Privacy Policy

Who we are, who is the data controller

VespAway, registered office: Via dei Mille 12, 07040 Stintino (SS), Italy. Email: info@vespaway.it. Phone: +39 340 8239859.

We are the controller of your personal data under EU Regulation 2016/679 (GDPR). For any privacy question, write to info@vespaway.it — we reply within 5 days.

What data we collect, why

When you book: first name, last name, email, phone, date of birth, address, country, driving licence details. Used for booking, rental contract, insurance, legal obligations.

When you write on WhatsApp: name and phone. Only to reply, deleted after 12 months of inactivity.

When you browse: technical cookies always (essential), analytics cookies opt-in (see Cookie Policy). No profiling, no data sale to third parties.

How long we keep them

Booking data: 10 years from end of rental (Italian tax requirement).

Uploaded documents (licence, ID): auto-deleted 90 days after rental end. Marketing email: until your opt-out (one click, link at bottom of every email).

Who sees your data

Only VespAway and our essential tech providers: Stripe (payment, EU/USA servers with SCC), Resend (transactional email, EU servers), Neon Postgres (database, EU), Vercel (hosting, EU). All under DPA.

Your rights

You can ask anytime: copy of your data, correction, deletion, restriction, portability (JSON). Write to info@vespaway.it. We reply within 30 days. Otherwise complain to garanteprivacy.it (Italian DPA).

Non-EU transfers

Stripe processes payments in the USA for some payment methods, under Standard Contractual Clauses. No other data leaves the EU.

Security

Database encrypted at rest. HTTPS/TLS connections. Admin passwords with bcrypt + mandatory 2FA TOTP. Uploaded documents encrypted. Audit log of every personal data access.