Privacy Policy

1. Data Controller

Pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter "GDPR") and Italian legislation on the protection of personal data (D.Lgs. 196/2003 and subsequent amendments, the "Privacy Code"), this notice describes the methods of processing personal data of users who visit the website travelinfluencer.co (including related subdomains), use the content management platform Horizon Studio and the web application Horizon, including all associated services.

The Data Controller is the entity that determines the purposes and means of processing personal data. For any questions regarding this notice or the processing of your personal data, you may contact the Controller using the details above.

Data Protection Officer (DPO): The Controller has not appointed a Data Protection Officer as it does not fall within the mandatory cases provided for by Article 37 of the GDPR.

2. Types of Data Collected

The personal data collected by the Travelinfluencer.it platform, Horizon Studio, and the Horizon app can be divided into the following categories:

2.1 Data voluntarily provided by the user

• Identification data: first name, last name, email address, phone number
• Contact data: address, city, province, postal code
• Billing data: VAT number, tax code, billing address, payment data
• Profile data: information provided during account setup, created automatically following the purchase of a subscription through the payment provider Paddle, including data related to the travel influencer activity, nickname, bio, avatar, hero banner image, and customized public author profile colors
• Influencer Network data: data voluntarily provided by the Customer for the visibility of their profile in the influencer Network, including but not limited to: contact email, professional bio, niche, follower range, social platforms, Horizon profile link, availability for collaborations, languages spoken, and main destinations. Participation in the Network is optional and subject to the Customer's explicit and separate consent, who can choose which information to make visible and revoke participation at any time
• User-generated content: posts, articles, uploaded images, video links (YouTube/Vimeo) published on the platform through Horizon Studio
• Communications: messages sent via contact forms, email, or other communication channels
• Contact form data: name, email, subject, and message entered in the website contact form, processed through the third-party service FormSubmit.co and forwarded via email to the Controller

2.2 Automatically collected data

• Browsing data: IP address, browser type, operating system, device type, screen resolution
• Usage data: pages visited, time spent, clicks, navigation path, referrer
• Technical data: system logs, errors, performance
• User interface: a scroll progress bar is present at the top of the page to improve the browsing experience. This feature processes exclusively local browsing data and does not transmit any data to external servers
• HorizonAI (local AI assistant): the travel assistant based on an artificial intelligence model processes data entirely locally on the user's device. No personal data is transmitted to external servers. Internet connection is required exclusively for the initial download of the AI model at the first app launch
• Trip management ("My Trips"): data related to trips created by the user (destinations, dates, expense categories such as accommodation/transport/food/activities, amounts, notes, and trip status) are stored and processed exclusively locally on the user's device. No trip data is transmitted to external servers. The user can export individual trips in a dedicated file format (.travel) for data portability
• Travel document import (PDF): the user can import travel documents in PDF format (flight confirmations, hotel reservations, etc.) for automatic extraction of trip-related data. PDF document processing occurs entirely locally on the user's device. No document content is transmitted to external servers
• Interactive map (OpenStreetMap): the app uses third-party map services (OpenStreetMap) for trip visualization. Loading map tiles automatically transmits the user's IP address and requested tile coordinates to OpenStreetMap servers. The feature does not use device GPS or geolocation. For more information: OpenStreetMap Privacy Policy
• Content indexing: content published by users on the platform is publicly accessible and, as such, may be indexed by search engines, web crawlers, and artificial intelligence agents according to normal web dynamics
• Like system: the status of likes placed on articles is stored locally on the user's browser to prevent multiple likes from the same device. This feature does not require authentication and is accessible to all visitors, including anonymous ones. No personal data is transmitted to external servers for this feature
• View monitoring: article view counting is automatic and active by default for all published content. The counter is incremented on each visit to the individual article
• User/influencer profile views: author/influencer profile view counting is automatic and active by default. The counter is incremented on each visit to the author's/influencer's profile
• Promo popup: the app may show a dismissible promotional popup with customized promotional content. The popup may link to third-party sites: in such cases, user data may be collected by those sites according to their respective privacy policies
• WebView and external content: the app uses WebView components to display external web content. When the user navigates to external sites through affiliate links, travel services (flights, hotels, car rentals, insurance, eSIM, tours), or other links, browsing data may be collected by the respective third-party sites according to their privacy policies
• Google Fonts in white-label apps: influencer white-label apps may load fonts from the Google Fonts service (fonts.googleapis.com) at the Customer's choice. This HTTP request may include the user's IP address in Google server logs. Loading occurs at the Customer's choice for customizing their app and is not controlled by the Controller
• Cookies and similar technologies: as described in the dedicated section (Section 5)

