Privacy Policy

This privacy policy outlines how Tourist Point srl uses and processes your personal data when you use the services of Tourist Point srl, such as through our website. It also informs you of your rights concerning your personal data and how to contact us.

If you reside in the United States, please refer to the section titled “Rights of U.S. Residents” to understand your specific rights. Additionally, you can review our supplementary CCPA information.

1- Data Controller and Contact Information

The Data Controller for the Users’ personal data in accordance with the GDPR is:

Controller: Tourist Point srl
Address: Corso Vercelli 11 – Milano
Contact: touristpointsrl@pec.it

The Data Controller has appointed a Data Protection Manager, who is the User’s point of contact for all information and requests relating to data protection and can be reached at the email address: dpo@gruppomilanocard.it.

Note: Any data processing by any service providers that offer/promote their services on the platform of Tourist Point srl is subject to their respective privacy policies. These service providers act independently as data controllers.

1.2. Reasons Behind This Document and Target Audience

The Data Controller, consistent with its mission and values, commits to respecting the identity and dignity of every human being and the fundamental freedoms guaranteed by the Constitution with regard to the processing of personal data and the free flow of such data. The company will continually maintain this commitment within the scope of the principle of accountability by implementing adequate technical and organizational measures and suitable policies to ensure and demonstrate that processing is carried out in compliance with the GDPR. This document is addressed to the Users of the Site. Access to some sections of the Site and/or requests for information or services by Users may require the entry of personal data relating to natural persons (“Personal Data”), which will be processed in compliance with the GDPR. For the use of specific services on the Site, Users will be informed through this document, and where necessary, specific consent will be requested for the processing of personal data. This document applies solely to the Site and not to other websites that Users may visit via links possibly referred to on this Site.

2- Automated Data Collection

When you visit our websites or mobile apps, we automatically collect certain information. The following data are saved separately from any other information that you may transmit to us:

URL of the accessed page
Geographic area
Date and time
Information about your computer’s hardware and software (such as the operating system, the Internet browser used, software or application version data, and language settings).
Information on clicks and which pages were shown to you.

We store this data for the following purposes:

To ensure the security of our IT systems, that is, to defend against specific attacks on our systems and to recognize patterns of attack;
To ensure the proper operation of our IT systems, e.g., where errors occur that we can only rectify by saving the IP address;
To allow for criminal prosecution, danger prevention, or legal action in case of specific indications of criminal activity.

Your IP address is encrypted to ensure confidentiality and is accessible only when absolutely necessary. It is kept for a period of 45 days. If you use a mobile device, we collect data that identifies the device, as well as data on the settings and specific features of the device. In this case, the processing will be carried out to ensure security in accordance with Article 32 of the GDPR, as well as based on our legitimate interest in protecting ourselves from abuse of our service (Article 6(1)(f) GDPR).

3- Customer Service

3.1 Processing of Requests If you contact our customer service team or contact us through other means such as our social media channels, your request is always processed by us.

3.2 Improvement of Customer Service In order to continuously improve our customer service, we analyze the requests sent to us based on certain parameters and keywords. Although, as a basic principle, no analysis is carried out based on personal data, it is not possible to exclude that, in individual cases, personal data may also be processed within this context. The necessary processing in this context serves our legitimate interest and that of our customers in the continuous improvement of our customer service (Article 6(1)(f) GDPR).

3.3 Translations In some cases, it is necessary to translate incoming requests into a specific language. This may require the processing of personal data necessary to protect our legitimate interest in providing international customer service, Article 6(1)(f) GDPR. To this end, we use the services of OpenAI, Inc.: https://openai.com/security-and-privacy/. The adequacy decision of the EU Commission – adopted on July 23, 2023, pursuant to Article 45, paragraph 3 of the GDPR, and concerning the EU-US Data Privacy Framework (DPF) for the transfer of personal data from the European Union to the United States – ensures “an adequate level of protection” and establishes a legal basis for the transfer of personal data from the EU to U.S. companies participating in the Data Privacy Framework.

4- Technical Service Providers

We use hosting and some of the services required for the website from technical service providers. Therefore, data processing takes place on the servers of these service providers. These service providers process data only in accordance with our explicit instructions and are required to ensure sufficient technical and organizational measures to protect data. Consequently, our service providers act for us as data processors, under Article 28 GDPR. For hosting our website, we use the services of Aruba Business, based in Italy. Thus, when the user interacts with our website or provides personal data, these are processed on Aruba Business servers. We use only servers located within the European Union.

