Easter time! €/£150 OFF your next booking. Code: EASTER150

03
Days
09
Hours
53
Min
Contact us

Privacy Policy

To ensure transparency and compliance with applicable regulations, we provide two distinct sets of Privacy Policy.

The version that applies to you is determined by the country of residence you indicate during the booking process.

Please select the option that corresponds to your country of residence to access the Privacy Policy relevant to your use of the website and purchases.

Your selection ensures you receive accurate information in compliance with the laws applicable to you.

Thank you for your cooperation.

UK Residents
Other Countries

PRIVACY POLICY - website - for UK Resident Customers

Information document pursuant to and for the purposes of articles 13/14 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) This information applies to the website www.weroad.com the "Site" and to its users, both visitors and travellers who purchase one or more trips (“Data Subjects” or "Users").

DATA CONTROLLER

WeRoad UK Limited, company number: 13313382 and registered office address at WeWork Moor Place, 1 Fore Street Avenue, London, EC2Y 9DT, United Kingdom is the controller and responsible for the Users Personal Data (collectively referred to as the “Data Controller”, “Owner”, "we", "us" or "our" in this Privacy Policy). We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy policy. If the User has any questions about this privacy policy, including any requests to exercise legal rights. Please contact the data privacy manager using the details set out below.

Email Address: privacy@weroad.com

Address: WeWork Moor Place, 1 Fore Street Avenue, London, EC2Y 9DT, United Kingdom

The Controller has appointed a Data Protection Officer (DPO) pursuant to Article 37 of the UK GDPR. The Data Protection Officer can be contacted at the following email address: dpo@weroad.com

The User has the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). The Owner would, however, appreciate the chance to deal with the Users concerns before the User approaches the ICO so please contact the Owner in the first instance.

TYPE OF DATA PROCESSED

We may process the following personal data:

  • Access and navigation data (for example: information on the browser used by the User, pages visited, date, time and duration of each visit, as well as other parameters relating to the operating system and the User's IT environment).

  • Contact details (email and/or telephone)

  • Personal data: Name, surname, place and date of birth, tax code, sex (gender), passport and/or identity document (number, date of issue, expiry date)

  • License and willingness to drive

  • other personal data transmitted voluntarily: In some areas of the Site ( https://www.weroad.it/contatti, https://www.weroad.it/become-our-partner) it is possible to contact the Data Controller by email at address booking@weroad.com, by telephone or WhatsApp, via the Owner's Facebook® group or via the Owner's Instagram profile, to request information or clarifications relating to WeRoad trips and the possibility of creating partnerships.

  • Data relating to User preferences collected following the booking of a trip and relating to age, gender, and purchasing preferences shown by Users.

  • Payment data such as credit card / IBAN ("Bank Data")

  • Data relating to the round-trip flight purchased by the user

  • Image and/or voice

  • Contact details in case of emergencies (of a family member/friend)

  • Information about flights

  • Data contained in surveys

  • Data of the beneficiary of the gift card/voucher

  • Data relating to facts/incidents that occurred during the trip, including any behavior in violation of the law or the WeRoader Manifesto (part of the travel agreement with each User participating in a trip)

  • Cookies For all information on the cookies active on the Site and on the related processing of personal data, we invite you to read the relevant information in the "Cookie policy" section of our Site.

In some cases we may also process some particular data:

  • allergies and intolerances, state of health, special needs communicated voluntarily by the User;

  • Data contained in the medical certificate in case of cancellation of the booking.

("Personal data")

PURPOSE AND LEGAL BASIS OF THE PROCESSING

NAVIGATION OF THE SITE: Personal Data may be processed for the collection of anonymous statistical data on the use of the Site by Users, as well as for monitoring the functioning of the Site. The legal basis is the legitimate interest of the Data Controller to operate and control the Site and to obtain data on its use or your consent (Art. 6, par. 1, lett. f) GDPR). The interest of the Data Controller has been balanced with that of the User who will thus be able to use an increasingly performing and optimized Site. The provision of Personal Data is optional, but failure to provide it, by disabling cookies in the browser, may prevent you from accessing all the functions of the Site. The Data does not persist for more than 36 months and is deleted immediately after its aggregation (except for any need to ascertain crimes by the competent Judicial Authority). Our cookie policy is available in the "Cookie policy" section on our Site.

RESPONDING TO CONTACT REQUESTS: You can contact the Data Controller by email at booking@weroad.com, by phone or WhatsApp or through the Data Controller's Facebook® group, to request information or clarifications relating to WeRoad trips and the possibility of creating partnerships and in general in relation to the services offered; to respond to the various requests of Users (for example through the services Avvisami, Newsletter, participation in AperiRoad and WeMeet). The legal basis is the execution of pre-contractual obligations to which the Data Subject is a party (art. 6, par. 1, lett. b) GDPR). The provision is necessary to follow up on the request. In the event of failure to provide Personal Data, WEROAD will not be able to respond to the request. WEROAD will delete the Personal Data processed to respond to requests within 1 year from the date of closure of the management of the request. WeRoad may store tickets in anonymous and aggregate form for internal reporting purposes (by tickets we mean the requests we receive).

USE OF THE CHATBOT: The Data Controller provides users with a virtual assistant (chatbot) through which it is possible to request information regarding the services offered. For its operation, the chatbot does not require the user to provide any personal data. The only data collected is the session ID, generated when the user starts a conversation with the chatbot. This data cannot be linked to an identified or identifiable individual. If, during the interaction with the virtual assistant (chatbot), the user voluntarily provides personal data (such as, for example, name, surname, email contact details or travel-related information), such data will be processed, in accordance with the principles set out in this privacy notice, exclusively within the scope of the requested chatbot service. Users are invited not to share third parties’ personal data or special categories of personal data, such as health-related data, with the chatbot. The legal basis for the processing is the performance of pre-contractual measures requested by the data subject (Art. 6(1)(b) UK GDPR). Personal data processed for handling requests will be retained for a maximum period of 12 months from the closure of the ticket. After this period, the data will be deleted. WeRoad may retain tickets in anonymous and aggregated form for statistical and internal reporting purposes.

RESPOND TO A REQUEST ABOUT A TRAVEL SHIFT ("NOTIFY ME"): the User can ask to receive information about a travel or a specific departure and save it in his/her own account. The legal basis of the processing is the execution of pre-contractual and contractual obligations to which the Data Subject is a party (art. 6, par. 1, lett. b) GDPR). The provision of Personal Data is necessary to follow up on the request of the Data Subject. In the event of failure to provide such data, WEROAD will not be able to follow up on the request of the Data Subject to be notified about the confirmation of a travel shift. The data will be retained for the time necessary to achieve the pursued purpose.

