Privacy Policy
This Privacy Policy describes how personal data collected through the website prosecconow.it (also referred to as the “Platform” or “Service”) is processed, in compliance with EU Regulation 2016/679 (“GDPR”) and Italian Legislative Decree 196/2003 (“Italian Privacy Code”).
This is an English translation provided for the convenience of international visitors. The legally binding version is the Italian one, available at prosecconow.it/privacy. In case of discrepancies, the Italian version prevails.
1. Who processes your data (Joint Controllers)
Prosecconow is operated under a regime of joint controllership pursuant to Article 26 GDPR by:
- Italian Tax Code: MZZMTT81R06C957R
- Address: Via Puccini 13, 31033 Castelfranco Veneto (TV), Italy
- Email: [email protected]
- Italian VAT number: 04427770260
- Address: Via Puccini 13, 31033 Castelfranco Veneto (TV), Italy
- Certified email (PEC): [email protected]
The Joint Controllers have entered into an arrangement pursuant to Article 26 GDPR setting out their respective roles. For any request relating to the processing of your data you may contact the single point of contact below, regardless of which of the two Joint Controllers is your commercial counterpart.
📧 [email protected]
2. What data we process and why
2.1 Data collected when you visit the Platform
When you open prosecconow.it, our static hosting provider (Netlify) automatically records certain connection data necessary for the operation and security of the site:
- IP address (in partial form)
- Date, time and duration of the visit
- Pages visited, referrer
- Browser type and operating system
Purpose: technical operation of the Platform, security, anomaly detection.
Legal basis: legitimate interest of the Controller in the security and proper functioning of the Service (Article 6(1)(f) GDPR).
Retention: maximum 30 days (Netlify's default retention).
2.2 Data collected when you request a booking
When you click the “Book now” button on a card, you are redirected to WhatsApp with a pre-filled message containing a reference code [ref:XXXX].
Third-party messaging service. The “Book now” button redirects you to the WhatsApp service, operated by WhatsApp Ireland Ltd. (Meta group). Your use of WhatsApp is governed by the WhatsApp Terms of Service and Privacy Policy, which are independent of Prosecconow's. We recommend that you read them if you have not already done so.
When you send that message to our WhatsApp number, we collect the following through our provider Twilio:
- Your WhatsApp telephone number
- The name you provide in the conversation
- The content of the messages you send us (experience requested, number of people, date, budget, notes)
- The [ref:XXXX] code identifying the card and the relevant winery
- Date and time of contact
Purpose: handling your booking request, putting you in touch with the selected winery, sending you response messages relating to the request.
Legal basis: performance of pre-contractual measures at your request (Article 6(1)(b) GDPR).
Retention: 24 months from the closure of the case. Tax-related data is retained for 10 years by legal obligation.
2.3 Chat with the virtual assistant “Oste” (beta feature)
The Platform includes a conversational virtual assistant called “Oste”, currently in beta. When you interact with Oste, the messages you write are transmitted to the technology provider Anthropic PBC (USA), which processes the response via the Claude model.
Purpose: providing automatic answers to questions about the Prosecco DOCG area, available experiences and itineraries.
Legal basis: performance of the service requested (Article 6(1)(b) GDPR).
Retention: 14 days in our systems (Railway logs), exclusively for debugging and quality analysis of the Prosecconow service. Messages are also retained by the provider Anthropic for a maximum of 30 days as a standard API service feature, without being used to train artificial intelligence models: we have verified that the “optional feedback” setting and the “Development Partner Program” opt-in are disabled on our API account.
Transfers outside the EU: see section 6.
2.4 Data of partner winery representatives
If you are a representative of a winery that has signed a commercial agreement with Prosecconow, we process the following data of the representative to manage the relationship: first name, surname, business role, email, business WhatsApp number, telephone, any signatures on contracts.
Purpose: performance of the partnership agreement, sending of WhatsApp templates with booking requests, invoicing, service communications.
Legal basis: performance of the contract (Article 6(1)(b) GDPR) and legal obligations relating to taxation (Article 6(1)(c) GDPR).
Retention: 10 years from termination of the relationship for tax obligations; non-tax data deleted within 24 months from termination.
3. How we collect the data
We collect data directly from you when: you visit the Platform, send a WhatsApp message via the “Book now” button, interact with the Oste assistant, or contact us by email or WhatsApp for any other reason.
We do not collect your data from public sources, nor do we purchase it from third parties.
4. Transmission of data to the selected winery
⚠ Important point — please read carefully
When you book an experience through Prosecconow, the selected winery receives your WhatsApp number directly, together with the essential data of the request. This is necessary because Prosecconow is a tool that quickly connects you with the winery, not a payment intermediary or post-sale customer service.
4.1 What the winery receives
At the moment of your booking request, we transmit to the selected winery via WhatsApp:
- Your WhatsApp telephone number
- The experience requested and the desired date
- The name you provided in the conversation (if any)
- An identification code for the request (Lead ID, in the format L+timestamp)
The winery does not receive: your surname (unless you provided it), your address, email, identity documents, or payment data. We do not collect these, so we cannot transmit them.
