DATA PROTECTION AND COOKIES POLICIES

PRIVACY POLICY

 

Who is the data controller?[1]

Noleggiare s.r.l., in the person of its legal representative with registered office in via Del Brennero n.62 38123 Trento (TN), (hereinafter, «Controller»),

How can I contact them The contact details of the company are:

Telephone:

Certified email: [email protected]

Email: [email protected]

Address: via Del Brennero, 62 – 38123 Trento (TN)

Has a DPO been appointed? What are their contact details?

The company has appointed as its DPO the lawyer Antonino Polimeni, who can be contacted at the following email address: [email protected]

 

1. Introduction

According to the European Regulation on the protection of personal data (GDPR), legal persons are not considered data subjects and therefore the European regulation does not apply. However, if personal data referring to a natural person are entered in the context of the collection of corporate data, they will be considered a data subject pursuant to the aforementioned regulation with consequent applicability of the reference legislation.

2. What processing is carried out through the site? And what are the legal bases, purposes and storage times?

NEWSLETTER AND SENDING OF COMMERCIAL INFORMATION

PURPOSE

The purpose of data processing is to allow you to subscribe to the newsletter service and for sending you messages for promotional purposes (DEM).

After signing the rental agreement, your data will be exported to a CRM for sending commercial information on products similar to those being purchased.

LEGAL BASIS

After the purchase, the legal basis for registration can be found in Art. 130 para. 4 of Legislative Decree 196/2003

STORAGE TIMES

We will delete the data after 5 years from the last submission. It will always be possible to exercise the optout at any time.

MORE INFORMATION

In case of rental, the provision of data is automatic

Segmentation according to language, type of product, location of residence or rental.

Transfer of data to third parties: with explicit consent, your data will be transferred to FTH s.p.a. and Tomasi Auto s.r.l. for statistical and/or commercial purposes. FTH s.p.a. and Tomasi Auto s.r.l. are subsidiaries and/or contractually linked to Noleggiare s.r.l.

OPEN A RENTAL POINT

PURPOSE

The purpose of the data processing is to allow you to send us requests for information about the opening of one of our rental points.

LEGAL BASIS

Execution of pre-contractual measures carried out at the request of the data subject.

STORAGE TIMES

We will process the data for the time necessary to carry out the negotiation and they will subsequently be deleted after 12 months from the last email or contact. The data may be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

In the event that, as a result of the negotiations, the contract is concluded, specific information will be provided and the data will be transferred to the appropriate system.

Verification of the obsolescence of the data is carried out every 12 months.

MORE INFORMATION

The User has full freedom to release the requested data, since there is no legal obligation to provide them. However, if the User chooses not to provide data reported as essential, the Data Controller will not be able to provide the requested service.

CONTACT US

PURPOSE

The purpose of data processing is to allow you to send us requests for information about a specific product.

LEGAL BASIS

Execution of pre-contractual measures carried out at the request of the data subject.

STORAGE TIMES

We will process the data for the time necessary to carry out the negotiation and they will subsequently be deleted after 12 months from the last email or contact. They may be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

Verification of the obsolescence of the data is carried out every 12 months.

MORE INFORMATION

The User has full freedom to release the requested data, since there is no legal obligation to provide them. However, if the User chooses not to provide data reported as essential, the Data Controller will not be able to provide the requested service.

WORK WITH US

PURPOSE

The main purpose of data processing is to allow the sending of a CV for possible recruitment.

LEGAL BASIS

Execution of pre-contractual measures carried out at the request of the data subject.

With regard to the possible inclusion in the CV of «particular» data pursuant to Art. 9 GDPR, they will be processed on the basis of letter b) «processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data subject in the field of employment and social security and social protection law».

STORAGE TIMES

We will keep your CV for one year after sending.

MORE INFORMATION

The User has full freedom to release the requested data, since there is no legal obligation to provide them. However, if the User chooses not to provide data reported as essential, the Data Controller will not be able to provide the requested service.
The selection process will not take place with automated tools.

RENTAL

PURPOSE

The main purpose of the data processing is to rent the car; the secondary purposes are those related to accounting and tax obligations as well as the withdrawal thereof.

