
Privacy Policy

Privacy notice pursuant to Art. 13 of EU Regulation 2016/679

Last updated: 28/03/2026

1. Data Controller

The data controller for personal data, pursuant to Art. 4 and Art. 24 of EU Regulation 2016/679, is:

Luca La Marca
Tax Code (Codice Fiscale): LMRLCU98L02F943F
Via De Amicis 2, 50018 Scandicci (FI), Italy
Email: info@easea.app

Data Protection Officer (DPO)

The Data Controller has not appointed a Data Protection Officer (DPO), as the conditions set out in Art. 37 of EU Regulation 2016/679 do not apply. For any matters relating to the processing of personal data, you may contact the Data Controller at the email address indicated above.

Data Controller's role in relation to boat rental operators

Easea operates in a dual capacity under EU Regulation 2016/679:

  • Data Controller for the personal data of users registered on the platform (boat rental business owners/operators and their collaborators), in relation to account management, service provision, and the purposes described in this privacy policy.
  • Data Processor pursuant to Art. 28 of the GDPR for the personal data of end customers (passengers, activity participants) entered by boat rental operators through the platform. In this case, the boat rental operator acts as an independent Data Controller for their customers' data, and Easea processes such data exclusively in accordance with the operator's documented instructions and the data processing agreement entered into between the parties.

2. Types of Data Collected

The Data Controller collects the following categories of personal data:

Account Data

First and last name, email address, password (in encrypted form), registration date, and user profile data.

Browsing Data

IP address (anonymised where technically possible), browser type, operating system, pages visited, access time, technical and analytical cookies (via Google Analytics). This data is collected automatically during use of the website and mobile application.

Booking Data

Information relating to bookings made, details of charter activities, customer data associated with bookings (name, contacts, number of participants).

No payment instrument data (credit cards, bank accounts, etc.) is collected or processed. Payments are handled entirely by third-party payment service providers.

3. Purposes of Processing

Personal data is processed for the following purposes:

  • Creation and management of user accounts on the platform
  • Provision of requested services, including charter booking management
  • Customer management and related bookings
  • Service communications relating to the account and bookings
  • Statistical analysis and service improvement (using pseudonymised and aggregated data)
  • Compliance with legal and regulatory obligations
  • Platform security and abuse prevention

Mandatory or optional nature of data provision

The provision of data marked as mandatory during registration (first name, last name, email address, password) is necessary for account creation and for the provision of the requested services. Failure to provide such data will make it impossible to register on the platform and use its services. The provision of any additional data is optional and does not affect access to the platform's essential services.

4. Legal Basis for Processing

The processing of personal data is based on the following legal bases pursuant to Art. 6 of EU Regulation 2016/679:

Contractual performance (Art. 6.1.b GDPR)

Processing is necessary for the performance of the contract to which the data subject is party, with reference to account registration, user profile management, and the provision of charter booking services.

Legal obligation (Art. 6.1.c GDPR)

Processing is necessary for compliance with a legal obligation to which the Data Controller is subject, including tax, accounting, and document retention obligations.

Legitimate interest (Art. 6.1.f GDPR)

Processing is necessary for the purposes of the following legitimate interests pursued by the Data Controller: (i) ensuring platform security, preventing fraud and unauthorised access through technical log analysis; (ii) monitoring the proper functioning of IT systems; (iii) producing aggregate, non-identifying statistics on platform usage to improve the service offered. The user has the right to object at any time to processing based on legitimate interest, pursuant to Art. 21 of the GDPR, by writing to the Data Controller's email address. In such case, the Data Controller will refrain from further processing of the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject.

Consent (Art. 6.1.a GDPR)

For non-essential cookies and tracking technologies, including Google Analytics, processing takes place only with the prior explicit consent of the user, managed through the Usercentrics Consent Management Platform (CMP). Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before the withdrawal.

5. Processing Methods and Data Retention

Personal data is processed using automated tools for the time strictly necessary to achieve the purposes for which it was collected. Pursuant to Art. 32 of the GDPR, the Data Controller adopts the following technical and organisational security measures: encryption of data in transit via TLS/HTTPS protocol and encryption at rest for stored data; password storage using cryptographic hashing (bcrypt); role-based access control (RBAC) with the principle of least privilege; periodic encrypted backups; monitoring and logging of system access; cloud infrastructure hosted on Amazon Web Services (AWS), compliant with major international security certifications (ISO 27001, SOC 2).

