wavesAgua Qlub Park

Privacy Policy

1. Data collected

We collect: email and/or phone number for authentication (OTP codes); name and seat count for each booking; chosen language and timezone; consents granted (privacy, park rules) with date and time; IP address for security and fraud prevention. Card details are processed directly by Stripe and never stored on our servers: we only retain opaque references (intent IDs) to manage payments, refunds and no-show penalties.

2. Purpose of processing

We process your data to: (a) manage your booking and generate the entry QR ticket; (b) send operational email/SMS (confirmations, reminders, password resets, OTP codes); (c) charge the no-show fee defined in the Terms of Service when applicable; (d) ensure service security (rate limiting, abuse prevention); (e) comply with tax and accounting obligations. Legal basis: contract performance (GDPR Art. 6.1.b) and legitimate interest for security and antifraud (Art. 6.1.f).

3. Cookies and tracking technologies

We use only strictly necessary and functional cookies, exempt from prior consent: (1) enjoyu-session (server session, HttpOnly); (2) enjoyu_auth_token (logged-in user authentication, HttpOnly, Secure in production); (3) XSRF-TOKEN (CSRF protection); (4) enjoyu_locale (chosen language). We do not use profiling, analytics or advertising cookies. Stripe Checkout may set its own cookies on the checkout.stripe.com domain to process payments: see Stripe's notice for details.

4. Data sharing and processors

We do not sell or share your data for marketing. Data is processed by the following processors (GDPR Art. 28): Stripe Inc. (USA, payments, SCC compliant), Twilio Inc. (USA, OTP codes via SMS, SCC compliant), Resend (USA/EU, transactional email delivery), Railway (USA, infrastructure and database hosting). All providers are bound by data processing agreements (DPAs) and adopt adequate security measures.

5. Data retention

We retain booking data for 10 years as required by Italian and European tax legislation. OTP codes and session tokens are deleted within 24 hours of use. Security logs (auth_event_logs) are kept for 12 months. Upon request we can anonymize personal data, retaining only information needed for accounting obligations.

6. Your rights (GDPR Art. 15-22)

You have the right to: (a) access your data and receive a copy; (b) request rectification of inaccurate data; (c) request deletion ("right to be forgotten"), subject to retention obligations; (d) request restriction of processing; (e) receive your data in portable format; (f) object to processing based on legitimate interest; (g) withdraw consent at any time; (h) lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or the supervisory authority in your country of residence. To exercise these rights write to privacy@enjoyu.com: we respond within 30 days.

7. Data controller and contacts

Data controller: EnjoyU / Agua Qlub Park, Vilamoura, Portugal. Email: privacy@enjoyu.com. For booking or service requests: info@enjoyu.com.

Last updated: May 2026