Privacy Policy

This information is provided in accordance with Article 13 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) to all users accessing and interacting with the website www.monumentiaperti.com (hereinafter “Site”) and the mobile applications called “Open Monuments” operated by the Data Controller (hereinafter “Applications”). The purpose of this policy is to explain in a clear and transparent manner how the personal data of the users of the Site are processed and what the rights of the data subjects are.

Data Controller

The Data Controller of the personal data collected through the Site and Applications is Imago Mundi OdV, P. IVA 02175490925, with registered office in Via Fleming 2A, 09126 Cagliari (CA). For any request or to exercise your rights regarding the protection of personal data, you can contact the Data Controller at the e-mail address: privacy@monumentiaperti.com

Type of Data Processed

Through the Site and Applications, common personal data provided directly by users are collected and processed, specifically:

  • Personal and contact information: first name, last name, email address, phone number.
  • Additional personal data: age, gender, country, region, city of residence, geographic location data collected through the Application.

No information belonging to special categories of data (such as health data, judicial data, etc.) is requested or processed through the functionality of the Site and Applications.

Purpose of Treatment

Personal data provided by users are collected and used exclusively for the following purposes:

  • Provision of requested services: managing reservations for visits to monuments and responding to inquiries about monuments and cultural activities described on the Site and Applications. Geographic location data is acquired in the background (for the purpose of statistical analysis on the number of visitors to the monuments) and actively in case you want to know your location on the map containing the monuments.
  • Sending informative newsletters: send periodically via email an informative newsletter (non-commercial in nature) containing news and updates on tourist and cultural activities related to the Monumenti Aperti project and the territory.

In any case, the data collected will not be used for purposes other than those stated in this policy without informing you in advance and, where necessary, obtaining your consent.

Legal Basis of Treatment

The processing of users’ personal data is based on the following legal bases, pursuant to Article 6 of the GDPR:

  • Consent of the data subject: for sending the informative newsletter and for any activity not strictly related to a service requested by the data subject, processing is based on the free and specific consent provided by the user. The user has the right to revoke any consent given at any time.
  • Execution of a contract or pre-contractual measures: for the management of reservations, the provision of services expressly requested by the user or the response to specific requests, the processing of data is necessary for the execution of a service (or pre-contractual measures) adopted at the request of the user.

Use of Third Party Tools

The Site and Applications may contain tools and components provided by third parties, used for purposes of analysis and integration with social networks, which may involve the processing of user data. In particular, the Site and Applications may use:

  • Analytics and tracking tools: such as Google Firebase and Google Analytics (where enabled on the Site or Applications) or similar services to enable you to register and access the Application, and to collect aggregate statistical information about your use of the Site and Applications. These tools use cookies or similar technologies to collect browsing data (in anonymized or aggregate form) in order to understand how the Site or Applications are used and to improve the quality of service.

  • Social plugins: links and components provided by third-party platforms such as LinkedIn, YouTube, Instagram, and X (formerly Twitter) that allow interaction with social networks directly from the pages of the Site or Applications (e.g., “Share” buttons or social widgets). These plugins may collect data about your visit to the Site or Applications (e.g., IP address and browser information), as provided by each platform’s privacy settings.

The information collected by these third parties through the above tools is processed by the respective providers according to their own privacy policies and is not directly accessible to the Data Controller. Users are invited to consult the privacy policies of these third-party services for more details on the data processing carried out by them. In any case, through the browser settings or through the appropriate cookie banner (where provided), the user can manage consent to the use of cookies and such tracking tools.

Mode of Treatment

The processing of personal data is carried out using methods and tools that guarantee the security and confidentiality of the data, in accordance with applicable European and national legislation. In particular, the data will be processed:

  • By computer and telematic means: data collected are stored digitally on protected systems.
  • In accordance with the principles of necessity and minimization: only the data strictly necessary to pursue the stated purposes and for the time strictly necessary to achieve the purposes for which they were collected are processed.
  • With adequate security measures: appropriate technical and organizational measures are taken to prevent unauthorized access, disclosure, modification or loss of data. The Controller processes data lawfully and fairly, ensuring the confidentiality of information and avoiding impermissible or risky processing.

Processing is mainly carried out at the Data Controller’s premises and possibly at external IT service providers (e.g., companies providing hosting services for the Site or Applications or platforms for sending newsletters), specifically appointed as Data Processors where necessary, who ensure compliance with privacy regulations.

Recipients of Personal Data

Users’ personal data are processed by the Data Controller and expressly authorized personnel (e.g. collaborators and volunteers of Imago Mundi OdV) for the purposes indicated. Data will not be disclosed to third parties for commercial or marketing purposes.

