Privacy Policy
This English version is provided for convenience. In case of discrepancy, the Italian version shall prevail.
Drafted pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 — updated February 2026.
The provisions in this document apply exclusively to the website www.esplorapp.com and refer only to data collected through the same website.
Glossary
- Personal data: any data identifying a natural person or making them identifiable.
- Data controller: the party that decides and defines the purposes and means of processing personal data.
- Data processor: the party that processes personal data on behalf of the controller.
- Data subject: the person to whom the personal data refer (you).
Article 1: Data controller
Taking into account the nature, scope, context and purposes of processing, as well as the type and quantity of data processed, the conditions under Article 37 of the GDPR for the mandatory appointment of a Data Protection Officer (DPO) do not apply. Should conditions change, the controller will proceed with the appointment and communicate it by updating this notice.
Article 2: Types of data processed
2.1 — Data provided directly by the user
The following list represents the data you will provide to the platform:
- First and last name;
- Phone number;
- E-mail address;
- Information relating to orders placed;
- Credit-card or payment-method details, which are not stored by the controller but handled directly by Stripe and PayPal;
- Data relating to minors: in case of a minor's participation in an experience, the booking is made by the parent or legal guardian. The controller collects only the data of the parent or guardian making the booking; no personal data is collected directly from minors.
2.2 — Data collected automatically by the platform
The following list represents the data collected automatically:
- IP address;
- Device;
- Browser;
- Pages visited;
- Referrer URL;
- Browsing-session duration;
- Server log data.
2.3 — Data excluded from processing
The controller does not collect health data, medical declarations, biometric data, emergency contacts or other special categories of data under Article 9 of the GDPR. The assessment of psycho-physical fitness to participate in outdoor experiences is the user's sole responsibility, as specified in the terms and conditions of sale and use.
Article 3: Purposes and legal bases of processing
Every processing operation we perform has a specific reason and a legal basis legitimising it. Here they are one by one.
To provide the service you requested
When you book an experience, buy a guide, activate a subscription or ask us for support, we need your data to fulfil the request. This includes: managing your account, processing the order, communicating booking information, handling any refunds and sending you receipts or invoices.
Legal basis: necessity to perform the contract or to take pre-contractual steps at your request.
Retention: 10 years from the end of the relationship, in line with tax and accounting obligations, save your revocation.
To comply with legal obligations
Some things we are required to do by law: issue invoices, keep accounting records, respond to authority requests. In these cases we process your data because we have no alternative.
Legal basis: fulfilment of a legal obligation.
Retention: 10 years.
To respond to your requests
If you write to us via the contact form, by e-mail or in any other way, we use the data you provide to get back to you and give you the information you are looking for.
Legal basis: your consent or the execution of pre-contractual measures.
Retention: up to 24 months unless a contractual relationship is established in the meantime.
To send you communications about similar experiences (soft spam)
If you have already purchased one of our experiences, we may send you e-mails about similar experiences or services without asking for specific consent. This possibility is foreseen by Article 130(4) of the Italian Privacy Code. You can block these communications at any time: just click the unsubscribe link at the bottom of every e-mail or write to us directly.
Legal basis: our legitimate interest in offering you services consistent with those you have already chosen.
Retention: until you ask us to stop and/or delete them.
Article 4: Consent to the use of images and videos
During the outdoor experience the controller or the assigned guides may take photos, videos and audio recordings. Use of such material for promotional and commercial purposes occurs only with the user's explicit, free, specific and informed consent, collected via a separate and optional checkbox at the time of experience purchase.
Consent is entirely optional: refusal does not affect in any way the possibility of participating in the experience or enjoying the other platform services.
The user may revoke consent at any time by sending an e-mail to the address indicated in the contact section of this policy. Following revocation, the controller will cease using the material in new contexts, it being understood that revocation cannot have retroactive effect on material already legitimately published and distributed. The controller undertakes, as far as reasonably possible, to remove the material from its own direct channels.
Any images of the faces of minors present at the experience will be obscured by blurring techniques (blur or similar censorship) to protect their privacy.
