Easytoday (“Guffo”) — Terms of Use and Privacy Policy (EN)

Version: 0.3
 Effective date: 11 August 2025
 Entity responsible (Controller): Easytoday Unipessoal, Lda., trading as “Guffo” (“Guffo”, “we”)
 Registered address: Rua Febo Moniz, 27B — 1150-152 Lisboa, Portugal
 Contact for general and privacy matters / DPO channel: contato@guffo.co
 Website/App: guffo.ai and Guffo apps

This document applies to end‑users (B2C) and to business customers (B2B) of our Smart BookingSmart Restaurant/Smart Bars, and Marketplace products. For B2B customers, the Data Processing Addendum (DPA) in Annex B forms part of these Terms. See Annex C for regional addenda (Brazil – LGPDUnited Kingdom – UK GDPR/PECR).

PART A — TERMS OF USE

1) Key definitions

Services: Guffo websites, apps, APIs, and related features.
 Partners: restaurants, bars, hotels, attractions, event organizers and similar venues.
 Account: your user registration within the Services.
 Content: text, images, reviews, preferences, consumption data.

2) Who we are and how we operate

Guffo provides a digital concierge/marketplace for discovery, bookings, mobile ordering and experiences, and also offers SaaS tools to Partners (e.g., Smart Restaurant/Smart Bars/Smart Booking). We sometimes act as a controller and in other instances as a processor — see the Privacy Policy and Annex B (DPA).

3) Acceptance and updates

By creating an Account or using the Services you accept these Terms and the referenced policies. We may amend these Terms to reflect legal or functional changes. Where required by law, we will provide advance notice. Continued use after the effective date constitutes acceptance.

4) Age and eligibility

The Services are not intended for children under 13. Where local law requires a higher digital consent age (13–16), we apply the relevant threshold. Accounts for minors may require verified parental consent.

5) Account, security and accuracy

Keep credentials secure and information accurate and up‑to‑date. You may close your Account at any time in the settings.

6) Permitted use and prohibitions

You must not: (i) use the Services for unlawful purposes; (ii) interfere with operation; (iii) reverse engineer, scrape without permission, or infringe third‑party rights; (iv) post illegal/offensive content; (v) circumvent technical limits.

7) Bookings, orders and payments

For bookings/purchases made via Guffo, the contract for the experience is with the Partner. Guffo may charge service/intermediation fees. Cancellation, no‑show and refund rules are those of the Partner unless stated otherwise. Prices are shown with taxes where applicable. Payments may be processed by payment service providers (PSPs); we do not store full card details.

8) Relationship with Partners

  • Marketplace/B2C: Guffo and the Partner are generally independent controllers for the data each collects.
     
  • SaaS/B2B: the Partner is controller of its customer data and Guffo acts as processor (see Annex B — DPA).

9) Sharing your name, email and phone with Partners

To perform bookings/orders and conduct direct follow‑up related to your interaction (e.g., confirmation, logistics, satisfaction), we share with the relevant Partner your name, email and phone under the lawful bases of contract performance and/or legitimate interests.
 For Partner marketing (e.g., newsletters, SMS, unrelated promotions), we will only share your contact details with your explicit, separate consent, collected for each Partner. You can withdraw consent at any time in the app or via the instructions in each communication.

10) Guffo marketing communications

We send marketing only with your consent (opt‑in), always with easy opt‑out in each message. Transactional/service messages do not require consent. Where permitted (see Annex C — UK‑PECR), we may rely on soft opt‑in for existing customers.

11) User content and licence

When you post content (e.g., reviews/photos), you grant Guffo a worldwide, non‑exclusive, royalty‑free licence to host, reproduce, adapt and display such content in the Services solely to operate and promote the Services. You retain all rights. You may delete content except where already lawfully used.

12) Intellectual property

Guffo and its licensors own the software, trademarks, logos and proprietary content. No licence is granted beyond what is necessary to use the Services under these Terms.

13) Warranties and disclaimers

The Services are provided as is. We do not guarantee uninterrupted availability nor Partner performance. Nothing limits non‑waivable consumer rights.

14) Liability

To the maximum extent permitted by law, Guffo is not liable for (i) lost profits, (ii) indirect/incidental damages, (iii) acts/omissions of Partners. Our aggregate liability for claims relating to the Services will not exceed the amounts you paid to Guffo in the 12 months preceding the event. This does not exclude liability for wilful misconduct, gross negligence or personal injury.

15) Indemnity

You agree to indemnify Guffo against third‑party claims arising from unlawful use of the Services or breach of these Terms.

16) Suspension and termination

We may suspend or close your Account in case of material breach, fraud or security risk, with prior notice where required by law.

17) Governing law, jurisdiction and ADR

These Terms are governed by Portuguese law. Courts of Lisbon have jurisdiction, without prejudice to mandatory consumer rules. You may also use competent Alternative Dispute Resolution entities and the EU ODR platform.

18) Contact

Questions about these Terms: contato@guffo.co.

