Information on the Processing of Personal Data for the Terre dei Malaspina Platform
We care about your privacy and the protection of your personal data. In compliance with the requirements of EU Regulation 679/2016 on the Protection of Personal Data (hereinafter, the “Regulation”), this website’s Privacy Policy is intended to provide you with information on how we collect and process your data when you interact with Terre dei Malaspina (hereinafter, the “Platform”) and use our services. This information applies only to this website and not to any other websites that may be published on this website but refer to resources outside the terredeimalaspina.it domain.
Who is the Data Controller?
The Data Controller is Associazione Thara Rothas (hereinafter Thara Rothas), with registered office in Milan (MI) – 20154, Via Guercino 6 and operational headquarters in Varzi (PV) – 27057, Via Pietro Mazza 6, email: info@thararothas.it, certified email: thara.rothas@pec.it
What type of data do we collect?
a) Information collected automatically when using the Platform. When you visit the Platform for informational purposes only, we automatically collect some of your information, the transmission of which is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), and other parameters relating to the user’s operating system and IT environment.
b) Information collected at the time of booking (hereinafter “Booking Data”). When you book an experience, we ask for your basic name and a valid email address. Depending on the booking, we may ask for additional information such as your address, telephone number, date of birth, the names of any other people traveling with you, your preferences (e.g., dietary preferences and mobility limitations), and payment information.
c) Information collected when you sign up for our newsletter or other marketing communications (“Direct Marketing”)
d) If you sign up for our newsletter or other marketing communications, we collect your email address and other contact information.
e) Information collected when you interact with us (“Contact Us”). If you wish to contact our Help Center or contact us, we collect the information included in the request: subject/purpose of contact; name (first and last name); email address; and other personal data included in communications.
f) Personal data you provide about other people. You may also wish to make a Booking for other people traveling with you. In these cases, the information provided will be used only as described on the relevant service pages. We encourage you to inform the people whose data you share so that they understand and agree to how we use their information (i.e., as described in this Privacy Policy).
Geolocation
Some features offered by the platform require the use of location services provided by your browser (e.g., Chrome, Safari, Edge, etc.) or operating system (e.g., Windows, Apple OS, Linux, etc.) to perform geolocation, which is essential for the proper functioning of our Services. For example, to facilitate the search for Locations and experiences, for events at locations near you, with your express consent, you are “geolocated,” meaning information about your location is collected using data from your internet connection and/or your mobile device’s GPS. Depending on the chosen feature, localization can be specific, showing the Locations near your current location when the feature is activated, or more continuously, highlighting the Locations along your route from the moment the feature is activated. In any case, localization is limited to the duration of the chosen feature’s activation. Please note that most devices allow you to control or disable the location option for applications in the browser and device settings menu. Use of Google Maps/Earth maps and geolocation services is subject to the Google Maps/Earth Terms of Use and the Google Privacy Policy (https://www.google.com/intl/it/help/terms_maps/), which we encourage you to read carefully.
We may use your data for the following purposes (hereinafter “Purposes of Processing”):
a) Website navigation: to allow you to browse our website and other digital platforms.
LEGAL BASIS: processing necessary for the pursuit of the data controller’s legitimate interests.
PERIOD OF RETENTION OF PERSONAL DATA: for the duration of the browsing session. For navigation, see the cookie policy.
b) Data collection via Contact forms: to allow you to obtain information about our services by making a request on the “Contact” page or by completing forms on our website.
LEGAL BASIS: Processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject’s request.
PERIOD OF RETENTION OF PERSONAL DATA: 1 year for contacts
c) Booking experiences: Fulfillment of contractual obligations arising from the General Terms and Conditions of Sale, for the purpose of providing the services offered by the platform, for the information and/or services requested, including newsletter subscription;
Administrative and accounting purposes, i.e., to carry out organizational, administrative, financial, and accounting activities, such as internal organizational activities and activities necessary for the fulfillment of contractual and pre-contractual obligations;
Legal obligations, i.e., to fulfill obligations established by law, by an Authority, by a regulation, or by European legislation.
Customer support, to provide you with support or information about your booking and/or respond to you when you need it.
LEGAL BASIS: Processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject’s request;
processing is necessary to fulfill a legal obligation;
processing is necessary for the pursuit of the data controller’s legitimate interests. PERIOD OF RETENTION OF PERSONAL DATA: Such data will also be processed electronically, recorded in dedicated databases, and used strictly and exclusively within the scope of the existing contractual relationship. They will be retained for the entire duration of the contractual relationship, for ten (10) years from the end of the existing contractual relationship.
Providing your data for the aforementioned purposes is necessary to perform the contract to which you are a party. Failure to provide such data may make it impossible to provide the specific services.
d) Defense of a right in court: We may use your personal data to defend our rights in and out of court in the event of contractual or non-contractual breaches to the detriment of the Data Controller, for example, to pursue any debt collection actions, should this become necessary due to failure to pay the amounts stipulated in the contract within the agreed deadlines.
