CP App Privacy Policy

The app has certain areas that are only accessible once the user has registered with myCP. The data collected through registration is intended solely for CP’s use, and the privacy and protection of the data registered by users is guaranteed.

CP - Comboios de Portugal, E.P.E. (hereinafter CP), as the entity responsible for processing the personal data provided to it, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly referred to as the General Data Protection Regulation (GDPR) and other applicable national and EU legislation, has adopted the Personal Data Privacy Policy set out in this document, which establishes how it collects, stores and processes Personal Data, ensuring its confidentiality and security.
This Personal Data Privacy Policy applies to all personal information collected, processed and stored by CP through the various forms and channels.
When accessing areas that require the provision of personal data, referred to as “Personal Data”, the service user (hereinafter referred to as the data subject) must familiarise themselves with this Personal Data Privacy Policy and with CP’s Terms and Conditions of use and service provision. 
For the purposes of Article 8(1) of the GDPR, that is, with regard to the direct provision of services by the so-called information society, CP guarantees that no personal data is requested from minors under the age of 16, unless the prior express consent of their legal representatives has been obtained, whether they be parents, guardians or carers, who must have been made aware of this Personal Data Privacy Policy.
 

The processing operations carried out by CP comply with the fundamental principles of data protection and privacy, which ensure the smooth running of processes, trust among customers and partners, as well as the company’s public image: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and transmission.

CP ensures that all personal data is processed lawfully, that is, in strict compliance with the principles of lawfulness set out in the GDPR. This principle of lawfulness applies where at least one of the following situations applies: The data subject has given their consent for one or more of the purposes for which it is required; the processing is necessary for the performance of a contract to which the data subject is party, or for pre-contractual measures taken at the data subject’s request; for compliance with a legal obligation to which the controller is subject; for the protection of the data subject’s vital interests; for the performance of a task carried out in the public interest or in the exercise of official authority; for the purposes of the legitimate interests pursued by the controller.

The Personal Data provided by the data subject through various means of interaction with CP is intended for one or more of the following purposes:

  1. To enter into the transport contract and manage the contractual relationship established, including validation, monitoring and the drawing up of reports;
  2. To process and respond to requests for information, suggestions and complaints;
  3. To deliver lost property;
  4. To provide the SIM service (Integrated Mobility Service, available to people with reduced mobility);
  5. To receive unsolicited applications and recruitment applications;
  6. To improve the browsing experience on the cp.pt website and the CP App (cookies);
  7. To provide information regarding changes or incidents affecting the services provided (e.g. traffic changes);
  8. To provide information regarding CP’s products and promotions and those of its partners, sending newsletters and running competitions;
  9. To conduct customer satisfaction surveys;
  10. To respond to service evaluation questionnaires;
  11. To manage customer relationships (e.g. bespoke services);
  12. To segment customers to improve service offerings, tariffs and loyalty programmes, in accordance with their tastes and preferences regarding the use of the services provided.

(For the purposes referred to in points 1 to 5, the Data Subject’s consent is not required, in accordance with Article 6(1)(b) of the GDPR)

The CP App uses only cookies and similar technologies that are strictly necessary for the operation of the application and the provision of services requested by the user.

The cookies used are exclusively intended for the following purposes:

  • user authentication and secure identification;
  • management and maintenance of the authenticated session;
  • security and fraud prevention;
  • technical operation of the application;
  • technical monitoring and aggregated statistical analysis of the application’s performance.

The CP App does not use cookies or identifiers for:

  • personalised advertising;
  • commercial profiling;
  • tracking users across applications, websites, or third-party services;
  • data sharing for behavioural marketing purposes.

Any statistical data that may be collected is intended exclusively for CP’s internal technical analysis and is processed in an aggregated manner without directly identifying the user.
Some functionalities of the CP App, namely authentication, access to the reserved area, and maintenance of the active session, depend on the use of strictly necessary cookies. Disabling these cookies may prevent the proper functioning of the Customer Area.

The CP App uses only cookies and similar technologies that are strictly necessary for the operation of the application and the provision of services requested by the user.

Strictly Necessary Cookies
These cookies are essential for the operation of the CP App and enable:

  • user authentication;
  • maintenance of the active session;
  • secure access to restricted areas;
  • use of the application’s essential functionalities.

Without these cookies, some functionalities of the application may not work properly.

Performance and Statistical Cookies
The CP App may use cookies or similar technologies to collect aggregated and anonymised statistical information for the purpose of:

  • monitoring the technical performance of the application;
  • identifying technical errors;
  • improving the stability and reliability of the services provided.

The data collected is not used to identify users individually or to track them across applications, websites, or third-party services.