However, some data may be disclosed to third party service providers necessary for the technical or organizational management of the Site and Applications and for the provision of the requested activities, exclusively for the purposes described above. For example, the following may be involved:

  • IT companies or suppliers that manage the technical infrastructure of the Site and Applications or reservation systems.
  • Service providers for sending email newsletters.
  • Other individuals who provide assistance or advice to the Controller (e.g. in technical, organizational or legal matters).

These individuals will process personal data exclusively on behalf of the Data Controller and in accordance with its instructions; to this end, they have been (or will be) appointed as External Data Processors in accordance with Article 28 GDPR, undertaking to comply with appropriate security measures and data protection levels. The full list of any designated External Processors can be obtained by contacting the Data Controller. Users’ personal data may also be disclosed to public authorities or entities where required by law or necessary to fulfill specific legal obligations.

Transfer of data outside the EU

Personal data are processed mainly within the European Union.

However, the use of particular digital platforms (e.g. email providers or contact forms or newsletters) could, even if only temporarily, result in a partial transfer of some personal data even outside the European Union and in particular to the United States. In such limited cases, the transfer will nevertheless take place in compliance with the rights and safeguards provided for by current legislation, subject to verification that the country in question guarantees an “adequate” level of protection. With regard to the possible transfer of data to providers based in the United States, the transfer will still take place in compliance with the so-called “Privacy Shield 2” referred to in the European Commission’s Adequacy Decision of July 10, 2023 Document No. C(2023) 4745 final.

Data Retention Period

Personal data are retained by the Data Controller for the time strictly necessary to achieve the purposes for which they were collected, in accordance with the principles of data retention limitation and minimization (Art. 5 GDPR). Specifically:

  • Data for booking services and requests: data provided by the user for information requests or for booking guided tours will be kept for the time necessary to fulfill the request or to manage the booking, and thereafter for such further period as may be required by law (e.g., for administrative, accounting, or dispute management purposes).
  • Data for sending newsletters: the data (such as email address) used to subscribe to the informative newsletter will be kept until the user decides to unsubscribe from the service (by revoking consent and requesting deletion from the mailing list). Unsubscription can be done at any time via the appropriate link at the bottom of each email newsletter or by contacting the Owner directly.

At the end of the above retention periods, personal data will be deleted or anonymized, or retained in aggregate form (devoid of identifying elements), unless further retention is necessary to fulfill legal obligations or to protect a right in court.

Rights of Interested Parties

Pursuant to Articles 15-22 of the GDPR, users of the Site or Applications, as data subjects, may exercise the following rights:

  • Right of access: to obtain confirmation of the existence or non-existence of personal data concerning them, to access such data and to receive information about the purposes, categories of data processed, recipients or categories of recipients to whom the data are disclosed and, when possible, the retention period.
  • Right of rectification: to obtain rectification of inaccurate personal data or supplementation of incomplete data concerning them.
  • Right to deletion: to obtain the deletion of personal data concerning them, in the cases provided for in Article 17 GDPR (e.g. if the data are no longer necessary in relation to the original purpose, if the user revokes consent and there is no other legal basis for processing, etc.).
  • Right to restriction of processing: to obtain restriction of processing in the cases provided for in Article 18 GDPR (e.g. when the user disputes the accuracy of personal data, for the period necessary to verify that accuracy, or if the processing is unlawful but the user objects to the deletion of the data and instead requests that its use be restricted).
  • Right to object: to object at any time, for reasons related to the user’s particular situation, to the processing of personal data based on a legitimate interest of the Data Controller or a public interest mission. In addition, the user always has the right to object if the data is processed for direct marketing purposes.
  • Right to data portability: to receive in a structured, commonly used, machine-readable format the personal data you provide to the Data Controller and to transmit it to another data controller, where technically feasible, without hindrance from the Data Controller (in accordance with Article 20 GDPR).
  • Right to revoke consent: when processing is based on consent, to revoke the consent previously given at any time, without affecting the lawfulness of the processing carried out before revocation.

For the exercise of any right, the user may send a written communication to the Data Controller at the email address: privacy@monumentiaperti.com, specifying the nature of the request. The Data Controller will provide feedback without undue delay and within the time limits established by Article 12 GDPR.

In addition, if a user believes that the processing of his or her personal data is taking place in violation of applicable law, he or she has the right to lodge a complaint with the Italian Data Protection Authority (in Italy, www.garanteprivacy.it) or to take legal action as provided. The user may also appeal to the competent supervisory authority in the other EU member state where he or she normally resides or works, or of the place where the alleged violation occurred.

Updates: This Privacy Policy may be subject to change or update. Any material changes will be notified through the Site or Applications (e.g., through dedicated notices or banners). Users are encouraged to check this page periodically for changes.