— Notice

Privacy Policy

Last updated: 2026-05-08

This page explains how Amici delle Eolie collects and processes the personal data you share with us. It's written in plain language and reflects a small, family-run boat-tour operation in Lipari that handles low volumes and treats client information with care.

1. Data controller

Salvatore Puglisi — captain and contact for Amici delle Eolie.
Operating address: Marina Corta, 98055 Lipari (ME), Italy.
Privacy contact: amicidelleeolie@libero.itWhatsApp +39 338 1584128.

Given the size of the operation, appointing a Data Protection Officer (DPO) is not legally required. For any privacy request you can write directly to the controller.

2. Data we collect and how we use it

2.1 When you contact us (email, WhatsApp, contact form)

We only collect what you give us: name, email or phone, dates of interest, group size, optional free-text notes on your request. We do not ask for identifying details we don't need (tax ID, ID document, etc.).

Legal basis: pre-contractual measures at your request (Art. 6.1.b GDPR).
Retention: up to 24 months from last interaction, unless the request becomes a confirmed booking (in which case tax retention applies, see 2.5).

2.2 On-site AI assistant

The AI assistant is powered by Anthropic (Claude Sonnet 4.6). When you write to the assistant, your messages are sent to Anthropic's servers to generate the response. Anthropic states that user inputs are not used to train its models and are retained only for the technical time necessary to deliver the service (see privacy.anthropic.com).

If during the conversation you provide contact details (e.g. an email to receive a reply), they're stored as a regular request (see 2.1) and used only to respond to you.

Legal basis: legitimate interest in offering a first-line information channel (Art. 6.1.f GDPR), or pre-contractual measures if the conversation leads to a booking request (Art. 6.1.b).
Retention: messages are not permanently stored on our servers. Conversations may be reconstructable only from Vercel technical logs (see 2.4) within 30 days.

2.3 Transactional emails

When enabled, the system can send automated confirmation emails (e.g. when you complete a chat request) via Resend. Resend receives the email address and message content for delivery purposes only. It does not use the data for its own purposes.

2.4 Hosting and technical logs

The site is hosted on Vercel. For security and operational needs (abuse mitigation, infrastructure debugging) Vercel automatically collects IP address, user agent and timestamp of HTTP requests. Maximum retention: 30 days.

Legal basis: legitimate interest in systems security (Art. 6.1.f GDPR).

2.5 Accounting and tax obligations

If you actually book an excursion and receive an invoice, we retain tax data for 10 years as required by Italian law (Civil Code Art. 2220 and D.P.R. 600/1973).

3. International transfers

Anthropic and Vercel are based in the United States. Data transfers rely on the European Commission's Standard Contractual Clauses (Art. 46 GDPR) and/or the EU-US Data Privacy Framework where applicable. Resend operates EU/US servers under the same guarantees. All providers self-declare GDPR compliance.

4. Special categories and automated decisions

Special categories of data (Art. 9 GDPR — racial origin, political opinions, health, sexual life, etc.): we don't ask for or process them. If you need to flag a specific need (allergies, reduced mobility) you can mention it, but the information stays only in private communications with Salvo and isn't recorded in any system.

Automated decisions (Art. 22 GDPR): we don't make decisions producing legal or similarly significant effects on individuals through purely automated means. The AI assistant provides information and collects requests, but does not confirm bookings nor enter into contracts: every booking always goes through Salvo, manually.

5. Minors

The site is not directly aimed at minors under 14 years of age (the threshold set by Italian law under Art. 8 GDPR). We do not knowingly collect personal data from minors without parental consent.

Boat excursions are often booked by families with children. In that case, data about minors (name, age — for proper life-jacket sizing) are provided by parents at booking, exclusively for nautical safety and service organisation. They are never profiled or shared with third parties.

6. Breach notification

In case of a security incident that may pose a risk to the rights and freedoms of individuals, we commit to:

  • Notify the Italian Data Protection Authority within 72 hours (Art. 33 GDPR)
  • Inform affected data subjects without undue delay, if the breach poses high risk (Art. 34 GDPR), with concrete steps to mitigate impact
  • Document the incident, the measures taken, and lessons learned

Given the limited nature of the data we process (no payment data on our servers, no user credentials, no sensitive data), the risk of a high-impact breach is considered low.

7. What we don't do

  • We don't profile visitors
  • We don't sell or transfer your data to third parties for commercial purposes
  • We don't use tracking or advertising cookies
  • We don't use analytics tools that identify individuals
  • We don't share your data with our network partners without your explicit request (this happens only if you ask us to book on your behalf with a partner)

8. Your rights (GDPR)

At any time, under EU Regulation 2016/679, you can exercise the following rights:

  • Access to your data (Art. 15)
  • Rectification or completion (Art. 16)
  • Erasure / "right to be forgotten" (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection to processing (Art. 21)
  • Withdrawal of consent, where this was the legal basis
  • Complaint to the Italian Data Protection Authority or your local supervisory authority

To exercise a right, email amicidelleeolie@libero.it: we respond within 30 days of receipt. We won't charge you for reasonable requests.

9. Changes to this notice

We may update this notice when our third-party services change or when regulations evolve. Updates will be published here with a new "last updated" date at the top. For substantial changes, we'll flag them in the next useful communication to anyone who has already provided a contact.