Cookie Policy

Version 1.0 — In force from 26/04/2026

RECITALS

This Cookie Policy (the "Cookie Policy" or the "Notice") describes the types of cookies and other tracking tools used by Inmedia S.r.l. ("Stravagando" or the "Platform"), controller of the digital platform Stravagando accessible at the main address stravagando.com and related subdomains, on the mobile app for iOS and Android (the "App"), as well as on transactional and marketing email channels using analogous technologies (jointly, the "Tracking Tools").

The use of Tracking Tools by Stravagando takes place in compliance with:

• (a) Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data (the "GDPR");

• (b) the italian Legislative Decree of 30 June 2003 no. 196 ("italian Privacy Code"), as amended by italian Legislative Decree of 10 August 2018 no. 101;

• (c) Directive 2002/58/EC of the European Parliament and the Council (ePrivacy Directive), as amended by Directive 2009/136/EC;

• (d) the Guidelines of the italian Data Protection Authority (the "Garante"), in particular the Provision of 10 June 2021 "Guidelines on cookies and other tracking tools" (Reg. provv. no. 231/2021);

• (e) the European Data Protection Board (EDPB) Guidelines 03/2022 on dark patterns and the opinions of the European Data Protection Board;

• (f) for residents in the United States of America, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and other applicable U.S. state laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA).

This Cookie Policy supplements — and does not replace — the Privacy Notice of the Platform, to which reference is made for all information concerning the processing of personal data carried out by Stravagando that falls outside the use of Tracking Tools. In case of discrepancy, the provisions of the Privacy Notice prevail with respect to general principles of processing, legal basis and Data Subject's rights.

ART. 1 — DEFINITIONS

For the purposes of this Cookie Policy, the following terms have the meaning set out below.

1.1 "Cookies": small text files that the websites visited by the User or the applications used send to and store on the User's device (computer, tablet, smartphone, smart-TV or other connected device), to be retransmitted to the same sites or applications on the next visit. Cookies are used to perform IT authentications, session monitoring, storage of information on User preferences, tracking of browsing behaviors, profiling and other purposes described in this Notice.

1.2 "Tracking Tools": any technology — different from or in addition to Cookies — that allows tracking of the User, accessing information stored on the User's device or storing information on the device itself, including by way of example: unique identifiers, web beacons, pixel tags, clear GIFs, embedded scripts, e-tags, device fingerprinting, Software Development Kits (SDKs) integrated in the Apps, Local Storage and Session Storage of the browser, IndexedDB, Cache API, mobile advertising identifiers (Google Advertiser ID for Android devices, Identifier for Advertisers — IDFA — for iOS devices), email tracking pixels.

1.3 "First-Party Cookies": Cookies and Tracking Tools installed and managed directly by Stravagando for purposes connected to the operation of the Platform and the services offered.

1.4 "Third-Party Cookies": Cookies and Tracking Tools installed and managed by parties other than Stravagando (the "Third Parties"), acting as autonomous controllers of processing or as processors pursuant to art. 28 GDPR depending on the specific contractual relationship and the purposes pursued.

1.5 "Session Cookies": temporary Cookies stored only for the duration of the browsing session and automatically deleted when the browser is closed.

1.6 "Persistent Cookies": Cookies stored on the User's device for a predetermined period (expressed in days, months or years) and retransmitted on the next visit, until expiration or manual deletion by the User.

1.7 "Strictly Necessary Tracking Tools": Cookies and Tracking Tools whose installation does not require the User's prior consent insofar as they are strictly necessary to provide a service explicitly requested by the User or to enable the transmission of a communication on an electronic network (so-called strictly necessary cookies), as well as Cookies of a technical nature used exclusively to obtain aggregated statistical information, where the requirements of paragraph 4.2 of the Garante Provision of 10 June 2021 apply (anonymization, no cross-referencing with other sources, documented opt-out from the third-party provider).

1.8 "Functional Tracking Tools": Cookies and Tracking Tools used to remember the User's choices and preferences in order to improve the browsing experience and provide advanced functionality that is not strictly indispensable. For Functional Tracking Tools, prior consent is required, unless they qualify as Strictly Necessary Tracking Tools pursuant to the previous point.

1.9 "Analytics Tracking Tools": Cookies and Tracking Tools used to collect aggregated or disaggregated information about the number of visitors and the methods of using the Platform, in order to analyze usage statistics, measure performance and improve services.

1.10 "Marketing and Profiling Tracking Tools": Cookies and Tracking Tools used to attribute User's actions to interest profiles, for promotional, advertising, retargeting purposes and for personalization of commercial content offered.

