This Privacy Policy describes how Buffet Quintal da Vila Ltda ("we," "our" or "the Venue") collects, uses, stores and protects the personal data of our event clients, guests, website visitors and all others whose data is processed in connection with our event space and buffet activities in Vila Olímpia, São Paulo, SP.
As a registered limited company (Ltda), we are fully committed to compliance with the Brazilian General Data Protection Law — LGPD (Lei nº 13.709/2018), the Brazilian Consumer Protection Code — CDC (Lei nº 8.078/1990), ANVISA food service and catering regulations, and applicable tax legislation in the State of São Paulo.
Introduction and Scope
This Policy applies to all personal data processed by our event space and buffet — including clients who commission events (the contracting party), event guests who attend celebrations at our venue, website visitors and anyone whose data is processed in connection with our activities.
Events hosted at Buffet Quintal da Vila involve three distinct groups of data subjects: the client (who commissions and pays for the event), guests (who attend), and in some cases third parties named in event documentation. This Policy addresses all three.
Identity of the Controller
Entity type: Sociedade Limitada (Ltda)
CNPJ: 47.424.905/0001-52
Activity (CNAE): Casas de Festas e Eventos
Address: Av. Dr. Cardoso de Melo, 610, Vila Olímpia, São Paulo — SP, CEP 04548-003, Brasil
Email: privacidade@quintaldavila.com.br
Personal Data We Collect
We collect data across three distinct groups:
- Event client data (contracting party): Name, CPF or CNPJ, phone number, email and event specifications — collected when clients commission an event, visit the venue or request a quotation. This is the primary data collection relationship.
- Event guest data (limited): Where strictly required for event management purposes — such as a guest list provided by the client for security, catering headcount or seating plans — we may process guest names and dietary requirements. This data is provided by the event client, not collected directly by us from guests.
- Dietary and allergen information (voluntary): Food allergies and dietary restrictions for guests attending the event — provided by the client or by guests directly prior to the event. See Section XII ("Sensitive Data — Dietary & Allergen Information").
- Billing data: Name and CPF or CNPJ for NF-e issuance — in compliance with SEFAZ-SP and ISS/Prefeitura de São Paulo requirements.
- Contact and enquiry data: Messages via WhatsApp, telephone or online form.
- Technical website data: IP address, browser type, pages visited and access times.
Purpose and Legal Basis
| Purpose | Legal Basis (LGPD) |
|---|---|
| Event space rental and buffet service delivery | Performance of contract (Art. 7º, V) |
| Event production, coordination and guest management | Performance of contract (Art. 7º, V) |
| Guest dietary and allergen management for safe food service | Legitimate interest; Consent (Art. 11, I) |
| Issuing NF-e / NFC-e; SEFAZ-SP tax compliance | Legal obligation (Art. 7º, II) |
| ISS — Prefeitura de São Paulo | Legal obligation (Art. 7º, II) |
| ANVISA / VISA-SP food service and catering compliance | Legal obligation (Art. 7º, II) |
| Consumer rights under CDC — service quality | Legal obligation; CDC Arts. 14–26 |
| Venue visit scheduling and event planning communications | Performance of contract; Legitimate interest |
| Website analysis and improvement | Legitimate interest; Consent (cookies) |
Data Sharing
- SEFAZ-SP / Receita Federal: Tax data for NF-e / NFC-e issuance and applicable federal and state tax compliance.
- Prefeitura de São Paulo (ISS): For ISS/ISSQN obligations on event space and buffet service activities.
- ANVISA / VISA-SP: In the context of food safety inspections or regulatory compliance for catering and buffet service — only as legally required.
- Third-party event suppliers (on behalf of client): Where the event requires coordination with decoration suppliers, audio-visual companies, photographers or entertainment — minimum necessary logistics data is shared as instructed by the event client. No personal guest data is shared with third-party suppliers beyond what is operationally required.
- PROCON-SP: When required in a consumer dispute mediation under the CDC.
- Legal authorities: When required by a competent judicial or administrative order.
Guest dietary and allergen information is shared only with our kitchen and catering team for the specific event and never with external suppliers.
