Introduction
Welcome to keptour.com (the “Website” or the “Application”).
This Privacy Policy explains how Keptour s.r.l. processes your personal data when you use the Website and its travel planning services.
Data Controller
The Data Controller is:
Keptour s.r.l.
Contact email: [email protected]
You can contact us at this address for any questions or requests regarding privacy.
Categories of Data Processed
When you use keptour.com, we may process the following categories of personal data.
2.1 Browsing and usage data
Collected automatically while you use the Website, for example:
- IP address, browser type, device parameters, operating system;
- pages visited, time spent on pages, clicks, itineraries created or viewed;
- date and time of requests, referrer URLs, system logs.
These data are mainly collected through:
- server logs;
- tracking tools (cookies, pixels, local storage, etc.), as described in our Cookie Policy.
2.2 Data voluntarily provided by the user
When you fill in forms or contact us, we may collect:
- first name, last name, email address;
- any information you provide in free-text fields (for example, support requests, feedback);
- if you decide to create an account (when available), the data required for registration (e.g. email, username, credentials or external identifier).
2.3 Travel itinerary and preference data
When you use Keptour’s features, we may process:
- searched destinations, itineraries created or saved, planned travel dates;
- preferences (e.g. budget, preferred activities, trip duration);
- any notes or descriptions you add to your itineraries.
These data are needed to provide the planning features, suggestions and itinerary saving functions.
2.4 Data collected through cookies and tracking tools
We use technical, functional, statistical and – where you consent – marketing cookies.
Details on types of cookies, duration, and third-party providers are set out in the Cookie Policy of keptour.com, which forms an integral part of this Privacy Policy.
Note: at launch, we do not directly process payment data and we do not perform bookings of flights, hotels or other travel services. If we introduce such features in the future, we will update this Privacy Policy before starting any new processing.
Purposes and Legal Bases
We process your personal data for the following purposes and on the legal bases indicated below.
3.1 Technical operation of the Website and security
What we do: technical management of the Website, load balancing, protection against attacks, abuse prevention, system logging, use of services such as Cloudflare for optimization and content distribution.
Data involved: browsing data, logs, technical tracking tools.
Legal basis: performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR); legitimate interest of Keptour s.r.l. in ensuring the security and proper functioning of the platform (Art. 6(1)(f) GDPR).
3.2 Provision of travel planning services
What we do: allow you to browse the Website, create and manage itineraries, save travel preferences, access your account (when available), and respond to support requests.
Data involved: registration data (if any), itinerary and preference data, contact data.
Legal basis: performance of a contract or pre-contractual measures taken at your request (Art. 6(1)(b) GDPR).
3.3 Handling requests and user support
What we do: respond to emails or messages sent via contact forms or other channels.
Data involved: identification and contact data, content of your request.
Legal basis: performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR) and legitimate interest in providing support (Art. 6(1)(f) GDPR).
3.4 Statistical analysis and service improvement
What we do: aggregate and statistical analysis of how the Website is used (e.g. most visited pages, most created itineraries, Website performance) to improve our services and features.
Data involved: usage data, online identifiers, information collected through statistical/analytics cookies.
Legal basis: your consent (Art. 6(1)(a) GDPR) for non-technical cookies where required by applicable law.
3.5 Marketing and communications (where applicable)
What we do: send newsletters or promotional communications about Keptour and its services, and personalise content and messages based on your travel preferences and Website usage.
Data involved: email address, itinerary and preference data, usage data, marketing/profiling cookies.
Legal basis: your consent (Art. 6(1)(a) GDPR), for example when you subscribe to a newsletter or accept marketing cookies; the Controller’s legitimate interest in promoting similar services you already use (within the limits of applicable law), without prejudice to your right to object.
You may unsubscribe from newsletters at any time by using the link in each communication or by contacting the Controller.
3.6 Legal obligations and defence in court
What we do: comply with legal obligations, authorities’ orders, and defend our rights in judicial or extrajudicial proceedings.
Data involved: all categories of data where necessary.
Legal basis: legal obligation (Art. 6(1)(c) GDPR) and legitimate interest in defending our rights (Art. 6(1)(f) GDPR).
