Privacy Policy of Another World Lisboa

1. Identification of the Data Controller

This Privacy Policy describes how MOMENTO FORMOSO UNIPESSOAL LDA, tax number 517 517 582 (hereinafter "VR Arena", "we" or the "Controller"), processes the personal data of visitors, customers and users of its services.

Data Protection Officer (DPO): the Controller is not required to appoint a DPO under Article 37 GDPR and has not done so. The contact point for all data protection matters is info@vr-arena.pt.

This Policy applies to the processing of personal data carried out through the website vr-arena.pt (including cookies and analytics and advertising tools), the Resova booking system, telephone, in-person, e-mail and messaging interactions, and the video surveillance systems installed at the establishment.

2. Personal Data Processed

a) Identification and contact data: full name, age or date of birth, phone number, e-mail address, messaging-app identifier (WhatsApp, Instagram, Messenger).

b) Data relating to minors: name, age, and identification of the legal guardian(s), where applicable.

c) Payment data: data strictly necessary to process payments, handled directly by the payment service providers (we do not store full card data).

d) Photographs and videos: captured during events, used exclusively under section 6.

e) Communication content: records of communications exchanged with the customer across all channels (phone, e-mail, messaging, in person), as per section 8.

f) Video surveillance images: as per section 7.

g) Health data: the data subject (or their legal guardian, in the case of a minor) may declare, at booking or at the establishment, health conditions relevant to participation, mainly for their own protection. The signed health declaration is retained for the defence of rights under section 5, on the basis of Article 9(2)(f) GDPR (establishment, exercise or defence of legal claims). Apart from the signed declaration, no other health data is retained after the end of participation.

h) Website usage, analytics and advertising data: IP address or technical information obtained on connection, cookie identifiers, device or browser identifiers, pseudonymised identifiers (namely the Google Analytics Client ID and advertising-pixel identifiers), device type, browser, operating system, approximate location, traffic source, pages visited, interaction events and other browsing data, as per section 14. In Google Analytics 4, the individual IP addresses of users in the EU/EEA/UK/Switzerland are not retained in reports.

3. Purposes of Processing

• Managing bookings, scheduling and providing the contracted services.
• Invoicing and compliance with tax and accounting obligations.
• Communicating with the customer about their booking.
• Verifying the minimum age and the regime applicable to minors.
• Protecting the safety of people and property through video surveillance.
• Service quality control, recording agreements and managing the customer history in CRM.
• Direct marketing (newsletter, commercial communications by e-mail), subject to prior, express consent.
• Promoting the activity on social media and in promotional materials, subject to specific, separate and revocable consent (section 6).
• Defending rights in judicial, extrajudicial, administrative or pre-litigation proceedings, in particular in the event of a claim.
• Compliance with legal obligations.
• Website usage analysis, subject to consent for analytics cookies (section 14).
• Advertising and remarketing on the Google, Meta and Microsoft platforms, subject to consent for advertising cookies (section 14).

4. Legal Bases

• Performance of a contract (Art. 6(1)(b)): managing bookings, providing services and related communications.
• Compliance with a legal obligation (Art. 6(1)(c)): invoicing, accounting, tax retention and retention of commercial documents.
• Legitimate interest (Art. 6(1)(f)): video surveillance, managing the customer history in CRM, service quality, recording calls for the defence of rights, and managing claims.
• Consent (Art. 6(1)(a)): direct marketing, use of image for promotional purposes, and analytics and advertising cookies (section 14).
• Explicit consent (Art. 9(2)(a)): health data at the time of its voluntary declaration for the data subject's own protection during the activity.
• Defence of legal claims (Art. 9(2)(f)): retention of the signed health declaration for the period indicated in section 5, for the exercise or defence of legal claims (in particular in the event of a claim).
• Parental consent (Art. 8 GDPR and Art. 16 of Law No. 58/2019): processing of data of minors under 13 on the basis of consent and, in any case, marketing relating to minors under 18.

5. Retention Periods

After these periods, data is deleted or anonymised, except (i) where a longer legal retention obligation applies or (ii) where retention is necessary for the defence of rights in pending or foreseeable proceedings (in particular ongoing litigation or a claim).

