Privacy Policy

**Last updated**: 12 May 2026

This Privacy Policy describes how tripstorome.com processes the personal data of users who visit the website or purchase our services, in compliance with EU Regulation 2016/679 (GDPR) and the Italian Personal Data Protection Code (Legislative Decree 196/2003 as amended by Legislative Decree 101/2018).

We believe in transparency: we explain clearly which data we collect, why we collect it, and what you can do to control it.

---

## 1. Data Controller

The data controller is:

**Trip to Italy srl**

Registered office: Via Alessandria 125, 00198 Rome, Italy

VAT: IT17026691000

Email: info@tripstorome.com

WhatsApp: +39 320 112 6777

For any questions regarding the processing of your data or to exercise your rights, you can contact us at the addresses above.

---

## 2. Data security

The security of your data is a priority for us. We have adopted appropriate technical and organizational measures to ensure compliance with data protection regulations, including:

- Encryption of communications (HTTPS site-wide)

- Data access limited to authorized and trained personnel

- Protection systems against unauthorized access

- Periodic backups and disaster recovery procedures

Despite these measures, we point out that data transmission over the Internet (particularly via email) can present intrinsic vulnerabilities. It is not technically possible to completely protect data against any third-party access.

---

## 3. Data collection during browsing

Our web pages can be visited **anonymously**, without providing personal information.

However, for technical reasons, during the connection between your browser and our server, some information is temporarily recorded:

- Visited domain

- Operating system used

- Browser used (version and type)

- Date and time of visit

- URL of the previous page (referrer)

- Access status (file transferred, file not found, etc.)

- IP address of the requesting computer

- Amount of data transferred

This data is used exclusively for statistical purposes, service improvement and system security. **Within 7 days at most** from collection, the IP address is anonymized (truncated to domain level) so that the individual user can no longer be identified.

**Legal basis**: legitimate interest in the secure operation of the website (Art. 6.1.f GDPR).

---

## 4. Types of personal data processed

When you actively interact with the site (registration, order, contact), we may collect:

### 4.1 Registration and contact data

- First and last name

- Email

- Phone number

- Address

- Date of birth (if required for certain services)

- Username and password (for registered accounts)

### 4.2 Order data

- Order history

- Services purchased (tickets, tours, transfers, etc.)

- Number of passengers and travel data

- Any special needs declared (e.g. reduced mobility)

### 4.3 Payment data

Payment data (credit card number, PayPal data) **is not stored on our servers**. It is handled directly by payment providers (see section 7) via encrypted connection.

### 4.4 Communications

- Text of emails you send us

- WhatsApp messages exchanged with our team

- Requests via contact form

### 4.5 Reviews

Any content you publish as post-purchase reviews (see section 11).

---

## 5. Purposes of processing and legal basis

Your data is processed for the following purposes:

### 5.1 Contract performance (Art. 6.1.b GDPR)

- Order management and voucher generation

- Communications related to the purchase (confirmation, pickup, any changes)

- Delivery of the purchased service (tickets, tours, transfers)

- Pre- and post-sales assistance

### 5.2 Legal obligations (Art. 6.1.c GDPR)

- Invoicing and tax compliance

- Retention of accounting documents for the period required by Italian law (10 years)

- Response to requests from competent authorities

### 5.3 Legitimate interest (Art. 6.1.f GDPR)

- IT security and fraud prevention

- Aggregated statistical analysis to improve services

- Response to disputes or complaints

- Anonymized shopping experience personalization

### 5.4 Consent (Art. 6.1.a GDPR)

- Sending newsletters and promotional communications

- Profiling and marketing cookies (see Cookie Policy)

- Any additional processing specified at the time of collection

**Consent can be withdrawn at any time** by emailing the address indicated in section 1. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal itself.

---

## 6. Personalization

Customer information helps us personalize your shopping experience on Trips to Rome and improve it over time. **We do not sell this data to third parties**.

When you place your first order or use functions requiring registration, your data is saved to create a customer account, in order to simplify your future purchases. You can view and modify your account data at any time after logging in.

**Account deletion**: you can request account deletion by sending a request to info@tripstorome.com. We will proceed within 30 days, subject to legal retention obligations (e.g. invoicing).

To prevent abuse, we reserve the right to record your IP address during the registration or purchase process.

---

## 7. Payment processing

Payments for purchased services are managed by specialized payment providers. **Trip to Italy srl does not store credit card data on its servers**. During the payment process, you will be informed of the specific privacy policies of the chosen provider and asked to accept them.

### 7.1 Credit card payments

Credit card transactions are processed through **[INSERT ACTIVE PROVIDER: Stripe / Nexi / other]**.