Methods of Processing
Processing is mainly carried out using electronic tools, according to organisational procedures and logics strictly related to the purposes indicated and in compliance with appropriate security measures designed to prevent unauthorised access, loss, unlawful use or disclosure.
In addition to the Controller, data may be accessed by:
- authorised internal staff (e.g. administration, IT, marketing, customer support);
- technical service providers, hosting providers, maintenance providers, analytics tools, email platforms, etc., acting as Processors under Art. 28 GDPR, where required.
An updated list of Processors can be requested from the Controller.
Place of Processing and Extra-EU Transfers
Data are processed at the operational offices of Keptour s.r.l. and at the servers of our service providers (e.g. hosting, CDN, analytics), which may be located outside the European Union.
Where data are transferred to countries that do not provide an adequate level of protection according to the European Commission, Keptour s.r.l. adopts appropriate safeguards, such as adequacy decisions (where available), Standard Contractual Clauses (SCCs), and additional technical measures (e.g. encryption, pseudonymisation).
You can request more information about extra-EU transfers and the safeguards in place by contacting the Controller.
Data Retention
Unless otherwise specified:
- Account and itinerary data are kept for the duration of the contractual relationship (i.e. as long as you keep your account) and thereafter for the time necessary to comply with legal obligations or to protect Keptour s.r.l.’s rights;
- Contact data used to respond to requests are kept for the time needed to handle your request and for a limited subsequent period, where necessary to document the activities carried out;
- Marketing data are kept until you withdraw your consent or exercise your right to object, subject to technical deletion times;
- Technical logs and browsing data are generally kept for no longer than 12 months, unless otherwise required by law or security needs;
- Cookies are stored for the periods indicated in the Cookie Policy (duration varies by type and provider).
Once the retention periods have expired, data will be deleted or irreversibly anonymised.
User Rights under the GDPR
As a data subject, you have the right to:
- Access your personal data and obtain a copy;
- Request rectification of inaccurate data or completion of incomplete data;
- Request erasure of your personal data in the cases provided for by Art. 17 GDPR;
- Obtain restriction of processing in the cases provided for by Art. 18 GDPR;
- Object to processing based on legitimate interest, on grounds relating to your particular situation;
- Object at any time to processing for direct marketing purposes, including profiling related to such marketing;
- Receive your data in a structured, commonly used and machine-readable format and have them transmitted to another controller (data portability);
- Withdraw your consent at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal;
- Lodge a complaint with a competent supervisory authority (for example, in Italy the Garante per la protezione dei dati personali, or the authority of your place of residence or work).
To exercise your rights, you can contact: [email protected]. The Controller will respond as soon as possible and in any case within one month.
Users Outside the EU (e.g. USA – CCPA/CPRA)
Keptour s.r.l. aims to ensure a high level of data protection also for users accessing the Website from non-EU countries.
If you reside in jurisdictions with specific consumer privacy laws (for example California – CCPA/CPRA or other regions with similar regulations), you may have additional rights, such as the right to know which categories of personal data we collect, use or disclose, the right to request deletion of your personal data (within the limits set by local law), and the right to opt out of the “sale” or “sharing” of personal data, where Keptour s.r.l. engages in activities qualifying as such under local laws.
To exercise such rights, you can contact us at [email protected], specifying your place of residence. Where specific mechanisms are required (e.g. a “Do Not Sell or Share My Personal Information” link), they will be made available on the Website.
Defence in Court and System Logs
Personal data may be used by the Controller in legal proceedings or in the preparatory stages thereof to defend against misuse of the Website or related services.
For operation and maintenance purposes, the Website and any third-party services used may collect system logs, i.e. files that record interactions and may also contain personal data (such as IP addresses and timestamps).
Changes to this Privacy Policy
Keptour s.r.l. reserves the right to modify this Privacy Policy at any time.
In case of material changes (for example, introduction of new functionalities such as bookings and payments), we will inform users through a prominent notice on the Website and, where necessary, seek renewed consent for processing activities that require it.
The updated version is always available on this page, with the date of the latest revision.