Privacy Policy

1. Data Controller

The Data Controller is Andrea Partenope, a natural person responsible for the website https://woliday.co ("Woliday" project). Italian fiscal code: PRTNDR03B20I441V. Postal contact: address available upon request at hello@woliday.co.

For any request regarding the processing of your personal data, and to exercise the rights under Arts. 15-22 GDPR, you can write to: hello@woliday.co.

2. What data we collect

We currently collect only the following personal data, which you voluntarily provide by filling in the waitlist subscription form:

• first name (or chosen name); • email address.

We do not collect last name, postal address, phone number, payment data, precise geolocation, or special categories of data under Art. 9 GDPR. We do not perform profiling or automated decision-making under Art. 22 GDPR.

The website does not automatically collect browsing data for analytics or marketing purposes: see the Cookie Policy for details on technical cookies.

3. Purposes and legal basis

We process your data for the following purposes:

a) Waitlist subscription and sending updates about the launch of the woliday service, related content and promotional communications via email. Legal basis: explicit, specific consent of the data subject (Art. 6(1)(a) GDPR). Consent is given by ticking the dedicated checkbox in the form and can be withdrawn at any time.

b) Protection against automated traffic and spam, via the Cloudflare Turnstile service. Legal basis: legitimate interest of the Controller in protecting the site from abuse (Art. 6(1)(f) GDPR).

c) Compliance with legal obligations and defense in legal proceedings. Legal basis: legal obligation (Art. 6(1)(c) GDPR) and legitimate interest (Art. 6(1)(f) GDPR).

4. Provision of data

Providing your data is optional. Failing to provide name and email makes it impossible to join the waitlist and receive updates.

5. Recipients and processors

Your data may be processed by parties acting as data processors on our behalf, pursuant to Art. 28 GDPR. Specifically:

• Sendinblue SAS ("Brevo") — waitlist management and email communications. Location: France (EU). • Cloudflare, Inc. — anti-spam protection (Turnstile service). Registered office: United States. Cloudflare operates a global edge network with data centers in Italy and other EU countries: for European users, processing typically takes place on the closest EU edge nodes. Cloudflare is certified under the EU-US Data Privacy Framework (adequacy decision of the European Commission dated 10 July 2023, pursuant to Art. 45 GDPR) and additionally relies on Standard Contractual Clauses as a supplementary safeguard. • Google Ireland Ltd. / Google LLC — cloud infrastructure provider hosting the website and backend, with processing localized in the European region. Google is also certified under the EU-US Data Privacy Framework.

Your data is not disseminated and is not transferred to third parties for their own marketing purposes.

6. Transfers outside the EU

Some providers (in particular Cloudflare and Google) are headquartered in the United States and may, in principle, qualify as recipients of an extra-EU transfer under Chapter V of the GDPR. In such cases the transfer takes place on the following grounds, in order of priority:

1. the European Commission's adequacy decision of 10 July 2023 on the EU-US Data Privacy Framework (Art. 45 GDPR), to which the above providers adhere; 2. Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR), as a supplementary and backup safeguard; 3. supplementary technical measures (TLS encryption in transit, minimization of shared data, purpose isolation).

In practice, traffic from Italian users to Cloudflare Turnstile is routed to the closest EU edge nodes (e.g. Milan, Frankfurt) and does not physically transit outside the European Union.

7. Retention period

We will retain your personal data for as long as your waitlist subscription is active, i.e. until you withdraw consent or request deletion. You can do this at any time via the unsubscribe link at the bottom of every email or by writing to hello@woliday.co: in such case we will delete or anonymize your data without undue delay.

Should the Woliday project be discontinued, or should the purpose for which the data was collected cease, we will proceed with full deletion of the data.

Technical security logs (e.g. abuse data) may be retained for a maximum of 12 months, except where needed for investigation of unlawful conduct.

8. Your rights

As a data subject you have the right, at any time, to:

• access your personal data (Art. 15 GDPR); • request rectification (Art. 16 GDPR); • request erasure ("right to be forgotten", Art. 17 GDPR); • request restriction of processing (Art. 18 GDPR); • object to processing (Art. 21 GDPR); • receive your data in a structured format (portability, Art. 20 GDPR); • withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7 GDPR).

To exercise your rights, write to hello@woliday.co. We will respond within 30 days.

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it) if you believe the processing of your data violates the GDPR.

9. How to withdraw consent or unsubscribe

You can withdraw consent to communications at any time:

• by clicking the "unsubscribe" link at the bottom of any email; • by writing to hello@woliday.co with subject "Waitlist removal".

The removal will be performed without undue delay.

10. Data security

We adopt appropriate technical and organizational measures to protect your data from unauthorized access, loss, alteration or disclosure. Data is transmitted from the form to the backend over an encrypted connection (HTTPS/TLS).

11. Changes to this policy

We may update this policy to reflect regulatory changes or service developments. The updated version will always be published on this page with the last-updated date and version number. In case of material changes, we will notify you by email.