Places & Attractions·Upcoming events·Experiences & Activities

Privacy Policy

This Privacy Policy describes how GuardaMe collects, uses, retains and protects the personal data of users of the SalentoMe.com site (also accessible via the PugliaMe.com domain). The Policy is provided in compliance with Regulation (EU) 2016/679 (GDPR), Italian Legislative Decree 196/2003 as amended (Italian Privacy Code) and Directive 2002/58/EC (ePrivacy).

1. Data controller

The data controller of personal data collected via the Site is GuardaMe. The controller's full identification details (registered name, VAT number, registered office, reference email address) are shown in the Contact section of the Site.

GuardaMe is not currently required to appoint a Data Protection Officer (DPO) under Article 37 GDPR; an internal contact point for privacy matters is however always available via the Contact page.

2. Personal data we collect

GuardaMe processes the following categories of personal data:

  • Account registration data (optional) - first name, last name, email address, password (stored hashed using bcrypt), and optionally preferred language and approximate geographic location (reference municipality) for result personalisation.
  • Site usage data - IP address, browser and device type, pages visited, favourited activities, session duration, referrer page.
  • Contact and support data - name, email address and message content when you write to us via the Contact page.
  • Technical security data - server access logs, failed authentication attempts, session tokens, anti-abuse and anti-spam protection data.
  • Administration data (admin accounts only) - TOTP secret for two-factor authentication.

GuardaMe does not knowingly collect data falling within the special categories under Article 9 GDPR (racial or ethnic origin, political or religious beliefs, health, sexual life, biometric or genetic data).

3. Purposes of processing and lawful bases

Personal data are processed for the following purposes, each grounded in a specific lawful basis under Article 6 GDPR:

  • Service provision (account creation, favourites management, locale and language personalisation) - lawful basis: performance of a contract to which the data subject is party (Art. 6.1.b).
  • Responding to contact requests - lawful basis: legitimate interest in answering users who initiate the communication (Art. 6.1.f).
  • Site security, prevention of abuse, fraud and unauthorised access - lawful basis: legitimate interest in protecting the Site and its users (Art. 6.1.f).
  • Aggregate usage statistics via Google Analytics in aggregated and anonymised mode - lawful basis: legitimate interest in service improvement, subject to the specific consent required for analytics cookies (see Cookie Policy).
  • Compliance with legal obligations - lawful basis: legal obligation (Art. 6.1.c), e.g. for judicial or police authority requests.

Providing registration and contact data is optional; refusal results in the inability to access features that require an account (favourites, profile) or to receive a response from the support team.

4. Recipients and external processors

GuardaMe may share personal data with the following parties, each appointed as a processor under Article 28 GDPR or acting as an independent controller for its own purposes:

  • Amazon Web Services EMEA SARL (Luxembourg / EU data centres) - hosting provider for the Site and backend data.
  • Cloudflare Inc. (USA) - CDN, DDoS mitigation and DNS infrastructure provider. Cloudflare may process the user's IP address as an independent controller for its own security purposes.
  • Google Ireland Ltd. (Ireland, with Google LLC global infrastructure) - provider of Google Analytics, Google Tag Manager, Google Maps Platform and Google Places. For processing details see the Google Privacy Policy.
  • Meta Platforms Ireland Ltd. (Ireland) - provider of the Instagram and Facebook embeds used for event curation. For details see Meta's Privacy Policy.
  • Anthropic PBC (USA) - provider of the AI model (Claude) used for translation and generation of textual descriptions. Only content related to published activities (titles, descriptions in the original language) is sent to the service; no identifying data of Site users is transmitted.
  • Transactional email providers - used to send service emails (account verification, password reset, confirmations). The data transmitted includes the email address and the content of the service message.

GuardaMe does not sell personal data to third parties and does not use them for automated profiling producing legal effects on the data subject.

