
Privacy Policy

Dear visitor,

On this page you will find, as a User of this website, the information that www.ilmioviaggioanewyork.com, as Data Controller, provides, pursuant to US and European legislation, California Consumer Privacy Act 2018 (“CCPA”) and EU Regulation 2016/679 (“GDPR”), regarding the processing of personal data of visitors to the site. 

Access to this site, viewing its contents and using the services available on it may involve the collection, by the Data Controller or by third parties (specified in more detail below), of personal data provided by you.

For information on cookies, please refer to the specific Cookie Policy.

  1. Data Controller

1.1. The Data Controller is ilmiovaggio Inc., 235 W 56 Street, Suite 21D, New York NY 10019, e-mail: info@ilmioviaggioanewyork.com, and will process the data according to the principles of lawfulness, correctness, transparency, limitation of purposes and storage, minimization, accuracy, integrity, and confidentiality.

  2. Categories of data processed, purposes, and legal bases of processing

2.1 The personal data processed by the Data Controller fall into the category of common data.

2.2 Navigation data. Some of your data is processed for the proper technical functioning of the site, therefore, in order to: provide the service, maintain or restore the security of the service, prevent fraud or detect technical failures, measure the audience of the site. The computer systems and software procedures used for the ordinary operation of the site acquire some personal data (session or browsing data) whose transmission is implicit in the use of Internet communication protocols. This data category includes IP addresses or the domain names of computers and terminals used by users, URI/URL (Uniform Resource Identifier/Locator) addresses of requested resources, request time, method used to submit the request to the server, size of the response file, numerical code indicating the server response status (successful, error, etc.), browser version, time zone, and other parameters pertaining to the user’s operating system and IT environment. The legal basis of the processing can be found in the legitimate interest pursued by the Data Controller, i.e. the interest in providing users with a secure and functional website, as well as in the fulfillment of a legal obligation to which the Data Controller is subject. The communication of the personal data necessary to achieve the purposes indicated is mandatory and any refusal to provide your data will not allow the requested services to be provided.

2.3 Data necessary for the provision of services. When the user makes a purchase in the Data Controller’s store, as part of the sales and purchase process, the personal information provided by the user is collected, such as name, email, shipping and billing address, payment details, including credit card numbers, company name, telephone number, and information about orders.

These and other data are collected for the following purposes:

  • provision of the services provided through this website, in particular for the creation and management of your account in the reserved area in order to: purchase and use the services advertised on the site (including tours and events); answer your questions and provide assistance in the use of our site and our services; allow you to use the services offered, answer any questions;
  • administrative management of relations, including commercial relations, between the Data Controller and third parties;

The legal basis for processing for these purposes can be found in the execution of a contract to which the data subject is a party or in the execution of pre-contractual measures adopted at the request of the same. The communication of the personal data necessary to achieve the purposes indicated is mandatory and any refusal to provide your data will not allow the requested services to be provided. For the processing of personal data relating to these purposes, please refer to the information in point 4 of this policy.

2.4 Data collected for promotional, commercial, and direct and indirect marketing purposes. 

Furthermore, the Data Controller may use your personal data, after obtaining your consent, for the following purposes:

  • periodic updates on offers, promotions and discounts, including through the use of a newsletter service (email);
  • sending promotional communications and advertising material, offering its own or third-party products and/or services, conducting surveys and market research, through the use of telephone with operator and/or automated systems (SMS);
  • collection and management of customer feedback on the services provided;
  • market research and analysis;
  • user profiling for commercial and marketing purposes based on how the site is used, interest shown in the various products, exposure to advertising.

The legal basis of the processing, for these purposes, can be found in the explicit consent of the Data Subject, which may be revoked, by the same, at any time, by contacting the Data Controller. The provision of data for the purposes indicated in point 2.4 is optional, and if you decide not to consent to the collection of such data, this would not affect the possibility of using the services of the Data Controller. You will simply not be able to use the services for which you have denied consent (e.g. offers, promotions and discounts, promotional communications, surveys and market research, etc.). Some services of the site are offered, for example, by Google, Meta, Automattic, Complianz, Paypal, which operate as independent Data Controllers, therefore please refer to their respective policies.

2.5 Data provided voluntarily by the user.

The optional, explicit, and voluntary sending of messages to the Data Controller’s contact addresses, as well as the filling in and forwarding of forms on the site, entail the acquisition of the sender’s contact data, which is necessary to reply, as well as all the personal data included in the communications, in order to better manage the requests. The processing of personal data by the Data Controller is in this case voluntarily activated by the user and necessary to process his/her requests; therefore, the legal basis for this purpose can be found in the execution of a contract to which the Data Subject is a party or the execution of pre-contractual measures adopted at the request of the same. For these purposes, the provision of data is optional; however, failure to provide the necessary data makes it impossible to forward the visitor’s request or to follow up on it, or results in a less precise and detailed response or greater difficulty in contacting the Data Subject for more details about the request.

