Privacy Policy

Information on the processing of personal data pursuant to Art. 13 of Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Personal Data Protection Code)

1. Data Controller

The Data Controller for personal data collected through the website borgoitaliani.it (hereinafter, the "Website") is:

The Data Controller
E-mail: [email protected]

2. Types of data collected

The Website is an informational tourism portal dedicated to Italian borghi (small towns). It does not require registration, does not have restricted areas, contact forms, or e-commerce features.

The data processed are exclusively:

• Browsing data (server logs): IP address, date and time of the request, URL visited, HTTP method, response code, browser user-agent, operating system, referrer. These data are automatically collected by the web server during browsing.
• Technical data transmitted to third parties: when viewing interactive maps, the user's browser establishes a direct connection with OpenStreetMap servers to load map tiles (see section 7).

The Website does not use profiling cookies, analytics tools, newsletters, nor does it collect personal data through forms.

3. Purposes of data processing

Browsing data are processed for the following purposes:

• Ensuring the proper technical functioning of the Website
• Monitoring security and preventing abuse (cyber attacks, unauthorized access)
• Producing aggregate and anonymous statistics on Website usage

4. Legal basis for processing

The processing of browsing data is based on the legitimate interest of the Data Controller (Art. 6, par. 1, letter f) of the GDPR) to ensure the security, stability, and proper functioning of the Website's technical infrastructure.

5. Data processors — Cloudflare

The Website uses the services of Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) as a data processor pursuant to Art. 28 of the GDPR, for the following functionalities:

• CDN (Content Delivery Network) for content distribution
• DNS management
• Protection against DDoS attacks and malicious bots

Cloudflare may process technical browsing data (IP address, HTTP headers) in the course of providing its services. Cloudflare adheres to the EU-US Data Privacy Framework and the Standard Contractual Clauses (SCC) approved by the European Commission for data transfers to the United States.

Cloudflare privacy policy: cloudflare.com/privacypolicy

6. Extra-EU data transfers

Browsing data may be transferred to the United States through Cloudflare. Such transfers are carried out on the basis of the adequate safeguards provided for in Art. 46 of the GDPR, specifically:

• European Commission adequacy decision regarding the EU-US Data Privacy Framework (10 July 2023)
• Standard Contractual Clauses (SCC) approved by the European Commission

7. Maps — OpenStreetMap

Some pages of the Website include interactive maps built with the Leaflet library, which loads map tiles from the servers of the OpenStreetMap Foundation (OSMF).

When a user views a map, the browser establishes a direct connection with OpenStreetMap servers (tile.openstreetmap.org), transmitting the user's IP address. Map loading occurs only on request (lazy loading) and not automatically when the page is opened.

OSMF privacy policy: wiki.osmfoundation.org/wiki/Privacy_Policy

8. Web fonts

The Website uses web fonts (Playfair Display and Source Sans 3) hosted directly on its own server (self-hosted). No connections are made to Google Fonts or other external services for font loading.

9. Data retention period

Server logs containing browsing data are retained for a maximum period of 90 days from the date of collection, after which they are automatically deleted. Any aggregate and anonymous statistics may be retained without time limits.

10. Data subject rights

In accordance with Articles 15-22 of the GDPR, the user has the right to:

• Access (Art. 15): obtain confirmation of the existence of processing and access their personal data
• Rectification (Art. 16): obtain the correction of inaccurate data or the completion of incomplete data
• Erasure (Art. 17): obtain the deletion of their personal data, where the conditions provided for are met
• Restriction (Art. 18): obtain the restriction of processing in the cases provided for by law
• Portability (Art. 20): receive their data in a structured, commonly used, and machine-readable format
• Objection (Art. 21): object to processing based on the legitimate interest of the Data Controller

To exercise these rights, you may send a request to the e-mail address: [email protected]

11. Right to lodge a complaint

The user has the right to lodge a complaint with the competent supervisory authority. In Italy, the authority is the:

Garante per la protezione dei dati personali
Piazza Venezia 11 — 00187 Roma
www.garanteprivacy.it
E-mail: [email protected]
PEC: [email protected]

12. Changes to this privacy policy

The Data Controller reserves the right to make changes to this privacy policy at any time. Any changes will be published on this page with an indication of the date of last update.

Last updated: 3 April 2026