Guest Overflow
Demo

Privacy policy

Last updated: June 10, 2026

1. Who we are

Guest Overflow is a service operated by [LEGAL ENTITY NAME], a company registered in Portugal with registered office at [REGISTERED ADDRESS] and commercial registry / NIPC number [NUMBER] ("we", "us"). We are the controller of the personal data described in this policy. You can reach us about anything in this policy at [email protected]. We are not required to appoint a Data Protection Officer; the email above is our privacy contact.

2. What this policy covers

This policy covers this website only. When we provide booking, website, or Google Business Profile services to a client venue, that processing is governed by the service agreement and data processing terms we sign with the client, not by this policy.

3. What we collect and why

Demo request form.If you ask for a demo we collect your full name, work email, business name and business type (including the description you give if you choose "Other"), and, only if you provide them, the channels where guests find you, a preferred date and time slots, and your message. We use this information solely to respond to your request, schedule the demo, and send you a confirmation email. We do not add you to any marketing list and we do not send newsletters. When you submit the form we also process your IP address in memory only, to prevent spam and abuse; it is not stored.

Cookieless website analytics. We measure how this website is used with a privacy-first analytics system we built ourselves. It uses no cookies, no localStorage, and no third-party trackers. To count unique visitors, our server computes a one-way hash (SHA-256) of a secret salt, your IP address, and your browser's user-agent string. The raw IP address and user-agent are never stored. The salt changes every day and old salts are deleted, which makes it impossible for us to recognize you across days or link your visits together. Your country is derived from a network-level header provided by our hosting platform, not from a stored IP address. The events we record are things like page views, scroll depth, clicks on our own buttons, interactions with the booking demo, and JavaScript errors. For our demo form we record which fields were completed or abandoned and how long they took, never the values you type. Traffic that identifies itself as automated (bots, crawlers) is discarded.

The interactive booking demo. Anything you type into the booking demo widget, including any name or email, is processed entirely in your browser. It is never transmitted to our servers and never stored anywhere.

Email. When you submit a demo request we send a confirmation to you and a notification to ourselves through our email provider, Resend. These are transactional emails related to your request, not marketing.

Hosting and logs. Our hosting provider processes standard technical data (such as IP addresses and request metadata) to deliver the website and keep it secure. Such server logs are kept for a short period, typically under 30 days.

4. Legal bases

  • Demo requests and related emails: taking steps at your request prior to entering into a contract (Article 6(1)(b) GDPR) where you act on your own behalf; otherwise our legitimate interest in responding to business enquiries (Article 6(1)(f)).
  • Spam prevention and rate limiting: our legitimate interest in keeping the website secure (Article 6(1)(f), Recital 49).
  • Website analytics: our legitimate interest in understanding aggregate website usage and improving the site (Article 6(1)(f)). The system is deliberately designed so that the resulting statistics cannot identify you.
  • Hosting and server logs: our legitimate interest in operating and securing the website (Article 6(1)(f)).

5. Cookies and similar technologies

This website does not use cookies for visitors, and we do not show a cookie banner because there is nothing to ask consent for: no advertising, no cross-site tracking, no third-party analytics. There are two narrow technical exceptions. First, when our own staff log in to the administration area, a strictly necessary session cookie is set for that staff member only. Second, we use sessionStorage, a small piece of browser memory that is automatically deleted when you close the tab, to hold a random session identifier so we can count a visit as one session. It contains no personal information and cannot be used to track you across sessions or across sites.

6. Who we share data with

We never sell personal data and we never share it for anyone else's marketing. We use a small number of service providers who process data on our instructions under data processing agreements:

  • Resend (transactional email delivery)

We may also disclose data where the law requires it or to protect our legal rights.

7. International transfers

Our lead database is hosted in the European Union. Where our providers process data in the United States, the transfer is protected by the EU-US Data Privacy Framework for certified providers (Resend is certified) and by the European Commission's Standard Contractual Clauses, supplemented by technical measures.

8. How long we keep data

  • Demo request details: up to 24 months from our last meaningful contact with you, after which they are deleted. If you become a client, your data moves to the client relationship and is kept as required by contract and by Portuguese accounting law (up to 10 years for invoicing records).
  • Analytics events: up to 26 months, after which they are deleted or reduced to aggregate statistics. Because of the daily salt rotation, stored events cannot be linked back to you at any point.
  • Server logs: a short period, typically under 30 days.
  • Rate-limiting IP data: held in memory only, for minutes, and never written to disk.

9. How we protect data

We use encryption in transit, access controls on our systems, an EU-region database, and pseudonymization of analytics data by design. If a personal data breach occurs we will notify the supervisory authority within 72 hours where required, and affected people where the law requires it. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

10. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased;
  • restrict how we process it;
  • receive your data in a portable format; and
  • object at any time to processing based on our legitimate interests, including the analytics described above.

One honest note: our analytics is designed so that we cannot identify you. In most cases we are therefore unable to locate analytics data about a specific person (Article 11 GDPR), and rights requests will in practice concern demo request data.

11. How to exercise your rights

Email [email protected]. We may ask you to verify your identity before acting on a request. We respond within one month, extendable by two further months for complex requests, and requests are free of charge unless they are manifestly unfounded or excessive.

12. Complaints

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state where you live or work. Our lead authority is the Portuguese supervisory authority: Comissão Nacional de Proteção de Dados (CNPD), Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa, Portugal, www.cnpd.pt, [email protected].

13. Children

This website and our services are directed at businesses. We do not knowingly collect personal data from anyone under 16.

14. Do you have to provide your data?

Providing your details in the demo form is not a statutory or contractual requirement, but without your name and work email we cannot respond to your request. All other fields are optional.

15. No profiling, no automated decisions, no selling

We do not carry out profiling or automated decision-making, we do not build marketing lists, and we never sell personal data. If we ever introduce a newsletter, it will be strictly opt-in.

16. Changes to this policy

We may update this policy from time to time. We will post the new version here and update the date at the top. For material changes affecting people who have submitted a demo request, we will notify you by email where feasible. See also our Terms of Service.