LEGAL BASIS

The legal basis is the execution of the contract and the fulfillment of legal obligations (including accounting and tax).

In the event of a dispute, the data will be processed for taking action or defense in court and this corresponds to the legitimate interest of the data controller.

STORAGE TIMES

The data will be deleted after 10 years from the return of the car.

The data may be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

MORE INFORMATION

The provision of data is obligatory for the conclusion of the contract. In any case of refusal it will not be possible to send the request.

REVIEWS

PURPOSE

The main purpose of data processing is to import the reviews freely left through Google.

LEGAL BASIS

Legitimate interest of Tomasi Auto.

STORAGE TIMES

The data will be visible until obsolescence or until an advanced deletion request is made to Google.

They may be kept longer only in case of disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

MORE INFORMATION

This specific processing is not carried out by Tomasi Auto, but by Google. The company is limited to importing the reviews freely and spontaneously left by users within its website because this is what they refer to.

How to delete them? You will need to click on the trash symbol next to your evaluation directly from Google.

MONTHLY RENTAL

PURPOSE

The main purpose of data processing is to send us a request for a quote.

LEGAL BASIS

The legal basis is the execution of pre-contractual measures carried out at the request of the data subject.

In the event of a dispute, the data will be processed for taking action or defense in court and this corresponds to the legitimate interest of the data controller.

STORAGE TIMES

We will process the data for the time necessary to carry out the negotiation and subsequently they will be deleted after 12 months from the last email or contact. They may be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

MORE INFORMATION

The User has full freedom to release the requested data, since there is no legal obligation to provide them. However, if the User chooses not to provide data reported as essential, the Data Controller will not be able to provide the requested service.

BUSINESS RENTAL AGREEMENT

PURPOSE

The main purpose of data processing is to send us a request for a quote.

LEGAL BASIS

The legal basis is the execution of pre-contractual measures carried out at the request of the data subject.

In the event of a dispute, the data will be processed for taking action or defense in court and this corresponds to the legitimate interest of the data controller.

STORAGE TIMES

We will process the data for the time necessary to carry out the negotiation and subsequently they will be deleted after 12 months from the last email or contact. They may be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

MORE INFORMATION

The User has full freedom to release the requested data, since there is no legal obligation to provide them. However, if the User chooses not to provide data reported as essential, the Data Controller will not be able to provide the requested service.

AGENCIES AND TOUR OPERATOR

PURPOSE

The main purpose of data processing is to send us a request for a quote.

LEGAL BASIS

The legal basis is the execution of pre-contractual measures carried out at the request of the data subject.

In the event of a dispute, the data will be processed for taking action or defense in court and this corresponds to the legitimate interest of the data controller.

STORAGE TIMES

We will process the data for the time necessary to carry out the negotiation and subsequently they will be deleted after 12 months from the last email or contact. They may be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

MORE INFORMATION

The User has full freedom to release the requested data, since there is no legal obligation to provide them. However, if the User chooses not to provide data reported as essential, the Data Controller will not be able to provide the requested service.

LONG TERM RENTAL

PURPOSE

The main purpose of data processing is to send us a request for a quote.

LEGAL BASIS

The legal basis is the execution of pre-contractual measures carried out at the request of the data subject.

In the event of a dispute, the data will be processed for taking action or defense in court and this corresponds to the legitimate interest of the data controller.

STORAGE TIMES

We will process the data for the time necessary to carry out the negotiation and they will subsequently be deleted after 12 months from the last email or contact. They may be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

MORE INFORMATION

The User has full freedom to release the requested data, since there is no legal obligation to provide them. However, if the User chooses not to provide data reported as essential, the Data Controller will not be able to provide the requested service.

USED VEHICLE PICKUP WITH LONG TERM RENTAL (Trade-in)

PURPOSE

The main purpose of data processing is to send us a request for a quote.

LEGAL BASIS

The legal basis is the execution of pre-contractual measures carried out at the request of the data subject.

In the event of a dispute, the data will be processed for taking action or defense in court and this corresponds to the legitimate interest of the data controller.

