Privacy Policies
Updated and published in: June 2025
1. Scope of application
This Privacy Policy (hereinafter referred to as the “Policy”) aims to present the commitments of Pluris Investments S.A., a public limited company with registered office at Rua de Miragaia, No. 103, Porto, registered with the Commercial Registry Office under the single registration and corporate taxpayer number 508 767 881, and of the corporate group it heads (as defined below), regarding the management of privacy and protection of personal data of the data subjects whose processing falls under its responsibility, and to comply with the requirements of the General Data Protection Regulation (hereinafter referred to as the “Regulation”)[1] and its corresponding national implementing legislation[2].
This Policy therefore applies to all companies that, directly or indirectly, form part of the corporate group headed by Pluris Investments S.A., that is, its current and future subsidiaries[3]. It also applies to companies in which more than 50% of the share capital and voting rights are directly held by the majority shareholders of Pluris Investments S.A. (hereinafter collectively referred to as “PLURIS” or the “Pluris Group”), except, however, for those Pluris Group companies that have their own privacy policy, in which case that specific policy shall prevail and apply instead of this Policy.
It also intends to demonstrate how personal data will be processed within the context of the activities carried out by the Pluris Group and its employees, by defining internal rules that comply with the requirements set out in the Regulation, namely with respect to lawfulness, processing, and storage.
All personal data will be processed and managed under the terms of this Policy, together with the Information Security Management Policy, taking into account an inventory of personal data that is maintained and updated accordingly.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as subsequently amended.
[2] Law No. 58/2019 of 8 August (and its subsequent amendments), which ensures the implementation of the General Data Protection Regulation within the national legal framework.
[3] For the purposes of this Policy, “subsidiary” shall mean any company in which Pluris Investments S.A. directly or indirectly holds at least 10% of its share capital.
2. Roles and responsibilities
The Management of the Pluris Group shall ensure that this Policy is aligned with the Group’s overall strategy, thereby guaranteeing its continuous improvement in matters relating to information security and privacy.
The Data Protection Officer (DPO) is responsible, among other duties, for ensuring ongoing and systematic compliance with the requirements of the Regulation, verifying that all data subjects’ rights are being respected, and that appropriate security controls are implemented to achieve the objectives defined herein.
The Management of the Pluris Group appoints and assigns to the DPO the functions and responsibilities described above for all companies within the Pluris Group, except for those that have their own DPO, who shall assume such functions and responsibilities within their respective entities.
All Pluris Group employees, as well as its subcontractors — where applicable — are responsible for cooperating with, complying with, and ensuring compliance with the commitments established in this Policy.
For river and ocean vessels, a “Local DPO” shall also be designated for each ship, whose mission is to perform local DPO duties while the vessel is in cruise operation, acting in accordance with the rules set forth in this Policy.
3. Data subjects
In carrying out its activities and the related processing purposes, the Pluris Group collects personal data from the following sources:
- Corporate clients under contract;
- Clients registered through web tools;
- Clients purchasing tickets;
- Job applicants, whether through spontaneous applications or responses to advertised job offers;
- Internal employees and contracted service providers;
- Suppliers and service providers;
- Visitors to physical or nautical facilities;
- Third parties requesting contact and/or subscription to newsletters.
4. Guarantee of confidentiality and privacy of personal data
The personal data identified in this Policy shall be processed individually by the entities belonging to the Pluris Group, as the respective controllers of such data.
To ensure the confidentiality and privacy of the data, the Pluris Group guarantees that access to personal data will be restricted solely to employees formally authorized to perform their duties.
Each employee’s responsibilities regarding security, privacy, and personal data protection are detailed in the contracts entered into with the Pluris Group, including the confidentiality and non-disclosure obligations to which they are bound.
Furthermore, personal data collected by the Pluris Group will not be shared with third parties without the data subject’s consent, except in cases permitted by applicable law — for example, when the data subject contracts services from the Pluris Group that are provided by other data controllers, when sharing is required by a legal obligation to which the Pluris Group is subject, or when necessary to fulfill the legitimate interests of the Pluris Group or a third party.
In the event that personal data is shared with third parties, all reasonable efforts shall be made to ensure that the recipient uses such data in accordance with this Policy.
