Privacy Policy
Last updated: 21 aprile 2026
This Policy describes how Orizzonti Web di Donà Mario (hereinafter "BoatPilot") processes the personal data of Providers (charter operators) and End customers who use the boatpilot.eu platform and its services, including the booking widget and transactional communications, in compliance with Regulation (EU) 2016/679 (GDPR) and Italian data protection legislation.
1. Data controller
Data controller for the data collected on the Platform: Orizzonti Web di Donà Mario Via Monte Asolon 70/B, 36022 Cassola (VI) — Italy VAT 04625930245 Email: [email protected] No DPO (Data Protection Officer) has been appointed under art. 37 GDPR as the mandatory conditions are not met.
2. Role of BoatPilot (Controller vs. Processor)
BoatPilot acts as: • Independent CONTROLLER for the data of Providers (charters) who register and use the Platform as a SaaS service (purposes: performance of the SaaS contract, billing, support, platform analytics). • PROCESSOR (Art. 28 GDPR) for the data of End customers collected through the booking widget or the Provider's admin area. In this case the CONTROLLER is the Provider itself, which determines the purposes and means of processing its customer's data. The relationship is governed by a Data Processing Agreement (DPA) provided on request to the Provider.
3. Categories of data collected
Provider data: identifying data (company name, VAT, office, contacts), access credentials, billing data, Platform usage data (logs, analytics), payment data processed via Stripe. End customer data (collected on behalf of the Provider): first name, last name, email, phone number, number of passengers, preferred language, free text notes, booking data (boat, dates, amount). If paying by card: only transaction metadata (no full card data, which is handled by Stripe in PCI-DSS mode). Browsing data: IP address, user agent, pages visited, widget interactions.
4. Purposes and legal basis
• Performance of the SaaS contract with the Provider — basis: art. 6(1)(b) GDPR. • Execution of End customer booking — basis: art. 6(1)(b) GDPR (performance of the contract between Customer and Provider, with BoatPilot as Processor). • Tax and accounting obligations — basis: art. 6(1)(c) GDPR. • Fraud prevention and Platform security — basis: art. 6(1)(f) GDPR (legitimate interest). • Transactional communications (booking confirmations, payment notifications) — basis: art. 6(1)(b) GDPR. • Marketing communications to Providers (optional) — basis: art. 6(1)(a) GDPR (consent).
5. Processing methods
Data is processed using IT tools in automated form, with appropriate technical and organisational measures (TLS encryption in transit, password hashing, backups, access logging) proportionate to risk. Access is restricted to authorised personnel and duly appointed external Processors.
6. Recipients of data — external Processors
To deliver the Service BoatPilot relies on the following external Processors (all with agreements under art. 28 GDPR): • Stripe Payments Europe Ltd. — payment processing (https://stripe.com/privacy). For card operations, data is processed directly by Stripe, which also acts as independent controller for certain processing activities (antifraud, compliance). • Laravel Cloud (application hosting provider) — hosting infrastructure. • Cloudflare, Inc. — CDN, DDoS protection, DNS and email routing. • Resend (https://resend.com) — transactional email delivery. • Accounting and tax service providers — legal obligations. Data is neither sold nor transferred to third parties for external marketing purposes.
7. Transfer of data outside the EU
Some Processors (Cloudflare, Stripe Inc. USA for certain operations) may involve the transfer of personal data outside the European Economic Area. Such transfers take place based on the Standard Contractual Clauses approved by the European Commission (art. 46 GDPR) or, where applicable, under the EU-US Data Privacy Framework adequacy decision. A copy of the safeguards is available on written request to [email protected].
8. Retention period
• Provider account data: for the duration of the SaaS contract + 10 years from termination for tax/accounting obligations. • Booking and End customer data: for the time required by the Provider to deliver the service and to comply with legal obligations (typically 10 years for invoicing). • Navigation data and technical logs: 12 months. • Marketing data (if collected): until consent is withdrawn.
9. Data subject rights
As a Data subject you have the following rights (Arts. 15-22 GDPR): • Access to your data. • Rectification of inaccurate or incomplete data. • Erasure (right to be forgotten), subject to retention obligations. • Restriction of processing. • Data portability in a structured format. • Objection to processing based on legitimate interest. • Withdrawal of consent at any time (for processing that requires it). • Complaint to the Italian Data Protection Authority (www.garanteprivacy.it). Requests may be sent to [email protected]. If you are an End customer of a Provider, you may contact the Provider (Controller) directly or us: we will forward the request without undue delay.
10. Cookies and similar technologies
The Platform uses technical cookies essential to functionality and, in some areas, analytical and preference cookies. For details on cookie types, purposes and management consult the Cookie Policy at boatpilot.eu/cookie-policy.
11. Automated decision-making
BoatPilot does not take decisions based solely on automated processing producing legal effects or similarly significantly affecting data subjects. Anti-fraud systems adopted by Stripe may contribute to automated pre-assessment: in case of significant impact you have the right to human intervention and to contest the decision.
12. Changes to the Policy
This Policy may be updated for regulatory or organisational reasons. The date of the last update is shown at the top. In case of material changes, affected users will be informed by email or in-app notification.
Privacy contact
To exercise your rights or for any queries about the processing of personal data you may write to us at:
[email protected]