4.2. Email System For sending emails, we use the service of Aruba Business (“AB”), based in Italy.

5- Communications

The user has the option to register on our website to receive our communications. With our newsletter, we will send the user information about offers or special promotions that is as personalized as possible. By registering for our newsletter, the user therefore consents to the processing of his email address for the purpose of sending the newsletter. The legal basis for such processing is Article 6(1)(a) GDPR. The user may revoke his consent at any time by unsubscribing from our newsletter. To do this, the user can use the unsubscribe link contained in each email or send us a message at the email address privacy@milanocard.it. When the user registers to receive our communications, we save the IP address, date, and time of registration. The processing of such data is necessary to be able to prove the provision of such consent. The legal basis derives from our legal obligation to prove the user’s consent (Article 6(1)(c), jointly with Article 7(1) GDPR). If the user has purchased a service through our website, we will send our newsletter based on our legitimate interest in promoting similar services for bookings or the user’s account (Article 6(1)(f) GDPR), unless the user has objected to such use. If cookies are used for the personalization of the newsletter, we will ask for the user’s consent separately. The user may object to this at any time by clicking on the unsubscribe link in the respective emails. For sending our communications and personalizing the content, we use the services of the provider TEAMSYSTEM SpA MAILUP, based in Italy (“MAILUP”).

6- Bookings and Payments

6.1 Bookings When the user books one of our services on our website, we collect the data necessary to perform the service. This generally includes the following information: full name, email address, number of participants, date and time of use of the service. Depending on the type of service booked, it may be necessary for us to collect additional information, such as the age of the participants. The processing that takes place in relation to this is based on Article 6(1)(b) GDPR. To the extent necessary, we will transfer the user’s data to the provider responsible for the service or activity, who will process the personal data as indicated in their own privacy policy as an independent data controller. Where it is necessary to transfer data outside the European Economic Area, this is based on Article 49(2)(b), (c) GDPR.

6.2 Booking Confirmations In order to keep the user updated regarding his bookings, we will send booking confirmations, as well as reminders and updates for scheduled bookings (for example, changes to times or meeting points) to ensure that he has all the necessary information to participate in the booked services. Booking confirmations are sent to the user’s email address and/or via SMS to the phone number provided by the user during the booking process and/or through push notifications from the Tourist Point srl app. In the event that the user has an account, he can choose in more detail how to receive notifications via the “Settings” -> “Notifications” section of his profile. We process personal data in order to provide the user with such features of our service (Article 6(1)(b) GDPR).

6.3 Payments The user has various options for paying for the booking. Therefore, we process the necessary data in each case, depending on the selected payment method. In this context, the user’s personal data will be processed as described below, based on Article 6(1)(b) GDPR and it will be necessary to process them in order to perform the selected payment method.

6.3.1 Payments with Credit Card For processing payments with credit cards, we use the service provider Nexi SpA (“Nexi”), based in Italy. The data provided during the user’s payment will be forwarded by Nexi to the respective banks or financial institutions for the purpose of processing the payment. In case of credit card payments, we only receive information about the payment made or not made, along with the first and the last 4 digits of the credit card number. Therefore, we will not be aware of the full credit card number of the user.

7- Fraud Prevention

In order to protect ourselves and activity providers from fraudulent bookings, we evaluate the information provided by our customers during the booking process, including data technically transmitted by their device, to the extent necessary to protect our legitimate interest and that of activity providers in reliable bookings (Article 6(1)(f) GDPR). For this purpose, we use the services of NEXI SpA, based in Italy. Therefore, we have concluded the standard contractual clauses approved by the EU Commission with NEXI SpA under Article 46(2)(c) GDPR.

8- Protection Against Bots

To protect ourselves from bots and similar technologies, a WAF is installed and configured on the server provided by Aruba Business. Aruba Business will use the data automatically transmitted by the user’s device to determine whether the request likely comes from a human being. No further data storage will take place. The processing will be carried out to ensure security in accordance with Article 32 of the GDPR, as well as based on our legitimate interest in protecting ourselves from the abuse of our service (Article 6(1)(f) GDPR).

9- Cookies and Other Online Tracking Technologies

We use so-called “cookies” and other online tracking technologies to offer certain functions of our website, optimize the use of our website and our apps, or to execute our marketing and advertising strategy. At the following link, you can find information about our use of cookies and your rights in this regard: https://app.legalblink.it/api/documents/637cf2b44ce275001b11200c/cookie-policy-en

10- Customer Research and Visitor Path Recordings

10.1 Customer Surveys At the end of the payment process, we make available to the user a survey form with some questions aimed at offering additional services and targeted to the needs of the customer.

