Privacy Policy
Privacy Policy
Pursuant to articles 13 and 14 of EU Regulation 2016/679 (GDPR). Last updated: 14 July 2026
1. Data Controller
CostabileRent Two S.R.L.S., VAT no. IT09111881216
Via Iasolino 94 — 80077 Ischia, Italy
E-mail: info@openbustourischia.com
Phone: +39 320 421 8039
The Controller has not appointed a Data Protection Officer (DPO) as the conditions of art. 37 GDPR do not apply.
2. Categories of personal data
We process the following categories of personal data:
- Contact and identification data: first name, last name, e-mail, phone number, preferred language.
- Booking data: date, slot, number of adults / children, selected seats, amount, optional notes to the operator.
- Payment data: Stripe transaction identifier (PaymentIntent ID), amount, currency, status. We do not store full credit-card numbers or CVV security codes.
- Account data (registered users): e-mail, hashed password, login IP, session logs.
- Technical data: IP address, user-agent, pages visited, referrers, visit timestamps, session identifiers.
- Consent data: we record your choices on the cookie banner (categories accepted / rejected, date, anonymised IP) to demonstrate that consent was given as required by art. 7 GDPR.
- Marketing communication data (only if you opt in): preferences, opens and clicks on promotional e-mails.
We do not intentionally collect special categories of personal data (art. 9 GDPR — racial origin, political opinions, health data, etc.).
3. Purposes and legal bases
| Purpose | Legal basis | Retention |
|---|---|---|
| Performance of the booking and delivery of the Service | Performance of a contract — art. 6.1.b GDPR | 10 years (Italian accounting rules — art. 2220 c.c.) |
| Invoicing, accounting records, tax obligations | Legal obligation — art. 6.1.c GDPR | 10 years |
| Transactional communications (confirmation, reminders, changes, refunds) | Performance of the contract — art. 6.1.b GDPR | Until service completion + 3 years |
| Managing your user account | Performance of the contract — art. 6.1.b GDPR | Until account deletion |
| Marketing communications (offers, news) | Consent — art. 6.1.a GDPR (revocable at any time) | Until consent is withdrawn |
| Aggregated website analytics | Legitimate interest — art. 6.1.f GDPR (anonymous measurement) or consent (if analytics cookies) | 14 months |
| Security, fraud and abuse prevention, audit log | Legitimate interest — art. 6.1.f GDPR | 12 months (generic logs) / 24 months (security audit) |
| Compliance with legal obligations and legal defence | Legal obligation and legitimate interest — art. 6.1.c and 6.1.f GDPR | For the time strictly necessary to enforce or defend a right |
4. Data recipients
Your data may be shared with:
- Stripe Payments Europe, Ltd. — payment service provider (registered in Ireland; GDPR and PCI-DSS Level 1 compliant).
- Hosting provider: European servers compliant with GDPR; data is physically stored within the European Union.
- Transactional e-mail provider (e.g. SMTP relay): for reliable delivery of confirmation and reminder e-mails.
- Authorised accounting and tax consultants: for compliance with statutory obligations.
- Competent authorities: where required by law or by a court order.
All external providers act as Data Processors appointed under art. 28 GDPR. Data is not sold to third parties for commercial purposes.
5. Transfers outside the EU
We do not systematically transfer data outside the European Economic Area. Should a provider (e.g. Stripe) transfer data to a non-EU group company, the transfer takes place under Standard Contractual Clauses approved by the European Commission (decision 2021/914/EU) and with appropriate supplementary safeguards.
6. Your rights
As a data subject you have the right to:
- Access (art. 15) — obtain confirmation that data is processed and a copy of your data;
- Rectification (art. 16) — request correction of inaccurate or incomplete data;
- Erasure (art. 17) — request deletion of your data in the cases provided;
- Restriction (art. 18) — request the temporary suspension of processing;
- Portability (art. 20) — receive your data in a structured, machine-readable format;
- Object (art. 21) — object to processing based on legitimate interest;
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
- Lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or with your national supervisory authority.
To exercise your rights please write to info@openbustourischia.com. We will reply without undue delay and in any case within 30 days.
The "My account" panel of the website also offers self-service tools to export and delete your data, integrated with the WordPress native privacy tools (art. 20 GDPR).
7. Cookies and similar technologies
The website uses strictly necessary cookies and, subject to your consent, preference, analytics and marketing cookies. For full details, purposes and duration of each cookie please refer to the Cookie Policy. You can change your preferences at any time through the “Manage cookies” button at the bottom of every page.
8. Security of data
We adopt technical and organisational measures appropriate to the risk: HTTPS connection, password hashing (phpass/bcrypt), role-based access control (admin, manager, customer), audit logging of sensitive activity, encrypted backups, segregation of development and production environments, regular dependency updates.
9. Provision of data
Providing identification and contact data is required to complete the booking and receive the ticket: refusal makes it impossible to deliver the Service. Marketing consent is optional and does not affect access to the Service.
10. Automated decision-making
We do not carry out solely automated decisions, including profiling, producing legal effects or similarly significantly affecting you (art. 22 GDPR).
11. Changes to this Privacy Policy
We will communicate material changes to you by e-mail (if you are a registered user) or by a prominent notice on the website. The updated version is always available on this page.