Privacy Policy

Last updated: 6/1/2026. Your privacy is important to us.

EFFECTIVE: 22 MAY 2026 · GET YOUR ROMAN TOURS S.R.L.S · WWW.GETROMANTOURS.COM

Your privacy is a core responsibility for us. This Privacy Policy explains how Get Your Roman Tours S.R.L.S collects, uses, stores, and protects your personal data in full compliance with Regulation (EU) 2016/679 (GDPR) and the Italian Personal Data Protection Code (Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018).

1. Data Controller

The data controller responsible for your personal data is:

Get Your Roman Tours S.R.L.S
Registered Address: Via Tre Novembre 40, Mentana (RM), CAP 00013, Italy
Company Licence / VAT: IT18457421008
PEC (Certified Email): getyourromantourssrls@pec.it
General Contact: info@getromantours.com
Privacy Enquiries: privacy@getromantours.com
Data Protection Officer (DPO): dpo@getromantours.com

2. Data We Collect

2.1 Information You Provide

We collect personal data that you voluntarily provide when you:

  • Register an account: full name, email address, password (stored as a secure hash), phone number, nationality, date of birth, and billing address.
  • Make a booking: participant names, contact details, dietary requirements, accessibility needs, age of participants (particularly relevant for age-restricted Experiences), and emergency contact information.
  • Submit a review or photo: your display name, rating, written review, and any media you upload.
  • Contact customer support: the content of your enquiry, complaint, or communication and your correspondence history with us.
  • Register as a Supplier or Affiliate: business name, company registration number, VAT/tax identification number, bank account details, and authorised contact persons.
  • Subscribe to marketing communications: email address and communication preferences.
  • Participate in surveys, competitions, or promotions: responses, contact details, and prize-related information.

2.2 Automatically Collected Information

When you use the Platform, we automatically collect:

  • Device and technical data: device type, operating system, browser type and version, screen resolution, unique device identifiers, and IP address.
  • Log data: pages visited, timestamps, referring URLs, links clicked, search terms used, error logs, and session duration.
  • Location data: approximate geographic location inferred from your IP address. Precise GPS location is only collected with your explicit permission.
  • Usage and behavioural data: Experiences viewed and bookmarked, categories browsed, booking history, search filters applied, and interaction patterns.
  • Cookies and tracking technologies: see Section 9 (Cookie Policy) for full details.

2.3 Information from Third Parties

  • Social login providers (e.g., Google, Facebook, Apple): name, email address, and profile photo, where you choose to use social sign-in.
  • Payment processors (e.g., Stripe, Adyen, PayPal): transaction reference numbers, partial payment card data, and payment status. We never store full card numbers.
  • Fraud prevention and identity verification partners: identity verification outcomes and risk scores.
  • Analytics and marketing platforms: aggregated and pseudonymised behavioural insights.

We process your personal data on the following legal grounds under Article 6 GDPR:

  • Contractual Necessity (Art. 6(1)(b)): to process bookings, manage your account, handle payments, deliver customer service, and fulfil our obligations to you.
  • Legitimate Interests (Art. 6(1)(f)): to prevent fraud, maintain Platform security, improve our services, send transactional service communications, and conduct product analytics.
  • Consent (Art. 6(1)(a)): to send marketing newsletters and promotional emails, to place non-essential cookies, and to process precise location data. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
  • Legal Obligation (Art. 6(1)(c)): to comply with Italian and EU law, including tax, accounting, anti-money laundering (AML), and counter-terrorism financing (CTF) obligations.
  • Vital Interests (Art. 6(1)(d)): in genuine emergency situations where processing is necessary to protect a person's life.

4. How We Use Your Data

  • Account management: creating and maintaining your account, verifying your identity, and communicating account-related information.
  • Booking fulfilment: processing and confirming bookings, transmitting relevant booking details to Suppliers, issuing vouchers and receipts.
  • Payment processing: handling transactions, detecting and preventing fraudulent activity, and processing refunds.
  • Customer support: responding to questions, resolving disputes, and mediating between Customers and Suppliers.
  • Platform improvement: analysing usage patterns, conducting A/B testing, debugging, and developing new features.
  • Personalisation: tailoring search results, Experience recommendations, and content based on your stated preferences and browsing history.
  • Marketing communications: sending newsletters, promotional offers, and personalised recommendations where you have consented or we have a legitimate interest under the soft opt-in provisions of applicable law.
  • Legal compliance and safety: meeting our legal obligations, responding to regulatory enquiries, protecting the rights and safety of our users, Suppliers, and third parties.

5. Sharing Your Data

We do not sell your personal data to third parties. We share data only in the following circumstances:

5.1 With Suppliers

When you book an Experience, we share your name, contact details, booking details, number of participants, and any special requirements with the relevant Supplier to enable them to deliver the Experience. Suppliers are contractually required to process this data solely for the purpose of delivering your booking and in compliance with applicable data protection law.

