How we handle your data.
This page explains what personal data we collect when you register for the AI Tourism Playbook, why we collect it, where it lives, and what control you have over it. Plain language, no padding. If something here is unclear, write to us.
1 · Who we areThe data controller
The AI Tourism Playbook is published by Mirko Lalli, an independent professional operating under the registered trademark Officina Turistica, based at Via del Tiratoio 1, 50124 Firenze, Italy, VAT IT 02526360512. We are the data controller for any personal data you provide through this site.
For any privacy-related question, write to mirko@officinaturistica.com. We aim to respond within 5 working days, and in any case within the 30 days required by the GDPR.
2 · What we collectThe data you give us
When you register on this site, we ask you for:
- Email address: required, for sign-in and to deliver each new section.
- First name and last name: to address you personally in emails.
- Role: DMO, hotel, operator, consultant, etc. Used in aggregate only, to understand who reads the playbook.
- Country: used in aggregate only, for the same reason.
- Organisation: optional. Used in aggregate only.
- Quarterly briefing opt-in: optional. A separate, granular consent for the once-per-quarter long-form update.
We do not collect anything else through forms. We do not ask for your phone number, postal address, or financial information. We do not run third-party trackers, ad pixels, or cross-site analytics.
3 · Why we collect itPurposes and legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Send you the magic-link to sign in | Performance of a service you requested (Art. 6.1.b) |
| Notify you when a new section is published | Performance of a service you requested (Art. 6.1.b) |
| Send the optional quarterly briefing | Your specific consent (Art. 6.1.a). Withdrawable at any time. |
| Aggregate readership analysis (role, country, organisation type) | Legitimate interest in understanding who the playbook reaches (Art. 6.1.f). Aggregate only, never individual. |
| Security logging (IP, request metadata, short-lived) | Legitimate interest in protecting the service (Art. 6.1.f) |
4 · Who processes your dataService providers we rely on
We use two technology providers to deliver this service. Both are bound by data processing agreements that comply with the GDPR.
- Brevo SA (formerly Sendinblue), based in France (EU). Hosts the contact list and sends the transactional and marketing emails. Brevo's privacy policy.
- Netlify Inc., based in the United States. Hosts the site, runs the registration backend, and stores short-lived request logs. Data transfers to the US rely on the EU Standard Contractual Clauses and Netlify's adherence to the EU–US Data Privacy Framework. Netlify's privacy policy.
We do not sell your data, share it with advertisers, or pass it to any party other than the providers above.
5 · How long we keep itRetention
- Registration data (email and the fields above): kept for the duration of the playbook project plus 24 months from your last interaction with our emails. After that, the contact is deleted from Brevo.
- Sign-in session cookie (
playbook_session): valid for 180 days (6 months) from issue. You can clear it at any time from your browser, or by visiting /api/auth/logout. - Magic-link tokens: valid for 24 hours from issue. After that they are unusable; no manual deletion needed.
- Server logs: kept by Netlify for short periods (typically under 30 days) per their default retention.
You can ask us to delete everything earlier. See Section 7.
6 · CookiesWhat we set on your browser
We use only the cookies strictly necessary to deliver the service. We do not use analytics, advertising, or third-party social cookies.
| Cookie | Purpose | Lifetime |
|---|---|---|
playbook_session |
Keeps you signed in across visits | 180 days (6 months) |
Because this cookie is technically necessary for the service you have actively requested (a registered-users area), Italian and EU cookie law does not require a consent banner for it. We are simply telling you it exists.
7 · Your rightsWhat you can ask us to do
Under the GDPR you can, at any time, ask us to:
- Access a copy of your personal data (Art. 15).
- Rectify any data that is incorrect or incomplete (Art. 16).
- Erase your personal data, the "right to be forgotten" (Art. 17). This unsubscribes you and removes the contact from Brevo.
- Restrict the processing of your data in specific circumstances (Art. 18).
- Export your data in a portable, machine-readable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent for the quarterly briefing at any time, without affecting the lawfulness of past processing (Art. 7.3).
To exercise any of these rights, write to mirko@officinaturistica.com. We do not require a specific form. A clear sentence is enough.
You can unsubscribe from any email we send by clicking the unsubscribe link at the bottom of every message. That removes you from the mailing list immediately. Unsubscribing also stops the magic-link delivery, so you will need to register again if you want to keep reading.
If you believe we are not handling your data correctly and we have not addressed your concern, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), garanteprivacy.it, or with the supervisory authority of your EU country of residence.
8 · International transfersData leaving the EU
Brevo processes your data inside the EU. Netlify is a US-based provider, so when you load this site or register, some data (your IP, request metadata, and your registration submission) reaches servers in the United States. This transfer is lawful under Article 46 of the GDPR via the EU Standard Contractual Clauses signed with Netlify, and under Article 45 via Netlify's certification under the EU–US Data Privacy Framework.
9 · Changes to this policyHow we update it
If we change anything material (a new processor, a new purpose, a longer retention period), we will update the date at the top of this page and notify registered readers by email before the change takes effect. Cosmetic edits (typos, clearer wording) do not trigger a notification.
10 · ContactReach a human
For any privacy question, exercise of rights, or concern, the single point of contact is:
Mirko Lalli, Officina Turistica
Via del Tiratoio 1, 50124 Firenze, Italy
VAT IT 02526360512
Email: mirko@officinaturistica.com