Privacy Policy
Version 1.0 — In force from 26/04/2026
PREAMBLE
This Privacy Policy (hereinafter the «Privacy Policy» or the «Policy») describes in a transparent manner the ways in which Inmedia S.r.l. (hereinafter «Stravagando» or the «Platform»), data controller and operator of the digital platform Stravagando accessible at the main address stravagando.com and related subdomains, on the mobile App for iOS and Android (hereinafter the «App») and on the related assistance, marketing and communication channels, collects, uses, retains, communicates and transfers the personal data of Data Subjects, in compliance with:
(a) Regulation (EU) 2016/679 of the European Parliament and of the Council, on the protection of natural persons with regard to the processing of personal data (hereinafter «GDPR»);
(b) the Italian Legislative Decree of 30 June 2003 No. 196 («Italian Privacy Code»), as amended by the Italian Legislative Decree of 10 August 2018 No. 101;
(c) the Guidelines of the Italian Data Protection Authority (hereinafter the «Garante») and the decisions of the European Data Protection Board (EDPB);
(d) Directive 2002/58/EC (ePrivacy Directive) as amended, for the profiles of direct marketing and Tracking Tools;
(e) for residents of the United States of America, the applicable state regulations including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA) and subsequent state regulations in force;
(f) for the processing of data presenting tax-related profiles or related to payment processing, the applicable sector regulations including the Italian Legislative Decree of 1 March 2023 No. 32 (DAC7), the Italian Legislative Decree of 21 November 2007 No. 231 (anti-money laundering), the Italian Presidential Decree 600/1973 (assessment of income taxes) and the Italian Presidential Decree 633/1972 (VAT);
(g) Regulation (EU) 2022/2065 (Digital Services Act, «DSA») and Regulation (EU) 2019/1150 (Platform-to-Business, «P2B») for the transparency profiles in digital services and in relations with business users;
(h) Regulation (EU) 2024/1689 (Artificial Intelligence Act, «AI Act») for the transparency profiles of artificial intelligence systems used for the automated moderation of content generated by Users and for the calculation of the Trust Score;
(i) Directive (EU) 2022/2555 (NIS2), for the profiles of information security.
This Privacy Policy constitutes the general policy pursuant to Articles 13 and 14 GDPR and is supplemented, for specific profiles, by the Cookie Policy of the Platform — to which reference is made for the detail of the Tracking Tools — by the General Terms and Conditions of Use (with particular reference to Sections 5, 6, 7, 8, 8-bis, 9, 11, 12, 12-bis, 16 and 16.1), by the Sales Terms and Conditions for the profiles relating to the marketplace of paid Experiences, by the Host Terms, by the Referral Program Terms, by the Technical Specifications of the Service for the operational parameters of processing, as well as by the specific privacy policies possibly provided at the time of collection of personal data for additional purposes (e.g. participation in contests, surveys, pilot programs, beta access).
In case of discrepancy between this Privacy Policy and other specific privacy policies provided to the Data Subject for individual processing operations, the provisions of the most recent specific policy shall prevail for the specific processing concerned; the provisions of this Policy continue to apply to everything not specifically regulated.
ART. 1 — DEFINITIONS
For the purposes of this Privacy Policy, the following terms have the meaning indicated below. The definitions are supplemented by those provided in the General Terms and Conditions, in the Sales Terms and Conditions, in the Host Terms, in the Referral Program Terms and in the Cookie Policy of the Platform.
1.1 «Personal Data»: any information relating to an identified or identifiable natural person, pursuant to art. 4, paragraph 1, no. 1) GDPR. It includes, by way of example: name, surname, address, date of birth, tax code, VAT number, email address, telephone number, IP address, unique identifiers, transaction data, content of communications, geographical coordinates, UGC Content.
1.2 «Processing»: any operation or set of operations, performed with or without the aid of automated processes, applied to Personal Data, pursuant to art. 4, paragraph 1, no. 2) GDPR. It includes collection, recording, organization, structuring, storage, adaptation, modification, retrieval, consultation, use, disclosure by transmission, dissemination, comparison, interconnection, restriction, erasure and destruction.
1.3 «Data Controller» or «Controller»: the natural or legal person who, alone or together with others, determines the purposes and means of the processing of Personal Data, pursuant to art. 4, paragraph 1, no. 7) GDPR. For the processing operations described in this Policy, the Data Controller is Inmedia S.r.l. unless otherwise indicated.
1.4 «Data Processor» or «Processor»: the natural or legal person who processes Personal Data on behalf of the Data Controller pursuant to art. 28 GDPR, on the basis of a contract or other binding legal act.
1.5 «Data Subject»: the identified or identifiable natural person to whom the Personal Data refer. For the purposes of this Policy, the Data Subject typically corresponds to the User of the Platform in one of the capacities defined below.
1.6 «User»: any subject who accesses or uses the Platform. The User may hold one or more of the following capacities, also cumulatively in the same period, pursuant to Section 3-bis of the General Terms and Conditions:
(a) Unregistered Visitor — anyone who accesses the Platform without having registered, including the recipients of the pre-registration assistance service («Guest Help», see Section 17-ter of the General Terms and Conditions);
(b) Social User — natural person registered on the Platform for non-transactional functionalities (Profile, Social/Community, Gamification, exploration of the Places catalogue, publication of UGC Content), pursuant to the General Terms and Conditions. It constitutes the base regime applicable to every registered User;
(c) Customer or Guest — the User who, in addition to the capacity of Social User, searches, books or enjoys the paid Experiences offered through the integrated marketplace, pursuant to the Sales Terms and Conditions;
(d) Host — the User, natural person or legal entity, who publishes and offers paid Experiences on the integrated marketplace, pursuant to the Host Terms;
(e) Referrer — the User who joins the Referral Program by promoting the Platform and receiving its benefits, pursuant to the Referral Program Terms.
The assumption of a special capacity (Customer, Host, Referrer) does not entail the loss of the base capacity of Social User, but entails the cumulative application of the processing operations envisaged for the additional purposes. This Policy describes the processing operations applicable to each capacity in the dedicated sections.
1.7 «Experience»: the paid experiential activity offered by the Host to Customers through the integrated marketplace of the Platform, according to the definitions of the Sales Terms and Conditions.
1.8 «Place» or «POI» (Point of Interest): single locality or geographical entity catalogued in the Places catalogue of the Platform (internal technical denomination: Atlas), identified by geographical coordinates, descriptive attributes (name, category, address) and thematic categorization. Places may include villages, paths, castles, restaurants, natural monuments and other points of interest, on which UGC Content may be applied, such as check-ins, reviews and posts published on the Wall of the Place.
1.9 «Check-in»: the geolocated registration carried out by the User in proximity to a Place present in the catalogue, validated server-side by calculating the distance from the coordinates of the POI. The check-in constitutes the main method of accruing XP in the Gamification System and may be associated with a UGC Tag pursuant to the following definition 1.13.
1.10 «User-Generated Content» or «UGC»: any content published by the User on the Platform, including, by way of example, photographs, reviews with score, narrative posts published on the Wall of a Place, proposals for new Places, suggestions for modifications to existing Places, comments, personal lists (Notebooks), tags, likes, check-ins and direct messages exchanged through the integrated messaging system.
1.11 «Wall»: the interface for displaying UGC Content on the Platform, in two forms:
(a) Personal Feed (route /{locale}/feed) — the personalized aggregate of Content relevant to the User, including Content that mentions the User through UGC Tags;
(b) Wall of a Place — the public space associated with each POI in which Users may publish narrative posts and other Content contextual to the Place.
1.12 «Gamification System»: the playful system of the Platform including XP (experience points), Levels, Achievements (internal technical denomination: Achievement), Streaks (consecutive series of activities), Level Perks (benefits associated with reaching Levels) and Year Review (periodic reporting of activity). The elements of the Gamification System are exclusively symbolic and playful in nature and do not constitute virtual currency nor goods convertible into money, pursuant to Section 9.1 of the General Terms and Conditions.
1.13 «UGC Tag»: the association, within a Content published by a User, of the reference to another registered User. The UGC Tag is applicable within the limits and according to the rules of Section 8-bis of the General Terms and Conditions and, for the specific case of companion tagging in check-ins, of Section 8.
1.14 «Trust Score»: the numerical technical indicator (between 0 and 100) calculated automatically on the basis of the technical consistency of a User's check-ins, described in Section 11 of the General Terms and Conditions. The Trust Score affects the attribution of XP for check-ins, the automatic approval of reviews and access to reserved functionalities.
1.15 «Automated Moderation»: the preventive analysis processing of UGC Content carried out through artificial intelligence systems of Third Parties, including, in particular, a language model for textual classification and an image analysis service, described in Section 12 of the General Terms and Conditions and in compliance with Regulation (EU) 2024/1689 (AI Act).
1.16 «Special Categories of Personal Data» or «Sensitive Data»: the Personal Data referred to in art. 9, paragraph 1 GDPR — i.e. those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation. The Platform does not normally require the provision of Sensitive Data from Users; if a User voluntarily provides Sensitive Data (e.g. by mentioning in communications with the Host a health condition relevant to the enjoyment of the Experience, or by publishing UGC Content that reveals them), their processing takes place on the basis of explicit consent pursuant to art. 9, paragraph 2, letter a) GDPR or, where applicable, on the basis of art. 9, paragraph 2, letter f) GDPR (exercise or defense of a right in court).
1.17 «Criminal Data»: the Personal Data relating to criminal convictions and offenses or related security measures pursuant to art. 10 GDPR. The Platform may process such data exclusively in the cases provided for by law, in particular in the implementation of anti-money laundering, anti-fraud and international sanctions measures.
1.18 «Tracking Tools»: cookies and other similar technologies for tracking the User, as defined in the Cookie Policy of the Platform to which full reference is made.
1.19 «Stripe Connect»: the payment infrastructure provided by Stripe Payments Europe Ltd, used by the Platform for the collection of Customers' payments, the execution of transfers to Hosts and Cashouts to Referrers.
1.20 «KYC» (Know Your Customer): the set of procedures for verifying the identity of Users, carried out directly by Stravagando or through specialized providers such as Stripe Identity, for purposes of security, anti-fraud, anti-money laundering and compliance with tax regulations.
1.21 «DAC7»: Directive (EU) 2021/514, transposed in Italy by Italian Legislative Decree of 1 March 2023 No. 32, which imposes on digital platform operators the collection, verification and communication to the Italian Revenue Agency of data relating to subjects who carry out «Relevant Activities» through the Platform.
1.22 «UIF»: the Financial Intelligence Unit established at the Bank of Italy pursuant to art. 6 of Italian Legislative Decree 231/2007, recipient of reports of suspicious transactions for anti-money laundering purposes.
1.23 «Garante»: the Italian Data Protection Authority, supervisory authority of Italy pursuant to GDPR, with registered office in Rome, Piazza Venezia No. 11.
1.24 «EEA»: the European Economic Area, comprising the Member States of the European Union, Iceland, Liechtenstein and Norway.
1.25 «Transfer Outside the EEA»: the transfer of Personal Data to recipients established in Countries that are not part of the European Economic Area, subject to the guarantees of Chapter V GDPR.
1.26 «Data Breach»: the security breach that accidentally or unlawfully results in the destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or processed, pursuant to art. 4, paragraph 1, no. 12) GDPR.
1.27 «DSA»: Regulation (EU) 2022/2065 (Digital Services Act), which regulates digital services in the European single market.
1.28 «AI Act»: Regulation (EU) 2024/1689, which establishes harmonized rules on artificial intelligence.
1.29 «P2B»: Regulation (EU) 2019/1150 (Platform-to-Business Regulation), which promotes fairness and transparency for business users of online intermediation services.
1.30 «Legal Hold»: the extension, in derogation from the ordinary retention terms, of the retention of Personal Data or specific Content for needs of law, of protection in court, of fulfilment of mandatory obligations or of investigation by competent Authorities, pursuant to art. 9-bis of this Policy and Section 16.1 of the General Terms and Conditions.
1.31 «DPO» (Data Protection Officer): the subject in charge of supervising compliance with GDPR pursuant to arts. 37-39 GDPR. The DPO, where appointed, may be contacted at the address legal@stravagando.com.
ART. 2 — DATA CONTROLLER AND DPO
2.A — Data Controller
2.1 Identification. The Data Controller of the Personal Data collected through the Platform is:
Inmedia S.r.l.
Registered office: Via L'Aquila, 22, 65122 Pescara (PE), Italy
Tax Code / VAT No.: 02017520681
General assistance email: support@stravagando.com
Email for personal data protection requests: legal@stravagando.com
Certified email (PEC): inmediasrl@pec.it
2.2 Commercial identity. The Platform is commercially known under the trademark «Stravagando» and its graphic variants, owned exclusively by Inmedia S.r.l.
2.B — Data Protection Officer (DPO)
2.3 DPO. Where appointment is mandatory pursuant to art. 37 GDPR or where Inmedia S.r.l. provides for it on a voluntary basis, the Data Protection Officer (DPO) may be contacted at the address:
legal@stravagando.com (with subject: «DPO»)
Inmedia S.r.l. reserves the right to establish in the future a dedicated email address (by way of example: dpo@stravagando.com), which will be communicated to Data Subjects through the update of this Policy pursuant to Art. 14. Requests addressed to the DPO are handled in accordance with the principle of confidentiality pursuant to art. 38, paragraph 5 GDPR.
2.C — EU Representative (for non-EEA subjects)
2.4 EU Representative. For Data Subjects resident in the European Economic Area, Inmedia S.r.l. is itself established in the European Union (Italy) and therefore does not require the appointment of an EU Representative pursuant to art. 27 GDPR.
2.D — Joint Controllers and Independent Controllers
2.5 Joint Controllers. For some specific processing operations, Inmedia S.r.l. may act as a Joint Controller together with other Controllers, pursuant to art. 26 GDPR. In such cases, the specific configuration of the respective obligations is the subject of a formal agreement between the Joint Controllers, the summary content of which is made available to Data Subjects on request at legal@stravagando.com. Typical Joint Controllership configurations include — by way of example — the use of Meta Business Tools (Facebook Pixel, Custom Audiences) for marketing purposes jointly between Inmedia S.r.l. and Meta Platforms Ireland Limited.