1.11 "Attribution Cookies": a subset of Marketing Tracking Tools used to track the origin of incoming traffic on the Platform and the attribution of conversions to specific campaigns, including the attribution of Qualifying Actions of the Stravagando Referral Program to the relevant Referrers under the last-click attribution model on a 90-day window.

1.12 "Preferences Panel" or "Cookie Manager": the technical interface made available by Stravagando on the Platform — accessible via the first-visit banner and via the persistent link "Your cookie choices" or "Cookie and marketing preferences" displayed in the footer and in other accessible positions — through which the User may give, modify or withdraw consent to the installation of non-technical Tracking Tools, on a granular basis by category.

1.13 "User": the subject to whom this Cookie Policy refers, who accesses and/or uses the Platform as an unregistered visitor, Guest/Customer, Host or Referrer, according to the definitions contained in the relevant applicable Terms and Conditions.

1.14 "Data Subject": the identified or identifiable natural person to whom the personal data processed refer pursuant to art. 4(1) GDPR.

1.15 "Usage Data": personal data collected automatically by the Platform or the Tracking Tools and the third-party services used, including — by way of example — the IP addresses or domain names of the devices used by the Users, the URI/URL addresses of the requested resources, the time of requests, the method used to submit the request to the server, the size of the file received in response, the numerical code indicating the response status, the country of origin, the characteristics of the browser and operating system used, the various time-related details of the visit (e.g. the time spent on each page), details of the path followed and other parameters relating to the User's operating system or IT environment.

1.16 "Garante": the italian Data Protection Authority, italian supervisory authority pursuant to the GDPR, with offices in Rome, Piazza Venezia no. 11.

ART. 2 — DATA CONTROLLER AND ROLES

2.A — Data Controller

2.1 Controller. The Controller of the personal data collected through First-Party Tracking Tools is Inmedia S.r.l., with registered office at Via L'Aquila, 22, italian Tax Code and VAT number 02017520681, contactable at the addresses {company_email} and {company_pec}.

2.2 Data Protection Officer (DPO). Where appointed, the Data Protection Officer is contactable at the address support@stravagando.com. The appointment of the DPO is published, where applicable, in the Privacy Notice of the Platform.

2.B — Role of Stravagando and Third Parties

2.3 First-Party Cookies. For First-Party Tracking Tools Stravagando acts as autonomous Controller of processing.

2.4 Third-Party Cookies. For Third-Party Tracking Tools, each Third Party acts, depending on the case:

• (a) as autonomous Controller of processing, where the Third Party autonomously determines the purposes and means of processing (typical case for advertising, retargeting providers, single sign-on identity providers, payment processors benefiting from their own regulatory framework);

• (b) as Processor pursuant to art. 28 GDPR, where the Third Party processes data on documented instructions of Stravagando (typical case for cloud hosting providers, analytics configured in anonymized mode and customer support services).

The analytical list of Third Parties used by Stravagando, with indication of the relevant role, purpose, legal basis and privacy policy, is reported in Art. 5 of this Notice and updated periodically within the Preferences Panel.

ART. 3 — CATEGORIES OF TRACKING TOOLS USED

Stravagando uses the Tracking Tools classified in the four categories described below, compliant with the classification of the Garante Provision of 10 June 2021 and the Cookie consent framework of the European Data Protection Board.

3.A — Strictly Necessary Tracking Tools

3.1 Definition. These are Tracking Tools whose installation does not require the User's prior consent insofar as they are strictly necessary to provide a service explicitly requested by the User, to enable the transmission of a communication, to ensure the security of the Platform or to comply with regulatory obligations.

3.2 Purposes.

• (a) Operation of the website and the App: management of browsing sessions, recognition of the User within the same session, maintenance of authentication state (login), persistence of the booking cart, checkout management;

• (b) Security and fraud prevention: identification of intrusion attempts, brute force, credential stuffing, automated bots, device fingerprinting for anti-fraud purposes integrated with Stripe Connect systems;

• (c) Storage of accessibility settings chosen by the User (font size, contrast, interface language), where configurable without profiling;

• (d) Load balancing and optimization of server performance (load balancing);

• (e) Storage of the User's choices regarding consent to Cookies (so-called consent log), to fulfill the obligation to document the giving of consent pursuant to art. 7 GDPR and the Garante Provision of 10 June 2021;

• (f) Performance of regulatory obligations, including the retention of transaction logs for tax and anti-money laundering purposes (italian Legislative Decree 231/2007) and DAC7 audit logs (italian Legislative Decree 32/2023).

