Porta Sicilia

Privacy Policy

Last Updated On

This Privacy Policy describes the policies of Sicily Good di Salvatore Guarneri, Cortile Gonzales 7, Lercara Friddi 90025, Italy, email: portasiciliainfo@gmail.com, phone: 3274522382 on the collection, use and disclosure of your information that we collect when you use our website (https://www.portasicilia.com/) (the "Service"). By accessing or using the Service, you are consenting to the collection, use and disclosure of your information in accordance with this Privacy Policy. If you do not consent to the same, please do not access or use the Service.

1. Data Controller

The data controller is:

  • Sicily Good di Salvatore Guarneri (sole proprietorship)
  • Registered office: Cortile Gonzales 7, 90025 Lercara Friddi (PA), Italy
  • VAT and Tax Code: 07069930829
  • REA registration: PA - 455934 — Palermo and Enna Chamber of Commerce
  • Certified email (PEC): infosalvoguarneri@pec.it
  • Email: info@portasicilia.com
  • Phone: +39 327 4522382

Porta Sicilia has not appointed a Data Protection Officer (DPO), as the conditions of Article 37 GDPR do not apply. For any request relating to personal data processing, the data subject may write to info@portasicilia.com.

2. Scope

This Notice applies to the processing of personal data of data subjects who visit the Platform, register as users, book services or purchase products, apply to become Partners, receive commercial communications or interact with the official channels of Porta Sicilia.

3. Categories of data subjects

The personal data processed concerns the following categories of data subjects:

  • Visitors to the Platform (including unregistered visitors).
  • Registered users who book experiences, tours and accommodations or purchase products.
  • Hosts / Partners who publish listings on the Platform.
  • Persons who submit an application to become a Partner.
  • Subscribers to the newsletter and recipients of commercial communications.

4. Categories of personal data processed

The categories of personal data processed vary depending on the relationship with Porta Sicilia. They are as follows:

  • Identification data: first and last name, date of birth (where provided), Partner’s business name where applicable, tax code or VAT number (for Partners).
  • Contact data: email address, phone number, postal address (for shipping and invoicing).
  • Account data: user identifier, password hash, OAuth identifiers (Google, Apple), language preferences and profile settings.
  • Booking data: booking codes, dates, number of participants, any requests communicated to the Host, preferences.
  • Payment-related data: amount, currency, transaction outcome, Stripe transaction identifier. Porta Sicilia does NOT store payment-card data, which is collected and processed directly by Stripe in tokenised form.
  • User-generated content: reviews, uploaded photos, listings (for Hosts), communications exchanged through the Platform.
  • Technical and usage data: IP address, device identifier, browser type and version, operating system, language, referrer URL, pages viewed, session duration.
  • Data relating to commercial communications: newsletter subscription email, open/click events, consent status, subscription and unsubscription dates.
  • Cookie consent data: choices made on the CMP banner, date and version of the consent recorded.

Porta Sicilia does not deliberately collect special categories of personal data within the meaning of Article 9 GDPR (health, ethnic origin, religious belief, biometric data, etc.). Should a data subject voluntarily provide such information in a review or communication, they will be asked to remove it.

5. Sources of the data

Data is collected directly from the data subject (registration, Partner application form, newsletter form, bookings, purchases, communications).

A limited part of the data may be received from third parties: (i) Google and Apple, in case of OAuth registration (email, name, possibly avatar); (ii) Stripe, in case of payment (tokenised outcome and transaction identifier); (iii) iCal synchronisation of the Host’s calendar with external platforms (Airbnb, Booking) — limited to availabilities, without personal data of the customer.

6. Purposes of the processing and legal bases

Personal data is processed for the following purposes and with the corresponding legal bases:

(a) Creation and management of the user account, authentication, maintenance of account security.

Legal basis: performance of the Platform service contract — Art. 6(1)(b) GDPR.

(b) Execution of bookings for experiences, tours and accommodations, including transactional communications and transmission of data necessary to the Host for service provision.

Legal basis: performance of contract — Art. 6(1)(b) GDPR.

(c) Direct sale of food products in the Shop section: order management, invoicing, shipping.

Legal basis: performance of contract — Art. 6(1)(b) GDPR; tax and accounting obligations — Art. 6(1)(c) GDPR.

(d) Payment processing via Stripe, including anti-fraud checks and PSD2/SCA authentication.

Legal basis: performance of contract — Art. 6(1)(b) GDPR; PSD2 regulatory obligations — Art. 6(1)(c) GDPR.

(e) Service communications (confirmations, changes, reminders, booking updates, support).

Legal basis: performance of contract — Art. 6(1)(b) GDPR.

