Privacy Policy

Privacy notice pursuant to Art. 13 of EU Regulation 2016/679

Last updated: 04/03/2026

1. Data Controller

The data controller for personal data, pursuant to Art. 4 and Art. 24 of EU Regulation 2016/679, is: Luca La Marca Domicile: Scandicci (FI), Italy Email: info@easea.app

Data Protection Officer (DPO)

The Data Controller has not appointed a Data Protection Officer (DPO), as the conditions set out in Art. 37 of EU Regulation 2016/679 do not apply. For any matters relating to the processing of personal data, you may contact the Data Controller at the email address indicated above.

2. Types of Data Collected

The Data Controller collects the following categories of personal data:

Account Data

First and last name, email address, password (in encrypted form), registration date, and user profile data.

Browsing Data

IP address (anonymised where technically possible), browser type, operating system, pages visited, access time, technical and analytical cookies (via Google Analytics). This data is collected automatically during use of the website and mobile application.

Booking Data

Information relating to bookings made, details of charter activities, customer data associated with bookings (name, contacts, number of participants).

No payment instrument data (credit cards, bank accounts, etc.) is collected or processed. Payments are handled entirely by third-party payment service providers.

3. Purposes of Processing

Personal data is processed for the following purposes:

  • Creation and management of user accounts on the platform
  • Provision of requested services, including charter booking management
  • Customer management and related bookings
  • Service communications relating to the account and bookings
  • Statistical analysis and service improvement (using pseudonymised and aggregated data)
  • Compliance with legal and regulatory obligations
  • Platform security and abuse prevention

Mandatory or optional nature of data provision

The provision of data marked as mandatory during registration (first name, last name, email address, password) is necessary for account creation and for the provision of the requested services. Failure to provide such data will make it impossible to register on the platform and use its services. The provision of any additional data is optional and does not affect access to the platform's essential services.

4. Legal Basis for Processing

The processing of personal data is based on the following legal bases pursuant to Art. 6 of EU Regulation 2016/679:

Contractual performance (Art. 6.1.b GDPR)

Processing is necessary for the performance of the contract to which the data subject is party, with reference to account registration, user profile management, and the provision of charter booking services.

Legal obligation (Art. 6.1.c GDPR)

Processing is necessary for compliance with a legal obligation to which the Data Controller is subject, including tax, accounting, and document retention obligations.

Legitimate interest (Art. 6.1.f GDPR)

Processing is necessary for the purposes of the following legitimate interests pursued by the Data Controller: (i) ensuring platform security, preventing fraud and unauthorised access through technical log analysis; (ii) monitoring the proper functioning of IT systems; (iii) producing aggregate, non-identifying statistics on platform usage to improve the service offered. The user has the right to object at any time to processing based on legitimate interest, pursuant to Art. 21 of the GDPR, by writing to the Data Controller's email address. In such case, the Data Controller will refrain from further processing of the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject.

Consent (Art. 6.1.a GDPR)

For non-essential cookies and tracking technologies, including Google Analytics, processing takes place only with the prior explicit consent of the user, managed through the Usercentrics Consent Management Platform (CMP). Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before the withdrawal.

5. Processing Methods and Data Retention

Personal data is processed using automated tools for the time strictly necessary to achieve the purposes for which it was collected. Specific technical and organisational security measures are adopted to prevent data loss, unlawful or incorrect use, and unauthorised access, pursuant to Art. 32 of the GDPR.

Data retention periods are as follows:

  • Account data: for the entire duration of the contractual relationship and for the subsequent 10 (ten) years from termination, in compliance with civil and tax obligations under applicable law
  • Booking data: for 10 (ten) years from the date of the booking, in compliance with tax and document retention obligations
  • Technical logs and browsing data: for a maximum period of 12 (twelve) months from collection, for security and diagnostic purposes
  • Data collected via Google Analytics: for a maximum period of 26 (twenty-six) months from collection

6. Data Communication and Disclosure

Personal data may be communicated to:

  • Entities that need to access data for purposes ancillary to the contractual relationship (e.g., hosting service providers, cloud services), acting as data processors pursuant to Art. 28 of the GDPR
  • Competent authorities, in compliance with legal obligations
  • Google LLC, acting as a data processor pursuant to Art. 28 of the GDPR, for the Google Analytics service. Data collected through Google Analytics constitutes pseudonymised personal data (online identifiers, browsing data). The user's IP address is anonymised before transmission to Google servers. Processing takes place only with the user's prior consent (Art. 6.1.a GDPR)

Personal data will not be disclosed to unauthorised third parties.

Data transfers outside the EEA

Some service providers used by the Data Controller, including Google LLC, may process personal data in the United States of America. Such transfers are carried out on the basis of adequacy decisions of the European Commission pursuant to Art. 45 of the GDPR (EU-U.S. Data Privacy Framework) or, alternatively, on the basis of standard contractual clauses approved by the European Commission pursuant to Art. 46.2.c of the GDPR. The user may request a copy of the safeguards adopted by contacting the Data Controller at the email address indicated in this privacy policy.

7. Data Subject Rights

Pursuant to Articles 15-22 of EU Regulation 2016/679, the user has the right to:

  • Access: obtain confirmation of the existence of processing and access their personal data (Art. 15)
  • Rectification: obtain correction of inaccurate data or completion of incomplete data (Art. 16)
  • Erasure: obtain the deletion of their personal data in the cases provided for (Art. 17)
  • Restriction: obtain restriction of processing in the cases provided for (Art. 18)
  • Portability: receive their data in a structured, commonly used, and machine-readable format (Art. 20)
  • Objection: object at any time to the processing of their data based on the Data Controller's legitimate interest, on grounds relating to their particular situation (Art. 21)
  • Withdrawal of consent: withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing carried out before the withdrawal (Art. 7.3)

The user also has the right to lodge a complaint with the competent supervisory authority (Italian Data Protection Authority — Garante per la Protezione dei Dati Personali — www.garanteprivacy.it) if they believe that the processing of their personal data is carried out in violation of EU Regulation 2016/679.

To exercise their rights, the user may send a request to the email address: info@easea.app

8. Cookies and Tracking Technologies

The website uses technical cookies necessary for the operation of the platform, installed without user consent pursuant to Art. 122 of Italian Legislative Decree 196/2003, and third-party analytical cookies (Google Analytics), installed only with the user's prior consent.

Cookie preference management is entrusted to the Usercentrics Consent Management Platform (CMP), accessible through the cookie banner displayed on first access to the website and, subsequently, through the dedicated link in the website footer. The user may modify their cookie preferences at any time by accessing the CMP.

A detailed list of cookies used, including their purpose, duration, and provider, is available within the CMP cookie management panel.

The user has the right to withdraw consent to non-essential cookies at any time through the CMP, without affecting the lawfulness of processing based on consent given before the withdrawal.

9. Automated Decision-Making

The Data Controller does not carry out automated decision-making processes, including profiling, within the meaning of Art. 22 of EU Regulation 2016/679, that produce legal effects concerning the data subject or similarly significantly affect them.

10. Changes to the Privacy Policy

The Data Controller reserves the right to make changes to this privacy policy at any time. Changes will be published on this page with an indication of the last update date. Users are invited to periodically review this page to stay informed of the updated policy.

11. Contacts

For any questions or requests regarding this privacy policy, you can contact the Data Controller at: Email: info@easea.app Luca La Marca Scandicci (FI), Italy