PIQOD Privacy Policy
Last updated: April 13, 2026
Version: 1.0.0
Language notice: This is an informal English translation. The legally binding version is the Italian Privacy Policy. In case of discrepancy, the Italian version prevails.
This notice describes how PIQOD collects, uses, stores and shares personal data of users of piqod.it and its connected services (the "Service"). It is drafted in compliance with EU Regulation 2016/679 (GDPR), the Italian Privacy Code and other applicable European regulations, using the clearest possible language.
If you have questions or want to exercise your rights after reading it, write to privacy@piqod.it.
1. Who we are — the Data Controller
The Data Controller of personal data collected through the Service is:
- Name: PIQOD di Sorrentino Lucio (sole proprietorship)
- Legal representative: Sorrentino Lucio
- Registered address: Via Somma n. 10, 80034 Marigliano (NA), Italy
- VAT / Tax ID: 09825941215
- Privacy contact: privacy@piqod.it
- General contact: info@piqod.it
- Certified mail (PEC): {{LEGAL_ENTITY_PEC}} (to be activated)
PIQOD is not currently required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR, but we have designated an internal Privacy Officer who coordinates all data protection requests, reachable at privacy@piqod.it.
2. What PIQOD does — fundamental operational clarification
PIQOD is a travel experiences metasearch. We aggregate and display tours, attractions, tickets and activities provided by third-party commercial partners (currently Viator and Tiqets, with additional partners being integrated), operating as a comparison aggregator.
What we do:
- Show partner commercial offers with descriptions, images, prices and availability
- Provide search engine, filters, ranking and personalization
- Redirect users to the partner site to complete bookings
What we do NOT do:
- We do not sell any travel experience directly
- We do not receive end user payments
- We do not manage booking, confirmation, cancellation or refunds
- We do not process user credit card or payment data
Transactions occur entirely on the partner site (Viator, Tiqets, etc.), which is the merchant of record and has its own independent privacy policy. PIQOD receives an affiliate commission when a click generates a partner-confirmed conversion.
This distinction is relevant to understanding who processes which data and with what legal basis.
3. What data we collect and how
We distinguish between data necessary for the Service and optional data that users can choose to share.
3.1 Data provided directly by the user
| Category | Examples | When we collect |
|---|---|---|
| Registration data | Email, name, hashed password, preferred language, currency, country | At account registration |
| Profile data | Avatar (image), travel preferences, country code | When user completes or modifies profile |
| User-generated content (UGC) | PIQOD Live photos, caption text, location tags, user tags | When publishing a "Live" |
| Wishlist & reminders | Saved experiences, reminder date and time | When saving an experience or scheduling a reminder |
| Support requests | Contact messages, reports, DSAR requests | When communicating with us |
| Newsletter | Email, sending preferences | When voluntarily subscribing |
3.2 Data automatically collected during navigation
| Category | Examples | Technical source |
|---|---|---|
| Technical connection data | IP address, user-agent hash, browser language, timezone | HTTP headers |
| Navigation data | Pages visited, search queries, filters applied, clicks on experiences, dwell times | Server log + tracking JS |
| Device identifiers | Pseudonymous device fingerprint hash, session cookie ID | Generated server-side |
| Approximate geolocation | City, region, country estimated from IP | MaxMind GeoLite2 (local database, no third-party calls) |
| Device data | Device type (mobile/desktop), operating system, browser | User-agent parsing |
3.3 Data collected with explicit browser permissions (opt-in)
For some advanced features, we request explicit permissions through browser APIs. Users can always deny or revoke these permissions from browser or device settings.
| Permission | When we ask | What we collect |
|---|---|---|
| Precise geolocation | When user decides to publish a Live | GPS coordinates (lat/lng) with accuracy, exclusively at upload time |
| Camera | When user chooses to take a photo for a Live | Capture frame (video stream is not stored) |
| Gallery | When user uploads an existing photo | The selected photo + any EXIF metadata (including GPS if present) |
We never collect: biometric data, health data, sensitive data under Art. 9 GDPR, data of minors under 14 (in Italy) or 16 (in other EU states, except with parental consent).
3.4 Cookies and similar technologies
Cookie usage is described in detail in our Cookie Policy. In summary, we group cookies into six categories:
- Essential (always active, no consent required)
- Functional (language, currency, theme, dismissible without consent in EU)
- Anonymous analytics (Google Analytics 4 with IP anonymization and Consent Mode v2)
- Behavioral (navigation tracking for personalization and ML learning)
- Advertising and profiling (currently unused, reserved for future advertising partners)
- Aggregated data sharing with third-party commercial partners (see section 7)
Users can modify their preferences at any time from the Preference Center accessible from the Cookie Policy page or their profile in the Privacy Dashboard.