LEGAL BASIS: Processing necessary to pursue the data controller’s legitimate interest.
PERIOD OF RETENTION OF PERSONAL DATA: In the event of legal disputes, the data will be retained for the entire duration of the dispute, until the time limit for exercising appeals has expired.
e) Soft spam: We may send you emails for commercial and promotional purposes regarding the sale of our products and/or services, of the same type as your previous purchases, unless you object to processing, which can be opposed at any time.
LEGAL BASIS: Processing necessary for the pursuit of the data controller’s legitimate interest.
PERIOD OF RETENTION OF PERSONAL DATA: The data will be retained for a period not exceeding twenty-four months from its registration, unless you request to opt out (unsubscribe).
f) Direct Marketing: Subject to your consent and until you object, for: direct marketing activities by the Data Controller, direct sales, sending of newsletters and promotional, commercial, or event-related materials by the Data Controller and its affiliated companies, via automated means such as email, fax, SMS, MMS, or other messages, as well as operator-assisted telephone calls, including automated ones, and postal mail, and other informational materials.
LEGAL BASIS: Consent to the processing of your personal data.
Consent to the processing of your data is voluntary and you may withdraw it at any time by making a request to the Data Controller or by sending an email to: privacy@terredeimalaspina.it. You may also opt out of receiving further promotional communications via email by clicking the appropriate link in each promotional email.
PERIOD OF RETENTION OF PERSONAL DATA: Your data will be retained for a period no longer than twenty-four months from the date of registration, unless you request to opt out.
g) Click-to-chat and click-to-call functionality: The click-to-chat functionality allows you to initiate a live chat and receive real-time customer support. You can contact our Help Center via live chat both as a guest and as a registered customer. In the latter case, to process and respond to your requests, the Help Center may have access to certain parts of your Account Data, such as your name and contact information.
If you request the activation of the click-to-call functionality, you may be called back by the Help Center. In this case, we may collect: your phone number and the time you prefer to be called back.
How do we handle the personal data of minors under 16?
The services offered by Terre dei Malaspina are intended only for persons over 18. In limited cases, such as booking an experience or other associated services, the number and other information relating to minors and their companions may be collected. In all other cases, we collect and use information from minors only with the consent of their parents or legal guardian.
Data Source
The data is provided by you (the data subject) or collected from third parties.
To whom do we disclose the data?
Thara Rothas employees and collaborators may access your personal data, acting as authorized persons, in relation to the data and information necessary to perform their assigned tasks and within the limits strictly relevant to the obligations, duties, and purposes described above.
Furthermore, personal data may be disclosed to third parties who perform activities necessary to provide the services we offer. Each of these third parties processes the data as data processors, or they may act as independent data controllers.
Specifically, data may be processed by the following entities or categories of entities:
Participating entities, such as entities, organizations, and operators offering experiences through our service (“Participating Entities”);
Companies and consultants providing legal, accounting, and tax assistance and advice;
Entities providing services for managing information systems and telecommunications networks, including email, website management, and newsletters.
Competent authorities, for compliance with legal obligations and/or provisions of public bodies, upon request;
Payment service providers.
The complete and updated list of Data Processors is available at the company headquarters.
Your personal data is not and will not be disclosed.
Do we transfer data abroad?
The personal data we collect for the purposes described in this Policy may be disclosed and transferred to companies and individuals located in other European Union countries. Any transfer of data to companies and/or third parties located in countries outside the EU is always carried out within the limits and under the conditions set forth in Articles 44 et seq. of EU Regulation 2016/679 (GDPR). In particular, it is acknowledged that the Data Controller uses the services of companies that transfer personal data to the U.S., guaranteeing an adequate level of personal data protection pursuant to specific Data Transfer agreements to protect the personal data provided by their customers.
What are your rights?
You can exercise your rights under Articles 15, 16, 17, 18, 19, 20, and 21 of EU Regulation 2016/679 at any time by requesting access to your personal data, rectification, erasure, restriction of processing, and data portability from the joint data controllers, where applicable. Furthermore, you have the right to object, at any time, to processing of your data based on consent and/or legitimate interest. To no longer receive automated direct marketing communications (e.g., emails, text messages), simply use the appropriate automatic unsubscribe services or send an email at any time to privacy@terredeimalaspina.it with the subject line “Unsubscribe.” To exercise the above rights, you may contact the Data Controller at the following address: privacy@terredeimalaspina.it
Without prejudice to any other administrative or judicial remedy, if you believe that the processing of your data violates the provisions of EU Regulation 2016/679, pursuant to Article 15, letter f) of the aforementioned EU Regulation 2016/679, you have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
How can I contact the Data Controller for information?
If you have any questions, you can contact us through the Help Center or by sending a message to any of the contact details provided in the footer or in the contact section of the Terre dei Malaspina website.
Changes to this Privacy Policy
This policy may be subject to changes and/or additions as a result of any subsequent regulatory changes and/or additions, the updating or provision of new services, or technological innovations.
Last updated: September 23, 2025