BOOKING A TRIP: finalization of a travel booking through the Site and management of the booking made. The legal basis is the execution of pre-contractual and contractual obligations to which the Data Subject is a party (Art. 6(1)(b) UK GDPR). With reference to any special category data provided (for example, health status, any allergies), the legal basis is the express consent of the Data Subject (Art. 9(2)(a) UK GDPR), and such processing is carried out in accordance with the conditions set out in Schedule 1 of the Data Protection Act 2018. The provision is necessary to follow up on the booking request. In the event of failure to provide the Data, WEROAD will not be able to follow up on the request and finalize the purchase and, with reference to the special category data, will not be able to follow up on the specific needs requested. The Data is stored until the execution of the purchase contract and, in any case, not beyond the limitation periods established by law and except in cases of defense in court. The special category data will be stored until the execution of the contract and for a further 6 months, unless a further term is necessary to exercise or defend a right.

USE THE “MYWEROAD” PERSONAL AREA: the user who has booked a trip, has the possibility of accessing a personal area within MyWeRoad, protected by a password chosen by the User, which allows, for example, to manage and check the status of the booking and/or modify the data provided during the booking of a trip. The legal basis is the execution of pre-contractual and contractual obligations to which the Data Subject is a party (Art. 6(1)(b) UK GDPR). With reference to any special category data provided (for example, any allergies and/or intolerances), the legal basis is the express consent of the Data Subject (Art. 9(2)(a) UK GDPR), and such processing is carried out in accordance with the conditions set out in Schedule 1 of the Data Protection Act 2018. The provision is optional. In the event of failure to provide the Data, the user will not be able to use the personal area. The Data are stored until the Data Subject cancels their account. The Data Controller reserves the right to verify the user's interest in maintaining the account in the event of prolonged inactivity over time. The Owner may cancel, upon notification, inactive accounts.

The interested party may update their data at any time.

SHARING OF INFORMATION RELATING TO INTERNATIONAL FLIGHTS: the user who has booked a trip has the possibility to enter the data of their international flights in their personal MyWeRoad area. This information could be shared, anonymously, to the participants of the same package purchased and to the coordinator of the aforementioned in order to facilitate the management of the groups, and may also be visible to all users holding a MyWeRoad account. The legal basis for processing is the data subject’s consent (Art. 6(1)(a) UK GDPR). Providing such data is always optional. Each interested party may object to the processing at any time by removing the information from the appropriate section within the personal area. There will be no negative repercussions on the user in case of failure to enter and/or opposition to the treatment. The data will be kept for the time necessary to pursue the purpose described above.

BE INCLUDED IN THE WHATSAPP GROUP OF THE TRIP YOU ARE PARTICIPATING IN: Users who have purchased a trip are included in a WhatsApp group formed by the other participants and the coordinator. The group is used to exchange organisational communications relating to the trip and is activated before departure. The legal basis of the processing is the legitimate interest of the Data Controller (art. 6, par. 1, lett. f) UK GDPR) to allow the organization of the trip and communications between the participants in the trip and the coordinator. The group is necessary to provide information and update to all the participants. The interest of the Data Controller has been balanced with that of the Data Subject who will be able to stay updated through communications within the group. The Data Subject can object to the processing at any time, either by leaving the WhatsApp group or by sending their request to the Data Controller. There will be no negative repercussions on the user in the event of objection to the processing. The data will be stored for the time necessary to pursue the purpose described above.

CONTACT USERS WHO HAVE ADDED A TRIP IN THE CART: in the event of a booking not completed, contact the relevant Users by email. The legal basis is the legitimate interest of the Data Controller (Art. 6(1)(f) UK GDPR) to contact the User to ask whether he/she is still interested in finalising the purchase or whether he/she needs more information in relation to a particular destination. The interest of the Data Controller has been balanced with that of the user who will thus be able to complete, at a later time, the booking of a trip not yet completed. The interested party may object to the processing. There will be no negative repercussions on the interested party in the event of objection to the processing. The data will be retained for the time necessary to achieve the purpose described above.

CANCELING A RESERVATION: in the event that a user requests a cancellation of a reservation. The legal basis is the execution of pre-contractual and contractual obligations to which the interested party is a party (Art. 6(1)(b) UK GDPR) and, with respect to the data contained in the medical certificate, the legal basis is the consent of the Data Subject (Art. 9(2)(a) UK GDPR), and such processing is carried out in accordance with the conditions set out in Schedule 1 of the Data Protection Act 2018. The provision is necessary to follow up on the cancellation request. WEROAD will retain the data within and no later than the limitation periods established by law and except in cases of defense in court.

COMMUNICATIONS IN CASES OF EMERGENCY: in order to manage communications for extraordinary emergency cases, the User may be asked to provide contact details of a family member or friend. The data processing is carried out in the legitimate interest of the Data Controller to allow the best management of emergencies, pursuant to Art. 6(1)(f) UK GDPR. The User who provides the personal data of a third party (such as a family member or friend) must ensure that such third party has been informed of this privacy policy prior to providing their data. WEROAD will delete the data once the trip ends and in any case after 1 month from the return.

SENDING OF COMMERCIAL/PROMOTIONAL COMMUNICATIONS: for direct marketing purposes, such as sending newsletters, information and commercial communications, updates on the latest launches, offers and promotions relating to WEROAD services. Such communications may be sent through various contact channels, including email, telephone, SMS, instant messaging systems, social media and app push notifications. The legal basis is the consent of the interested party (Art. 6(1)(a) UK GDPR) and, in relation to electronic communications, Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The provision is optional. In case of failure to provide the Data, WEROAD will not be able to regularly update the interested party on its offers and promotions. The interested party can revoke the consent given at any time by clicking on the "unsubscribe" link included in the marketing email received, by modifying preferences in the MyWeRoad personal area, by disabling notifications through the App or device settings or by sending an email to privacy@weroad.com. The Data processed for this purpose will be stored and processed for 5 years, without prejudice to the revocation of consent by the interested party. The Data Controller may periodically verify the user’s continued interest in receiving commercial and promotional communications, including by sending specific communications aimed at confirming the willingness to continue receiving such communications. In the absence of a response or in case of withdrawal of consent, the data will no longer be used for marketing purposes.

In the event that the interested party has contacted WEROAD, WEROAD may contact or send the interested party communications of a commercial nature relating to the request received. In this case the legal basis of the processing is the legitimate interest of WEROAD to promote its services to the interested parties pursuant to Art. 6(1)(f) UK GDPR. The provision is necessary for the pursuit of the legitimate interest of the Data Controller which is equally balanced with the legitimate interest of the interested parties. The processing is not mandatory and the interested party may object to said processing at any time by sending an email to privacy@weroad.com. WEROAD will delete the Personal Data processed to respond to requests within 1 year from the closing date of the management of the request. WEROAD may contact the interested party again within this

SOFT-SPAM: The email address may be processed to send the interested parties emails relating to the promotion of WEROAD services similar to the services already purchased, in accordance with Regulation 22 of the PECR. The legal basis is the legitimate interest of the Data Controller to promote its services to existing customers. The interested party may object to the use of his/her email address at any time by clicking on the "unsubscribe" link in the email received or by sending an email to privacy@weroad.com. WEROAD will no longer use the email address in the event of opposition - opt-out by the interested party or after 36 months from the date of the last commercial contact with the interested party.

