Last updated: 22 May 2026
This Privacy Policy describes how AETERNA GRAND TOUR – Società a responsabilità limitata processes the personal data of users who visit the website aeternagrandtour.it, purchase tourism services, fill in contact forms, make bookings, or interact with the online services offered through the website.
This Privacy Policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679, the “GDPR”.
1. Data Controller
The Data Controller is:
AETERNA GRAND TOUR – Società a responsabilità limitata
Registered office: Via Portuense 956, 00148 Rome (RM), Italy
Tax Code and VAT Number: 18546271000
REA Number: RM – 1791535
Certified email / PEC: aeternagrandtour@legalmail.it
Email: aeternagrandtour@gmail.com
Legal representative: Petrillo Ernesto
For any request concerning the processing of personal data, users may contact the Data Controller at aeternagrandtour@gmail.com or by certified email / PEC at aeternagrandtour@legalmail.it.
2. Categories of personal data processed
The website may collect and process different categories of personal data, depending on how the user interacts with the website.
Browsing data
While browsing the website, technical data necessary for the operation of the website may be collected, such as IP address, browser type, operating system, pages visited, date and time of access, technical identifiers of the device, and other data automatically transmitted by IT systems.
These data are used to ensure the proper functioning of the website, guarantee system security, prevent abuse or fraudulent activities, and obtain aggregated technical statistics.
Data provided through contact forms
When users fill in a contact form, the website may collect data such as name, surname, email address, telephone number, message content, and any additional data voluntarily entered by the user.
Data relating to purchases and bookings
When users place an order or make a booking through the website, the following data may be processed: name, surname, email address, telephone number, billing address, order details, product or tour purchased, selected date, selected time, any pickup request, number of participants, order notes, and any information necessary to manage the requested tourism service.
The website uses WooCommerce or similar tools to manage orders and bookings. The data provided during checkout are necessary to process the purchase, manage payment, issue tax documents, communicate with the customer, and organise the purchased tourism service.
Payment data
Payments may be processed through third-party providers, including PayPal, Stripe, and Nexi.
The Data Controller does not directly store full payment card details. These data are processed by the relevant payment service providers according to their own privacy policies and contractual terms.
The Data Controller may retain technical or transaction-related information, such as transaction ID, payment result, payment method used, amount paid, and order status, within the limits necessary to manage the purchase, accounting, refunds, or disputes.
Data relating to special requests
In some cases, users may voluntarily provide information relating to specific needs, such as food intolerances, allergies, accessibility requirements, reduced mobility, or other information useful for organising the tour.
Such data are processed exclusively to properly manage the user’s request and provide the service in the most appropriate way. If such information falls within special categories of personal data under Article 9 GDPR, it will be processed only within the necessary limits and, where required, on the basis of the explicit consent of the data subject.
Data for newsletters and promotional communications
If users subscribe to the newsletter or consent to receive promotional communications, the website may process their name, email address, and contact preferences.
Subscription to the newsletter is optional, and users may withdraw their consent at any time through the unsubscribe link included in the communications received or by contacting the Data Controller.
Data contained in reviews, comments, or public communications
If the website allows users to leave reviews, comments, or ratings, the following data may be processed: the name provided by the user, the content of the review, the rating given, the publication date, and any associated technical data.
Users are invited not to include unnecessary personal data, third-party data, or sensitive information in reviews.
3. Purposes of processing and legal bases
Personal data are processed for the following purposes.
Website browsing and technical operation
Technical and browsing data are processed to ensure the proper functioning of the website, guarantee security, and prevent fraud, cyberattacks, or improper use of the services.
The legal basis is the legitimate interest of the Data Controller in ensuring the security and proper operation of the website.
Management of contact requests
Data sent through forms, email, telephone, or other contact channels are processed to respond to users’ requests, provide information about services, and manage quotes, assistance, and pre-contractual communications.
The legal basis is the performance of pre-contractual measures or the legitimate interest of the Data Controller in responding to received requests.
Management of orders, bookings, and tourism services
Data provided during purchase or booking are processed to manage the order, confirm the booking, organise the tour, communicate with the customer, and manage any changes, cancellations, assistance, or requests related to the purchased service.
The legal basis is the performance of a contract to which the data subject is party.
Payment management
Payment-related data are processed to collect payment for purchased services, verify transaction results, prevent fraud, and manage refunds or disputes.
The legal basis is the performance of a contract and, where applicable, compliance with legal obligations.
Tax, accounting, and administrative obligations
Data relating to orders, invoicing, and payments are processed to comply with tax, accounting, administrative, and civil law obligations.
The legal basis is compliance with legal obligations to which the Data Controller is subject.
Operational communications relating to the service
The Data Controller may use users’ contact details to send communications strictly related to the order or booking, such as confirmations, reminders, meeting point information, organisational changes, service updates, payment communications, cancellations, or refunds.