2.3 Data obtained from third parties

• From commercial partners: data shared by partners for service purposes
• From analytics providers: aggregated and anonymized data relating to web traffic

3. Purposes of Processing

The personal data collected is processed for the following purposes:

3.1 Contractual purposes and service execution

• Provision of services offered by the Travelinfluencer.it platform, including the proprietary Horizon app with AI features, mini-blog, and trip management
• User account management and authentication
• Provision of agency services for travel influencers
• Management of subscriptions and payments through the payment provider Paddle
• Technical assistance and customer support
• Operational communications relating to purchased services
• Management of contact requests through the website form, processed by the external service FormSubmit.co
• Publication and management of the profile in the influencer Network, including but not limited to the display of contact data, professional information, niche, statistics, and availability for collaborations, accessible to users with a Network subscription

3.2 Legitimate interests

• Improvement and optimization of the platform and services
• Anonymous or aggregated statistical analysis of traffic and website usage
• Operation of the HorizonAI AI assistant to improve the user's travel experience, with exclusively client-side processing and no transmission of personal data
• Website security and prevention of fraud, abuse, and unauthorized access
• Compliance with legal obligations, regulations, or requests from competent authorities
• Exercise or defense of rights in legal proceedings
• Dispute management

3.3 Marketing purposes (with consent)

• Sending newsletters and promotional communications via email
• Personalized commercial communications based on user preferences
• Promotion of new services, features, or special offers
• Analysis of user preferences to personalize the experience

3.4 Nature of data provision

The provision of data for the purposes referred to in point 3.1 is necessary for the use of the services. Refusal to provide such data may result in the inability to use the services offered. The provision of data for the marketing purposes referred to in point 3.3 is optional and requires the user's prior consent, which may be revoked at any time.

The provision of data for visibility in the influencer Network is optional and requires the explicit prior consent of the Customer. The Customer may freely choose which information to make visible in the Network and may revoke consent at any time, with immediate effect on the removal of their profile from the Network. Revocation of consent does not entail any consequences on the use of the other services of the platform.

4. Legal Basis for Processing

The processing of personal data is based on the following legal bases pursuant to Article 6 of the GDPR:

• Article 6, paragraph 1, letter a) – Consent: for the processing of personal data for marketing purposes, for the use of non-essential cookies, for the processing of special categories of data (if applicable), and for the publication of Customer data in the influencer Network, including but not limited to contact data, professional information, and statistics, made visible to Network subscribers
• Article 6, paragraph 1, letter b) – Performance of a contract: for processing necessary to provide the services requested by the user and to execute the contract
• Article 6, paragraph 1, letter c) – Legal obligation: for processing necessary to comply with applicable legal, fiscal, and accounting obligations
• Article 6, paragraph 1, letter f) – Legitimate interest: for processing necessary to pursue a legitimate interest of the Controller, such as website security, statistical analysis, fraud prevention, and defense of rights

4.1 Automated Decision-Making and Profiling (Art. 22 GDPR)

The Controller declares that the platform does not use fully automated decision-making processes, including profiling, that produce legal effects or significantly affect users, pursuant to Article 22 of the GDPR.