USER SEGMENTATION: for sending personalized commercial communications based on age and type of travel purchased. The legal basis is the legitimate interest of the Data Controller (Art. 6(1)(f) UK GDPR) to improve its commercial offer. The interest of the Data Controller has been balanced with that of the user to be able to receive commercial communications in line with their interests. The provision is optional. There will be no negative repercussions on the user in the event of opposition to the processing. The data will be stored for 5 years from the date of the last trip.

CONDUCTING SATISFACTION SURVEYS: Users who have completed a trip will receive an email communication regarding a satisfaction survey. The legal basis is the legitimate interest of the Data Controller (Art. 6(1)(f) UK GDPR) to evaluate and improve the quality and satisfaction with respect to the services offered. The provision is optional. Failure to provide the Data, however, will not allow us to evaluate the expectations and satisfaction of customers with respect to the services offered by the Data Controller. The Data will be stored for 36 months from the time of collection and will subsequently be anonymized and aggregated.

PUBLICATION OF IMAGES OF INTERESTED PARTIES ON THE SITE OR SOCIAL CHANNELS OF WEROAD: the images/videos collected during the trip with WEROAD may be published by the Data Controller on the Site or on social channels and/or travel diaries. The legal basis for this processing is the consent of the Data Subject (Art. 6(1)(a) UK GDPR). The travel participant will be informed of the creation of the photographs/videos both in the contractual context and during the trip and will be asked to provide consent prior to any publication. The interested party may withdraw consent at any time either by asking not to participate in the shots/filming, or by requesting the removal of the published content by writing to privacy@weroad.com. The provision of consent is optional. There will be no negative repercussions on the user in the event of refusal or withdrawal of consent. The data will be stored for 5 years from the publication of the images unless there is a withdrawal of consent or a request for removal of the images.

REPORTS RELATING TO FACTS/ACCIDENTS AND/OR NON-COMPLIANT BEHAVIOURS: The Data Controller may collect and process data relating to facts, incidents, behaviors attributable to the Traveling User, which do not comply with the law or the WeRoader Manifesto. The legal basis is the legitimate interest of the Data Controller (Art. 6(1)(f) UK GDPR) to verify that the travel experience complies with the company standard and monitor/report facts and/or behaviors that are not in line with the WeRoader Manifesto or the law. The report may be made through the travel coordinator, travel companions and local partners. The travel participant is informed of this possibility from the moment the travel contract is signed. Furthermore, the participant is notified in the event that there is a report by the coordinator that concerns him/her and the same has the possibility to oppose and lodge a complaint. The data will be stored for 36 months from the collection of the report.

MANAGEMENT OF ANY CLAIMS AND DEFENSE IN COURT: the legal basis is the execution of pre-contractual and contractual obligations of which the interested party is a party (Art. 6(1)(b) UK GDPR) as well as the legitimate interest of the Data Controller (Art. 6(1)(f) UK GDPR). The provision is necessary both to allow the Data Controller to respond to requests made by interested parties and to defend their rights against the interested party or third parties before the competent authorities. The Data is stored for the duration of the claim and in any case within the limitation periods indicated by the law (usually 3 years without prejudice to a possible longer period, if related to personal injury).

CORPORATE OPERATIONS: Sharing personal data in connection with, or during negotiations of extraordinary operations of all or a portion of WEROAD's business. The legal basis is the legitimate interest of the Data Controller (Art. 6(1)(f) UK GDPR). Data processing is necessary for WEROAD's legitimate interest in following up on the negotiation and execution of corporate transactions. The data stored for this purpose will be deleted at the end of the operation.

Furthermore and without prejudice to the above, the Data Controller undertakes to base the processing of Personal Data on the principles of minimization, verifying on an annual basis the need for their conservation for a period of time not exceeding that required by the purposes for which the data were collected and processed. The Data Controller may retain Personal Data to comply with the law or to exercise or defend any rights or claims in legal proceedings. Once the purposes for which the Personal Data were collected and processed have been achieved, the Data Controller will implement appropriate measures to make them anonymous, so that the interested party cannot be identified.

RECIPIENTS OF THE DATA

The Data will be processed by employees and collaborators of the Data Controller expressly authorized to process the Data on the basis of the instructions and after adopting suitable measures to protect the Data in relation to all the purposes indicated above.

The following subjects may become aware of the Data in relation to the processing purposes envisaged by this privacy policy and may process the Data both as independent data controllers and as data processors duly appointed by the Data Controller (the list of such managers and independent data controllers are available upon request via e-mail to be sent to privacy@weroad.com):

  • subjects that carry out activities functional to achieving the aforementioned purposes, i.e. companies that provide IT infrastructures and IT support and consultancy services, companies that provide data analysis and development services, as well as law, accounting and auditing firms;

  • other companies that belong to the Group to which WEROAD is part and which provide services to WEROAD;

  • hotels and other accommodation facilities, car rentals, airlines, companies that provide travel insurance policies and other third parties who provide the services necessary for the realization of the booked trip;

  • travel coordinator;

  • local tourism partners, for example, local travel agencies, tourist guides;

  • companies offering payment and booking services;

  • insurance companies.

DATA TRANSFER OUTSIDE THE UK AND EEA

In the course of providing its services, the Data Controller may transfer Personal Data outside the United Kingdom and the European Economic Area ("EEA"), for example where the travel destination is located in a country outside the UK and EEA, or where suppliers, partners or group companies involved in the delivery of the services are established outside those territories. The Data Controller is committed to ensuring that all such transfers are carried out in compliance with Chapter V of the UK GDPR and the Data Protection Act 2018.

Where Personal Data is transferred outside the UK and EEA, the Data Controller relies on one or more of the following safeguards, as applicable to the circumstances of the transfer:

  • ensuring that the country or territory to which the personal data will be transferred has been deemed to provide an adequate level of protection by the Secretary of State pursuant to section 17A of the Data Protection Act 2018; or

  • entering into the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner under section 119A of the Data Protection Act 2018, or relying on such other appropriate safeguards as are recognised under Article 46 of the UK GDPR.

