Privacy Policy

Last updated: 2026-04-22

This notice describes how we process personal data collected through this site, pursuant to art. 13 of EU Regulation 2016/679 (GDPR).

Agenzia di viaggi online Sand Agency
Legal name: SAND Srl
Tax code / VAT: 03401690981
Share capital: € 50.000
Registered office: Via Branze, Brescia (BS) — Italia
R.E.A.: BS-531051
SCIA: 0001835/1410/01/2014
Protocollo generale settore turismo — Provincia di Brescia
Insurance: NOBIS Compagnia di Assicurazioni SPA — Pol. 1505002533/V
Privacy contact: privacy@sandagency.it

1. Data controller

The data controller of personal data is the company identified in the box above.

2. Data collected

We collect the following categories of personal data:

  • Navigation data (IP address, browser, operating system, pages visited) automatically collected by server logs.
  • First name, last name, email, phone number and message voluntarily provided via the contact form.
  • Personal data, address, tax code, ID document and travel information supplied to complete a booking.
  • Payment data (card number, CVV, expiry) are processed directly by our provider Stripe and are never stored on our servers.
  • Anonymous browsing statistics collected via Google Analytics 4, only with your consent.

3. Purposes and legal bases

We process your personal data for the following purposes:

  • Performance of the travel contract: booking, payment, delivery of the service requested (GDPR art. 6.1.b).
  • Legal obligations in tax, accounting and tourism matters, including records required by the provincial SCIA filing (GDPR art. 6.1.c).
  • Sending of promotional communications and newsletters, only with your explicit consent (GDPR art. 6.1.a).
  • Site improvement via aggregated browsing statistics, only with consent (GDPR art. 6.1.a).

4. Retention period

We retain data only for as long as necessary for the purposes it was collected for: booking data for 10 years (tax obligations), contact data for 24 months from the last interaction, analytics data up to a maximum of 26 months.

5. Data sharing with third parties

Data may be shared with the following recipients, appointed as Data Processors pursuant to GDPR art. 28:

  • Hosting and cloud infrastructure provider (Vercel Inc., USA).
  • Payment processor (Stripe Payments Europe Ltd., Ireland).
  • Google Ireland Limited (Google Analytics 4), only with consent.
  • Transactional email provider (SMTP).

6. Transfers outside the EU

Some of our providers (e.g. Vercel, Google) may process data in non-EU countries, notably the United States. In those cases transfers are governed by the Standard Contractual Clauses approved by the European Commission and, for Google and other adherents, by the EU-US Data Privacy Framework.

7. Your rights

As a data subject you have the right to:

  • Access: obtain confirmation of data concerning you and receive a copy.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure (right to be forgotten): request deletion of your data when no longer needed.
  • Restriction: request restriction of processing in specific cases.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object at any time to processing for marketing purposes.
  • Complaint: lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

8. How to exercise your rights

To exercise your rights write to privacy@sandagency.it. We will reply within 30 days.

9. Changes to this notice

We reserve the right to update this notice. Changes will be published on this page with the 'last updated' date highlighted.