STORAGE TIMES

We will process the data for the time necessary to carry out the negotiation and they will subsequently be deleted after 12 months from the last email or contact. They may be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

MORE INFORMATION

The User has full freedom to release the requested data, since there is no legal obligation to provide them. However, if the User chooses not to provide data reported as essential, the Data Controller will not be able to provide the requested service.

WEB CHECK-IN

PURPOSE

The main purpose of data processing is to speed up the check-in process following rental.

LEGAL BASIS

The legal basis is the execution of the contract.

In the event of a dispute, the data will be processed for taking action or defense in court and this corresponds to the legitimate interest of the data controller.

STORAGE TIMES

We will process the data for 10 years from the return of the car. They may be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

MORE INFORMATION

The provision of data is optional. In any case of refusal it will not be possible to send the request.

BROWSING DATA

PURPOSE

Site security.

LEGAL BASIS

We will process the data based on the legitimate interest of the company in cybersecurity and compliance with legal obligations. The legal basis for the processing of cookies other than those necessary is consent.

STORAGE TIMES

24 months.

MORE INFORMATION

For the regulation on cookies, please refer to the specific information notice.

BLACKLIST 

The blacklisting may be decided internally by the company based on the evaluation of contracts you have signed that have been followed by disputes, damages or accidents.

Your personal data will be processed in order to assess your reliability as a customer and prevent possible fraud. This processing is justified by the legitimate interest of the Data Controller pursuant to Article 6(1)(f) of Regulation (EU) 2016/679 (“GDPR”).

Blacklisting is a processing operation aimed at protecting the Data Controller from risks resulting from untrusted behavior. Such processing is carried out with the utmost care and in accordance with the principles of necessity, proportionality, and data minimization, as stipulated in Article 5 GDPR.

It is important to emphasize that there is no automated decision making in blacklisting; every decision is made with human intervention, ensuring that all relevant aspects of your behavior as a customer are carefully evaluated.

In addition, the Data Controller takes appropriate measures to ensure that blacklisted data is correct and up-to-date.

The processing will last for a 5-year period.

3. What else do I need to know?

The data will be treated in a lawful manner, according to fairness and with the utmost confidentiality, in compliance with the appropriate security measures as provided for by the Code and the Regulation. The processing will be carried out by digital means. The data will not be publicly disclosed (with the exception of the name linked to the review) and the user will not be subjected to automated decision-making processes such as profiling unless they consent to this by flagging the appropriate box or by installing cookies or other tracking tools for whose standardization reference is made to the appropriate information notice.

 

4. To whom will my data be communicated?

The Data Controller may communicate the data to all subjects to whom communication is obligatory by law for the fulfillment of the purposes provided by law.

The Data Controller also makes use of some companies or IT tools that carry out processing activities on the personal data of data subjects in the exclusive interest of the data controller, all appropriately appointed as data processors pursuant to Art. 28 GDPR. The list of data processors can be found on site. For the collection of the car, the data will be communicated to external subjects (collection points) who act as data processors. The data will also be communicated to the payment gateways as independent data controllers.

5. What is the place of storage and transfer of data?

The management and storage of personal data will take place on servers located in Europe of the Data Controller or of companies appropriately appointed as Data Processors.

 

6. What are my rights and how can I exercise them?

a) Rights of the data subject

The user, in their capacity as data subject, has the rights referred to in Art. 15 et seq. of the Regulation and precisely:

1. RIGHT OF ACCESS (Art. 15 GDPR)

The data subject has the right to obtain confirmation of the existence or not of personal data concerning them, even if not yet registered, and their communication in intelligible form.

2. RIGHT TO RECTIFICATION (Art. 16 GDPR)

The data subject has the right to obtain the rectification of inaccurate personal data concerning them and also the integration of incomplete personal data.

3. RIGHT TO ERASURE (Art. 17 GDPR)

The data subject has the right to obtain the erasure of personal data in the presence of particular reasons such as withdrawal of consent, objection to processing or if the data are no longer necessary with respect to the purposes for which they were collected and processed or in case of unlawful processing. It will not always be possible to proceed with erasure but it will certainly be the responsibility of the data controller to provide adequate motivation.