    Where no adequacy decision applies and it is not practicable to put in place an IDTA or other appropriate safeguard, as is frequently the case with local, in-destination suppliers such as local tour guides, small accommodation providers and local transport operators, the Data Controller relies on the derogations set out in Article 49(1) of the UK GDPR, in particular: (i) Article 49(1)(b), where the transfer is necessary for the performance of the contract between the Data Controller and the User (i.e. the booking and delivery of the trip); and/or (ii) Article 49(1)(c), where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the User between the Data Controller and a third party (e.g. the Data Controller booking accommodation, transport or excursions on behalf of the User).

DATA PROCESSING METHODS

The Data will be processed in compliance with the principles of correctness, lawfulness and transparency, through manual and automated methods and through the use of paper and electronic means, in any case within the limits of the purposes of the data processing(s) established by this information and, in any case, always guaranteeing the security and confidentiality of the Data.

AUTOMATED DECISION-MAKING AND PROFILING: The Data Controller does not carry out any processing that involves solely automated decision-making, including profiling, which produces legal effects concerning the Data Subject or similarly significantly affects the Data Subject within the meaning of Article 22 of the UK GDPR. Where the Data Controller carries out profiling for the purposes of tailoring marketing communications (as described in the "User Segmentation" section above), such profiling does not involve solely automated decision-making and does not produce legal or similarly significant effects on Users. The Data Subject has the right to object to profiling at any time by contacting the Data Controller at privacy@weroad.com.

Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To register you as a new customer. (a) Identity;
(b) Contact. 		Performance of a contract with you.
To process and deliver your booking including:
(a) Manage payments, fees and charges;
(b) Collect and recover money owed to us. 		(a) Identity;
(b) Contact;
(c) Financial;
(d) Transaction;
(e) Marketing and Communications. 		(a) Performance of a contract with you;
(b) Necessary for our legitimate interests (to recover debts due to us).
To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or Privacy Policy;
(b) Asking you to leave a review or take a survey. 		(a) Identity;
(b) Contact;
(c) Profile;
(d) Marketing and Communications. 		(a) Performance of a contract with you;
(b) Necessary to comply with a legal obligation;
(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services).
To enable you to partake in a prize draw, competition or complete a survey. (a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications 		(a) Performance of a contract with you;
(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business).
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). (a) Identity
(b) Contact
(c) Technical 		(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise);
(b) Necessary to comply with a legal obligation.
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you (a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications
(f) Technical 		Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences (a) Technical
(b) Usage 		Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you (a) Identity
(b) Contact
(c) Technical
(d) Usage
(e) Profile
(f) Marketing and Communications 		Necessary for our legitimate interests (to develop our products/services and grow our business)
To monitor our communications with you in order to check any instructions given to us, for training purposes, for crime prevention, to improve the quality of our customer service and to defend legal claims (a) Identity
(b) Contact
(c) Technical 		(a) Necessary for our legitimate interests (to assist us in training our employees and defend our business in the event of a claim).
(b) Necessary to comply with a legal obligation;

Change of purpose.

The Owner shall only use the User’s Personal Data for the purposes for which it was collected, unless the Owner reasonably considers that it needs to be used for another reason and that reason is compatible with the original purpose. The User can request an explanation as to how the processing for the new purpose is compatible with the original purpose. The User will be notified if the Owner intends to use their Personal Data for an unrelated purpose and an explanation will be given as to the lawful basis. The Owner may process Personal Data without the User’s knowledge or consent in compliance with the above rules, where this is required or permitted by law

The rights of Users

Users may exercise certain rights regarding their Personal Data processed by the Owner.

In particular, Users have the right to do the following:

  • Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.

  • Object to processing of their Personal Data. Users have the right to object to the processing of their Personal Data if the Owner is relying on a legitimate interest (or those of a third party). Users may object to such processing by providing a ground related to their particular situation to justify the objection. Where Personal Data is processed for direct marketing purposes, Users may object to that processing at any time without providing any justification. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

  • Access their Data. Users have the right to learn if Personal Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Personal Data undergoing processing.

  • Verify and seek rectification. Users have the right to verify the accuracy of their Personal Data and ask for it to be updated or corrected. The Owner may have to verify the accuracy of any new Personal Data provided by the user.

  • Restrict the processing of their Personal Data. Users have the right, under certain circumstances, to restrict the processing of their Personal Data. In this case, the Owner will not process their Personal Data for any purpose other than storing it. Certain circumstances include establishing the accuracy of the Personal Data, where the use of the Personal Data is unlawful but the User does not want it erased, where the User needs the Owner to hold the Personal Data longer than they need to in order to establish, exercise or defend legal claims or where the User has objected to their use of Personal Data but the Owner needs to verify whether there are any overriding legitimate interests to allow the Owner to use it.

  • Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Personal Data from the Owner. Users can do this where there is no good reason for the continuation of the processing or where the User has successfully exercised their right to object to processing, where the Owner has processed the Personal Data unlawfully or where the Owner is required to erase the Personal Data to comply with a local law. There may be specific legal reasons that prevents the Owner from erasing the Personal Data, the User will be notified where this is the case.

  • Receive their Personal Data and have it transferred to another controller. Users have the right to receive their Personal Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to controller third party without any hindrance. This provision is applicable provided that the Personal Data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.

  • Lodge a complaint. Users have the right to lodge a complaint with the Data Controller regarding the processing of their Personal Data by contacting the Data Controller using the contact details set out in this privacy policy or by using the Data Controller's complaints form available at [●]. The Data Controller will acknowledge receipt of the complaint and respond in accordance with its data protection complaints procedure. Users also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). However, before doing so please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand. The ICO will expect you to have done this before reviewing your complaint.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.

The Owner may need to request specific information from the User to help confirm identity and ensure the Users right to access their Personal Data (or to exercise any other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. The Owner may also contact the User to ask for further information in relation to the request to speed up response times.

Cookies

This Website uses Trackers. To learn more, the User may consult the Cookie Policy.

Additional information about Data collection and processing

Legal action

The User's Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this Website or the related Services.

The User declares to be aware that the Owner may be required to reveal Personal Data upon request of public authorities.

Additional information about User's Personal Data

In addition to the information contained in this privacy policy, this Website may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.

System logs and maintenance

For operation and maintenance purposes, this Website and any third-party services may collect files that record interaction with this Website (System logs) use other Personal Data (such as the IP Address) for this purpose.

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.

Changes to this privacy policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within this Website and/or - as far as technically and legally feasible - sending a notice to Users via any contact information available to the Owner. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.

Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where required.

Glossary

Lawful basis

Legitimate interest. the interest of the Owner in conducting and managing their business to enable the Owner to provide the best service/product and the best and most secure experience. The Owner will consider and balance any potential impact on the User (both positive and negative) and the rights of the User before processing any Personal Data for legitimate interests. The Owner will not use Personal Data for activities where the interests are overridden by the impact on the User (unless consent has been provided by the User or are otherwise required or permitted to by law). The User can obtain further information about the assessment of legitimate interests against any potential impact on the User in respect of specific activities.

