Privacy Policy

The data controller for your personal data is Attractions4Us LLC, operating the website Rome Vatican Tours at romevaticantours.com (“we,” “us,” or “our”).

• Registered Office: Rome, Italy
• Email: reservations@romevaticantours.com

This Privacy Policy is issued pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), the Italian Privacy Code (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018), and Directive 2002/58/EC (ePrivacy Directive) as implemented in Italian law. It applies to all users of this website, regardless of location.

a) Data You Provide Directly

When you make a booking, submit an enquiry, subscribe to our newsletter, or contact us, we may collect: your full name, email address, telephone number, billing and postal address, payment details (processed by PCI-DSS compliant providers—we do not store full card numbers), travel dates, participant details, and any special requests or dietary/accessibility requirements you provide.

b) Data Collected Automatically

When you visit our website, we automatically collect: your IP address, browser type and version, device type, operating system, referring/exit URLs, pages visited, timestamps, and session duration. This data is collected through cookies, server log files, and similar technologies (see Section 7 below).

c) Booking Transaction Data

When you complete a booking we collect: tour/experience selection, date and time, number of participants, pricing category, booking confirmation ID, and transaction amount.

We process your personal data on the following legal bases:

• Contract Performance (Art. 6(1)(b)): Processing necessary to fulfill your booking, provide customer support, send booking confirmations and travel documents, and manage cancellations or modifications.
• Consent (Art. 6(1)(a)): Where you have given explicit, freely given, and informed consent—specifically for: marketing communications, promotional newsletters, personalised offers, and non-essential analytics/profiling cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Legitimate Interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, including website security, fraud prevention, internal analytics for service improvement, and defence of legal claims. Our legitimate interests do not override your fundamental rights and freedoms.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable tax, accounting, anti-fraud, and regulatory obligations under Italian and EU law.

• Process and fulfill tour bookings and reservations
• Send booking confirmations, updates, tickets, and customer service communications
• Process payments securely through PCI-DSS compliant payment partners
• Direct marketing (with consent): Send promotional offers, newsletters, travel inspiration, exclusive deals, and personalised recommendations by email. You may opt out at any time via the unsubscribe link in every marketing email or by contacting us directly.
• Improve our website, services, and user experience through aggregated analytics
• Comply with legal, tax, and regulatory obligations
• Detect and prevent fraud and unauthorised transactions
• Respond to your enquiries, complaints, and support requests

In accordance with GDPR Art. 7 and the Italian implementation of the ePrivacy Directive, we will only send you marketing communications where you have provided prior explicit consent, for example by ticking a consent checkbox during booking or subscribing to our newsletter.

Your consent is freely given, specific, informed, and unambiguous. We maintain a clear record of when and how consent was obtained. Marketing consent is entirely optional and is never a precondition for completing a booking.

What you may receive:

• Exclusive tour deals, seasonal offers, and early-access promotions
• Travel inspiration content: destination guides, planning tips, and curated itineraries
• Personalised recommendations based on past bookings or browsing interests
• Survey invitations and feedback requests to improve our services

Your right to withdraw:

You may withdraw your marketing consent at any time, free of charge, by clicking the “Unsubscribe” link in any marketing email, by emailing reservations@romevaticantours.com with the subject “Unsubscribe,” or by contacting us through any channel listed in Section 15. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Soft opt-in (Italian D.Lgs. 196/2003, Art. 130(4)): Where you have previously purchased a tour or service from us, we may send communications about similar products or services unless you have objected. You may opt out of such communications at any time.

We share your data with the following categories of processors, each bound by data processing agreements in compliance with GDPR Art. 28:

• Bokun (Tripadvisor): Booking and reservation management platform. Processes booking details to confirm and manage tour reservations.
• Payment Processors: PCI-DSS Level 1 certified payment service providers handle payment card transactions. We never store your full card number on our servers.
• Tour Operators: Local operators who deliver the booked experience receive necessary participant details (names, dates, headcount, special requirements).
• Analytics (Google Analytics 4 / Google Tag Manager): Website traffic and usage analytics, with IP anonymisation enabled. Data is processed in accordance with Google’s EU data processing terms.
• Hosting (Amazon Web Services): Website infrastructure and server-side processing. Data may be stored in AWS regions in the United States (see Section 9 on international transfers).
• Email Service Provider: Marketing email delivery platform, used only for communications you have consented to receive.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