3.3 Legal basis. The use of Strictly Necessary Tracking Tools is based on art. 122(1), first sentence, of the italian Privacy Code, on art. 6(1)(b) GDPR (performance of a contract to which the Data Subject is a party or performance of pre-contractual measures at the Data Subject's request), on art. 6(1)(c) GDPR (compliance with legal obligations) and on art. 6(1)(f) GDPR (legitimate interest of the Controller in security, fraud prevention and functionality of the Platform), depending on the specific purpose.

3.4 Consent. For Strictly Necessary Tracking Tools, the User's prior consent is not required. The deactivation of such Tools through the browser settings may result in the total or partial inability to use the Platform and to enjoy the services.

3.B — Functional Tracking Tools

3.5 Definition. These are Tracking Tools used to remember the User's choices and preferences in order to improve the browsing experience and provide advanced functionality that is not strictly indispensable.

3.6 Purposes.

• (a) storage of the language selected on the interface (where distinct from the browser language);

• (b) storage of the currency selected for displaying prices;

• (c) storage of the destination city or selected search filters to consistently populate subsequent visits;

• (d) storage of wishlists and Experiences marked as favorites for unauthenticated Users;

• (e) integration with video players (e.g. YouTube, Vimeo) and maps (e.g. Google Maps) embedded on Experience detail pages, where the Third Party requires Tracking Tools for the operation of the player/map;

• (f) real-time chat with customer service (where activated by a third-party provider), for the maintenance of conversation history and the identification of the User within the chat session;

• (g) single sign-on through Google, Apple, Facebook accounts, where the User chooses such authentication method.

3.7 Legal basis. The use of Functional Tracking Tools is based on art. 6(1)(a) GDPR — prior consent of the User given freely, specifically, in an informed manner and unambiguously through the Preferences Panel.

3.C — Analytics Tracking Tools

3.8 Definition. These are Tracking Tools used to collect information on the number of visitors and the methods of using the Platform.

3.9 Distinction between aggregated and disaggregated analytics.

• (a) Aggregated analytics assimilable to technical: Tracking Tools used exclusively to obtain aggregated statistical information, where the conditions of paragraph 4.2 of the Garante Provision of 10 June 2021 cumulatively apply: (i) anonymization of the IP address by masking of at least the fourth portion (e.g. 192.168.1.XXX); (ii) absence of cross-referencing of data with other First or Third Party sources; (iii) absence of transfer to Third Parties for autonomous purposes of the provider; (iv) configuration of the provider in mode that does not allow reconciliation with other identities (e.g. disabling signal sharing with advertising services of the same provider). For such analytics prior consent is not required, but the Notice remains published.

• (b) Disaggregated or non-technical analytics: Tracking Tools that do not fully comply with the conditions of point (a) above (e.g. individual cross-page path tracking, session replay, identifying heatmaps, personalized funnel analysis). For such analytics prior consent is required.

3.10 Purposes. Measurement of traffic and performance of the Platform; analysis of browsing behavior on pages, sections and features; identification of errors and technical problems; optimization of the conversion funnel; A/B testing of interfaces; production of statistical reports for internal use.

3.11 Legal basis.

• (a) For aggregated analytics assimilable to technical: art. 122(1) italian Privacy Code and art. 6(1)(f) GDPR (legitimate interest of the Controller in improving the Platform).

• (b) For disaggregated analytics: art. 6(1)(a) GDPR — prior consent of the User.

3.D — Marketing and Profiling Tracking Tools

3.12 Definition. These are Tracking Tools used for profiling activities, targeted advertising and personalization of commercial content offered to the User on the Platform and on third-party sites, apps and social networks.

3.13 Purposes.

• (a) Profiling of the User's browsing behavior in order to propose commercial content consistent with their interests (e.g. categories of Experiences viewed, destination cities, price ranges);

• (b) Remarketing and retargeting towards Users who have visited the Platform without completing a booking, through advertising campaigns on third-party sites, apps and social networks (Google Display, Meta, TikTok, X);

• (c) Lookalike audience: creation of audiences similar to those of Stravagando Users to extend the reach of advertising campaigns, by sending hashed or pseudonymized identifiers to Third Parties;

• (d) Conversion measurement generated by advertising campaigns (conversion tracking) and attribution of incoming traffic;

• (e) Attribution Cookies of the Referral Program: tracking of the origin of traffic generated by Referrers through Referral Links and attribution of Qualifying Actions on a 90-day moving window under the last-click attribution model, for the purposes described in the Terms and Conditions of the Referral Program;

• (f) Personalization of transactional and marketing emails (newsletter, Experience suggestions, post-booking communications) through tracking pixels and unique identifiers, where the User has given consent to receiving marketing communications;

• (g) Affiliation: tracking of traffic originating from publishers adhering to Stravagando affiliation programs.

