{"id":96,"date":"2025-11-17T09:38:15","date_gmt":"2025-11-17T09:38:15","guid":{"rendered":"https:\/\/policy.guidexpress.com\/privacy-policy\/"},"modified":"2026-04-20T09:53:05","modified_gmt":"2026-04-20T09:53:05","slug":"privacy-policy","status":"publish","type":"page","link":"https:\/\/policy.guidexpress.com\/en\/","title":{"rendered":"Privacy Policy"},"content":{"rendered":"<div class=\"container\">\n<h2>Privacy Policy on the Processing of Personal Data \u2014 GuideXpress<\/h2>\n<div class=\"meta\"><strong>Last updated:<\/strong> 17 April 2026<br \/>\n<strong>Version:<\/strong> 1.0<\/div>\n<p class=\"intro\">This privacy policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016\/679 (&#8220;GDPR&#8221;) and Italian Legislative Decree no. 196 of 30 June 2003, as amended by Legislative Decree no. 101 of 10 August 2018 (&#8220;Privacy Code&#8221;), to users of the GuideXpress mobile application and related services. Reading is recommended before creating an account, enabling geolocation, or using the App&#8217;s features.<\/p>\n<div class=\"summary\">\n<h3>In brief<\/h3>\n<ul>\n<li><strong>Who we are<\/strong>: RDITALY S.r.l., based in Aosta. For any questions: <a href=\"mailto:info@rditaly.com\">info@rditaly.com<\/a>.<\/li>\n<li><strong>What we collect<\/strong>: name, email, password (encrypted) and, only if you choose, date of birth and gender. If you use social login (Apple, Google, Facebook), we only receive name and email.<\/li>\n<li><strong>GPS location<\/strong>: only if you give us permission. It is used for automatic audio guides (including in the background) and to show you nearby content. We do not track your movements.<\/li>\n<li><strong>No advertising<\/strong>: we do not sell your data, we do not do marketing, we do not use advertising SDKs. Zero.<\/li>\n<li><strong>Anonymous analytics<\/strong>: we analyse the App&#8217;s usage with a random identifier, never linked to your account. You can request its deactivation at any time.<\/li>\n<li><strong>Push notifications<\/strong>: you can enable or disable each type of notification separately (stamps, tour feedback, communications) from the settings.<\/li>\n<li><strong>Your data is yours<\/strong>: you can edit, export, or delete your entire account in one tap from the Account section. Deletion is immediate and permanent.<\/li>\n<li><strong>Security<\/strong>: password encrypted with bcrypt, HTTPS connections, data encrypted at rest (AES-256), database access restricted per user (Row-Level Security).<\/li>\n<li><strong>Retention<\/strong>: account data as long as you are registered; analytics max 24 months; technical logs max 12 months. After that, everything is deleted.<\/li>\n<li><strong>Minimum age<\/strong>: 16 years to register. For younger children, a parent can enable the kids listening mode from their own account.<\/li>\n<\/ul>\n<p class=\"disclaimer\">This summary is provided for convenience and does not replace the full privacy policy that follows.<\/p>\n<\/div>\n<h3>1. Data Controller<\/h3>\n<p>The Data Controller is:<\/p>\n<p><strong>RDITALY S.r.l.<\/strong><br \/>\nRegistered office: Via Lavoratori Vittime del Col du Mont, 21 e 24 \u2014 11100 Aosta (AO), Italy<br \/>\nPrivacy email: <strong><a href=\"mailto:info@rditaly.com\">info@rditaly.com<\/a><\/strong><br \/>\nGeneral email: <a href=\"mailto:info@rditaly.com\">info@rditaly.com<\/a><\/p>\n<p>Any reference to &#8220;we&#8221;, &#8220;the Controller&#8221;, &#8220;the Company&#8221; in this policy shall mean RDITALY S.r.l.<\/p>\n<h3>2. Data Protection Officer (DPO)<\/h3>\n<p>The Controller has voluntarily appointed a Data Protection Officer (DPO) pursuant to Art. 37 GDPR:<\/p>\n<p><strong>Valerio Falcicchio<\/strong><br \/>\nEmail: <strong><a href=\"mailto:info@rditaly.com\">info@rditaly.com<\/a><\/strong><\/p>\n<p>The data subject may contact the DPO for any matter relating to the processing of their personal data and the exercise of their rights under the GDPR.