Privacy Policy

Privacy Policy

Pursuant to articles 13 and 14 of EU Regulation 2016/679 (GDPR). Last updated: 14 July 2026

1. Data Controller

CostabileRent Two S.R.L.S., VAT no. IT09111881216
Via Iasolino 94 — 80077 Ischia, Italy
E-mail: info@openbustourischia.com
Phone: +39 320 421 8039

The Controller has not appointed a Data Protection Officer (DPO) as the conditions of art. 37 GDPR do not apply.

2. Categories of personal data

We process the following categories of personal data:

  • Contact and identification data: first name, last name, e-mail, phone number, preferred language.
  • Booking data: date, slot, number of adults / children, selected seats, amount, optional notes to the operator.
  • Payment data: Stripe transaction identifier (PaymentIntent ID), amount, currency, status. We do not store full credit-card numbers or CVV security codes.
  • Account data (registered users): e-mail, hashed password, login IP, session logs.
  • Technical data: IP address, user-agent, pages visited, referrers, visit timestamps, session identifiers.
  • Consent data: we record your choices on the cookie banner (categories accepted / rejected, date, anonymised IP) to demonstrate that consent was given as required by art. 7 GDPR.
  • Marketing communication data (only if you opt in): preferences, opens and clicks on promotional e-mails.

We do not intentionally collect special categories of personal data (art. 9 GDPR — racial origin, political opinions, health data, etc.).

3. Purposes and legal bases

PurposeLegal basisRetention
Performance of the booking and delivery of the ServicePerformance of a contract — art. 6.1.b GDPR10 years (Italian accounting rules — art. 2220 c.c.)
Invoicing, accounting records, tax obligationsLegal obligation — art. 6.1.c GDPR10 years
Transactional communications (confirmation, reminders, changes, refunds)Performance of the contract — art. 6.1.b GDPRUntil service completion + 3 years
Managing your user accountPerformance of the contract — art. 6.1.b GDPRUntil account deletion
Marketing communications (offers, news)Consent — art. 6.1.a GDPR (revocable at any time)Until consent is withdrawn
Aggregated website analyticsLegitimate interest — art. 6.1.f GDPR (anonymous measurement) or consent (if analytics cookies)14 months
Security, fraud and abuse prevention, audit logLegitimate interest — art. 6.1.f GDPR12 months (generic logs) / 24 months (security audit)
Compliance with legal obligations and legal defenceLegal obligation and legitimate interest — art. 6.1.c and 6.1.f GDPRFor the time strictly necessary to enforce or defend a right

4. Data recipients

Your data may be shared with:

  • Stripe Payments Europe, Ltd. — payment service provider (registered in Ireland; GDPR and PCI-DSS Level 1 compliant).
  • Hosting provider: European servers compliant with GDPR; data is physically stored within the European Union.
  • Transactional e-mail provider (e.g. SMTP relay): for reliable delivery of confirmation and reminder e-mails.
  • Authorised accounting and tax consultants: for compliance with statutory obligations.
  • Competent authorities: where required by law or by a court order.

All external providers act as Data Processors appointed under art. 28 GDPR. Data is not sold to third parties for commercial purposes.

5. Transfers outside the EU

We do not systematically transfer data outside the European Economic Area. Should a provider (e.g. Stripe) transfer data to a non-EU group company, the transfer takes place under Standard Contractual Clauses approved by the European Commission (decision 2021/914/EU) and with appropriate supplementary safeguards.

6. Your rights

As a data subject you have the right to:

  • Access (art. 15) — obtain confirmation that data is processed and a copy of your data;
  • Rectification (art. 16) — request correction of inaccurate or incomplete data;
  • Erasure (art. 17) — request deletion of your data in the cases provided;
  • Restriction (art. 18) — request the temporary suspension of processing;
  • Portability (art. 20) — receive your data in a structured, machine-readable format;
  • Object (art. 21) — object to processing based on legitimate interest;
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
  • Lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or with your national supervisory authority.

To exercise your rights please write to info@openbustourischia.com. We will reply without undue delay and in any case within 30 days.

The "My account" panel of the website also offers self-service tools to export and delete your data, integrated with the WordPress native privacy tools (art. 20 GDPR).

7. Cookies and similar technologies

The website uses strictly necessary cookies and, subject to your consent, preference, analytics and marketing cookies. For full details, purposes and duration of each cookie please refer to the Cookie Policy. You can change your preferences at any time through the “Manage cookies” button at the bottom of every page.

8. Security of data

We adopt technical and organisational measures appropriate to the risk: HTTPS connection, password hashing (phpass/bcrypt), role-based access control (admin, manager, customer), audit logging of sensitive activity, encrypted backups, segregation of development and production environments, regular dependency updates.

9. Provision of data

Providing identification and contact data is required to complete the booking and receive the ticket: refusal makes it impossible to deliver the Service. Marketing consent is optional and does not affect access to the Service.

10. Automated decision-making

We do not carry out solely automated decisions, including profiling, producing legal effects or similarly significantly affecting you (art. 22 GDPR).

11. Changes to this Privacy Policy

We will communicate material changes to you by e-mail (if you are a registered user) or by a prominent notice on the website. The updated version is always available on this page.