10.2 Visitor Path Recordings We use the heat mapping services of Hotjar Ltd., Dragonara Business Centre, 5th floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta. The heat mapping services are used to display and record areas of a page where visitors most frequently move the mouse or click. This shows us where the points of interest are, for the purpose of improving our website and our services. Recording takes place only on certain pages and for a limited daily number of random visitor sessions. The recording is stored for a period of 365 days and then automatically deleted. We process this data based on consent. Hotjar honors general “Do Not Track” requests; if the user wants to exercise this right, they can access Hotjar’s opt-out information here.

11- Marketing and Remarketing Services

11.1 Google Services We use the services of Google Ireland Limited, Building Gordon House, 4 Barrow Street, Dublin D04 E5W5, Ireland (“Google”) as described below. Google may process some personal data in the United States through Google LLC certified under the EU-US data privacy framework, and Google Ireland Limited relies on this framework to transfer personal information originated in the EEA to the United States. Basic information on the processing of personal data by Google can be found here: https://policies.google.com/privacy?hl=en

The user has the following configuration options with Google: The user can disable personalized advertising from Google: https://adssettings.google.com/anonymous?hl=en&sig=ACi0TCie_PP0WXzD2NDiHGJny9ca0PSQVyMysggnxws0C7Hxy7edd8F9O3gyme7JNE3bplGpLmt8pU3iFPJYnpIHlEL7FSn5hXWg8EhEQAbCywX-v9nEW3M

The user can disable personalized advertising on a device-by-device basis: https://support.google.com/ads/answer/1660762?hl=en-GB#mob

The user can disable personalized advertising through the browser: http://optout.networkadvertising.org/?c=1

11.2.1 Matomo If the user has given his consent, we use Matomo, a web analytics service, in its On-Premises version installed on our servers. Matomo collects pseudonymous data on the use of our website, including the user’s truncated IP address, and uses cookies. This information is kept on our servers and not transmitted to third parties. We do not use the data for any type of profiling; they are collected anonymously through first-party cookies.

11.2.2. Google Ads Campaign Management If you have consented, we use Google’s advertising products. We use cookies and Client tags to record and share the usage behavior of the user on our website and our app, in order to display interest-based advertising for our products on other pages within the Google advertising network. This includes Google search, YouTube, and other sites managed by Google and its subsidiaries, as well as sites managed by Google’s advertising partners. The information, such as masked identifiers and browsing activity, is accordingly transmitted to Google and Google’s partners. Further processing of data will only take place if the user has given his consent to Google to link the browsing history to his Google account and use the information from his Google account to personalize the ads he sees on the web. The use of these devices is based on the user’s consent (Article 6(1)(a) GDPR).

11.3 Other Remarketing Services We carry out remarketing activities by email for customers who have completed or not completed a payment but who have given consent to privacy processing. The user who has not completed the payment will receive a maximum of 4 emails within 7 days following the purchase attempt. We use these services based on the user’s consent (Article 6(1)(a) GDPR). The user may revoke his consent at any time by sending us a message at privacy@milanocard.it or by unsubscribing from the newsletter by clicking on “Unsubscribe”. However, this will not affect the lawfulness of the processing carried out before the revocation of the consent.

12- CRM System

In order to manage our relationships with customers, we save the user’s personal data in our CRM system. This allows us to respond to any requests in a targeted manner and send the user relevant advertising to the extent permitted. The processing that takes place within this context is based on our legitimate interest in managing the relationship with our customers, Article 6(1)(f) GDPR.

13- Personalization of Website Content

We also process the user’s data to show him personalized content on our website. The legal basis in this regard is our legitimate interest in showing the user tours and activities relevant to him, Article 6(1)(f) GDPR.