2.6 Independent Controllers. Numerous Third Parties that receive Personal Data in the context of the Platform act as independent Data Controllers for the purposes determined by them, in particular: (a) Stripe Payments Europe Ltd, for payments and financial services; (b) national and foreign judicial, tax, administrative and supervisory Authorities; (c) banking institutions for the execution of payments; (d) Hosts and Customers for communication and execution of the booked Experiences, each within the limits of their role; (e) other Users of the social community for the enjoyment of UGC Content published with public visibility or with visibility extended to the mutual-follow network. This Policy describes the processing carried out by Inmedia S.r.l. as Data Controller; for the processing carried out by Third Parties as independent Controllers, reference is made to their respective privacy policies.
ART. 3 — CATEGORIES OF PERSONAL DATA PROCESSED
Inmedia S.r.l. processes different categories of Personal Data depending on the relationship with the Data Subject and the functionalities of the Platform used. The categories listed below are detailed by type of User (Visitor, Social User, Customer, Host, Referrer); the processing of each category takes place for the purposes and on the legal bases described in the following Art. 4.
3.A — Registration and Profile Data
3.1 Unregistered Visitors. For Unregistered Visitors, Inmedia S.r.l. does not collect registration data. Usage Data described in subsequent paragraph 3.K are automatically collected. In the event that the Visitor contacts pre-registration assistance («Guest Help» pursuant to Section 17-ter of the General Terms and Conditions), the email address provided, the content of the request and the metadata of the temporary access token issued by the system are collected.
3.2 Social Users and registered Customers. For Users registered to non-transactional functionalities (social, gamification, exploration, UGC) — which constitute the base regime applicable to every registered User — and for Customers accessing the integrated marketplace, the following data are collected, upon account creation and subsequent updating:
(a) minimum identification data: name, surname;
(b) contact data: email address (verified through a confirmation message with verification link, according to the methods described in Section 4.1 of the General Terms and Conditions), mobile phone number where required for specific functionalities (with SMS OTP verification), postal address where provided for Experiences booked on the marketplace;
(c) access credentials: password (stored in hashed form with secure cryptographic algorithms such as bcrypt or Argon2; in no case stored in clear text), any two-factor authentication (2FA) tokens based on TOTP and recovery codes, any unique identifiers received from federated authentication providers (SSO Google, Meta/Facebook);
(d) date of birth, where the Platform provides for its collection in implementation of age verification obligations pursuant to art. 28 DSA or for purposes of participation in Experiences with age restrictions; failing this, the User confirms upon registration to have the minimum age of access provided for by Section 3 of the General Terms and Conditions (14 years for residents in Italy, in application of art. 8 GDPR and art. 2-quinquies of the Italian Privacy Code);
(e) preferences: interface language, currency, preferred destination cities, categories of Experiences of interest, marketing preferences, accessibility, time zone;
(f) public Profile data: username (automatically generated by the system upon registration on the basis of the data provided, in accordance with the provisions of Section 4 of the General Terms and Conditions; subsequent modification will possibly be made available as an evolving feature, see Section 29 of the General Terms and Conditions), profile picture (optional), short bio (optional);
(g) visibility and privacy settings of the Profile, autonomously managed by the Data Subject from the account privacy page (route account.privacy), as provided for by Section 5 of the General Terms and Conditions. The settings — independent from each other — include in particular:
(i) Profile visibility (profile_visibility, default: private);
(ii) Profile indexing in external search engines (allow_search_indexing, default: disabled; operates jointly with public Profile and reaching of a minimum activity threshold);
(iii) visibility in public leaderboards (show_in_leaderboards, default: enabled);
(iv) consent to UGC Tag (allow_ugc_tagging, default: enabled).
(h) IP address and browser user-agent, retained in sessions and main events (by way of example: login, check-in) for security, audit and verification of abuse purposes, pursuant to Section 4.4 of the General Terms and Conditions.
3.3 Hosts. For Hosts registered on the integrated marketplace, the following data are collected, in addition to those referred to in paragraph 3.2 where applicable:
(a) extended identification and tax data: name and surname or company name, business name, registered office, registration number with the Business Register, tax code, VAT number with indication of the tax regime (ordinary, simplified, flat-rate, special regime for farmstay or B&B), any REA code, indication of qualification as consumer or business;
(b) data of the beneficial owner pursuant to Italian Legislative Decree 231/2007 for legal entities;
(c) data of the legal representative: name, surname, tax code, position, valid identity document;
(d) banking data: IBAN for payments, account holder name, BIC/SWIFT for non-SEPA IBAN, any documents of account ownership;
(e) insurance data: professional liability or third-party liability policy (insurance company name, number, maximum limit, expiry date);
(f) compliance data: declarations self-certified pursuant to Italian Presidential Decree 445/2000, certificates of health/safety compliance where required for the category of Experience, any National Identification Code (CIN) for tourist facilities pursuant to Italian Law 191/2023;
(g) data relating to activity: types of Experiences offered, operational locations, availability calendars, textual and visual descriptions of the offer;
(h) data of the Experiences (limited to the part relating to the Host): description, price, duration, capacity, location, photographic/video material, reviews received.
3.4 Referrers. For Referrers registered to the Referral Program, the following data are collected, in addition to those referred to in paragraph 3.2 where applicable:
(a) extended identification and tax data: as for Hosts, distinguishing between occasional regime (natural person without VAT number) and professional regime (natural person with VAT number or legal entity);
(b) banking data: IBAN for Cashouts, BIC/SWIFT;
(c) promotional channel data: identification of the promotional channels used (website, social media, blog, newsletter, podcast), main URLs, indicative audience, description of promotional activity;
(d) Referral Code and Referral Link assigned to the Referrer;
(e) Referral performance data: number of Referees, number of Qualifying Actions, Compensation accrued, Cashouts executed.
3.B — Transaction and payment data
3.5 Transaction data. For each transactional operation carried out on the integrated marketplace of the Platform, the following data are collected:
(a) unique transaction identifier;
(b) amount, currency, date and time;
(c) identifier of the booked Experience, with detail of unit price, participants, options purchased;
(d) data of the Host receiving the payment;
(e) data of the Referrer possibly attributed to the conversion (for purposes of the 90-day last-click Attribution Cookie, according to the rules of the Referral Program Terms);
(f) transaction status: pending, succeeded, failed, refunded, disputed/chargeback;
(g) any refunds, chargebacks, escrow holds.
3.6 Payment data (managed by Stripe). The payment instrument data — card number, expiry, CVV, 3D Secure authentication, data of the device used for payment — are collected and processed exclusively by Stripe Payments Europe Ltd as an independent Data Controller. Inmedia S.r.l. does not have access to the complete payment card data; it receives from Stripe only:
(a) a tokenized identifier of the payment method (e.g. last 4 digits, card brand, expiry);
(b) the transaction status;
(c) any error codes or refusal reasons.
3.7 Stripe Radar risk score. For each transaction, Stripe Radar computes a pseudonymized anti-fraud risk score that is shared with Inmedia S.r.l. for authorisation decisions. The score incorporates device-fingerprinting, behavioural and historical elements, according to Stripe Radar policies.
3.C — Identity and KYC data
3.8 Identity documents. For Customers who request it in specific cases (e.g. Experiences with age restrictions or specific regulatory requirements) and — systematically — for Hosts and Referrers, the following data are collected, also through the Stripe Identity service:
(a) valid identity document (identity card, passport, driving license): front/back image, document number, issuing authority, date of issue and expiry;
(b) selfie or recognition video for life verification (liveness detection), where applicable;
(c) biometric data generated exclusively by the provider Stripe Identity for the match between document and selfie, as Data Processor of Stripe; such biometric data are not retained by Inmedia S.r.l. and are deleted by the provider according to its retention policies, in compliance with art. 9 GDPR;
(d) proof of residence for legal entities only or for reinforced KYC requests (utility bill, recent bank statement);
(e) chamber of commerce excerpt or equivalent document for legal entities.
3.D — Tax, anti-money laundering and DAC7 data
3.9 Tax data. For Hosts and Referrers, the tax data necessary for fulfilment of regulatory obligations are collected:
(a) tax code (Italian) or TIN (for foreign residents) for each State of tax residence;
(b) VAT number, VAT regime, VIES number for non-Italian EU subjects;
(c) foreign tax residence certificate for application of conventions against double taxation;
(d) Form W-8BEN or W-8BEN-E for US residents or US entities;
(e) Form W-9 with TIN for US residents, for purposes of backup withholding and Form 1099-NEC/1099-K;
(f) tax calculations and certifications produced by the system: withholding taxes, VAT, amounts subject to Form 1099, Italian Single Certifications.
3.10 DAC7 data. Inmedia S.r.l. collects and verifies the information required by Directive (EU) 2021/514 (DAC7) and Italian Legislative Decree 32/2023 for non-excluded Sellers:
(a) for natural persons: name, primary address, date and place of birth, tax code/TIN for each State of tax residence, VAT number, financial account identifier (IBAN);
(b) for legal entities: name, registered office, tax code/TIN for each State of tax residence, VAT number, Business Register number, beneficial owner, financial account identifier.
3.11 DAC7 audit log. To ensure the documentary compliance required by Italian Legislative Decree 32/2023, Inmedia S.r.l. maintains an audit log that records the verifications carried out, the inconsistencies detected, the corrections made and the automatic exchanges of data with the Italian Revenue Agency, retained for 10 years.
3.12 Anti-money laundering data. For the anti-money laundering purposes referred to in Italian Legislative Decree 231/2007 and Regulation (EU) 2024/1624, where applicable, data are collected relating to:
(a) origin of funds;
(b) purpose of the economic relationship;
(c) ownership structure of legal entities and identification of the beneficial owner;
(d) exposure to political risk (Politically Exposed Persons — PEP);
(e) presence in international sanctions lists (UN, EU, OFAC, HMT).
3.E — Geolocation data
3.13 Approximate geolocation. Approximate geolocation data (at the level of city or region) derived from the User's IP address are automatically collected, for purposes of content personalization, fraud prevention and anti-money laundering.
3.14 Precise geolocation. Precise geolocation data (GPS) are collected only with the User's explicit consent, in particular:
(a) when the User activates the «Find Experiences near me» function in the App or on the web;
(b) when the User performs a geolocated check-in at a Place (see Art. 3.E-bis);
(c) when the User grants system geolocation to the App.
Precise geolocation can be deactivated at any time from the device settings. Consent can be revoked without prejudice to the lawfulness of the processing based on consent before the revocation.
3.E-bis — Geolocated Check-in data
3.15 Check-in. Upon the User's check-in in proximity to a Place, the following data are collected:
(a) GPS geographical coordinates (latitude, longitude, any altitude) acquired from the User's device, with the precision allowed by the device operating system;
(b) timestamp of the check-in;
(c) identifier of the Place (POI) to which the check-in is associated;
(d) distance calculated from the POI for validation purposes (Haversine geodetic formula);
(e) visibility level chosen by the User for the individual check-in (Only me / Friends / Everyone), pursuant to Section 7.1 of the General Terms and Conditions;
(f) any UGC Tag associated (see Art. 3.K);
(g) technical indicators useful for the calculation of the Trust Score (see Art. 3.H).
3.16 Rounding and technical pseudonymization. The transmitted GPS coordinates are rounded in the system logs in order to limit the level of tracking, according to the precision indicated in the Technical Specifications of the Service. Such operation constitutes technical pseudonymization pursuant to art. 4, paragraph 1, no. 5) GDPR, and not definitive anonymization, since the traceability of the data to the Data Subject remains possible through combination with other account information.
3.17 Anti-spoofing. For purposes of verifying the authenticity of the check-in and preventing position simulations through GPS spoofing or similar techniques, behavioural and pattern indicators may be processed (by way of example: speed of movement between consecutive geographically distant check-ins, congruity with accelerometer data where available) that flow into the calculation of the Trust Score (see Art. 3.H and Art. 11).
3.F — Communication and support data
3.18 Communications with customer service. The contents of communications between the User and Stravagando's customer service are collected, through:
(a) email to support@stravagando.com or to specific addresses (e.g. legal@, dmca@);
(b) internal ticket system of the Platform;
(c) live chat (where activated by a third-party provider) — limited to the chat session;
(d) telephone communications — recorded only with specific consent of the User, with prior notice;
(e) any communications via certified email (PEC);
(f) Guest Help conversations for Unregistered Visitors, handled through a temporary access token issued at the email address provided, pursuant to Section 17-ter of the General Terms and Conditions.
3.19 Direct messaging between Users. The contents of communications between Users through the integrated messaging system of the Platform are collected, retained and — where necessary for purposes of security, anti-fraud, dispute management and compliance with DSA — automatically analysed, in particular:
(a) Host-Customer communications in relation to a booking on the marketplace;
(b) pre-purchase informational requests from potential Customers to Hosts;
(c) direct messages between registered Users within the social community, where such functionality is made available by the Platform.
Communications carried out outside the integrated messaging system (e.g. WhatsApp, direct email) are neither collected nor retained by Inmedia S.r.l. and fall outside the security and dispute management safeguards offered by the Platform; Users are encouraged to use exclusively the integrated messaging system.
3.20 Reviews and feedback. The contents of reviews and feedback released by Users on Experiences, Places of the catalogue, Hosts and — internally — Customers are collected. Published reviews are visible on the public profile of the Experience/Host/Place and, where indexable, indexed by search engines; the reviewer's username is publicly visible, while complete identification data are not. In compliance with Directive (EU) 2019/2161 (Omnibus), Inmedia S.r.l. adopts adequate measures to verify that published reviews come from Users who have actually used the Experience or frequented the Place, with related attestations in the Experience/Place profile.
3.G — UGC Content and community data
3.21 Content published by the User. All UGC Content published by the User on the Platform is collected and retained, according to the following main types:
(a) photographs uploaded as Profile image, as accompaniment to UGC Content or Experiences;
(b) narrative posts published on the Wall of a Place;
(c) comments on Content of other Users;
(d) likes and other reactions to Content of other Users;
(e) personal lists (Notebooks) with related Places/Experiences inserted;
(f) proposals for new Places to be added to the catalogue;
(g) suggestions for modification to existing Places.
