CP App Privacy Policy

The app has certain areas that are only accessible once the user has registered with myCP. The data collected through registration is intended solely for CP’s use, and the privacy and protection of the data registered by users is guaranteed.

CP - Comboios de Portugal, E.P.E. (hereinafter CP), as the entity responsible for processing the personal data provided to it, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly referred to as the General Data Protection Regulation (GDPR) and other applicable national and EU legislation, has adopted the Personal Data Privacy Policy set out in this document, which establishes how it collects, stores and processes Personal Data, ensuring its confidentiality and security.
This Personal Data Privacy Policy applies to all personal information collected, processed and stored by CP through the various forms and channels.
When accessing areas that require the provision of personal data, referred to as “Personal Data”, the service user (hereinafter referred to as the data subject) must familiarise themselves with this Personal Data Privacy Policy and with CP’s Terms and Conditions of use and service provision. 
For the purposes of Article 8(1) of the GDPR, that is, with regard to the direct provision of services by the so-called information society, CP guarantees that no personal data is requested from minors under the age of 16, unless the prior express consent of their legal representatives has been obtained, whether they be parents, guardians or carers, who must have been made aware of this Personal Data Privacy Policy.
 

The processing operations carried out by CP comply with the fundamental principles of data protection and privacy, which ensure the smooth running of processes, trust among customers and partners, as well as the company’s public image: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and transmission.

CP ensures that all personal data is processed lawfully, that is, in strict compliance with the principles of lawfulness set out in the GDPR. This principle of lawfulness applies where at least one of the following situations applies: The data subject has given their consent for one or more of the purposes for which it is required; the processing is necessary for the performance of a contract to which the data subject is party, or for pre-contractual measures taken at the data subject’s request; for compliance with a legal obligation to which the controller is subject; for the protection of the data subject’s vital interests; for the performance of a task carried out in the public interest or in the exercise of official authority; for the purposes of the legitimate interests pursued by the controller.

The Personal Data provided by the data subject through various means of interaction with CP is intended for one or more of the following purposes:

  1. To enter into the transport contract and manage the contractual relationship established, including validation, monitoring and the drawing up of reports;
  2. To process and respond to requests for information, suggestions and complaints;
  3. To deliver lost property;
  4. To provide the SIM service (Integrated Mobility Service, available to people with reduced mobility);
  5. To receive unsolicited applications and recruitment applications;
  6. To improve the browsing experience on the cp.pt website and the CP App (cookies);
  7. To provide information regarding changes or incidents affecting the services provided (e.g. traffic changes);
  8. To provide information regarding CP’s products and promotions and those of its partners, sending newsletters and running competitions;
  9. To conduct customer satisfaction surveys;
  10. To respond to service evaluation questionnaires;
  11. To manage customer relationships (e.g. bespoke services);
  12. To segment customers to improve service offerings, tariffs and loyalty programmes, in accordance with their tastes and preferences regarding the use of the services provided.

(For the purposes referred to in points 1 to 5, the Data Subject’s consent is not required, in accordance with Article 6(1)(b) of the GDPR)

In order to provide a more personalised service, the cp.pt website uses cookies to collect and store information. A cookie is a small text file that is placed on the user’s device (e.g. PC, mobile phone) and allows the site to remember their choices, dates and previous browsing history; in other words, it stores the user’s preferences regarding the use of the website, personalising their experience so that they do not need to reconfigure the site each time they visit it.

  • Essential cookies
    • Some cookies are essential for accessing specific areas of the website. They enable navigation on the website and the use of its applications, such as accessing secure areas via login. Without these cookies, the services that require them cannot be provided.
  • Analytical cookies
    • These cookies collect information regarding your use of the website, for example, which pages you visit most frequently. This data may be used to help optimise our web pages and make navigation easier. These cookies do not collect information that identifies you. All information collected by these cookies is aggregated and, as such, anonymous. 
  • Functionality cookies
    • These cookies allow pages on the website to remember the choices you make whilst browsing, i.e. they save your preferences regarding the use of the website, so that you do not need to reconfigure the site each time you visit it.
  • Advertising cookies
    • These cookies help measure the effectiveness of advertising. However, they do not identify you.

In most cases, cookies are deleted when you close your browser (session cookies). Some more persistent cookies remain in your browser until you delete them or they expire.
You can change your browser settings to block or delete cookies, or to be notified whenever a new cookie is stored on your computer, allowing you to decide whether to accept or reject it. If you choose to block or delete our cookies, you may not be able to access all of our services, and this may affect the performance of our website on your system.
You can find further information on the settings for each browser (e.g., Firefox, Chrome, Explorer, Opera) on their respective websites.