Performance of contract. Processing of Personal Data where it is necessary for the performance of a contract between the Owner and the User to take steps at the Users request before entering into a contract.

Comply with a legal obligation. Processing of Personal Data where it is necessary for compliance with a legal obligation that the Owner is subject to.

PRIVACY POLICY for NON-UK Resident Customers

Information notice pursuant to and for the purposes of Articles 13/14 Regulation (EU) 2016/679 (GDPR)

DATA CONTROLLER

WeRoad SPA, a company part of the OneDay Group, which has its registered office at Viale Cassala, 30, Milan, 20143, tax code and VAT number 10380820968 (and which shall hereinafter be referred to as "WEROAD" or "Owner").

Contacts:

  • by email privacy@weroad.com

  • by mail Viale Cassala no. 30 – 20143 Milan

  • The Controller has appointed a Data Protection Officer (DPO) pursuant to Article 37 of Regulation (EU) 2016/679 (GDPR). The Data Protection Officer can be contacted at the following email address: dpo@weroad.com

TYPE OF DATA PROCESSED

This information applies to the www.weroad.com website and other web pages that link to www.weroad.com

(all the web pages mentioned above, together will be referred to as the "Site").

- Navigation data automatically gathered by the Site: access and navigation data

Whenever Users access the Site, the computer systems and software procedures used to operate the Site acquire, in the course of their normal operation, access and navigation data (e.g. information on the browser used by the User, pages visited, date, time and duration of each visit, as well as other parameters relating to the User's operating system and computer environment - the "Browsing Data").

- Contact data (email and/or telephone)

- Personal data (Name, surname, place and date of birth, tax code, sex (gender), passport and/or identity document (number, date of issue, expiry date)

- other personal data provided voluntarily

On some areas of the Site (https://www.weroad.com/contacts) it is possible to contact the Owner, by email at booking@weroad.com, by phone or WhatsApp or via the Owner's Facebook® group, to request information or clarification relating to WeRoad trips and the opportunity to create partnerships.

- User preference data

Data collected as a result of Users booking a trip and relating to age, sex, and purchase preferences shown by Users.

- Driving License and willingness to drive

- Email address

(i) To activate the "Notify me" function, which allows you to be notified by email (rendered as contact data): when a WeRoad travel route is confirmed, the email addresses of users concerned are requested.

(ii) Users are also able to provide their email to WEROAD as contact information when subscribing to a newsletter service, in order to enable the user to benefit from this service and, as a result, to receive email updates on package tour destinations, the world of travel that is possible thanks to WEROAD, and other related activities of the Controller.

(iii) To contact users who have initiated a booking but have not completed it.

- First name, surname, place and date of birth, tax code, sex (gender), passport (number, issue date, expiry date) ("Personal Data"), address, email address, mobile phone number, emergency contact telephone number ("Contact data"), credit card / IBAN data ("Bank Data"), return flight information (date, time, flight number), passport scan (if required for booking purposes), ID card scan (if required for booking purposes), driving licence scan (if required for booking purposes), driving readiness, allergies and intolerances, health conditions, special needs

Gathered in certain areas of the Site where Users are required to provide specific personal data to book and purchase their WeRoad trip.

- The Interested Parties' image

Potentially collected during the trip made with WEROAD.

- First name, surname, beneficiary's first name, beneficiary's surname ("personal data"), address, beneficiary's address, beneficiary's email address, beneficiary's mobile phone number ("contact data"), credit card/IBAN data ("bank data")

Gathered in some areas of the Site where Users are required to provide specific personal data in order to purchase products from the WeRoad Shop, such as gift cards and vouchers. When the products are purchased for a third party, the data of the beneficiary is also requested.

- Data included on a medical certificate in case of cancellation

- Data relating to the round-trip flight purchased by the user

- Image and/or voice

- Contact details in case of emergencies (of a family member/friend)

- Information about flights

- Data from surveys

Data collected through surveys, both before departure and once the trip has ended, sent to users who have booked a trip.

- Data relating to facts/incidents that occurred during the trip, including any behavior in violation of the law or the WeRoader Manifesto (part of the travel agreement with each User participating in a trip)

- Cookies

The Site uses a number of computer techniques to directly acquire personal data identifying the user, consisting of "strings of code": "cookies".

For all information on the cookies enabled on the Site and the related processing of personal data, we invite you to read the relevant information in the "Cookie policy" section on our Site.

In some cases we may also process some particular data:

  • allergies and intolerances, state of health, special needs communicated voluntarily by the User;

  • Data contained in the medical certificate in case of cancellation of the booking.

PURPOSE AND LEGAL BASIS OF THE PROCESSING

NAVIGATION OF THE SITE: Personal Data may be processed for the collection of anonymous statistical data on the use of the Site by Users, as well as for monitoring the functioning of the Site. The legal basis is the legitimate interest of the Data Controller in making it work. and to control the Site and obtain data on its use or your consent (Art. 6, par. 1, letter f) GDPR). The interest of the Owner has been balanced with that of the User who will thus be able to benefit from an increasingly high-performance and optimized Site. The provision of Personal Data is optional, but failure to provide it, by disabling cookies in the browser, could prevent you from accessing all the functions of the Site. The Data is not stored for more than 36 months and is deleted immediately after its aggregation (except any need for ascertainment of crimes by the competent Judicial Authority). Our cookie policy is available in the "Cookie policy" section on our Site.

RESPONDING TO CONTACT REQUESTS: it is possible to contact the Owner, via email at booking@weroad.com, by telephone or WhatsApp or via the Owner's Facebook® group, to request information or clarifications relating to WeRoad trips and the possibility of creating partnerships and in general in relation to the services offered; to respond to various requests from Users (for example through the Notify Me, Newsletter, participation in AperiRoad and WeMeet services). The legal basis is the execution of pre-contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR). The provision is necessary to follow up on the request. In case of failure to provide Personal Data, WEROAD will not be able to respond to the request. WEROAD will delete the Personal Data processed to respond to requests within 1 year from the closing date of the management of the request. WeRoad may store tickets in anonymous and aggregate form for internal reporting purposes (by tickets we mean the requests we receive).

USE OF THE CHATBOT: The Data Controller provides users with a virtual assistant (chatbot) through which it is possible to request information regarding the services offered. For its operation, the chatbot does not require the user to provide any personal data. The only data collected is the session ID, generated when the user starts a conversation with the chatbot. This data cannot be linked to an identified or identifiable individual. If, during the interaction with the virtual assistant (chatbot), the user voluntarily provides personal data (such as, for example, name, surname, email contact details or travel-related information), such data will be processed, in accordance with the principles set out in this privacy notice, exclusively within the scope of the requested chatbot service. Users are invited not to share third parties’ personal data or special categories of personal data, such as health-related data, with the chatbot. The legal basis for the processing is the performance of pre-contractual measures requested by the data subject (Art. 6(1)(b) GDPR). Personal data processed for handling requests will be retained for a maximum period of 12 months from the closure of the ticket. After this period, the data will be deleted. WeRoad may retain tickets in anonymous and aggregated form for statistical and internal reporting purposes.