HorizonAI is a travel planning support assistant with entirely local processing. It does not have the ability to make bookings, payments, or actions with legal effect. The user always retains full control of their decisions.

5. Cookies and Tracking Technologies

5.1 Technical cookies (necessary)

These cookies are essential for the operation of the website and cannot be disabled. They do not require user consent.

• Session cookies: necessary for browsing and authentication
• Preference cookies: store user settings (language, theme)
• Security cookies: protect against CSRF attacks and ensure browsing security
• Cookies related to the FormSubmit.co service: necessary for the contact form functionality and integrated CAPTCHA protection
• Consent cookies from the cookie management service: necessary to store the user's cookie consent preferences. These are technical cookies and do not require prior consent

5.2 Cookie consent banner

The travelinfluencer.co website uses a third-party service for managing cookie consent. The service displays an informational banner to first-time visitors and stores consent preferences. It sets exclusively technical cookies necessary for the banner's operation.

The Controller does not use tracking cookies for affiliate monitoring purposes. Affiliate marketing links present in Customer white-label apps are managed directly by Customers through their respective third-party affiliate platforms.

5.3 Third-party analytics cookies (Google Analytics)

The travelinfluencer.co website may use Google Analytics, a web analytics service provided by Google LLC. Google Analytics uses cookies to analyze website usage and generate statistical reports on traffic (pages visited, time spent, geographic origin, device used). The data collected is aggregated and anonymized.

Google Analytics cookies are classified as third-party analytics cookies and are activated exclusively with the user's consent through the cookie consent banner. The user may revoke consent and disable these cookies at any time. For more information about Google's privacy practices: Google Privacy Policy.

5.4 Marketing and advertising cookies (Google Ads)

The travelinfluencer.co website may use Google Ads (including remarketing and conversion tags) provided by Google LLC for targeted advertising purposes. These cookies allow showing relevant ads to users who have visited the site and measuring the effectiveness of advertising campaigns.

Google Ads cookies are classified as marketing/profiling cookies and are activated exclusively with the user's consent through the cookie consent banner. The user may revoke consent and disable these cookies at any time. You can manage advertising preferences through Google Ads settings: Google Ads Settings.

5.5 Profiling cookies from other platforms

The Controller does not use social media pixels (Facebook Pixel, Instagram, etc.) or other tracking technologies for targeted marketing purposes beyond what is described in section 5.4. Should additional marketing services be activated in the future, this notice will be updated and consent will be managed through the cookie consent banner.

5.6 Cookie management

Users can manage their cookie preferences through their browser settings. Please note that disabling some cookies may affect the functionality of the website. For more information on managing cookies, consult the guides for major browsers:

• Google Chrome
• Mozilla Firefox
• Apple Safari
• Microsoft Edge

5.7 White-label apps and absence of cookies

The influencer Horizon (white-label) apps are cookieless and do not use proprietary tracking cookies. Content displayed through iframes within the apps is under the exclusive responsibility of the third-party sites shown, including the adoption of GDPR-compliant cookie consent systems. The Controller is not responsible for the cookie management practices of sites displayed through iframes.

6. Data Recipients

Personal data may be shared with the following categories of recipients, in compliance with the adequate guarantees provided by the GDPR:

• Euronodes (hosting): hosting provider with servers located in the European Union. Euronodes acts as a data processor pursuant to Art. 28 of the GDPR. The Data Processing Agreement (DPA) is available at: Euronodes GDPR Agreement
• Other technology service providers: cloud services, email marketing platforms, and other technology providers, in compliance with their respective data processing agreements
• Payment provider (Paddle): online payment manager for secure transaction processing and subscription management. Payment data (credit card, etc.) is managed directly by Paddle and is not stored on this site. Paddle acts as a Merchant of Record (MoR) in compliance with PCI-DSS regulations and is legally responsible for international VAT and sales tax management
• Form submission service: third-party service for managing the contact form. Data entered in the form (name, email, subject, message) is forwarded via email to the Controller. The service acts as a data processor for the data entered in the form
• Google LLC: for loading website and Customer white-label app fonts (Google Fonts), for statistical analysis of web traffic (Google Analytics), and for targeted advertising and remarketing purposes (Google Ads). HTTP requests may include the user's IP address in Google server logs. Google Analytics and Google Ads services are activated exclusively with the user's consent. For more information: Google Privacy Policy
• Cookie consent management service: third-party service used on the website for managing cookie consent. It sets technical cookies necessary to store user preferences
• OpenStreetMap: map service used in the app for interactive trip visualization. Loading map tiles transmits the user's IP address to OpenStreetMap servers. For more information: OpenStreetMap Privacy Policy
• Consultants and professionals: accountant, lawyer, tax consultant, to the extent necessary for the execution of their respective assignments
• Commercial partners: entities with whom we collaborate for the provision of integrated services, in compliance with data processing agreements
• Network subscribers: data of Customers who have given their explicit consent for visibility in the influencer Network is accessible to users with an active Network subscription, including but not limited to: contact data, professional information, niche, statistics, and availability for collaborations. Access is regulated by the platform's Terms and Conditions which prohibit improper use of data
• Public authorities: where required by law or orders from competent authorities

The complete and updated list of data processors is available upon request by contacting the Controller at info@travelinfluencer.co.

Data Processing Agreements (DPA): the Controller has entered into — or, in the case of platform services, accepted — a Data Processing Agreement pursuant to Article 28 of the GDPR with each data processor listed above. These agreements define the purposes and duration of processing, the type of personal data processed, the obligations and rights of the Controller, and the security measures adopted by the processor.

App with Customer's custom domain: When the Customer configures their app on a domain they own, the Customer becomes the Data Controller of the personal data of visitors to their website. The platform Controller remains the Data Controller exclusively for data processed by the Travelinfluencer.it platform and backend functionalities. The Customer is responsible for providing their own GDPR-compliant privacy notice on their domain.

7. Data Transfer Outside the European Union

Some of the third-party services used by this site may transfer data outside the European Union (EU) or the European Economic Area (EEA). In such cases, the transfer occurs in compliance with the appropriate safeguards provided by the GDPR, including:

• Adequacy decision: transfer to countries for which the European Commission has adopted an adequacy decision (e.g., United Kingdom, Switzerland, Japan)
• Standard Contractual Clauses (SCC): use of standard contractual clauses approved by the European Commission for data transfer to third countries
• Binding Corporate Rules (BCR): binding corporate rules adopted by multinational companies for intra-group transfers
• Specific derogations: in specific cases provided for by Article 49 of the GDPR (e.g., explicit consent of the data subject, performance of a contract)

8. Data Retention

Personal data will be retained for the time necessary to achieve the purposes for which it was collected, in compliance with the principles of storage limitation and data minimization provided by the GDPR. In particular:

• Contractual and account data: for the entire duration of the contractual relationship and for the subsequent 10 years for legal obligations (fiscal, accounting, civil)
• Browsing and log data: for a maximum of 14 months, as provided by Italian regulations (Garante Privacy Provision of May 8, 2014)
• Marketing data: until consent is revoked by the data subject
• Data relating to support requests: for the time necessary to manage the request and, in any case, no longer than 24 months from the closure of the case
• Cookies: as specified in the dedicated cookies section (Section 5)
• User data after account deletion: to delete the account, the user must first cancel their subscription or let it expire. Once the subscription is expired or cancelled, articles, images, app settings, and other user-generated content are retained for a maximum period of 30 days from the subscription expiry date, during which the platform and all its features are completely inaccessible. If the user renews any subscription within this 30-day period, the deletion process is automatically cancelled and the account returns to fully active. After the 30-day period without an active subscription, all data and the account are deleted permanently and irreversibly.