4. Purposes of processing and legal bases
Each data processing operation has a specific purpose and legal basis under Art. 6 GDPR. We list them all, with no omissions.
4.1 Service delivery (basis: contract execution, Art. 6(1)(b) GDPR)
- User account creation and management
- Authentication and session management
- Providing site features (search, filters, wishlist, experience detail, partner redirect)
- Wishlist email reminder management (when activated by user)
- User support and request management
4.2 Personalized experience (basis: legitimate interest, Art. 6(1)(f) GDPR)
- Storing preferences (language, currency, theme)
- Personalized ranking of search experiences (when user is logged in)
- Destination suggestions based on navigation activity
Balancing of interests: we evaluated that our interest in providing a relevant experience is proportionate to privacy impact, because we use only navigation data on our platform, never data acquired from external sources, and users can object at any time.
4.3 Site security and abuse prevention (basis: legitimate interest, Art. 6(1)(f) GDPR)
- Detection of suspicious activity, bot scraping, credential stuffing attempts
- Blocking of IP addresses involved in abuse
- Moderation of user-generated content via automated analysis (local ML based on NSFW.js, no data sent to third parties for this purpose)
4.4 PIQOD Live — content moderation (basis: contract execution + legal obligation DSA, Art. 6(1)(b)(c) GDPR)
When a user publishes a photo on the Live service, it is subjected to automated analysis to verify compliance with community guidelines and legal rules (EU Digital Services Act 2022/2065). Analysis takes place on servers we own, with no third-party transfer.
Content judged to violate rules (sexually explicit, violent, illegal, copyright-infringing, spam) is rejected at upload or removed after publication. Users always have the right to request reinstatement by contacting privacy@piqod.it or using the internal complaint flow.
4.5 Service analysis and improvement (basis: consent, Art. 6(1)(a) GDPR)
When the user consents via the cookie center to the "Anonymous analytics" category:
- We use Google Analytics 4 with IP anonymization and Consent Mode v2
- Collected data is aggregated and pseudonymized, not directly identifying the user
- Data transfer to Google LLC (United States) is based on EU Commission Standard Contractual Clauses (SCC)
4.6 Behavioral personalization and machine learning (basis: consent, Art. 6(1)(a) GDPR)
When the user consents to the "Behavioral" category:
- We collect detailed browsing session data, clicks, dwell times, search queries
- This data is used to train internal recommendation and ranking models
- Data is pseudonymized via session ID hash and not linked to direct personal identity in final models
The user can deactivate this collection at any time from the cookie center, with immediate effect. Data collected before revocation remains in already-trained models, which are periodically retrained according to the training cycle.
4.7 Sharing of anonymous aggregated data with third parties (basis: consent, Art. 6(1)(a) GDPR)
When the user consents to the "Aggregated data sharing with commercial partners" category:
- Their behavior data may contribute to anonymized aggregated datasets that PIQOD may in the future share or license to commercial third parties (marketing agencies, tour operators, market researchers)
- Shared data in no way allows tracing back to user identity: it is aggregated in groups of at least 100 users and subject to k-anonymity and differential privacy noise injection techniques
- No personally identifiable information (PII) is ever transferred to third parties: no email, no IP, no user ID
- Example of saleable aggregated data: "In March, 43% of searches for Rome came from mobile devices, with a modal price range of €25-50"
- Example of NON-saleable data (never shared): "Marco Rossi searched Rome on March 14 at 14:32 and clicked experience X"
Current state (April 2026): at the time this notice is published, PIQOD is accumulating data but has not yet activated sale or sharing with third parties. Users who deny consent are guaranteed that their behavior data will not flow into any future commercial dataset.
Register of sharing: we will maintain an internal register of every future sharing of aggregated datasets, available upon request for consultation via the DSAR procedure (section 8).
4.8 Legal obligations (basis: legal obligation, Art. 6(1)(c) GDPR)
- Retention for tax, accounting, anti-money laundering purposes
- Response to judicial authority requests
- DSA compliance for removal of illegal content
5. To whom we communicate your data
PIQOD never sells personally identifiable data. Your data is however inevitably processed by technical providers ("Data Processors" under Art. 28 GDPR), each bound to PIQOD by a Data Processing Agreement (DPA).
5.1 List of Data Processors
| Provider | Role | Country | Extra-EU transfer |
|---|---|---|---|
| Cloudflare, Inc. | CDN, edge hosting (Workers, R2, KV), DDoS protection, Access | USA (HQ), global nodes | Yes, with SCC + Data Processing Addendum |
| OVH SAS | Transactional email (SMTP), backend hosting | France (EU) | No |
| Cloudinary Ltd. | Image transformations, thumbnails | Israel / USA | Yes, with SCC |
| MongoDB, Inc. | (if MongoDB Atlas in future) | USA / EU | Yes, with SCC |
| Google LLC | Google Analytics 4, Google OAuth, Google Search Console | USA | Yes, with SCC + partial adequacy |
| Sentry.io (Functional Software, Inc.) | Backend error tracking | Germany (EU) | No |
| Grafana Labs | Managed observability (Tempo, Loki, Mimir) | USA / EU | Yes, with SCC |
The updated list is available on the dedicated Sub-processors page (being drafted) and is updated within 30 days of any substantial modification.