When you access services that require location identification, based on your prior, free and informed consent, the application may collect and process geographical location data – either precise or approximate, depending on your choice – from your device, exclusively for the following purposes:

  • Identifying nearby stations;
  • Displaying timetables, routes and personalised information;
  • Improving the user experience.

The user’s location data is treated as strictly confidential and will not be disclosed to third parties without the data subject’s consent, except where such disclosure is necessary for the provision of the requested service or to comply with legal obligations.
Location data is used only for the identified purposes and is not stored as a location history.

Personal Data provided by the data subject may require their express consent, depending on the purpose for which it is intended. In such cases, consent is given freely, specifically in an informed and explicit manner, by the data subject through each of the different channels of interaction with CP. 

At any time, the data subject may request the withdrawal of any consent given for the processing in question. Withdrawal may be made via the website, in the myCP personal area - https://www.cp.pt/pt -, or by completing the relevant form, to be handed in at our points of sale, upon unequivocal identification of the data subject. The withdrawal of consent regarding a specific processing of personal data does not affect the lawfulness of processing already carried out on the basis of that consent.

CP undertakes to adopt administrative, technical, physical and organisational measures that guarantee the security, integrity and privacy of data subjects’ personal data, appropriate to the risk of each processing operation and consistent with established practices in the European Union. These measures are designed to protect personal data against disclosure, misuse, unauthorised access, loss, alteration, or destruction, as well as any other unlawful processing.

Partners and subcontractors who have access to personal data are obliged to adopt the security, organisational and technical measures and protocols necessary to protect such data.

Data used to make payments, in particular credit/debit card data, is provided directly on the platforms of the respective service providers. CP does not have access to this data.

The data subject guarantees that the personal data provided is true and accurate and undertakes to notify any changes thereto. Any damage caused to CP or to any third party through the provision of erroneous, inaccurate or incomplete information in the registration forms shall be the sole responsibility of the person who entered or provided it.

The data subject undertakes not to disclose their username and password. If they do choose to share them with anyone, they are fully responsible for all activities carried out via their personal myCP area.

The provision of information or services by CP may, in some cases, involve the transfer of or access to personal data by partners and subcontractors. CP guarantees that it will only use entities that provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures, ensuring that the processing complies with applicable legislation. The categories of partners and subcontractors include:

  • Other rail operators;
  • Operators of transport services complementary to the rail service;
  • Car hire companies;
  • Accommodation providers;
  • Ticket sales and customer service (travel agencies, helpline);
  • Email services;
  • Information technology services, namely application management and administration and the provision of infrastructure;
  • Audit services and other similar services;
  • Payment and fraud control services.
  • The data provided may also be transferred to official bodies in compliance with legal obligations.

CP only transfers personal data to entities located outside the EU in compliance with legal obligations or where compliance with national and EU legal standards is guaranteed.

CP does not sell, buy or in any way trade personal data.

On its website, CP includes hyperlinks to other websites or to third-party resources, including its partners.
CP accepts no responsibility for the content, accuracy, availability or privacy practices of these websites or external resources. It accepts no liability, either directly or indirectly, for any damage, loss or infringement caused, or allegedly caused, or related to, the use of these websites or external resources.

Data protection legislation grants data subjects the right to information regarding the purposes and processing of their data, as well as the right to access, rectify, erase, restrict processing, and to data portability, and also to object to automated individual decision-making.

To exercise the rights described above, the data subject should contact CP’s Data Protection Officer (protecaodado@cp.pt).

If the customer has only provided their personal data via myCP, deleting their account is equivalent to erasing their data, provided they do not hold a CP Card. In this case, their digital account may be deleted, but their CP Customer account will remain active for the duration of the Card’s validity.

Deleting the myCP account means you will no longer be able to access your personal data or view your purchases. In this case, all after-sales transactions (e.g., exchanges/refunds) must be carried out in person at a ticket office or customer service centre.

The cardholder may also lodge a complaint with the competent national supervisory authority.

Where there is no specific legal requirement, Personal Data will be retained only for as long as is strictly necessary to fulfil the purposes for which it is intended. The period for which the data is retained depends on the purpose for which the information is processed.

The data subject may contact us regarding questions about CP’s application of the General Data Protection Regulation via the website’s Customer Information/Contacts page, by email at protecaodado@cp.pt, or by post to the Data Protection Officer, CP- Comboios de Portugal, Calçada do Duque, 20, 1249-109, Lisbon, Portugal.

To ensure the document remains up to date, CP may amend this Privacy Policy at any time without prior notice and with immediate effect. These changes will be duly publicised on the website and at ticket offices and, if necessary, renewed acknowledgement and consent will be requested.

This Privacy Policy was updated on 20 April 2026.