PART B — PRIVACY POLICY (GDPR)

1) Controller and privacy contact

  • Controller: Easytoday Unipessoal, Lda., Rua Febo Moniz, 27B — 1150‑152 Lisboa, Portugal.
     
  • Privacy contact / DPO channel: contato@guffo.co (we will appoint a DPO if/when legally required).
     
  • Lead supervisory authority: CNPD (Portugal).

2) Data we process

  • Identity and contact: name, email, phone.
     
  • Account and usage: credentials, preferences, booking/order history, interactions, reviews.
     
  • Transactional: booking/order details, dates, venue, spend, payment method (tokenised via PSP; we do not store full card data).
     
  • Technical: IP, device identifiers, cookies/SDKs (see Cookies).
     
  • Support/communications: messages you send to us.

3) Purposes and legal bases (GDPR)

Purpose

Legal basis

Examples

Create/manage Account; enable bookings/orders

Contract

Account creation, processing orders, no‑show handling

Share contact details with Partners for performance and follow‑up

Contract / Legitimate interests

Confirm/alter booking, logistics, satisfaction

Share contacts with Partners for Partner marketing

Consent (granular per Partner)

Partner newsletters/SMS

Guffo marketing

Consent (+ soft opt‑in where permitted)

Emails/push with offers; easy opt‑out

Statistics, metrics and product improvement

Legitimate interests + aggregated/anonymous data where possible

Recommendations, product KPIs

Security, fraud, compliance

Legitimate interests / Legal obligation

Security logs, responding to authorities

Customer support

Contract / Legitimate interests

Contact histories, ticket resolution

Right to object: where we rely on legitimate interests, you may object at any time on grounds relating to your situation.

4) Sharing

  • Partners (restaurants, hotels, attractions): as independent controllers they use data under their own policies. For marketing, they only receive your contacts if you gave specific consent.
     
  • B2B clients (SaaS mode): we act as processor, following the controller’s instructions (see Annex B — DPA).
     
  • Vendors (cloud hosting, analytics/measurement, support, communications, PSPs): subprocessors bound by data protection terms and risk assessments.
     
  • Public authorities/courts: where required by law.

5) International transfers

We may transfer data outside the EEA. We use Standard Contractual Clauses (SCCs) and transfer impact assessments, with supplementary safeguards as needed. For the UK, see Annex C (IDTA/Addendum as applicable).

6) Retention (illustrative)

  • Account: while active and up to 24 months after inactivity/closure.
     
  • Bookings/orders records: up to 5 years (defence of claims/tax obligations).
     
  • Guffo marketing: until consent is withdrawn; we retain proof of consent for 5 years after withdrawal.
     
  • Security logs: 12 months, unless under investigation.
     
  • Aggregated/anonymous data: may be kept indefinitely (non‑identifiable).

7) Your rights (GDPR)

Rights of access, rectification, erasure, restriction, portability and objection, plus the right to withdraw consent. To exercise, use the app or write to contato@guffo.co. You may lodge a complaint with the CNPD. We reply within 30 days.

8) Profiling and automated decisions

We use profiling to tailor recommendations and ranking. We do not take decisions producing legal or similarly significant effects solely by automated means without appropriate information and safeguards.

9) Security

We implement appropriate technical and organisational measures (access controls, encryption in transit and at rest, minimisation, pseudonymisation where possible, vulnerability management and regular testing). We maintain records of processing and conduct DPIAs where required.

10) Children

We do not knowingly process data of children under 13. Where parental consent is required for ages 13–16, we will collect and verify it.

11) Cookies and similar technologies

We use cookies/SDKs: (i) strictly necessary, (ii) analytics/measurement, (iii) personalisation/marketing. We show a consent banner with granular choices by purpose and vendor. You can change preferences at any time in the app/website.

12) Changes

We may update this Policy. We will indicate version and date and, where appropriate, notify of material changes.

13) Privacy contact

Email: contato@guffo.co
 Address: Rua Febo Moniz, 27B — 1150‑152 Lisboa, Portugal

ANNEX A — Recommended consent copy (for UX)

  1. Share with venue for Partner marketing (granular opt‑in):
     > “I want to receive marketing communications from [Partner Name]. I authorise Guffo to share my name, email and phone with [Partner Name] exclusively for this purpose. I can withdraw consent at any time in Guffo settings or with the Partner.”
     [ ] I agree
  2. Guffo marketing:
     > “I want to receive newsletters, push notifications and SMS from Guffo about updates and offers. I can withdraw consent at any time.”
     [ ] I agree
  3. Cookies/SDKs (banner summary):
     > “We use cookies for operation, statistics and marketing. You can accept allreject all or customise by purpose/vendor.”