(f) Platform security, fraud prevention, abuse monitoring, dispute and chargeback management.

Legal basis: legitimate interest of Porta Sicilia in protecting its systems and customers — Art. 6(1)(f) GDPR.

(g) Anonymised/pseudonymised statistical analysis of Platform usage via Google Analytics 4 in Consent Mode v2 with ads_data_redaction enabled.

Legal basis: consent of the data subject expressed via the CMP — Art. 6(1)(a) GDPR.

(h) Sending of the newsletter and commercial communications on Porta Sicilia’s services and initiatives.

Legal basis: express consent of the data subject — Art. 6(1)(a) GDPR; alternatively, "soft-spam" under Article 130(4) of the Italian Privacy Code for offers of services similar to those already purchased, with the right to free objection in every email.

(i) Publication and moderation of reviews left by users.

Legal basis: performance of contract and legitimate interest in Platform transparency — Art. 6(1)(b) and (f) GDPR; compliance with Article 27-quater of the Italian Consumer Code.

(j) Compliance with transparency and notice-and-action obligations under Regulation (EU) 2022/2065 (DSA).

Legal basis: legal obligation — Art. 6(1)(c) GDPR.

(k) Compliance with legal obligations (tax, accounting, anti-money laundering where applicable), response to requests from public authorities, exercise or defence of rights in judicial proceedings.

Legal basis: legal obligation — Art. 6(1)(c) GDPR; legitimate interest — Art. 6(1)(f) GDPR for defence of rights.

7. Processing modality

Processing is carried out using electronic and organisational tools suitable to ensure the confidentiality, integrity and availability of the data. Data is processed by authorised personnel of Porta Sicilia and by suppliers appointed as processors, bound by agreements (DPAs) compliant with Article 28 GDPR.

8. Retention of your information

Personal data is retained for the time strictly necessary to pursue the purposes for which it was collected, according to the following criteria:

  • User account data: for the duration of the contractual relationship and up to 24 months after the last activity (the account may be deactivated in case of prolonged inactivity).
  • Booking and sale data: 10 years from contract performance for tax and civil-law purposes (Articles 2220 Italian Civil Code and 22 DPR 600/1973).
  • Accounting and tax documents: 10 years from the date of issue.
  • Newsletter and commercial-communication data: until consent is revoked or processing is objected to; sending histories are retained for 24 months for statistical purposes.
  • Analytics data (Google Analytics 4): 14 months for standard properties, in pseudonymised form and with IP anonymised.
  • Cookie consent records: 24 months from collection, in accordance with the Italian Garante Decision of 10 June 2021.
  • System, access and security logs: 12 months.
  • Partner applications not approved: 24 months from the decision not to proceed; approved applications: for the duration of the relationship with the Partner.

In case of litigation or legitimate interest in defending rights, data may be retained for the time necessary, until the final decision becomes res judicata.

9. Recipients and categories of recipients

Personal data may be communicated to service providers acting as processors under Article 28 GDPR. The current list is as follows:

  • Stripe Payments Europe Ltd (Ireland) and, for certain features, Stripe, Inc. (United States) — payment processing, fraud prevention, SCA. Privacy notice: https://stripe.com/it/privacy.
  • Google Ireland Ltd (Ireland) and Google LLC (United States) — OAuth authentication, Google Analytics 4, Google Tag Manager, Google Cloud Translation (automated listing translation). Privacy notice: https://policies.google.com/privacy.
  • Apple Distribution International Ltd (Ireland) and Apple Inc. (United States) — Sign in with Apple authentication, email relay service. Privacy notice: https://www.apple.com/legal/privacy/.
  • Amazon Web Services EMEA SARL (Luxembourg) — hosting of media files (listing images, profiles, reviews) via Amazon S3, with servers located in the eu-west-2 (London) region. Privacy notice: https://aws.amazon.com/privacy/.
  • Usercentrics GmbH (Germany) — cookie-consent management via the Consent Management Platform. Privacy notice: https://usercentrics.com/privacy-policy/.
  • MailerLite UAB (Lithuania) — newsletter delivery and management of commercial contacts. Privacy notice: https://www.mailerlite.com/legal/privacy-policy.
  • SMTP providers for sending transactional emails (booking confirmations, password recovery, system notifications), bound by DPAs compliant with Article 28 GDPR.
  • Hosts / Partners: receive from Porta Sicilia only the data strictly necessary to perform the booked service (name, contacts, any specific needs) and act as autonomous controllers of the processing for the provision of the service.
  • Judicial authorities, supervisory authorities (Italian Garante, AGCM, AGCOM) and other public authorities, upon reasoned request or by legal obligation.
  • Professional advisers (lawyers, accountants) bound by professional secrecy, to the extent necessary to fulfil legal obligations or defend rights.