5. Identification of the person responsible for the processing of personal data
Each company belonging to the Pluris Group that, in particular, enters into a contract with the data subject is solely and individually responsible for the processing of personal data carried out in the course of its activities and for the pursuit of its purposes.
Without prejudice to the above, the Pluris Group, in accordance with applicable legislation and this Policy, may engage third-party entities, subcontracted by it, to process personal data on its behalf and in accordance with its instructions (for further details, see point 7.3 a) below).
6. Data protection impact assessment
In cases where data processing operations are likely to result in a level of risk deemed unacceptable by the Pluris Group, the Group shall, prior to the commencement of processing, carry out a Data Protection Impact Assessment, in accordance with Article 35 of the Regulation, with the purpose of identifying, reducing, and/or eliminating such risks.
7. Collection, processing, sharing and retention of personal data
The personal data collected and processed by the Pluris Group essentially consists of information relating to name, gender, date of birth, telephone, mobile phone, email, address, tax identification number, and credit card details (collected only for payment purposes). Other personal data may also be collected when necessary or appropriate for the provision or collection of services by the Pluris Group.
7.1. Collection of Personal Data
a) Directly collected
Personal data is collected directly through the following means:
- Spontaneous job applications or responses to job offers, including submission of a Curriculum Vitae;
- Completion of paper forms;
- Capturing of images and videos at fixed facilities or on board sea or river vessels;
- Biometric data;
- Email;
- Telephone (in the case of employees);
- Purchase of tickets, marketing products, or other materials in physical stores or on Pluris Group vessels, including restaurant services;
- Online shopping websites.
b) Indirectly collected
Personal data may be collected indirectly through the following means:
- Importing the contents of a Curriculum Vitae into the human resources database;
- Importing data under shared responsibility with contracted business partners;
- Marketing points of sale, restaurant services, or similar activities;
- Employment recruitment agencies;
- Medical service providers;
- Life insurance service providers;
- Marketing automation tools and online advertising platforms of subcontracted partners;
- From subcontracted partners regarding order placements, namely, the purchase of tickets granting access to exhibitions and/or to products and/or services of the Pluris Group.
The collection of sensitive personal data shall only occur in cases strictly necessary and justifiable by the nature of the activities carried out by the Pluris Group and in accordance with applicable legislation.
In addition, for personal data collected electronically, the Cookies Policy complements this matter, presenting the available “opt-in” and “opt-out” options for this component of the websites. This Policy can be accessed via the following link https://www.mysticocean.de/cookie-policy/.
Data subjects may also exercise “opt-out” rights from online advertising services on social platforms, namely Facebook, Google Ads, Instagram, LinkedIn, among others.
The Pluris Group ensures that no manual or electronic form contains pre-filled options, and that all selections are made directly by the data subject.
Personal data shall be collected on the basis of the lawful grounds set forth in this Policy and in compliance with the principle of data minimization.
7.2. Processing of Personal Data – Use, Purposes, and Legal Basis
In general terms, the Pluris Group uses personal data in the situations and for the justifications, purposes, and legal bases presented below:
There will be no use of personal data for the creation or use of sales profiles or indicators relating to products, regions, or trends.
7.3. Sharing of Personal Data – Third Parties
As previously stated, the Pluris Group discloses personal data to third parties — whether subcontracted or not — of a public or private nature, for the justifications, purposes, and legal bases outlined above. These entities are legally bound to process personal data in accordance with the provisions of the GDPR.
a) Recipients of personal data:
In general, the Pluris Group communicates personal data to the following recipients:
- Social Security;
- Tax and Customs Authority, enforcement agents, or other legal entities;
- Insurance companies;
- Software and systems licensing, maintenance, support, and technical assistance companies;
- Security/surveillance companies and companies providing preventive and corrective maintenance of security systems;
- Occupational health companies;
- AIMA (former SEF – Immigration and Borders Service);
- Trade unions;
- Travel agencies and tour operators;
- Temporary employment agencies;
- Consultants and lawyers.
b) Subcontracted entities
Personal data may be shared with subcontracted entities under the terms of contracts entered into with them. The Pluris Group only engages subcontractors who, in accordance with the law, ensure the implementation of adequate technical and organizational measures for the protection of personal data through data processing agreements established under Article 28 of the Regulation, thereby safeguarding the rights of data subjects under applicable data protection law.
The sharing of data classified as sensitive shall only occur with lawful entities, partners providing medical services, and similar entities, as legally permitted.