In accordance with the ePrivacy Directive (2002/58/EC) and Italian Data Protection Authority (Garante) guidelines on cookies, we use the following:

• Strictly Necessary Cookies: Essential for website functionality, secure checkout, and session management. These do not require consent under the ePrivacy Directive.
• Analytics Cookies: Google Analytics cookies to measure website traffic and usage patterns. Installed only with your prior consent.
• Preference Cookies: Store your language, currency, and display preferences. Installed only with your prior consent.
• Marketing Cookies: Used to deliver relevant advertisements and measure campaign effectiveness. Installed only with your prior consent.

On your first visit, a cookie consent banner allows you to accept or refuse non-essential cookies. You may change your cookie preferences at any time through the cookie settings link in the website footer, or by adjusting your browser settings. Refusing non-essential cookies does not affect core website functionality.

We retain personal data only for as long as necessary for the purposes specified:

• Booking records: 10 years from the date of the transaction, as required by Italian tax and civil law (Art. 2220 Italian Civil Code; D.P.R. 600/1973).
• Marketing consent records: Retained for the duration of the consent, plus 2 years after withdrawal, to demonstrate compliance with GDPR Art. 7(1).
• Website analytics data: 26 months (Google Analytics default retention period).
• Customer support correspondence: 3 years from the last communication.

After the applicable retention period, personal data is securely deleted or irreversibly anonymised.

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our hosting infrastructure (AWS) and certain service providers are located.

Such transfers are protected by appropriate safeguards in accordance with GDPR Chapter V, including:

• EU–US Data Privacy Framework: Where the recipient is certified under the EU–US Data Privacy Framework (adequacy decision of 10 July 2023).
• Standard Contractual Clauses (SCCs): Commission-approved standard contractual clauses (Commission Implementing Decision (EU) 2021/914) are in place with all non-EEA processors.

You may request a copy of the applicable transfer safeguards by contacting us at reservations@romevaticantours.com.

We implement appropriate technical and organisational measures pursuant to GDPR Art. 32, including:

• TLS/SSL encryption for all data in transit between your browser and our servers
• Encryption at rest for sensitive stored data
• Regular vulnerability assessments and security monitoring
• Role-based access controls limiting employee access to personal data
• Incident response procedures for potential data breaches

In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (GDPR Art. 33) and, where the risk is high, inform affected individuals without undue delay (GDPR Art. 34).

Under the GDPR (Articles 15–22) and the Italian Privacy Code, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Obtain confirmation of whether your data is being processed and receive a copy of it.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
• Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object (Art. 21): Object to processing based on legitimate interest, including profiling. You have an absolute right to object to direct marketing at any time.
• Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time, without affecting the lawfulness of prior processing.
• Right Not to Be Subject to Automated Decisions (Art. 22): We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.

How to exercise your rights:

Submit your request by emailing reservations@romevaticantours.com with the subject line “Data Rights Request.” We will respond within 30 days (extendable by 60 days for complex requests, with prior notice). We may verify your identity before processing the request. Exercising your rights is free of charge.

For California Residents (CCPA/CPRA)

California residents have the right to know what personal information is collected, request deletion, correct inaccuracies, and opt out of the sale or sharing of personal information. We do not sell or share personal information. To exercise CCPA rights, contact us using the details above.

If you believe your data protection rights have been infringed, you have the right to lodge a complaint with a supervisory authority. The competent authority for Italy is:

• Garante per la protezione dei dati personali
• Piazza Venezia 11, 00187 Roma, Italy
• Website: www.garanteprivacy.it
• Email: garante@gpdp.it

You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work, if different from Italy.

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take steps to delete that data promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be communicated by posting the updated policy on this page with a revised “Last updated” date. Where changes are significant (e.g., new processing purposes or legal bases), we will provide prominent notice and, where required by law, seek your renewed consent.

For any questions about this Privacy Policy, to exercise your data protection rights, or to withdraw marketing consent, please contact us:

• Data Controller: Attractions4Us LLC
• Email: reservations@romevaticantours.com
• Address: Rome, Italy