ANNEX B — Data Processing Addendum (DPA) — summary for B2B clients

  1. Scope & duration: processing of the Partner’s end‑customer data for the term of the commercial agreement.
     
  2. Documented instructions: Guffo processes data only on the Partner’s instructions.
     
  3. Confidentiality & training: staff bound by confidentiality and trained.
     
  4. Security: appropriate technical and organisational measures (technical annex).
     
  5. Subprocessors: authorised under equivalent contracts; Guffo remains responsible.
     
  6. Assistance: support with data subject requests, incidents, DPIAs and prior consultations.
     
  7. Breach notification: without undue delay with necessary information.
     
  8. International transfers: SCCs or other valid mechanisms.
     
  9. Return/deletion: upon termination, data is deleted or returned per instructions.
     
  10. Audit: Partner’s audit rights (subject to security and reasonable notice).

ANNEX C — Regional Addenda (Brazil – LGPD; United Kingdom – UK GDPR/PECR)

C.1 — Brazil — LGPD (Law 13.709/2018)

Controller & DPO channel: Easytoday Unipessoal, Lda. DPO contact: contato@guffo.co.
 Legal bases (Art. 7): (i) contract performance; (ii) legal/regulatory obligation; (iii) legitimate interests (with Legitimate Interest Assessment/Report as applicable); (iv) consent (sharing with Partners for Partner marketing and Guffo marketing).
 Data subject rights (Arts. 18 & 20): confirmation of processing, access, correction, anonymisation/deletion, portability, information on sharing, consent withdrawal, review of automated decisions. Timing: responses within 15 days for confirmation/access, and promptly for others.
 Children & adolescents (Art. 14): data of children under 12 only with specific, highlighted consent from legal guardian and in the best interests of the child.
 Sharing with Partners: for performance/related follow‑up (legitimate interest/contract); for Partner marketingconsent is required.
 International transfers (Arts. 33–36): contractual safeguards/adequacy and proof of compliance.
 AuthorityANPD; contact channel: contato@guffo.co.

C.2 — United Kingdom — UK GDPR & PECR

Controller: Easytoday Unipessoal, Lda.
 UK representativeif/when applicable (if we target UK individuals without a UK establishment).
 Electronic marketing (PECR):
 – Requires prior consent for email/SMS/push to individuals, except soft opt‑in when: (a) details were obtained in the context of a sale or negotiation of a sale of a Guffo product/service; (b) messages are about similar products/services; and (c) a clear opt‑out is offered at collection and in each message.
 – Sharing contacts with Partners for Partner marketing requires separate, specific consent per Partner.
 Cookies/SDKsconsent required before setting non‑essential cookies (analytics/marketing).
 Rights & redress: equivalent to GDPR; UK supervisory authority: ICO.
 Transfers: use SCCs + UK Addendum or IDTA as applicable.

Cookie Policy (EU/UK)

Version: 0.3
 Effective date: 11 August 2025
 Controller: Easytoday Unipessoal, Lda. (“Guffo”)
 Contact: contato@guffo.co

1) What are cookies and SDKs?

Cookies are small files placed on your device by websites you visit. SDKs are code components embedded in apps that can access device identifiers and storage. Both can be first‑party (set by us) or third‑party (set by our vendors).

2) Legal basis

Under EU/UK law (ePrivacy/PECR): – Strictly necessary cookies/SDKs: no consent required, but we inform you.
 – Non‑essential (e.g., analytics, personalisation, marketing/advertising): consent is required before placement. You may withdraw consent at any time through our preference centre.

3) How we use cookies/SDKs

  • Strictly necessary: session management, load balancing, authentication, security/fraud prevention, cookie consent storage.
     
  • Analytics/measurement: to understand usage, quality and performance, and to improve the Services.
     
  • Personalisation/marketing: to remember preferences and, where permitted by consent/soft opt‑in rules, to tailor recommendations and measure campaigns.

4) Managing your choices

  • Consent banner & preferences: on first visit/app launch, you can accept allreject all, or customise by purpose/vendor. You can change settings at any time in Settings → Privacy → Cookies.
     
  • Browser/device controls: you can delete cookies and block new ones via browser/device settings; doing so may affect some features.
     
  • Do Not Track/Global Privacy Control: where technically feasible, we will honour such signals for non‑essential cookies.

5) Retention

  • Session cookies expire when you close the browser/app.
     
  • Persistent cookies last up to 13 months (analytics/marketing) unless you withdraw consent earlier.
     
  • SDK identifiers are retained no longer than necessary and are resettable (e.g., advertising ID).

6) Third‑party cookies/SDKs

We use reputable service providers acting as our processors or, in some cases, as independent controllers (e.g., when they collect data for their own purposes upon your consent). A current list of third‑party cookies/SDKs (name, purpose, provider, type, duration) is available in Settings → Privacy → Cookie details and will be updated as integrations change.

7) International transfers

Where third‑party providers are located outside the EEA/UK, we implement SCCs (and, for the UK, IDTA/Addendum) plus supplementary measures as needed.

8) Changes to this Cookie Policy

We will update this Policy as needed and indicate the effective date. Material changes will be notified where appropriate.

9) Contact

Questions about cookies? contato@guffo.co.

Instagram

Privacy

Terms

© 2025 Easytoday Unipessoal, Lda. All rights reserved.

Contato