  3. Processing methods

3.1 The processing of your personal data will take place in compliance with the CCPA and the GDPR, with the support of paper, computer or telematic, manual and automated means, for the purposes indicated in point 2 of this information. The personal data processed are not subject to dissemination and can only be processed by the Data Controller’s employees, previously authorized and instructed to process.

3.2 Personal data may be disclosed to the following external parties, independent data controllers or appointed by the Data Controller as Data Processors (“processors”), as they meet the requirements of the law:

  • private and public entities for the performance of administrative and legal practices;
  • professionals, consultants, companies that assist the Data Controller from an IT and infrastructural point of view, such as, for example, hosting and cloud providers (see point 4), or companies that provide e-mail services;
  • professionals, consultants, and companies that perform services related to the provision, monitoring, analysis of navigation, measurement, and optimization of websites;
  • professionals, consultants, companies that assist the Data Controller from a fiscal, accounting, commercial, and legal point of view;
  • professionals, consultants, and companies that assist the Data Controller in collecting information such as the quality of the services provided, customer satisfaction, etc., as well as in the provision of data processing, storage, and/or analysis services;
  • professionals, consultants, companies specializing in marketing, re-marketing, social media, operational management of communication campaigns via the Internet, e-mail and/or telephone systems;
  • professionals, consultants, companies that perform services related to the organization and execution of our tours and events (e.g. hotels, transport service operators).
  • payment service providers and payment gateways (e.g. Paypal, Stripe, Square, or other payment processors compatible with Woocommerce).

Pending an intervention by the legislator regarding transfers of personal data outside the European Economic Area, Ilmioviaggio Inc adopts measures to protect personal data by requiring suppliers to enter into a contract that provides for the adoption of a level of data protection equivalent to that provided by the GDPR. Furthermore, data subjects have actionable rights and effective means of appeal.

3.3 Personal data may also be disclosed to other external parties, acting as independent Data Controllers, such as judicial, administrative, or police authorities or to another public entity entitled to request them, in the cases provided for by law, in order to fulfill legal obligations and/or regulations, including those of a fiscal nature. Ilmioviaggio Inc may disclose your personal information if the law requires us to do so or if you violate our Terms of Service. Ilmioviaggio Inc is subject to the investigative and executive powers of the Federal Trade Commission (FTC) and/or the US Department of Transportation.

3.4 The Website is not intended for persons under the age of 14. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us to request its deletion.

3.5 The Data Controller does not carry out automated profiling with significant legal effects. Some WooCommerce plugins may use automated decision-making processes limited to fraud prevention and transaction security, which have no legal or otherwise significant effect for Website Users. Services that include automated decision-making elements include: temporary blacklist of IP addresses associated with repeated failed transactions; automatic verification of billing address with credit card for fraud prevention; temporary blacklist of credit cards associated with unauthorized IP addresses (for a few days).

  4. Data processing by WooCommerce and related services

4.1 The site uses WooCommerce, an open source e-commerce plugin for WordPress, developed by Automattic Inc., a company based at 60 29th Street #343, San Francisco, CA 94110, USA. WooCommerce itself does not collect personal data, but the site may use additional extensions and services from Automattic or third parties that may involve the processing of personal data.

4.2 The payment services used through WooCommerce are WooPayments (payment service managed by WooCommerce/Automattic) and PayPal, which operate as independent data controllers for payment data. We recommend consulting the respective privacy policies of these services:

  • WooPayments: https://woocommerce.com/document/woocommerce-payments/privacy/
  • PayPal: https://www.paypal.com/it/webapps/mpp/ua/privacy-full

4.3 The User’s data is stored in the WordPress database of the website, on a secure server protected by a firewall located in Frankfurt, Germany (European Union). The site collects the name, e-mail address, shipping and billing address, payment details (excluding full credit card details, which are managed directly by the WooPayments and PayPal payment gateways), company name, telephone number, IP address at the time of order, order information, and information on the device and browser used.

4.4 If a payment gateway is chosen to complete the purchase, sensitive credit card data is transmitted directly to the payment service provider using SSL/TLS encryption. The site does not store complete credit card data. All payment gateways used adhere to PCI-DSS standards as managed by the PCI Security Standards Council.

4.5 In order to protect the personal data processed, the Data Controller takes reasonable precautions and follows the best practices of the sector to ensure that the data is not lost, used inappropriately, consulted, disclosed, altered, or destroyed erroneously. The information is encrypted using Secure Socket Layer (SSL) technology and, where applicable, stored with AES-256 encryption.

  5. Data Retention Period

5.1 With reference to the browsing data collected for the purposes referred to in point 2.2, they are kept for a period that allows the Data Controller to guarantee the security of the users’ connection to the site and its correct functioning. With reference to cookies, the storage time of individual cookies is explained in the table in the specific Cookie Policy.

5.2 With reference to the data processed for the purposes referred to in point 2.3, personal data are stored, in accordance with the purpose for which they were provided, for the period strictly necessary to pursue the purposes for which the data were provided, in compliance with the principle of data retention, unless the applicable legislation imposes a further retention period.