Data transmitted includes: card number, amount, transaction date. Such data is kept exclusively for the time necessary to manage the payment and any disputes or chargebacks (generally no longer than 13 months).

### 7.2 PayPal

For PayPal payments, payment data is transmitted to **PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg**. PayPal's privacy terms apply: https://www.paypal.com/en/legalhub/privacy-full

**Legal basis**: Art. 6.1.b GDPR (contract performance) + Art. 6.1.f GDPR (legitimate interest in fraud prevention).

### 7.3 Other payment methods

[Any other active payment methods should be listed here — to be verified with Persona B/A current PrestaShop payment modules configuration]

---

## 8. Cookies

The site uses technical, preference, analytical and (with consent) marketing cookies. For detailed information on the cookies used, their purposes and how to manage consent, please consult our **[Cookie Policy](/en/cookie-policy)**.

On your first access to the site, you are presented with a cookie banner that allows you to accept, reject or customize your choices. You can change your preferences at any time via the "Cookie management" link in the footer.

---

## 9. Analytics and tracking tools

### 9.1 Google Analytics (with IP anonymization)

The site uses Google Analytics 4, a web analytics service provided by **Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland**.

Google Analytics collects browsing data in **anonymized form** (IP anonymization active, data sharing disabled). Information collected includes: pages visited, visit duration, device used, traffic source.

Information is transmitted to Google servers. Google operates data transfers to the USA based on **Standard Contractual Clauses (SCC) of the EU Commission and the EU-US Data Privacy Framework (operational since 10 July 2023)**.

**Legal basis**: Art. 6.1.a GDPR (consent given via cookie banner).

**To disable Google Analytics**: download the browser plugin available at https://tools.google.com/dlpage/gaoptout

### 9.2 Other tools

[To be completed based on tools actually active: Hotjar, Microsoft Clarity, Facebook Pixel, Google Ads, etc.]

---

## 10. Newsletter

If you wish to receive the Trips to Rome newsletter, we ask for:

- Your email address

- Confirmation that you are the owner of the email (double opt-in)

We also retain the IP address used for registration, date and time of registration, to prevent any abuse.

**Provider used**: [INSERT: MailChimp / Brevo / Sendinblue / Mailgun / other — verify current configuration]

The data is used exclusively to send you the requested communications. **It is not transferred to third parties**.

You can unsubscribe from the newsletter at any time via the link in each email or by writing to info@tripstorome.com.

---

## 11. Post-purchase reviews

After completing an order, you may receive an invitation to leave a review of the purchased service. The review is optional.

Reviews published on the site are **public content** and include: name (or initials upon your request), date of visit, rating, review text. Not published: email, order number, phone, address.

You can request the removal of one of your reviews at any time by writing to info@tripstorome.com.

---

## 12. Contact form

When you send us requests via the contact form, we collect: name, email, subject and message text. This information is used to respond to your request and for any follow-ups.

**Legal basis**: Art. 6.1.b GDPR (pre-contractual request) and Art. 6.1.f GDPR (legitimate interest in responding to your request).

Data will be deleted after the communication has concluded, subject to legal retention obligations.

---

## 13. Data communication and transfer

Your data may be communicated to:

### 13.1 Internal parties

- Authorized and trained Trip to Italy srl staff (Termini, Santa Maria Maggiore, Fiumicino T1 offices)

### 13.2 Third parties (data processors)

- **Hosting providers**: for technical site management

- **Payment providers**: PayPal, [Stripe/Nexi/other] for transaction management

- **Email providers**: for sending transactional communications and newsletters

- **Analytics providers**: Google Analytics 4 in anonymized mode

- **Tourist service providers**: limited to data necessary to deliver the purchased service (e.g. name for Colosseum entry, passenger manifest for transfers)

- **Professional consultants**: accountants, lawyers, when necessary

- **Competent authorities**: in case of legally founded request

### 13.3 Extra-EU transfers

Some technology providers (e.g. Google Analytics) may involve data transfer outside the European Economic Area.

**In such cases we ensure that the transfer takes place on one of the following legal bases**:

- **Adequacy decisions** by the EU Commission for the destination country

- **Standard Contractual Clauses (SCC)** approved by the EU Commission (Decision 2021/914)

- **EU-US Data Privacy Framework** (for adhering US providers, operational since 10 July 2023)

- **Other adequate guarantees** provided by the GDPR (Art. 46-49)

**Important**: this document no longer refers to the "Privacy Shield" as it was **invalidated by the EU Court of Justice with the Schrems II judgment of 16 July 2020**.

