PIQOD Cookie Policy
Last updated: April 13, 2026
Version: 1.0.0
Language notice: This is an informal English translation. The legally binding version is the Italian Cookie Policy. In case of discrepancy, the Italian version prevails.
This Cookie Policy explains what cookies are, which cookies we use on piqod.it, how you can manage them, and the legal bases for their use.
This policy should be read together with our Privacy Policy.
1. What are cookies
Cookies are small text files that websites save on a user's device during navigation, to remember information about the visit. Some cookies are technical and serve the site's operation, others serve to analyze usage or for profiling purposes.
Besides cookies, some sites use similar technologies such as:
- localStorage and sessionStorage (browser memory spaces)
- IndexedDB (browser local database)
- Web beacons (small invisible files for tracking)
- Device identifiers or fingerprinting
This policy refers to all these technologies collectively as "cookies" for simplicity.
2. The 6 cookie categories on PIQOD
We group cookies into 6 clear categories. For each we specify:
- What it does
- Whether it requires consent
- How the user can manage it from the Preference Center
🟢 Category 1 — Essential (always active)
Purpose: ensure basic technical site operation. Without these cookies the Site cannot function (login, session persistence, CSRF protection, attack detection).
Legal basis: no consent required (Art. 122 Italian Privacy Code and Garante 2021 Provision for strictly necessary cookies).
Cookies included:
| Cookie name | Purpose | Duration |
|---|---|---|
| piqod_session | Authenticated user session (JWT httpOnly) | 24 hours |
| piqod_admin_session | Admin area session (staff only) | 4 hours |
| piqod_csrf | Protection against Cross-Site Request Forgery | Session |
| __cf_bm | Cloudflare bot management (DDoS protection) | 30 minutes |
| NEXT_LOCALE | Current locale preference (determined by path) | 1 year |
| piqod_consent | Storing preferences for this Cookie Policy | 12 months |
How to manage: these cookies cannot be disabled, because without them the site does not work. Users can only delete them from the browser (with consequences on functionality).
🔵 Category 2 — Functional (enabled, opt-out if not wanted)
Purpose: remember user preferences across sessions for better experience (language, currency, light/dark theme).
Legal basis: legitimate interest + opt-out. In EU, no explicit consent is needed for purely technical preference cookies, but users can disable them.
Cookies included:
| Name | Purpose | Duration |
|---|---|---|
| piqod_theme | Selected light/dark theme | 1 year |
| piqod_currency | Displayed currency (EUR, USD, GBP, JPY) | 1 year |
| piqod_language_pref | Preferred language beyond URL locale | 1 year |
| piqod_recent_searches | User's last 5 searches (localStorage) | 30 days |
| piqod_wishlist_local | Locally saved wishlist before login | 90 days |
How to manage: "Functional" slider in Preference Center. If they are disabled, preferences will be lost every session.
🟣 Category 3 — Anonymous analytics (opt-in, explicit consent)
Purpose: measure aggregated Site usage to improve it (most visited pages, loading times, device mix, navigation flows). Data is aggregated and anonymized, and does not directly identify the user.
Legal basis: explicit consent (Art. 6(1)(a) GDPR + Art. 122 Italian Privacy Code for non-technical cookies).
Cookies included:
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Anonymized user identifier | 2 years |
| _ga_<id> | Google Analytics 4 | Session state | 2 years |
| _gid | Google Analytics 4 | User distinction | 24 hours |
| _gat_gtag_UA_* | Google Analytics 4 | Request throttling | 1 minute |
Protections applied:
- IP anonymization active (last octet zeroed)
- Consent Mode v2 enabled (Google receives aggregated data even without consent, but only for modeling; with consent, detailed data)
- ads_data_redaction=true (removal of advertising identifiers)
- url_passthrough=true (removal of sensitive parameters from URLs)
- No advertising cookies activated
- Transfer to Google LLC (USA) based on Standard Contractual Clauses
How to manage: "Anonymous analytics" slider in Preference Center. If it is disabled, Google Analytics will stop tracking navigation.
🟠 Category 4 — Behavioral (opt-in, explicit consent)
Purpose: analyze user navigation behavior (clicks, dwell time per experience, applied filters, search sequences) to:
- Personalize search result ranking
- Suggest destinations based on interests
- Train internal recommendation models
Legal basis: explicit consent (Art. 6(1)(a) GDPR + Art. 22 GDPR for profiling).
Included cookies and data:
| Technology | Purpose | Duration |
|---|---|---|
| piqod_track_id | Anonymous navigation identifier | 12 months |
| piqod_behavior_buffer | Local buffer of behavioral events | 7 days |
| Server-side event tracking | Click recording, dwell time, filters | 26 months |
Collected data:
- Search queries performed
- Experiences clicked
- Dwell time on cards
- Filters applied
- Navigation paths (home → search → detail → redirect)
- Redirects to partners (Viator, Tiqets)
- Anonymous sessions linked via fingerprint hash
How to manage: "Behavioral" slider in Preference Center. If it is disabled, PIQOD will not use navigation data for personalization or to train ML models. Navigation remains fully functional.
