Privacy Policy
This English version is provided for convenience. In case of discrepancy, the Italian version shall prevail.
Drafted pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 — updated February 2026.
The provisions in this document apply exclusively to the website www.esplorapp.com and refer only to data collected through the same website.
Glossary
- Personal data: any data identifying a natural person or making them identifiable.
- Data controller: the party that decides and defines the purposes and means of processing personal data.
- Data processor: the party that processes personal data on behalf of the controller.
- Data subject: the person to whom the personal data refer (you).
Article 1: Data controller
The data controller is EsplorApp of Daniele Cesaro, based at Via Sant'Antonio Abate 20, Ponte San Nicolò (PD), VAT IT05551810285. For any questions on this notice or to exercise your rights you can write to: e-mail [email protected] — PEC [email protected].
Taking into account the nature, scope, context and purposes of processing, as well as the type and quantity of data processed, the conditions under Article 37 of the GDPR for the mandatory appointment of a Data Protection Officer (DPO) do not apply. Should conditions change, the controller will proceed with the appointment and communicate it by updating this notice.
Neither the site nor the controller entrust decisions concerning you to any artificial intelligence system. To run the platform and organise operational activities we use various digital tools: some of them may integrate features based on artificial intelligence, machine learning or algorithmic automation. When this happens, we use them solely as operational support tools; no decision concerning you is left to a machine without human supervision.
Article 2: Types of data processed
2.1 — Data provided directly by the user
The following list represents the data you will provide to the platform:
- First and last name;
- Phone number;
- E-mail address;
- Information relating to orders placed;
- Credit-card or payment-method details, which are not stored by the controller but handled directly by Stripe and PayPal;
- Data relating to minors: in case of a minor's participation in an experience, the booking is made by the parent or legal guardian. The controller collects only the data of the parent or guardian making the booking; no personal data is collected directly from minors.
2.2 — Data collected automatically by the platform
The following list represents the data collected automatically:
- IP address;
- Device;
- Browser;
- Pages visited;
- Referrer URL;
- Browsing-session duration;
- Server log data.
2.3 — Data excluded from processing
The controller does not collect health data, medical declarations, biometric data, emergency contacts or other special categories of data under Article 9 of the GDPR. The assessment of psycho-physical fitness to participate in outdoor experiences is the user's sole responsibility, as specified in the terms and conditions of sale and use.
Article 3: Purposes and legal bases of processing
Every processing operation we perform has a specific reason and a legal basis legitimising it. Here they are one by one.
To provide the service you requested
When you book an experience, buy a guide, activate a subscription or ask us for support, we need your data to fulfil the request. This includes: managing your account, processing the order, communicating booking information, handling any refunds and sending you receipts or invoices.
Legal basis: necessity to perform the contract or to take pre-contractual steps at your request.
Retention: 10 years from the end of the relationship, in line with tax and accounting obligations, save your revocation.
To comply with legal obligations
Some things we are required to do by law: issue invoices, keep accounting records, respond to authority requests. In these cases we process your data because we have no alternative.
Legal basis: fulfilment of a legal obligation.
Retention: 10 years.
To respond to your requests
If you write to us via the contact form, by e-mail or in any other way, we use the data you provide to get back to you and give you the information you are looking for.
Legal basis: your consent or the execution of pre-contractual measures.
Retention: up to 24 months unless a contractual relationship is established in the meantime.
To send you communications about similar experiences (soft spam)
If you have already purchased one of our experiences, we may send you e-mails about similar experiences or services without asking for specific consent. This possibility is foreseen by Article 130(4) of the Italian Privacy Code. You can block these communications at any time: just click the unsubscribe link at the bottom of every e-mail or write to us directly.
Legal basis: our legitimate interest in offering you services consistent with those you have already chosen.
Retention: until you ask us to stop and/or delete them.
To keep you updated via the newsletter
If you subscribe to our newsletter, we use your name and e-mail address to send you updates on our activities, upcoming experiences, content and promotions. Subscription is entirely free and does not affect in any way your use of the platform or of the services you have purchased.
Legal basis: your explicit consent, given at the time of subscription.