5. International data transfers

Some of the providers listed above are based in the United States. The transfer of data outside the European Economic Area takes place only with appropriate legal safeguards, under the mechanisms provided by Chapter V GDPR:

  • the EU-US Adequacy Decision (Data Privacy Framework, European Commission Decision 2023/1795) for certified providers (Google LLC, Meta Platforms Inc., Cloudflare Inc., Anthropic PBC where applicable);
  • otherwise, Standard Contractual Clauses approved by the European Commission (Decision 2021/914), supplemented where necessary by additional measures.

You may obtain a copy of the safeguards applied by contacting GuardaMe via the Contact page.

6. Retention periods

GuardaMe retains personal data only for as long as is strictly necessary to achieve the purposes for which they were collected. In particular:

  • Account registration data - until the user deletes the account, plus 30 days of technical retention to enable possible restoration or residual obligations.
  • Server technical logs and security data - typically 90 days, subject to extensions justified by security incidents or requests from competent authorities.
  • Contact and support data - up to 24 months from the last communication, unless a legal obligation requires longer retention.
  • Data collected via cookies and measurement tools - according to the periods indicated in the Cookie Policy.

At the expiry of the indicated periods, data are deleted or irreversibly anonymised.

7. Cookies and similar technologies

The Site uses technical and preference cookies and - subject to consent under Article 122 of the Italian Privacy Code - analytics and third-party cookies. Detailed information on categories, individual cookies, providers and retention periods is available in the Cookie Policy, which forms an integral part of this Privacy Policy. You can change your preferences at any time via the cookie-management banner available at the foot of every page of the Site.

8. Data subject rights

Under Articles 15-22 GDPR you have the right, at any time, to:

  • Access (Art. 15) - obtain confirmation of processing and a copy of your personal data;
  • Rectification (Art. 16) - request the correction of inaccurate data or completion of incomplete data;
  • Erasure (Art. 17, "right to be forgotten") - request deletion of your data in the cases provided by law;
  • Restriction (Art. 18) - request restriction of processing in the cases provided by law;
  • Portability (Art. 20) - receive your data in a structured, commonly used and machine-readable format, and transmit them to another controller;
  • Objection (Art. 21) - object to processing based on legitimate interest, except for compelling grounds that justify continuation;
  • Withdrawal of consent (Art. 7.3) - where processing is based on consent, with effect for the future.

Requests may be submitted via the Contact page. GuardaMe responds within 30 days, extendable by a further 60 days for complex requests.

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) (website: garanteprivacy.it) or with any other competent supervisory authority.

9. Minors

The Site is not intended for minors under 14. Under Article 2-quinquies of the Italian Privacy Code (introduced by Legislative Decree 101/2018), a minor aged 14 or over may independently consent to the processing of their data for information-society services; below that age the consent or authorisation of the holder of parental responsibility is required.

GuardaMe does not knowingly collect data from minors under 14. Should a parent or guardian become aware that a minor has provided personal data without authorisation, deletion may be requested via the Contact page.

10. Data security

GuardaMe applies appropriate technical and organisational measures to protect personal data against destruction, loss, alteration, unauthorised disclosure or access. These measures include, among others: encrypted HTTPS transmission with HSTS, passwords stored via bcrypt hashing, two-factor authentication for administrator accounts, database access segregation, security logs and regular backups.

However, no system can guarantee absolute security. In the event of a personal-data breach posing a risk to the rights and freedoms of data subjects, GuardaMe will make the notifications required by Articles 33 and 34 GDPR within the prescribed timeframes.

11. Changes to this Policy

GuardaMe reserves the right to update this Privacy Policy at any time, including to adapt to regulatory changes, new Site features or new providers. Material changes will be communicated by notice on the Site and, for registered users, by email, with reasonable advance notice before they take effect. The date of the most recent update is shown at the bottom of this page.

12. Contact

For any request concerning this Policy or the exercise of GDPR rights, you can contact GuardaMe via the Contact page. Responses are typically provided within 30 days of receipt.