14- Transmission of Data

In addition to the cases described, the user’s personal data will be transmitted without his explicit consent only in the following cases: where necessary to clarify unlawful use of our services or for legal actions, personal data will be forwarded to law enforcement agencies and, if necessary, to third parties affected. However, this only happens in the presence of specific indications of illegal or abusive behavior. A transfer could also take place if this serves to enforce terms of use or other agreements. We are also legally obliged to provide information on request to certain public authorities. These are law enforcement agencies, authorities that prosecute administrative offenses subject to fines, and tax authorities. These data are disclosed based on our legitimate interest in combating abuses, prosecuting crimes, and ensuring, asserting, and enforcing legal claims, unless the rights and interests of the user in the protection of personal data prevail, Article 6(1)(f) GDPR or based on a legal obligation under Article 6(1)(c) GDPR. We disclose personal data to auditors, accounting service providers, lawyers, banks, tax consultants, and similar bodies, where necessary for the provision of our services (Article 6(1)(b) GDPR) or the proper management of our business (Article 6(1)(f) GDPR) or where we are obliged to act this way (Article 6(1)(c) GDPR). We rely on contractually affiliated third-party companies and external service providers (“data processors”) for the provision of services. In such cases, personal data are transmitted to these data processors to enable them to continue processing. Such data processors are carefully selected and regularly reviewed by us to ensure the protection of the user’s rights and freedoms. The data processors may use the data only for the purposes specified by us and are contractually bound to process the user’s data only in accordance with this privacy policy and data protection laws.
The transfer of data to data processors takes place based on Article 28(1) GDPR. As part of the further development of our business, it may happen that the structure of Tourist Point srl changes following the modification of the legal form, the purchase or sale of subsidiaries, parts of the company, or components. In transactions of this type, customer information is transferred along with the part of the company concerned by the transfer. In case of disclosure of personal data to third parties as described above, we will ensure that this is done in accordance with this privacy policy and relevant data protection laws. Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form as necessary to the economic and legal circumstances (Article 6(1)(f) GDPR).

15- Individual Automatic Decisions or Profiling

We do not use automated processing for individual decision-making or profiling.

16- Deletion of User Data

We delete and anonymize the user’s personal data as soon as they are no longer necessary for the purposes for which they were collected or used, in accordance with the paragraphs above. We continue to retain the user’s data if we are obliged to do so for legal reasons or if the data are necessary for a longer period of time for criminal proceedings or to ensure, assert, or enforce legal claims. If data must be retained for legal reasons, processing will be limited. The data may no longer be used. The retention beyond the contractual relationship is based on our aforementioned legitimate interests, under Article 6(1)(f) GDPR.

17- The User’s Rights as a Data Subject

The user has the rights described below concerning the processing of his personal data. To exercise his rights, he may send a request here by mail or email. You can contact our data protection officer by sending an email to: dpo@gruppomilanocard.it.

17.1 Right of Access to Information The user has the right to receive information from us at any time, upon request, about his personal data processed by us, to the extent and in accordance with the conditions set out in Article 15 GDPR and § 34 BDSG.

17.2 Right to Rectification of Incorrect Data The user has the right to request the timely rectification of any inaccurate personal data concerning him.

17.3 Right to Deletion The user may request the deletion of personal data concerning him under the conditions set out in Article 17 GDPR and § 35 BDSG. These conditions establish, in particular, the right to delete any personal data if they are no longer necessary for the purposes for which they were collected or otherwise processed, as well as in cases of unlawful processing, objections, or the existence of an obligation to delete under the law of the Union or the Member State to which we are subject.

17.4 Right to Restriction of Processing The user has the right to request the restriction of processing under Article 18 GDPR. This is the case, in particular, in the event of disputes between us and the user regarding the accuracy of the personal data, for the time necessary to verify the accuracy, in the event that the data subject requests a restriction of processing instead of deletion, in the presence of a right to deletion, in the event that the data are no longer necessary for the purposes pursued by us but the user requests the restriction for the assertion, exercise, or defense of legal claims, and in the event that the exercise of an objection is still a matter of dispute between us and the user.

17.5 Right to Data Portability The user has the right to receive from us the personal data concerning him that he has provided to us in a structured, commonly used, and machine-readable format, under Article 20 GDPR.

17.6 Right to Object The user has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him, including, among other things, under Article 6(1)(e) or (f) GDPR, in accordance with Article 21 GDPR. We will terminate the processing of his personal data unless we are able to demonstrate the existence of compelling legitimate reasons for the processing that prevail over the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of a legal claim.

17.7 Right to Lodge a Complaint The user may lodge a complaint with a competent supervisory authority of his choice.

17.8 Data Processing in the Exercise of the User’s Rights Finally, we would like to point out that we process the personal data provided by the user in the exercise of his rights under Articles 15-22 GDPR for the purpose of implementing such rights and providing the necessary evidence. The data processing carried out is based on Article 6(1)(c), together with Articles 15-22 GDPR and Article 34(2) BDSG.