Retention: until you revoke consent, and in any case no longer than 24 months from collection, save renewal. To unsubscribe you can use the unsubscribe link at the bottom of every e-mail or write to us directly.
Article 4: Who we share your data with
Your data is not publicly disclosed nor transferred to third parties for purposes other than those indicated in this notice. We never sell it or make it available to anyone for their own advertising purposes.
Only the following categories of parties may access it:
- Our collaborators: the people who work with us and need your data to carry out their tasks. They are formally authorised to process data pursuant to Article 29 of the GDPR and Article 2-quaterdecies of the Italian Privacy Code, suitably instructed and bound to confidentiality.
- The expert guides: the guides leading the outdoor experiences receive from us only your first and last name, i.e. the bare minimum to manage the activity on the field. They operate as parties authorised to process data pursuant to Article 29 of the GDPR, have received specific instructions and are bound by confidentiality agreements.
- External service providers: third parties providing services essential to the platform's operation (hosting, CDN, e-mail marketing, payment systems, tax advice). Details on each provider are in the article dedicated to third-party tools and providers. Where legislation requires it, we have designated them as Data Processors with a specific contract pursuant to Article 28 of the GDPR. You may request the updated list at any time.
- Authorities and parties provided for by law: where the law requires it, we communicate your data to public bodies, tax, judicial or administrative authorities, supervisory bodies and any other party provided for by applicable legislation.
Article 5: Consent to the use of images and videos
During the outdoor experience the controller or the assigned guides may take photos, videos and audio recordings. Use of such material for promotional and commercial purposes occurs only with the user's explicit, free, specific and informed consent, collected via a separate and optional checkbox at the time of experience purchase.
Consent is entirely optional: refusal does not affect in any way the possibility of participating in the experience or enjoying the other platform services.
The user may revoke consent at any time by sending an e-mail to the address indicated in the contact section of this policy. Following revocation, the controller will cease using the material in new contexts, it being understood that revocation cannot have retroactive effect on material already legitimately published and distributed. The controller undertakes, as reasonably possible, to remove the material from its own direct channels.
Any images of the faces of minors present at the experience will be obscured by blurring techniques (blur or similar censorship) to protect their privacy.
Article 6: Personal data retention period
Personal data is kept for the time strictly necessary to achieve the purposes for which it was collected. Details below.
| Type of data | Retention period |
|---|---|
| Account data | For the entire duration of the contractual relationship and, subsequently, until user revocation or for a maximum of 5 years from termination. |
| Tax and accounting data | 10 years from the transaction date, pursuant to Article 2220 of the Italian Civil Code. |
| Data for direct marketing | Until consent revocation or for a maximum of 5 years from consent collection, save renewal. |
| Data relating to images and videos | Until consent revocation. Following revocation, material will be removed from the controller's direct channels within reasonable time. |
| Security logs and technical data | Maximum 12 months, save documented security need or legal obligation. |
| Cookies and browsing data | As specified in the Cookie Policy. |
At the end of the retention period, personal data will be deleted securely or anonymised irreversibly.
Article 7: Place of processing and transfer outside the EU
Processing of personal data occurs predominantly within the European Economic Area. Should some providers or services involve a data transfer to third countries, such transfer will take place in compliance with Articles 44 et seq. of the GDPR, on the basis of an adequacy decision by the European Commission or via other appropriate safeguards under applicable legislation, including, where necessary, standard contractual clauses.
- Stripe (USA): adheres to the EU-U.S. Data Privacy Framework, on the basis of the European Commission's adequacy decision of 10 July 2023.
- Brevo (sub-processors in USA and India): for the USA relies on the Data Privacy Framework; for India and other countries without an adequacy decision, uses Standard Contractual Clauses approved by the Commission with Implementing Decision EU 2021/914.
- PayPal (Luxembourg, with possible USA transfers): any transfers to the United States occur on the basis of the Data Privacy Framework.
- LogRocket (USA): data collected via LogRocket may be transferred to and stored on servers located in the United States; such transfer occurs on the basis of the Standard Contractual Clauses approved by the Commission with Implementing Decision EU 2021/914.