3.22 Privacy-by-design treatment of photographs (EXIF strip). To protect the privacy of Users, in implementation of art. 25 GDPR (data protection by design and by default), Inmedia S.r.l. removes EXIF metadata from photographs uploaded by the User at the time of their server-side processing, through image re-encoding. In particular, the following are removed: geolocation data (GPS), shooting device model and serial number, original date and time, technical exposure parameters. Inmedia S.r.l. does not retain copies of the removed EXIF metadata: the operation is irreversible. The Data Subject who wishes to preserve the metadata of their own photograph is invited to retain the original autonomously, since the version retained on the Platform will be without them.
3.23 Social relationship data. Data relating to social relationships between Users on the Platform are collected, such as:
(a) follow relationships (who follows whom);
(b) mutual-follow (relationships of reciprocal follow, relevant for the purposes of enabling UGC Tag and some visibility functionalities pursuant to Sections 7 and 8 of the General Terms and Conditions);
(c) blocks between Users and any reports.
3.H — Gamification System data and derived indicators
3.24 Gamification elements. The elements of the Gamification System associated with the User are collected and retained, as described in Section 9 of the General Terms and Conditions:
(a) XP (experience points) accrued and history of increases;
(b) Level reached and progression;
(c) Achievements unlocked (internal technical denomination: Achievement), date and context of unlocking;
(d) Streaks active and history of consecutive series;
(e) Level Perks active, including any discount codes generated and beta access enabled;
(f) data processed for the periodic Year Review.
The elements of the Gamification System are exclusively symbolic and playful in nature and do not constitute virtual currency nor goods convertible into money, pursuant to Section 9.1 of the General Terms and Conditions. Their processing does not constitute profiling pursuant to art. 4, paragraph 1, no. 4) GDPR nor automated decision-making pursuant to art. 22 GDPR.
3.25 Trust Score and anti-fraud indicators. Indicators derived from the User's activity are elaborated and retained, in particular:
(a) Trust Score (numerical value 0-100) calculated automatically on the basis of the technical consistency of the User's check-ins, according to the criteria described in Section 11 of the General Terms and Conditions and detailed in the Technical Specifications of the Service;
(b) behavioural anti-fraud indicators (by way of example: velocity of check-ins, geographical congruity, UGC publication patterns, reports received);
(c) Host reliability indicators (booking acceptance rate, cancellation rate, average rating, percentage of complaints, quality of responses to communications);
(d) Referrer performance indicators (conversion rate, quality of Referees post-onboarding, refund/chargeback rate of bookings of Referees);
(e) anti-fraud risk profile (synthesized from behavioural, technological and historical indicators);
(f) aggregate non-identifying statistics.
The impact of some such indicators on the usability of the Service is described in Art. 11 (Automated decision-making and profiling).
3.I — UGC Tag and automated moderation data
3.26 UGC Tag. For UGC Tags applied by Users, pursuant to Section 8-bis of the General Terms and Conditions, the following data are collected and retained:
(a) numerical identifier of the tagging User and numerical identifier of the tagged User;
(b) identifier of the Content to which the Tag is associated (check-in, post on the Wall of a Place);
(c) creation timestamp of the Tag;
(d) timestamp of any removal of the Tag and numerical identifier of the User who carried out the removal (tagging or tagged);
(e) anonymized history of removal (timestamp and role of the author — tagging or tagged — without personal identifier), retained for a maximum of 24 months for purposes of moderation audit and abuse prevention.
UGC Tags are not used for profiling purposes nor for automated decisions pursuant to art. 22 GDPR. In particular, Tags applied to posts on the Wall do not contribute to the attribution of XP nor to the unlocking of Achievements, consistent with Section 8-bis.8 of the General Terms and Conditions. For Tags applied to check-ins within companion tagging, the discipline of Section 8 of the General Terms and Conditions and the related gamification recognitions, described in Art. 3.H, apply.
3.27 Automated Moderation data. For each Automated Moderation decision adopted by the artificial intelligence systems of Third Parties employed by the Platform, the following metadata are collected and retained in a dedicated system table:
(a) identifier of the Content subject to analysis;
(b) decision adopted (approval, rejection, flagging for manual review, downgrading);
(c) reason code and risk category detected;
(d) model used and version, confidence threshold applied;
(e) confidence scores elaborated by the system;
(f) latency, cost and operational data of the call to the provider;
(g) outcome of any subsequent human review and identifier of the operator who performed the review.
Such metadata are used for audit, system improvement, complaint management and fulfilment of transparency obligations under the AI Act, DSA (in particular art. 17 — Statement of Reasons) and art. 22 GDPR, according to the methods described in Art. 11.
3.J — Browsing data and Tracking Tools
3.28 Usage Data. The following data are automatically collected, as described in detail in the Cookie Policy:
(a) IP address (anonymized, where configurable);
(b) device identifiers (device fingerprinting, user-agent, operating system, browser version);
(c) session data (duration, pages visited, navigation sequence, clickstream);
(d) mobile advertising identifiers (IDFA for iOS, Google Advertising ID for Android), only with consent;
(e) referrer URL and UTM parameters of origin;
(f) interactions with the Platform (buttons clicked, searches performed, bookings initiated and abandoned, check-ins attempted and completed).
3.29 Data retained locally on the User's device. The Platform is also designed as a Progressive Web App (PWA) installable on the User's device and includes a Service Worker that uses native browser APIs (Cache API, IndexedDB, localStorage) for purposes of caching, preference storage, offline support and push notifications. Such storage takes place exclusively on the User's device, does not transfer data to Inmedia S.r.l. directly and does not constitute processing of Personal Data by the Data Controller to the extent that it remains confined to the local browser. The User may clear such memory at any time from their browser settings, as provided for by Section 18.1 of the General Terms and Conditions.
3.30 Third-Party Tracking Tools. Additional data are collected through Third-Party Tracking Tools (Google, Meta, TikTok, LinkedIn, Microsoft, Hotjar and others), as detailed in the Cookie Policy, exclusively within the limits of the consent given by the User. Inmedia S.r.l. adopts the Consent Mode v2 model of Google for the granular management of consent and the retention of the history of choices according to append-and-update modalities.
3.K — Third-party data provided by the User
3.31 Data of other participants. When a Customer books an Experience for multiple participants, they may provide third-party data (name, surname, possibly date of birth for Experiences with age restrictions). The User who provides third-party data:
(a) warrants that they have obtained their consent, or have another legal basis for sharing;
(b) undertakes to provide the data subject with the summary privacy notice available in the «Book for others» section of the Platform, containing the essential information about processing;
(c) holds Inmedia S.r.l. harmless from third-party claims arising from the lack or inadequacy of information, pursuant to the indemnity clauses of the General Terms and Conditions.
Analogous responsibility falls on the User who publishes UGC Content containing third-party data (by way of example: photographs depicting identifiable persons beyond the User themselves). The User warrants that they have obtained the necessary authorizations from the depicted or mentioned subjects, pursuant to art. 97 of Italian Law 633/1941 and Section 6.3 of the General Terms and Conditions.
ART. 4 — PURPOSES OF PROCESSING AND LEGAL BASES
The Personal Data collected are processed for the purposes described below, each with its own legal basis pursuant to art. 6 (and, where applicable, art. 9) GDPR. This section constitutes the summary information provided for by art. 13, paragraph 1, letter c) GDPR.
4.A — Contractual purposes and Service provision
4.1 Contract performance. Personal Data are processed for:
(a) creation and management of the User account, including the automatic generation of the username and any federated authentication (SSO);
(b) provision of non-transactional functionalities of the Platform (Profile, Social, Gamification, exploration of the Places catalogue, publication and enjoyment of UGC Content, participation in the community);
(c) provision of marketplace functionalities (search, booking, payment, enjoyment of paid Experiences);
(d) management of bookings, payments, cancellations and refunds, including the execution of applicable Cancellation Policies;
(e) calculation and payment of Host Compensation and Referrer Compensation, management of Cashouts via Stripe Connect;
(f) execution of geolocated check-ins and attribution of the related elements of the Gamification System (XP, Levels, Achievements, Streaks), including the possible attribution of UGC Tags within companion tagging;
(g) publication, visibility and moderation of UGC Content according to the visibility settings autonomously managed by the User and the rules applicable to the UGC Tag;
(h) messaging management between Users (Host-Customer; community); management of Guest Help for Unregistered Visitors;
(i) provision of customer support service;
(j) management of follow relationships, including management of mutual-follow relationships relevant to the applicability of some functionalities (UGC Tag, visibility of «Friends» level check-ins).
Legal basis: art. 6, paragraph 1, letter b) GDPR — performance of a contract to which the Data Subject is party (General Terms and Conditions, Sales Terms and Conditions, Host Terms, Referral Program Terms) or performance of pre-contractual measures at the request of the Data Subject.
4.B — Regulatory compliance purposes
4.2 Legal obligations. Personal Data are processed for:
(a) tax compliance: bookkeeping, electronic invoicing via the Italian Exchange System (SDI), Italian Single Certifications, withholding taxes, VAT returns, US Form 1099;
(b) DAC7 compliance: collection, verification, retention and communication to the Italian Revenue Agency and — through automatic exchange — to foreign tax Authorities of the data of non-excluded Sellers (Hosts and Referrers);
(c) anti-money laundering compliance: customer verification, retention of the customer file, reports of suspicious transactions to the UIF, taking into account the tipping-off prohibition of art. 39 of Italian Legislative Decree 231/2007 (prohibition of disclosing the report);
(d) compliance with international sanctions: screening against UN, EU, OFAC, HMT sanctions lists, blocking of operations or relations with sanctioned subjects;
(e) DSA compliance: publication of the periodic Transparency Report, management of notice and action reports pursuant to art. 16 DSA, guarantee of the anonymity of the reporter unless requested by the competent Authority, retention of the log of moderation decisions and Statements of Reasons, management of Trusted Flaggers pursuant to art. 22 DSA, communications to the competent Authorities through the designated points of contact (Sections 12-bis.4 and 12-bis.5 of the General Terms and Conditions);
(f) AI Act compliance: transparency regarding the use of artificial intelligence systems for the Automated Moderation of Content, pursuant to Regulation (EU) 2024/1689, including the documentation of decisions and related metadata;
(g) P2B compliance: publication of general conditions, management of internal complaints of business Users, designated external mediation;
(h) responses to requests from competent Italian or foreign judicial, tax, administrative, supervisory or public safety Authorities, within the limits provided for by applicable law (by way of example: orders for production, evidentiary seizures, orders for retention pursuant to art. 254-bis of the Italian Code of Criminal Procedure, requests under the Budapest Convention on cybercrime).
Legal basis: art. 6, paragraph 1, letter c) GDPR — compliance with legal obligations.
4.C — Security, anti-fraud and rights protection purposes
4.3 Security, anti-fraud and Trust Score. Personal Data are processed for:
(a) prevention and identification of unauthorized access, brute force, credential stuffing, account takeover, automated bots; management of re-authentication for sensitive operations pursuant to Section 4.2 of the General Terms and Conditions;
(b) prevention of payment fraud (Stripe Radar, device fingerprinting, velocity check);
(c) prevention of fraudulent practices in the Referral Program (Self-Referral, Cookie Stuffing, Click Fraud) and in the Gamification System (multiple accounts, suspicious reciprocal exchanges, simulation of activity);
(d) calculation of the Trust Score of Users on the basis of the technical consistency of check-ins, pursuant to Section 11 of the General Terms and Conditions and arts. 3.E-bis and 3.H of this Policy, with the procedural guarantees described in Art. 11.B;
(e) identification of GPS spoofing attempts and position simulation, for purposes of protecting the integrity of the Places catalogue and the Gamification System;
(f) protection of the assets of the Platform, Hosts, Customers, Referrers and other Users from fraud and abuse;
(g) protection of the information security of the Platform pursuant to NIS2;
(h) investigative support to requests from judicial and public safety Authorities;
(i) protection of the rights of Inmedia S.r.l. in case of judicial or extra-judicial disputes, also with retention of electronic evidence.
Legal basis: art. 6, paragraph 1, letter f) GDPR — legitimate interest of Inmedia S.r.l. in security, fraud prevention, protection of its own rights and Users' rights, balanced with the fundamental rights and freedoms of the Data Subject. For processing operations involving automated risk assessments, reference is made to Art. 11.
4.D — Automated Moderation of UGC Content purposes
4.4 Automated Moderation. UGC Content published by the User is subjected, preventively, to automated analysis through artificial intelligence systems of Third Parties, pursuant to Section 12 of the General Terms and Conditions, in particular:
(a) a language model for the textual classification of reviews, posts, comments and proposals;
(b) an image analysis service for the detection of adult, violent or offensive content in photographs.
The systems are integrated with a manual review fallback for borderline cases, unavailability of automated systems or Content pending due to exceeding operational limits. The specific identity of the models employed, the confidence thresholds, the criteria for access to the fast-track for Users with positive history and the operational expenditure limits are indicated in the Technical Specifications of the Service.
The Data Subject has the right to request human review of the moderation decision within 14 days of notification, according to the methods described in Art. 11.C, consistent with Section 12.3 of the General Terms and Conditions. The review is carried out by qualified personnel of Stravagando and does not take place through the same automated system that issued the contested decision.
Legal basis:
art. 6, paragraph 1, letter b) GDPR — performance of the contract (moderation is a condition for the publication of Content on the Platform);
art. 6, paragraph 1, letter c) GDPR — compliance with legal obligations (DSA, AI Act);
art. 6, paragraph 1, letter f) GDPR — legitimate interest in maintaining the integrity and quality of the community of Users.
4.E — Service improvement purposes
4.5 Analytics and optimization. Personal Data are processed, in aggregated and anonymized form where possible, for:
(a) measurement of Platform performance and conversion rates;
(b) analysis of navigation behaviour to identify areas of improvement (in aggregated form or, where disaggregated, on the basis of consent pursuant to the Cookie Policy);
(c) A/B testing of interfaces and functionalities;
(d) processing of internal statistics on the User population;
(e) iterative improvement of Automated Moderation systems and Trust Score calculation algorithms, on the basis of the decision metadata described in Art. 3.27 and the outcome of any human reviews.