These data-sharing arrangements will generally take place within the European Economic Area (EEA).
However, there are specific situations that require the sharing of data with entities outside the EEA, namely:
- With port authorities, for security and immigration control purposes on ocean cruise vessels, in compliance with applicable legal provisions;
- With companies within the Pluris Group, to support activities of legitimate interest, ensuring data minimization in all processing.
There is also the possibility of data sharing with formally authorized subcontractors for digital marketing purposes, provided that the personal data involved in such sharing are subject to the explicit consent of the respective data subject. Data subjects retain the right to opt out and withdraw consent at any time.
These data-sharing arrangements may result in transfers of data outside the EEA, for example, in cases of digital marketing campaign segmentation with intercontinental subcontracting partners. In such cases, the organization will take care to implement appropriate security controls for each identified risk situation and ensure the unconditional enforcement of data subjects’ rights and compliance with all requirements of the Regulation.
7.4. Retention of Personal Data
Data are retained for the period necessary for the purposes for which they are processed, and this period varies depending on those purposes. When data are retained for longer periods, the legally prescribed measures for such retention are applied.
Personal data are thus stored, inter alia, to ensure compliance with applicable laws (e.g., tax, labor, and/or accounting obligations), and/or for the operational needs and legitimate interests of the Pluris Group (e.g., prevention of money laundering and terrorist financing, or support in legal proceedings), and/or for the protection of the vital interests of the data subject or another natural person.
In general terms, the table below indicates the retention period adopted by the Pluris Group, depending on the type of personal data concerned.
In any case, and prevailing over what is indicated in the table above, if it is necessary to retain personal data for the purpose of handling a complaint, an inspection process of an administrative offence nature, an administrative or judicial procedure, a work accident/occupational disease compensation process, among others, such data shall be retained for a period of 7 years after the date on which that inspection, complaint, administrative offence, administrative or judicial process has been definitively concluded, without the possibility of appeal or further challenge; or, in the case of data relating to the compensation of a work accident/occupational disease, for a period of 5 years after the worker’s incapacity has become permanently stabilized, without any possibility of future alteration.
Furthermore, for all purposes, the Pluris Group reserves the right to retain personal data that have been processed in specific matters until the expiry of the applicable statute of limitations for such matters, whenever that period is longer than any of those indicated in the table above.
For the purposes of this Policy, retention means the secure storage of data, in digital and/or paper format, ensuring proper access management conditions to guarantee confidentiality, integrity, information availability, and non-repudiation, as well as preservation under appropriate conditions for use during the defined retention period.
As stated, the legal requirements that mandate the retention of personal data for a minimum period for each purpose will be observed.
When no minimum period is legally imposed, personal data shall be retained:
(i) where applicable, for the period determined by the competent data protection authority for the specific cases in question; or
(ii) for the periods indicated above, deemed necessary for the purposes for which the data were collected or will subsequently be processed,
after which the data shall be permanently deleted in a secure manner.
8. Use & purpose of cookies
Cookies are used to personalize content and advertisements according to user characteristics, to enable interaction with social media functionalities, to analyze website traffic, and to support the security controls implemented.
The websites on which cookies are used are the following:
www.douroazul.com, www.mysticcruises.com, www.mysticocean.de, www.riversightseeing.pt, www.portosightseeing.pt, www.worldofdiscoveries.com, www.quintadacarlota.com, www.almada234.com, www.pluris.com, www.fotobeleza.com.
Depending on the options selected by the user, data may be shared with our social media partners for advertising purposes, for analyzing traffic and browsing behavior on the websites, and for social media tools within the scope of this Policy.
Under no circumstances will personal data be collected through cookies.
For more details, the applicable policy — namely, the Cookies Policy — may be consulted on the institutional websites of the Pluris Group, via the following link https://www.mysticocean.de/cookie-policy/, and on its internal networks.
8.1. Types of Cookies
Cookies are text files that can be used by websites to make the user experience more efficient.
According to the applicable legislation, cookies may be stored and operated on the user’s device if they are strictly necessary for the functioning of the website.
For all other types of cookies, the user, as the data subject, is entitled to exercise their right to informed consent.
Some cookies may be automatically installed by our business partners. However, such installation is always carried out in an explicit manner for the user.
