with trusted partners essential to our operations:

  • Booqable · Rental management system
  • Stripe / Mollie · Payment processing
  • DocuSign / Adobe Sign · Contract signatures
  • Logistics companies · Delivery and collection
  • IT and hosting providers
  • Certified accountant / tax authorities

All sub-processors comply with GDPR and sign data-processing agreements.

8. International Data Transfers

If data is transferred outside the EU (e.g., DocuSign, Stripe), we ensure compliance using:

  • EU–US Data Privacy Framework (if applicable)
  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Advanced encryption requirements

9. Data Subject Rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Request correction
  • Request deletion (“right to be forgotten”)
  • Restrict processing
  • Object to processing
  • Request data portability
  • Withdraw consent for marketing
  • File a complaint with the CNPD (Comissão Nacional de Proteção de Dados)

To exercise your rights, contact us at:

📧 [email protected]

10. Data Breach Procedures

In the event of a data breach:

  • We act immediately to contain the risk
  • We notify affected users without undue delay
  • We notify the CNPD when required (within 72 hours)
  • We document all incidents and corrective actions

Our goal is to ensure transparency and protect all users’ rights.

11. Updates to This Policy

We may update this page periodically to reflect changes in law, technology, or operational practices.

The updated version will always be available with the revision date above.