Article 8: E-mail tracking
Promotional e-mails and newsletters we send via Brevo may contain tracking pixels: microscopic 1×1-pixel images, usually invisible to the naked eye, which let us know whether an e-mail has been opened and collect some technical information about the device used to read it. In particular, they may detect:
- whether you opened the message, when and how many times;
- which device or e-mail client you used;
- your IP address at the time of opening;
- any clicks on links in the e-mail.
We use these tools in compliance with the GDPR, the ePrivacy Directive (2002/58/EC), Article 122 of the Italian Privacy Code and the Guidelines issued by the Italian Data Protection Authority by ruling No. 284 of 17 April 2026, specifically dedicated to the use of tracking pixels in e-mail.
Tracking is activated only with your specific consent, collected when subscribing to the newsletter. You have several options to manage it:
- you can unsubscribe from the newsletter (and with it the tracking) via the link at the bottom of every e-mail;
- where technically possible, you can revoke only the tracking consent and keep receiving the newsletter without pixels;
- you can disable automatic image loading in your e-mail client settings.
On our side, we undertake to apply privacy-by-design and by-default principles (Article 25 GDPR), minimising data collected and transparently managing your preferences.
Article 9: Third-party tools and providers
Here are the technical services and platforms we rely on, with full details on who they are, what they do with your data and where they process it.
9.1 — Hosting and servers
The web platform and the app run on server infrastructure with data centre in Frankfurt, Germany. This service handles the technical operation of the site, backups, attack protection and operational continuity. IP addresses, access logs, technical device information and system backups may pass through hosting.
Legal basis: contract execution, legal obligations and our legitimate interest in system security (Art. 6.1 lett. b, c, f GDPR).
Location: Germany. Hostinger Privacy Policy.
9.2 — CDN: DigitalOcean, LLC
To deliver media content quickly and reliably we rely on DigitalOcean, operating as a Content Delivery Network. The reference data centre is in Frankfurt.
Location: European data centre (Frankfurt). DigitalOcean Privacy Policy.
9.3 — E-mail marketing: Brevo
To manage newsletters and promotional communications we use Brevo (formerly Sendinblue), an e-mail marketing platform based in Paris. Brevo processes your name and e-mail and provides us with statistics on e-mail interaction (open rates, link clicks).
Legal basis: your consent provided at subscription (Art. 6.1 lett. a GDPR).
Unsubscription: by clicking the link at the bottom of every e-mail. Cancellation is immediate.
Location and transfers: France (EU). Brevo uses sub-processors in the USA (covered by the Data Privacy Framework) and in India (covered by Standard Contractual Clauses under Implementing Decision EU 2021/914). You may request a copy of the safeguards adopted.
Brevo Privacy Policy.
9.4 — Payments: Stripe, Inc.
To process credit-card and Stripe Link payments we rely on Stripe. Your card data is processed directly by Stripe: we only receive confirmation that the payment has been successful, without ever seeing or storing the card numbers.
Legal basis: contract execution (Art. 6.1 lett. b GDPR), legal obligations (Art. 6.1 lett. c GDPR) and our legitimate interest in fraud prevention (Art. 6.1 lett. f GDPR).
Location and transfers: USA. The transfer occurs on the basis of Stripe's adhesion to the EU-U.S. Data Privacy Framework, pursuant to the European Commission's adequacy decision of 10 July 2023.
Stripe Privacy Policy.
9.5 — Payments: PayPal
For some experiences we also offer PayPal as a payment option. PayPal acts as an independent financial intermediary: it connects your account or card without sharing financial data with us. As regards data collected during the transaction, PayPal acts as autonomous data controller.
Legal basis: contract execution (Art. 6.1 lett. b GDPR) and tax obligations (Art. 6.1 lett. c GDPR).
Location: Luxembourg (EU). Any transfers to the USA are covered by the Data Privacy Framework.
PayPal Privacy Policy.
9.6 — Social buttons
On the platform you'll find buttons linking to our social profiles. Warning: even if you don't click them, social platforms may still collect some data on the traffic of pages where these buttons are installed. The processing they perform follows their rules, not ours.