5.2 Commercial partners (travel experience providers)
Partners Viator, Tiqets (and future ones) receive data only at click-out, meaning when the user decides to proceed with booking on their site. At that moment, PIQOD communicates to the partner only affiliate tracking parameters (conversion pixel, generic session identifier, referring URL), not user personal data.
Once the user interacts with the partner site, only the partner's privacy policy governs the processing of their data (the partner becomes an autonomous Controller).
5.3 Public authorities
We may be required to communicate data to judicial authorities, law enforcement or supervisory authorities in the presence of legitimate formal requests, under applicable criminal, tax, administrative or public safety laws.
6. International data transfers
Some of our providers are located outside the European Economic Area (EEA), particularly in the United States. For these transfers, we adopt all guarantees provided by Chapter V of GDPR:
- Standard Contractual Clauses (SCC) approved by the European Commission (decision 2021/914)
- Data Processing Addendum (DPA) signed with each extra-EU provider
- Transfer Impact Assessments (TIA) for US providers in light of the Schrems II ruling
- Supplementary measures when necessary (end-to-end encryption, pseudonymization, minimization)
Users can request copies of relevant SCCs by writing to privacy@piqod.it.
7. How long we retain your data
We follow the principle of storage limitation (Art. 5(1)(e) GDPR): data is retained only for the time strictly necessary for the purposes for which it was collected.
| Data category | Retention period |
|---|---|
| Active user account | As long as the account is active + 30 days grace period after deletion request |
| Anonymized navigation data | Up to 26 months (aligned with Google Analytics default) |
| Technical server logs | 90 days, then anonymized or deleted |
| Transactional emails (SMTP log) | 12 months |
| PIQOD Live content | 24 hours from publication, then irreversibly deleted from database and storage |
| Database backups | 30 days on off-site systems, cycled |
| Administrative audit log | 24 months |
| Tax/accounting data | 10 years (legal obligation) |
| DSA complaint management logs | 6 months |
| Cookie consent records | Until revocation or account deletion |
At term expiration, data is securely deleted or irreversibly anonymized (such that it can no longer be traced back to an individual).
8. Your rights as data subject
Under Art. 15-22 GDPR, you have the following rights over your personal data, which you can exercise at no cost and at any time:
8.1 Right of access (Art. 15)
You can obtain confirmation that we are processing data concerning you and receive a copy in structured, commonly used and machine-readable format (JSON).
From your profile → Privacy Dashboard you can download a complete ZIP archive of your data yourself.
8.2 Right to rectification (Art. 16)
You can correct inaccurate data or integrate incomplete data, directly from your user profile or by writing to us.
8.3 Right to erasure ("right to be forgotten", Art. 17)
You can request deletion of your data, unless legal obligations apply. The request is processed within 30 days of receipt.
Deleting a PIQOD Live: you can delete your story at any time, with immediate effect, without waiting for the 24-hour expiration. One click from your profile.
Removing a tag: if you have been tagged in someone else's story and don't want to appear, you can request tag removal from the story via a dedicated button or email. We process the request within 72 hours.
8.4 Right to restriction (Art. 18)
You can request temporary suspension of processing of your data pending verification.
8.5 Right to portability (Art. 20)
You can request your data in a structured, commonly used and readable format, to transfer it to another controller.
8.6 Right to object (Art. 21)
You can object to processing based on legitimate interest (sections 4.2 and 4.3) and profiling processing.
8.7 Right not to be subject to automated decisions (Art. 22)
The Service uses automated algorithms for ranking and moderation, but none of these produce significant legal effects on the user. In any case, the user can request human intervention by contacting us.
8.8 How to exercise rights
- Via Privacy Dashboard (fastest, self-service for access, export, deletion, consent management)
- Via email: privacy@piqod.it (specifying the request and providing proof of identity if necessary)
- Via certified mail: {{LEGAL_ENTITY_PEC}}
Our team responds within 30 days of receiving the complete request (extendable by a further 60 days in case of particularly complex requests, subject to notification).