<\/p>\n<h3>3. Scope of application<\/h3>\n<p>This privacy policy applies to:<\/p>\n<ul>\n<li>the <strong>GuideXpress<\/strong> mobile application (Apple App Store and Google Play Store);<\/li>\n<li>the website <strong>guidexpress.com<\/strong> and its subdomains;<\/li>\n<li>the portal <strong>policy.guidexpress.com<\/strong>;<\/li>\n<li>ancillary services (georeferenced audio guides, gamification, push notifications, geolocated exploration).<\/li>\n<\/ul>\n<p>It does not apply to third-party sites or services linked from the App.<\/p>\n<h3>4. Categories of personal data processed<\/h3>\n<h4>4.1 Data voluntarily provided by the user<\/h4>\n<p><strong>Email\/password registration:<\/strong><\/p>\n<ul>\n<li>first and last name;<\/li>\n<li>email address;<\/li>\n<li>password (encrypted with one-way hash);<\/li>\n<li>optional: date of birth and gender.<\/li>\n<\/ul>\n<p><strong>Social login<\/strong> (Apple, Google, Facebook): provider identifier, email, display name.<\/p>\n<p><strong>During use:<\/strong> avatar, system preferences, favourites, itineraries, feedback, support tickets.<\/p>\n<h4>4.2 Data collected automatically<\/h4>\n<p><strong>Geolocation:<\/strong> real-time and background GPS coordinates (only with the user&#8217;s permission).<\/p>\n<p><strong>Device and usage:<\/strong> pseudonymous UUID, device model, OS, App version, language, FCM token, App interactions, crash reports.<\/p>\n<p><strong>Gamification:<\/strong> POIs visited, stamps earned, wallet transactions, tour completion.<\/p>\n<h4>4.3 Data received from third parties<\/h4>\n<p>In case of social login, only the data indicated in par. 4.1 according to the provider&#8217;s settings.<\/p>\n<h4>4.4 Special categories of data<\/h4>\n<p>The Controller <strong>does not request or intentionally process<\/strong> special categories of data (Art. 9 GDPR).<\/p>\n<h4>4.5 Data relating to minors<\/h4>\n<p>The App is intended for users aged <strong>16 or older<\/strong>. The kids listening mode can only be activated manually by the adult account holder. In this scenario, no data is collected from the minor.<\/p>\n<p>Should the Controller become aware of data relating to minors under 16 without parental authorisation, it will promptly delete the data and the account.<\/p>\n<h3>5. Purposes of processing and legal bases<\/h3>\n<h4>5.1 Service provision (Art. 6.1.b GDPR)<\/h4>\n<p>Account, App features, audio guides, favourites, gamification, technical support.<\/p>\n<h4>5.2 Geolocation (consent \u2014 Art. 6.1.a GDPR)<\/h4>\n<p>Consent collected at two levels: OS permission + in-app information screen.<\/p>\n<table>\n<thead>\n<tr>\n<th>Purpose<\/th>\n<th>Type<\/th>\n<th>Data collected<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Proximity content<\/td>\n<td>Core<\/td>\n<td>GPS coordinates in memory (not persisted)<\/td>\n<\/tr>\n<tr>\n<td>Automatic audio guides<\/td>\n<td>Core<\/td>\n<td>GPS coordinates in memory (not persisted)<\/td>\n<\/tr>\n<tr>\n<td>POI visit registration for stamps<\/td>\n<td>Core<\/td>\n<td>Visit event (not the coordinates)<\/td>\n<\/tr>\n<tr>\n<td>Map navigation<\/td>\n<td>Core<\/td>\n<td>Coordinates sent to Mapbox<\/td>\n<\/tr>\n<tr>\n<td>Location during audio events (analytics)<\/td>\n<td>Improvement<\/td>\n<td>Pseudonymised coordinates, max 24 months<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Revocation possible at any time from the device settings.<\/p>\n<h4>5.3 Push notifications (consent \u2014 Art. 6.1.a GDPR)<\/h4>\n<p>Stamps, tour feedback, informational communications. Each category can be disabled independently.<\/p>\n<h4>5.4 Legal obligations (Art. 6.1.c GDPR)<\/h4>\n<p>Tax, accounting obligations and requests from Authorities.<\/p>\n<h4>5.5 Legitimate interest (Art. 6.1.f GDPR)<\/h4>\n<p>Security, diagnostics, pseudonymised analytics. <strong>GPS coordinates are never processed on the basis of legitimate interest.<\/strong><\/p>\n<p>Objection possible at any time by writing to <a href=\"mailto:info@rditaly.com\">info@rditaly.com<\/a>.<\/p>\n<h4>5.6 Defence in legal proceedings (Art. 6.1.f GDPR)<\/h4>\n<p>For the strictly necessary duration.<\/p>\n<h3>6. Processing methods and security measures<\/h3>\n<ul>\n<li><strong>Encryption<\/strong>: TLS 1.2+, AES-256 at-rest, bcrypt for passwords, iOS Keychain \/ Android Keystore for on-device credentials.