5.2 With Payment Processors

We share your payment information with our authorised payment processors who handle transactions on our behalf. These processors are independently PCI-DSS certified and are bound by their own privacy policies and data processing agreements.

5.3 With Service Providers

We engage vetted third-party service providers for cloud hosting, email delivery, analytics, fraud detection, customer relationship management, and translation services. All providers act as data processors under signed data processing agreements and are prohibited from using your data for any purpose beyond those specified.

We may disclose your data to Italian or EU courts, law enforcement authorities, tax authorities (including the Agenzia delle Entrate), and other governmental or regulatory bodies where required by law or necessary to protect our legal rights.

5.5 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity, subject to equivalent data protection commitments.

6. International Data Transfers

Our Platform is headquartered in Italy and all core data processing occurs within the European Economic Area (EEA). Where we engage service providers outside the EEA, we ensure that transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other mechanisms permitted under Chapter V of the GDPR.

7. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this Policy or as required by law:

  • Account data: retained for the duration of your account and for 7 years following account closure to satisfy Italian statutory accounting and tax obligations.
  • Booking data: retained for 10 years from the date of booking in compliance with Italian civil and fiscal law.
  • Customer support communications: retained for 3 years from the date of the last interaction.
  • Marketing preferences and consent records: retained for the duration of your subscription and for 3 years thereafter as evidence of consent.
  • Technical and server logs: retained for a maximum of 12 months.

After the applicable retention period, data is securely deleted or irreversibly anonymised.

8. Your Rights

As a data subject under the GDPR, you have the following rights, exercisable free of charge:

  • Right of Access (Art. 15 GDPR): to request confirmation of whether we process your data and to receive a copy.
  • Right to Rectification (Art. 16 GDPR): to have inaccurate or incomplete data corrected.
  • Right to Erasure (Art. 17 GDPR): to request deletion of your data in specified circumstances (e.g., where it is no longer necessary for the purpose for which it was collected).
  • Right to Restriction of Processing (Art. 18 GDPR): to request that we limit processing while a complaint or dispute is resolved.
  • Right to Data Portability (Art. 20 GDPR): to receive your data in a structured, machine-readable format and to transmit it to another controller.
  • Right to Object (Art. 21 GDPR): to object to processing based on legitimate interests or carried out for direct marketing purposes.
  • Rights Regarding Automated Decision-Making (Art. 22 GDPR): to not be subject to decisions made solely by automated means that produce significant legal or similarly consequential effects.
  • Right to Withdraw Consent: to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise your rights, please contact our DPO at dpo@getromantours.com. We will respond within 30 days of receipt of your request (extendable by a further 60 days for complex cases). You also have the right to lodge a complaint with the Italian Supervisory Authority, the Garante per la protezione dei dati personali, at www.garanteprivacy.it, or with the supervisory authority in your EU member state of residence.

9. Cookie Policy

9.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our Platform. They help us to provide a functional, personalised, and secure user experience.

9.2 Categories of Cookies

  • Strictly Necessary Cookies: Essential for the Platform to function correctly (e.g., session management, security tokens). These cannot be disabled.
  • Performance and Analytics Cookies: Help us understand how users interact with the Platform (e.g., pages most visited, error rates). We use tools such as Google Analytics in anonymised/pseudonymised mode.
  • Functionality Cookies: Remember your preferences such as language, currency, and login status.
  • Targeting and Advertising Cookies: Allow us and our advertising partners to deliver relevant content and advertisements based on your browsing behaviour, where you have consented.

You can manage or withdraw your consent to non-essential cookies at any time via our Cookie Preference Centre, accessible at the bottom of every page. You may also configure your browser to block or delete cookies; however, disabling certain cookies may impair Platform functionality.

10. Data Security

We apply rigorous technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or disclosure:

  • All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
  • Data at rest is encrypted using AES-256 encryption.
  • Our infrastructure is hosted in EU-based, ISO 27001-certified data centres.
  • Access to personal data is restricted to authorised personnel on a strict need-to-know basis, enforced through role-based access controls.
  • We conduct regular security testing, including vulnerability assessments and penetration tests.
  • Our team receives ongoing training on data protection obligations and information security best practices.

Despite these measures, no internet transmission or electronic storage system is perfectly secure. In the event of a personal data breach posing a high risk to your rights and freedoms, we will notify you and the Garante without undue delay, and no later than 72 hours after discovery, as required by Article 33 GDPR.

11. Children's Privacy

The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at privacy@getromantours.com. Upon verification, we will promptly delete the relevant data.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in legal requirements, our data practices, or Platform features. We will notify you of material changes by posting the revised Policy on the Platform with an updated effective date and, for registered users, by email notification. We encourage you to review this Policy periodically. The current version is always accessible at www.getromantours.com/privacy-policy.