4. RIGHT TO RESTRICTION OF PROCESSING (Art. 18 GDPR)

The data subject has the right to obtain restriction of processing in the presence of particular hypotheses such as, for example, in the case of a request for rectification or objection during the request evaluation time.

5. RIGHT TO PORTABILITY (Art. 20 GDPR)

If the processing is based on consent or on the contract and is carried out with automated tools, the data subject can receive them in a structured format, commonly used and readable by the device or ask to transmit them to another controller.

6. RIGHT TO OBJECT (Art. 21 GDPR)

The data subject has the right to object, in whole or in part:

a) for legitimate reasons to the processing of personal data concerning them, even if pertinent to the purpose of collection;

b) to the processing of personal data concerning them for the pursuit of purposes not contemplated by Art. 2.

The user can make a request for objection to the processing of their personal data pursuant to Article 21 of the GDPR in which they give evidence of the reasons that justify the objection: the Data Controller reserves the right to evaluate the request, which would not be accepted in case of existence of compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the user.

7. RIGHT TO LODGE A COMPLAINT

The data subject has the right to lodge a complaint with the competent supervisory authority pursuant to Article 77 of the GDPR if they consider that the processing of their data is contrary to current legislation.

b) Exercising methods:

The data subject may at any time exercise the rights referred to in the previous article by contacting the data controller at the addresses indicated above.

COOKIE INFORMATION NOTICE

Who is the data controller?[1]

Who is the data controller?[2]

Noleggiare s.r.l., in the person of its legal representative with registered office in via Del Brennero n.62 38123 Trento (TN), (hereinafter, «Controller»),

 

How can I contact them The contact details of the company are:

Telephone:

Certified email: [email protected]

Email: [email protected]

Address: via Del Brennero, 62 – 38123 Trento (TN)

Has a DPO been appointed? What are their contact details?

The company has appointed as its DPO the lawyer Antonino Polimeni, who can be contacted at the following email address: [email protected]

 

What are cookies?

Cookies are text strings that websites visited by users (so-called Publishers or “first parties”) or different sites or web servers (so-called “third parties”) place and store within the user’s terminal device, so that they are then retransmitted to the same sites on the next visit. *

What are they for?

Cookies are used for different purposes: carrying out electronic authentications, monitoring sessions, storing information on specific configurations concerning users accessing the server, storing preferences, or to facilitate the use of online content, such as to track items in a shopping cart or information for filling out a computer form etc.; but they can also be used to profile the user, that is to «observe» their behavior, for example in order to send targeted advertisements, measure the effectiveness of the advertising message and adopt consequent commercial strategies. In this case we talk about profiling cookies. *

What are technical cookies?

These are cookies that are used for browsing or providing a service requested by the user. They are not used for any other purposes and are normally installed directly by the website owner.

Without the use of these cookies, some operations could not be carried out or would be more complex and/or less secure. *

Are analytics cookies technical cookies?

Analytics cookies can be assimilated to technical cookies if used for site optimization purposes directly by the owner of the site itself, which can collect statistical information in aggregate form on the number of users and how they visit the site.

If, on the other hand, the processing of these statistical analyses is entrusted to third parties, the user data must be minimized in advance and may not be combined with other processing or transmitted to other third parties. Under these conditions, the same rules, in terms of information and consent, provided for technical cookies also apply for analytics cookies. *

What cookies does this site use?

This site uses third-party cookies to:

  1. Monitor visits and obtain statistics on user activity on the site
  • Google Analytics (GA4)

Google Analytics is necessary to monitor visits and to obtain aggregated statistics on site activity. We do not know your identifier and have no ability to identify the user who visits the website. But Google can do that. Data processing takes place in Europe if you are a browser connected with a European IP. Here is the link to the privacy policy: https://policies.google.com/technologies/cookies?hl=en

