Privacy & Cookie policy

Privacy and Cookie Policy

Version 1.0 - March 2026

1. Data controller

The Data Controller of personal data collected through the VisitBrembo.it portal is:

VisitBrembo Association
Via A. Locatelli, 111
C.F.: 95237460167
VAT: IT04659680161
Email: info@visitbrembo.it

For any inquiries regarding the processing of personal data, you can contact the Controller at the above addresses.

2. Data collected and purpose of processing

The VisitBrembo.co.uk portal collects personal data under the following circumstances:

2.1 Site navigation (technical data)

During browsing, technical data such as IP address, browser type, operating system, pages visited and access times are automatically recorded by the servers. This data is processed exclusively for security purposes, technical diagnostics and aggregate traffic analysis. They are not associated with identified individuals.

Legal basis: legitimate interest of the Owner (Art. 6, par. 1, lett. f GDPR).

2.2 Contact form

Through the contact form, name, email address and the text of the message are collected. The data are used only to respond to the request received and are not kept beyond the time necessary to handle the communication.

Legal basis: Execution of pre-contractual measures or consent of the data subject (Art. 6(1)(b/a GDPR).

2.3 Newsletter subscription

Those who choose to subscribe to the newsletter provide their email address. The data is processed to send informative and promotional communications related to the Brembana Valley (events, itineraries, initiatives). The service is managed through Brief (Sendinblue SAS, France), acting as data controller. The data are stored on servers located in the European Union.

Legal basis: data subject's consent (art. 6, par. 1, lett. a GDPR), revocable at any time via the unsubscribe link in each email.

2.4 AI Chatbot

The portal provides an artificial intelligence-based virtual assistant to guide visitors in discovering the area. Typed questions are transmitted to a processing server and processed via third-party APIs (OpenAI). Messages are not associated with the user's identity and are not stored in named form. It is recommended not to enter sensitive personal data into the chatbot.

Legal basis: Legitimate interest of the Controller/expressed consent during use (Art. 6(1)(f/a GDPR).

3. Statistical analysis of the site

The site uses Google Analytics (Google LLC) to collect anonymous and aggregated data on portal usage patterns (pages visited, session duration, approximate geographic origin). Tracking is done only with the user's explicit consent via the cookie banner. Google Analytics is configured with IP address anonymization. For more information: policies.google.com/privacy.

4. Data Retention.

Personal data are kept for the time strictly necessary for the purposes for which they were collected:

  • Navigation technical data: maximum 12 months.
  • Contact form: until the closing of the application, but no later than 24 months.
  • Newsletter: Until consent is revoked by the member.
  • Chatbot interactions: current session; no named retention beyond the session.

5. Sharing with third parties

Personal data are not sold or given to third parties for commercial purposes. They may be disclosed only to the following parties, to the extent necessary for the provision of services:

  • Brief (Sendinblue SAS, France) - newsletter management
  • Google LLC - statistical analysis (Google Analytics)
  • OpenAI LLC - processing requests to the chatbot
  • Netsons Ltd. - portal technical infrastructure management

Where applicable, the transfer of data to non-EU countries is done on the basis of Standard Contractual Clauses approved by the European Commission, or other guarantee mechanisms provided by the GDPR.

6. Rights of the data subject

According to the Regulation (EU) 2016/679 (GDPR), every user has the right to:

  • Access their personal data (art. 15);
  • Obtain correction of inaccurate data (Art. 16);
  • Request deletion of data “right to be forgotten” (Art. 17);
  • Request restriction of processing (Art. 18);
  • Request data portability (Art. 20);
  • object to the processing (art. 21);
  • revoke consent at any time, without prejudice to the licentiousness of the processing based on the previously given consent.

Requests can be sent to the Holder at the address given in Section 1. The Holder responds within 30 days of receipt. In the event of an unsatisfactory response, a complaint may be submitted to the Data Protection Authority (garanteprivacy.co.uk).

7. Cookie Policy

7.1 What are cookies

Cookies are small text files that websites save to the user's browser as the user browses. They allow the site to remember user preferences, analyze browsing behavior and, in the case of third-party cookies, track activity on multiple sites.

7.2 Types of cookies used

Technical cookies (strictly necessary)
Essential for the operation of the site. Do not require consent. They include session management cookies, consent preferences, and site security.

Analytical cookies (with consent)
They allow us to measure the performance of the site and understand how users use it. They are activated only after explicit consent. The portal uses Google Analytics with IP anonymization.

Third-party cookies (with consent)
The site may include embedded content from external services (e.g. Google Maps, YouTube). These services may set their own cookies and are activated only after explicit consent.

List of cookies used on the site
The list of cookies is available below:

7.3 Consent management

The first time the site is accessed, a banner is shown that allows the user to choose which categories of cookies to accept. Consent is optional for all non-technical categories. You can change your preferences at any time via the link Cookie management available in the footer of the site.

The consent management system is implemented with CookieYes, a tool that complies with the GDPR and the Privacy Guarantor's Guidelines (order of June 10, 2021).

7.4 How to disable cookies

In addition to management via the banner, you can disable cookies directly from your browser settings. Disabling technical cookies may affect the proper functioning of the site.

8. Data security

The portal takes appropriate technical and organizational measures to protect personal data from unauthorized access, loss, destruction, or accidental disclosure. Among the measures taken: encrypted connection (HTTPS / SSL), application firewall (WAF), protection against brute-force attacks.

9. Updates to this policy

The Owner reserves the right to update this policy in the event of changes in regulations, technology, or in the services offered. The updated version will always be available at this URL. In case of substantial changes, registered users (newsletter subscribers) will be notified accordingly.

Last revision: March 10, 2026