---

## 14. Data retention period

Data is retained for the time strictly necessary for the purposes for which it was collected:

| Data type | Retention period |

|---|---|

| Order and invoicing data | 10 years (Italian tax obligation) |

| User account data | Until user-requested deletion or prolonged inactivity (24 months) |

| Customer support/contact data | 24 months from communication conclusion |

| Newsletter data | Until consent withdrawal |

| Browsing data and logs | Maximum 12 months (IP anonymized after 7 days) |

| Published reviews | Indefinite time (public content) |

| Payment data (at provider) | Maximum 13 months (chargeback management) |

After these periods, data is deleted or anonymized.

---

## 15. Your rights

In compliance with the GDPR, you have the right to:

- **Access your data** (Art. 15 GDPR) and obtain a copy

- **Rectify** inaccurate or incomplete data (Art. 16)

- **Erase** your data ("right to be forgotten") in the cases provided (Art. 17)

- **Restrict processing** in certain circumstances (Art. 18)

- **Data portability**: receive your data in structured format or transfer it to another controller (Art. 20)

- **Object to processing** for legitimate reasons (Art. 21)

- **Withdraw consent** at any time (for processing based on consent)

To exercise these rights, contact us at: **info@tripstorome.com**

We will respond within **30 days** of the request (extendable to 60 in complex cases, with prior notice).

### 15.1 Complaint to the Supervisory Authority

If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the **Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)**:

- Website: https://www.garanteprivacy.it/

- Email: protocollo@gpdp.it

- Address: Piazza Venezia 11, 00187 Rome

If you reside in another EU country, you may also lodge a complaint with the supervisory authority of your country.

---

## 16. Minors

Our service **is not intended for minors under 16 years of age**. We do not knowingly collect data from minors under 16 without parental consent or that of those exercising parental authority.

If we become aware of a case of processing of a minor's data without adequate consent, please contact us immediately: we will proceed with deletion.

---

## 17. Links to third-party websites

The tripstorome.com website may contain links to third-party websites (e.g. payment providers, social networks, tourist providers). **Trip to Italy srl is not responsible for the privacy policies of such sites**. We invite you to read each site's policy before providing your data.

---

## 18. Changes to the Privacy Policy

We may update this Privacy Policy over time to adapt to regulatory changes, new services offered or feedback received.

The updated version will always be available on this page, with the date of last update indicated. **In case of substantial changes, we will inform you by email or visible notice on the website**.

We recommend you consult this page regularly.

---

## 19. Contacts

For any questions regarding the processing of your personal data or to exercise your rights:

**Trip to Italy srl**

Registered office: Via Alessandria 125, 00198 Rome, Italy

VAT: IT17026691000

Email: info@tripstorome.com

WhatsApp: +39 320 112 6777

Cookie	Provider	Finalità	Scadenza
`cart`	PrestaShop	Cart state during navigation.	Session
`optcp_anon`	Optimus Cookie Pro	Anonymous session identifier for CSRF validation of the cookie banner.	1 year
`optcp_consent`	Optimus Cookie Pro	Stores the user cookie consent preferences.	1 year
`PHPSESSID`	PHP / Server	Server session identifier. Necessary for site operation.	Session
`PrestaShop-*`	PrestaShop	PrestaShop user session (cart, language, currency, login).	480 days

Cookie	Provider	Finalità	Scadenza
`_clck`	Microsoft Clarity	Microsoft Clarity: persistent user ID for analytics and heatmaps.	1 year
`_clsk`	Microsoft Clarity	Microsoft Clarity: single session identifier for replay.	24 hours
`_ga`	Google Analytics	Google Analytics 4 unique ID cookie used to distinguish users.	2 years
`_ga_*`	Google Analytics	Property-specific GA4 session cookie (e.g. _ga_XXXXXXXX).	2 years
`_gid`	Google Analytics	Used by Google Analytics to identify the user in the last 24h.	24 hours
`_hjSessionUser_*`	Hotjar	Hotjar unique identifier for user session analysis (heatmaps, recordings).	1 year

Cookie	Provider	Finalità	Scadenza
`_fbc`	Facebook (Meta) Pixel	Facebook Pixel: click ID from Meta ads (fbclid).	90 days
`_fbp`	Facebook (Meta) Pixel	Facebook Pixel: identifies the browser for remarketing and Meta campaign optimization.	90 days
`_gac_*`	Google Ads	Google Ads: campaign information for analytics import.	90 days
`_gcl_au`	Google Ads	Google Ads conversion linker: associates visits with ad campaigns.	90 days
`_gcl_aw`	Google Ads	Google Ads: conversion measurement from ad clicks.	90 days

Privacy Policy

OUR 3 LOCATIONS

Explore

SUPPORT

Legal

FOLLOW US