3.14 Legal basis. The use of Marketing and Profiling Tracking Tools is based on art. 6(1)(a) GDPR — prior consent of the User given freely, specifically, in an informed manner and unambiguously through the Preferences Panel, on a granular basis by category and — where required — by individual Third Party.

3.15 Automated profiling. Save as specifically indicated for individual Third Parties, the use of Marketing and Profiling Tracking Tools does not entail fully automated decision-making processes that produce legal effects on the User or significantly affect them pursuant to art. 22 GDPR. Any relevant decisions — such as account suspension or the outcome of anti-fraud checks — are subject to human review under the terms described in the General Terms and Conditions and the applicable Host/Referrer Terms.

ART. 4 — GIVING, MODIFICATION AND WITHDRAWAL OF CONSENT

4.A — First-visit banner

4.1 Banner characteristics. Upon access to the Platform by a User who has not yet expressed their preferences, or pursuant to paragraph 4.4, a short information banner is displayed (the "Cookie Banner") which sets out:

• (a) the indication of the presence of Tracking Tools and their purposes;

• (b) the reference to this Cookie Policy;

• (c) the three choice commands, equivalent in size, position, background color and contrast: "Accept all", "Reject all" and "Customize".

In compliance with the Garante Provision of 10 June 2021 and the EDPB Guidelines 03/2022 on dark patterns, the "Reject all" command has equal prominence and immediacy compared to the "Accept all" command. Closing the banner through the "X" close button alone does not constitute the giving of consent: in such case only Strictly Necessary Tracking Tools will be used and the banner will be re-presented on subsequent visits under paragraph 4.4 below.

4.2 Granularity. By clicking "Customize", the User accesses the Preferences Panel and may give consent on a granular basis for each of the categories referred to in Art. 3, and possibly by individual Third Party where the Platform offers such level of granularity.

4.B — Preferences Panel

4.3 Permanent access. The Preferences Panel is accessible at any time through:

• (a) the link "Your cookie choices" or "Cookie and marketing preferences" displayed in the footer of all pages of the Platform;

• (b) the "Privacy" section of the registered User's Panel;

• (c) the settings of the mobile App;

• (d) direct link included in every marketing email;

• (e) direct request to Customer Service via email at support@stravagando.com.

The choices made by the User are stored in a consent log kept by Stravagando for ten years for evidentiary and accountability purposes pursuant to art. 5(2) GDPR.

4.C — Re-presentation of the banner and duration of choice

4.4 Re-presentation. The banner is re-presented to the User:

• (a) after six months from the last expression of preferences, unless the User has expressly accepted all Tracking Tools and the purposes have not subsequently been modified;

• (b) on the occasion of significant changes to the processing purposes, to the list of Third Parties or to the categories of Tracking Tools used;

• (c) where the User accesses from a different device or browser or deletes the technical consent log Cookies;

• (d) at the natural expiry of the technical consent log Cookie.

4.D — Withdrawal

4.5 Withdrawal as easy as giving. The User may withdraw the consent given at any time, easily and with the same ease with which they gave it, through the Preferences Panel. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.

4.6 Effects of withdrawal. Following withdrawal, the Tracking Tools for which consent has been withdrawn will no longer be used for new processing operations. Data already collected remains subject to processing until the achievement of the purposes for which it was lawfully collected, according to the retention periods set out in Art. 7 below. The User may request the deletion of past data through the exercise of GDPR rights pursuant to Art. 8 of this Notice.

4.E — Cross-device and cross-platform

4.7 Synchronization of preferences. The preferences expressed by the registered User are — where technically possible and where the User accesses their account — synchronized across all devices and all platforms (website, iOS App, Android App, email) on which they use Stravagando services, by associating the preferences with their unique account identifier.

4.8 Unregistered Users. For unregistered Users, preferences are stored locally on the specific device/browser used and are not synchronized between different devices. The User who accesses from a different device will find the first-visit banner.

ART. 5 — LIST OF TRACKING TOOLS AND THIRD PARTIES

5.A — Disclaimer and link to the Panel

5.1 List dynamically updated. The analytical and updated list of Tracking Tools used, including name, purpose, legal basis, duration, third-party provider, country of processing, link to the third-party provider's privacy policy and opt-out mechanism, is available and updated in real time within the Preferences Panel. This Art. 5 provides a descriptive overview by category of the Third Parties used at the time of the last revision of this Notice, without claim to be exhaustive with respect to the version of the Preferences Panel, which is authoritative.

