Last updated: maggio 2026

Privacy Policy

Information on the processing of personal data pursuant to EU Regulation 2016/679 (GDPR) and applicable Italian data protection legislation.

1. Data Controller and contact details

The Data Controller, pursuant to Art. 4(7) GDPR, is:

MAIA Parking LLC

Registered office: Albuquerque, New Mexico, USA

Operational address: Viale Daijiro Kato, 4 – Santa Monica-Cella, Misano Adriatico (RN), Italy

For any matter relating to the processing of personal data, data subjects may contact the Controller exclusively via:

— WhatsApp message to: +39 329 757 6862

— Contact form available at parcheggiosantamonica.it

The Controller has not appointed a Data Protection Officer (DPO) pursuant to Art. 37 GDPR, as the conditions of Art. 37(1)(a)(b)(c) GDPR are not met. Requests regarding the exercise of rights under Arts. 15–22 GDPR must therefore be addressed directly to the Controller through the contact channels indicated above.

2. Legal basis and scope of application

This Privacy Policy is drafted in conformity with: EU Regulation 2016/679 (GDPR) and all related delegated and implementing acts; Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018; guidelines, recommendations and opinions of the Italian Data Protection Authority (Garante) and the European Data Protection Board (EDPB).

This Policy applies to all personal data processing carried out by the Controller in connection with: website navigation; the online booking form; WhatsApp communications for Service management; newsletter subscription; use of the parking Service. It does not apply to processing by autonomous third parties such as Meta Platforms Inc.

3. Categories of personal data processed

The Controller collects and processes the following categories of personal data, strictly limited to what is necessary for the purposes described in Section 4:

Booking form data: first and last name, phone number, vehicle type and model, number of vehicles, selected event, requested parking days, optional covered garage request, optional notes, navigation language.Newsletter data: email address, language preference.WhatsApp communication data: content of messages exchanged via WhatsApp (owned by Meta Platforms Inc.) for booking management. Once transmitted via WhatsApp, such data is subject to Meta Platforms Inc.'s own data management policies as an autonomous controller. Please review WhatsApp's legal terms at whatsapp.com/legal.Technical navigation data: the Controller collects only strictly necessary technical data for website operation (session cookies for language management). No identifying IP addresses or behavioural tracking data are collected.

The Controller does not collect or process special categories of data (Art. 9 GDPR) or data relating to criminal convictions (Art. 10 GDPR). The Controller does not carry out automated decision-making or profiling with legal or similarly significant effects (Art. 22 GDPR).

4. Purposes, legal bases and mandatory/optional nature of data provision

Purpose A — Booking management: data from the booking form are processed to receive, evaluate and confirm bookings, manage WhatsApp communications, and provide the Service. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Provision of data is necessary; without it, the Service cannot be provided.Purpose B — WhatsApp communications: phone number and message content processed for operational communications regarding bookings (confirmation, price, directions, changes, cancellations). Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Provision of phone number is necessary.Purpose C — Newsletter: email address and language preference processed to send informational communications about events and Service availability. Legal basis: consent (Art. 6(1)(a) GDPR). Provision is entirely voluntary. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.Purpose D — Legal obligations: personal data processed to the extent necessary to comply with applicable legal, fiscal, accounting and regulatory obligations. Legal basis: legal obligation (Art. 6(1)(c) GDPR).Purpose E — Establishment, exercise or defence of legal claims: data processed to the strictly necessary extent for the Controller's establishment, exercise or defence of rights in judicial, arbitral or administrative proceedings. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

5. Processing methods and security measures

Personal data is processed by electronic and IT means, and where necessary by paper means, strictly in connection with the purposes described. The Controller implements appropriate technical and organisational security measures pursuant to Art. 32 GDPR, including pseudonymisation and encryption where feasible, measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, procedures to restore availability and access to data in the event of a physical or technical incident, and regular testing and evaluation of the effectiveness of measures adopted.

Processing is carried out exclusively by authorised Controller personnel or by parties designated as data processors pursuant to Art. 28 GDPR, bound by confidentiality obligations.

6. Data processors and other data recipients

To provide the Service and pursue the purposes described, the Controller uses the following third-party providers acting as data processors pursuant to Art. 28 GDPR:

Supabase Inc. (San Francisco, California, USA): cloud PostgreSQL database provider for storage of booking data and newsletter email addresses. Data may be stored on servers outside the EU/EEA; transfers are made with safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses).Resend Inc. (San Francisco, California, USA): transactional email delivery provider for automated service communications. Data may be stored outside the EU/EEA; transfers made with Art. 46 GDPR safeguards.Meta Platforms Inc. (Menlo Park, California, USA): operator of WhatsApp, through which booking-related messages are transmitted. Meta Platforms Inc. acts as autonomous data controller for WhatsApp communications, subject to its own privacy policies at whatsapp.com/legal.

Personal data is not sold, transferred or shared with third parties for commercial, marketing, profiling or any other purpose unrelated to the Service. Data may be communicated to competent public authorities only where required by law.

7. International data transfers

As indicated in Section 6, some processors (Supabase Inc. and Resend Inc.) are based in the USA and may store data on servers outside the EU/EEA. Transfers occur exclusively: (a) on the basis of an adequacy decision by the European Commission (Art. 45 GDPR); or (b) with adequate safeguards pursuant to Art. 46 GDPR, including Standard Contractual Clauses (SCC) adopted by the Commission Decision of 4 June 2021 (2021/914/EU).

