Privacy Policy
Last updated: March 25, 2026
Website: https://lakecomoboatfinder.com
1. Introduction
This Privacy Policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the "GDPR") in order to inform users of the website lakecomoboatfinder.com (the "Platform") about the processing of their personal data.
The Platform enables users to search for and connect with independent boat operators on Lake Como. In this context, personal data may be processed in connection with browsing activities, use of the Platform's functionalities, and, where applicable, user registration.
This Privacy Policy applies to all users of the Platform, including:
- browsing users (Tourists), who access and use the Platform without creating an account;
- registered users (Skippers), who create an account and publish listings in order to offer services.
The Policy describes, in particular, the categories of personal data processed, the purposes and legal bases of processing, the methods of processing, the categories of recipients, and the rights of data subjects under applicable data protection laws.
Personal data are processed in accordance with the principles set out in Article 5 GDPR, including lawfulness, fairness, transparency, data minimisation, and storage limitation.
2. Data Controller
The data controller, within the meaning of Article 4(7) GDPR, is the natural person who determines the purposes and means of the processing of personal data carried out through the Platform.
In relation to the processing activities described in this Privacy Policy, the data controller is:
Davide Cairoli
VAT number: [to be assigned]
Registered office: Via Alle Vigne 24, 22034 Brunate (CO), Italy
Email: info@lakecomoboatfinder.com
(hereinafter, the "Data Controller").
The Data Controller processes personal data in compliance with the GDPR and with the applicable Italian data protection legislation, including Legislative Decree No. 196/2003, as amended.
For any request relating to the processing of personal data, including the exercise of rights under Articles 15–22 GDPR, users may contact the Data Controller at the contact details indicated above.
3. Categories of Personal Data
The Data Controller processes different categories of personal data depending on the type of interaction between the user and the Platform. In particular, a distinction is made between data collected automatically during browsing and data voluntarily provided by users when registering or using specific services.
All personal data are processed in accordance with the principles of necessity, proportionality and data minimisation pursuant to Article 5(1)(c) GDPR.
3.1 Data collected automatically (Browsing Data)
When users access and navigate the Platform, certain personal data are collected automatically by the IT systems and protocols used to operate the website. Such data are necessary for the proper functioning, maintenance, and security of the Platform.
These data may include:
Technical and connection data
such as IP address, device type, operating system, browser type, and related technical parameters;
Log and security data
including access logs, timestamps, request metadata, and other information generated by the hosting infrastructure;
Usage data
such as pages visited, navigation paths, search queries (e.g. location, date, budget, number of guests), and interactions with the Platform's functionalities.
Although such data are not collected for the purpose of directly identifying users, they may allow identification, directly or indirectly, and therefore qualify as personal data within the meaning of Article 4(1) GDPR.
3.2 Data collected through cookies and similar technologies
The Platform uses only cookies and similar technologies that are strictly necessary for its operation.
In particular, the following identifiers may be used:
Session identifiers (e.g. cb_session_id)
used to manage user sessions and to track access to unlocked content for a limited period;
Source tracking identifiers (e.g. cb_qr_ref)
used to identify the origin of visits generated through QR codes, for internal operational purposes.
Such tools do not pursue profiling or marketing purposes and are limited to what is strictly necessary to provide the service requested by the user.
Further information on cookies is provided in the relevant section of this Privacy Policy.
3.3 Data voluntarily provided by users (Skippers)
Where users register on the Platform as service providers ("Skippers"), the Data Controller processes personal data that are necessary to create and manage user accounts and to enable the publication of listings.
These data may include:
Identification and contact data
such as first name, last name, email address, and WhatsApp phone number;
Professional and service-related data
including information relating to the boat and services offered (e.g. description, capacity, pricing, operating areas);
Uploaded content and documentation
including photographs of the boat and navigation licences or similar documents;
Authentication data
including login credentials, with passwords stored in encrypted or hashed form.
The provision of such data is necessary for the performance of the service offered by the Platform. Failure to provide such data may result in the inability to create or manage an account.
3.4 Payment-related data
In order to access certain functionalities of the Platform, users may be required to make payments through an external payment service provider.
In this context:
- payment data (such as credit card details or banking information) are processed directly by the payment provider (Stripe), which acts as an independent data controller;
- the Data Controller does not access or store full payment instrument data, but may process limited information relating to the transaction (e.g. payment status or confirmation), strictly for service delivery and accounting purposes.