In particular:

  • Order data: kept for the period required by tax legislation (minimum 10 years)
  • User account data: stored until the user deletes the account
  • Transaction logs: kept for 3 years for security and fraud prevention purposes

5.3 With reference to the data processed for the purposes referred to in point 2.4, personal data are kept until the revocation of consent or, at most, for 36 months from the time of collection of consent.

5.4 With reference to the data processed for the purposes referred to in point 2.5, the personal data provided voluntarily by the user are kept, at most, for 24 months from the time of provision, in compliance with the principle of data retention, unless the applicable legislation imposes a further retention period.

  6. Location and transfer of data in non-EU countries

6.1 If you are a citizen of the European Economic Area, we inform you that the Data Controller may use, also through its Data Processors, telematic communication service companies and, in particular, email, as well as hosting and cloud services, which could transmit users’ messages and personal information also in countries outside the European Union, or which in such countries could save backup copies of data, in order to limit the risks associated with any data loss.

6.2 These service companies are selected for reliability, security, and compliance with national and European legislation on the processing of personal data and among those that provide adequate guarantees, as required by Article 46, GDPR. The transfer abroad thus carried out is in line with this legislation, since it is implemented only to countries that have been the subject of an adequacy decision and that, therefore, guarantee an adequate level of personal data protection, or on the basis of the “standard contractual clauses” (“SCC”) issued on June 4, 2021 by the EU Commission.

6.3 Considering the effects of the “Schrems II” ruling of the EU Court of Justice, pending an intervention by the legislator on the subject of transfers of personal data outside the European Economic Area, Ilmioviaggio Inc adopts measures to protect personal data by requiring suppliers to enter into a contract that provides for the adoption of a level of data protection equivalent to that provided for by the GDPR. Data subjects also have enforceable rights and effective remedies.

6.4 Your personal data is stored on databases located at our hosting provider in Frankfurt, Germany (European Union), thus ensuring that the data remains within the European Economic Area. Payment service providers (WooPayments and PayPal) may transfer data in accordance with relevant data protection legislation, to other countries, including the United States, according to their respective privacy policies.

6.5 Cookie Management and Consent: The site uses Complianz for cookie and consent management in accordance with the GDPR and other privacy regulations. Complianz guarantees that:

  • Non-essential cookies are activated only after the user’s explicit consent
  • Users can change their cookie preferences at any time
  • A consent log is maintained to demonstrate regulatory compliance
  • Cookies are categorized correctly (necessary, functional, statistical, marketing)


For more details on the cookies used, please refer to the Cookie Policy managed through Complianz, accessible through the cookie banner and the link in the footer of the site.

  7. Third-party apps

7.1 The site may use third-party plugins and services to improve e-commerce functionality, including:

  • Analysis services (Google Analytics, with anonymized data)
  • Marketing and remarketing services
  • Chat and customer support services
  • Review and feedback services
  • Shipping and tracking services

7.2 Each third-party service operates as an independent data controller. Please refer to the respective privacy and cookie policies of these services.

  8. Rights of the Data Subject

8.1 The Data Controller takes all reasonable measures to ensure the quality of the data and to eliminate incorrect or unnecessary personal data.

8.2 If you are a citizen of the European Economic Area, you are granted the rights provided by the GDPR. As a data subject, in fact, you can exercise the following rights by contacting the Data Controller at the addresses referred to in point 1 of this policy:

  • where applicable, Right to withdraw consent (Article 13, par. 2, letter a, and Article 9, paragraph 2, letter a, GDPR);
  • Right of access to personal data (Article 15);
  • Right of rectification (Article 16);
  • Right to erasure (Article 17); in this case, the Data Controller verifies that the applicant coincides with the data subject, confirms that there are no legal reasons to keep such data and proceeds to remove the personal data from the site database, however the personal data cannot be erased while they are associated with a pending order or tax/legal obligations;
  • Right to restriction of processing (Article 18);
  • Right of notification to recipients, in case of rectification or erasure of personal data or restriction of processing, and right to have communication of such recipients (Article 19);
  • Right to portability (Article 20);
  • Right to object (Article 21);
  • Right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects that concern them or that significantly affects their person (Article 22).

8.3 If you are a California citizen, under the California Consumer Privacy Act (CCPA), you have the right to:

  • Know what personal data is collected
  • Know if your personal data is sold or disclosed and to whom
  • Say no to the sale of personal data
  • Access your personal data
  • Request the deletion of your personal data
  • Not be discriminated against for exercising your privacy rights

8.4 The possibility of lodging a complaint with the competent supervisory authority on the protection of personal data is reserved.

  9. Changes to the policy

The Data Controller reserves the right to make changes to this privacy policy at any time, informing Users of such on this page. Please consult this page regularly and check the date of the latest change, which is indicated at the bottom of the page.

For any questions regarding this privacy policy, you can contact us using the following contact information:

ilmiovaggio Inc.
 235 W 56 Street, suite 21D
 New York NY 10019
 Email: info@ilmioviaggioanewyork.com

This information was updated on October 25, 2025.