These communications are not promotional in nature and are necessary for the performance of the contract.
Promotional communications and newsletters
Contact details may be processed to send newsletters, promotions, offers, tour updates, commercial initiatives, and marketing communications.
The legal basis is the consent of the data subject, which may be withdrawn at any time.
Protection of the Data Controller’s rights
Data may be processed to establish, exercise, or defend a legal claim, either in court or out of court, and to manage complaints, disputes, refund requests, controversies, or abuse.
The legal basis is the legitimate interest of the Data Controller in protecting its rights.
Statistical analysis and website improvement
The website may use statistical analysis tools to understand how the website is used and to improve content, products, purchase paths, and technical performance.
Where such tools involve the use of cookies or non-technical tracking technologies, processing takes place on the basis of the user’s consent, as described in the Cookie section.
4. Processing methods
Personal data are processed using IT, electronic, and, where necessary, paper-based tools, in accordance with the principles of lawfulness, fairness, transparency, data minimisation, accuracy, integrity, and confidentiality.
The Data Controller adopts appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, disclosure, alteration, or misuse.
Access to personal data is limited to authorised persons who actually need such data to perform their duties or provide the requested services.
5. Hosting and technical infrastructure
The website aeternagrandtour.it is hosted on OVH Cloud infrastructure.
The hosting provider may process technical and browsing data, including system logs, IP addresses, and information necessary for the technical operation of the website, infrastructure security, and proper provision of web services.
Such data are processed within the limits necessary for the provision of hosting, maintenance, security, and operational continuity services.
6. Provision of data
The provision of data necessary for the technical browsing of the website is essential to allow access to and use of the website.
The provision of data required for purchases, bookings, and payments is necessary to conclude and manage the contract. Without such data, it will not be possible to complete the order or provide the requested service.
The provision of data for marketing, newsletter, reviews, or promotional communications is optional. Failure to provide such data does not prevent the purchase of services.
7. Recipients of personal data
Personal data may be disclosed, within the necessary limits, to the following categories of recipients:
providers of hosting, technical maintenance, IT security, and website management services, including OVH Cloud;
providers of e-commerce platforms, plugins, booking systems, and technical tools connected to the website;
payment gateways and parties involved in transaction management, including PayPal, Stripe, and Nexi;
banks, financial institutions, and payment intermediaries;
tax consultants, accountants, legal consultants, and other appointed professionals;
providers of email, newsletter, CRM, customer support, and operational communication services;
collaborators, guides, tour operators, drivers, transport providers, or partners necessary for organising the tour or purchased service;
companies or parties responsible for accounting, administrative, or tax management;
public authorities, competent bodies, law enforcement agencies, or parties legally entitled to receive the data where required by law.
Parties processing data on behalf of the Data Controller are appointed, where necessary, as Data Processors pursuant to Article 28 GDPR.
8. Transfer of data outside the European Economic Area
Some technical providers used by the website, including payment, hosting, newsletter, analytics, email marketing, anti-spam, or advertising services, may process personal data outside the European Economic Area.
In such cases, the transfer will take place in compliance with the safeguards provided by the GDPR, including adequacy decisions of the European Commission, Standard Contractual Clauses, or other suitable measures provided by applicable law.
The updated list of providers actually used may be requested by contacting the Data Controller.
9. Data retention period
Personal data are retained for the time necessary to achieve the purposes for which they were collected and, thereafter, for the period required by applicable law or necessary to protect the rights of the Data Controller.
In particular:
data relating to orders, payments, invoicing, and accounting documentation are retained for the period required by applicable tax and civil law;
data relating to contact requests are retained for the time necessary to manage the request and, as a rule, for no longer than 24 months, unless further retention is necessary in connection with contractual relationships or disputes;
data relating to customer accounts are retained until account deletion is requested, subject to legal retention obligations;
data processed for marketing purposes are retained until consent is withdrawn or deletion is requested;
technical and security logs are retained for the time necessary to ensure website security and prevent abuse, generally for a period between 6 and 12 months, unless further retention is necessary to investigate unlawful activities;
data contained in cookies are retained according to the durations indicated in the Cookie Policy or in the consent management panel.
10. Customer account
If the website allows the creation of an account, users may register by entering the required data. The account allows users to view orders, bookings, billing details, addresses, and other information connected to the use of the website.
Users are responsible for keeping their login credentials confidential and are encouraged to use strong passwords and not share them with third parties.
Users may request deletion of their account by contacting the Data Controller. Account deletion does not necessarily result in the deletion of data that the Data Controller is required to retain for tax, accounting, or legal obligations, or for the protection of its rights.
11. Orders and bookings through WooCommerce
During the purchase process, the website may collect and store information necessary to manage the order, including personal details, contact details, billing data, purchased products, tour date and time, selected options, pickup requests, order notes, payment method, payment status, and order history.