18- Rights of U.S. Residents

18.1 Disclosure If you reside in certain states, including California, Colorado, Connecticut, or Virginia, you may enjoy specific rights. Further information and rights relating to residents of some U.S. states that have adopted data protection laws and regulations are indicated below. This section also provides the necessary information about the personal data we collect and how we may use such information. The California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), and the privacy laws of other states provide some U.S. residents with specific rights regarding personal information. This section of the Privacy Policy describes such rights and how to exercise them. This section does not apply to information available to the public. Some information is automatically collected when you access our website (see Section 3 Automated Data Collection of this Privacy Policy). You can find more details about the personal information we collect, how we collect it, and why we collect it below:

Where you need customer assistance (see Section 3 Customer Assistance);
From our service providers (see Section 9 Technical Service Providers);
When you subscribe to our newsletter (see Section 5 Newsletter);
When you book activities on our Platform (see Section 6 Bookings and Payments);
For the purposes of fraud prevention (see Section 7 Fraud Prevention);
To protect ourselves from bots (see Section 8 Bot Protection);
Using cookies (see Section 9 Cookies);
For marketing purposes (see Section 11 Marketing and Remarketing Services);
For customer assistance purposes (see Section 12 CRM System);
For product development.

18.2 Access to Specific Information Rights You have the right to request that we disclose certain information about how we have collected and used your personal information. Once we receive a valid request from you, we will inform you, to the extent permitted by law:

The categories of personal information we have collected about you.
The categories of sources of the personal information we have collected about you.
The business or commercial purpose for collecting, selling, or sharing your personal information, if applicable.
The categories of third parties with whom we share your personal information.
If we disclose your personal information for business purposes, the categories of personal information obtained from each category of recipient.

18.3 Right to Deletion Residents of some states have the right to request that we delete the personal information we have collected about them, subject to some exceptions described in Section 19.3 of this Privacy Policy and as established by applicable laws.

18.4 Right to Correction Residents of some states have the right to request the correction of inaccurate personal information we hold about them as explained in Section 19.2 of this Privacy Policy, subject to some exceptions established by applicable laws.

18.5 No Discrimination We will not discriminate against you for exercising any of your privacy rights.

18.6. Do Not Sell or Share My Personal Information You are free to change your cookie preferences at any time and request to deactivate the sharing of your personal information to third parties, subject to some exceptions established by applicable laws. With “sharing,” we refer to the processing of personal data as described above in Section 11 Cookies and Section 9 Marketing and Remarketing Services.

18.7 Opt-Out of Targeted Advertising Some data collection and processing on our website for purposes of interest-based advertising may be considered “targeted advertising” or a “sale” or “sharing” of personal information under some state laws, such as under the CDPA. Depending on your cookie preferences and to the extent permitted by law, we may disclose your personal information to our trusted partners for targeted advertising. You can ask us to stop using and sharing your personal information for such targeted advertising by sending us an email at privacy@milanocard.it

18.8 Do Not Share or Disclose My Sensitive Personal Information You have the right to limit how your sensitive personal information is disclosed or shared with third parties. To exercise the rights described in this Privacy Policy, we invite you to contact us at the email privacy@milanocard.it

18.9 Exercising Your Rights You can exercise all your rights described in this Privacy Policy to the extent permitted by applicable laws. Please provide sufficient information and describe your request with sufficient detail to allow us to respond adequately to your request. We will take reasonable measures to verify your identity before we can respond to your request. If you reside in California, you or a person registered with the California Secretary of State that you authorize to act on your behalf, can submit a request. If you reside in Connecticut or Colorado, you have the option to designate an authorized agent to submit a request on your behalf. You may also submit a verifiable consumer request on behalf of your minor child.

Depending on your cookie preferences, we may “share” categories of personal information, as defined by California law, with third parties and for the business and commercial purposes described in this Privacy Policy. According to the CPRA, “sharing” refers to the disclosure of personal information to third parties for cross-context behavioral advertising, whether for a fee or not. See Sections 18.6 and 18.7 above for further information on the context in which we share your personal information and how you can request to opt out. We do not “sell” personal information as defined by the CPRA or the Consumer Data Protection Act (Virginia privacy law) (“CDPA”). We do not “sell” your personal information as defined by the CCPA. We do not knowingly “share” the personal information of minors under the age of 16.

19- Changes to This Privacy Policy

The current version of the privacy policy is always accessible on this page.

Last updated: October 22, 2024