Legal basis:
for aggregated analytics assimilable to technical (Italian Garante Provision of 10/06/2021, par. 4.2): art. 122 Italian Privacy Code + art. 6, paragraph 1, letter f) GDPR (legitimate interest in Service improvement);
for disaggregated analytics: art. 6, paragraph 1, letter a) GDPR — consent, according to the Cookie Policy.
4.F — Service communication purposes
4.6 Service communications. Communications are sent to the User in relation to the provision of the Service and the performance of the contract, pursuant to Section 17 of the General Terms and Conditions, distinguished into three categories:
(a) essential categories (by way of example: changes to the Terms, account suspension, security alerts, marketplace receipts, legal communications, account cancellation confirmation): these cannot be deactivated, as they are necessary for the performance of the contract and for the fulfilment of obligations of the Data Controller;
(b) service categories (by way of example: social notifications, gamification, marketplace activity of an informative nature): granularly deactivable from the account settings;
(c) marketing utility categories connected to the contractual relationship but of a promotional nature (by way of example: pre-Experience reminders for bookings made, invitations to review after the Experience): sending is subject to the User's opt-in consent, granular for each category.
The channels used include email, web push notifications, mobile push notifications (for future native iOS/Android Apps) and in-app notifications.
Legal basis: art. 6, paragraph 1, letter b) GDPR (performance of the contract) for essential and service categories; art. 6, paragraph 1, letter a) GDPR (consent) for marketing utility categories.
4.G — Direct marketing and newsletter purposes
4.7 Direct marketing on similar services (soft opt-in). For Users who have made at least one booking or created an account, direct marketing communications may be sent on services similar to those booked or used (e.g. new Experiences in the same cities, new Hosts in the same category), via email and in-App notifications.
Legal basis: art. 6, paragraph 1, letter f) GDPR — legitimate interest in direct marketing on similar services, pursuant to Recital 47 GDPR and art. 130, paragraph 4 of the Italian Privacy Code. The Data Subject may object at any time through the opt-out link present in each communication, the account settings or the request to legal@stravagando.com.
4.8 Newsletter and profiled direct marketing. For marketing communications addressed to Users — including those not holding an account — on the periodic newsletter and on general promotional initiatives, Inmedia S.r.l. adopts the double opt-in model pursuant to Section 17-bis of the General Terms and Conditions. The newsletter is offered independently of account ownership; the legal basis is the explicit consent of the Data Subject.
The Data Subject may revoke consent at any time and unsubscribe from the newsletter through:
(a) the unsubscribe link present at the bottom of each marketing email;
(b) the one-click unsubscribe mechanism provided for by industry standards for deliverability (RFC 8058);
(c) the request sent to legal@stravagando.com.
Following unsubscription, Inmedia S.r.l. retains the unsubscription data (email address in a form sufficient for unique identification and revocation metadata) as a suppression list, so that the Data Subject's choice not to be contacted again is respected over time. The legal basis for such retention is the legitimate interest in suppression pursuant to art. 6, paragraph 1, letter f) GDPR, as well as the fulfilment of art. 7, paragraph 3 GDPR (obligation to respect the revocation of consent). The Data Subject has the right to request the deletion also of the suppression record, taking note of the consequences (any future re-subscription will no longer be recognised as such by the system).
4.9 Profiled marketing and marketing on non-similar services. For purposes of direct marketing:
(a) on non-similar services (e.g. promotion of services of Third Parties);
(b) profiled on the basis of disaggregated browsing behaviour;
(c) through advertising channels of Third Parties (Meta, Google, TikTok, LinkedIn, etc.);
(d) via SMS or telephone (where applicable);
the User's prior consent is collected, through the Cookie Policy Preferences Panel, the account settings or a specific checkbox.
Legal basis: art. 6, paragraph 1, letter a) GDPR — consent, revocable at any time.
4.10 Exclusion of advertising targeted at minors. In compliance with art. 28 DSA, Inmedia S.r.l. does not present targeted advertising based on profiling pursuant to art. 4, paragraph 4 GDPR to Users for whom there are indicators of minor age, according to the methods described in the Technical Specifications of the Service and consistent with Section 14-bis.3 of the General Terms and Conditions.
4.H — UGC Tag: differentiated legal basis
4.11 UGC Tag processing. The UGC Tag functionality, described in Section 8-bis of the General Terms and Conditions and in Art. 3.26 of this Policy, entails the processing of Personal Data on a differentiated legal basis in relation to the role of the Data Subject:
(a) for the User recipient of the Tag («incoming» Tag), the processing is based on the explicit consent of the Data Subject expressed through the setting «Allow others to tag me in content» (allow_ugc_tagging), active by default and revocable at any time from the Profile settings, pursuant to art. 6, paragraph 1, letter a) GDPR;
(b) for the User author of the Tag («outgoing» Tag), the processing is based on the performance of the contract and in particular of the social functionalities of the Platform to which the User has adhered through the General Terms and Conditions, pursuant to art. 6, paragraph 1, letter b) GDPR;
(c) for the related notification and visualization functionalities, the processing is based on the performance of the contract pursuant to art. 6, paragraph 1, letter b) GDPR and on the notification preferences expressed by the Data Subject.
The revocation of the allow_ugc_tagging setting operates pro-futuro: subsequent Tag attempts by other Users are silently discarded by the system without notification to the protected recipient. Any Tags already applied before the revocation may be removed by the Data Subject through the Profile panel, with immediate and definitive effect, consistent with Section 8-bis.4 of the General Terms and Conditions.
4.I — Automated profiling purposes
4.12 Internal automated profiling. Inmedia S.r.l. carries out automated profiling activities limited to:
(a) personalization of the search results of Experiences and Places suggested in the catalogue exploration;
(b) suggestions of Experiences and Places consistent with the User's interest profile;
(c) calculation of the rating of Host and Referrer reliability;
(d) calculation of the anti-fraud risk score (described in Art. 11.A);
(e) calculation of the Trust Score (described in Art. 11.B).
The activities referred to in letters (a), (b) and (c) do not produce legal effects on the Data Subject nor significantly affect them. The activities referred to in letters (d) and (e) are potentially likely to produce significant effects and are treated separately in Art. 11.
Legal basis: art. 6, paragraph 1, letters b) and f) GDPR — performance of the contract and legitimate interest in the improvement of the Service, in the quality of the community and in anti-fraud.
4.J — Special categories of data and criminal data
4.13 Exceptional processing. When voluntarily provided by the User or necessary for specific purposes, Sensitive or Criminal Data may be processed exclusively on the basis of:
(a) explicit consent of the Data Subject, pursuant to art. 9, paragraph 2, letter a) GDPR;
(b) performance of employer obligations ex art. 9, paragraph 2, letter b) GDPR, where applicable (e.g. for data of employees involved in the provision of the Service);
(c) substantial public interest ex art. 9, paragraph 2, letter g) GDPR, in implementation of anti-money laundering regulations and combating financial crimes;
(d) establishment, exercise or defense of a right in court ex art. 9, paragraph 2, letter f) GDPR;
(e) processing by public authorities ex art. 10 GDPR, for criminal data, in implementation of regulatory obligations.
ART. 5 — METHODS OF COLLECTING PERSONAL DATA
5.A — Direct collection from the Data Subject
5.1 Registration and profile forms. Registration and Profile Personal Data (paragraphs 3.2-3.4) are collected directly from the Data Subject through the registration and Profile update forms, in the web and App versions of the Platform. The provision of some data is necessary for the use of the services of the Platform; in case of failure to provide, the use of the related functionality may be impossible or limited.
5.2 Publication of UGC Content. UGC Content (paragraphs 3.21-3.23) is collected directly from the Data Subject upon publication on the Platform. Photographs are subjected server-side to the EXIF metadata removal process described in paragraph 3.22.
5.3 Geolocated check-ins. Check-in data (paragraphs 3.15-3.17) are collected directly upon execution of the check-in by the Data Subject, with prior granting of permission to access the GPS of the device. The transmitted coordinates are rounded in the logs according to the provisions of paragraph 3.16.
5.4 Communications with customer service and with other Users. Personal Data of communication (paragraphs 3.18-3.19) are collected directly from the Data Subject through the assistance and messaging channels of the Platform, including Guest Help for Unregistered Visitors.
5.5 Inserting Experiences (Hosts). Data relating to Experiences are entered directly by the Host through the account management panel; the Host is exclusively responsible for the truthfulness and completeness of the data entered, pursuant to the Host Terms.
5.6 Updating privacy settings. The Profile visibility and privacy settings (par. 3.2 letter g) are collected and updated directly by the Data Subject from the page account.privacy, with re-authentication required for sensitive operations pursuant to Section 4.2 of the General Terms and Conditions.
5.B — Collection from Third Parties
5.7 Single Sign-On (SSO). When the User chooses to register or authenticate through SSO from third-party providers (Google, Apple, Meta/Facebook), Inmedia S.r.l. receives from the third-party provider, as an independent Controller, only the strictly necessary data (name, surname, verified email address, any profile image, unique identifier at the provider), in compliance with the provider's policies.
5.8 Stripe Identity (KYC). For KYC procedures, in particular for Hosts and Referrers, Inmedia S.r.l. makes use of the Stripe Identity service of Stripe Payments Europe Ltd. Stripe Identity directly acquires the Data Subject's identity documents and live selfies/videos, performs authenticity and match checks, and communicates to Inmedia S.r.l. the summary outcome (verified/not verified) and the document details. Inmedia S.r.l. neither receives the raw biometric data nor retains the Data Subject's selfie/video.
5.9 VIES verification and public registers. For the VAT numbers provided, Inmedia S.r.l. performs automatic verification through the EU Commission's VIES system for non-Italian EU VAT numbers, and through the archive of the Italian Revenue Agency for Italian VAT numbers. For legal entities, public Business Registers may be consulted for verification of correct constitution and powers of representation.
5.10 International sanctions lists. Inmedia S.r.l. performs periodic screening against UN, EU, OFAC and HMT sanctions lists, through specialized providers operating as Data Processors. The names and tax codes/TINs of Users are compared with the names on the lists; in case of potential match, manual verification is performed to exclude false positives.
5.11 Third-Party anti-fraud providers. For anti-fraud purposes, Inmedia S.r.l. may receive risk information from specialized providers such as Stripe Radar, Sift Science and similar. Such providers operate as Data Processors or independent Controllers depending on the specific contractual configuration.
5.12 Automated Moderation systems. The metadata of Automated Moderation decisions (Art. 3.27) are generated by the interactions of Inmedia S.r.l. with the Third-Party artificial intelligence providers (language model for texts and image analysis service), which operate as Data Processors pursuant to art. 28 GDPR. The User's UGC Content is transmitted to such providers exclusively for the purposes of Automated Moderation and for the time strictly necessary for the analysis.
5.C — Automated collection
5.13 Usage Data through Tracking Tools. Usage Data (paragraphs 3.28-3.30) are collected automatically through Tracking Tools described in the Cookie Policy. Collection takes place on the basis of the preferences expressed by the Data Subject in the Preferences Panel, in compliance with the Italian Garante Provision of 10/06/2021 and the Consent Mode v2 model.
5.14 Security and auditing logs. System security logs (accesses, transactions, check-ins, errors, relevant events) are collected automatically and retained for purposes of information security, incident investigation and auditing pursuant to Section 4.4 of the General Terms and Conditions.
5.15 UGC Tag removal audit trail. The removal of a UGC Tag by the tagged Data Subject or by the Tag author automatically generates an audit trail entry including the timestamp and the identifier of the operation author, pursuant to paragraph 3.26 letter (d), retained in anonymized form beyond 24 months for the sole purposes of moderation abuse prevention.
5.D — Collection from public sources
5.16 Public sources. Limited to anti-fraud and compliance purposes (e.g. reinforced KYC for Hosts with high expected volumes), Inmedia S.r.l. may consult information from public sources, such as press publications, public registers and professional social networks, within the limits permitted by the policies of such platforms. Such consultations are carried out in compliance with the principle of minimization and for the sole purposes indicated above.
ART. 6 — PROCESSING METHODS AND SECURITY MEASURES
6.A — Processing methods
6.1 Tools. The processing of Personal Data takes place both with automated tools (information systems, automatic processes, artificial intelligence algorithms for Automated Moderation and Trust Score calculation) and, where necessary, manually (consultation, modification, management of requests from Data Subjects, dispute management, human review pursuant to arts. 11 and 12). The data are retained on information systems accessible to authorized personnel of Inmedia S.r.l., to Data Processors and — limited to what is strictly necessary — to competent Authorities.
6.2 Persons authorized to process. The Personal Data are processed by personnel of Inmedia S.r.l. formally authorized and trained on the issues of personal data protection pursuant to art. 29 GDPR and art. 2-quaterdecies of the Italian Privacy Code. Authorizations are granted according to the principle of need-to-know (minimum access necessary for the task) and least-privilege, and are periodically reviewed.
6.3 Principles. Processing is carried out according to the principles of:
(a) lawfulness, fairness and transparency (art. 5, paragraph 1, letter a) GDPR);
(b) purpose limitation (art. 5, paragraph 1, letter b) GDPR) — data collected for one purpose are not processed for incompatible purposes;
(c) minimization (art. 5, paragraph 1, letter c) GDPR) — only data relevant, adequate and limited to what is necessary are collected;
(d) accuracy (art. 5, paragraph 1, letter d) GDPR) — the data are kept updated and accurate;
(e) storage limitation (art. 5, paragraph 1, letter e) GDPR) — the data are retained for the time strictly necessary;
(f) integrity and confidentiality (art. 5, paragraph 1, letter f) GDPR) — the data are protected from unauthorized or unlawful processing, accidental loss, destruction or damage;
(g) accountability (art. 5, paragraph 2 GDPR) — Inmedia S.r.l. maintains documentation of the measures adopted and is able to demonstrate compliance.
