Exclusive tours, guided by locals - Call us directly at (+39) 392 216 3049

Privacy Policy

Last updated:

Raphael Tours and Events
  • Via Boezio 4/c, 00192 Rome, Italy
  • P. IVA IT 14 292 641 009
  • License N. 67846

Introduction

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services. It applies to all interactions with our site and forms.

Data Controller

The data controller is Raphael Tours and Events. See the company details shown above.

What data we collect

  • Contact and inquiry data collected via our forms:
    • first name, last name, email
    • optional: phone, phone country, message, how you heard about us, company name, corporate request flag
    • for tour inquiries: number of people, date preference, tour title, tour URL, optional tour id
  • Review data submitted via our review form:
    • first name, optional last name, email, country, rating, optional review text, optional reservation code, tour title, tour URL, tour id
  • Technical data:
    • IP address and user-agent may be processed by our infrastructure and third-party providers for security and delivery (e.g., CDN, email provider), and by Supabase when storing submissions
    • Cookies for consent and currency preference (see Cookie Policy)

How we collect data

  • When you submit our contact or tour inquiry form, we validate your input and store it in our database.
  • When you submit a review, we store your review details for moderation and publishing.
  • We may process limited technical data via our hosting and analytics stack.
  • Respond to your inquiries and provide customer support (contractual necessity and legitimate interest).
  • Manage bookings, tour inquiries, and customer communication (contractual necessity).
  • Send confirmation and administrative emails related to your submission (legitimate interest/contractual necessity).
  • Moderate and publish reviews (consent and legitimate interest).
  • Ensure security, prevent abuse, and maintain service integrity (legitimate interest).

Where data is stored and processed

  • Database and forms: Supabase (managed Postgres). Submissions are inserted into booking_requests, contact_form_submissions, and reviews tables via secure server actions.
  • Email delivery: Brevo (Sendinblue). We send notification and confirmation emails to customers and admins.
  • Hosting/CDN: Our site is deployed with CDN and build tooling which may process logs for delivery and security.

Third parties and processors

  • Supabase: storage and retrieval of form and review data.
  • Brevo: transactional email delivery for contact, tour inquiry, and review confirmations/notifications.
  • Google Tag Manager (GTM): if enabled, used to manage analytics and marketing tags. Data collection depends on configured tags and your consent settings.
  • Cloudflare Turnstile: if enabled on forms, used to prevent automated abuse. Processes limited request metadata to validate human interactions.

Cookies and similar technologies

We use essential cookies for consent and preferences. See the Cookie Policy for details. GTM-related cookies are only set if consent is granted where required.

Data retention

  • Contact and inquiry submissions: retained as long as necessary to respond and for record-keeping, then deleted or anonymized.
  • Reviews: retained for moderation and as long as they remain published, or until you request removal.
  • Email logs: retained by our email provider per their retention policy.

Your rights

Depending on your jurisdiction, you may have rights to access, rectify, delete, restrict, port, or object to processing of your personal data. To exercise these rights, contact us at [email protected].

International transfers

We may transfer data to service providers located outside your country. We implement appropriate safeguards such as standard contractual clauses when required.

Security

We use technical and organizational measures including server-side validation, tokenized review workflow, and role-restricted access to reduce risk of unauthorized access.

Children

Our services are not directed to children under 13. If you believe a child has provided us personal data, contact us to remove it.

Contact

For privacy requests, contact [email protected].

Changes to this policy

We may update this policy. Please check the “Last updated” date at the top of this page.

Recommended on

Among our customers

Top Destinations

Top Categories

Top Attractions

Top Regions

Our website uses cookies

Our website use cookies. By continuing, we assume your permission to deploy cookies as detailed in our Privacy Policy.