<\/li>\n<li><strong>Access control<\/strong>: Row-Level Security, SECURITY DEFINER for critical functions, max 5 login attempts.<\/li>\n<li><strong>Pseudonymisation<\/strong>: separate analytics schema, UUID not linked to account, no correspondence tables.<\/li>\n<li><strong>Continuity<\/strong>: encrypted backups (max 30 days), dev\/production segregation.<\/li>\n<li><strong>Organisation<\/strong>: staff training, data breach procedure (72h), DPIA available on request.<\/li>\n<\/ul>\n<h3>7. Recipients<\/h3>\n<table>\n<thead>\n<tr>\n<th>Category<\/th>\n<th>Entities<\/th>\n<th>Role<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Cloud infrastructure<\/td>\n<td>Supabase, Inc.<\/td>\n<td>Processor (Art. 28)<\/td>\n<\/tr>\n<tr>\n<td>Push notifications<\/td>\n<td>Google LLC (FCM)<\/td>\n<td>Processor<\/td>\n<\/tr>\n<tr>\n<td>Maps<\/td>\n<td>Mapbox, Inc.<\/td>\n<td>Processor<\/td>\n<\/tr>\n<tr>\n<td>Social login<\/td>\n<td>Apple, Google, Meta<\/td>\n<td>Independent controllers<\/td>\n<\/tr>\n<tr>\n<td>Ticketing<\/td>\n<td>RDITALY (Perfex CRM)<\/td>\n<td>Internal<\/td>\n<\/tr>\n<tr>\n<td>Consultants<\/td>\n<td>Law firms, accountants<\/td>\n<td>Processors\/controllers<\/td>\n<\/tr>\n<tr>\n<td>Authorities<\/td>\n<td>Judicial, tax authorities<\/td>\n<td>Independent controllers<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Data is <strong>not sold or transferred to third parties<\/strong> for marketing or profiling purposes.<\/p>\n<h3>8. Transfers outside the EEA<\/h3>\n<table>\n<thead>\n<tr>\n<th>Provider<\/th>\n<th>Data<\/th>\n<th>Safeguard<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Google LLC<\/td>\n<td>FCM token, ID, email, name<\/td>\n<td>EU-U.S. DPF + SCC<\/td>\n<\/tr>\n<tr>\n<td>Apple Inc.<\/td>\n<td>Apple ID, email relay, name<\/td>\n<td>EU-U.S. DPF + SCC<\/td>\n<\/tr>\n<tr>\n<td>Meta Platforms<\/td>\n<td>Facebook ID, email, name<\/td>\n<td>EU-U.S. DPF + SCC<\/td>\n<\/tr>\n<tr>\n<td>Supabase, Inc.<\/td>\n<td>Account, preferences, stamps, avatar<\/td>\n<td>SCC + supplementary measures<\/td>\n<\/tr>\n<tr>\n<td>Mapbox, Inc.<\/td>\n<td>GPS coordinates, IP<\/td>\n<td>SCC + supplementary measures<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Copy of safeguards available on request at <a href=\"mailto:info@rditaly.com\">info@rditaly.com<\/a>.<\/p>\n<h3>9. Retention period<\/h3>\n<table>\n<thead>\n<tr>\n<th>Category<\/th>\n<th>Period<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Account data<\/td>\n<td>Duration of registration (immediate deletion on request)<\/td>\n<\/tr>\n<tr>\n<td>Gamification<\/td>\n<td>Until account deletion<\/td>\n<\/tr>\n<tr>\n<td>Push tokens<\/td>\n<td>Until deactivation or deletion<\/td>\n<\/tr>\n<tr>\n<td>Technical logs \/ crash<\/td>\n<td>Max 12 months<\/td>\n<\/tr>\n<tr>\n<td>Pseudonymised analytics<\/td>\n<td>Max 24 months<\/td>\n<\/tr>\n<tr>\n<td>Support tickets<\/td>\n<td>24 months from closure<\/td>\n<\/tr>\n<tr>\n<td>Tax data<\/td>\n<td>10 years (Art. 2220 Italian Civil Code)<\/td>\n<\/tr>\n<tr>\n<td>Legal defence<\/td>\n<td>Until conclusion + statute of limitations<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>10. Data subject rights<\/h3>\n<ul>\n<li><strong>Access<\/strong> (Art. 15) \u2014 confirmation and copy of data<\/li>\n<li><strong>Rectification<\/strong> (Art. 16) \u2014 correction of inaccurate data<\/li>\n<li><strong>Erasure<\/strong> (Art. 17) \u2014 right to be forgotten<\/li>\n<li><strong>Restriction<\/strong> (Art. 18) \u2014 restriction of processing<\/li>\n<li><strong>Portability<\/strong> (Art. 20) \u2014 data in JSON format<\/li>\n<li><strong>Objection<\/strong> (Art. 21) \u2014 to legitimate interest<\/li>\n<li><strong>Automated decisions<\/strong> (Art. 22) \u2014 the Controller <strong>does not make any<\/strong><\/li>\n<li><strong>Withdraw consent<\/strong> (Art. 7.3) \u2014 at any time<\/li>\n<li><strong>Complaint<\/strong> (Art. 77) \u2014 to the <a href=\"https:\/\/www.garanteprivacy.it\">Italian Data Protection Authority<\/a><\/li>\n<\/ul>\n<h3>11. How to exercise your rights<\/h3>\n<ul>\n<li><strong>From the App<\/strong>: <em>Account \u2192 Settings<\/em> (immediate deletion)<\/li>\n<li><strong>Email<\/strong>: <a href=\"mailto:info@rditaly.com\">info@rditaly.com<\/a><\/li>\n<li><strong>Post<\/strong>: RDITALY S.r.l., Via Lavoratori Vittime del Col du Mont, 21 e 24 \u2014 11100 Aosta (AO), Italy<\/li>\n<\/ul>\n<p>Response within <strong>30 days<\/strong> (extendable by 2 months). Exercise is free of charge.