Sonitus Turismo

Privacy Policy

Last updated: March 2, 2025

Sonitus in Rome (hereinafter “we”, “us” or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal information when you use our website sonitusturismo.it to book and purchase our Colosseum tour services. It also outlines your rights under the EU General Data Protection Regulation (GDPR) and how you can exercise them.

By using our website and services, you agree to the collection and use of information in accordance with this Privacy Policy.

Data Controller and Contact Information

The data controller responsible for your personal data is:

Sonitus in Rome
Legal Address: Via di S. Giovanni in Laterano, 53A, 00184 Rome, Italy
Email: info@sonitusturismo.com

If you have any questions about this Privacy Policy or how we handle your data, you can contact us at the email address above.

Personal Data We Collect

When you use our site to book a tour (without needing to register an account), we may collect the following personal data from you:

  • Identity and Contact Information: Your name, surname, email address, and phone number (if provided) – used to identify you and communicate about your booking.
  • Booking Details: Information related to your tour booking, such as the tour date, number of participants, and any preferences or notes you provide.
  • Payment Information: To process payments, you will need to provide payment card details. We do not see or store your full card information on our servers – this is handled securely by our payment provider (Stripe). We may retain basic transaction details (e.g. payment confirmation ID, last four digits of card, transaction amount and date) for record-keeping.
  • Technical Information: When you visit our site, certain technical data may be collected automatically by our system or third-party services, such as your IP address, browser type, device information, and cookies (see Cookies section below). This information is collected to ensure the website functions correctly, for security, and to improve user experience. We do not use this data to identify you for marketing purposes.

We do not intentionally collect any sensitive personal data (such as health information or political/religious beliefs) through our site. We ask that you do not provide such information when booking our tours. Our services are intended for adults, and we do not knowingly collect personal data from children under 16 without parental consent.

How We Use Your Personal Data (Purposes and Legal Bases)

We only collect and use your personal data for specific and legitimate purposes. In particular, we use the data you provide for:

  • Providing Our Tour Services: We use your personal and booking information to process and manage your tour reservations, issue your tickets/vouchers, and ensure you receive the service you requested. Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR) – your data is necessary for us to fulfill the tour booking you have requested.
  • Payment Processing: We use the payment information you provide to charge for the booked tours through our third-party payment processor, Stripe. This includes transmitting your card details securely to Stripe and receiving confirmation of payment. Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR) – processing your payment is necessary to complete your purchase.
  • Communication: We use your contact details (email and/or phone) to send you booking confirmations, receipts, and important updates regarding your tour (for example, changes in schedule or meeting point). We may also respond to any inquiries or support requests you send us. Legal Basis: Performance of a contract – these communications are part of delivering our service to you.
  • Legal Obligations: We may process and retain some personal data to comply with legal requirements. For example, we keep transaction records for accounting, tax, and administrative purposes, and we may need to disclose information if required by law or authorities (such as for tax audits or public safety). Legal Basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR).
  • Site Functionality and Security: We use cookies and technical data to maintain the functionality and security of our website (e.g., to keep your booking session active, prevent fraudulent activity, and protect against security threats). Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) – ensuring the proper functioning and security of our site. These interests do not override your rights and freedoms.

No Marketing Use: We do not use your personal data for marketing or promotional purposes. You will not receive newsletters, advertising, or unsolicited emails from us, unless you separately request such information. We do not sell, rent, or share your data with third parties for marketing.

We will only use your personal data for the purposes described above. If we need to use it for any other purpose, we will inform you and, if required, obtain your consent or ensure another valid legal basis under GDPR.

Third-Party Services and Data Sharing

To provide our services and process your transactions, we rely on trusted third-party service providers. We only share personal data with these parties to the extent necessary for the operations of our services, and each third party has committed to GDPR compliance and protecting your data. The main third-party services we use are:

  • Stripe (Payment Processor): We use Stripe to handle secure online payment transactions. When you make a payment on our site, your payment details (such as credit card number, expiration date, CVV) are transmitted directly to Stripe. Sonitus in Rome does not store or have access to your full payment card details. Stripe processes your payment information securely in accordance with strict financial industry standards (PCI-DSS). Stripe may receive personal data such as your name, email, billing address, and payment amount to process the transaction and for fraud prevention. Stripe acts as a data processor on our behalf for payment processing. For more information on how Stripe handles your data, you can refer to Stripe’s Privacy Policy.