When you access services that require location identification, based on your prior, free and informed consent, the application may collect and process geographical location data – either precise or approximate, depending on your choice – from your device, exclusively for the following purposes:

  • Identifying nearby stations;
  • Displaying timetables, routes and personalised information;
  • Improving the user experience.

The user’s location data is treated as strictly confidential and will not be disclosed to third parties without the data subject’s consent, except where such disclosure is necessary for the provision of the requested service or to comply with legal obligations.
Location data is used only for the identified purposes and is not stored as a location history.

Personal Data provided by the data subject may require their express consent, depending on the purpose for which it is intended. In such cases, consent is given freely, specifically in an informed and explicit manner, by the data subject through each of the different channels of interaction with CP. 

At any time, the data subject may request the withdrawal of any consent given for the processing in question. Withdrawal may be made via the website, in the myCP personal area - https://www.cp.pt/pt -, or by completing the relevant form, to be handed in at our points of sale, upon unequivocal identification of the data subject. The withdrawal of consent regarding a specific processing of personal data does not affect the lawfulness of processing already carried out on the basis of that consent.

CP undertakes to adopt administrative, technical, physical and organisational measures that guarantee the security, integrity and privacy of data subjects’ personal data, appropriate to the risk of each processing operation and consistent with established practices in the European Union. These measures are designed to protect personal data against disclosure, misuse, unauthorised access, loss, alteration, or destruction, as well as any other unlawful processing.

Partners and subcontractors who have access to personal data are obliged to adopt the security, organisational and technical measures and protocols necessary to protect such data.

Data used to make payments, in particular credit/debit card data, is provided directly on the platforms of the respective service providers. CP does not have access to this data.

The data subject guarantees that the personal data provided is true and accurate and undertakes to notify any changes thereto. Any damage caused to CP or to any third party through the provision of erroneous, inaccurate or incomplete information in the registration forms shall be the sole responsibility of the person who entered or provided it.

The data subject undertakes not to disclose their username and password. If they do choose to share them with anyone, they are fully responsible for all activities carried out via their personal myCP area.

The provision of information or services by CP may, in some cases, involve the transfer of or access to personal data by partners and subcontractors. CP guarantees that it will only use entities that provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures, ensuring that the processing complies with applicable legislation. The categories of partners and subcontractors include:

  • Other rail operators;
  • Operators of transport services complementary to the rail service;
  • Car hire companies;
  • Accommodation providers;
  • Ticket sales and customer service (travel agencies, helpline);
  • Email services;
  • Information technology services, namely application management and administration and the provision of infrastructure;
  • Audit services and other similar services;
  • Payment and fraud control services.
  • The data provided may also be transferred to official bodies in compliance with legal obligations.

CP only transfers personal data to entities located outside the EU in compliance with legal obligations or where compliance with national and EU legal standards is guaranteed.

CP does not sell, buy or in any way trade personal data.

On its website, CP includes hyperlinks to other websites or to third-party resources, including its partners.
CP accepts no responsibility for the content, accuracy, availability or privacy practices of these websites or external resources. It accepts no liability, either directly or indirectly, for any damage, loss or infringement caused, or allegedly caused, or related to, the use of these websites or external resources.

Data protection legislation grants data subjects the right to information regarding the purposes and processing of their data, as well as the right to access, rectify, erase, restrict processing, and to data portability, and also to object to automated individual decision-making.

To exercise the rights described above, the data subject should contact CP’s Data Protection Officer (protecaodado@cp.pt).

If the customer has only provided their personal data via myCP, deleting their account is equivalent to erasing their data, provided they do not hold a CP Card. In this case, their digital account may be deleted, but their CP Customer account will remain active for the duration of the Card’s validity.

Deleting the myCP account means you will no longer be able to access your personal data or view your purchases. In this case, all after-sales transactions (e.g., exchanges/refunds) must be carried out in person at a ticket office or customer service centre.

The cardholder may also lodge a complaint with the competent national supervisory authority.

Where there is no specific legal requirement, Personal Data will be retained only for as long as is strictly necessary to fulfil the purposes for which it is intended. The period for which the data is retained depends on the purpose for which the information is processed.

The data subject may contact us regarding questions about CP’s application of the General Data Protection Regulation via the website’s Customer Information/Contacts page, by email at protecaodado@cp.pt, or by post to the Data Protection Officer, CP- Comboios de Portugal, Calçada do Duque, 20, 1249-109, Lisbon, Portugal.

To ensure the document remains up to date, CP may amend this Privacy Policy at any time without prior notice and with immediate effect. These changes will be duly publicised on the website and at ticket offices and, if necessary, renewed acknowledgement and consent will be requested.

This Privacy Policy was updated on 20 April 2026.