  • PHP

PHP transparently supports HTTP cookies. Cookies are a mechanism for storing data in the remote browser and then tracking or identifying returning users. Cookies are part of the HTTP header, so setcookie must be called before any output is sent to the browser. This is the same limitation that header has. You can use output buffering functions to delay script output until you decide whether to set cookies or send headers. Here the link to the privacypolicy: https://www.php.net/privacy.php

  • Hotjar

Cookies are small portions of data that a website adds to a user’s browser. Hotjar tracking code cookies are set on a visitor’s browser when they visit a website that loads the Hotjar tracking code. These cookies allow Hotjar’s tracking code to function properly. In addition to cookies, Hotjar’s tracking code also uses local and session storage. Here is the link to the privacy policy: https://www.hotjar.com/legal/policies/privacy/

  • Criteo

Criteo helps brands, e-commerce sites and other advertisers promote their products and services. We do this by allowing advertisers to tailor their campaigns and/or offers to the audience they wish to reach with the content they wish to promote, which in turn means you may receive advertisements that may interest you on our partners’ websites, mobile apps and other platforms. Here is the link to the privacy policy: https://www.criteo.com/privacy/

  1. Targeting and Advertising
  •  Remarketing with Google

Remarketing with Google is a remarketing and behavioral targeting service provided by Google LLC or Google Ireland Limited, depending on the location where the site is used, which connects the tracking activity carried out by Google Analytics and its Cookies with the Google Ads advertising network and the Doubleclick Cookie.

In essence, Google assigns an ID to the browser of the website, stored in a cookie. This ID will then be needed to customize the ads on the Google network and on all websites that use Adsense.

Data processing takes place in Europe if you are a browser connected with a European IP. Here is the link to the privacy policy: http://www.google.com/intl/it/policies/privacy/

  • Facebook

Facebook identifies the user with their own IDs in order to personalize the advertising and profile the user. These IDs are then associated with the Facebook profile (if active) and, as a result of browsing our website, you may find ads on Facebook and Instagram.

In essence, when you browse our website, Facebook installs a cookie on your hard drive and, subsequently, when you browse on Facebook or Instagram, these two platforms will search for the cookie and then target the advertisements according to the instructions provided by it.

The processing is entirely by Facebook and we have no way of identifying the user.

The service is provided by Facebook Inc. or Facebook Ireland Ltd, depending on the location of the site visitor. Data processing takes place in Europe if you are a browser connected with a European IP. Here is the link to the privacy policy: https://it-it.facebook.com/policy.php

Below is the list of cookies used by the site:

Cookies

Description

Duration

Party

_ga_W0J8BBX7ZJ

Preserve and count page views

1 year 

Google Analytics

_hjSessionUser_1556309

Keep a unique ID address

1 year

Hotjar

_hjAbsoluteSessionInProgress

Keep unique visits

Session

Hotjar

_hjSession_1556309

Keep functions between pages

Session

Hotjar

cto_bundle

Keep functions between pages

13 months

Criteo

_fbp

Store and track visits between websites 

3 months 

Facebook

_ga

Preserve and count page views 

2 years 

Google Analytics 

PHPSESSID

Provide functions between pages

session

PHP

__Secure-3PSIDCC

Use site options and services

1 year

google.com

__Secure-1PSIDCC

Use site options and services

1 year

google.com

Sidcc

Identify web traffic

1 year

Google Maps

__Secure-3PAPISID

Send more relevant advertising to you and your interests

2 years 

google.com

Ssid

unknown 

2 years 

Google Ads Optimization

__Secure-1PAPISID

Use site options and services

2 years 

google.com

Hsid

Prevent fraud

2 years 

Google Ads Optimization

__Secure-1PSID

Use site options and services

2 years 

google.com

SID

Provide ad delivery or retargeting, prevent fraud

2 years 

Google Ads Optimization

Apisid

unknown 

2 years 

Google Ads Optimization

Sapisid

unknown 

2 years 

Google Ads Optimization

1P_JAR

Provide ad delivery or retargeting

1 month

Google Ads Optimization

Nid

Provide ad delivery or retargeting, store user preferences.