3.5 Data not collected
For the sake of transparency, it is specified that the Platform does not collect or process:
- special categories of personal data pursuant to Article 9 GDPR;
- personal data relating to minors under the age of 18;
- personal data obtained from social media platforms;
- personal data for profiling, tracking, or marketing purposes.
4. Purposes of Processing and Legal Bases
Personal data are processed by the Data Controller for specific, explicit and legitimate purposes, in accordance with Article 5(1)(b) GDPR. Each processing activity is carried out on the basis of an appropriate legal ground pursuant to Article 6 GDPR.
The purposes of processing differ depending on whether the user interacts with the Platform as a browsing user ("Tourist") or as a registered user ("Skipper").
4.1 Processing of Tourist Data
Personal data relating to browsing users are processed in order to ensure the proper functioning of the Platform and to enable access to its core functionalities.
In particular, personal data may be processed for the following purposes:
Provision of the Platform's functionalities
including enabling search features and matching user-selected criteria (such as location, date, budget, and number of guests) with available Skippers;
Management of payments and access to paid functionalities
including processing payments for unlocking Skipper contact details and managing access to such information;
Prevention of duplicate transactions and service integrity
including tracking which contacts have already been unlocked within a given session, in order to avoid duplicate charges;
Technical management and monitoring of traffic sources
including identifying the origin of visits (e.g. via QR codes) for strictly internal and operational purposes;
Security and proper functioning of the Platform
including prevention of fraud, misuse, or unauthorised access, as well as ensuring the stability and security of the IT systems.
The processing of personal data for the above purposes is based on:
Article 6(1)(b) GDPR (performance of a contract or pre-contractual measures), insofar as the processing is necessary to provide the services requested by the user, including access to Platform functionalities and paid services;
Article 6(1)(f) GDPR (legitimate interest), with particular reference to ensuring the security of the Platform, preventing fraudulent or abusive use, and maintaining the integrity of the service.
The Data Controller has carried out a balancing test to ensure that such legitimate interests do not override the fundamental rights and freedoms of users.
4.2 Processing of Skipper Data
Personal data relating to registered users ("Skippers") are processed in order to enable the creation and management of user accounts and to operate the Platform as an intermediary service.
In particular, personal data may be processed for the following purposes:
Account creation and management
including registration, authentication, and administration of user accounts;
Publication and display of listings
including making available to other users the information provided by Skippers (such as name, description, pricing, operating areas, and images);
Review and moderation of content
including the assessment and approval of listings prior to publication, in order to ensure compliance with the Platform's rules;
Facilitation of contact between users
including disclosure of contact details (e.g. WhatsApp number) to users who have paid the Unlock Fee;
Communication with users
including service-related communications concerning the account, listings, or use of the Platform;
Verification of uploaded documentation (formal check)
limited to verifying that required documents (e.g. navigation licences) have been uploaded, without any validation of their authenticity.
The processing of personal data for the above purposes is based on:
Article 6(1)(b) GDPR (performance of a contract), insofar as the processing is necessary to provide the services requested by the user and to manage the contractual relationship;
Article 6(1)(f) GDPR (legitimate interest), with particular reference to ensuring the proper functioning, integrity, and reliability of the Platform, including content moderation and prevention of misuse.
Such processing is carried out in a manner that is strictly necessary and proportionate to the purposes pursued.
5. Data Sharing
Personal data may be disclosed, to the extent strictly necessary for the purposes described above, to specific categories of recipients who act either as independent data controllers or as data processors duly appointed pursuant to Article 28 GDPR.
The Data Controller ensures that any such disclosure is limited to what is necessary and that appropriate contractual and organisational safeguards are in place.
5.1 Payment service provider (Stripe)
Payments carried out through the Platform are processed by Stripe Inc., which provides payment processing services.
When a user makes a payment, the relevant financial data (including payment card details or other payment information) are collected and processed directly by Stripe. The Data Controller does not have access to full payment instrument data and does not store such information.
In this context, Stripe acts as an independent data controller with respect to payment data processing.
Further information is available in Stripe's privacy policy: https://stripe.com/privacy
5.2 Hosting, database and authentication providers
The Platform relies on external service providers for hosting, data storage, and authentication functionalities. Such providers process personal data on behalf of the Data Controller and in accordance with its instructions.
In particular:
Supabase Inc. provides database hosting and authentication services. Personal data relating to registered users (including identification data, account information, and uploaded content) may be stored on Supabase infrastructure;
Vercel Inc. provides hosting services for the Platform and may process technical data such as IP addresses and access logs necessary for the delivery and security of the service.