At the end of the retention period, data will be deleted or anonymized irreversibly, unless otherwise required by law.

9. Data Subject Rights

Pursuant to Articles 15-22 of the GDPR, the data subject has the right to exercise the following rights against the Data Controller:

9.1 Right of access (Art. 15)

The data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed, and if so, to obtain access to the personal data and information relating to the processing.

9.2 Right to rectification (Art. 16)

The data subject has the right to obtain the rectification of inaccurate personal data concerning them without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed.

9.3 Right to erasure ("Right to be forgotten") (Art. 17)

The data subject has the right to obtain the erasure of personal data concerning them without undue delay, where one of the grounds provided by law applies (e.g., the data is no longer necessary, consent has been withdrawn, the data subject has objected to processing, the data has been unlawfully processed).

9.4 Right to restriction of processing (Art. 18)

The data subject has the right to obtain the restriction of processing in the cases provided by law (e.g., contesting the accuracy of the data, unlawful processing, opposition to erasure, necessity for the exercise of rights in legal proceedings).

9.5 Right to data portability (Art. 20)

The data subject has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used, and machine-readable format, and the right to transmit such data to another Controller without hindrance.

9.6 Right to object (Art. 21)

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data based on the Controller's legitimate interest, unless compelling legitimate grounds for the processing are demonstrated that override the interests, rights, and freedoms of the data subject.

9.7 Right to withdraw consent (Art. 7)

The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9.8 Right to lodge a complaint (Art. 77)

The data subject has the right to lodge a complaint with a competent Supervisory Authority. In Italy, the competent authority is the Garante per la protezione dei dati personali (Data Protection Authority), contactable at:

9.9 How to exercise your rights

To exercise one or more of the rights listed above, the data subject may send a request to:

• Email: info@travelinfluencer.co

The Controller undertakes to respond to the request within 30 days of receipt, as required by the GDPR. This period may be extended by a further 60 days in cases of particular complexity, with appropriate communication to the data subject.

10. Protection of Minors

The services offered by Travelinfluencer.it are not intended for minors under 16 years of age. The Controller does not knowingly collect personal data from minors under this age. If the Controller becomes aware that personal data of minors has been inadvertently collected, it will promptly proceed with its deletion.

If you are a parent or guardian and believe that your child has provided personal data without your consent, please contact us at info@travelinfluencer.co.

11. Changes to the Privacy Policy

The Controller reserves the right to make changes to this Privacy Policy at any time, to account for any regulatory, technological, or organizational changes. Changes will be published on this page with the date of the last update indicated.

Users are invited to periodically consult this page to stay informed about the latest developments in data protection. In case of substantial changes, the Controller will inform users through a notification on the site or via email.

12. Image Attribution

The images used on this site were sourced from the platforms Unsplash and Pexels. The authors and artists of the photographs retain their respective rights to the original works, in compliance with the licenses applied by the aforementioned platforms.

13. Contact Information

For any questions, information requests, or to exercise your rights regarding the protection of personal data, you may contact the Data Controller at:

The Controller is available for any clarification regarding this notice and the processing of your personal data.

13.1 Data Breach Notification

In compliance with Articles 33 and 34 of the GDPR, in the event of a personal data breach that may present a risk to the rights and freedoms of data subjects, the Controller undertakes to:

• Notify the breach to the Garante per la protezione dei dati personali within 72 hours from the moment of becoming aware of it, unless it is unlikely that the breach presents a risk to the rights and freedoms of natural persons
• Communicate the breach to the data subjects without undue delay where the breach is likely to present a high risk to their rights and freedoms
• Document all data breaches, including the facts, effects, and corrective actions taken

The Controller has adopted appropriate technical and organizational measures to prevent data breaches and to minimize the impact of any incidents.

14. Detail of Processing by Data Category

This section provides specific details on the categories of data processed, with the related purposes, legal bases, and retention periods.

