Privacy Policy

Index

Last updated: February 2026

This Privacy Policy describes how personal data of users of the website esperienze.yallayalla.it (hereinafter "Site") is collected, used and protected, in accordance with EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Privacy Code), as amended by Legislative Decree 101/2018.

1. Data controller

The data controller of personal data is:

YallaYalla
Viale Adriatico 127, 00141 Rome (RM), Italy
Legal name: DICA SRL
VAT no.: 13366331000
Email: privacy@yallayalla.it

2. Personal data collected

Data provided voluntarily by the user
  • Registration data: first name, last name, email address, password (encrypted).
  • Booking data: first and last name of participants, nationality, date of birth, document number (when required by the experience supplier), any special requirements.
  • Contact data: email address, phone number (when provided).
  • Communications: content of messages sent through the contact form or by email.
Data collected automatically
  • Browsing data: IP address, browser type, operating system, pages visited, date and time of access, session duration.
  • Cookies: information collected through technical, analytics and marketing cookies. For more details, see our Cookie Policy.
Payment data

Payment card data (number, expiry, CVV) is handled exclusively by the payment gateway HiPay and is never stored on YallaYalla servers. HiPay is PCI-DSS certified for transaction security.

3. Purpose and legal basis of processing

PurposeLegal basis
Managing user registration and accountPerformance of contract (Art. 6.1.b GDPR)
Processing of bookings and paymentsPerformance of contract (Art. 6.1.b GDPR)
Sending booking confirmations, vouchers and service-related communicationsPerformance of contract (Art. 6.1.b GDPR)
Customer support and complaint handlingPerformance of contract / Legitimate interest (Art. 6.1.b/f GDPR)
Sending newsletters and commercial communicationsConsent of the data subject (Art. 6.1.a GDPR)
Statistical analysis and service improvementLegitimate interest (Art. 6.1.f GDPR)
Compliance with tax and legal obligationsLegal obligation (Art. 6.1.c GDPR)
Marketing and retargeting via cookiesConsent of the data subject (Art. 6.1.a GDPR)

4. Data recipients

Personal data may be shared with the following categories of recipients:

  • Experience suppliers: participant data needed to deliver the booked experience (first name, last name, nationality, any documents).
  • Technology partners: Civitatis Tours S.L. (booking platform), for catalog and booking management.
  • Payment gateway: HiPay, for secure payment processing.
  • Email services: for sending booking confirmations and commercial communications (newsletter).
  • Analytics services: Google Analytics, for statistical analysis of web traffic.
  • Marketing services: Google Ads and Meta (Facebook/Instagram), for advertising and retargeting campaigns.
  • Competent authorities: when required by law or by an order of judicial authority.

5. Non-EU data transfers

Some of the third-party services used (Google Analytics, Google Ads, Meta) may involve the transfer of personal data to countries outside the European Union, particularly the United States.

Such transfers take place on the basis of:

  • Adequacy decisions by the European Commission (EU-US Data Privacy Framework).
  • Standard Contractual Clauses (SCC) approved by the European Commission.

6. Data retention

Data typeRetention period
Account dataFor the entire duration of the account + 12 months after deletion
Booking data10 years from the booking date (tax obligations)
Browsing data and cookiesUp to 26 months (see Cookie Policy)
Newsletter and marketing consentsUntil consent is withdrawn by the user
Support requests24 months from request closure

7. Data subject rights

Under articles 15-22 of the GDPR, the user has the right to:

Access

Obtain confirmation of the processing of their data and a copy of it.

Rectification

Correct inaccurate or incomplete data.

Erasure

Request the deletion of their data, within the limits permitted by law.

Restriction

Restrict the processing of their data in certain circumstances.

Portability

Receive their data in a structured format and transfer it to another controller.

Objection

Object to the processing of their data on legitimate grounds, including direct marketing.

To exercise their rights, the user can send a request to privacy@yallayalla.it. The request will be handled within 30 days of receipt.

The user also has the right to lodge a complaint with the competent supervisory authority: Italian Data Protection Authority (www.garanteprivacy.it).

The Site uses technical, analytics and marketing cookies. For detailed information about the cookies used and how to manage your preferences, please see our Cookie Policy.

9. Changes to this policy

YallaYalla reserves the right to update this Privacy Policy at any time. Changes will be published on this page with the date of the last update. We recommend checking this page periodically to stay informed about how personal data is protected.

10. Contact

For any question about this Privacy Policy or the processing of personal data:

Discount on your first order!

Don't miss the best deals!

Subscribe to the newsletter and instantly get a discount code for your first purchase, plus exclusive previews and travel inspiration.