  • WP Booking (Booking Management Plugin): We use the WP Booking plugin on our WordPress website to manage tour bookings and purchases. When you fill out the booking form on our site, the information you provide (personal details and booking info) is stored in our website’s secure database through this plugin. WP Booking is a tool we use internally and does not transmit your booking data to any external servers or to the plugin developer. It simply helps us organize your reservation and purchase details. We (Sonitus in Rome) remain the sole party controlling that data. The data collected via WP Booking is used only for managing your purchase and booking.

We do not share your personal information with any other third parties except in the following situations:

  • Service Providers and Partners: Besides Stripe and WP Booking, we might share data with other service providers strictly for business operations (for example, an IT hosting provider for our website, or professional advisors like accountants if necessary). In all cases, these parties are bound by confidentiality and data protection obligations and will only use the data to perform services on our behalf.
  • Legal Requirements: If we are under a duty to disclose or share your information in order to comply with a legal obligation, regulation, court order, or governmental request, we may do so. We may also disclose information to enforce our terms of service or to protect the rights, property, or safety of our business, our customers, or others, in accordance with applicable laws.

Importantly, we will never sell or rent your personal data to third parties. Any data sharing is solely for the purposes of providing our service to you or complying with the law, as outlined above.

Cookies and Similar Technologies

Our website uses cookies and similar technologies to ensure it functions properly and to provide a smooth booking experience. Cookies are small text files placed on your device that help us recognize you and remember your preferences. In using our site, you may encounter the following types of cookies:

  • Essential Cookies: These cookies are necessary for the operation of our website and the booking service. For example, they enable you to navigate through the booking process, remember the items in your tour cart, and keep you logged in to your booking session. Without these cookies, the booking functionality of the site would not work correctly.
  • Functional Cookies: We may use cookies to remember certain choices you make on our site (such as language preferences or information you’ve entered on forms) to provide enhanced and personalized features. These cookies ensure that you have a convenient experience (for instance, retaining your entered details during the booking process).
  • Security and Payment Cookies: When processing payments, Stripe may use cookies or similar technologies on our site to help detect and prevent fraudulent activities and ensure the transaction is secure. These third-party cookies are integral to the payment process (for example, Stripe might set cookies to remember your device or other indicators for fraud prevention). Such cookies are considered necessary for security and payment functionality.

We do not use analytic cookies (e.g., Google Analytics) or advertising/tracking cookies on our website. This means we are not tracking your behavior for marketing purposes or providing data to advertising networks through cookies.

Cookie Consent: Because we only use cookies that are necessary for providing our service or for security, we may not require explicit consent for those. By using our site and its features (such as booking a tour or making a payment), you implicitly agree to the use of essential and functional cookies as described. If we ever introduce cookies that require consent, we will inform you and request consent via a cookie banner or similar mechanism.

Managing Cookies: You have the ability to control and manage cookies through your browser settings. Most web browsers allow you to refuse new cookies, delete existing cookies, or alert you when new cookies are being sent to your device. Please note that if you disable or delete cookies, some features of our site (especially the booking and payment functions) may not work properly. For example, disabling cookies could prevent you from completing a tour purchase on our site.

For more information on cookies and how to manage them, you can visit resources like AllAboutCookies or your browser’s help documentation.