6 months

Google Ads Optimization

SEARCH_SAMESITE

Mitigate the risk of cross-origin information leakage

6 months

google.com

CONSENT

Retain consent for cookies

20 years

Google Ads Optimization

__Secure-ENID

Preserve User preferences

13 months

google.com

__Secure-3PSID

Preserve User preferences

2 years

google.com

ln_or

fonts-loaded

OTZ

AEC

__Secure-3PSIDTS

__Secure-1PSIDTS

HOW TO DISABLE COOKIES?

  • HOW TO DISABLE COOKIES:

We also inform you that, below, you can find instructions for disabling cookies:

– If using Internet Explorer: http://windows.microsoft.com/it-it/windows7/block-enable-or-allow-cookies

– If using Chrome: https://support.google.com/accounts/answer/61416?hl=it

– If using Firefox: https://support.mozilla.org/it/kb/Attivare%20e%20disattivare%20i%20cookie

– If using Safari on iPad, iPhone, iPod: https://support.apple.com/it-it/HT201265

– If using other browsers: http://en.wikihow.com/Disable-i-Cookies”),

  • ANONYMOUS BROWSING

To find out how to activate the option on the main search engines click on the browser you use:

Internet Explorer (http://windows.microsoft.com/en-US/windows7/Block-enable-or-allow-cookies),

Google Chrome (https://support.google.com/chrome/answer/95464?hl=en),

Mozilla Firefox (https://support.mozilla.org/en/kb/Anonymous browsing),

Opera Browser (http://help.opera.com/opera/Windows/1781/en/private.html#privateWindow),

Apple Safari (https://support.apple.com/en-us/HT6074).

What are my rights and how can I exercise them?

  1. RIGHT OF ACCESS (Art. 15 GDPR)

The data subject has the right to obtain confirmation of the existence or not of personal data concerning them, even if not yet registered, and their communication in intelligible form.

  1. RIGHT TO RECTIFICATION (Art. 16 GDPR)

The data subject has the right to obtain the rectification of inaccurate personal data concerning them and also the integration of incomplete personal data.

  1. RIGHT TO ERASURE (Art. 17 GDPR)

The data subject has the right to obtain the erasure of personal data in the presence of particular reasons such as withdrawal of consent, objection to processing or if the data are no longer necessary with respect to the purposes for which they were collected and processed or in case of unlawful processing. It will not always be possible to proceed with erasure but it will certainly be the responsibility of the data controller to provide adequate motivation.

  1. RIGHT TO RESTRICTION OF PROCESSING (Art. 18 GDPR)

The data subject has the right to obtain restriction of processing in the presence of particular hypotheses such as, for example, in the case of a request for rectification or objection during the request evaluation time.

  1. RIGHT TO PORTABILITY (Art. 20 GDPR)

If the processing is based on consent or on the contract and is carried out with automated tools, the data subject can receive them in a structured format, commonly used and readable by the device or ask to transmit them to another controller.

  1. RIGHT TO OBJECT (Art. 21 GDPR)

The data subject has the right to object, in whole or in part:

  1. a) for legitimate reasons to the processing of personal data concerning them, even if pertinent to the purpose of collection;
  2. b) to the processing of personal data concerning them for the pursuit of purposes not contemplated by Art. 2.

The user can make a request for objection to the processing of their personal data pursuant to Article 21 of the GDPR in which they give evidence of the reasons that justify the objection: the Data Controller reserves the right to evaluate the request, which would not be accepted in case of existence of compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the user.

  1. RIGHT TO LODGE A COMPLAINT

The data subject has the right to lodge a complaint with the competent supervisory authority pursuant to Article 77 of the GDPR if they consider that the processing of their data is contrary to current legislation.

  1. b) Exercising methods:

The data subject may at any time exercise the rights referred to in the previous article by contacting the data controller at the addresses indicated above.

(* taken from: privacy supervisory authority – faq cookie)

[1] Pursuant to Art. 4 No.7 GDPR: the data controller determines the purposes and means of the processing of personal data and its responsibilities are identified by Art. 24 GDPR.

[2] Pursuant to Art. 4 No.7 GDPR: the data controller determines the purposes and means of the processing of personal data and its responsibilities are identified by Art. 24 GDPR.