EasyToday — Terms of Use and Privacy Policy (EN)

1) Key definitions

• Services: SmartToday websites, apps, APIs, and related features.
• Partners: restaurants, bars, hotels, attractions, event organizers and similar venues.
• Account: your user registration within the Services.
• Content: text, images, reviews, preferences, consumption data.

2) Who we are and how we operate

SmartToday provides a digital concierge/marketplace for discovery, bookings, mobile ordering and experiences, and also offers SaaS tools to Partners (e.g., Smart Restaurant/Smart Bars/Smart Booking). We sometimes act as a controller and in other instances as a processor — see the Privacy Policy and Annex B (DPA).

3) Acceptance and updates

By creating an Account or using the Services you accept these Terms and the referenced policies. We may amend these Terms to reflect legal or functional changes. Where required by law, we will provide advance notice. Continued use after the effective date constitutes acceptance.

4) Age and eligibility

The Services are not intended for children under 13. Where local law requires a higher digital consent age (13–16), we apply the relevant threshold. Accounts for minors may require verified parental consent.

5) Account, security and accuracy

Keep credentials secure and information accurate and up‑to‑date. You may close your Account at any time in the settings.

6) Permitted use and prohibitions

You must not: (i) use the Services for unlawful purposes; (ii) interfere with operation; (iii) reverse engineer, scrape without permission, or infringe third‑party rights; (iv) post illegal/offensive content; (v) circumvent technical limits.

7) Bookings, orders and payments

For bookings/purchases made via SmartToday, the contract for the experience is with the Partner. SmartToday may charge service/intermediation fees. Cancellation, no‑show and refund rules are those of the Partner unless stated otherwise. Prices are shown with taxes where applicable. Payments may be processed by payment service providers (PSPs); we do not store full card details.

8) Relationship with Partners

Marketplace/B2C: SmartToday and the Partner are generally independent controllers for the data each collects.

SaaS/B2B: the Partner is controller of its customer data and SmartToday acts as processor (see Annex B — DPA).

9) Sharing your name, email and phone with Partners

To perform bookings/orders and conduct direct follow‑up related to your interaction (e.g., confirmation, logistics, satisfaction), we share with the relevant Partner your name, email and phone under the lawful bases of contract performance and/or legitimate interests.

For Partner marketing (e.g., newsletters, SMS, unrelated promotions), we will only share your contact details with your explicit, separate consent, collected for each Partner. You can withdraw consent at any time in the app or via the instructions in each communication.

10) SmartToday marketing communications

We send marketing only with your consent (opt‑in), always with easy opt‑out in each message. Transactional/service messages do not require consent. Where permitted (see Annex C — UK‑PECR), we may rely on soft opt‑in for existing customers.

11) User content and licence

When you post content (e.g., reviews/photos), you grant SmartToday a worldwide, non‑exclusive, royalty‑free licence to host, reproduce, adapt and display such content in the Services solely to operate and promote the Services. You retain all rights. You may delete content except where already lawfully used.

12) Intellectual property

SmartToday and its licensors own the software, trademarks, logos and proprietary content. No licence is granted beyond what is necessary to use the Services under these Terms.

13) Warranties and disclaimers

The Services are provided as is. We do not guarantee uninterrupted availability nor Partner performance. Nothing limits non‑waivable consumer rights.

14) Liability

To the maximum extent permitted by law, SmartToday is not liable for (i) lost profits, (ii) indirect/incidental damages, (iii) acts/omissions of Partners. Our aggregate liability for claims relating to the Services will not exceed the amounts you paid to SmartToday in the 12 months preceding the event. This does not exclude liability for wilful misconduct, gross negligence or personal injury.

15) Indemnity

You agree to indemnify SmartToday against third‑party claims arising from unlawful use of the Services or breach of these Terms.

16) Suspension and termination

We may suspend or close your Account in case of material breach, fraud or security risk, with prior notice where required by law.

17) Governing law, jurisdiction and ADR

These Terms are governed by Portuguese law. Courts of Lisbon have jurisdiction, without prejudice to mandatory consumer rules. You may also use competent Alternative Dispute Resolution entities and the EU ODR platform.

18) Contact

Questions about these Terms: contato@smarttoday.co.

1) Controller and privacy contact

Controller: SmartToday Unipessoal, Lda., Rua Febo Moniz, 27B — 1150‑152 Lisboa, Portugal.

Privacy contact / DPO channel: contato@smarttoday.co (we will appoint a DPO if/when legally required).

Lead supervisory authority: CNPD (Portugal).

2) Data we process

• Identity and contact: name, email, phone.
• Account and usage: credentials, preferences, booking/order history, interactions, reviews.
• Transactional: booking/order details, dates, venue, spend, payment method (tokenised via PSP; we do not store full card data).
• Technical: IP, device identifiers, cookies/SDKs (see Cookies).
• Support/communications: messages you send to us.

3) Purposes and legal bases (GDPR)

Right to object: where we rely on legitimate interests, you may object at any time on grounds relating to your situation.

4) Sharing

• Partners (restaurants, hotels, attractions): as independent controllers they use data under their own policies. For marketing, they only receive your contacts if you gave specific consent.
• B2B clients (SaaS mode): we act as processor, following the controller's instructions (see Annex B — DPA).
• Vendors (cloud hosting, analytics/measurement, support, communications, PSPs): subprocessors bound by data protection terms and risk assessments.
• Public authorities/courts: where required by law.

5) International transfers

We may transfer data outside the EEA. We use Standard Contractual Clauses (SCCs) and transfer impact assessments, with supplementary safeguards as needed. For the UK, see Annex C (IDTA/Addendum as applicable).