6.B — Technical security measures
6.4 Technical measures. Inmedia S.r.l. adopts technical security measures adequate to the risk of processing pursuant to art. 32 GDPR, including:
(a) encryption of data in transit through TLS 1.2 or higher for all communications with the Platform;
(b) encryption of data at rest for sensitive data and data of particular relevance (e.g. identity documents, banking data) through industry-standard encryption algorithms (AES-256 or equivalent);
(c) secure hashing of passwords through cryptographic algorithms (bcrypt, scrypt or Argon2) with unique salt per password;
(d) two-factor authentication (2FA) based on TOTP authenticator application and recovery codes, available for all accounts; mandatory for Hosts and Referrers with significant volumes and for Inmedia S.r.l. personnel with access to critical systems, pursuant to Section 4.2 of the General Terms and Conditions;
(e) re-authentication for sensitive operations (email modification, password, visibility settings, indexing, leaderboard, UGC Tag) even with active session, to protect against account takeover attacks;
(f) segregation of environments for development, staging and production;
(g) firewall, intrusion detection and intrusion prevention at network boundaries;
(h) periodic vulnerability scans and annual penetration tests;
(i) encrypted and geographically distributed backups, with periodic verification of restoration;
(j) timely security updates (patch management) on operating systems, applications and libraries;
(k) pseudonymization of analytical data where possible, including the rounding of GPS coordinates of check-ins in system logs (par. 3.16);
(l) irreversible removal of EXIF metadata from uploaded photographs, as a privacy by design technical measure (par. 3.22);
(m) retention of IP address and user-agent in sessions and main events for audit purposes, according to the principle of minimization.
6.C — Organizational security measures
6.5 Organizational measures. The following organizational measures are also adopted:
(a) documented and periodically updated security policies;
(b) training of personnel on data protection issues;
(c) classification of information by sensitivity levels;
(d) data protection by design and by default integrated in new developments (art. 25 GDPR), with particular reference to social and geolocation functionalities (default restrictive privacy settings, granular choice of visibility for individual check-in, granular opt-outs);
(e) Data Protection Impact Assessment (DPIA) pursuant to art. 35 GDPR for high-risk processing operations, including those concerning Automated AI Moderation, Trust Score calculation and the processing of geolocated check-ins;
(f) record of processing activities pursuant to art. 30 GDPR;
(g) periodic internal and independent audits, also on the effectiveness of Automated Moderation systems;
(h) security incident management procedure integrated with the Data Breach notification procedure.
6.D — Security pursuant to NIS2
6.6 NIS2 compliance. Limited to the requirements applicable to Inmedia S.r.l. pursuant to Directive (EU) 2022/2555 (NIS2) as transposed in Italy, information security measures proportionate to the level of identified risk are adopted, with particular reference to: cyber risk management, incident response, business continuity, supply chain security, personnel training.
6.E — Data Breach
6.7 Procedure. In case of Data Breach with risk for the rights and freedoms of Data Subjects, Inmedia S.r.l. notifies the Italian Garante within 72 hours of knowledge of the incident (art. 33 GDPR) and — when the risk is high — promptly communicates the event to the Data Subjects in the manner and with the contents provided for by art. 34 GDPR. Inmedia S.r.l. maintains an internal register of all Data Breaches, regardless of their severity.
ART. 7 — RECIPIENTS OF PERSONAL DATA AND COMMUNICATION
Personal Data may be communicated to the categories of recipients described below, each within the limits and for the purposes indicated below. The communication is regulated by specific contractual agreements or, where required by law, takes place in fulfilment of regulatory obligations.
7.A — Data Processors
7.1 Processors. The following categories of subjects act as Data Processors pursuant to art. 28 GDPR, on the basis of contractual agreements (DPA — Data Processing Agreement) that regulate nature, object, duration, purposes of processing, types of data, categories of data subjects, obligations and rights of the Controller:
(a) cloud hosting providers (e.g. Amazon Web Services, Google Cloud, Microsoft Azure, Laravel Cloud) — hosting of the application infrastructure;
(b) security and edge service providers (e.g. Cloudflare, Akamai) — DDoS protection, Web Application Firewall, Content Delivery Network, edge caching;
(c) analytics service providers (configured as Processors — e.g. Matomo self-hosted, Plausible Analytics) — web analytics in anonymized mode;
(d) transactional email and newsletter service providers (e.g. SendGrid, Mailgun, Postmark, Brevo, Klaviyo) — sending of transactional, service and marketing emails;
(e) SMS and push notification service providers (e.g. Twilio, Firebase Cloud Messaging) — sending of OTP, alerts, push notifications;
(f) customer support service providers (e.g. Intercom, Zendesk, Freshdesk, HubSpot) — technical management of the ticket system and Guest Help;
(g) anti-fraud service providers (configured as Processors) — risk scoring, device fingerprinting;
(h) KYC service providers (e.g. Stripe Identity for the part of processing operated on instruction) — document verification;
(i) providers of artificial intelligence systems for Automated Moderation of UGC Content, in particular:
(i.1) Anthropic, PBC — language model for the textual classification of reviews, posts, comments and proposals;
(i.2) Google LLC — image analysis service (Vision API) for the detection of adult, violent or offensive content in photographs;
(j) law firms and consultants bound by professional secrecy, for the activities of legal, tax and compliance consultancy;
(k) accounting auditing and certification companies, for legal obligations.
7.2 Updated list. The updated list of Data Processors appointed by Inmedia S.r.l., with indication of their location and the transfer guarantees adopted, is available upon request from the Data Subject at the address legal@stravagando.com.
7.B — Independent Controllers
7.3 Independent Controllers. The following categories of subjects receive Personal Data as independent Data Controllers, pursuing purposes autonomously determined by them. Inmedia S.r.l. is not responsible for the processing operations carried out by such subjects, to which reference is made for their respective privacy policies:
(a) Stripe Payments Europe Ltd — for payment services, escrow, Connect, Radar anti-fraud, KYC Identity (for the independent part of the processing), tax reporting;
(b) banking institutions of the Controller and of the Users — for the execution of SEPA and SWIFT payments;
(c) advertising platforms and social networks (Meta, Google, TikTok, LinkedIn, Microsoft, Pinterest, X, Reddit, Snapchat) — for marketing and profiling purposes, on the basis of consent given by the User, without prejudice to the limitations for minors referred to in Art. 4.10;
(d) SSO providers (Google, Apple, Meta/Facebook) — for single sign-on authentication services;
(e) competent Italian and foreign judicial, tax, administrative, supervisory and public safety Authorities, in fulfilment of regulatory obligations or legitimate authoritative requests, including the Digital Services Coordinators pursuant to DSA, the Trusted Flaggers recognized pursuant to art. 22 DSA, and the EU Commission for exchanges within the Statements of Reasons database;
(f) Italian Revenue Agency — for DAC7 and tax compliance;
(g) UIF at the Bank of Italy — for anti-money laundering reports;
(h) US Internal Revenue Service (IRS) — for Form 1099 and US tax compliance of US resident Users.
7.4 OpenStreetMap Foundation. A significant part of the Places catalogue data is obtained from OpenStreetMap, distributed under the Open Database License (ODbL) v1.0. Such circumstance does not entail processing of Users' Personal Data by OpenStreetMap Foundation in relation to the use of the Service by Users, and the attribution «© OpenStreetMap contributors» is displayed on each page presenting OSM data pursuant to Section 15.2 of the General Terms and Conditions.
7.C — Communication between Users of the Platform
7.5 Transparency between Host and Customer. Personal Data are communicated between Host and Customer, to the extent strictly necessary for the execution of bookings on the marketplace, according to the following rules:
(a) before booking confirmation: the Host sees the first name and initial of the surname of the Customer, the profile image, the aggregated rating and the number of Experiences already completed;
(b) after booking confirmation: the Host receives the Customer's full name, email and telephone contact details for operational communication;
(c) the Customer always sees the Host's public profile, with commercial data (name, city, rating, public reviews).
Host and Customer each act as an independent Data Controller for the data communicated in this way, and undertake — pursuant to their respective Terms and Conditions — to process the data received exclusively for the purposes of executing the booked Experience, in compliance with the regulations on the protection of personal data. Inmedia S.r.l. is not responsible for the processing operations carried out by Host or Customer as independent Controllers.
7.6 Visibility between Users of the social community. Within the social functionalities of the Platform, the User's Personal Data are visible to other registered Users and — when the Profile is set as public and indexable — to the general public, according to the settings autonomously managed by the Data Subject (par. 3.2 letter g). Such visibility includes, according to the settings:
(a) the username, the Profile image and the short bio;
(b) UGC Content published with public visibility or extended to the mutual-follow network (posts, comments, reviews, photographs, check-ins with «Friends» or «Everyone» visibility);
(c) the position in public leaderboards (Level, XP of the period), for Users who keep the show_in_leaderboards setting active;
(d) the mentions received through validly applied UGC Tags;
(e) follow relationships where rendered visible.
Other Users who enjoy such Content each act for personal purposes or, if commercial, as independent Data Controllers, without prejudice to the use restrictions provided for in the General Terms and Conditions (in particular the prohibition of unauthorized scraping, referred to in Section 14).
7.7 Public reviews. Reviews released by Users on Experiences, Places and Hosts are published on the public profile of the Experience/Place/Host with visibility of the reviewer's username, and are indexable by search engines when the reviewer's Profile is set as indexable or when the public is set at the level of the Place. The User who publishes a review:
(a) consents to publication and public visibility;
(b) warrants that the content is truthful, based on a real experience pursuant to Directive (EU) 2019/2161, and does not violate the rights of third parties;
(c) may request the modification or deletion of their review through the account panel or request to legal@stravagando.com.
7.8 DSA — Notice & Action and protection of the reporter's anonymity. In compliance with Regulation (EU) 2022/2065 (DSA), Inmedia S.r.l. makes available a mechanism for reporting potentially illegal Content or Content infringing the rights of third parties (notice and action procedure), accessible from the dedicated section of the Platform. Reports and moderation decisions are recorded and retained, with reference to the subjects involved, according to the retention timeframes referred to in Art. 9.
The identity of the reporter is not exposed to the reported User at any stage of the procedure, consistent with Section 12-bis.1 of the General Terms and Conditions, in order to protect against retaliation and to guarantee the freedom of reporting. The identity of the reporter may be disclosed only upon request of the competent Authority.
7.D — Communications in case of extraordinary operations
7.9 Transfer, merger, acquisition. In case of transfer, merger, acquisition or other extraordinary operation involving Inmedia S.r.l. (or the branch of business comprising the Platform), Personal Data may be transferred to the transferee/incorporating entity as the new Data Controller, according to methods compliant with art. 4 GDPR and with adequate prior information to Data Subjects where provided for by applicable law. The right of the Data Subject to object to the transfer remains unaffected where the legal basis of subsequent processing so permits.
7.E — Prohibition of sale
7.10 No sale. Inmedia S.r.l. does not sell Users' Personal Data to third parties for commercial purposes. For US residents, see subsequent Art. 13 regarding CCPA/CPRA for the definition of «sale» and «sharing».
ART. 8 — TRANSFERS OUTSIDE THE EEA
8.1 Principle. Some of the processing operations described entail the transfer of Personal Data outside the European Economic Area (EEA), in particular to the United States of America, the United Kingdom and other third Countries, in connection with the provision of services essential to the Platform (payments, cloud hosting, marketing, customer support, KYC, Automated Moderation with artificial intelligence systems).
8.2 Guarantees adopted. Transfers outside the EEA take place in compliance with Chapter V GDPR, through one or more of the following guarantees:
(a) Adequacy Decisions of the EU Commission pursuant to art. 45 GDPR, where applicable (United Kingdom, Switzerland, Israel, Canada partially, Andorra, Argentina, Japan, New Zealand, Republic of Korea, Uruguay, United States limited to organizations certified to the EU-US Data Privacy Framework);
(b) EU-US Data Privacy Framework for transfers to the United States, with confirmation of the certification of the recipient to the framework approved by the EU Commission with Adequacy Decision of 10 July 2023;
(c) Standard Contractual Clauses (SCC) approved by the EU Commission with Implementing Decision 2021/914, pursuant to art. 46, paragraph 2, letter c) GDPR, supplemented by additional technical and organizational measures where necessary on the basis of the Transfer Impact Assessment (TIA) conducted by Inmedia S.r.l.;
(d) Binding Corporate Rules (BCR) approved pursuant to art. 47 GDPR, where applicable to the recipient;
(e) derogations ex art. 49 GDPR, in specific and residual cases (e.g. explicit consent of the Data Subject, performance of a contract upon their request, reasons of public interest).
8.3 Transparency. Inmedia S.r.l. provides the Data Subject who requests it — at the address legal@stravagando.com — a copy of the guarantees adopted for the specific extra-EEA transfer, according to methods compliant with art. 13, paragraph 1, letter f) GDPR.
8.4 Main specific transfers. By way of information, the main extra-EEA transfers currently carried out concern:
(a) United States — payments: Stripe Payments Europe Ltd shares with Stripe Inc. (parent company) part of the payment data, with adoption of SCC supplemented by additional technical measures;
(b) United States — cloud and security: Google Cloud, Microsoft Azure (limited to selected non-EU regions), Cloudflare, and Amazon Web Services solely for the non-European regions where exceptionally employed, under EU-US Data Privacy Framework and residual SCC where necessary;
(c) United States — Automated Moderation: Anthropic, PBC for the language model of textual classification of UGC Content, under supplemented SCC and — where the certification is maintained by the recipient — EU-US Data Privacy Framework; Google LLC for the Vision API image analysis service, under the same conditions;
(d) United Kingdom: some analytics and security providers have part of operations in the United Kingdom, under UK Adequacy Decision;
(e) United States — marketing: the advertising partners Meta, Google, TikTok, LinkedIn, Microsoft for marketing purposes, under SCC and EU-US DPF.
ART. 9 — RETENTION OF PERSONAL DATA
Personal Data are retained for the time strictly necessary for the pursuit of the purposes for which they were collected, according to the principle of storage limitation referred to in art. 5, paragraph 1, letter e) GDPR. The typical retention timeframes are reported below, save for causes of extension connected to disputes, to investigations by competent Authorities, to supervening regulatory obligations, to exercise of rights of the Data Subject, or to cases of Legal Hold referred to in Art. 9-bis.