- Instagram (Meta Platforms, Inc.) — data processed: cookies and usage data. Location: Ireland. Instagram Privacy Policy.
- Facebook (Meta Platforms, Inc.) — data processed: cookies and usage data. Location: Ireland. Facebook Privacy Policy.
To limit tracking by social platforms, you can act through our cookie banner, your social account privacy settings, or by blocking third-party cookies in your browser.
9.7 — Session recording: LogRocket, Inc.
To analyse user behaviour, detect technical errors and improve the user experience we use LogRocket, provided by LogRocket, Inc., a company based in the United States. Through this service, data relating to interaction with the platform is collected and recorded, including — by way of example and not exhaustively — mouse movements, clicks, scrolling, content of visited pages, data entered in forms (where not explicitly excluded via masking), device and browser information, IP address, system errors and technical performance. This data is used to reconstruct, as a visual replay, the browsing session, in order to identify technical problems, application errors and usability issues.
Legal basis: your consent (Art. 6.1 lett. a GDPR).
Location and transfers: USA. The transfer occurs on the basis of the Standard Contractual Clauses under Implementing Decision EU 2021/914.
LogRocket Privacy Policy.
Article 10: Protection systems
We take your data security very seriously. We adopt technical and organisational measures appropriate to the risk, as required by Article 32 of the GDPR. Concretely, this means:
- data encryption both in transit and at rest;
- two-factor authentication (2FA) available for your account via e-mail or TOTP app;
- rotation of security keys every 90 days, including those of payment systems;
- multi-level access controls with backend authorisation checks;
- secure session management: if you change your password or delete the account, all active sessions are invalidated immediately;
- periodic backups;
- hosting on European infrastructure (Frankfurt data centre) compliant with industry security standards.
Data breach
Should your personal data suffer a breach (e.g. unauthorised access, accidental loss, unexpected disclosure) entailing a risk to your rights and freedoms, we will notify the Italian Data Protection Authority within 72 hours of discovery, as required by Article 33 of the GDPR. Should the risk be particularly high, we will contact you directly and without undue delay pursuant to Article 34 of the GDPR, explaining what happened, what consequences it might have and what measures we are taking to remedy it and prevent recurrence.
Article 11: Protection of minors
EsplorApp is intended for adult users. You must be at least 18 years old to create an account. Minors may participate in outdoor experiences only if the booking is made by a parent, a legal guardian or a written-delegated adult.
We do not knowingly collect data from minors. Should we discover we have done so by mistake, we will delete it as soon as we become aware or upon notice from the parent/guardian.
As already mentioned in the previous sections, the faces of any minors in photos or videos of the experiences are always obscured before any use.
Article 12: Cookies
This website uses cookies, small text fragments used for various purposes. They may be technical and, with prior consent where required, also analytical, marketing and profiling, both first-party and third-party. They may be:
- necessary: useful for the correct operation of the website;
- analytical: such as marketing, profiling and tracking cookies;
- third-party: belonging to third parties;
- profiling.
To learn more, please consult our Cookie Policy.
Article 13: Your rights
Here is a brief list of all the rights you may exercise by sending an e-mail to the controller's address:
- request confirmation of the existence or otherwise of your personal data;
- obtain information about processing purposes, categories of personal data, recipients or categories of recipients to whom the personal data have been or will be communicated and, where possible, the retention period;
- obtain rectification and erasure of the data;
- obtain restriction of processing;
- obtain data portability, i.e. receive them from a controller in a structured, commonly-used, machine-readable format, and transmit them to another controller without hindrance;
- object to processing at any time and also in the case of processing for direct marketing purposes;
- object to automated decision-making relating to natural persons, including profiling;
- request from the controller access to the personal data and rectification or erasure thereof or restriction of processing that concerns them or to object to their processing, as well as the right to data portability;
- revoke consent at any time without affecting the lawfulness of processing based on consent given before revocation;
- lodge a complaint with a supervisory authority.
As established by Articles 15 to 22 of Regulation (EU) 2016/679.
You may also lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11, 00187 Rome — website www.garanteprivacy.it, e-mail [email protected], PEC [email protected].
Privacy Policy updated to May 2026.