International Transfers
Our event operations are exclusively in Vila Olímpia, São Paulo. Primary storage of client and event data is in Brazil. Any technology platforms for communication or event management that operate on international servers do so only under Art. 33 of the LGPD or recognised adequacy mechanisms.
Retention Periods
- NF-e / NFC-e and fiscal records: Minimum 5 years under federal and state tax legislation (CTN, Art. 174; SEFAZ-SP).
- Event service records — CDC: Event catering and buffet services are non-perishable services under CDC Art. 26, II — the 90-day warranty period applies to the service quality. Event contract records are retained for up to 5 years for fiscal and dispute documentation.
- Event client contract and planning records: Duration of the event relationship plus 5 years — for contractual, fiscal and dispute documentation.
- Guest dietary and allergen data: Retained only for the duration of the specific event and discarded thereafter — unless the client requests retention for a recurring event series.
- Contact and enquiry data: Up to 1 year from last interaction if no event was commissioned.
- Website analytics: Aggregated and anonymised after 12 months.
Security Measures
- Event client data and contracts accessible only to venue management and authorised event coordination staff;
- Guest lists and dietary information shared only with kitchen and catering teams for the specific event — not retained beyond the event date without client instruction;
- WhatsApp and email event planning communications handled with discretion;
- ANVISA food safety hygiene standards maintained throughout kitchen and catering areas;
- Encryption in transit (HTTPS) for website and digital communications;
- PCI-DSS certified payment terminals — card data never retained;
- As a Ltda, formal internal data handling protocols maintained;
- Incident response procedures and breach notification per LGPD Art. 48.
Your Rights under the LGPD
- Confirmation and Access (Art. 18, I–II): Confirm whether we hold your data and receive a copy — including event contract records and any retained guest data provided by you.
- Correction (Art. 18, III): Request correction of inaccurate data.
- Anonymisation / Blocking / Deletion (Art. 18, IV): Request restriction or deletion — subject to NF-e fiscal and event contract retention obligations.
- Portability (Art. 18, V): Receive your data in a structured format.
- Deletion of consent-based data (Art. 18, VI): Request deletion of consent-based data, including retained dietary information.
- Information on sharing (Art. 18, VII): Find out which entities your data has been shared with.
- Withdrawal of Consent (Art. 8º, §5º): Withdraw consent at any time.
- Complaint to the ANPD (Art. 18, §1º): Lodge a complaint at www.gov.br/anpd.
We respond within 15 business days. Rights relating to guest data provided by the event client should be directed to the contracting client in the first instance, as they are the source of that data.
Cookies and Tracking
Our website may use cookies for essential functionality and aggregated performance analysis. We do not use behavioural tracking cookies for advertising without prior consent. Preferences can be managed through browser settings.
Protection of Minors
We host celebrations that frequently involve children and families — birthday parties, debutante events and family gatherings. We do not directly collect personal data from children under 13. Guest lists that include children's details are provided by the contracting adult client and are used only for event logistics. We never use event guest data for any marketing purpose. For debutante (15 anos) events, the contracting party is always the responsible adult parent or guardian.
Sensitive Data — Dietary & Allergen Information
Dietary restrictions and food allergies provided for event catering may constitute health-related data under LGPD Art. 11 in certain contexts. We handle this with care:
- Dietary and allergen information is collected to ensure safe and appropriate food service for all event guests — it is used only for the specific event;
- This information is shared only with our kitchen and catering team — never with third-party event suppliers or any external party;
- It is discarded at the conclusion of the event, unless the client requests retention for a recurring event;
- We comply with ANVISA's mandatory allergen declaration requirements under RDC 26/2015 and RDC 727/2022 for all buffet items.
Updates to this Policy
This Policy may be updated to reflect changes in our activities, the LGPD, ANPD guidance, ANVISA regulations or applicable tax legislation. Material changes will be communicated via our website or directly to active event clients by WhatsApp or email.
Contact & Data Protection Officer
All privacy requests, questions and complaints should be directed to our Data Protection Officer (Encarregado — LGPD Art. 41):
Privacy Contact — Buffet Quintal da Vila Ltda
ANPD — Autoridade Nacional de Proteção de Dados
www.gov.br/anpd