Vai al contenuto principale
Italiano

Privacy Policy

Last updated: 2026-04-19

1. Data Controller

The Data Controller is TouraCore S.r.l., with registered office at Via Example 1, 20100 Milano, Italia.

Contact: info@touracore.com Data Protection Officer (DPO): dpo@touracore.com

2. Categories of personal data

We collect and process the following personal data:

  • Registration data: first name, last name, email, hashed password.
  • Usage data: IP address, user agent, visited pages, timestamps.
  • Booking data: guest names, dates, preferences, ID documents when legally required.
  • Payment data: tokenised via Stripe, we do not store card numbers.
  • Cookies and similar technologies: see Cookie Policy.

3. Purposes of processing

Data is processed for:

  1. Contract performance (Art. 6(1)(b) GDPR): providing the booking service.
  2. Legal obligations (Art. 6(1)(c) GDPR): invoicing, AML, guest registration, SDI, tourist tax.
  3. Legitimate interest (Art. 6(1)(f) GDPR): security, fraud prevention, aggregate analytics.
  4. Consent (Art. 6(1)(a) GDPR): marketing, newsletter, non-essential cookies.

4. Legal basis

Each processing activity is based on at least one of the bases listed in section 3.

5. Retention period

Category Retention
Active account Until deletion
Deleted account 30-day soft delete, then hard delete
Invoices and fiscal documents 10 years (Italian DPR 917/1986)
Security logs 12 months
Backups 90 days

6. Recipients

Data may be shared with:

  • Sub-processors: see full list.
  • Public authorities: upon legitimate request.
  • Commercial partners: only with explicit consent.

No transfer outside EEA without Standard Contractual Clauses (SCC).

7. Data subject rights

Under GDPR Arts. 15-22, you have the right to:

  • Access your data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Portability in structured format (JSON)
  • Object to processing
  • Withdraw consent at any time

Exercise these rights from /account/privacy or writing to dpo@touracore.com.

You have the right to lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it).

8. Security

We adopt appropriate technical and organisational measures: AES-256-GCM encryption at-rest, TLS 1.3 in-transit, database-level RLS, append-only audit log, available MFA, annual penetration testing.

9. Minors

The service is not intended for users under 16. Parental consent is required for minors.

10. Changes

Updates to this policy are notified via email to registered users and via site banner. The current version is available at /legal/privacy.

Template version: cc84ab43f7f1ba60