RESPOND TO A REQUEST ABOUT A TRAVEL SHIFT ("NOTIFY ME"): The User can ask to receive information about a travel or a specific departure and save it in his/her own account. The legal basis of the processing is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR). The provision of Personal Data is necessary to follow up on the interested party's request. In case of failure to provide this information, WEROAD will not be able to follow up on the interested party's request to be notified about the confirmation of a travel shift. The data will be kept for the time necessary to achieve the purpose pursued.

BOOKING A TRIP: finalizing the booking of a trip through the Site and managing the reservation made. The legal basis is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR). With reference to any particular data provided (for example the state of health, any allergies), it is the express consent of the interested party (art. 9, par. 2, letter a) GDPR). The provision is necessary to follow up on the booking request. In case of failure to provide the Data, WEROAD will not be able to follow up on the request and finalize the purchase and, with reference to particular data, will not be able to follow up on the specific needs requested. The Data is stored until the execution of the purchase contract and, in any case, for 3 years (or not later than the limitation periods provided for by law and except in cases of defence in court). The particular data will be retained until the execution of the contract and for a further 6 months, unless a further period is necessary to exercise or defend a right.

USE THE “MYWEROAD” PERSONAL AREA: the user who has booked a trip has the possibility of accessing a personal area within MyWeRoad, protected by a password chosen by the User, which allows, for example, to manage and check the status of the booking and/or modify the data provided when booking a trip. The legal basis is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR). With reference to any particular data provided (for example, any allergies and/or intolerances), it is the express consent of the interested party (art. 9, par. 2, letter a) GDPR). The provision is optional. In case of failure to provide the Data, the user will not be able to use the personal area. The user reserves the right to verify the user's interest in maintaining the account in the event of prolonged inactivity. The user may delete inactive accounts upon notice.

SHARING OF INFORMATION RELATING TO INTERNATIONAL FLIGHTS: the user who has booked a trip has the option to enter the data of their international flights in their personal MyWeRoad area. This information could be shared, anonymously, to the participants of the same package purchased and to the coordinator of the aforementioned in order to facilitate the management of the groups, as well as communication between the trip participants and the coordinator. The legal bases of the processing are the consent of the interested party (art. 6, par. 1, letter a GDPR), the execution of the contractual and pre-contractual relationship of which the interested party is a party (art. 6, par. 1, letter b GDPR), or the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR). The interest of the Owner has been balanced with that of the interested parties to allow them to organize travel efficiently and effectively, based on the flights of all the participants of the various groups. Entering the data is always optional. Each interested party may object to the processing at any time by removing the information from the appropriate section within the personal area. There will be no negative repercussions on the user in case of failure to enter and/or opposition to the treatment. The data will be kept for the time necessary to pursue the purpose described above.

BE INCLUDED IN THE WHATSAPP GROUP OF THE TRIP YOU ARE PARTICIPATING IN: Users who have purchased a trip are included in a WhatsApp group made up of the other participants and the coordinator. The group is used to exchange organizational communications relating to the trip and is activated before departure. The legal basis of the processing is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to allow better organization of the trip and communications between the trip participants and the coordinator. The interest of the Owner has been balanced with that of the Interested Party who will be able to keep himself updated through communications within the group. The interested party can object to the processing at any time, either by leaving the WhatsApp group or by sending their request to the Data Controller. There will be no negative repercussions on the user in case of opposition to the treatment. The data will be stored for as long as necessary for the pursuit of the purpose described above.

CONTACT USERS WHO HAVE ADDED A TRIP IN THE CART: in the event of an unfinished booking, contact the relevant Users by email. The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to contact the User to ask if he still has an interest in finalizing the purchase or if he needs more information in relation to a particular goal. A maximum of three communications are sent. The interest of the Owner has been balanced with that of the user who will thus be able to complete, at a later time, the booking of a trip that has not yet been completed. The interested party can object to the processing. There will be no negative repercussions on the interested party in case of opposition to the treatment. The data will be stored for as long as necessary for the pursuit of the purpose described above.

CANCELING A RESERVATION: in the event that a user requests a cancellation of a reservation. The legal basis is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR) and of the data contained in the medical certificate, consent (art. 9 , par. 2, letter a) GDPR). The provision is necessary to follow up on the cancellation request. WEROAD will retain the data within and, at the latest, after the period of limitation provided for by law and except in cases of defence in court.

COMMUNICATIONS IN CASES OF EMERGENCY: in order to manage communications for extraordinary emergency cases. The interested party is invited to submit this information also to his family members whose contact details are provided. The data processing is carried out in the legitimate interest of the Data Controller to allow the best management of emergencies, pursuant to article 6, par. 1, letter. f) GDPR. WEROAD will delete the data once the trip ends and in any case after 1 month from the return.

SENDING OF COMMERCIAL/PROMOTIONAL COMMUNICATIONS: for direct marketing purposes, such as sending newsletters, information and commercial communications, updates on the latest launches, offers and promotions relating to WEROAD services, via newsletter, via email or telephone, also by automated means (SMS, social media). The legal basis is the consent of the interested party (art. 6, par. 1, letter a) GDPR). The provision is optional. In case of failure to provide the Data, WEROAD will not be able to regularly update the interested party on its offers and promotions. The interested party can revoke the consent given at any time by clicking on the "unsubscribe" link included in the marketing email received or by sending an email to privacy@weroad.com. The Data processed for this purpose will be stored and processed for 5 years, without prejudice to the revocation of consent by the interested party.

In the event that the interested party has contacted WEROAD, WEROAD may contact or send the interested party communications of a commercial nature relating to the request received. In this case the legal basis of the processing is the legitimate interest of WEROAD to promote its services to the interested parties pursuant to article 6, par. 1, letter. f) GDPR. The provision is necessary for the pursuit of the legitimate interest of the Data Controller which is equally balanced with the legitimate interest of the interested parties. The processing is not mandatory and the interested party may object to said processing at any time by sending an email to privacy@weroad.com. WEROAD will delete the Personal Data processed to respond to requests within 1 year from the closing date of the management of the request. WEROAD may contact the interested party again within this period.

SOFT-SPAM: The email address could be processed to send interested parties emails relating to the promotion of WEROAD services similar to the services already purchased. The legal basis is the legitimate interest of the Data Controller to promote its services to existing customers. The interested party can object to the use of their e-mail address at any time by clicking on the "unsubscribe" link in the e-mail received or by sending an e-mail to privacy@weroad.com. WEROAD will no longer use the e-mail address after 36 months from the date of the last commercial contact with the data subject.

