Privacy Policy

The data controller for personal data collected through the website apiediperilmondo.com and in the context of the travel services offered is:

For any matter relating to the processing of personal data, including requests to exercise your rights, you may write to the email address indicated above. We undertake to respond within 30 days of receipt of the request (art. 12 GDPR).

We process the following categories of personal data, each for specific and distinct purposes:

We do not process special categories of data within the meaning of art. 9 GDPR (health, biometric, data relating to health, sexual orientation, etc.), unless the user spontaneously communicates them in the context of travel planning (e.g. specific dietary requirements, physical conditions relevant to the route). In such cases, processing takes place exclusively on the basis of explicit consent.

Each processing activity is based on one of the following legal bases provided by art. 6 GDPR:

• Performance of a contract (art. 6.1.b): where processing is necessary to provide the requested travel service or to fulfil pre-contractual obligations (e.g. responding to a quote request).
• Consent (art. 6.1.a): for sending the newsletter, for activating analytical and marketing cookies, and for profiling. Consent may be withdrawn at any time without prejudice to processing already carried out.
• Legal obligation (art. 6.1.c): where processing is necessary to fulfil fiscal, accounting or regulatory obligations.
• Legitimate interest (art. 6.1.f): for site security, fraud prevention and for direct marketing purposes towards existing customers (within the limits of recital 47 GDPR).

Data is retained for the period strictly necessary for the purposes for which it was collected, in compliance with the principle of storage limitation (art. 5.1.e GDPR):

• Navigation data: deleted or anonymised within 90 days of collection.
• Contact requests without contract: retained for 12 months from the request, unless necessary for legal defence.
• Contractual data (customers): retained for 10 years from the end of the relationship, in accordance with Italian and Spanish fiscal and accounting obligations (art. 2220 c.c., Ley General Tributaria).
• Newsletter data: retained until consent is withdrawn or the subscription is cancelled. Deletion is immediate.
• Marketing data (cookies): according to the duration indicated in the Cookie Policy.

Personal data is not sold or transferred to third parties for their own purposes. It may be communicated exclusively to the following parties, to the extent strictly necessary:

• Tourist service providers: accommodation facilities, transport companies, local guides, for the purpose of providing the purchased trip;
• Data processors (art. 28 GDPR): software and cloud service providers (Google Workspace, Pipedrive, MailerLite) who process data on our behalf, on the basis of specific processing agreements;
• Accounting and legal professionals: for the fiscal and accounting management of the company, within the limits of legal obligations;
• Public authorities: upon reasoned request, within the limits permitted by law.

The updated list of data processors is available upon written request to info@apiediperilmondo.com.

Some tools we use (Google, Meta, MailerLite) involve the transfer of data to third countries, in particular the United States. Such transfers take place in compliance with the safeguards provided by arts. 44–49 GDPR:

• Standard Contractual Clauses (SCC) adopted by the European Commission by decision of 4 June 2021;
• EU–US Data Privacy Framework (adequacy decision of July 2023), for certified providers.

You can verify the certification status of individual providers on the official EU–US DPF register. Regarding bookings of facilities or services in non-EU countries (Japan, Morocco, etc.), the transfer is necessary for the performance of the contract (art. 49.1.b GDPR).

With your consent, we use the following tools for digital marketing activities and campaign measurement. All the processing described is activated exclusively after collecting consent via the cookie banner.

Meta Pixel (Facebook/Instagram)
Collects data on interactions with the site to optimise ads on Facebook and Instagram and for remarketing activities. Data is pseudonymised and does not allow direct identification. Meta privacy policy: facebook.com/privacy/policy.

LinkedIn Insight Tag
Records conversions generated by LinkedIn campaigns and enables the creation of custom audiences. LinkedIn privacy policy: linkedin.com/legal/privacy-policy.

TikTok Pixel
Measures the effectiveness of advertising campaigns on the TikTok social network. Browsing data is not linked to the user's identity. TikTok privacy policy: tiktok.com/legal/privacy-policy.

Google Ads and Google Analytics 4
We use Google Analytics with anonymised IP for aggregate traffic analysis, and Google Ads for acquisition and remarketing campaigns. Google privacy policy: policies.google.com/privacy.

If you choose to subscribe to our newsletter, we collect your name and email address. We use this data to send you editorial content (blog articles, guides, destination updates) and information about our travel services.

The legal basis is explicit consent (art. 6.1.a GDPR), expressed via double confirmation (double opt-in). You may unsubscribe at any time by clicking the unsubscribe link in every email: cancellation is immediate and results in the deletion of your data from the email marketing system.

The email marketing tool used is MailerLite (MailerLite UAB, Vilnius, Lithuania, EU). Data is protected by encryption and accessible only to authorised personnel. Privacy policy: mailerlite.com/legal/privacy-policy.

We adopt technical and organisational measures appropriate to the risk, pursuant to art. 32 GDPR, to protect personal data from unauthorised access, loss, destruction or accidental disclosure. In particular:

• Data transmission exclusively via HTTPS/TLS protocol;
• Access to management tools protected by two-factor authentication (2FA);
• Data stored on systems with encryption at rest;
• Access to data restricted to strictly authorised personnel, bound by confidentiality obligations;
• Periodic review of security measures and service providers.

In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, we will notify the supervisory authority within 72 hours of becoming aware of the event (art. 33 GDPR) and, if necessary, communicate the incident to the data subjects involved (art. 34 GDPR).

Our services are not intended for persons under the age of 16. We do not knowingly collect personal data from minors. If a parent or guardian discovers that a minor has provided personal data without their consent, they are requested to contact us immediately: we will proceed with the immediate deletion of the data.

In the case of bookings for trips that include minors, their data is processed exclusively for the purpose of performing the contract and at the initiative of the parent or legal guardian who signed the travel contract.

As a data subject, you may exercise the following rights provided by arts. 15–22 GDPR at any time, by writing to info@apiediperilmondo.com:

We respond to all requests within 30 days, extendable by a further 60 days in the case of complex requests, with communication of the reasons for the delay.

Competent supervisory authorities:

• Italy: Garante per la protezione dei dati personali
• Spain: Agencia Española de Protección de Datos

This notice may be updated to reflect regulatory changes, changes in the corporate structure or variations in the tools used. In the event of substantial updates, we will provide notice via a prominent banner on the homepage or by email to newsletter subscribers.

The updated version takes effect from the date of publication. We invite you to check this page regularly. The current version is 3.0 of March 2026, which supersedes all previous versions (including those in the name of Get Walks Travel SLU).

To exercise your rights, request information on data processing or report any issues, you can contact us through the following channels:

We will respond within 30 days of receipt, as required by art. 12 GDPR.