Privacy Policy

    Compliant with General Data Protection Regulation (GDPR) EU 2016/679

    Last updated: December 29, 2024

    Layers of Rome is committed to protecting your privacy and personal data. This policy transparently describes how we collect, use, store, and protect your personal information when you use our website and tour booking services.

    1. Data Controller

    The Data Controller for personal data processing is:

    Layers of Rome

    Email: support@layersofrome.com

    Website: https://layersofrome.com

    The Controller is committed to protecting user privacy and processing personal data in compliance with Regulation (EU) 2016/679 (GDPR) and applicable data protection laws.

    2. Personal Data Collected

    We collect and process the following categories of personal data:

    2.1 Account Registration Data

    • First and last name
    • Email address
    • Password (stored in encrypted form)
    • Phone number (optional)
    • Registration date and time

    2.2 Booking Data

    • Participant names
    • Contact email
    • Phone number
    • Booked tour date and time
    • Number of participants
    • Special requests

    2.3 Payment Data

    • Transaction information (amount, currency, date)
    • Stripe transaction ID
    • Payment status

    Note: Credit/debit card data is handled exclusively by Stripe and never stored on our servers.

    2.4 Browsing Data

    • IP address
    • Browser and device used
    • Pages visited and time spent
    • Site interactions (clicks, scrolls, mouse movements) via Microsoft Clarity
    • Technical and analytics cookies

    3. Purposes and Legal Basis

    We process your personal data for the following purposes:

    3.1 Account and Booking Management

    Purpose: User account creation and management, booking processing, tour-related communications

    Legal basis: Contract performance (Art. 6(1)(b) GDPR)

    3.2 Payment Processing

    Purpose: Process payments and issue booking confirmations

    Legal basis: Contract performance (Art. 6(1)(b) GDPR)

    3.3 Transactional Communications

    Purpose: Send booking confirmations, reminders, tour updates

    Legal basis: Contract performance (Art. 6(1)(b) GDPR)

    3.4 Website Analysis and Service Improvement

    Purpose: Analyze user behavior, improve user experience, optimize website

    Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) and consent for analytics cookies

    3.5 Legal Obligations

    Purpose: Comply with fiscal, accounting, and regulatory obligations

    Legal basis: Legal obligation (Art. 6(1)(c) GDPR)

    3.6 Marketing (with explicit consent only)

    Purpose: Send newsletters, special offers, promotions

    Legal basis: Consent (Art. 6(1)(a) GDPR) - you can withdraw consent at any time

    4. Data Recipients

    Your personal data may be shared with the following recipients:

    4.1 Service Providers (Data Processors)

    International Data Transfers:

    Some providers are located in the United States. Data transfers to non-EU countries are safeguarded through:

    • Standard Contractual Clauses approved by the European Commission
    • Privacy Shield certifications or equivalents
    • Adequate technical and organizational security measures

    5. Data Retention Period

    We retain your data only for as long as necessary for the purposes for which it was collected:

    • Account data: Until account deletion or deletion request
    • Booking data: 10 years for fiscal and accounting obligations
    • Payment data: According to Stripe requirements and PSD2 regulations
    • Analytics data (Clarity): Maximum 90 days, then anonymized
    • Transactional emails: 2 years from last contact
    • Marketing data: Until consent withdrawal or 24 months of inactivity

    6. Your Rights

    Under Articles 15-22 of the GDPR, you have the right to:

    • Access (Art. 15): Obtain confirmation of data existence and receive a copy
    • Rectification (Art. 16): Correct inaccurate or incomplete data
    • Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
    • Restriction (Art. 18): Limit processing in certain circumstances
    • Portability (Art. 20): Receive data in structured format and transfer to another controller
    • Objection (Art. 21): Object to processing based on legitimate interest
    • Withdraw consent: Withdraw consent at any time (e.g., newsletters)
    • Lodge complaint: File a complaint with your supervisory authority

    How to exercise your rights:

    Send a request via email to support@layersofrome.com specifying the right you wish to exercise. We will respond within 30 days.

    Supervisory Authority (Italy):

    Garante per la Protezione dei Dati Personali
    Website: www.garanteprivacy.it

    7. Data Security

    We implement technical and organizational security measures to protect your data:

    Technical Measures:

    • TLS/SSL encryption for all communications
    • Encrypted passwords using bcrypt/secure hash algorithms
    • Secure authentication via Supabase Auth
    • Regular backups and data redundancy
    • Firewalls and intrusion detection systems

    Organizational Measures:

    • Data access limited to authorized personnel
    • Confidentiality agreements with third-party providers
    • Data breach management procedures per Art. 33-34 GDPR
    • Ongoing staff privacy training

    8. Cookies and Tracking Technologies

    Our website uses cookies and similar technologies. For detailed information, please see our Cookie Policy.

    Cookie Summary:

    • Technical cookies: Necessary for website functionality (session, authentication)
    • Analytics cookies: Microsoft Clarity for user behavior analysis
    • Third-party cookies: Stripe for payment processing, Supabase for authentication

    9. Minors

    Our services are not intended for individuals under 16 years of age. We do not knowingly collect data from minors without parental or guardian consent.

    If we become aware that we have collected data from minors without consent, we will delete it immediately.

    10. Changes to Privacy Policy

    This Privacy Policy may be updated periodically to reflect changes to our services or applicable regulations.

    The date of the last update is indicated at the bottom of the page. We will inform you of any substantial changes via email or website banner.

    We encourage you to regularly consult this page to stay informed about how we protect your data.

    11. Contact

    For any questions, concerns, or requests regarding the processing of your personal data, you can contact us:

    Email: support@layersofrome.com

    Website: https://layersofrome.com/contatti

    We commit to responding to all requests within 30 working days.

    Questions about privacy?

    Our team is available to clarify any aspect of how we handle your personal data.