It is possible to revoke the consent given for marketing and commercial purposes at any time, without prejudice to the lawfulness of the processing carried out before the revocation based on the consent.

USER SEGMENTATION: for sending personalized commercial communications based on age and type of trip purchased. The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to improve its commercial offer. The interest of the Owner has been balanced with that of the user in being able to receive commercial communications in line with their interests. The provision is optional. There will be no negative repercussions on the user in case of opposition to the treatment. The data will be kept for 5 years from collection.

CONDUCTING SATISFACTION SURVEYS: Users who have completed a trip will receive an email communication regarding a satisfaction survey. The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to evaluate and improve the quality and satisfaction with the services offered. The provision is optional. Failure to provide the Data, however, will not allow us to evaluate customer expectations and satisfaction with the services offered by the Owner. The Data will be stored for 36 months from the time of collection and will subsequently be anonymized and aggregated.

PUBLICATION OF IMAGES OF INTERESTED PARTIES ON THE SITE OR SOCIAL CHANNELS OF WEROAD: the images/videos collected during the trip made with WEROAD may be published by the Owner on the Site or on social channels and/or in travel diaries. The basis of the processing is the legitimate interest of the Data Controller to promote its business (art. 6, par. 1, letter f) GDPR). The travel participant is informed of the taking of photographs/videos both in the contractual context and during the trip and has the possibility to abstain and request not to be photographed during the trip. The interested party can object at any time either by asking not to participate in the shots/filming, or by requesting the removal of the published contents by writing to privacy@weroad.com. The interest of the Owner has been balanced with that of the user in being part of the filming of group. The provision is optional. There will be no negative repercussions on the user in case of opposition to the treatment. The data will be kept for 5 years from the publication of the images unless an objection is made and the images are removed.

REPORTS RELATING TO FACTS/ACCIDENTS AND/OR NON-COMPLIANT BEHAVIOURS: the Data Controller may collect and process data relating to facts, incidents, behaviors referable to the Traveling User, which do not comply with the legislation or the WeRoader Manifesto. The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to verify that the travel experience complies with the company's standards and monitor/report non-compliant facts and/or behaviors with the WeRoader Manifesto or the law. The report can be made through the trip coordinator, travel companions and local partners. The travel participant is informed of this possibility as soon as the travel contract is signed. Furthermore, the participant is notified in the event that there is a report from the coordinator that concerns him and he has the possibility to object and lodge a complaint. The data will be kept for 36 months from the collection of the report.

MANAGEMENT OF ANY CLAIMS AND DEFENSE IN COURT: the legal basis is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR) as well as the legitimate interest of the Data Controller (art. 6, par. 1, letter f). The provision is necessary both to allow the Data Controller to respond to requests made by interested parties and to defend their rights against the interested party or third parties before the competent authorities. The Data is stored for the duration of the claim and in any case within the limitation periods indicated by the law (usually 3 years without prejudice to a possible longer period, if related to personal injury).

CORPORATE OPERATIONS: Sharing personal data in connection with, or during negotiations of extraordinary operations of all or a portion of WEROAD's business. The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR). Data processing is necessary for WEROAD's legitimate interest in following up on the negotiation and execution of corporate transactions. The data stored for this purpose will be deleted at the end of the operation.

Furthermore and without prejudice to the above, the Data Controller undertakes to base the processing of Personal Data on the principles of minimization, verifying on an annual basis the need for their conservation for a period of time not exceeding that required by the purposes for which the data were collected and processed. The Data Controller may retain Personal Data to comply with the law or to exercise or defend any rights or claims in legal proceedings. Once the purposes for which the Personal Data were collected and processed have been achieved, the Data Controller will implement appropriate measures to make them anonymous, so that the interested party cannot be identified.

RECIPIENTS OF THE DATA

The Data will be processed by employees and collaborators of the Data Controller expressly authorized to process the Data on the basis of the instructions and after adopting suitable measures to protect the Data in relation to all the purposes indicated above.

The following subjects may become aware of the Data in relation to the processing purposes envisaged by this privacy policy and may process the Data both as independent data controllers and as data processors duly appointed by the Data Controller (the list of such managers and independent data controllers are available upon request via e-mail to be sent to privacy@weroad.com):

  • subjects that carry out activities functional to achieving the aforementioned purposes, i.e. companies that provide IT infrastructures and IT support and consultancy services, companies that provide data analysis and development services, as well as law, accounting and auditing firms;

  • other companies that belong to the Group to which WEROAD is part and which provide services to WEROAD;

  • hotels and other accommodation facilities, car rentals, airlines, companies that provide travel insurance policies and other third parties who provide the services necessary for the realization of the booked trip;

  • travel coordinator;

  • local tourism partners, for example, local travel agencies, tourist guides;

  • companies offering payment and booking services;

  • insurance companies.

DATA TRANSFER TO A NON-EU COUNTRY

Personal data may be transferred to non-EU countries, for example if the travel destination is a non-EU country.

The Data Controller undertakes to transfer personal data to third countries if necessary:

  • ensuring that the country to which the personal data will be sent guarantees an adequate level of protection, as required by Article 45 of the GDPR; or

  • complying with the standard contractual clauses approved by the European Commission for the transfer of personal information outside the EEA (these are clauses approved pursuant to Article 46 (2) of the GDPR).

DATA PROCESSING METHODS

The Data will be processed in compliance with the principles of correctness, lawfulness and transparency, through manual and automated methods and through the use of paper and electronic means, in any case within the limits of the purposes of the data processing(s) established by this information and, in any case, always guaranteeing the security and confidentiality of the Data.

RIGHTS OF INTERESTED PARTIES

The interested party may at any time exercise the following rights under the conditions and within the limits established by Articles 12-22 of the GDPR by sending an email to privacy@weroad.com:

  • Right of access: the interested party has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed and, in this case, to obtain access to the personal data (Article 15 GDPR) ;

  • Right to rectify inaccurate personal data and to obtain integration of incomplete personal data (Article 16 GDPR);

  • Right to erasure of personal data: the interested party may request that their data be erased if they are no longer necessary for the aforementioned purposes, in the event of revocation of consent or opposition to the processing, in the event of unlawful processing, or there is an obligation legal cancellation (Article 17 GDPR);

  • Right to limit processing: the interested party has the right to obtain the limitation of processing when one of the following hypotheses occurs: the interested party contests the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of such data personal; the processing is unlawful and the interested party opposes the deletion of the personal data and requests instead that their use be limited; although the Data Controller no longer needs them for the purposes of the processing, the personal data are necessary for the interested party to ascertain, exercise or defend a right in court; the interested party has objected to the processing, pending verification of the possible prevalence of the legitimate reasons of the Data Controller over those of the interested party (Article 18 GDPR);

  • Right to object to processing: the interested party may object at any time to the processing of their data, unless the Data Controller demonstrates the existence of compelling legitimate reasons to proceed with the processing which prevail over the interests, rights and freedoms of the interested party or for the establishment, exercise or defense of a right in court, pursuant to Article 6(1), letters (e) or (f), of the GDPR, including profiling (Article 21 GDPR);

  • Right to portability: the interested party has the right to receive the personal data concerning him or her provided to a data controller in a structured, commonly used and machine-readable format and has the right to transmit such data to another data controller processing without impediments by the data controller to whom it was provided if: the processing is based on consent, or on a contract (article 20 GDPR);

  • Right to lodge a complaint with the supervisory authority (Article 77 GDPR).