9.A — Account and Profile
9.1 Active account. Account and Profile data are retained for the entire duration of the contractual relationship (active account).
9.2 Voluntary self-service cancellation. In case of account cancellation upon direct request of the Data Subject through the self-service functionality of the Platform (route account.gdpr.delete, pursuant to Section 20 of the General Terms and Conditions), account identification data are subjected to soft-delete and retained for 90 days from the date of the request, after which they are permanently deleted. Such period is justified by the need to manage any complaints, ascertainment of abuse and legal compliance, consistent with the retention rules applied to sanctioned Users.
9.3 Account suspension, sanction or ban. In case of suspension or ban of the account pursuant to Section 13 of the General Terms and Conditions, public Content of the User is immediately hidden and retained in soft-delete for 90 days, after which it is permanently deleted, without prejudice to cases of Legal Hold.
9.4 Account not actively dismissed. In the absence of explicit request for cancellation by the Data Subject and in the absence of sanctions, account data may be retained for a further 24 months after the last significant activity detected, for purposes of management of any disputes and requests from competent Authorities. Inmedia S.r.l. reserves the right to introduce, pursuant to Section 21 of the General Terms and Conditions, a mechanism for automatic closure for prolonged inactivity, with prior notice of not less than 30 days by email.
9.B — UGC Content
9.5 UGC Content voluntarily deleted. UGC Content deleted by the Data Subject through the Platform functionalities is subjected to soft-delete: it is immediately hidden from the public interface and retained in the database for 30 days for purposes of any audits, security checks and internal disciplinary procedures, after which it is permanently deleted, pursuant to Section 6.5 of the General Terms and Conditions and without prejudice to cases of Legal Hold.
9.6 UGC Content published and active. Published and active UGC Content is retained for the duration of publication, normally for the duration of the account of the Data Subject who published it, unless the Data Subject requests its cancellation or exercises their rights.
9.7 Public reviews. Reviews released on Experiences and Places are retained for the time of publication of the Experience/Place profile, unless the reviewer requests their rectification or cancellation or the Data Subject exercises their rights. The cessation of the Host's activity does not automatically entail the deletion of historical reviews, as they are relevant for the community of Users.
9.C — Check-in and Gamification System
9.8 Check-ins. Check-ins are retained in the User's activity history for an indefinite time during the life of the account, unless deleted upon request of the Data Subject or exercise of the rights referred to in Art. 10. The deletion of a check-in removes it from the public interface and from the personal history, but does not automatically entail the reduction of the accrued XP nor the loss of the achieved Achievements, in consideration of the historical irrevocability of the gamification recognitions, without prejudice to cases of ascertainment of abuse or fraud pursuant to Section 7.2 of the General Terms and Conditions.
9.9 Elements of the Gamification System. XP, Levels, Achievements, Streaks and other elements of the Gamification System are retained for the duration of the User's account. In case of account cancellation, the elements are deleted without right to compensation, consistent with their symbolic nature (Section 9.1 of the General Terms and Conditions). The retention of statistical data in aggregated and anonymized form, where technically irreversible, remains unaffected.
9.D — UGC Tag and Automated Moderation
9.10 UGC Tag. UGC Tags associated with Content are retained for the lifetime of the Content to which they are associated. In case of removal of the Tag by the Data Subject (tagging or tagged), the association between User identifier and Content identifier is immediately deleted; the historical fact of the removal remains retained in anonymized form (timestamp and role of the author — tagging or tagged — without personal identifier) for a maximum of 24 months, for purposes of moderation audit and abuse prevention, consistent with paragraph 3.26 letter (e).
9.11 Automated Moderation metadata. The metadata of Automated Moderation decisions (par. 3.27) are retained for 36 months from the decision, extendable in case of dispute, a DSA complaint not yet resolved or investigations by competent Authorities. Retention serves the purposes of audit, system improvement, complaint management, fulfilment of transparency obligations under the AI Act and the DSA, and protection of the rights of Inmedia S.r.l. in litigation.
9.E — Transaction, tax and anti-money laundering data
9.12 Transaction and invoicing data. Retained for 10 years from the date of the transaction, pursuant to art. 2220 of the Italian Civil Code and tax regulations (Italian Presidential Decree 600/1973, Italian Presidential Decree 633/1972).
9.13 DAC7 data. DAC7 audit log and datasets transmitted to the Italian Revenue Agency: 10 years from transmission, pursuant to Italian Legislative Decree 32/2023.
9.14 Anti-money laundering data. 5 years from the cessation of the relationship, pursuant to art. 31 of Italian Legislative Decree 231/2007 and Regulation (EU) 2024/1624. For reports of suspicious transactions to the UIF, retention according to the indications of applicable regulations and in compliance with the prohibition of tipping-off.
9.15 KYC data and identity documents. For the duration of the contractual relationship and for 5 years thereafter, without prejudice to anti-money laundering needs. Biometric data possibly generated by Stripe Identity are not retained by Inmedia S.r.l. and are subject to Stripe's retention policies.
9.F — Communications, security and marketing
9.16 Communications with customer service. 24 months from the date of the communication, extendable in case of dispute or investigations by Authorities.
9.17 Guest Help conversations. Conversations with Unregistered Visitors handled through email token are subject to automatic closure for inactivity after a determined period (indicated in the Technical Specifications of the Service), after which the data are retained according to the retention rules applied to UGC Content.
9.18 Messaging between Users through the Platform. 18 months from the date of the last message in the conversation, extendable in case of dispute or DSA report. Operational communications linked to a completed booking may be retained for the duration of the related warranty/claim period of the service.
9.19 Security and anti-fraud data. 24 months from collection, extendable in cases of investigative needs or disputes.
9.20 Marketing and profiling data. Up to 24 months from the User's last interaction with the marketing communication or, if earlier, until consent revocation. Disaggregated profiling data: according to the specific timeframes of the individual Tracking Tools, indicated in the Cookie Policy.
9.21 Newsletter suppression lists. Indefinite retention of only the minimum information necessary to prevent the re-subscription of a Data Subject who has unsubscribed, until the Data Subject requests deletion of the suppression record as well.
9.22 Tracking Tools (Cookie) data. See Cookie Policy for the specific timeframes by category.
9.23 Consent log. 10 years from the collection of consent or from revocation, for evidentiary and accountability purposes.
9.24 Security audit log. 24 months, extendable in case of investigations or disputes.
9.25 Data relating to disputes. For the duration of the dispute and for the subsequent prescriptive timeframes pursuant to the Italian Civil Code (typically 10 years from the cessation of the case), or for longer timeframes provided for by competent Authorities.
9.G — Deletion and anonymization
9.26 Automatic deletion. After the retention terms have elapsed, Personal Data are deleted or anonymized irreversibly. Deletion is performed automatically by information systems, with periodic verification through audit.
9.27 Retention in anonymized form. Data may be retained in anonymized form (i.e. no longer attributable to an identified or identifiable person) also beyond the timeframes indicated above, for statistical and Service improvement purposes. Anonymization is performed according to recognized technical standards that prevent re-identification.
ART. 9-bis — LEGAL HOLD AND EXTENSION OF RETENTION
This article describes the regime of Legal Hold, i.e. the extension of the retention of specific Personal Data or Content in derogation from the ordinary terms indicated in Art. 9, consistent with Section 16.1 of the General Terms and Conditions.
9-bis.A — Conditions
9-bis.1 Legal Hold scenarios. Inmedia S.r.l. reserves the right to extend the retention of specific data or Content beyond the standard term referred to in Art. 9, limited to what and for the time strictly necessary, upon the occurrence of one of the following circumstances:
(a) formal request from the judicial Authority, the judicial Police or other competent Authority — by way of example: orders for production, evidentiary seizures, retention orders pursuant to art. 254-bis of the Italian Code of Criminal Procedure, requests pursuant to the Budapest Convention on cybercrime, provisions of the Italian Garante;
(b) internal disciplinary procedure or DSA complaint in progress pursuant to Sections 12-bis and 13 of the General Terms and Conditions, until its resolution;
(c) legal dispute, judicial or extra-judicial, pending or reasonably foreseeable, concerning the data or Content in question, for the establishment or defense of a right in court (art. 17, paragraph 3, letter e) GDPR);
(d) specific legal obligation that requires retention — by way of example: tax obligations pursuant to art. 2220 of the Italian Civil Code for data relating to transactions on the marketplace; anti-money laundering obligations pursuant to Italian Legislative Decree 231/2007 and Regulation (EU) 2024/1624; tax reporting obligations pursuant to EU Directive 2021/514 (DAC7) and Italian Legislative Decree 32/2023; obligations of retention of telematic traffic data pursuant to Italian Legislative Decree 196/2003.
9-bis.B — Application methods
9-bis.2 Criteria. In all cases of Legal Hold:
(a) retention is limited to the specifically relevant data and Content for the purpose justifying the extension and does not extend to the entire information assets of the Data Subject;
(b) the data in Legal Hold are accessible exclusively to authorized personnel and to the recipients of the legitimate request, and do not fall within the ordinary visibility of the Platform;
(c) the duration is that strictly necessary for the achievement of the purpose; once the cause has ceased, the data are deleted without further delay;
(d) unless prohibited by the requesting Authority or by legal rules (by way of example: investigative secrecy pursuant to art. 329 of the Italian Code of Criminal Procedure), Inmedia S.r.l. informs the Data Subject of the extension carried out and of the related motivation, in a manner compatible with investigative needs.
9-bis.C — Effects on the rights of the Data Subject
9-bis.3 Exercise of GDPR rights. The existence of a Legal Hold procedure does not in itself suspend or limit the rights of the Data Subject referred to in arts. 15-22 GDPR, without prejudice to the exceptions provided for by art. 23 GDPR and by applicable regulations (investigative secrecy, judicial needs, etc.). The exercise of the right to erasure (art. 17 GDPR) may be temporarily suspended, only for the data concerned and for the time strictly necessary, consistent with art. 17, paragraph 3 GDPR. The Data Subject is informed of any suspension, save for the provisions of paragraph 9-bis.2 letter (d).
9-bis.4 Right to portability. The export of data for portability purposes referred to in art. 20 GDPR does not include Content possibly subject to Legal Hold; the inclusion of such Content is possible exclusively upon formal request of the competent Authority.
ART. 10 — RIGHTS OF DATA SUBJECTS
The Data Subject has the right to exercise, at any time and free of charge (save for manifestly unfounded or excessive requests, in particular due to their repetitive nature, for which Inmedia S.r.l. may charge a reasonable expense contribution or refuse to satisfy the request, pursuant to art. 12, paragraph 5 GDPR), the rights described below.
10.A — Rights provided for by GDPR
10.1 Right of access (art. 15 GDPR). The Data Subject has the right to obtain confirmation as to whether or not processing of Personal Data concerning them is taking place and, where so, access to such Personal Data and to the information indicated in this Policy. Upon request, Inmedia S.r.l. provides a copy of the Personal Data subject to processing.
10.2 Right to rectification (art. 16 GDPR). The Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning them without undue delay, as well as the completion of incomplete Personal Data, including by providing a supplementary statement. Most Profile data can be modified directly by the Data Subject from the reserved area of their account.
10.3 Right to erasure («right to be forgotten») (art. 17 GDPR). The Data Subject has the right to obtain the erasure of their Personal Data, in the cases provided for by art. 17 GDPR, in particular when:
(a) the data are no longer necessary in relation to the purposes for which they were collected;
(b) the Data Subject revokes consent and there is no other legal basis for processing;
(c) the Data Subject objects to the processing pursuant to art. 21 GDPR and there is no overriding legitimate ground for Inmedia S.r.l. to proceed with processing;
(d) the data have been unlawfully processed;
(e) the data must be erased to comply with a legal obligation.
The Data Subject may exercise the right to full deletion of their account directly from the Platform, through the self-service functionality described in Section 20 of the General Terms and Conditions, or by writing to legal@stravagando.com.
Specific limits to erasure. The right to erasure does not apply in the cases provided for by art. 17, paragraph 3 GDPR, in particular:
(i) for compliance with legal obligations (e.g. tax retention of marketplace transaction data pursuant to art. 2220 of the Italian Civil Code — 10 years; anti-money laundering retention — 5 years; DAC7 audit log — 10 years);
(ii) for the establishment or defense of a right in court;
(iii) in cases of Legal Hold pursuant to Art. 9-bis;
(iv) for public reviews which, while being depersonalizable (by replacing the reviewer's identifier), may be kept online for purposes of informational transparency towards the community of Users.
The cancellation of the account entails the symbolic forfeiture of the elements of the Gamification System (XP, Levels, Achievements, Streaks), consistent with their nature pursuant to Section 9.1 of the General Terms and Conditions, without right to compensation. The deletion of an individual check-in does not entail the automatic reduction of attributed XP nor the loss of achieved Achievements, in consideration of the historical irrevocability of gamification recognitions (par. 9.8). The cancellation also entails the deletion of «incoming» UGC Tags (Tags that have tagged the Data Subject in Content of other Users) and the deletion of active follow relationships.
10.4 Right to restriction of processing (art. 18 GDPR). The Data Subject has the right to obtain the restriction of processing of their Personal Data, in the cases provided for by art. 18 GDPR. During the restriction period, the data may be retained but not further processed, save for specific legal exceptions.
10.5 Right to data portability (art. 20 GDPR). The Data Subject has the right to receive their Personal Data — limited to those provided directly by the Data Subject themselves to the Controller and processed by automated means on the basis of consent or performance of a contract — in a structured, commonly used and machine-readable format, and has the right to transmit them to another Controller without hindrance. Where technically feasible, the Data Subject has the right to obtain the direct transmission of the data to another Controller. Inmedia S.r.l. makes available a self-service export functionality, pursuant to Section 20 of the General Terms and Conditions, which includes, where relevant:
(a) Profile and account data;
(b) published UGC Content;
(c) personal check-in history (with the original coordinates provided by the Data Subject, without prejudice to the fact that copies in system logs remain rounded pursuant to paragraph 3.16);
(d) booking and transaction history;
(e) gamification data (XP, Achievements, Streaks);
(f) privacy settings and preferences.