10. Transfers of data outside the EEA

Some of the providers listed above are based or operate in the United States (Stripe Inc., Google LLC, Apple Inc.). Transfers of personal data to these destinations take place in compliance with Chapter V of the GDPR and in particular:

  • on the basis of the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) for certified providers;
  • as an alternative, on the basis of the Standard Contractual Clauses adopted by the European Commission with Decision 2021/914/EU, supplemented by additional technical and organisational measures where necessary (Transfer Impact Assessment).

The data subject can obtain a copy of the safeguards adopted by writing to info@portasicilia.com.

11. Your rights

The data subject has the right, under Articles 15-22 GDPR, to:

  • obtain confirmation of the existence of processing of their personal data and access it (Art. 15 GDPR);
  • obtain rectification of inaccurate data or completion of incomplete data (Art. 16 GDPR);
  • obtain the erasure of the data ("right to be forgotten") in the cases provided for (Art. 17 GDPR);
  • obtain restriction of processing (Art. 18 GDPR);
  • receive the data in a structured, commonly used and machine-readable format and transmit it to another controller (Art. 20 GDPR);
  • object to processing based on legitimate interest or for direct marketing purposes (Art. 21 GDPR);
  • withdraw at any time consent previously given, without prejudice to the lawfulness of consent-based processing carried out before the withdrawal (Art. 7(3) GDPR);
  • not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects (Art. 22 GDPR).

12. How to exercise rights

The data subject may exercise their rights by writing to info@portasicilia.com, attaching a copy of an identity document where necessary for verification. Porta Sicilia will respond within 30 days of receipt of the request, extendable by 60 days in case of complexity, with reasoned communication to the data subject. The exercise of rights is free of charge, except in case of manifestly unfounded or excessive requests (Article 12(5) GDPR).

13. Complaint to the supervisory authority

The data subject has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Rome — https://www.garanteprivacy.it) or with the supervisory authority of their Member State of habitual residence or of the place of the alleged infringement (Article 77 GDPR).

14. Cookies

The use of cookies and similar technologies is governed by the Cookie Policy, which forms an integral part of this Notice. Consent is collected through the Consent Management Platform of Usercentrics GmbH and may be modified at any time from the "Cookie settings" panel available in the site footer.

15. Marketing and commercial communications

Newsletter subscription is based on the data subject’s free, specific, informed and revocable consent, collected at the time of subscription. Every email includes a direct link to unsubscribe. In the case of prior purchases of services/products, Porta Sicilia may send communications relating to similar offers (soft-spam, Article 130(4) of the Italian Privacy Code), with the right to free objection at any time.

16. Profiling and automated decision-making

Porta Sicilia does not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect the data subject (Article 22 GDPR). Listing ranking algorithms are used in search results, described in the Partner Terms under Article 5 of the P2B Regulation (EU 2019/1150): such algorithms do not produce significant effects on end users and do not constitute profiling under Article 22 GDPR.

17. Security

Porta Sicilia adopts technical and organisational measures appropriate to the risk, including: encryption of data in transit (HTTPS/TLS) and at rest for sensitive data, password hashing with strong algorithms, role-based access controls, principle of least privilege, access and security-event logging, environment segregation, periodic audits, encrypted backups, staff training and vulnerability management. Despite the adoption of such measures, no system can guarantee absolute security; in case of a breach, Porta Sicilia will notify the Garante within 72 hours (Article 33 GDPR) and the data subjects in the cases provided for by Article 34 GDPR.

18. Data relating to minors

The Platform is not addressed to minors under 18; registration and purchases are reserved to adults. For the processing of data of minors between 14 and 18 years of age in the context of bookings made by a parent, authorisation by the holder of parental responsibility is required. Processing of data of minors under 14 requires the consent of the holder of parental responsibility pursuant to Article 2-quinquies of the Italian Privacy Code. Where Porta Sicilia becomes aware of processing of minors’ data in the absence of such authorisation, it will proceed to delete it.

19. Changes to this Notice

This Notice may be updated at any time to adapt it to regulatory changes, new processing methods or service developments. The updated version will be published on this page with indication of the last revision date. Material changes will be communicated to data subjects via email or a notice on the Platform.

20. Contact

For any question, request or clarification regarding the processing of personal data, the data subject may write to info@portasicilia.com or send ordinary mail to: Sicily Good di Salvatore Guarneri, Cortile Gonzales 7, 90025 Lercara Friddi (PA), Italy.