Data Security

We take data security very seriously and implement appropriate technical and organizational measures to protect your personal information from unauthorized access, loss, alteration, or disclosure. These measures include:

  • Secure Website Connection: Our website is secured via SSL/TLS encryption. This means that all data transmitted between your browser and our site (including personal details and payment information) is encrypted in transit, making it difficult for anyone to intercept or read. You can verify this by the padlock icon in your browser’s address bar and the “https://” in our URL.
  • Payment Security with Stripe: All online payments are processed through Stripe, which is a PCI-DSS Level 1 certified payment provider (the highest level of payment data security standard). Your card information is handled exclusively by Stripe on their secure servers. Stripe uses encryption and tokenization to protect your card data. We never receive or store your full credit card number or security code on our systems.
  • Secure Data Storage: Personal data collected through our site (e.g., booking details) is stored in secure hosting environments. We use reputable hosting services with robust security practices (firewalls, intrusion prevention, regular backups) to safeguard the database that holds your information. Access to this data is restricted to authorized personnel who need it to perform their job (for example, our booking managers or administrators), and they are bound by confidentiality obligations.
  • Monitoring and Updates: We regularly update our website platform (including the WP Booking plugin and other relevant software) to address security vulnerabilities. We also monitor our systems for possible attacks or breaches, and have procedures in place to detect and respond to suspicious activities.
  • Confidentiality: All staff and any third-party service providers who handle personal data are required to treat it confidentially and in compliance with data protection regulations. We ensure that any service providers we use are also taking appropriate security measures.

While we strive to protect your data with high standards, it’s important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. However, we continuously work to improve our security measures to keep your personal data safe.

If you have reason to believe that your interaction with us or your data might no longer be secure (for example, if you suspect a security breach), please immediately notify us at info@sonitusturismo.com so we can investigate and resolve the issue.

Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including to provide you with the requested services and to comply with legal and accounting obligations or resolve disputes. Specifically:

  • Booking and Contact Information: Information such as your name, contact details, and tour booking details will be retained for as long as needed to manage your reservation and deliver the tour service. After your tour is completed, we may retain this information for a certain period in our records. This allows us to handle any post-tour inquiries or issues and to maintain accurate financial and service records.
  • Transaction Records: We are required by law to keep records of financial transactions. Therefore, data related to purchases (such as invoices, payment records, amounts, and dates) will be retained for the period required by applicable law. In Italy, for example, financial and accounting records are generally kept for 10 years. This means your booking and payment information may be kept for up to 10 years in our archives to satisfy tax, audit, and other legal requirements.
  • Correspondence: If you contact us via email or other means, we may retain that correspondence (including your email address and communications) as long as necessary to address your inquiry and keep a record of our communication, in line with our legitimate interests and any legal requirements.

After the applicable retention period ends, or once we no longer need your personal data for the purposes we collected it, we will either securely delete or anonymize the data. Anonymizing data means modifying it so that it can no longer be associated with you personally.

Please note that in some cases we may be unable to fully delete data if it is stored in backup archives or required for legal reasons. However, in those cases, we will ensure the data is not actively processed anymore and is kept securely until deletion is possible.

International Data Transfers

We primarily store and process personal data within the European Union. Our business is based in Italy, and our website servers are generally located in the EU. However, some of our third-party service providers may process data in other countries. In particular:

  • Stripe: Stripe is a global payment provider with servers and operations in multiple countries, including outside the European Economic Area (EEA) (for example, the United States). When you make a payment, your data may be transferred to or accessed from these non-EU jurisdictions. Stripe participates in and complies with frameworks and safeguards for international data transfers. They utilize Standard Contractual Clauses (SCCs) and other legally recognized mechanisms to ensure that European data protection standards travel with the data.
  • Other Service Locations: If any of our other service providers or partners (e.g., email service, hosting provider) are located outside the EEA, we will ensure that any transfer of personal data to those providers is protected by appropriate safeguards as required by GDPR. These safeguards may include an adequacy decision by the European Commission for the destination country, SCCs in contracts, or other certification schemes.

By using our services and providing your information, you acknowledge that your personal data may be transferred to, and stored or processed in, countries outside your country of residence. In all such cases, we will take all necessary steps to ensure that adequate protection is in place for your data, and that any international transfer complies with applicable privacy laws.

If you would like more information about international data transfers or the specific safeguards we employ, please contact us at info@sonitusturismo.com.

