Privacy Policy

The Data Controller for the personal data collected through this website is:

Amazed S.r.l.

Registered office: Via Volturno 5, 20900 Monza (MB), Italy

VAT number: 14657960960

REA (Italian business register): MB-2798911

Website: amazed.tours

Standard email: privacy@amazed.tours

Certified email (PEC): amazed@pec.it

For any inquiry regarding the processing of personal data, the Data Controller may be contacted at the addresses indicated above.

The Data Controller has not appointed a Data Protection Officer (DPO), as it is not required to do so under Article 37 of the GDPR.

3.1 Data voluntarily provided through the online survey:

Email address (optional); completion timestamp; site language used; source or referral channel; gender; age range; country of origin or residence; travel habits (frequency, means of transport, organizational preferences); opinions and preferences regarding the Amazed product; purchase intent, pricing preferences and acquisition modalities; any additional information voluntarily provided in free-text fields.

3.2 Data voluntarily provided through the waitlist registration form:

Email address; city of interest (optional); site language used; source or referral channel.

3.3 Data automatically collected during navigation:

IP address (used in obfuscated form and not stored in clear text, for security, abuse-prevention and aggregated statistical analysis purposes); browser User-Agent; referring URL; standard HTTP headers; server logs related to requests made; anonymous navigation data collected for statistical purposes, including pages visited, visit duration, interaction events with the interface (clicks, scrolls, form completion), device type, operating system and browser used, browser language, country estimated from the obfuscated IP address.

Navigation data collected for statistical purposes are not associated with a persistent identifier: at each new browsing session, a temporary anonymous identifier is generated, kept exclusively in the browser''s volatile memory and not saved in cookies, local storage or other persistent storage systems on the user''s device. It is therefore not possible to recognize the same user across different visits, nor to correlate navigation with any identification data provided through the survey or waitlist registration.

The website does not collect data belonging to special categories pursuant to Article 9 of the GDPR. Users are nevertheless invited not to enter sensitive information or information exceeding the survey purposes in free-text fields.

Personal data are processed for the following purposes:

4.1 Online survey: collection of opinions, preferences and feedback on the Amazed product; statistical and market analysis; improvement of the service and user experience; possible follow-up contact via email for clarification or further inquiries.

4.2 Waitlist registration: management of the waitlist for the launch of the Amazed product; sending communications related to the product launch, news, availability of the service.

4.3 Security, abuse prevention and proper functioning of the website: prevention of fraudulent activities, abuse and automated attacks (rate limiting, anti-spam); ensuring the proper functioning of the website.

4.4 Statistical analysis of navigation: collection of aggregated and anonymous data regarding the use of the website (pages visited, navigation paths, interaction events, form completion rates) in order to understand how users use the website, identify malfunctions, improve user experience and the effectiveness of content. Data collected for this purpose are not used for individual profiling nor for behavioral advertising.

The legal basis of processing varies according to the purpose:

For purposes 4.1 (survey) and 4.2 (waitlist): free, specific, informed and unambiguous consent of the data subject pursuant to Article 6(1)(a) of the GDPR.

For purposes 4.3 (security) and 4.4 (statistical analysis of navigation): legitimate interest of the Data Controller pursuant to Article 6(1)(f) of the GDPR in protecting its website, preventing abuse and improving the service offered. This legal basis applies because the data collected for purpose 4.4 are statistical in nature, are not associated with a persistent identifier on the user''s device and do not involve any form of individual profiling or behavioral advertising.

For aggregated and anonymized statistical analysis: legitimate interest of the Data Controller within the limits permitted by applicable law.

The data subject has the right to object at any time to processing based on legitimate interest, by writing to privacy@amazed.tours. The data subject also has the right to withdraw consent at any time without affecting the lawfulness of processing based on the consent given before its withdrawal.

Data are processed using electronic and IT tools, through infrastructure developed and managed by Amazed S.r.l. and its Data Processors, in compliance with the technical and organizational security measures provided for by Articles 25 and 32 of the GDPR.

In particular, the Data Controller adopts the following measures: encryption of data in transit (HTTPS / TLS); encryption of data at rest in the databases used; rate-limiting systems to prevent abuse; access to data limited to authorized personnel and appointed Data Processors; Row Level Security policies on databases, preventing unauthorized access to data even in case of compromise of public credentials.

