Privacy notice
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR).
1. Data controller
The controller of your personal data is Escursioni La Torre SRL, with registered office at Via Giosuè Carducci 43, 73040 Morciano di Leuca — VAT no. 03861260754.
- Email: braceriautopia@gmail.com
- Certified email (PEC): latorre.sas@legalmail.it
2. Data we collect
- Table booking (/prenota): name, phone, email (optional), party size, date, time, soul of the venue, notes.
- Takeaway order (/asporto): name, phone, email (optional), items ordered, pickup time, notes.
- Private event inquiry (/spazi-eventi): name, phone, email (optional), event date, party size, occasion, message.
- Optional account: email, hashed password, name, phone, language preference.
- Live chat: messages exchanged with staff.
- Bug report: description of the issue and logged-in account details.
When you browse the site we automatically collect technical authentication cookies (Supabase), the IP address (in anonymised hashed form, only for security purposes) and aggregated usage data.
3. Why we process your data (legal bases)
| Purpose | Legal basis |
|---|---|
| Handling your booking/order | Performance of a contract (Art. 6.1.b GDPR) |
| Sending you confirmations and reminders via email | Performance of a contract (Art. 6.1.b GDPR) |
| Responding to inquiries | Pre-contractual measures (Art. 6.1.b GDPR) |
| Complying with tax and accounting obligations | Legal obligation (Art. 6.1.c GDPR) |
| Improving the service (anonymous analytics cookies) | Legitimate interest (Art. 6.1.f GDPR) — only if consented |
| Sending promotional communications | Consent (Art. 6.1.a GDPR) — only if given |
4. How long we keep your data
- Bookings and orders: 10 years (civil/tax obligation).
- Account: as long as it is active. You may request deletion at any time from your profile or by writing to braceriautopia@gmail.com.
- Event inquiries: 24 months from the last contact.
- Live chat: 12 months.
- Technical logs (IP hash, audit): 12 months.
- Bug reports: 24 months.
5. Who we share your data with
Your data may be processed by service providers acting as processors:
- Supabase Inc. (database, authentication) — servers in EU (eu-west-1).
- Vercel Inc. (hosting) — United States, safeguards under Arts. 44-49 GDPR.
- Brevo (Sendinblue SA) (transactional email) — France.
- Stripe Payments Europe Ltd. (online payments, when active) — Ireland.
- Google LLC (Gemini AI, only if equipment guides are enabled by admin) — USA, safeguards under Arts. 44-49 GDPR.
We do not sell your data. We do not share it with third parties for marketing purposes.
6. Your rights
At any time you can:
- Access your data (Art. 15 GDPR);
- Request rectification (Art. 16);
- Request erasure (Art. 17);
- Restrict processing (Art. 18);
- Receive your data in a structured format — portability (Art. 20);
- Object to processing based on legitimate interest (Art. 21);
- Withdraw consent at any time (Art. 7.3).
To exercise these rights write to braceriautopia@gmail.com or, if you have an account, use the "Your rights" section of your profile.
You also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or your local DPA.
7. Security
We use encrypted connections (HTTPS/TLS), hashed passwords, role-based access controls (Postgres RLS), and audit logs for every sensitive admin action. IP addresses are stored only in anonymised form (SHA-256 hash).
8. Cookies
This site only uses technical cookies necessary for operation (authentication, language preference). For details see our Cookie Policy.
9. Changes
This notice may be updated. The date of the last update is shown at the bottom of the page.