GDPR — EU Regulation 2016/679

Privacy Policy

Area Camper Bergamo — how we collect, use, and protect your personal data

Effective: March 2026
GDPR Art. 13 & 14 Compliant
Jurisdiction: Italy / EU

01

Data Controller

The Data Controller, responsible for determining the purposes and means of processing your personal data, is:

Controller Identity

🏕️ Area Camper Bergamo
📍 Bergamo, Italy

For any privacy-related enquiries, you may contact us at the email address above, marking the subject as "Privacy Request". We will respond within 30 days.

02

Personal Data We Collect

We collect only the data strictly necessary to provide our camper-pitch reservation service. The following categories of personal data are processed:

Personal & Contact Information

Data Field | Description | Required?
Full name | Identifies the reservation holder | Required
Email address | Confirmation emails and notifications | Required
Phone number | Operational contact and urgencies | Required
Plate nationality | Country of vehicle registration | Required

Vehicle Information

Data Field | Description | Required?
License plate number | Vehicle identification — treated as personal data per GDPR | Required
Vehicle category | Camper/Van or Caravan | Required
Vehicle length | Determines pitch allocation | Required
Electricity level | Amperage selection (4A/7A/10A) | Required
Extra car/trailer | Whether an additional space is needed | Optional

Booking & Payment Information

Data Field | Description | Required?
Arrival & departure date/time | Determines stay duration and pitch scheduling | Required
Reservation code | Unique identifier for the booking | Auto-generated
Total charge amount | The amount paid for the reservation | Calculated
Payment status | Whether payment has been completed (via Stripe) | Auto-updated
Consent timestamp | Record of when data consent was given | Auto-recorded

⚠️ We do not collect payment card details directly. All card data is processed exclusively by Stripe, our certified PCI-DSS payment processor. We never see or store full card numbers, CVV codes, or bank account details.

No special category data: We do not collect or process data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or any other special category data listed under GDPR Article 9.

Periodic data analysis: We periodically extract a limited subset of operational data from completed-stay records for internal statistical and business analysis purposes. The specific fields extracted are: vehicle category, plate nationality (country only), reservation status (whether it was a reservation), arrival and departure date/time, pitch used, electricity consumption level, and amount paid. No directly identifying personal data — such as name, email address, phone number, or license plate number — is included in these extracts. For more information, see Section 3 (Purpose & Legal Basis).

03

Purpose & Legal Basis for Processing

We process your data only for specific, explicit, and legitimate purposes. The legal basis for each processing activity is identified below in accordance with GDPR Article 6.

Purpose | Legal Basis (Art. 6)
Executing and managing your camper-pitch reservation | 6(1)(b) — Contract performance
Processing payment via Stripe | 6(1)(b) — Contract performance
Sending booking confirmation emails | 6(1)(b) — Contract performance
Sending day-of arrival reminders | 6(1)(b) — Contract performance
Complying with accounting and fiscal obligations | 6(1)(c) — Legal obligation
Collecting and managing personal data as described in this policy | 6(1)(a) — Consent (freely given, specific, informed, and unambiguous)
Internal operational and statistical analysis of completed-stay records using non-directly-identifying data only (vehicle category, plate nationality, reservation status, arrival/departure dates, pitch used, electricity consumption, amount paid) | 6(1)(f) — Legitimate interest

Where processing is based on consent (Article 6(1)(a)), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

Legitimate interest — balancing test (Art. 6(1)(f)): The internal data analysis described above is carried out under our legitimate interest in understanding occupancy patterns, optimising pitch allocation, and improving our service. The data extracted does not include any directly identifying fields (no name, email, phone number, or license plate number). The analysis is performed internally and the extracts are never shared with third parties. As a result, we have assessed that the impact on data subjects' rights and freedoms is minimal and does not override our legitimate interest. You have the right to object to this processing at any time (see Section 6).

Email & phone — reservation use only: Your email address and phone number are used exclusively to contact you in relation to your reservation and stay — for example, to send your booking confirmation, a day-of arrival reminder, or to reach you in case of an operational urgency. We do not use them for newsletters, promotions, or any marketing activity, and we do not intentionally share them with any third party for those purposes.

04

Data Retention Periods

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, in line with the GDPR storage limitation principle (Article 5(1)(e)).

Data Category | Retention Period | Reason
Incomplete / unpaid reservations | 30 days from creation | Automatically deleted after inactivity
Completed stay records — personal identifiers (name, email, phone, plate, nationality) | Anonymised 12 months after departure | GDPR Art. 5(1)(e) — storage limitation. Fields replaced with anonymised placeholders; the row is not deleted.
Completed stay records — financial & booking data (registration code, amount, arrival/departure dates, payment method) | 10 years from departure date | Italian fiscal and civil law obligations (D.P.R. 633/1972)
Consent records | For the duration of the reservation + 10 years | Demonstrating compliance with GDPR Art. 7(1)
Analytical extracts (non-directly-identifying operational data: vehicle category, plate nationality, reservation status, arrival/departure dates, pitch used, electricity consumption, amount paid) | Retained for up to 24 months from extraction | Legitimate interest in operational analysis and service improvement. No directly identifying personal data is included in these extracts.

After the applicable retention period, your data will be securely and permanently deleted or anonymised.

05

Third-Party Processors

We engage the following third-party sub-processors to operate our service. Each has been selected to ensure compliance with GDPR Article 28, and Data Processing Agreements (DPAs) are in place where required.

