Privacy Policy on the Processing of Personal Data — GuideXpress
This privacy policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) and Italian Legislative Decree no. 196 of 30 June 2003, as amended by Legislative Decree no. 101 of 10 August 2018 (“Privacy Code”), to users of the GuideXpress mobile application and related services. Reading is recommended before creating an account, enabling geolocation, or using the App’s features.
In brief
- Who we are: RDITALY S.r.l., based in Aosta. For any questions: info@rditaly.com.
- What we collect: name, email, password (stored only as a one-way hash, never in clear) and, only if you choose, date of birth and gender. If you use social login (Apple, Google, Facebook), we only receive name and email.
- GPS location: only if you give us permission. It is used for automatic audio guides (including in the background) and to show you nearby content. We do not track your movements.
- No advertising: we do not sell your data, we do not do marketing, we do not use advertising SDKs. Zero.
- Anonymous analytics: we analyse the App’s usage with a random identifier, never linked to your account. You can request its deactivation at any time.
- Push notifications: you can enable or disable each type of notification separately (stamps, tour feedback, communications) from the settings.
- Your data is yours: you can edit, export, or delete your entire account in one tap from the Account section. Deletion is immediate and permanent.
- Security: passwords hashed with bcrypt, HTTPS connections, data encrypted at rest (AES-256), database access restricted per user (Row-Level Security).
- Retention: account data as long as you are registered; analytics max 24 months; technical logs max 12 months. After that, everything is deleted.
- Minimum age: 16 years to register. For younger children, a parent can enable the kids listening mode from their own account.
This summary is provided for convenience and does not replace the full privacy policy that follows.
1. Data Controller
The Data Controller is:
RDITALY S.r.l.
Registered office: Via Lavoratori Vittime del Col du Mont, 21 e 24 — 11100 Aosta (AO), Italy
Privacy email: info@rditaly.com
General email: info@rditaly.com
Any reference to “we”, “the Controller”, “the Company” in this policy shall mean RDITALY S.r.l.
2. Data Protection Officer (DPO)
The Controller has voluntarily appointed a Data Protection Officer (DPO) pursuant to Art. 37 GDPR:
Valerio Falcicchio
Email: info@rditaly.com
The data subject may contact the DPO for any matter relating to the processing of their personal data and the exercise of their rights under the GDPR.
3. Scope of application
This privacy policy applies to:
- the GuideXpress mobile application (Apple App Store and Google Play Store);
- the website guidexpress.com and its subdomains;
- the portal policy.guidexpress.com;
- ancillary services (georeferenced audio guides, gamification, push notifications, geolocated exploration).
It does not apply to third-party sites or services linked from the App.
4. Categories of personal data processed
4.1 Data voluntarily provided by the user
Email/password registration:
- first and last name;
- email address;
- password (stored only as a one-way bcrypt hash; the clear-text password is never retained);
- optional: date of birth and gender.
Social login (Apple, Google, Facebook): provider identifier, email, display name.
During use: avatar, system preferences, favourites, itineraries, feedback, support tickets.
4.2 Data collected automatically
Geolocation: real-time and background GPS coordinates (only with the user’s permission).
Device and usage: pseudonymous UUID, device model, OS, App version, language, FCM token, App interactions, crash reports.
Gamification: POIs visited, stamps earned, wallet transactions, tour completion.
4.3 Data received from third parties
In case of social login, only the data indicated in par. 4.1 according to the provider’s settings.
4.4 Special categories of data
The Controller does not request or intentionally process special categories of data (Art. 9 GDPR).
4.5 Data relating to minors
The App is intended for users aged 16 or older. The kids listening mode can only be activated manually by the adult account holder. In this scenario, no data is collected from the minor.
Should the Controller become aware of data relating to minors under 16 without parental authorisation, it will promptly delete the data and the account.
5. Purposes of processing and legal bases
5.1 Service provision (Art. 6.1.b GDPR)
Account, App features, audio guides, favourites, gamification, technical support.
5.2 Geolocation (consent — Art. 6.1.a GDPR)
Consent collected at two levels: OS permission + in-app information screen.
| Purpose | Type | Data collected |
|---|---|---|
| Proximity content | Core | GPS coordinates in memory (not persisted) |
| Automatic audio guides | Core | GPS coordinates in memory (not persisted) |
| POI visit registration for stamps | Core | Visit event (not the coordinates) |
| Map navigation | Core | Coordinates sent to Mapbox |
| Location during audio events (analytics) | Improvement | Pseudonymised coordinates, max 24 months |
Revocation possible at any time from the device settings.
5.3 Push notifications (consent — Art. 6.1.a GDPR)
Stamps, tour feedback, informational communications. Each category can be disabled independently.
5.4 Legal obligations (Art. 6.1.c GDPR)
Tax, accounting obligations and requests from Authorities.
5.5 Legitimate interest (Art. 6.1.f GDPR)
Security, diagnostics, pseudonymised analytics. GPS coordinates are never processed on the basis of legitimate interest.
Objection possible at any time by writing to info@rditaly.com.
5.6 Defence in legal proceedings (Art. 6.1.f GDPR)
For the strictly necessary duration.
6. Processing methods and security measures
- Encryption: TLS 1.2+, AES-256 at-rest, bcrypt for passwords, iOS Keychain / Android Keystore for on-device credentials.
- Access control: Row-Level Security, SECURITY DEFINER for critical functions, login attempts limited to a maximum of 5.
- Pseudonymisation: separate analytics schema, UUID not linked to the account, no lookup table linking the two.
- Continuity: encrypted backups (max 30 days), dev/production segregation.
- Organisation: staff training, data breach notification procedure (within 72 hours, Art. 33 GDPR), DPIA available on request.
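The two database controls named above, Row-Level Security and SECURITY DEFINER functions, are shown below in PostgreSQL syntax as an added illustration; this is not RDITALY's schema or code. Table and column names (favourites, visits, user_id, poi_id) and the function record_visit are assumed for the example; auth.uid() is the helper Supabase exposes to read the caller's authenticated user id from the request JWT. The point a practitioner should take from it is that RLS only restricts rows for roles subject to the policies, and that a SECURITY DEFINER function runs with its owner's privileges, so it must pin search_path, derive the acting user from the session rather than from a parameter, and not be executable by PUBLIC.

```sql
-- Added example, not RDITALY's schema. Names are assumptions for illustration.

create table if not exists favourites (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid(),   -- auth.uid(): Supabase helper
  poi_id     text not null,
  created_at timestamptz not null default now()
);

create table if not exists visits (
  id         bigint generated always as identity primary key,
  user_id    uuid not null,
  poi_id     text not null,
  visited_at timestamptz not null default now()
);

-- Without RLS, any role holding SELECT on the table reads every user's rows.
alter table favourites enable row level security;
alter table favourites force row level security;  -- also binds the table owner
alter table visits     enable row level security;
alter table visits     force row level security;

-- Each authenticated user may only see and change rows carrying their own id.
create policy favourites_owner_select on favourites
  for select to authenticated
  using (user_id = auth.uid());

create policy favourites_owner_insert on favourites
  for insert to authenticated
  with check (user_id = auth.uid());

create policy favourites_owner_delete on favourites
  for delete to authenticated
  using (user_id = auth.uid());

-- Visits are read by their owner but written only through the function below,
-- so no INSERT policy is granted to the client role.
create policy visits_owner_select on visits
  for select to authenticated
  using (user_id = auth.uid());

-- A SECURITY DEFINER function executes with the privileges of its owner, not
-- the caller, so the caller's policies do not constrain it. Three controls
-- keep it from becoming a back door around RLS:
--   1. pin search_path so a caller cannot shadow the objects it references;
--   2. take the acting user from the session (auth.uid()), never as a parameter;
--   3. drop the default PUBLIC execute grant and grant only the intended role.
create or replace function record_visit(p_poi_id text)
returns void
language plpgsql
security definer
set search_path = public, pg_temp
as $$
begin
  if auth.uid() is null then
    raise exception 'not authenticated';
  end if;
  if p_poi_id is null or length(p_poi_id) = 0 then
    raise exception 'poi_id required';
  end if;
  insert into visits (user_id, poi_id)
  values (auth.uid(), p_poi_id);
end;
$$;

revoke execute on function record_visit(text) from public;
grant  execute on function record_visit(text) to authenticated;
```

A quick check after deploying policies like these is to query the table from two different user sessions and confirm each sees only its own rows; a SECURITY DEFINER function that accepts a user id as an argument, or that is callable by PUBLIC, fails that check for the visits table regardless of how the policies are written.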
7. Recipients
| Category | Entities | Role |
|---|---|---|
| Cloud infrastructure | Supabase, Inc. | Processor (Art. 28) |
| Push notifications | Google LLC (FCM) | Processor |
| Maps | Mapbox, Inc. | Processor |
| Social login | Apple, Google, Meta | Independent controllers |
| Ticketing | RDITALY (Perfex CRM) | Internal |
| Consultants | Law firms, accountants | Processors/controllers |
| Authorities | Judicial, tax authorities | Independent controllers |
Data is not sold or transferred to third parties for marketing or profiling purposes.
8. Transfers outside the EEA
| Provider | Data | Safeguard |
|---|---|---|
| Google LLC | FCM token, ID, email, name | EU-U.S. DPF + SCC |
| Apple Inc. | Apple ID, email relay, name | EU-U.S. DPF + SCC |
| Meta Platforms | Facebook ID, email, name | EU-U.S. DPF + SCC |
| Supabase, Inc. | Account, preferences, stamps, avatar | SCC + supplementary measures |
| Mapbox, Inc. | GPS coordinates, IP | SCC + supplementary measures |
Copy of safeguards available on request at info@rditaly.com.
9. Retention period
| Category | Period |
|---|---|
| Account data | Duration of registration (immediate deletion on request) |
| Gamification | Until account deletion |
| Push tokens | Until deactivation or deletion |
| Technical logs / crash | Max 12 months |
| Pseudonymised analytics | Max 24 months |
| Support tickets | 24 months from closure |
| Tax data | 10 years (Art. 2220 Italian Civil Code) |
| Legal defence | Until conclusion + statute of limitations |
10. Data subject rights
- Access (Art. 15) — confirmation and copy of data
- Rectification (Art. 16) — correction of inaccurate data
- Erasure (Art. 17) — right to be forgotten
- Restriction (Art. 18) — restriction of processing
- Portability (Art. 20) — data in JSON format
- Objection (Art. 21) — to legitimate interest
- Automated decisions (Art. 22) — the Controller does not make any
- Withdraw consent (Art. 7.3) — at any time
- Complaint (Art. 77) — to the Italian Data Protection Authority
11. How to exercise your rights
- From the App: Account → Settings (immediate deletion)
- Email: info@rditaly.com
- Post: RDITALY S.r.l., Via Lavoratori Vittime del Col du Mont, 21 e 24 — 11100 Aosta (AO), Italy
Response within 30 days (extendable by 2 months). Exercise is free of charge.
11.1 Account deletion
From the App (Account → Delete account): immediate removal of profile, favourites, stamps, wallet, visits, notifications, tokens, avatar and local data. Residual data: backups (max 30 days), pseudonymised analytics (not linkable), data required by law.
12. Cookies and tracking technologies
The App does not use cookies. It generates a random local UUID for aggregate analytics, not linked to the account or hardware. Retained for max 24 months. Re-identification risk assessed in the DPIA.
13. Personalisation, automated processing and marketing
| Processing | Data | Legal basis | Profile? |
|---|---|---|---|
| Homepage by proximity | Current GPS | Consent | No |
| Listening mode by age | Date of birth | Contract | No |
| Sorting by city | City chosen | Contract | No |
| Digital stamps | POIs visited | Contract | No |
| Analytics | Screens, events | Legitimate interest | No |
No profiling, no segmentation, no personalised suggestions. No advertising SDK integrated.
14. Data provision
Mandatory data is required for the account. Optional data (birth, gender, avatar, GPS, notifications): voluntary, refusal only limits the related features.
15. Changes to this policy
Non-substantial: published directly. Substantial: 30 days’ notice + new consent if required. Continued use does not constitute tacit consent.
16. Jurisdiction and applicable law
Italian law and GDPR. Court of the consumer’s residence or Court of Aosta.