1. Data Controller
The data controller responsible for your personal data is:
Chianti Vintage Expeditions srlVia San Cresci 31/32
50022 Greve in Chianti (FI), Italy
VAT: 07474620486
Director: Alberto Troise
Email: info@chiantiexpeditions.com
Tel: +39 055 473 403
2. Data We Collect
We collect the following categories of personal data:
- Contact enquiries: name, email address, phone number, message content.
- Bookings: name, email, phone, address, payment information, tour preferences, dietary requirements.
- Usage and analytics data: pages visited, time on site, browser type, device type, approximate location (country/region), referral source — collected via Google Analytics only if you have given cookie consent. IP addresses are anonymised before storage and are never retained in full.
Dietary requirements are a special category of data and are collected solely for the purpose of arranging appropriate catering during your tour.
3. How We Use Your Data
We process your personal data only for the following specific purposes and on the legal bases indicated. Where processing is based on consent, you may withdraw that consent at any time.
| Purpose | Legal Basis (GDPR Article) |
|---|---|
| Responding to enquiries submitted via the contact form | Legitimate interest — Art. 6(1)(f) |
| Processing and managing tour bookings | Contract performance — Art. 6(1)(b) |
| Processing payments via Stripe | Contract performance & legal obligation — Art. 6(1)(b)(c) |
| Marketing and newsletter communications | Consent — Art. 6(1)(a) — opt-in only; may be withdrawn at any time |
| Website analytics via Google Analytics 4 | Consent — Art. 6(1)(a) — analytics cookies are activated only after you accept via the cookie banner. No data is collected if consent is declined or not given. |
| Legal, tax and accounting compliance | Legal obligation — Art. 6(1)(c) — Italian Civil Code Art. 2220 |
4. Data Retention
- Contact form data: 12 months from the date of enquiry.
- Booking data: 10 years, as required by Italian tax law (Art. 2220 Civil Code).
- Google Analytics data: 14 months in Google Analytics, as configured in our GA4 property settings. Raw event data is automatically deleted after this period. Aggregated, non-identifiable reports may be retained indefinitely.
- Marketing data: Until you withdraw consent.
5. Data Sharing
We may share your data with the following categories of recipients, all acting as Data Processors under a written agreement in compliance with Art. 28 GDPR:
- Stripe Inc. — payment processing. Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy.
- Acuity Scheduling (Squarespace Inc.) — booking and availability management. Squarespace Privacy Policy.
- Google LLC — website analytics via Google Analytics 4, only if you have given cookie consent. Google acts as a data processor under a Data Processing Amendment accepted by us. Google Privacy Policy.
- Web3Forms — contact form processing and message delivery. Web3Forms Privacy Policy.
- Tour partners — wineries and restaurants — strictly limited to information necessary to deliver your booked experience (e.g. dietary requirements, group size).
- Public authorities — only when required by applicable law.
We do not sell, rent, or trade your personal data to any third party.
6. International Data Transfers
Some of our data processors are based outside the European Economic Area (EEA), including in the United States. We ensure that all transfers are protected by appropriate safeguards:
- Google LLC — Google is certified under the EU-US Data Privacy Framework (adopted by the European Commission on 10 July 2023), which provides an adequacy decision for transfers to certified US organisations. Google also offers Standard Contractual Clauses (SCCs) as an additional safeguard. You can verify Google's certification at dataprivacyframework.gov.
- Stripe Inc. — certified under the EU-US Data Privacy Framework and uses SCCs for EEA data transfers.
- Squarespace Inc. (Acuity) — uses SCCs approved by the European Commission for transfers to the US.
A copy of the applicable safeguards can be requested by writing to info@chiantiexpeditions.com.
7. Google Analytics 4
We use Google Analytics 4 (GA4), a web analytics service provided by Google LLC ("Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses cookies to collect anonymised information about how visitors use this website. This service is activated only after you have given explicit cookie consent via the banner displayed on your first visit.
What Google Analytics collects
- Pages visited and navigation paths
- Time spent on pages and on the site
- Browser type, operating system, device category
- Approximate geographic location (country and region — derived from IP, which is then discarded)
- Traffic source (how you arrived at the site)
IP anonymisation: We have configured GA4 with IP anonymisation enabled. Google does not log or store full IP addresses — the last octet is masked before any data is stored.
Data Processing Agreement: We have accepted Google's Data Processing Amendment, under which Google acts as a data processor on our behalf, processing data only according to our instructions.
Google Analytics cookies set
| Cookie name | Purpose | Expiry |
|---|---|---|
_ga |
Distinguishes unique users by assigning a randomly generated number as a client identifier | 2 years |
_ga_<container-id> |
Maintains session state and counts page visits for the specific GA4 property | 2 years |
These cookies are only placed after you accept analytics cookies via the consent banner.
How to opt out
- Decline at any time: clear your browser cookies and select "Decline" when the cookie banner reappears on your next visit.
- Browser opt-out: install the Google Analytics Opt-out Browser Add-on.
- Google's privacy controls: manage your data at myaccount.google.com/data-and-privacy.
For more information on how Google processes data, see the Google Privacy Policy and Google Analytics data safeguarding information.
8. Cookies — Full List
The following cookies may be placed on your device when you visit this website:
| Cookie | Type | Purpose | Expiry | Consent required? |
|---|---|---|---|---|
cve_cookie_consent |
Strictly necessary | Stores your cookie consent preference so the banner is not shown on every visit | 1 year | No |
_ga |
Analytics | Google Analytics — identifies unique visitors | 2 years | Yes |
_ga_<id> |
Analytics | Google Analytics — maintains session state | 2 years | Yes |
We do not currently use marketing or advertising cookies. If this changes, this policy will be updated and your consent re-requested.
You may withdraw cookie consent at any time: clear your browser cookies and select "Decline" when the consent banner next appears.
9. Your Rights
Under GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") where no legal obligation requires us to retain it.
- Restriction of processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time, without affecting the lawfulness of prior processing.
- Not be subject to solely automated decision-making.
To exercise any of these rights, contact us at info@chiantiexpeditions.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Italian Data Protection Authority:
Garante per la Protezione dei Dati Personali — www.garanteprivacy.it
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. Payment transactions are processed via Stripe, which is PCI DSS compliant.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email (if you have an active booking) or by a prominent notice on this page. The effective date at the top of this page reflects the date of the most recent revision.