Processor | Purpose | Data Shared | GDPR Basis
Stripe, Inc. | Payment processing | Email address, amount, reservation ID | DPA in place; PCI-DSS certified; EU SCCs applicable
Google LLC (Gmail API) | Transactional email delivery | Name, email address, reservation details | Google Workspace DPA; EU SCCs applicable

We do not sell, rent, or commercially share your personal data with any third party for marketing purposes. Data is shared with the above processors solely to provide the reservation service.

No other sharing: We do not share your data with analytics services, advertising networks, social media platforms, or any other third parties beyond those listed above. In particular, your email address and phone number are never passed to third parties for commercial, promotional, or marketing purposes. Analytical data extracts (see Section 3) are used exclusively for internal purposes and are never shared with any third party.

06

Your Rights Under GDPR

As a data subject under EU Regulation 2016/679, you hold the following rights. You may exercise any of these rights free of charge. We will respond within 30 days of receiving a verified request.

👁️

Right of Access

Request a copy of all personal data we hold about you (Art. 15).

✏️

Right to Rectification

Request correction of inaccurate or incomplete data (Art. 16).

🗑️

Right to Erasure

Request deletion of your data ("right to be forgotten") (Art. 17), subject to legal retention obligations.

⏸️

Right to Restriction

Request that we limit processing of your data in certain circumstances (Art. 18).

📦

Right to Portability

Receive your data in a structured, machine-readable format (Art. 20).

🚫

Right to Object

Object to processing based on legitimate interests or for direct marketing (Art. 21). This includes the right to object to the use of your data for internal statistical analysis.

↩️

Right to Withdraw Consent

Withdraw previously given consent at any time without affecting prior processing (Art. 7(3)).

🤖

Right Against Automated Decisions

Not to be subject to solely automated decision-making with legal effects (Art. 22). We do not use such processing.

07

How to Exercise Your Rights

To exercise any of your rights, please send a written request to our Data Controller using one of the methods below. Please include your full name, reservation code (if applicable), and a description of the right you wish to exercise.

Submit a Privacy Request

📝 Subject line: "Privacy Request — [Your Name]"
⏱️ We respond within 30 calendar days (extendable by 2 months for complex requests with prior notice)

We may need to verify your identity before fulfilling a request. This is to protect you and ensure your data is not disclosed to unauthorised persons. Verification will be handled by email.

ℹ️ Erasure requests for completed reservations may be partially limited where retention is required to comply with Italian fiscal law (up to 10 years). We will always communicate clearly what data can and cannot be erased and why.

08

International Data Transfers

Some of our processors (Stripe and Google) are headquartered in the United States. Transfers of personal data outside the European Economic Area (EEA) are carried out only where appropriate safeguards are in place, in accordance with GDPR Chapter V.

Processor | Country | Transfer Safeguard
Stripe, Inc. | United States | EU Standard Contractual Clauses (SCCs) — Commission Decision 2021/914
Google LLC | United States | EU Standard Contractual Clauses (SCCs) — Commission Decision 2021/914

Data processed by these providers on our behalf remains subject to the contractual protections and security standards of their respective DPAs, and is not used for purposes beyond those specified in this policy.

09

Security Measures

We implement technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction, in accordance with GDPR Article 25 (Data Protection by Design and by Default) and Article 32.

Technical Measures

All data transmissions are encrypted via HTTPS/TLS. HTTPS is enforced across all pages. Database queries use prepared statements with parameterised inputs to prevent SQL injection. Output data is HTML-escaped at render time to prevent XSS. All forms are protected with CSRF tokens. OAuth 2.0 tokens for Gmail API access are stored outside the web root.

Hosting & Infrastructure

This service is hosted exclusively on Aruba S.p.A. infrastructure, a certified Italian cloud provider whose data centres are located in Italy. As a result, your personal data remains within the European Union at the infrastructure level, with no additional international transfer safeguards required for hosting.

Organisational Measures

Access to personal data in the database is restricted to authorised staff and systems only. Third-party processors (Stripe, Google) are bound by DPAs. Personal data is not used for testing or development purposes. Analytical data extracts containing non-directly-identifying operational data are stored securely with access restricted to authorised personnel only.

Data Breach Notification

In the event of a personal data breach, we will notify the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) within 72 hours of becoming aware, where feasible, in accordance with GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Article 34).

10

Right to Lodge a Complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority, without prejudice to any other administrative or judicial remedy (GDPR Article 77).

Italian Supervisory Authority

🏛️ Garante per la Protezione dei Dati Personali
📍 Piazza Venezia 11, 00187 Roma, Italy
📞 +39 06.696771

We nonetheless encourage you to contact us first at info@areacamperbergamo.it so we can address your concern directly and promptly.

11

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. We will indicate the version and effective date at the top of this document.

Where changes are material, we will notify active reservation holders via email before the changes take effect. The version number in the URL (e.g. v062025) serves as a versioning reference, where the format is v[MM][YYYY].

Your continued use of our reservation service after the effective date of an updated policy constitutes acceptance of the revised terms. If you do not agree with the revised policy, you may contact us to exercise your rights before making a new reservation.

Current version: v062025 — Effective June 2025.
This policy covers all personal data collected via the online reservation form at win.areacamperbergamo.it.