6. Image and Marketing — Specific Consent

6.1. The use of photographs and videos of the data subject to promote VR Arena — social media (Instagram, Facebook, TikTok), website, printed materials and campaigns — requires the prior, specific, informed and express consent of the data subject or, in the case of minors, of the legal guardian(s).

6.2. Consent is collected: online, through a dedicated, separate checkbox on the booking platform, not pre-ticked by default, distinct from acceptance of the Terms & Conditions; in person, through a dedicated form signed at reception; for minors, through the parental consent form, with a specific, separate indication of the promotional purpose.

6.3. Consent may be withdrawn at any time, at no cost, by contacting info@vr-arena.pt; images will be removed from publications under our control within a maximum of 15 working days. Withdrawal does not affect the lawfulness of prior processing.

6.4. The absence of consent does not prevent participation. A private copy of the photographs and videos of their session will always be made available to the customer on request.

6.5. The Controller may capture and publish general images of the establishment in which participants are not individually identifiable, without the need for specific consent.

7. Video Surveillance

• Purposes: protecting the safety of people and property, preventing and investigating unlawful acts, recording damage to equipment, managing claims and defending rights. The images are not used to monitor performance or to assess staff.
• Areas monitored: common areas and the play area, excluding sanitary facilities, changing areas and other reserved areas, and the payment terminals (without capturing PINs/card data).
• Legal basis: legitimate interest (Art. 6(1)(f) GDPR) and Art. 19 of Law No. 58/2019, supported by an internally documented legitimate-interest assessment.
• Retention period: 30 days, with deletion within the following 48 hours, under Art. 31 of Law No. 34/2013, except where retention is needed as evidence in pending proceedings.
• Access: restricted to the manager and, upon legal request, judicial or police authorities.
• Signage: the establishment is signposted at the entrance and in monitored areas, in accordance with CNPD guidelines.

8. Recording of Communications with the Customer

8.1. The Controller records and manages the customer communication history in a CRM system:

• Telephone calls to +351 919 777 900: are recorded, with the caller informed by a notice at the start of the call. Purpose: service quality and recording of commercial agreements. Period: 12 months, except as evidence in pending proceedings.
• E-mail (vr-arena.pt domain) and messaging apps (WhatsApp, Instagram Direct, Facebook Messenger): retained in the CRM for managing the contractual relationship, customer support and the defence of rights.

8.2. Legal bases: performance of a contract (Art. 6(1)(b)) for communications associated with a booking; consent (Art. 6(1)(a)) for call recording, expressed by continuing the call after the notice; legitimate interest (Art. 6(1)(f)) for managing the history in CRM.

8.3. A data subject who does not wish to be recorded may object at the start of the call and choose e-mail or in-person contact.

9. Minors

9.1. Participation of minors under 18 is subject to the written consent of the legal guardian(s), collected through a dedicated form (Buzzshot or printed), including: authorisation to take part; a declaration of health conditions; consent (optional and separate) for image use.

9.2. Under Article 8 GDPR and Article 16 of Law No. 58/2019, the processing of data of minors under 13 on the basis of consent always requires the authorisation of the legal guardian(s); for marketing, parental consent is required for any minor under 18.

9.3. The health declaration of minors is retained under section 5. Consent may be withdrawn at any time.

10. Data Recipients — Processors and Joint Controllers

10.1. Personal data is not sold to third parties, without prejudice to the use of advertising cookies (section 14), subject to consent.

10.2. Processors that process data on behalf of the Controller, under a processing agreement pursuant to Article 28 GDPR:

• Resova — booking system.
• Buzzshot — management of forms and waivers.
• Kommo — CRM and communications management.
• Zadarma (VOICE CLOUD S.L.) — cloud telephony and call recording.
• Stripe and other payment service providers.
• Google Ireland Limited / Google LLC — Google Analytics 4 (measurement).
• Web hosting, e-mail and cloud storage providers.
• Certified accountant responsible for the company's accounting.