Personal data will never be sold or transferred to third parties for commercial purposes.

Data may only be communicated to entities acting as Data Processors pursuant to Article 28 of the GDPR, on the basis of specific data-processing agreements ensuring compliance with the GDPR. In particular:

Vercel Inc. (United States): hosting of the website and APIs.

Supabase Inc. (European Union, Frankfurt): storage of survey responses and waitlist registrations.

Upstash Inc. (European Union / United States): abuse prevention and traffic control.

Resend Inc. (United States): sending service emails and operational communications.

PostHog Inc. (United States; EU instance with data processing location in Frankfurt, Germany): anonymous statistical collection and analysis of navigation data, without the use of cookies or persistent identifiers.

Data may also be communicated to employees and collaborators of Amazed S.r.l. expressly authorized, and to competent authorities where required by law.

The updated list of Data Processors is available upon request by writing to privacy@amazed.tours.

Some of the providers listed in section 7 (in particular Vercel, Resend, PostHog and partially Upstash) are based in the United States of America or may process data outside the European Economic Area. For the processing of analytics data through PostHog, storage takes place in the provider's EU instance (Frankfurt, Germany); the parent company nevertheless remains subject to US jurisdiction.

In all cases of extra-EU transfer, Amazed S.r.l. ensures that the transfer takes place in compliance with Articles 44-49 of the GDPR, through adequate safeguards, in particular:

Standard Contractual Clauses (SCC) approved by the European Commission with Implementing Decision (EU) 2021/914; EU-US Data Privacy Framework, where the provider has adhered to it; supplementary technical and organizational security measures, including encryption and pseudonymization.

The data subject may request a copy of the safeguards adopted by writing to privacy@amazed.tours.

Personal data collected through the survey will be retained for the time strictly necessary to achieve the purposes indicated above and, in any case, for a period not exceeding 24 months from collection.

Data collected through the waitlist registration form will be retained until the withdrawal of consent by the data subject or until the completion of the product launch process, and in any case for a period not exceeding 24 months from registration in the absence of interactions.

Data collected for security and server log purposes are retained for a period not exceeding 30 days, unless retention for investigation purposes is necessary in case of abuse.

Statistical analytics data collected through PostHog are retained for a period not exceeding 12 months, after which they are deleted or irreversibly anonymized.

Data used for aggregated and fully anonymized statistical analysis, no longer traceable to the data subject, may be retained for longer periods.

Upon expiration of the retention periods, data will be deleted or irreversibly anonymized.

The provision of data requested in the survey is voluntary. Failure to provide mandatory data will make it impossible to complete and submit the survey. The email address field is optional: failure to provide it does not prevent completion of the survey, but will make it impossible for the Data Controller to contact the data subject for any clarification.

For waitlist registration, providing the email address is necessary. Failure to provide it will make it impossible to register for the waitlist.

The data subject has the right to:

Access their personal data (Art. 15 GDPR);

Obtain rectification of inaccurate or incomplete data (Art. 16 GDPR);

Obtain the erasure of their data (Art. 17 GDPR, right to be forgotten);

Request the restriction of processing (Art. 18 GDPR);

Obtain data portability in a structured and readable format (Art. 20 GDPR);

Object to processing based on legitimate interest (Art. 21 GDPR);

Withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal;

Lodge a complaint with the Italian Data Protection Authority (Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it) or with the supervisory authority of the EU country of residence.

To exercise their rights, the data subject may write to privacy@amazed.tours or via certified email (PEC) to amazed@pec.it.

The Data Controller will respond to requests within 30 days of receipt, extendable by a further 60 days in case of particularly complex requests.

The Data Controller reserves the right to modify, update or supplement this privacy policy at any time, including in response to regulatory changes or modifications to the service.

Changes will be published on this page with indication of the date of last update. Users are invited to periodically consult this privacy policy. In case of substantial changes, the Data Controller may notify users who have provided their email address.

By submitting the survey or registering for the waitlist, the user declares to have read this privacy policy and gives consent to the processing of personal data for the purposes indicated, pursuant to Article 6(1)(a) of the GDPR.