Article 5: Personal data retention period
Personal data is kept for the time strictly necessary to achieve the purposes for which it was collected. Details below.
| Type of data | Retention period |
|---|---|
| Account data | For the entire duration of the contractual relationship and, subsequently, until user revocation or for a maximum of 5 years from termination. |
| Tax and accounting data | 10 years from the transaction date, pursuant to Article 2220 of the Italian Civil Code. |
| Data for direct marketing | Until consent revocation or for a maximum of 5 years from consent collection, save renewal. |
| Data relating to images and videos | Until consent revocation. Following revocation, material will be removed from the controller's direct channels within reasonable time. |
| Security logs and technical data | Maximum 12 months, save documented security need or legal obligation. |
| Cookies and browsing data | As specified in the Cookie Policy. |
At the end of the retention period, personal data will be deleted securely or anonymised irreversibly.
Article 6: Place of processing and transfer outside the EU
Processing of personal data occurs predominantly within the European Economic Area. Should some providers or services involve a data transfer to third countries, such transfer will take place in compliance with Articles 44 et seq. of the GDPR, on the basis of an adequacy decision by the European Commission or via other appropriate safeguards under applicable legislation, including, where necessary, standard contractual clauses.
- Stripe (USA): adheres to the EU-U.S. Data Privacy Framework, on the basis of the European Commission's adequacy decision of 10 July 2023.
- Brevo (sub-processors in USA and India): for the USA relies on the Data Privacy Framework; for India and other countries without an adequacy decision, uses Standard Contractual Clauses approved by the Commission with Implementing Decision EU 2021/914.
- PayPal (Luxembourg, with possible USA transfers): any transfers to the United States occur on the basis of the Data Privacy Framework.
Article 7: E-mail tracking
Promotional e-mails and newsletters we send via Brevo may contain tracking pixels: microscopic 1×1-pixel images, usually invisible to the naked eye, which let us know whether an e-mail has been opened and collect some technical information about the device used to read it. In particular, they may detect:
- whether you opened the message, when and how many times;
- which device or e-mail client you used;
- your IP address at the time of opening;
- any clicks on links in the e-mail.
We use these tools in compliance with the GDPR, the ePrivacy Directive (2002/58/EC), Article 122 of the Italian Privacy Code and the Guidelines issued by the Italian Data Protection Authority by ruling No. 284 of 17 April 2026, specifically dedicated to the use of tracking pixels in e-mail.
Tracking is activated only with your specific consent, collected when subscribing to the newsletter. You have several options to manage it:
- you can unsubscribe from the newsletter (and with it the tracking) via the link at the bottom of every e-mail;
- where technically possible, you can revoke only the tracking consent and keep receiving the newsletter without pixels;
- you can disable automatic image loading in your e-mail client settings.
On our side, we undertake to apply privacy-by-design and by-default principles (Article 25 GDPR), minimising data collected and transparently managing your preferences.
Article 8: Third-party tools and providers
Here are the technical services and platforms we rely on, with full details on who they are, what they do with your data and where they process it.
8.1 — Hosting and servers
The web platform and the app run on server infrastructure with a data centre in Frankfurt, Germany. This service handles the technical operation of the site, backups, attack protection and operational continuity. IP addresses, access logs, technical device information and system backups may pass through the hosting service.
Legal basis: contract execution, legal obligations and our legitimate interest in system security (Art. 6.1 lett. b, c, f GDPR).
Location: Germany. Hostinger Privacy Policy.
8.2 — CDN: DigitalOcean, LLC
To deliver media content quickly and reliably we rely on DigitalOcean, operating as a Content Delivery Network. The reference data centre is in Frankfurt.
Location: European data centre (Frankfurt). DigitalOcean Privacy Policy.
8.3 — E-mail marketing: Brevo
To manage newsletters and promotional communications we use Brevo (formerly Sendinblue), an e-mail marketing platform based in Paris. Brevo processes your name and e-mail and provides us with statistics on e-mail interaction (open rates, link clicks).
Legal basis: your consent provided at subscription (Art. 6.1 lett. a GDPR).
Unsubscription: by clicking the link at the bottom of every e-mail. Cancellation is immediate.
Location and transfers: France (EU). Brevo uses sub-processors in the USA (covered by the Data Privacy Framework) and in India (covered by Standard Contractual Clauses under Implementing Decision EU 2021/914). You may request a copy of the safeguards adopted.
