NOTICE REGARDING THE PROCESSING OF PERSONAL DATA

Introduction

This notice is intended to inform users about how their personal data is processed.

This policy is provided in accordance with Legislative Decree 196/2003 (hereafter "Privacy Code") and Regulation (EU) 2016/679 (hereafter "GDPR") to ensure the privacy and security of each visitor’s personal data.

Data ControllerIRSA PT Ente morale DPR 281/77Registered Office:c/o Museo S.M.I. Viale Luigi Orlando, 325,Campo TizzoroTax Code: 90015710479Email: info@irsapt.it

Types of Data Collected

As with all websites and applications, this site may collect certain information while browsing, including:

• IP address
• Browser type and device parameters used to connect
• Name of the internet service provider (ISP)
• Date and time of visit
• Information on pages visited and time spent
• Referring and exit web pages
• Country of origin
• Possibly the number of clicks

Data Voluntarily Provided by the Visitor

This includes personal data submitted by the user, for example by sending an email.

Newsletter

Subscribing to our newsletter allows users to stay informed of the main content published on the site, free of charge. We will not send more than one newsletter per month and may skip months.

When subscribing, users may submit personal data (such as an email address). Submission is voluntary and implies consent to use the email for sending the newsletter.

The data provided will be stored on secure electronic systems and may be integrated with other databases.

Data is processed solely for delivering the requested services and for communicating with the customer regarding their booking, including confirmations, updates, and relevant service information. This data may also be used to inform customers about news, events, or promotions related to Pistoia Sotterranea, in accordance with applicable consent requirements. It will not be disclosed but may be shared with trusted service providers who assist the Data Controller in delivering these services.

Automatic Newsletter Subscription

When purchasing a ticket through TicketingHub, customers are automatically added to our newsletter mailing list so we can keep them informed about relevant updates, events, or promotions related to Pistoia Sotterranea. You can unsubscribe at any time by using the unsubscribe link in any email or by contacting us directly. We respect your privacy and make opting out easy and immediate.

Users may review and change consent, verify or update active services, or request additional ones at any time.

Providing data is optional, except where necessary to access specific services. Users have the right to know how their data is used, and to request updates, corrections, deletions, or oppose its use under Article 7 of Legislative Decree 196/2003.

To unsubscribe from the newsletter: Use the unsubscribe link in the email, or send an email to unsubscribe@pistoiasotterranea.it requesting removal from the mailing list.

Purpose of Data Processing

• To deliver the requested goods/services, manage contracts, and fulfill related obligations (administrative, tax, legal). This processing is necessary and does not require specific consent.
• To monitor user experience and ensure proper website functionality.
• To ensure site security (anti-spam, firewalls, antivirus). Collected data may include IP addresses used to prevent damage or illegal activity. Such data is not used for profiling or shared with third parties.
• To send promotional communications and offers, where the user has consented, or where communications are related to similar previously purchased services.
• To provide interactive support via the Chatsimple AI chatbot, which may temporarily store user interactions to enhance response quality and improve support services.
• To manage cookie consent and record cookie preferences through CookieYes, in line with EU and Italian cookie laws.
• To process and manage ticket purchases via TicketingHub, including order confirmation, customer communication, and refund handling.

Legitimate Interests

In certain cases, we may process your personal data based on our legitimate interest, such as improving services, preventing fraud, ensuring network and information security, or fulfilling contractual obligations. We always balance our interests with your fundamental rights and freedoms.

Use of Information

Data is used only for the purposes stated and retained only as long as needed. Data will never be sold or shared unless required by judicial authorities.

Data Hosting and International Transfers

This website is built and hosted on the Duda platform, which operates on AWS servers located in the United States. As such, certain technical data (such as IP addresses, device type, and browser activity) may be transferred and processed outside the European Union.

Other services used on this site — including Zoho Forms, Zoho PageSense, and Zoho SalesIQ — are fully hosted and operated within the European Union and comply with EU data protection regulations.

Additional tools used on this site include:

• CookieYes: a third-party cookie consent and management platform that may process certain visitor metadata (such as IP address and consent choices) to manage cookie preferences in compliance with GDPR. Data may be processed outside the EU, including on AWS servers in the United States. We rely on Standard Contractual Clauses to ensure appropriate safeguards.
• TicketingHub: a UK-based online ticketing platform we use to manage ticket sales. When users purchase tickets, their personal data (such as name, email, and transaction details) is processed by TicketingHub in accordance with GDPR. TicketingHub may store and process data outside the EU, and appropriate safeguards are in place to ensure lawful data transfers.
• Chatsimple.ai: an AI-powered chatbot integrated into this website to help users navigate and access information. Chatsimple claims to comply with GDPR and, for EU users, states that data is not transferred outside Europe. However, we recommend reviewing their Privacy Policy for more information.

We rely on Standard Contractual Clauses (SCCs) as the legal basis for any necessary data transfers outside the EU and take appropriate steps to ensure that your personal data remains protected. By continuing to use this site, you consent to the described international data transfers where applicable.

We reserve the right to integrate new tools, platforms, or services in the future to improve our operations, communication, and user experience. Where such tools involve data processing, we will ensure they comply with GDPR or other relevant data protection frameworks and will update this Privacy Policy accordingly.

Data Processing Methods

Personal data is mainly processed electronically (e.g., CRM systems) and only for as long as necessary to fulfill its purpose. Processing complies with principles of lawfulness, fairness, data minimization, and relevance.

Data Transfers Outside the EU

This site may share some data with services based outside the EU, such as Google, Facebook, and Microsoft (LinkedIn) via plugins and Google Analytics. Transfers are covered by the EU's Privacy Shield decision (1250/2016), and further consent is not required.

Social Plugins

The website may use social plugins (e.g., Facebook "Like" buttons), marked by the respective platform’s logo. When users interact with them, the browser sends the data to the social network, which stores it. Users should consult each platform’s privacy policy to understand data use and their rights.

We are not responsible for the privacy practices or the content of third-party sites or services, including those linked from our website or those we integrate with (e.g., social networks, ticketing platforms, analytics tools). We encourage users to review the privacy policies of those platforms.

Security Measures

The site processes data lawfully and fairly, using security measures to prevent unauthorized access, disclosure, modification, or deletion. Data may be accessed by internal staff or external service providers (IT, hosting, communications, etc.).

User Rights

Under GDPR (Regulation EU 679/2016), users may exercise the following rights:

• Access: request confirmation of data processing and receive a copy of their data;
• Correction: update or amend inaccurate data;
• Deletion: request deletion if no longer necessary or processed unlawfully;
• Restriction: limit data processing under certain conditions;
• Objection: oppose data processing based on legitimate interest, especially for marketing purposes;
• General Rights: all rights recognized by law.

Requests should be addressed to the Data Controller. Users may revoke consent at any time without affecting the lawfulness of prior processing.

Finally, users have the right to lodge a complaint with the Supervisory Authority, which in Italy is the Garante per la Protezione dei Dati Personali.

Policy Updates

We may update this Privacy Policy at any time to reflect changes in our operations or legal obligations. When we do, we will revise the “last updated” date at the end of this document. Material changes may be communicated via the website or email. Continued use of the website after such changes constitutes acceptance.

Children’s Data

Our services are not directed to children under the age of 16. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a child without parental consent, we will delete such information as soon as possible.

Last updated: 7 MAY 2025