<\/p>\n<h4>11.1 Account deletion<\/h4>\n<p>From the App (<em>Account \u2192 Delete account<\/em>): immediate removal of profile, favourites, stamps, wallet, visits, notifications, tokens, avatar and local data. Residual data: backups (max 30 days), pseudonymised analytics (not linkable), data required by law.<\/p>\n<h3>12. Cookies and tracking technologies<\/h3>\n<p>The App <strong>does not use cookies<\/strong>. It generates a random local UUID for aggregate analytics, not linked to the account or hardware. Retained for max 24 months. Re-identification risk assessed in the DPIA.<\/p>\n<h3>13. Personalisation, automated processing and marketing<\/h3>\n<table>\n<thead>\n<tr>\n<th>Processing<\/th>\n<th>Data<\/th>\n<th>Legal basis<\/th>\n<th>Profile?<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Homepage by proximity<\/td>\n<td>Current GPS<\/td>\n<td>Consent<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Listening mode by age<\/td>\n<td>Date of birth<\/td>\n<td>Contract<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Sorting by city<\/td>\n<td>City chosen<\/td>\n<td>Contract<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Digital stamps<\/td>\n<td>POIs visited<\/td>\n<td>Contract<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Analytics<\/td>\n<td>Screens, events<\/td>\n<td>Legitimate interest<\/td>\n<td>No<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>No profiling, no segmentation, no personalised suggestions.<\/strong> No advertising SDK integrated.<\/p>\n<h3>14. Data provision<\/h3>\n<p>Mandatory data is required for the account. Optional data (birth, gender, avatar, GPS, notifications): voluntary, refusal only limits the related features.<\/p>\n<h3>15. Changes to this policy<\/h3>\n<p><strong>Non-substantial<\/strong>: published directly. <strong>Substantial<\/strong>: 30 days&#8217; notice + new consent if required. Continued use does not constitute tacit consent.<\/p>\n<h3>16. Jurisdiction and applicable law<\/h3>\n<p>Italian law and GDPR. Court of the consumer&#8217;s residence or Court of Aosta.<\/p>\n<div class=\"footer\"><strong>Privacy contacts<\/strong><br \/>\nRDITALY S.r.l. \u2014 Via Lavoratori Vittime del Col du Mont, 21 e 24 \u2014 11100 Aosta (AO), Italy<br \/>\nEmail: <a href=\"mailto:info@rditaly.com\"><strong>info@rditaly.com<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Privacy Policy on the Processing of Personal Data \u2014 GuideXpress Last updated: 17 April 2026 Version: 1.0 This privacy policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016\/679 (&#8220;GDPR&#8221;) and Italian Legislative Decree no. 196 of 30 June 2003, as amended by Legislative Decree no. 101 of 10 August 2018 (&#8220;Privacy [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-96","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/policy.guidexpress.com\/en\/wp-json\/wp\/v2\/pages\/96","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/policy.guidexpress.com\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policy.guidexpress.com\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policy.guidexpress.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/policy.guidexpress.com\/en\/wp-json\/wp\/v2\/comments?post=96"}],"version-history":[{"count":11,"href":"https:\/\/policy.guidexpress.com\/en\/wp-json\/wp\/v2\/pages\/96\/revisions"}],"predecessor-version":[{"id":150,"href":"https:\/\/policy.guidexpress.com\/en\/wp-json\/wp\/v2\/pages\/96\/revisions\/150"}],"wp:attachment":[{"href":"https:\/\/policy.guidexpress.com\/en\/wp-json\/wp\/v2\/media?parent=96"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}