Websites may use the following types of cookies:
a) Necessary
Necessary cookies support the execution of basic functions such as page navigation and traceability.
It is important to note that the website may not function properly without these cookies; therefore, they are considered essential and justified.
b) Statistical or Functional
Statistical cookies help the website administrator understand how users interact with the website’s pages, collecting and processing information anonymously.
c) Marketing
Marketing cookies are used to track the user’s access and sequence of page usage.
They allow for the personalization of advertisements and/or other marketing materials presented to the user, making them relevant and appealing, thus creating a more personalized and dynamic browsing experience.
The website user, as the data subject, must select, in each available box, the type of cookies they expressly authorize.
By clicking the “Accept” button, the user acknowledges acceptance of this Policy and the Cookie Policy and confirms authorization for the types of cookies previously selected.
9. Data subjects' rights
As provided for in data protection legislation and depending on the specific situation, the data subject may have the right to:
i. Request access to their personal data:
The data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed and, if so, to request access to such data. They may have the right to obtain a copy of the personal data being processed.
ii. Request rectification of their personal data:
The data subject has the right to obtain the rectification of inaccuracies concerning their personal data. Considering the purpose of the processing, they have the right to have incomplete personal data completed, including by means of an additional statement.
iii. Request erasure of their personal data:
In certain circumstances, the data subject may have the right to obtain the erasure of their personal data, and the Pluris Group, where legally required, undertakes to delete such data.
iv. Request restriction of processing:
In certain circumstances, the data subject may have the right to obtain restriction of processing of their personal data. In such cases, the data will be marked and may only be processed by the Pluris Group with consent or for specific purposes.
v. Request data portability:
In certain circumstances, the data subject may have the right to receive the personal data they have provided to the Pluris Group in a structured, commonly used, and machine-readable format, and to transmit that data to another entity without hindrance from the Pluris Group.
vi. Object to data processing:
In certain circumstances, the data subject may have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them.
vii. Withdraw consent at any time.
Finally, data subjects are informed that a complaint may be lodged with the national supervisory authority (Comissão Nacional de Proteção de Dados – https://www.cnpd.pt/index.asp) when satisfaction has not been obtained in exercising their rights.
Data subjects will be provided with the means to exercise their rights under the Regulation.
The DPO appointed by the Pluris Group will be involved in all matters relating to personal data protection. Any questions that data subjects deem necessary should preferably be submitted in writing to the following email address: dpo.mysticinvest@mysticinvest.com.
If the data subject wishes to report a privacy breach, they should use the Whistleblowing Channel available, or, if not applicable, submit a complaint via complaint.mysticinvest@mysticinvest.com or directly to the competent supervisory authority.
Alternatively, the data subject will have access to a web communication portal, where they may carry out all the interactions mentioned above and obtain information about the processing of such requests.
Following the registration of a complaint and/or privacy breach, the Pluris Group undertakes to inform the data subject of each step and progress of their complaint process, without prejudice to the time limits defined by the Regulation.
The right to be forgotten, or the erasure of personal data at the request of the data subject, will only be given effect by the Pluris Group when there is no applicable legislation requiring retention of the data for a specific legal period (e.g., prevention of money laundering and terrorist financing).
10. Review and continuous improvement
This Policy may be reviewed at any time, particularly whenever there are significant changes to the inventory of personal data and/or to the Pluris Group’s IT or documentary systems.
Each review will result in a new version of this Policy.
11. Dissemination and publication
This Policy is classified as public access information and will be available for consultation online, either on the institutional website, business-support Internet tools, or on the Pluris Group’s internal social networks.
During the onboarding process, new employees will be made aware of this Policy and will be required to participate in mandatory training and awareness sessions on security, privacy, and personal data protection.
After publication and dissemination of this Policy, employees are required to:
➢ Protect the information assets under their responsibility;
➢ Collaborate in managing the associated risks;
➢ Report any event that may compromise information security;
➢ Comply with and enforce this Policy.
Employees may consult this Policy at any time through the document management platform on the Pluris Group’s internal network.
Entities/employees who, due to their role, do not have access to the platform will be made aware of this Policy through appropriate means of communication in each case.
12. Term of the policy
This Policy was approved by the Pluris Group’s Board of Directors and becomes effective on the date of its publication.
Any subsequent amendments will take effect immediately upon publication.