5.B — Strictly Necessary Tracking Tools (First-Party)

5.2 Session and authentication functionality.

• Session Cookies managed by Stravagando's application infrastructure for authentication and persistence of the browsing session.

• Duration: session-based (deleted on browser closure) or persistent up to 30 days in "Stay logged in" mode.

• Legal basis: art. 6(1)(b) GDPR.

5.3 Anti-fraud and security functionality.

• Cookies and fingerprinting for device identification, velocity check and risk analysis during booking and payment, integrated with Stripe's anti-fraud systems.

• Duration: variable, from session to 24 months for pseudonymized risk identifiers.

• Legal basis: art. 6(1)(f) GDPR (legitimate interest in fraud prevention).

5.4 Consent log.

• Technical Cookie for the storage of the User's choices on Cookies.

• Duration: 6 months.

• Legal basis: art. 6(1)(c) and (f) GDPR (compliance with legal obligations under art. 7(1) GDPR and Garante Provision of 10 June 2021).

5.C — Payments and anti-fraud (Stripe)

5.5 Stripe Payments Europe Ltd.

• Service: payment processing, escrow, Connect and anti-fraud (Radar).

• Tracking Tools: First-Party and Third-Party technical Cookies, device fingerprinting, unique payment session identifiers.

• Category: Strictly Necessary Tracking Tools (essential for payment execution and fraud prevention).

• Place of processing: Ireland (seat of the European controller) and United States (parent company Stripe Inc.). For extra-EEA transfers, Stripe has adopted the Standard Contractual Clauses approved by the EU Commission pursuant to art. 46(2)(c) GDPR.

• Privacy policy: https://stripe.com/en/privacy

• Legal basis: art. 6(1)(b) GDPR.

5.D — Aggregated analytics assimilable to technical

5.6 Internal and/or Third-Party analytics tools configured in anonymized mode.

• Stravagando uses, where technically possible, analytics tools configured in compliance with the four conditions of paragraph 4.2 of the Garante Provision of 10 June 2021.

• Typical providers (under evaluation and indicated by way of example, subject to confirmation in the Preferences Panel): Google Analytics 4 with IP anonymization and disabling of signal sharing, Plausible Analytics, Matomo self-hosted, Cloudflare Web Analytics.

• Category: Aggregated Analytics Tracking Tools assimilable to technical (consent not required, where fully compliant).

5.E — Functional Tracking Tools (Third Parties)

5.7 Maps.

• Google Maps, provided by Google Ireland Limited.

• Place of processing: Ireland. Privacy policy: https://policies.google.com/privacy

• Legal basis: art. 6(1)(a) GDPR — consent.

5.8 Video players.

• YouTube, provided by Google Ireland Limited; Vimeo, provided by Vimeo, Inc.

• Place of processing: Ireland; United States (with SCC).

• Legal basis: art. 6(1)(a) GDPR — consent.

5.9 Chat and customer support.

• Indicated by way of example, subject to confirmation in the Preferences Panel: Intercom, Zendesk, Freshdesk, HubSpot.

• Category: Functional Tracking Tools (consent required if not strictly necessary for the provision of the service requested by the User at the time of opening the chat).

5.10 Single sign-on (SSO).

• Sign in with Google, Sign in with Apple, Login with Facebook (where integrated as alternative authentication options).

• Category: Functional Tracking Tools; the authentication flow is activated by the User who chooses such method.

5.F — Disaggregated Analytics Tracking Tools

5.11 Advanced analytics.

• Any tools for session replay, heatmap, personalized funnel analysis, identifying A/B testing (e.g. Hotjar, Microsoft Clarity, Smartlook, Optimizely).

• Category: Disaggregated Analytics Tracking Tools (consent required).

• The activation of such tools is subject to the User's prior consent in the Preferences Panel and — where used — is documented in real time in the same Panel.

5.G — Marketing and Profiling Tracking Tools

5.12 Google advertising.

• Google Ads, Google Display Network, Google DV360, Doubleclick / Floodlight, provided by Google Ireland Limited.

• Place of processing: Ireland; United States (with SCC).

• Privacy policy: https://policies.google.com/privacy ; additional opt-out: https://adssettings.google.com

• Legal basis: art. 6(1)(a) GDPR — consent.