Your Rights Under GDPR

As a user of our website and services, and as a data subject under the GDPR, you have various rights regarding your personal data. We respect and uphold these rights. You may exercise the following rights at any time:

  • Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to access that data. We will provide you with a copy of your personal data we hold, along with information on how it’s being used, subject to any legal restrictions.
  • Right to Rectification: If any of the personal data we have about you is incorrect or incomplete, you have the right to request that we correct or update it. We encourage you to contact us to keep your information accurate and current.
  • Right to Erasure: You have the right to request the deletion of your personal data (“right to be forgotten”) in certain circumstances. For example, if the data is no longer needed for the purposes it was collected, or if you withdraw consent (where consent is the legal basis) and no other legal basis for processing applies. We will honor valid requests for erasure, provided we do not have an overriding legal obligation to retain the data (e.g. retaining transaction records for tax purposes).
  • Right to Restrict Processing: You can ask us to suspend or limit the processing of your personal data in certain cases, for instance if you contest the accuracy of the data or object to our processing. We will review your request and inform you before lifting the restriction.
  • Right to Data Portability: For data that you have provided to us and that we process by automated means based on your consent or on a contract with you, you have the right to request a copy in a structured, commonly used, machine-readable format (for example, CSV file), and you have the right to have that data transmitted to another controller where technically feasible. In practice, this right may apply to the basic data you provided for booking (since processing is based on contract).
  • Right to Object: You have the right to object to our processing of your personal data when such processing is based on our legitimate interests. You also have the right to object at any time if we were to use your data for direct marketing (however, as noted, we do not process your data for marketing purposes). If you raise an objection, we will consider it and stop or adjust processing unless we have compelling legitimate grounds to continue or the processing is needed for legal claims.
  • Right to Withdraw Consent: In cases where we rely on your consent for any processing of personal data (for example, if we ever requested consent for optional cookies or similar), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal. (Note: for most of our processing, we rely on contract or legal obligations, not consent, so this right may not be frequently applicable in our context.)
  • Right to Lodge a Complaint: If you believe that we have not complied with data protection laws in the way we have processed your personal data, you have the right to lodge a complaint with a supervisory authority. You may do this in the EU member state where you reside, where you work, or where the alleged infringement occurred. In Italy, the supervisory authority is the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority).

Exercising Your Rights: You can exercise any of your rights by contacting us via email at info@sonitusturismo.com. Please specify which right you wish to exercise and provide information to verify your identity (we may need to request certain details to confirm you are the person associated with the data, to protect your privacy). We will respond to your request as soon as possible, and in any case within the timeframes required by law (generally within 1 month, extendable by up to 2 further months if necessary, depending on complexity). There is no fee for exercising your rights unless the requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request with an explanation.

No Marketing or Profiling

We want to reassure you that we do not use your data for marketing, nor do we engage in automated decision-making or profiling of individuals using their personal data. We will not send you promotional communications unless you explicitly ask us to (for example, if you were to sign up for a newsletter, which is not part of our standard tour booking process). Additionally, we do not use any systems that make decisions about you solely by automated means without human involvement. All processing of your data is related to providing you with the service you requested (tour bookings and payments) or meeting legal obligations, as described in this Policy.

Updates to this Privacy Policy

We may update or modify this Privacy Policy from time to time, for example to reflect changes in our practices, services, or legal requirements. When we make changes, we will post the updated Privacy Policy on this page and update the “Last updated” date at the top. If the changes are significant, we may also notify you by email or by a notice on our website’s homepage.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of our website and services after any modifications to this Policy will constitute your acknowledgment of the changes and agreement to be bound by the updated terms.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please feel free to contact us:

Sonitus in Rome
Email: info@sonitusturismo.com
Address: Via di S. Giovanni in Laterano, 53A, 00184 Rome, Italy

We will be happy to assist you and address any issues related to your privacy and data protection. Your privacy is important to us, and we commit to resolving any concerns to the best of our abilities.

Thank you for trusting Sonitus in Rome with your tour experience. We are dedicated to keeping your personal information safe and ensuring transparency in how we handle your data. Enjoy your visit to Rome and the Colosseum with peace of mind regarding your privacy!