4.2 What the winery does with your data
Once it has received the data, the winery acts as autonomous data controller and uses your number to:
- Confirm or reschedule the booking
- Contact you for any operational needs (time changes, directions)
- Where applicable, contact you again for commercial offers or future experiences, in accordance with its own privacy policy
For the processing of your data by the winery after the booking (including any subsequent commercial communications), the winery is independently responsible and must provide you with its own privacy policy if it contacts you for purposes other than confirming the requested booking.
4.3 When Prosecconow exits the flow
Once the winery has confirmed your booking, Prosecconow exits the loop: we do not handle changes, cancellations or post-booking customer service, and we do not receive notifications about what happens afterwards. From that moment on, you and the winery manage the relationship directly.
4.4 Partner wineries
The list of partner wineries with which we share booking data is available on prosecconow.it. All partner wineries are contractually bound to use the data received exclusively for the purposes described above and in compliance with the GDPR.
5. Technology providers and other recipients
5.1 Technology providers (Data Processors under Article 28 GDPR)
| Provider | Role | Location | Non-EU transfer |
|---|---|---|---|
| Netlify Inc. | Static hosting of the Platform (web pages, PWA) | USA | Yes — EU-U.S. DPF + SCC |
| Twilio Inc. | WhatsApp messaging management | USA | Yes — EU-U.S. DPF + SCC |
| Google LLC | Google Sheets (operational data storage); Search Console and Business Profile (search engine visibility) | USA / EU | Yes — EU-U.S. DPF + SCC |
| Microsoft Corporation | Bing Webmaster Tools (search engine visibility) | USA | Yes — EU-U.S. DPF + SCC |
| Anthropic PBC | Virtual assistant Oste (Claude API) | USA | Yes — SCC |
| Railway Corp. | Hosting of the Twilio webhook backend | USA | Yes — SCC |
| Resend Inc. | Transactional service emails | USA | Yes — SCC |
| GoDaddy Operating Co., LLC | Domain registrar and business email service | USA | Yes — SCC |
| Cloudflare, Inc. | CDN, Web Application Firewall, DDoS protection and DNS | USA | Yes — EU-U.S. DPF + SCC |
| OpenWeather Ltd. | Weather data for personalising suggested experiences (receives only territorial coordinates, no personal tourist data) | United Kingdom (EU adequacy decision) | Yes — adequacy decision |
| Meta Platforms Ireland Ltd. | WhatsApp Business API provider for message transmission (templates validated by Meta) | Ireland (sub-processor Meta Platforms Inc., USA) | Yes — SCC + EU-U.S. DPF (for USA sub-processor) |
Each provider is bound by a data processing agreement (DPA) imposing appropriate security measures and the use of the data exclusively for the purposes indicated.
5.2 Public authorities
Data may be communicated to public authorities (judicial, public security, tax) where required by legal obligation.
5.3 Professional advisors
Accountant and legal advisor, bound by professional secrecy.
We do not sell and do not transfer your data to third parties for marketing purposes.
6. Transfers outside the European Union
Some of the technology providers are based in the United States. Transfers take place on the basis of:
- EU-U.S. Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023) for participating providers
- Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914) for the others
To receive a copy of the contractual safeguards in place, you may write to [email protected].
7. Your rights
Pursuant to Articles 15-22 GDPR, you have the right to:
- Access your data (Article 15)
- Request the rectification of inaccurate data (Article 16)
- Request the deletion of data (“right to be forgotten”) (Article 17)
- Request the restriction of processing (Article 18)
- Receive your data in a structured format and transfer it to another controller (Article 20)
- Object to the processing on legitimate grounds (Article 21)
- Not be subject to decisions based solely on automated processing (Article 22)
How to exercise your rights: write to [email protected] indicating the right you wish to exercise and providing an identity document. We will respond within 30 days.
To obtain the deletion of data linked to a booking already transmitted to a winery, you will also need to contact the winery itself, as it acts as autonomous data controller from the moment of transmission.
Right to lodge a complaint with the Italian Data Protection Authority
If you believe that the processing infringes applicable law, you may lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) — www.garanteprivacy.it — or with the supervisory authority of your country of residence.
8. Security
We apply appropriate technical and organisational measures to protect your data, including: HTTPS connection with a valid TLS certificate (Let's Encrypt via Netlify), Web Application Firewall and DDoS protection via Cloudflare, application-level rate limiting on public endpoints, credentials managed via environment variables separate from the code, access to data limited to authorised parties only, periodic backups of operational data, validation of incoming requests via Twilio signature, and an internal procedure for data breach management with notification within 72 hours.
While we operate with the utmost diligence, no system is free from risks. In the event of a data breach posing a high risk to your rights, we will inform you promptly as required by Article 34 GDPR.
9. Cookies and similar technologies
The Platform currently uses exclusively technical cookies necessary for the operation of the Service. We do not use profiling cookies, third-party analytics, or advertising tracking pixels.
For details, see our Cookie Policy.
10. Minors
The Platform and the booking services for wine and food experiences are addressed to persons of legal age (≥ 18 years). We do not knowingly collect data of minors. If you are a parent or guardian and believe that a minor has provided us with data, write to [email protected] and we will delete it promptly.
11. Changes to this Policy
We may update this Policy to reflect legal, technological or organisational changes. The version in force is always available at prosecconow.it/privacy. Material changes will be communicated to you in a visible manner on the Platform before they take effect.