Data subjects may obtain a copy of the adequate safeguards adopted by the Controller for third-country transfers by submitting a request via the contact channels in Section 1.

8. Data retention periods

Personal data is retained for the minimum period necessary to achieve the purposes for which it was collected, in compliance with the storage limitation principle (Art. 5(1)(e) GDPR).

Booking data: retained for the current event season and twelve (12) months after its conclusion, then permanently deleted or anonymised, unless longer retention is required by law or for legal claims.Newsletter data (email, language): retained until consent is withdrawn. In case of no newsletter engagement for more than 24 consecutive months, the Controller may delete the address at its own initiative.WhatsApp communication data: retained for the time necessary to manage the Service, and no longer than twelve (12) months after the reference season. Also subject to Meta Platforms Inc. retention policies.Data retained for legal obligations: retained for the period established by applicable law.

Upon expiry of retention periods, data is securely and permanently deleted or irreversibly anonymised.

9. Cookies and tracking technologies

The website uses only strictly necessary technical cookies for correct site operation. Specifically:

Session cookies: to maintain active browsing sessions and remember language preferences. These expire at browser closure.Functional technical cookies: necessary for specific website features (e.g. booking form). Contain no personally identifying information.

The Controller does not use profiling cookies, behavioural tracking cookies, marketing cookies, third-party advertising cookies, beacons, tracking pixels, fingerprinting or any other tracking technology. No third-party social network plugins or widgets are integrated into the website. No user consent is required for strictly necessary technical cookies.

10. Data subject rights

As a data subject, pursuant to Arts. 15–22 GDPR, you have the right to:

Access (Art. 15 GDPR): obtain confirmation of whether your personal data is being processed and, if so, access to such data and information including processing purposes, data categories, recipients, retention period, source of data and the existence of automated decision-making.Rectification (Art. 16 GDPR): obtain without undue delay the rectification of inaccurate or incomplete personal data concerning you.Erasure ("right to be forgotten") (Art. 17 GDPR): obtain without undue delay the erasure of your personal data where it is no longer necessary for the purposes for which it was collected, where consent is withdrawn, where processing is unlawful, or where erasure is required by law, unless processing is necessary for legal compliance or legal claims.Restriction of processing (Art. 18 GDPR): obtain restriction of processing where the accuracy of data is contested, processing is unlawful, data is no longer needed but required for legal claims, or you have objected to processing pending verification.Data portability (Art. 20 GDPR): receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.Objection (Art. 21 GDPR): object at any time to processing based on the Controller's legitimate interest, unless the Controller demonstrates compelling legitimate grounds overriding your interests.Withdrawal of consent (Art. 7(3) GDPR): withdraw consent at any time without affecting the lawfulness of prior processing.Not to be subject to automated decision-making (Art. 22 GDPR): not to be subject to a decision based solely on automated processing, including profiling.Lodge a complaint (Art. 77 GDPR): lodge a complaint with the competent supervisory authority. In Italy: Garante per la protezione dei dati personali — Piazza Venezia 11, 00187 Roma; phone +39 06 696771; email garante@gpdp.it; website www.garanteprivacy.it.

To exercise any of the above rights, please send a written request to the Controller via WhatsApp at +39 329 757 6862 or via the website contact form. The Controller will respond without undue delay and in any event within one month of receipt, extendable by a further two months in cases of particular complexity.

11. Personal data breaches

In the event of a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data (Art. 4(12) GDPR), the Controller will:

Notify the supervisory authority: notify the Italian Data Protection Authority without undue delay and where feasible within 72 hours of becoming aware, pursuant to Art. 33 GDPR, where the breach is likely to result in a risk to individuals' rights and freedoms.Communicate to data subjects: where the breach is likely to result in a high risk to individuals, communicate the breach to data subjects without undue delay, pursuant to Art. 34 GDPR.Document the breach: document all breaches, including circumstances, consequences and remedial measures, pursuant to Art. 33(5) GDPR.

12. Minors

The Controller's website and parking Service are not intended for persons under 18 years of age. The Controller does not knowingly collect personal data from persons under 18. If the Controller discovers that data from minors has been provided, it will delete such data as soon as technically possible.

13. Data protection principles

The Controller processes personal data in compliance with Art. 5(1) GDPR principles:

Lawfulness, fairness and transparency: data is processed lawfully, fairly and transparently.Purpose limitation: data is collected for specified, explicit and legitimate purposes and not further processed incompatibly.Data minimisation: data is adequate, relevant and limited to what is necessary.Accuracy: data is kept accurate and up to date.Storage limitation: data is retained no longer than necessary.Integrity and confidentiality: data is processed with appropriate security.Accountability: the Controller is responsible for and able to demonstrate compliance.

14. Amendments to this Policy

The Controller reserves the right to amend this Privacy Policy at any time. Amendments will be published on the website with an updated date. Data subjects are advised to periodically review this Policy. Continued use of the website or Service after publication constitutes acceptance of the updated Policy.

15. Applicable law

This Privacy Policy is drafted in compliance with EU Regulation 2016/679 (GDPR) and applicable Italian data protection legislation. The competent supervisory authority for Italy is the Garante per la protezione dei dati personali (www.garanteprivacy.it).