5.13 Meta advertising.

• Meta Pixel, Meta Conversion API, Meta Custom Audiences, Meta Lookalike, provided by Meta Platforms Ireland Limited.

• Place of processing: Ireland; United States (with SCC).

• Privacy policy: https://www.facebook.com/policy.php

• Legal basis: art. 6(1)(a) GDPR — consent.

5.14 TikTok advertising.

• TikTok Pixel, TikTok Conversion API, TikTok Custom Audiences, provided by TikTok Information Technologies UK Limited / TikTok Technology Limited.

• Place of processing: United Kingdom, Ireland; extra-EEA transfers subject to SCC.

• Privacy policy: https://www.tiktok.com/legal/privacy-policy-eea

• Legal basis: art. 6(1)(a) GDPR — consent.

5.15 Microsoft / LinkedIn advertising.

• Microsoft Advertising (Bing Ads) UET; LinkedIn Insight Tag, provided by Microsoft Ireland Operations Limited and LinkedIn Ireland Unlimited Company.

• Privacy policy: https://privacy.microsoft.com ; https://www.linkedin.com/legal/privacy-policy

• Legal basis: art. 6(1)(a) GDPR — consent.

5.16 Pinterest, X, Reddit, Snapchat advertising, etc.

• Advertising tools on other social platforms, activated for specific Stravagando campaigns.

• All subject to the same consent regime and documented in the Preferences Panel.

5.17 Dynamic retargeting.

• Criteo Dynamic Retargeting, RTB House, and other programmatic advertising networks.

• Category: Marketing and Profiling Tracking Tools (consent required).

5.18 Affiliation and conversion tracking.

• Affiliation networks for the promotion of Stravagando by third-party publishers, with conversion tracking through Cookies and/or postback.

• Category: Marketing Tracking Tools (consent required if not attributable to the First-Party Attribution Cookie mechanism of the Referral Program).

5.19 Attribution Cookies of the Referral Program.

• First-Party Cookies of Stravagando (alternatively, Third-Party Cookies where the Platform uses an affiliation technology provider).

• Purpose: tracking the origin of new Users who register through a Referral Link of a Referrer adhering to the Stravagando Referral Program, under the last-click attribution model on a moving window of 90 days.

• Duration: 90 days (extendable through reinstallation upon subsequent qualifying click).

• Category: Marketing Tracking Tools (consent required). In the absence of consent, attribution may take place exclusively through direct entry of the Referral Code by the Referred at the time of registration, in accordance with art. 6 of the Terms and Conditions of the Referral Program.

5.H — Email marketing

5.20 Email tracking pixels.

• Transactional and marketing emails sent by Stravagando contain open tracking pixels and link tracking for measuring open rates, click-through and conversion.

• Providers indicated by way of example: SendGrid, Mailgun, Postmark, Brevo (Sendinblue), Klaviyo, HubSpot.

• Category: for transactional emails, legal basis art. 6(1)(b) GDPR (performance of the contract). For marketing emails, legal basis art. 6(1)(a) GDPR — consent, withdrawable at any time through the opt-out link present in every email.

ART. 6 — EXTRA-EEA TRANSFERS

6.1 Principle. Some of the Tracking Tools used involve the transfer of personal data outside the European Economic Area (EEA), in particular to the United States of America, the United Kingdom and other third countries.

6.2 Safeguards adopted. For extra-EEA transfers, Stravagando relies on the following protection instruments pursuant to Chapter V GDPR:

• (a) Adequacy decisions of the EU Commission pursuant to art. 45 GDPR, where applicable (e.g. United Kingdom, Switzerland, Israel, partial Canada, Andorra, Argentina, Japan, New Zealand, Republic of Korea, Uruguay);

• (b) EU-US Data Privacy Framework: for transfers to the United States, where the third-party provider is certified under the framework approved by the EU Commission with Adequacy Decision of 10 July 2023;

• (c) Standard Contractual Clauses (SCC) approved by the EU Commission with Implementing Decision 2021/914, pursuant to art. 46(2)(c) GDPR, supplemented by appropriate technical and organizational supplementary measures where necessary on the basis of the Transfer Impact Assessment conducted by Stravagando;

• (d) Binding Corporate Rules approved pursuant to art. 47 GDPR, where applicable to the third-party provider;

• (e) Derogations pursuant to art. 49 GDPR, in specific and residual cases (e.g. explicit consent of the Data Subject, performance of a contract at the Data Subject's request, important reasons of public interest).

6.3 Transparency. For each Third-Party Tracking Tool, the Preferences Panel indicates the country of processing and — where extra-EEA — the protection mechanism adopted.