10.3. Joint controllers (Article 26 GDPR): with regard to the data collected by the advertising tools, the following operators act as joint controllers, determining their own processing purposes:

• Meta Platforms Ireland Limited / Meta Platforms, Inc. — Meta Pixel and Meta Ads.
• Google Ireland Limited / Google LLC — Google Ads (in the functions where Google determines its own purposes).
• Microsoft Ireland Operations Limited / Microsoft Corporation — Microsoft Advertising (Bing) and Universal Event Tracking (UET).

10.4. Other recipients: public authorities (upon a reasoned legal request) and the insurance company (in the event of a claim).

10.5. All processors are bound by a written agreement; with the joint controllers, the respective joint-controllership terms apply.

11. International Transfers

11.1. Some recipients process, or may process, data outside the European Economic Area (EEA). Transfers take place on the basis of appropriate safeguards under Chapter V GDPR:

11.2. The applicable Standard Contractual Clauses are those approved by Commission Implementing Decision (EU) 2021/914, and also serve as a complementary safeguard for situations not covered by an adequacy decision.

11.3. Data subjects may obtain a copy of the applicable safeguards by request to info@vr-arena.pt.

12. Rights of the Data Subject

12.1. Under Articles 15 to 22 GDPR: access; rectification; erasure (except where a legal obligation or the defence of rights applies); restriction; portability; objection (in particular to marketing); withdrawal of consent at any time without affecting the lawfulness of prior processing; and not being subject to automated individual decisions with significant legal effects (which the Controller does not carry out).

12.2. Exercised through info@vr-arena.pt, with identification of the data subject and a description of the request. Response within a maximum of 30 days, extendable by a further 60 days in complex cases.

12.3. Free of charge, except for manifestly unfounded or excessive requests.

13. Right to Lodge a Complaint with the Supervisory Authority

13.1. Without prejudice to contacting the Controller directly, the data subject may lodge a complaint with the competent supervisory authority in Portugal:

13.2. Under Article 77 GDPR, a data subject residing in another EU Member State may also lodge a complaint with the supervisory authority of their State of habitual residence or place of work.

14. Cookies, Analytics and Advertising

14.1. The website vr-arena.pt uses cookies and similar technologies. Cookies strictly necessary for the technical operation of the site do not require consent. Non-essential cookies — analytics and advertising — are only used after the user's consent has been obtained, collected through the consent management banner (CookieYes) shown on the first visit, as required by Law No. 41/2004 and the GDPR for users in the EEA.

14.2. Analytics (Google Analytics 4): used to understand how visitors use the site. VR Arena does not use Google Analytics to identify a specific visitor and does not send name, phone, e-mail, payment data, health data or other directly identifying data. For users in the EU/EEA/UK/Switzerland, Google Analytics 4 does not retain individual IP addresses in reports.

14.3. Advertising and remarketing:

• Meta Pixel (Meta Platforms) — campaigns and remarketing on the Meta platforms (Facebook, Instagram).
• Microsoft/Bing — Universal Event Tracking (UET) (Microsoft Advertising) — Microsoft campaigns and remarketing.
• Google Ads (Google) — conversion measurement and Google remarketing.

Activated only after consent for advertising cookies.

14.4. Consent management and Consent Mode v2: the site is configured so that analytics and advertising cookies are not set, and the corresponding signals are not transmitted, before consent is obtained; consent signalling is managed through the CookieYes platform and, for Google services, through Google Consent Mode v2.

14.5. Use of data by Google: for more information on how Google processes personal data when the user gives consent, see the Google Business Data Responsibility Site: business.safety.google/privacy.

14.6. Categories and list of cookies used:

Strictly necessary cookies (do not require consent):

Analytics cookies (require consent):

Advertising and remarketing cookies (require consent):

Technical note (to be synced): the exact cookie names and durations should be confirmed against the CookieYes automatic scan and kept up to date.

14.7. User management: the user may accept, refuse or change their consent at any time through the cookie settings icon/link on the site or through their browser settings; withdrawal is as easy as giving consent. Basis: consent (Art. 6(1)(a) GDPR).

15. Changes to the Privacy Policy

15.1. This Policy may be updated. The version in force is always available at vr-arena.pt/politica-de-privacidade.

15.2. Material changes will be communicated, where possible, with prior notice.