8.9 Right to complain
If you believe that the processing of your data violates GDPR, you have the right to lodge a complaint with the competent supervisory authority:
- Italian Data Protection Authority: https://www.garanteprivacy.it
- Supervisory authority of your EU state of habitual residence, place of work or alleged controller
9. Data security
We adopt technical and organizational measures appropriate to risks, including:
Technical:
- Encryption in transit (TLS 1.3) on all connections
- Encryption at rest for databases and storage (AES-256)
- Password hashing with modern algorithms (bcrypt/argon2)
- Network segregation between application components (edge, backend, database)
- Mandatory two-factor authentication (2FA) for administrative access
- Periodic rotation of cryptographic keys and secrets
- Content moderation via local ML (no third-party transfer for this purpose)
- Rate limiting, web application firewall (WAF) and DDoS protection
- Audit log of all administrative operations with retention
Organizational:
- Periodic staff training
- Access policies based on least privilege principle (RBAC)
- Internal code of conduct for data management
- Incident response and 72-hour Garante notification procedures in case of breach
In case of data breach involving risks to rights and freedoms of data subjects, PIQOD will notify the Garante within 72 hours and inform affected users as required by Art. 33-34 GDPR.
10. Minors
The PIQOD Service is aimed at persons aged 14 and over (in Italy, under Italian Legislative Decree 101/2018) and 16 and over in other EU Member States, unless a parent or guardian gives explicit consent.
We do not intentionally collect data from minors under such age. If we discover we have done so, we delete the data as quickly as possible. Parents or guardians of minors can report the presence of a minor's account by writing to privacy@piqod.it to request its deletion.
If a user uploads a Live in which recognizable minors appear, PIQOD reserves the right to remove the content even without notification, to protect the minors represented.
11. User-generated content (UGC) — specific rules for PIQOD Live
The PIQOD Live service allows registered users to publish photographic content (up to 2 photos per "Live") visible to other registered users for 24 hours.
11.1 Usage license
By publishing a Live, the user retains ownership of the content but grants PIQOD a non-exclusive, free, worldwide license to use it solely for Service delivery purposes. This license automatically terminates when the Live expires or is deleted by the user.
PIQOD will not use UGC content for external advertising purposes, third-party sale, or training of generative AI models without further explicit consent.
11.2 Prohibited content
Content that will be removed includes:
- Nudity, sexual acts or sexually explicit content
- Depictions of violence, injury, animal cruelty
- Incitement to hatred, discrimination, violence against persons or groups
- Violations of third-party intellectual property rights (stolen photos, etc.)
- Recognizable minors in inappropriate contexts
- Personal information of third parties without consent (addresses, license plates, documents)
- Promotion of illegal activities, scams, deceptive content
- Unauthorized advertising spam
For more details see our Community Guidelines.
11.3 Automated moderation
Every photo uploaded is analyzed by a local ML model (NSFW.js) running on our servers, with no third-party transfer. The model assigns a safety score and:
- Photos with a safe score are published immediately
- Photos with a doubtful score are placed in a manual review queue
- Photos with a clearly violating score are rejected with notification to the user
Users who believe a removal was incorrect can appeal via privacy@piqod.it within 14 days of notification. The appeal is examined by a human operator and resolved within 72 business hours.
11.4 Content reporting (DSA)
Under EU Regulation 2022/2065 (Digital Services Act), we have implemented a notice-and-action mechanism allowing any user to report content alleged to be illegal or in violation of community rules. Reporting occurs via the "Report" button on each Live.
Reports are examined in good faith and without delay. Content reported as manifestly illegal is removed as quickly as possible. The reporter and content author are provided with reasoning for the decision taken.
12. Automated decisions and profiling
The Service uses ranking and recommendation algorithms to order search results, suggest destinations and personalize the experience. These algorithms:
- Use user navigation data (if consent provided for behavioral category)
- Use aggregated patterns from other users
- Do not produce decisions with significant legal effects on the user (do not deny access to services, do not evaluate creditworthiness, do not discriminate in relevant ways)
The user has the right to:
- Know the logic behind the algorithms
- Request human intervention for an alternative assessment
- Express their point of view and contest the automated decision
These rights are exercised by contacting privacy@piqod.it.
13. Updates to this notice
We update this notice periodically to reflect regulatory, technological or Service changes. The date of the last update is indicated at the top of the document.
In case of substantial modifications (e.g. new categories of processed data, new providers, new purposes), we will inform registered users via email and a prominent site notice, with at least 30 days' advance notice before the modifications take effect.
Continued use of the Service after modifications constitutes acceptance of them. Users who do not agree with modifications can always exercise their deletion right (section 8.3).
14. Contacts
For any question regarding this notice or the processing described:
- Privacy email: privacy@piqod.it
- General support email: info@piqod.it
- PEC: {{LEGAL_ENTITY_PEC}}
- Postal mail: PIQOD di Sorrentino Lucio, Via Somma n. 10, 80034 Marigliano (NA), Italy
We commit to respond within 30 days of every written request.
End of document.