Privacy Policy – Matera City Pass

1. Data Controller

The data controller responsible for processing personal data is:

MATERA CITY PASS LTD

Company number: 16843855

Registered address: 71 Stapleton Road, Orpington, England, BR6 9TQ, United Kingdom

Email: hello@materacitypass.com

2. Categories of Personal Data Processed

We collect and process personal data relating to users of the website and, where applicable, business partners.

For visitors and users (tourists), this may include identification and contact information such as first and last name, email address and telephone number where provided, demographic information such as country of origin, technical data generated through navigation and interaction with the website, usage data related to the activation and validation of digital passes via QR codes, and marketing preferences where consent has been given. Payment-related information is processed exclusively through Stripe; Matera City Pass does not store full payment card details.

For business clients and partner merchants, we may process business identification data, contact details, login credentials for access to the merchant dashboard, contractual information, and aggregated and anonymised statistics related to pass usage and QR code scans.

Matera City Pass does not process special categories of personal data as defined under Article 9 GDPR, such as data relating to health, religion, political opinions, or similar.

3. Purposes and Legal Bases of Processing

Personal data is processed to enable the functioning of the Matera City Pass service, including the creation and management of user accounts, issuance and validation of digital passes and QR codes, access to included benefits and discounts, publication of informational content, and the display of reviews where applicable. This processing is necessary for the performance of a contract or pre-contractual measures under Article 6(1)(b) GDPR.

Data is also processed to comply with legal and accounting obligations, including payment verification and record-keeping, on the basis of Article 6(1)(c) GDPR.

We process aggregated and anonymised usage statistics to analyse service performance, improve the platform, and provide high-level insights to partner merchants. This processing is based on our legitimate interest pursuant to Article 6(1)(f) GDPR and does not allow the identification of individual users.

Where users explicitly subscribe to newsletters or promotional communications, personal data is processed on the basis of consent under Article 6(1)(a) GDPR. Consent may be withdrawn at any time.

Personal data may also be processed to ensure platform security, prevent fraud, and manage access credentials, on the basis of legal obligations and legitimate interests under Articles 6(1)(c) and 6(1)(f) GDPR.

4. Events and Content

Any events displayed on the Matera City Pass website are provided for informational purposes only. Matera City Pass does not manage bookings, reservations, ticket sales, or registrations for events. Any interaction with event organisers occurs outside the platform and is subject to the organiser's own terms and policies.

5. Data Recipients

Personal data may be accessed by authorised personnel of Matera City Pass Ltd and by trusted technical service providers acting as data processors, including providers of authentication services, analytics tools, payment processing, hosting, email delivery, and consent management systems.

Partner merchants may receive only aggregated and anonymised statistical information that does not allow individual users to be identified.

All recipients operate within the European Union or the United Kingdom, or are subject to appropriate safeguards as required by applicable data protection law.

6. International Data Transfers

Personal data is primarily processed and stored in the United Kingdom. Transfers from the European Union to the United Kingdom are permitted under the European Commission's adequacy decision of 28 June 2021, which recognises the UK as providing an adequate level of data protection under Article 45 GDPR.

Should this adequacy decision be amended or withdrawn, Matera City Pass will implement alternative safeguards, such as Standard Contractual Clauses, as required by law.

7. Data Retention

Personal data relating to users is retained for a maximum period of two years from the last recorded activity, unless a longer retention period is required by law. Data relating to business clients and partners is retained for up to two years following the end of the contractual relationship. Accounting and billing data is retained for the duration required by applicable legal and tax regulations.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data, including encrypted communications, secure authentication systems, restricted access controls, and the anonymisation of analytics data before sharing with partners. QR code validation systems are designed to minimise fraud and unauthorised use.

9. Data Subject Rights

Under applicable data protection law, you have the right to access your personal data, request rectification or erasure, object to certain processing activities, withdraw consent where processing is based on consent, request data portability, and lodge a complaint with a supervisory authority.

For users in Italy, the competent supervisory authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it).

Requests may be sent to hello@materacitypass.com.

10. Policy Updates

We may update this Privacy Policy from time to time to reflect regulatory changes or updates to our services. The latest version will always be published on this page with the updated revision date.