Data retention periods are as follows:

  • Account data with tax and contractual relevance (billing data, transaction history): for the entire duration of the contractual relationship and for the subsequent 10 (ten) years from termination, in compliance with civil and tax obligations under applicable law. Profile data without tax relevance (preferences, settings) will be deleted or anonymised within 3 (three) years from the termination of the relationship
  • Booking data: for 10 (ten) years from the date of the booking, in compliance with tax and document retention obligations
  • Technical logs and browsing data: for a maximum period of 12 (twelve) months from collection, for security and diagnostic purposes
  • Data collected via Google Analytics: for a maximum period of 14 (fourteen) months from collection
  • Inactive accounts: in case of prolonged inactivity, the Data Controller will send a notification to the user after 24 (twenty-four) months of non-use. If no response is received, the account and non-tax-relevant data will be deleted after a further 6 (six) months from the notification

6. Data Communication and Disclosure

Personal data may be communicated to:

  • Service providers acting as data processors pursuant to Art. 28 of the GDPR, specifically: Amazon Web Services, Inc. (AWS) for infrastructure hosting and file storage (S3); Stripe, Inc. for payment processing and management
  • Competent authorities, in compliance with legal obligations
  • Google LLC, acting as a data processor pursuant to Art. 28 of the GDPR, for Google Analytics and Google APIs services (including Google Maps and related services). Data collected through Google Analytics constitutes pseudonymised personal data (online identifiers, browsing data). The user's IP address is anonymised before transmission to Google servers. Processing via Google Analytics takes place only with the user's prior consent (Art. 6.1.a GDPR). Google APIs services necessary for platform operation are used on the basis of legitimate interest (Art. 6.1.f GDPR)

Personal data will not be disclosed to unauthorised third parties.

Data transfers outside the EEA

Some service providers used by the Data Controller — specifically Amazon Web Services, Inc. (AWS), Stripe, Inc. and Google LLC — may process personal data in the United States of America. Such transfers are carried out on the basis of the European Commission's adequacy decision of 10 July 2023 pursuant to Art. 45 of the GDPR (EU-U.S. Data Privacy Framework, or DPF). The aforementioned providers are certified entities under the DPF; certification status can be verified on the official website dataprivacyframework.gov. Alternatively, transfers are supported by standard contractual clauses approved by the European Commission pursuant to Art. 46.2.c of the GDPR. The Data Controller actively monitors the validity of the adequacy framework and, in the event of invalidation of the DPF by the Court of Justice of the EU, will promptly adopt adequate alternative safeguards or cease the transfers. The user may request a copy of the safeguards adopted by contacting the Data Controller at the email address indicated in this privacy policy.

7. Data Subject Rights

Pursuant to Articles 15-22 of EU Regulation 2016/679, the user has the right to:

  • Access: obtain confirmation of the existence of processing and access their personal data (Art. 15)
  • Rectification: obtain correction of inaccurate data or completion of incomplete data (Art. 16)
  • Erasure: obtain the deletion of their personal data in the cases provided for (Art. 17)
  • Restriction: obtain restriction of processing in the cases provided for (Art. 18)
  • Portability: receive their data in a structured, commonly used, and machine-readable format (Art. 20)
  • Objection: object at any time to the processing of their data based on the Data Controller's legitimate interest, on grounds relating to their particular situation (Art. 21)
  • Withdrawal of consent: withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing carried out before the withdrawal (Art. 7.3)

The user also has the right to lodge a complaint with the competent supervisory authority (Italian Data Protection Authority — Garante per la Protezione dei Dati Personali — www.garanteprivacy.it) if they believe that the processing of their personal data is carried out in violation of EU Regulation 2016/679.

To exercise their rights, the user may send a request to the email address: info@easea.app

To exercise the right to erasure (Art. 17 GDPR), the user may request the deletion of their account and all associated data through the dedicated account deletion page. The deletion will be effective after a 15-day grace period, during which the account can be reactivated.

8. Cookies and Tracking Technologies

The website uses technical cookies necessary for the operation of the platform, installed without user consent pursuant to Art. 122 of Italian Legislative Decree 196/2003, and third-party analytical cookies (Google Analytics), installed only with the user's prior consent.

Cookie preference management is entrusted to the Usercentrics Consent Management Platform (CMP), accessible through the cookie banner displayed on first access to the website and, subsequently, through the dedicated link in the website footer. The user may modify their cookie preferences at any time by accessing the CMP.

A detailed list of cookies used, including their purpose, duration, and provider, is available within the CMP cookie management panel.

The user has the right to withdraw consent to non-essential cookies at any time through the CMP, without affecting the lawfulness of processing based on consent given before the withdrawal.

9. Automated Decision-Making

The Data Controller does not carry out automated decision-making processes, including profiling, within the meaning of Art. 22 of EU Regulation 2016/679, that produce legal effects concerning the data subject or similarly significantly affect them.

10. Changes to the Privacy Policy

The Data Controller reserves the right to make changes to this privacy policy at any time. Changes will be published on this page with an indication of the last update date. Users are invited to periodically review this page to stay informed of the updated policy.

11. Contacts

For any questions or requests regarding this privacy policy, you can contact the Data Controller at:

Luca La Marca
Tax Code (Codice Fiscale): LMRLCU98L02F943F
Via De Amicis 2, 50018 Scandicci (FI), Italy
Email: info@easea.app