Privacy Policy
Privacy Policy www.phlomistours.com
This privacy policy contains important information on the processing and protection of the personal data of users of the site www.phlomistours.com .
Data collected through the Webite are processed in accordance with the principles of fairness, lawfulness, transparency, purpose limitation and storage, minimisation and accuracy, integrity and confidentiality, as set out in EU Regulation 679/2016 (GDPR).
Data Controller
Data controller is Phlomis Tours di Filippetti Giulia, seat in Arezzo, Via Francesco Folli 29, Vat ID 16719061000, mail: giuliafilippetti@phlomistours.com; pec: giuliafilippetti@pec.buffetti.it
Website
Phlomis Tours di Filippetti Giulia is owner and proprietor of the contents of the website www.phlomistours.com, hereinafter “Website”. The Website’s hosting is managed by Aruba – https://www.aruba.it/documents/tc-files/it/11_it_privacy_policy_aruba_spa.aspx – whose server is in Italy.
What personal data is collected and why (type of data, purpose and legal basis)
By browsing this Website, personal data may be collected, as further specified below. Cookies are also installed, as you can read in the cookie policy.
Browsing Data
The Website’s computer systems implicitly collect some personal data (provided for by Internet communication protocols) in the course of their operation. These are not associated with specific subjects, except through a complex and complicated system of processing and association with other data, held by third parties. This category of personal data includes IP addresses or the domain names of the computers used by users connecting to the Website, browsers and the parameters of the computer system used to connect to the Website, navigation data, including time of the request and response obtained from the server.
Processed data: IP adresses or domain names of computer used by users connecting to the Website, browsers and parameters of the computer system used to connect to the website, navigation data, including time request and response obtained from the server.
Purpose: use of Website, anonymous statistics on the use of the Website.
Legal basis: legitimate interest of the Data Controller.
Contact Form
When filling out the Website’s contact form, the user is asked to provide his/her full name, mail address, telephone number, address, which are necessary for the data controller to follow up on the request received.
Processed Data: full name, email address, telephone number, address, user’s message
Purpose: response to a request received from the user
Legal basis: consent given at the bottom of the form, once completed
Data transfer extra UE: no
Purchase of of travel pa ckages and additional tourist services
A section of this Website is dedicated to the sale of travel packages and additional services (insurance). To purchase the package, after choosing the trip, the creation of an account with username and password and the entry of the Data (full name, email address) during the check out operations is necessary.
To purchase the insurance, data entry of the travel package and personal data are required.
The payment of packages and policies (with the conclusion of the transaction) is made through the service provided by Nexi Payments s.p.a., autonomous owner of the data processing, by entering the credit card or bank transfer data in the appropriate form. Here the privacy policy of Nexy Payments s.p.a.
For the purchased insurance, Allianz Global Assistance is autonomous owner of the data process Privacy Policy | Allianz Global Assistance (allianztravelinsurance.com)
Purchase data are also needed for invoicing and purchase management. For invoicing, the www.fattureincloud.it platform is used. Here, the Invoices In Cloud policy: Privacy Policy [ENG] | Fatture in Cloud \ Devs: API V2 & SDKs
Purpose: account creation
Processed Data: user and password
Legal basis: consent
Data transfer extra UE: no
Purpose: Sale of travel packages and travel services and communications relating to the purchased services.
Processed Data: personal data, telephone number, email address, National Insurance Number, data concerning specific needs, copy of documents/passports, data concerning specific needs health conditions if relevant for the purchase of the package/tourist service (included underage), data concerning the purchase travel package.
Legal basis: performance of contractual measures and consent for special data categories only
Data transfer extra UE: yes, if necessay according to the chosen destination
Purpose: travel insurance purchase (data processed by Allianz, autonomous owner)
Processed Data: personal data, telephone number, email address, National Insurance Number, copy if documents/passport, data relating ti the purchased travel
Legal basis and Data transfer extra UE: according to the provider’s policy
Newsletter
To subscribe to our Newsletter, users need to enter their name, email address, that the user entered in the form. Providing this information is voluntary, but necessary for subscription to the newsletter. The personal data provided are processed for the sole purpose of sending the newsletter, as required and authorized by the user through the Website.
Data processing of newsletter subscribers takes place via and on the servers used by Mailchimp, which are located in the United States. Mailchimp acts as data controller under Article 28 GDPR. Mailchimp’s privacy policy may be found here: https://mailchimp.com/legal/privacy/. Here you can learn about the measures taken by Mailchimp so that the data transfer to the United States is compliant with the GDPR: https://mailchimp.com/help/mailchimp-european-data-transfers/.
Data processed: name, email address
Purpose: sending the newsletter.
Legal basis: consent provided by the user.