Photographs possibly included in the export are without original EXIF metadata, pursuant to paragraph 3.22. Content subject to Legal Hold is not included in the export, pursuant to Art. 9-bis.4.
10.6 Right to object (art. 21 GDPR). The Data Subject has the right to object at any time, for reasons related to their particular situation, to the processing of Personal Data concerning them based on art. 6, paragraph 1, letter e) or f) GDPR (public interest or legitimate interest), unless Inmedia S.r.l. demonstrates the existence of compelling legitimate grounds for processing that prevail over the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defense of a right in court.
The Data Subject has the right to object at any time and without need for motivation to the processing of Personal Data for direct marketing purposes, including profiling related to such marketing. Such right may be exercised through:
(a) the opt-out link present in each marketing communication;
(b) account settings (notification and marketing preferences);
(c) the Cookie Policy Preferences Panel;
(d) the request sent to legal@stravagando.com.
Specifically, the Data Subject may autonomously:
(i) deactivate their visibility in public leaderboards by modifying the show_in_leaderboards setting;
(ii) disable the UGC Tag by modifying the allow_ugc_tagging setting, with immediate effect on subsequent attempts;
(iii) modify Profile visibility (profile_visibility) and external indexing (allow_search_indexing);
(iv) set the visibility level of each individual check-in upon execution (Only me / Friends / Everyone);
(v) revoke consent to the processing of precise geolocation data from device settings.
10.7 Right to revoke consent (art. 7, paragraph 3 GDPR). Where the processing is based on consent, the Data Subject has the right to revoke it at any time, without prejudice to the lawfulness of the processing based on consent prior to its revocation. Revocation can be exercised through the same channels used to provide consent.
10.B — Specific rights linked to automated processing
10.8 Rights ex art. 22 GDPR. The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them in a similar way, save for the exceptions provided for by art. 22, paragraph 2 GDPR (necessity for the conclusion/performance of the contract, authorization of law, explicit consent). For processing operations falling within such case — payment anti-fraud, Trust Score, Automated AI Moderation — the Data Subject has the right to obtain human intervention from Inmedia S.r.l., to express their opinion and to contest the decision, according to the methods described in Art. 11.
10.C — Methods of exercise
10.9 Contact channels. To exercise the rights above, the Data Subject may:
(a) send a written request to the email address legal@stravagando.com (with subject: «Exercise of privacy rights»);
(b) use the self-service functionalities available in the reserved area of the Platform (Profile modification, management of privacy and marketing preferences, data export, account cancellation);
(c) send a registered letter or PEC to the Data Controller at the contact details indicated in Art. 2;
(d) contact the DPO, where appointed, at the address legal@stravagando.com (with subject: «DPO»).
10.10 Identification of the requester. To ensure data security and prevent unauthorized access, Inmedia S.r.l. may ask the Data Subject to provide proof of their identity, in a manner proportionate to the request. For sensitive operations carried out from the reserved area of the Platform, re-authentication is required pursuant to Section 4.2 of the General Terms and Conditions.
10.11 Response times. Inmedia S.r.l. responds to the Data Subject's request without undue delay and, in any case, within 1 month from receipt of the request. Such term may be extended by a further 2 months where necessary, taking into account the complexity and number of requests; the Data Subject is informed of the extension within 1 month from receipt of the request, together with the reasons for the delay.
10.12 Free response. Requests are processed free of charge. Inmedia S.r.l. may charge a reasonable expense contribution only in the cases provided for by art. 12, paragraph 5 GDPR (manifestly unfounded or excessive requests).
10.D — Right to complaint
10.13 Complaint. Without prejudice to any other administrative or judicial remedy, the Data Subject has the right to lodge a complaint with the competent supervisory Authority, according to the methods described in Art. 15.
ART. 11 — AUTOMATED DECISION-MAKING AND PROFILING
Inmedia S.r.l. carries out certain processing operations that involve automated decisions pursuant to art. 22 GDPR, likely to produce legal effects or significantly affect the person of the Data Subject. The relevant processing operations are described separately below, with indication of the logic used, the importance envisaged, the consequences and the procedural guarantees adopted. For processing operations that do not produce significant effects (by way of example: personalization of search results, suggestions of Experiences, calculation of aggregated rating), reference is made to Art. 4.12.
11.A — Payment and marketplace relationship anti-fraud
11.1 Processing. Inmedia S.r.l., jointly with Stripe Payments Europe Ltd as an independent Controller for the part within its competence, computes an anti-fraud risk score for transactions on the integrated marketplace and for relationships with Hosts and Referrers, on the basis of:
(a) transaction indicators: amount, frequency, BIN, country of issue, alignment with the User's historical profile, velocity;
(b) device indicators: device fingerprinting, user-agent, IP address, emulator indicators, geographical congruity;
(c) behavioural indicators: browsing history, time spent in checkout, presence of previous chargebacks;
(d) risk subject lists and internal and external reports.
11.2 Logic and importance. The system applies automatic threshold rules and statistical models. Based on the score, the following may automatically occur: (i) transaction allowed; (ii) additional verification required (e.g. 3D Secure, card retry, reinforced KYC); (iii) transaction refused; (iv) Service provision suspended or Host/Referrer payout frozen; (v) manual anti-fraud investigation initiated.
11.3 Consequences. Significant effects on the Data Subject may occur: inability to complete the booking, suspension of payments, account blocking, reporting to competent Authorities.
11.4 Procedural guarantees. The Data Subject has the right:
(a) to human intervention by an operator of Inmedia S.r.l. who reviews the decision;
(b) to express their opinion on the situation and to provide elements in their defense;
(c) to contest the decision, according to the methods referred to in Art. 10.
Review requests may be sent to legal@stravagando.com with reference to the transaction or procedure identifier.
11.B — Trust Score
11.5 Processing. Inmedia S.r.l. computes a numerical score (Trust Score) between 0 and 100, attributed to each User on the basis of the technical consistency of the check-ins performed, according to the rules described in Section 11 of the General Terms and Conditions and detailed in the Technical Specifications of the Service. The indicators include: proximity between transmitted coordinates and POI, congruity of the time elapsed between consecutive geographically distant check-ins, plausibility of movement speed, any GPS spoofing indicators, reports received, outcome of previous disciplinary procedures.
11.6 Logic and importance. The Trust Score affects:
(a) attribution of XP for check-ins: lower Trust Scores correspond to a reduction of the XP attributed to the check-in or, in extreme cases, its nullification;
(b) automatic approval of reviews: for high Trust Scores, reviews may access the fast-track approval (Section 12.4 of the General Terms and Conditions) and receive immediate visibility; for low Trust Scores manual review is required;
(c) access to reserved functionalities: some functionalities (by way of example: proposing new Places to the catalogue, participation in beta programs) may require exceeding a minimum threshold of Trust Score;
(d) visibility of own Content: in cases of very low Trust Score, a downgrade factor may be applied in the publication order.
11.7 Consequences. The Trust Score may produce significant effects on the usability of the Service for the Data Subject, in particular on participation in the Gamification System and on access to reserved functionalities.
11.8 Procedural guarantees. The Data Subject has the right to ask Inmedia S.r.l. for explanations on the attributed Trust Score, to request manual review and to contest it, consistent with the rights referred to in art. 22 GDPR. Review requests may be sent to legal@stravagando.com. The Trust Score is not in itself made visible to the User or to third parties in its raw numerical form, consistent with its nature as an internal technical indicator; the summary results relating to the attribution of XP per individual check-in and the related motivational codes are made visible to the User, where requested.
11.C — Automated AI Moderation of UGC Content
11.9 Processing. UGC Content published by Users is subject, before publication, to automated analysis through artificial intelligence systems of Third Parties, pursuant to Section 12 of the General Terms and Conditions and Art. 4.4 of this Policy.
11.10 Logic and importance. The Automated Moderation systems:
(a) classify texts through a language model for risk categories (by way of example: hate speech, pornographic content, intellectual property infringement, spam, fraud);
(b) analyse images through an image analysis service for the detection of adult, violent or offensive content;
(c) apply confidence thresholds to determine whether the Content is automatically approved, downgraded, subject to manual review or refused;
(d) access a fast-track for Users with positive history and high Trust Score;
(e) operate with a manual review fallback in case of unavailability of automated systems or exceeding of operational limits.
The specific identity of the models employed, the confidence thresholds, the criteria for access to the fast-track and the operational limits are indicated in the Technical Specifications of the Service.
11.11 Consequences. The Automated Moderation decision may entail:
(a) approval and publication of the Content;
(b) refusal of publication, with notification to the Data Subject and motivational code (Statement of Reasons pursuant to art. 17 DSA);
(c) downgrading of the Content (reduced visibility);
(d) submission to manual review before publication;
(e) in the most serious cases, initiation of disciplinary proceedings against the Data Subject pursuant to Section 13 of the General Terms and Conditions.
11.12 Procedural guarantees. The Data Subject has the right:
(a) to receive the Statement of Reasons of the decision, pursuant to art. 17 DSA, containing at least the motivational code, the risk category detected, the indication of the automated system employed and the indication of the right to request human review;
(b) to request human review of the decision within 14 days from notification of the automated decision, pursuant to Section 12.3 of the General Terms and Conditions. The review is carried out by qualified personnel of Stravagando, distinct from the automated system that issued the decision;
(c) to express their opinion and provide elements in their defense within the review procedure;
(d) to contest the decision confirmed in the review through internal complaint to the Controller and, subsequently, through complaint to the Garante or judicial appeal, pursuant to Art. 15;
(e) limited to cases falling within the scope of the DSA, to access the alternative dispute resolution mechanism provided for by art. 21 DSA, through dispute resolution bodies certified by the competent Digital Services Coordinator;
(f) to appeal to the Trusted Flagger pursuant to art. 22 DSA or to AGCOM as the Italian Digital Services Coordinator.
11.13 AI Act transparency. In compliance with Regulation (EU) 2024/1689 (AI Act), Inmedia S.r.l. ensures adequate transparency on the artificial intelligence systems used in the context of Automated Moderation. The summary information on the models employed, on the known limits of their performance and on the guarantee mechanisms is published in the Technical Specifications of the Service and updated periodically. Inmedia S.r.l. carries out periodic audits on the effectiveness and impartiality of the systems and adopts corrective measures where biases are detected.
ART. 12 — PROCESSING OF DATA OF MINORS
The Platform is designed for adult Users and for minor Users who have reached the minimum age for access provided for by the regulations applicable to their residence, according to the regime described below. Inmedia S.r.l. actively protects minors from unauthorized collection of Personal Data and from targeted advertising profiling, in compliance with GDPR, the Italian Privacy Code, the DSA and — for US residents — the Children's Online Privacy Protection Act (COPPA).
12.A — Minimum age of access
12.1 Residents in Italy: 14 years. For residents in Italy, the minimum age of access to the Platform is 14 years, in implementation of art. 8 GDPR and art. 2-quinquies of the Italian Privacy Code (Italian Legislative Decree 196/2003 as amended by Italian Legislative Decree 101/2018), which sets such threshold for Italy for the direct offer of information society services to minors on the basis of the minor's consent. For minors under 14 years residing in Italy, access to the Platform is prohibited and Personal Data are not collected on the basis of the minor's own consent.
12.2 Residents in other EU Member States. For residents in other Member States of the European Union, the respective national minimum age thresholds for consent to information society services apply pursuant to art. 8, paragraph 1 GDPR (by way of example: 16 years in Germany, Luxembourg, Netherlands, Poland, Romania, Hungary; 15 years in France, Czech Republic, Slovenia; 14 years in Austria, Bulgaria, Cyprus, Italy, Lithuania, Spain), or, failing specific indication, the age of 16 years.
12.3 Residents in the United States of America: 13 years. For residents in the United States of America, the minimum age of access is 13 years, in compliance with the Children's Online Privacy Protection Act (COPPA) and with the Federal Trade Commission (FTC) COPPA Rule. For minors under 13 years residing in the United States, access to the Platform is prohibited and Personal Data are not collected on the basis of the minor's own consent.
12.4 Residents in other Countries. For residents in other Countries, the minimum age provided for by the applicable national law applies or, failing this, the age of 16 years.
12.B — Regime for minor Users who have reached the minimum age
12.5 Declaration upon registration. Upon registration, the User confirms that they have the minimum age required by the law applicable to their residence, pursuant to Section 3 of the General Terms and Conditions. Such declaration is made under their own responsibility; providing false declarations entails the suspension and closure of the account pursuant to Section 13 of the General Terms and Conditions.
12.6 Restrictions applicable to minor Users (under 18). For Users who have reached the minimum age but are still minors (under 18) according to applicable law, and for whom there are indicators of minor age according to the procedures adopted by Inmedia S.r.l., the following restrictions apply:
(a) exclusion from targeted advertising based on profiling (art. 4.10 of this Policy and art. 28 DSA);
(b) limitation of access to the marketplace as Customer, based on the reduced contractual responsibility of the minor according to applicable law; for bookings exceeding the contractual capacity of the minor, confirmation by a person exercising parental responsibility may be required, according to the procedures described in Section 3 of the General Terms and Conditions;
(c) limitation of access to 18+ Experiences where categorized by the Host as reserved for adults;
(d) privacy settings more restrictive by default (by way of example: non-public Profile by default, reduced visibility in searches, external indexing disabled).
12.7 Joining the Referral Program, Host qualification. Joining the Referral Program is reserved for Users who have reached the age of majority according to applicable law (in Italy, 18 years), pursuant to the Referral Program Terms. The Host qualification is normally reserved for adults, save for specific cases regulated by the Host Terms. Such limitations derive from the economic/commercial nature of such qualifications and the related profiles of contractual responsibility.
12.C — Age verification
12.8 Adopted measures. Inmedia S.r.l. adopts reasonable and proportionate measures to verify the age of Users, consistent with art. 28 DSA, based on:
(a) declaration of the User upon registration;
(b) date of birth, where required;
(c) behavioural and content indicators;
(d) request for document verification, in borderline or high-risk cases.
The specific measures are indicated in the Technical Specifications of the Service and are periodically updated in light of best practices in the sector and indications of competent Authorities.