🔴 Category 5 — Advertising and profiling (opt-in, explicit consent)
Purpose: serve targeted advertising and measure promotional campaign effectiveness.
Current state: NO COOKIE OF THIS CATEGORY IS ACTIVE at the time of publication of this policy. The category has been prepared for the future, when PIQOD eventually integrates advertising partners.
Legal basis: explicit consent (Art. 6(1)(a) GDPR + Art. 22 GDPR).
When the category is activated with real cookies, we will update this section with the detailed list and notify users via a prominent banner.
How to manage: "Advertising" slider in Preference Center, initially visually disabled (grey, with note "not yet active").
🟤 Category 6 — Aggregated data sharing with commercial partners (opt-in, explicit consent)
Purpose: contribute your behavioral data to aggregated and anonymized datasets that PIQOD may use for internal market research or, in the future, share/license to third-party commercial partners (travel marketing agencies, tour operators for competitive analysis, academic researchers).
Mandatory guarantees:
- No personally identifiable data ever transferred: no email, no IP, no user ID
- Minimum aggregation k=100: each aggregated record contains data from at least 100 users
- Differential privacy: mathematical noise injection to prevent de-anonymization
- B2B contracts with rigid non-re-identification clauses for every buyer
- Internal register of sharing, maintained and consultable by the user upon DSAR request
Examples of shareable aggregated data:
- "43% of travel searches for Rome in month X came from mobile devices"
- "The modal price range for Colosseum experiences is €25-50"
- "Average mobile conversion is on Tuesdays at 8:00 PM CET"
Examples of NEVER-shareable data (prohibited):
- Email lists
- Individual search queries with user ID
- Individual navigation history
- GPS coordinates
- PIQOD Live content with author identity
Legal basis: separate explicit consent (Art. 6(1)(a) GDPR).
Current state: at publication time, PIQOD is accumulating data but has not yet initiated sale or sharing with third parties. A user who gives consent now "reserves" the fact that their aggregated data may flow into future commercial datasets. Those who deny consent guarantee total exclusion.
How to manage: "Aggregated data sharing" slider in Preference Center. Revocation has immediate effect: future user data will not flow into any dataset. Data already aggregated in past datasets cannot be retroactively removed (the irreversible nature of anonymization makes it mathematically impossible), but contribution is mathematically non-attributable to the individual user.
3. Preference Center — how to manage cookies
The PIQOD Preference Center is accessible:
- During first visit: bottom banner with 6 sliders
- At any time: "Cookie Preference Center" link at the bottom of the page (footer)
- From user profile: /profilo/privacy → "Cookie Preferences" tab
In the Preference Center you can:
- See current state of each category
- Activate/deactivate each category individually
- Activate/deactivate all optional categories with one click
- Consult the list of active cookies in real time
- Review the history of your consent choices
Your choices are stored in the piqod_consent cookie (12 months duration) and, if logged in, synchronized with your account via the user_consents table in our database. This ensures consistency across devices.
4. Withdrawal of consent
You can withdraw consent for any optional category at any time, with immediate effect, from the Preference Center. Withdrawal:
- Immediately stops new data collection for that category
- Does not prejudice the lawfulness of processing before withdrawal
- Does not result in negative consequences on Site usage (no paywall, no functional block for revoking optional cookies)
5. Third-party cookies
Third-party cookies are those installed by domains other than piqod.it. Some external services we use may install third-party cookies:
| Service | Domain | Category | Purpose |
|---|---|---|---|
| Google Analytics 4 | google-analytics.com, googletagmanager.com | Analytics | Site usage measurement |
| Google OAuth | accounts.google.com | Essential (only during Google login) | User authentication |
| Cloudinary | res.cloudinary.com | Technical | Optimized image loading |
| Cloudflare | cloudflare.com (invisible) | Essential | DDoS protection and delivery |
Users can block third-party cookies from their browser settings.
6. Automatically collected data (non-cookie)
Besides cookies, during navigation we automatically collect some technical data necessary for operation:
| Data | How | Why |
|---|---|---|
| IP address | HTTP header | Anti-abuse, approximate geolocation, security |
| User-Agent | HTTP header | Compatibility rendering, device detection |
| Referer | HTTP header | Incoming traffic attribution |
| Accept-Language | HTTP header | Language suggestion on arrival |
| Request timestamps | Server log | Auditing, debugging |
This data is technically necessary and does not fall under cookie consent. It is retained for a maximum of 90 days in server logs, then anonymized or deleted.
7. Responsibility and contacts
The Data Controller of this data is PIQOD di Sorrentino Lucio (see Privacy Policy for complete details).
For any question related to this Cookie Policy or cookie management:
- Privacy email: privacy@piqod.it
- Preference Center: /en/cookie-policy#center
- Italian Data Protection Authority (complaints): https://www.garanteprivacy.it
8. Updates
This Cookie Policy may be updated to reflect technological changes, new providers or new features. In case of substantial modifications (new category, new external provider, new cookies), active users will be informed via email and a prominent banner, with at least 30 days' advance notice.
The date of the last update is always indicated at the top of the document. Continued use of the Site after modifications constitutes acceptance, but users retain the right to modify their consent preferences at any time.
End of document.