Data transfer extra UE: yes
Data acquired through Facebook advertisements
The site acquires some personal data of Facebook users who respond to sponsored advertisements on this social channel. The data acquired via this channel are processed in compliance with the indications provided by the social network’s policies; in particular, these data will never be transferred to data brokers or sold to third parties (except for necessary transfers to a service provider). Here Facebbok’s privacy policy: https://www.facebook.com/about/privacy/.
In any case, the Webite only uses user’s data in any advertisement after obtaining the necessary consent. Users can deactivate the collection and use of information for targeting advertisements. For further information you can visit http://www.aboutads.info/choices and http://www.youronlinechoices.eu/.
Data processed: various navigation data and data collected by ADV service providers.
Purpose: targeting of users.
Legal basis: consent/legitimate interest.
Data transfer extra UE: yes
WordPress.com
WordPress.com is a platform from Automattic Inc. that enables the creation and management of websites. Here the privacy policy: https://wordpress.org/about/privacy/.
Data processed: Website data traffic and data indicated in the service policy.
Purpose: construction and management of the site.
Legal basis: legitimate interest of the owner
Data transfer extra UE: yes
Processing and storage methods
Data processing is carried out in automated form, in compliance with Article 32 of the GDPR 2016/679 on security measures; the data are processed and managed in such a way as to avoid or limit as much as possible the risks of loss, destruction, and misappropriation, and in such a way as to allow their restoration, should any of the described cases occur. According to Article 4 of GDPR 2016/679, the data provided may be: collected, recorded, organized, stored, consulted, processed, modified, selected, extracted, compared, used, interconnected, blocked, communicated, deleted and destroyed. Appropriate data protection systems are in place.
Lenght of data storage
Data are stored for the technical time required for the indicated uses. In any event, the user has the right to request the destruction or deletion of the data provided. The data may also be kept for a longer period of time in order to fulfil tax obligations or as mandated by an authority. At the end of the storage period, the data will be deleted and no longer recoverable.
Data communication and dissemination
Personal data will never be disseminated and will not be disclosed without the explicit consent of the User. However, it is necessary to communicate the data provided to the respective suppliers of the services included in the travel packages/purchased tourist services (air, rail and sea carriers, hotels and accommodation facilities, car rentals, insurance companies, etc.), for the correct execution of the purchased travel package. For the purchase of insurance policies and the online payment service, see the policies of the suppliers Allianz and Nexi.
Access to data
Data could be made accessible due to a legal obligation, which may involve the transfer of data to public institutions, judicial authorities, or insurances. The data could be visible to a consultant/IT technician for the purpose of repair/maintenance of IT tools or for routine maintenance of the Website and the agency in charge of marketing and advertising. Purchasing data will also be accessible to the tax consultant for the fulfilment of tax obligations imposed by law. For further information, please contact: giuliafilippetti@phlomistours.com
Personal data transfer
Data could be transferred to third countries outside the European Union, as further specified above, with reference to each function.
Special categories of personal data
The Website may collect and process data qualifying as “special categories of personal data”, pursuant to articles 9 and 10 of the GDPR 2016/679, only if communicated voluntarily by the data subject and if necessary for the purchase and proper execution of the contract of sale of the services/travel packages and/or in order to meet particular customer requirements related to the purchased services. In this case, the travel agency will only process the data provided with the consent of the data subject.
Data from minors Data of minors may be collected. The data of minors, communicated by the holders of parental authority/guardians, are collected for the sole purpose of performing the contractual service or for legal purposes. The holders of parental authority/guardians assume all responsibility for the provision of correct and truthful data and for the provision of consent to the processing of data from minors, where necessary.
Rights of the Data subject
At any time, pursuant to GDPR 2016/679, Arts. 15 to 22, the user may exercise the right to:
a) request confirmation of the existence of personal data concerning them;
b) obtain information about the purpose of data processing, the categories of personal data, the recipients or categories of recipients with whom the personal data have been or will be shared and, whenever possible, the storage period;
c) obtain the rectification and erasure of data;
d) obtain the restriction of data processing;
e) obtain data portability, receive them from a data controller, in a structured, commonly used, machine-readable format, and transmit them to another data controller without hindrance;
f) refuse the processing of data at any time as well as processing for direct marketing purposes;
g) refuse automated decision-making for individuals, including profiling;
h) request that the data controller grant access to and rectify or erase personal data or restrict processing for data concerning the user or refuse data processing, in addition to the right to data portability;
i) revoke consent at any time without affecting the lawfulness of the processing based on the consent given before revocation;
j) lodge a complaint with the supervisory authority.
Exercise of the rights To exercise the above rights or receive clarification or other information regarding the processing of personal data, please contact us at giuliafilippetti@phlomistours.com and we will answer you within 30 days. If you would like to file a complaint with the Antitrust Authority, please visit https://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-tuoi-dati-personali, Home – Garante privacy en – Garante Privacy for further information.
Policy drawn up in the month of May 2023