ART. 7 — DURATION AND RETENTION

7.1 Duration of Cookies. The duration of each Cookie and Tracking Tool is indicated in the Preferences Panel. By way of guidance:

• (a) Session Cookies: deleted on browser closure or after a predetermined inactivity period;

• (b) Functional persistent Cookies: variable duration from 7 days to 12 months;

• (c) Analytics Cookies: maximum duration of 14 months (Google Analytics 4 default) or 24 months;

• (d) Marketing Cookies: variable duration from 30 days to 24 months depending on the provider;

• (e) Attribution Cookies of the Referral Program: 90 days;

• (f) Consent log Cookies: 6 months.

7.2 Retention of collected data. Personal data collected through Tracking Tools is retained for the time strictly necessary for the pursuit of the purposes for which it was collected, according to the criteria indicated in the Privacy Notice of the Platform. In summary:

• (a) security and anti-fraud data: 24 months unless retention beyond such period is necessary for investigative needs;

• (b) analytics data: up to 26 months for Google Analytics 4 and similar (with automatic deletion of individual records and retention of aggregates only);

• (c) profiling and marketing data: up to 24 months from the last interaction, or until consent withdrawal if earlier;

• (d) referral attribution data: for the duration of the Referrer contractual relationship + 24 months (litigation management);

• (e) consent log: 10 years from collection of consent or from withdrawal, for evidentiary purposes.

ART. 8 — DATA SUBJECT'S RIGHTS

8.1 Recognized rights. The Data Subject may exercise at any time the following rights provided for in arts. 15-22 GDPR:

• (a) right of access to their personal data (art. 15) — to obtain confirmation of processing and a copy of the data processed;

• (b) right of rectification (art. 16) — to obtain the correction of inaccurate data or the integration of incomplete data;

• (c) right to erasure or "right to be forgotten" (art. 17) — to obtain the deletion of data in the cases provided for by the rule;

• (d) right to restriction of processing (art. 18);

• (e) right to data portability (art. 20) — to receive in a structured, commonly used and machine-readable format the data concerning them and to transmit it to another controller;

• (f) right to object to processing (art. 21), including the right to object at any time to the processing of their data for direct marketing purposes;

• (g) right not to be subject to fully automated decisions (art. 22), without prejudice to legal exceptions;

• (h) right to withdraw consent at any time (art. 7(3) GDPR), without prejudice to the lawfulness of processing based on consent prior to withdrawal;

• (i) right to lodge a complaint with the competent supervisory authority (art. 77), in particular with the italian Data Protection Authority (Garante) in the case of Italy, in accordance with the procedures published on the website www.garanteprivacy.it.

8.2 Methods of exercise. Rights may be exercised:

• (a) through the Preferences Panel of the Platform for the modification/withdrawal of consent to Cookies and to marketing purposes;

• (b) through the "Privacy" section of the registered User's Panel for requests of access, rectification, erasure, portability;

• (c) through written request sent to support@stravagando.com or to {company_pec} (for formal requests), accompanied by an identity document for the verification of the requester's identity;

• (d) through paper mail to the address of the Controller indicated in Art. 2.1.

8.3 Response times. Stravagando provides a response to requests for the exercise of rights within 30 days of receipt, extendable by a further 60 days in cases of particular complexity with prior communication to the Data Subject.

ART. 9 — BROWSER AND DEVICE SETTINGS

9.1 Control via browser. In addition to the mechanisms made available by Stravagando, the User may configure their browser to view, delete and block Cookies. Each browser has its own settings; updated operational instructions are available on the official pages of major browsers:

• (a) Google Chrome: https://support.google.com/chrome/answer/95647

• (b) Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

• (c) Apple Safari: https://support.apple.com/en-us/guide/safari/sfri11471/mac

• (d) Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge

• (e) Opera: https://help.opera.com/en/latest/web-preferences/

9.2 Limits of browser settings. Browser settings do not allow granular control by Cookie category equivalent to that available in the Platform's Preferences Panel. The total deactivation of Cookies via browser may result in the total or partial inability to use the Platform.

9.3 Mobile advertising identifiers. On mobile devices, the User may limit advertising tracking through the operating system settings:

• (a) iOS: "Settings > Privacy & Security > Tracking" and deactivation of consent to tracking for the Apps, with consequent transmission of an IDFA equal to a string of zeros by the Stravagando App;

• (b) Android: "Settings > Privacy > Ads" and activation of "Delete advertising ID" or "Disable ad personalization".