In the event that you believe that the processing of personal data carried out by the Data Controller occurs in violation of the provisions of Regulation (EU) 2016/679, the interested party has the right to lodge a complaint with the Supervisory Authority, in particular in the Member State in which where he habitually resides or works or in the place where the alleged violation of the regulation occurred (in Italy the Privacy Guarantor https://www.garanteprivacy.it/), or to take action in the appropriate judicial offices.

Where the legal basis of the processing is express consent, the interested party has the right to withdraw consent at any time. The revocation of consent does not affect the lawfulness of the processing based on consent before the revocation.

Purpose/ActivityType of dataLawful basis for processing including basis of legitimate interestTo register you as a new customer.(a) Identity; (b) Contact.Performance of a contract with you.To process and deliver your booking including: (a) Manage payments, fees and charges; (b) Collect and recover money owed to us.(a) Identity; (b) Contact; (c) Financial; (d) Transaction; (e) Marketing and Communications.(a) Performance of a contract with you; (b) Necessary for our legitimate interests (to recover debts due to us).To manage our relationship with you which will include: (a) Notifying you about changes to our terms or Privacy Policy; (b) Asking you to leave a review or take a survey.(a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications.(a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services).To enable you to partake in a prize draw, competition or complete a survey.(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications(a) Performance of a contract with you; (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business).To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).(a) Identity (b) Contact (c) Technical(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation.To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) TechnicalNecessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)To use data analytics to improve our website, products/services, marketing, customer relationships and experiences(a) Technical (b) UsageNecessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)To make suggestions and recommendations to you about goods or services that may be of interest to you(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and CommunicationsNecessary for our legitimate interests (to develop our products/services and grow our business)To monitor our communications with you in order to check any instructions given to us, for training purposes, for crime prevention, to improve the quality of our customer service and to defend legal claims(a) Identity (b) Contact (c) Technical(a) Necessary for our legitimate interests (to assist us in training our employees and defend our business in the event of a claim). (b) Necessary to comply with a legal obligation;

Change of purpose.

The Owner shall only use the User’s Personal Data for the purposes for which it was collected, unless the Owner reasonably considers that it needs to be used for another reason and that reason is compatible with the original purpose. The User can request an explanation as to how the processing for the new purpose is compatible with the original purpose. The User will be notified if the Owner intends to use their Personal Data for an unrelated purpose and an explanation will be given as to the lawful basis. The Owner may process Personal Data without the User’s knowledge or consent in compliance with the above rules, where this is required or permitted by law.

The rights of Users

Users may exercise certain rights regarding their Personal Data processed by the Owner.

In particular, Users have the right to do the following:

  • Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.

  • Object to processing of their Personal Data. Users have the right to object to the processing of their Personal Data if the Owner is relying on a legitimate interest (or those of a third party), Users may object to such processing by providing a ground related to their particular situation to justify the objection.. Users must know that, however, their Personal Data should be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn, whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

  • Access their Data. Users have the right to learn if Personal Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Personal Data undergoing processing.

  • Verify and seek rectification. Users have the right to verify the accuracy of their Personal Data and ask for it to be updated or corrected. The Owner may have to verify the accuracy of any new Personal Data provided by the user.

  • Restrict the processing of their Personal Data. Users have the right, under certain circumstances, to restrict the processing of their Personal Data. In this case, the Owner will not process their Personal Data for any purpose other than storing it. Certain circumstances include establishing the accuracy of the Personal Data, where the use of the Personal Data in unlawful but the User does not want it erased, where the User needs the Owner to hold the Personal Data longer than they need to in order to establish, exercise or defend legal claims or where the User has object to their use of Personal Data but the Owner needs to verify whether there are any overriding legitimate interests to allow the Owner to use it.

  • Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Personal Data from the Owner. Users can do this where there is no good reason for the continuation of the processing or where the User has successfully exercised their right to object to processing, where the Owner has processed the Personal Data unlawfully or where the Owner is required to erase the Personal Data to comply with a local law. There may be specific legal reasons that prevents the Owner from erasing the Personal Data, the User will be notified where this is the case.

  • Receive their Personal Data and have it transferred to another controller. Users have the right to receive their Personal Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to controller third party without any hindrance. This provision is applicable provided that the Personal Data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.

  • Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.

The Owner may need to request specific information from the User to help confirm identity and ensure the Users right to access their Personal Data (or to exercise any other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. The Owner may also contact the User to ask for further information in relation to the request to speed up response times.

Cookies

This Website uses Trackers. To learn more, the User may consult the Cookie Policy.

Additional information about Data collection and processing

Legal action

The User's Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this Website or the related Services.

The User declares to be aware that the Owner may be required to reveal Personal Data upon request of public authorities.

Additional information about User's Personal Data

In addition to the information contained in this privacy policy, this Website may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.

System logs and maintenance

For operation and maintenance purposes, this Website and any third-party services may collect files that record interaction with this Website (System logs) use other Personal Data (such as the IP Address) for this purpose.

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.

Changes to this privacy policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within this Website and/or - as far as technically and legally feasible - sending a notice to Users via any contact information available to the Owner. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.

Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where required.

Glossary

Lawful basis

Legitimate interest. the interest of the Owner in conducting and managing their business to enable the Owner to provide the best service/product and the best and most secure experience. The Owner will consider and balance any potential impact on the User (both positive and negative) and the rights of the User before processing any Personal Data for legitimate interests. The Owner will not use Personal Data for activities where the interests are overridden by the impact on the User (unless consent has been provided by the User or are otherwise required or permitted to by law). The User can obtain further information about the assessment of legitimate interests against any potential impact on the User in respect of specific activities.

Performance of contract. Processing of Personal Data where it is necessary for the performance of a contract between the Owner and the User to take steps at the Users request before entering into a contract.

Comply with a legal obligation. Processing of Personal Data where it is necessary for compliance with a legal obligation that the Owner is subject to.

Date of update: march 2026