This information is used to process the order, send confirmations, manage operational communications, provide assistance, comply with tax and administrative obligations, and properly organise the purchased service.
12. Newsletter and marketing
The sending of promotional communications, newsletters, offers, and commercial updates takes place only with the user’s prior consent, except in cases permitted by applicable law.
Users may withdraw their consent at any time by using the unsubscribe link included in the emails received or by contacting the Data Controller.
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
13. Photos, videos, and promotional content
During tours or events, images or videos may be taken for organisational, documentary, or promotional purposes only where this is communicated to the data subjects and, where necessary, subject to consent.
The Data Controller will not use recognisable images of users for promotional, advertising, or social media purposes without an appropriate legal basis and, where required, without the consent of the data subject.
14. Minors
The services offered through the website are not intended to be used independently by persons under the age of 18.
Any bookings involving minors must be made by parents, guardians, or authorised persons. The Data Controller invites users not to provide personal data of minors unless strictly necessary for the management of the purchased service.
15. Cookies and tracking technologies
The website uses cookies and similar technologies to ensure the proper functioning of pages, manage the cart, maintain the user session, remember preferences, and, subject to consent, carry out statistics or marketing activities.
Cookies may be divided into:
technical cookies, necessary for the operation of the website and the provision of services requested by the user;
functional cookies, useful for remembering preferences and improving the browsing experience;
analytics cookies, used to collect statistics on website usage;
profiling or marketing cookies, used to display personalised content or advertisements, where present.
Technical cookies do not require the user’s consent. Non-anonymised analytics cookies, profiling cookies, or marketing cookies are installed only with the user’s prior consent.
The website may use a dedicated cookie consent management plugin, through which users can accept, reject, or modify their preferences regarding cookies and tracking tools.
When WooCommerce is used, technical cookies necessary for managing the cart, user session, and checkout may be installed, for example cookies relating to cart items, user session, and order status.
A detailed description of the cookies actually used by the website, including duration, purposes, and third parties involved, is available in the Cookie Policy generated or managed through the dedicated plugin installed on the website.
16. Plugins, third-party services, and integrated tools
The website may integrate third-party services, such as payment systems, maps, embedded videos, analytics, advertising tools, social networks, anti-spam systems, newsletters, CRM, chat systems, or contact forms.
These services may collect personal data according to their respective privacy policies. The use of third-party services that are not technically necessary for the operation of the website takes place, where required, subject to the user’s consent.
Services that may be used include, by way of example:
WordPress and WooCommerce for website and order management;
OVH Cloud for hosting and technical infrastructure;
PayPal, Stripe, and Nexi for payment processing;
email or SMTP services for sending automatic communications;
analytics services, where installed;
advertising services or tracking tools, where installed;
anti-spam and security services;
plugins for date pickers, product options, bookings, and checkout management;
plugins for managing the Cookie Policy and cookie consent.
The actual list of active services and cookies is managed through the technical tools installed on the website and, where applicable, through the consent management panel.
17. Rights of the data subject
Users, as data subjects, may exercise the rights provided by Articles 15 and following of the GDPR.
In particular, users have the right to:
obtain confirmation as to whether or not personal data concerning them are being processed;
access their personal data;
request rectification of inaccurate data or completion of incomplete data;
request deletion of data, in the cases provided by law;
request restriction of processing;
object to processing, in the cases provided by law;
receive their data in a structured, commonly used, machine-readable format, where applicable;
withdraw consent given, without affecting the lawfulness of processing based on consent before its withdrawal;
lodge a complaint with the competent Data Protection Authority.
Requests may be sent to the Data Controller by email at aeternagrandtour@gmail.com or by certified email / PEC at aeternagrandtour@legalmail.it.
The Data Controller will respond to requests within the time limits provided by applicable law.
18. Complaint to the Supervisory Authority
Users who believe that the processing of their personal data is carried out in breach of the GDPR have the right to lodge a complaint with the Italian Data Protection Authority, according to the procedures indicated on the Authority’s official website.
The right to bring proceedings before the competent judicial authority remains unaffected.
19. Data security
The Data Controller adopts technical and organisational security measures appropriate to the risk, in order to protect the personal data processed.
Such measures may include, by way of example, HTTPS-protected connections, confidential credentials, periodic updates of CMS and plugins, anti-spam systems, backups, access restrictions, control of authorised users, and server-side protection measures.
Users are invited to contribute to the security of their data by using strong passwords, avoiding sharing login credentials, and promptly reporting any unauthorised use of their account.
20. Changes to this Privacy Policy
The Data Controller reserves the right to amend or update this Privacy Policy at any time, including as a result of regulatory, technical, organisational, or service-related changes.
The updated version will be published on this page with an indication of the date of the latest update.