14.1 Authentication and security data

• Type of data collected: Email, password (stored in encrypted form), security questions and related answers (stored in encrypted form via one-way hash)
• Purpose: User authentication, account recovery in case of forgotten password, access security
• Legal basis: Legitimate interest (Art. 6, par. 1, lett. f) of EU Regulation 2016/679, protection of user account security
• Retention period: Data is retained for the duration of the account and deleted within 30 days of the profile deletion request

14.2 User profile data

• Type of data collected: Display name, avatar, bio, company name, phone, website, primary color, app title
• Public author profile (Horizon Studio): hero banner image, avatar, bio with HTML formatting, custom nickname, customizable colors for profile appearance. Author profiles are public and visible to all visitors
• Purpose: Personalization of the user profile, the related application, and the public author page on Horizon Studio
• Legal basis: Performance of a contract (Art. 6, par. 1, lett. b) of EU Regulation 2016/679
• Retention period: For the duration of the account. The user can modify or delete this data at any time from their profile settings

14.3 User-generated content

• Type of data collected: Posts, uploaded images, video links (YouTube/Vimeo)
• Purpose: Publication and management of the user's personal blog through Horizon Studio
• Legal basis: Consent of the data subject (Art. 6, par. 1, lett. a) of EU Regulation 2016/679
• Retention period: For the duration of the account and up to a maximum of 30 days after account closure or subscription expiry, for possible recovery. After this period, content is permanently deleted. The user can delete their content at any time

14.4 Payment data (Paddle)

• Type of data: Subscribed plan, subscription status. Payment data is managed directly by Paddle and is not stored on this site
• Purpose: Subscription and plan management
• Legal basis: Performance of a contract (Art. 6, par. 1, lett. b) of EU Regulation 2016/679

14.5 Security questions

• Type of data: Custom security questions chosen by the user and related answers. Answers are stored exclusively in encrypted form (one-way hash) and are not readable even by the site administrator
• Purpose: Account recovery in case of forgotten password
• Legal basis: Legitimate interest (Art. 6, par. 1, lett. f) of EU Regulation 2016/679
• Retention period: For the duration of the account. The user can modify their questions and answers at any time from settings

14.6 Technical data

• Type of data: Username (failed access attempts monitored per individual account, without IP address tracking)
• Purpose: Prevention of unauthorized access attempts per individual account through monitoring of failed login attempts
• Legal basis: Legitimate interest (Art. 6, par. 1, lett. f) of EU Regulation 2016/679
• Retention period: Failed attempt counters are automatically reset after the 10-minute lockout period

14.7 Travel document import data

• Type of data: Content of PDF documents imported by the user (flight confirmations, hotel reservations, etc.) for automatic extraction of travel data
• Purpose: Automatic compilation of trip data in the "My Trips" section
• Legal basis: Performance of a contract (Art. 6, par. 1, lett. b) of EU Regulation 2016/679
• Retention period: PDF documents are processed exclusively locally on the user's device and are not transmitted or stored on external servers

14.8 Browsing data for map services

• Type of data: IP address, requested tile coordinates (not GPS)
• Purpose: Loading interactive maps for trip visualization
• Legal basis: Legitimate interest (Art. 6, par. 1, lett. f) of EU Regulation 2016/679
• Recipient: OpenStreetMap. For more information: OpenStreetMap Privacy Policy
• Retention period: Data is processed by OpenStreetMap according to their privacy policy

15. Data Subject Rights: Practical Information

In compliance with EU Regulation 2016/679 (GDPR), in addition to the rights described in Section 9, the user can concretely exercise their rights through the following methods:

• Access: View all personal data directly from profile settings
• Rectification: Modify personal data at any time from profile settings
• Erasure: Delete the account and all associated data through the "Delete Profile" function
• Portability: Request the export of personal data by contacting the administrator at info@travelinfluencer.co
• Objection: Object to data processing by contacting the administrator at info@travelinfluencer.co