Brevo Privacy Policy.
8.4 — Payments: Stripe, Inc.
To process credit-card and Stripe Link payments we rely on Stripe. Your card data is processed directly by Stripe: we only receive confirmation that the payment has been successful, without ever seeing or storing the card numbers.
Legal basis: contract execution (Art. 6.1 lett. b GDPR), legal obligations (Art. 6.1 lett. c GDPR) and our legitimate interest in fraud prevention (Art. 6.1 lett. f GDPR).
Location and transfers: USA. The transfer occurs on the basis of Stripe's adherence to the EU-U.S. Data Privacy Framework, pursuant to the European Commission's adequacy decision of 10 July 2023.
Stripe Privacy Policy.
8.5 — Payments: PayPal
For some experiences we also offer PayPal as a payment option. PayPal acts as an independent financial intermediary: it connects your account or card without sharing financial data with us. As regards data collected during the transaction, PayPal acts as autonomous data controller.
Legal basis: contract execution (Art. 6.1 lett. b GDPR) and tax obligations (Art. 6.1 lett. c GDPR).
Location: Luxembourg (EU). Any transfers to the USA are covered by the Data Privacy Framework.
PayPal Privacy Policy.
8.6 — Social buttons
On the platform you'll find buttons linking to our social profiles. Warning: even if you don't click them, social platforms may still collect some data on the traffic of pages where these buttons are installed. The processing they perform follows their rules, not ours.
- Instagram (Meta Platforms, Inc.) — data processed: cookies and usage data. Location: Ireland. Instagram Privacy Policy.
- Facebook (Meta Platforms, Inc.) — data processed: cookies and usage data. Location: Ireland. Facebook Privacy Policy.
To limit tracking by social platforms, you can act through our cookie banner, your social account privacy settings, or by blocking third-party cookies in your browser.
Article 9: Protection systems
We take your data security very seriously. We adopt technical and organisational measures appropriate to the risk, as required by Article 32 of the GDPR. Concretely, this means:
- data encryption both in transit and at rest;
- two-factor authentication (2FA) available for your account via e-mail or TOTP app;
- rotation of security keys every 90 days, including those of payment systems;
- multi-level access controls with backend authorisation checks;
- secure session management: if you change your password or delete the account, all active sessions are invalidated immediately;
- periodic backups;
- hosting on European infrastructure (Frankfurt data centre) compliant with industry security standards.
Article 10: Protection of minors
EsplorApp is intended for adult users. You must be at least 18 years old to create an account. Minors may participate in outdoor experiences only if the booking is made by a parent, a legal guardian or an adult delegated in writing.
We do not knowingly collect data from minors. Should we discover we have done so by mistake, we will delete it as soon as we become aware or upon notice from the parent/guardian.
As already mentioned in the previous sections, the faces of any minors in photos or videos of the experiences are always obscured before any use.
Article 11: Cookies
This website uses cookies, small text fragments used for various purposes. They may be technical and, with prior consent where required, also analytical, marketing and profiling, both first-party and third-party. They may be:
- necessary: useful for the correct operation of the website;
- analytical: such as marketing, profiling and tracking cookies;
- third-party: belonging to third parties;
- profiling.
To learn more, please consult our Cookie Policy.
Article 12: Your rights
Here is a brief list of all the rights you may exercise by sending an e-mail to the controller's address:
- request confirmation of the existence or otherwise of your personal data;
- obtain information about processing purposes, categories of personal data, recipients or categories of recipients to whom the personal data have been or will be communicated and, where possible, the retention period;
- obtain rectification and erasure of the data;
- obtain restriction of processing;
- obtain data portability, i.e. receive them from a controller in a structured, commonly-used, machine-readable format, and transmit them to another controller without hindrance;
- object to processing at any time and also in the case of processing for direct marketing purposes;
- object to automated decision-making relating to natural persons, including profiling;
- request from the controller access to the personal data and rectification or erasure thereof or restriction of processing that concerns them or to object to their processing, as well as the right to data portability;
- revoke consent at any time without affecting the lawfulness of processing based on consent given before revocation;
- lodge a complaint with a supervisory authority.
As established by Articles 15 to 22 of Regulation (EU) 2016/679.
Privacy Policy updated to May 2026.