12.9 Reports of minors not having the minimum age. Where Inmedia S.r.l. becomes aware, also through reports from third parties, of the presence of a minor User below the minimum age required for their residence:
(a) it proceeds with the immediate suspension of the account so as to prevent further interactions;
(b) it deletes the Personal Data collected without valid legal basis, unless retention is necessary for the fulfilment of legal obligations, for the exercise of a right in court or for another purpose allowed by art. 17, paragraph 3 GDPR;
(c) it informs, where possible and when appropriate, the persons exercising parental responsibility about the existence of the account and the actions adopted.
12.D — Parental consent (COPPA)
12.10 COPPA procedure for US residents. For residents in the United States of America, in compliance with the Children's Online Privacy Protection Act, where Inmedia S.r.l. knowingly collects Personal Data from a child under 13 years — a case which, for the Platform, is prohibited by the access threshold — measures are adopted for:
(a) notification to persons exercising parental responsibility, pursuant to 16 CFR § 312.4;
(b) collection of verifiable parental consent, pursuant to 16 CFR § 312.5;
(c) guarantee of the right of parents to access, modify and request deletion of the child's Personal Data, pursuant to 16 CFR § 312.6;
(d) prohibition of targeted advertising profiling of children, pursuant to 16 CFR § 312.5(c).
Requests for the exercise of such rights may be sent to legal@stravagando.com.
ART. 13 — ADDENDUM FOR US RESIDENTS (CCPA, CPRA AND OTHER STATE REGULATIONS)
This Addendum describes integrations and modifications to this Privacy Policy applicable to residents in the United States of America. In case of conflict between the general provisions of this Policy and those of this Addendum, for US residents the provisions of this Addendum shall prevail.
13.A — Relevant definitions
13.1 Definitions. For the purposes of this Addendum, and pursuant to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar state regulations:
(a) «Consumer»: resident in the United States of America who uses the Platform;
(b) «Personal Information»: information that identifies, describes, concerns, is linked to or can reasonably be linked to a Consumer or household;
(c) «Sensitive Personal Information»: the sub-category of Personal Information referred to in Cal. Civ. Code § 1798.140(ae);
(d) «Sale»: the sale, disclosure or transfer of Personal Information to third parties for monetary or other valuable consideration, according to the definition of Cal. Civ. Code § 1798.140(ad);
(e) «Sharing»: the sharing of Personal Information with third parties for purposes of cross-context behavioral advertising, according to the definition of Cal. Civ. Code § 1798.140(ah);
(f) «Business»: Inmedia S.r.l. as the subject determining the purposes and means of processing;
(g) «Service Provider» / «Contractor»: subjects who process Personal Information on behalf of the Business, according to the definition of Cal. Civ. Code § 1798.140(ag) and (j).
13.B — Categories of Personal Information collected
13.2 Categories pursuant to Cal. Civ. Code § 1798.140(v). In the previous twelve months, Inmedia S.r.l. has collected or may collect the following categories of Personal Information of Consumers:
(a) identifiers: name, postal address, unique online identifier, IP address, email address, account name, tax code/TIN, passport/document number;
(b) categories of information of Cal. Civ. Code § 1798.80(e) (commercial information): name, contact details, payment data (limited to what is communicated by processors);
(c) commercial information: booking history, products purchased or considered;
(d) biometric information: biometric data generated exclusively by Stripe Identity for Consumers registering as Host or Referrer and for high-risk Experiences (the biometric element is not retained by Inmedia S.r.l.);
(e) Internet or other electronic network usage information: browsing, search history, interactions with advertising;
(f) geolocation data, including precise geolocation collected with the Consumer's consent (paragraph 3.14) and check-in data (paragraphs 3.15-3.17);
(g) audio, electronic, visual, thermal, olfactory or similar data: photographs and UGC Content published by the Consumer, recordings of calls if authorized;
(h) professional or occupational information: information on the activity of Hosts;
(i) inferences: profiles created for personalization purposes (recommendations, suggestions) and Trust Score.
13.3 Sensitive Personal Information. The following categories of Sensitive Personal Information pursuant to Cal. Civ. Code § 1798.140(ae) may be collected:
(a) government-issued identification numbers (tax code/TIN/SSN, passport number);
(b) access credentials to the Platform;
(c) precise geolocation;
(d) financial information (banking details for payments);
(e) biometric data (managed through Stripe Identity).
Consumers have the right to limit the use and disclosure of Sensitive Personal Information pursuant to Cal. Civ. Code § 1798.121.
13.C — Purposes of collection
13.4 Purposes. The Personal Information listed above is collected for the purposes described in Art. 4 of this Policy.
13.D — Categories of third parties
13.5 Disclosure. Inmedia S.r.l. may disclose the categories of Personal Information listed above to the categories of third parties described in Art. 7 of this Policy.
13.E — No Sale of Personal Information
13.6 No Sale. Inmedia S.r.l. does not sell Consumers' Personal Information for monetary or other valuable consideration. Inmedia S.r.l. may share Personal Information with advertising partners for cross-context behavioral advertising purposes, exclusively on the basis of the Consumer's consent given through the Cookie Policy Preferences Panel. Such sharing is limited to the modalities described in the Cookie Policy and is subject to the right of opt-out.
13.F — Consumer rights
13.7 CCPA/CPRA rights. Consumers residing in California have the following rights:
(a) right to know — Cal. Civ. Code § 1798.110, 1798.115;
(b) right to delete — Cal. Civ. Code § 1798.105;
(c) right to correct — Cal. Civ. Code § 1798.106;
(d) right to opt-out of Sale or Sharing — Cal. Civ. Code § 1798.120;
(e) right to limit use of Sensitive Personal Information — Cal. Civ. Code § 1798.121;
(f) right to non-discrimination for the exercise of rights — Cal. Civ. Code § 1798.125;
(g) right to portability — Cal. Civ. Code § 1798.130(a)(2);
(h) right to know about any automated decision-making and to request opt-out, where applicable based on the regulations adopted by the California Privacy Protection Agency (CPPA).
13.8 Rights of Consumers in other US States. Consumers residing in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) and other States that have adopted similar regulations benefit from substantially equivalent rights, according to the respective applicable state regulations.
13.G — Methods of exercising rights
13.9 Channels. Consumers may exercise their rights through:
(a) the dedicated privacy requests page, accessible from the Platform;
(b) sending an email to legal@stravagando.com;
(c) the dedicated toll-free number, where established;
(d) the Global Privacy Control (GPC) mechanism for opt-out rights from Sale or Sharing, automatically recognized by the Platform as a signal from the Consumer's browser.
13.10 Identity verification. Inmedia S.r.l. adopts reasonable procedures to verify the identity of the requesting Consumer, in proportion to the nature of the request and the sensitivity of the data.
13.11 Authorized agent. The Consumer may designate an authorized agent to exercise their rights on their behalf, pursuant to Cal. Civ. Code § 1798.135(c) and applicable regulations.
13.12 Response times. Inmedia S.r.l. responds to requests for the right to know, deletion and correction within 45 days from receipt, extendable by a further 45 days when reasonably necessary.
13.H — Complaints
13.13 Supervisory bodies. US-resident Consumers have the right to lodge a complaint with:
(a) California Privacy Protection Agency (CPPA) for California Consumers: https://cppa.ca.gov;
(b) Attorney General of the State of residence for the other States;
(c) Federal Trade Commission (FTC): https://www.ftc.gov.
ART. 14 — AMENDMENTS TO THIS POLICY
14.A — Updates
14.1 Right to amend. Inmedia S.r.l. reserves the right to make amendments to this Privacy Policy, whether to adapt to regulatory or jurisprudential developments, to introduce new functionalities of the Platform or new processing operations, or for internal needs of organization and security.
14.2 Version and entry into force date. Each version of the Policy is uniquely identified by a version number and an entry into force date, indicated at the opening of the document. The currently in-force version is always the one published on the Platform at the dedicated URL.
14.3 Version history. Inmedia S.r.l. keeps available to Data Subjects, in a dedicated section of the site, the history of previous versions of the Privacy Policy with indication of the main changes made, in compliance with the principle of transparency ex art. 12 GDPR.
14.B — Communication of amendments
14.4 Substantial amendments. For substantial amendments, being those that significantly affect the rights of Data Subjects or the essential modalities of processing, Inmedia S.r.l. notifies Users of the amendments with prior notice of not less than 30 days before the entry into force date, consistent with Section 19 of the General Terms and Conditions, through:
(a) email to the registration address, where the User has an active account;
(b) in-app notice and/or banner on the Platform;
(c) publication of the new version on the Platform with evidence of changes.
During the prior notice period, the Data Subject who does not intend to accept the amendments may exercise the right to withdraw from the contract, through self-service account closure (Section 20 of the General Terms and Conditions), without charges.
14.5 Non-substantial amendments. For non-substantial amendments (corrections of typos, formal clarifications, updates of Data Processors or other elements of mere operational detail), Inmedia S.r.l. may proceed with their publication with immediate effect, giving evidence in the register of amendments.
14.6 Amendments for compelling reasons. For amendments that become immediately necessary in compliance with supervening legal obligations, orders of competent Authorities or for security needs, Inmedia S.r.l. may proceed with the introduction of the amendments with immediate effect, providing Data Subjects with subsequent communication as soon as possible.
14.C — Processing based on consent
14.7 New purposes based on consent. Where amendments to the Policy introduce new processing purposes based on consent pursuant to art. 6, paragraph 1, letter a) GDPR or art. 9, paragraph 2, letter a) GDPR, such processing operations will not be initiated for existing Data Subjects except following specific collection of consent, according to methods compliant with art. 7 GDPR.
ART. 15 — CONTACTS AND COMPLAINTS
15.A — Contacts
15.1 Data Controller. For any request or communication regarding personal data protection, Data Subjects may contact Inmedia S.r.l. at the following contact details:
Inmedia S.r.l.
Registered office: Via L'Aquila, 22, 65122 Pescara (PE), Italy
Tax Code / VAT No.: 02017520681
General assistance email: support@stravagando.com
Email for personal data protection requests: legal@stravagando.com
Certified email (PEC): inmediasrl@pec.it
15.2 DPO. The DPO, where appointed, may be contacted at the address:
legal@stravagando.com (with subject: «DPO»)
Inmedia S.r.l. retains the right to establish a dedicated address (by way of example: dpo@stravagando.com), which will be communicated through an update of this Policy pursuant to Art. 14.
15.3 DSA contact points. Pursuant to arts. 11 and 12 of Regulation (EU) 2022/2065 (Digital Services Act), Inmedia S.r.l. designates the following contact points, described in Section 12-bis of the General Terms and Conditions:
(a) contact point for Authorities of Member States, EU Commission and European Board for Digital Services pursuant to art. 11 DSA: legal@stravagando.com (with subject: «DSA — Authorities»);
(b) contact point for recipients of the service pursuant to art. 12 DSA: legal@stravagando.com (with subject: «DSA — Recipients»);
(c) the languages of communication of the Data Controller for the aforementioned purposes are Italian and English.
15.4 Notice & Action. For reports of potentially illegal Content or Content infringing the rights of third parties, pursuant to art. 16 DSA, a dedicated notice and action mechanism is available on the Platform; alternatively, reports may be sent to legal@stravagando.com with subject «DSA — Notice». The identity of the reporter is not exposed to the reported User, save at the request of the competent Authority.
15.B — Right to lodge a complaint
15.5 Complaint to the Italian Garante. Without prejudice to any other administrative or judicial remedy, the Data Subject has the right to lodge a complaint with the Italian Data Protection Authority, pursuant to art. 77 GDPR and art. 141 of the Italian Privacy Code, according to the methods indicated on the institutional website of the Authority:
Italian Data Protection Authority (Garante per la protezione dei dati personali)
Piazza Venezia n. 11 — 00187 Rome
Email: protocollo@gpdp.it
PEC: protocollo@pec.gpdp.it
Telephone: +39 06.69677.1
Fax: +39 06.69677.3785
Complaint form: https://www.garanteprivacy.it/home/modulistica-e-servizi-online
15.6 Other EU Member States. Data Subjects resident in other EU Member States retain the possibility to lodge a complaint with the supervisory Authority of their Member State of residence, work or the place of the alleged infringement, pursuant to art. 77 GDPR. The list of EU supervisory Authorities is available on the European Data Protection Board website: https://www.edpb.europa.eu
15.7 US Residents. For US residents, the competent supervisory bodies are indicated in Art. 13.13.
15.8 AGCOM as Digital Services Coordinator. For reports falling within the scope of Regulation (EU) 2022/2065 (DSA), Data Subjects residing in Italy may also turn to the Italian Authority for Communications Guarantees (AGCOM), designated Italian Digital Services Coordinator, according to the methods indicated on the institutional website: https://www.agcom.it.
15.C — Judicial appeal
15.9 Appeal to the Court. The Data Subject also has the right to lodge a judicial appeal against the Data Controller pursuant to art. 79 GDPR and art. 152 of the Italian Privacy Code, before the judicial authority of their Member State of habitual residence or of the Member State in which Inmedia S.r.l. has its main establishment.
Document approved and adopted by Inmedia S.r.l.
Version: 1.0
Entry into force date: 26/04/2026
Main regulatory references:
Regulation (EU) 2016/679 (GDPR)
Italian Legislative Decree 196/2003 (Italian Privacy Code) as amended by Italian Legislative Decree 101/2018
Provision of the Italian Data Protection Authority of 10 June 2021 — Guidelines on cookies and other tracking tools
Directive 2002/58/EC (ePrivacy)
Regulation (EU) 2022/2065 (Digital Services Act)
Regulation (EU) 2024/1689 (AI Act)
Regulation (EU) 2019/1150 (Platform-to-Business)
Directive (EU) 2022/2555 (NIS2)
Italian Legislative Decree 32/2023 (DAC7)
Italian Legislative Decree 231/2007 (Anti-money laundering)
California Consumer Privacy Act (CCPA) as amended by CPRA
Virginia CDPA / Colorado CPA / Connecticut CTDPA / Utah UCPA
Children's Online Privacy Protection Act (COPPA)