6) Retention (illustrative)

• Account: while active and up to 24 months after inactivity/closure.
• Bookings/orders records: up to 5 years (defence of claims/tax obligations).
• SmartToday marketing: until consent is withdrawn; we retain proof of consent for 5 years after withdrawal.
• Security logs: 12 months, unless under investigation.
• Aggregated/anonymous data: may be kept indefinitely (non‑identifiable).

7) Your rights (GDPR)

Rights of access, rectification, erasure, restriction, portability and objection, plus the right to withdraw consent. To exercise, use the app or write to contato@smarttoday.co. You may lodge a complaint with the CNPD. We reply within 30 days.

8) Profiling and automated decisions

We use profiling to tailor recommendations and ranking. We do not take decisions producing legal or similarly significant effects solely by automated means without appropriate information and safeguards.

9) Security

We implement appropriate technical and organisational measures (access controls, encryption in transit and at rest, minimisation, pseudonymisation where possible, vulnerability management and regular testing). We maintain records of processing and conduct DPIAs where required.

10) Children

We do not knowingly process data of children under 13. Where parental consent is required for ages 13–16, we will collect and verify it.

11) Cookies and similar technologies

We use cookies/SDKs: (i) strictly necessary, (ii) analytics/measurement, (iii) personalisation/marketing. We show a consent banner with granular choices by purpose and vendor. You can change preferences at any time in the app/website.

12) Changes

We may update this Policy. We will indicate version and date and, where appropriate, notify of material changes.

13) Privacy contact

Email: contato@smarttoday.co

Address: Rua Febo Moniz, 27B — 1150‑152 Lisboa, Portugal

C.1 — Brazil — LGPD (Law 13.709/2018)

• Controller & DPO channel: SmartToday Unipessoal, Lda. DPO contact: contato@smarttoday.co.
• Legal bases (Art. 7): (i) contract performance; (ii) legal/regulatory obligation; (iii) legitimate interests (with Legitimate Interest Assessment/Report as applicable); (iv) consent (sharing with Partners for Partner marketing and SmartToday marketing).
• Data subject rights (Arts. 18 & 20): confirmation of processing, access, correction, anonymisation/deletion, portability, information on sharing, consent withdrawal, review of automated decisions. Timing: responses within 15 days for confirmation/access, and promptly for others.
• Children & adolescents (Art. 14): data of children under 12 only with specific, highlighted consent from legal guardian and in the best interests of the child.
• Sharing with Partners: for performance/related follow‑up (legitimate interest/contract); for Partner marketing, consent is required.
• International transfers (Arts. 33–36): contractual safeguards/adequacy and proof of compliance.
• Authority: ANPD; contact channel: contato@smarttoday.co.

C.2 — United Kingdom — UK GDPR & PECR

• Controller: SmartToday Unipessoal, Lda.
• UK representative: if/when applicable (if we target UK individuals without a UK establishment).
• Electronic marketing (PECR):
  • Requires prior consent for email/SMS/push to individuals, except soft opt‑in when: (a) details were obtained in the context of a sale or negotiation of a sale of a SmartToday product/service; (b) messages are about similar products/services; and (c) a clear opt‑out is offered at collection and in each message.
  • Sharing contacts with Partners for Partner marketing requires separate, specific consent per Partner.
• Cookies/SDKs: consent required before setting non‑essential cookies (analytics/marketing).
• Rights & redress: equivalent to GDPR; UK supervisory authority: ICO.
• Transfers: use SCCs + UK Addendum or IDTA as applicable.

1) What are cookies and SDKs?

Cookies are small files placed on your device by websites you visit. SDKs are code components embedded in apps that can access device identifiers and storage. Both can be first‑party (set by us) or third‑party (set by our vendors).

2) Legal basis

Under EU/UK law (ePrivacy/PECR): – Strictly necessary cookies/SDKs: no consent required, but we inform you.

– Non‑essential (e.g., analytics, personalisation, marketing/advertising): consent is required before placement. You may withdraw consent at any time through our preference centre.

3) How we use cookies/SDKs

• Strictly necessary: session management, load balancing, authentication, security/fraud prevention, cookie consent storage.
• Analytics/measurement: to understand usage, quality and performance, and to improve the Services.
• Personalisation/marketing: to remember preferences and, where permitted by consent/soft opt‑in rules, to tailor recommendations and measure campaigns.

4) Managing your choices

• Consent banner & preferences: on first visit/app launch, you can accept all, reject all, or customise by purpose/vendor. You can change settings at any time in Settings → Privacy → Cookies.
• Browser/device controls: you can delete cookies and block new ones via browser/device settings; doing so may affect some features.
• Do Not Track/Global Privacy Control: where technically feasible, we will honour such signals for non‑essential cookies.

5) Retention

• Session cookies expire when you close the browser/app.
• Persistent cookies last up to 13 months (analytics/marketing) unless you withdraw consent earlier.
• SDK identifiers are retained no longer than necessary and are resettable (e.g., advertising ID).

6) Third‑party cookies/SDKs

We use reputable service providers acting as our processors or, in some cases, as independent controllers (e.g., when they collect data for their own purposes upon your consent). A current list of third‑party cookies/SDKs (name, purpose, provider, type, duration) is available in Settings → Privacy → Cookie details and will be updated as integrations change.

7) International transfers

Where third‑party providers are located outside the EEA/UK, we implement SCCs (and, for the UK, IDTA/Addendum) plus supplementary measures as needed.

8) Changes to this Cookie Policy

We will update this Policy as needed and indicate the effective date. Material changes will be notified where appropriate.

9) Contact

Questions about cookies? contato@smarttoday.co.