9.4 Do Not Track and Global Privacy Control signals. Stravagando recognizes the Global Privacy Control (GPC) signal as an automated expression of refusal to process personal data for marketing purposes for U.S. residents under CCPA/CPRA. The browser Do Not Track (DNT) signal is considered for EU Users as a further expression of preference, although its technical interpretation is not currently standardized.

ART. 10 — PROVISIONS FOR U.S. RESIDENTS

10.1 Regulatory framework. For residents in the United States of America, the following state laws apply on a supplementary basis, where applicable based on the User's State of residence: California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and subsequent state laws in force.

10.2 Rights of California residents. Residents in California are entitled, under CCPA/CPRA, to: right to know (to know the categories of data collected and shared), right to delete, right to correct, right to opt-out of sale and sharing, right to limit use of sensitive personal information, right to non-discrimination (non-discrimination in the exercise of rights), right to portability.

10.3 No sale/no share. Stravagando does not sell the Personal Information of U.S. residents to third parties for commercial purposes under CCPA/CPRA. The sharing of Personal Information with Third Parties for cross-context behavioral advertising purposes takes place exclusively on the basis of consent given by the User in the Preferences Panel and/or the GPC signal, and is subject to the opt-out right through the link "Do Not Sell or Share My Personal Information" / "Your Privacy Choices" published on the Platform.

10.4 Exercise of rights. U.S. residents may exercise their rights through the "Your Privacy Choices" portal of the Platform or through email to support@stravagando.com, with response within 45 days extendable to 90 in cases of particular complexity. For U.S. residents, the supervisory authority of the italian Garante does not apply; the competent bodies are the Office of the Attorney General of the State of residence and — for California residents — the California Privacy Protection Agency (CPPA).

ART. 11 — MINORS

11.1 Minimum age. The Platform is intended for adults. Stravagando does not knowingly collect personal data of minors under the age of 14 in Italy (threshold under art. 2-quinquies of the italian Privacy Code for consent to data processing in the context of information society services) nor, for Users resident in other EU Member States, of an age lower than the threshold established by local legislation. For U.S. residents, Stravagando does not knowingly collect personal data of minors under the age of 13, in compliance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506).

11.2 Method of requesting deletion. Should a parent or legal guardian believe that their minor child has provided personal data to Stravagando in violation of age limitations, they may request its deletion through email to support@stravagando.com, with consequent prompt removal of data and deletion of any accounts.

ART. 12 — AMENDMENTS TO THIS COOKIE POLICY

12.1 Updates. Stravagando reserves the right to amend this Cookie Policy at any time, in particular to reflect regulatory changes, technological developments, the introduction of new Tracking Tools or new Third Parties, the update of processing purposes.

12.2 Communication. Significant changes — such as the introduction of new categories of Tracking Tools, new purposes or new Third Parties — are communicated to the User through:

• (a) platform notice with a minimum 30 days' notice prior to effectiveness;

• (b) email to the registered address, where the User holds an account;

• (c) re-presentation of the banner of first visit for the new giving of consent, where required.

12.3 Previous versions. Previous versions of the Cookie Policy are archived and available upon request of the Data Subject for purposes of historical reconstruction of processing.

12.4 Current version. The current version of the Cookie Policy bears the date of entry into force at the top of the document and replaces every previous version.

ART. 13 — CONTACTS AND COMPLAINTS

13.1 Data Controller.

Trade name: Stravagando Legal name: Inmedia S.r.l. Registered office: Via L'Aquila, 22, 65122 Pescara (PE), Italy Tax Code / VAT: 02017520681 Privacy email: support@stravagando.com PEC: inmediasrl@pec.it

13.2 Data Protection Officer (DPO).

Email: support@stravagando.com

13.3 Complaint to the supervisory authority.

italian Data Protection Authority (Garante per la protezione dei dati personali) Piazza Venezia no. 11 — 00187 Rome (RM), Italy Website: https://www.garanteprivacy.it Email: protocollo@gpdp.it PEC: protocollo@pec.gpdp.it Complaint template available at: https://www.garanteprivacy.it/home/modulistica-e-servizi-online

For Users resident in other EU Member States, the possibility remains to lodge a complaint with the supervisory authority of the State of residence, of work or of the place of the alleged violation, pursuant to art. 77 GDPR.

Document approved and adopted by Inmedia S.r.l.

Version: 1.0 Date of entry into force: 26/04/2026 Reference document: Provision of the italian Data Protection Authority (Garante) of 10 June 2021 — Guidelines on cookies and other tracking tools (Reg. provv. no. 231/2021)