These providers act as data processors pursuant to Article 28 GDPR and are bound by appropriate contractual arrangements ensuring compliance with applicable data protection laws.
Further information is available in their respective privacy policies:
https://supabase.com/privacy
https://vercel.com/legal/privacy-policy
5.3 Disclosure between users (core service functionality)
As part of the core functionality of the Platform, certain personal data relating to registered users ("Skippers") may be disclosed to other users ("Tourists").
In particular, where a Tourist completes the payment required to unlock contact details, the following data may be made available:
- name of the Skipper;
- contact details (e.g. WhatsApp phone number).
Such disclosure is inherent to the operation of the Platform and is necessary to enable direct contact between users.
Skippers are informed of and accept such disclosure at the time of registration. The related processing is therefore based on the performance of a contract pursuant to Article 6(1)(b) GDPR.
5.4 Absence of further data sharing
The Data Controller does not disclose personal data to third parties for purposes unrelated to those described in this Privacy Policy.
In particular, personal data are not shared with:
- advertising networks;
- data brokers;
- social media platforms;
- third parties for profiling or marketing purposes.
6. International Data Transfers
In the context of the provision of the Platform, certain personal data may be transferred to, or accessed from, countries outside the European Economic Area ("EEA"), including, in particular, the United States.
Such transfers may occur in connection with the use of service providers for payment processing, hosting, database management, and authentication services, as described in Section 5 above.
Where personal data are transferred outside the EEA, the Data Controller ensures that such transfers are carried out in compliance with Chapter V of the GDPR (Articles 44–49) and that an adequate level of protection for the data subjects is guaranteed.
In particular, transfers may be based on one or more of the following safeguards:
Adequacy decisions (Article 45 GDPR)
where the recipient is established in a country recognised by the European Commission as providing an adequate level of data protection, including, where applicable, participation in the EU–US Data Privacy Framework;
Standard Contractual Clauses (Article 46(2)(c) GDPR)
adopted by the European Commission and entered into between the Data Controller and the relevant service providers, together with any supplementary measures deemed necessary to ensure an adequate level of protection;
Other appropriate safeguards
as provided for under Article 46 GDPR, where applicable.
The Data Controller carries out, where required, an assessment of the level of protection afforded by the recipient country and implements supplementary technical and organisational measures where necessary, in line with applicable guidance from European supervisory authorities.
Further information regarding the safeguards adopted for international data transfers may be requested by contacting the Data Controller at the contact details indicated in Section 2.
7. Data Retention
Personal data are retained for a period of time not exceeding that which is necessary to achieve the purposes for which they are collected and processed, in accordance with Article 5(1)(e) GDPR (storage limitation principle).
Retention periods are determined on the basis of the nature of the data, the purposes of processing, and any applicable legal or regulatory obligations.
7.1 Browsing data and technical identifiers
Data collected automatically during the use of the Platform are retained for limited periods, strictly necessary to ensure the proper functioning and security of the service.
In particular:
Session identifiers (e.g. cb_session_id)
are retained for a maximum period of 24 hours and are automatically deleted thereafter;
QR source identifiers (e.g. cb_qr_ref)
are retained for a maximum period of 24 hours and are automatically deleted thereafter;
Technical logs and access data
(e.g. IP addresses and server logs) are retained for a period not exceeding that necessary for security and system maintenance purposes and, in any event, for no longer than 90 days, unless further retention is required to investigate security incidents or comply with legal obligations.
7.2 Data relating to payments and unlocked contacts
Data relating to transactions and access to paid functionalities are retained for a period proportionate to the purposes of service delivery, fraud prevention, and compliance with legal obligations.
In particular:
- records of unlocked contacts and related transactions are retained for the time necessary to manage the service (including the prevention of duplicate charges) and, thereafter, for a period consistent with applicable accounting and tax obligations.
Where such data are relevant for accounting purposes, they may be retained for up to 10 years, in accordance with applicable Italian law.
7.3 Data relating to registered users (Skippers)
Personal data relating to registered users are retained for the duration of the contractual relationship and, thereafter, for a limited period necessary to comply with legal obligations or to protect the rights of the Data Controller.
In particular:
- account and profile data are retained for as long as the account remains active; upon account deletion, such data are retained for a period not exceeding 10 years, where necessary to comply with legal, tax, or accounting obligations or to establish, exercise, or defend legal claims;
- uploaded documentation (e.g. navigation licences) is retained for as long as the relevant listing is active and is deleted within 30 days from account closure, unless further retention is required by law;
- uploaded content (e.g. photographs) is retained for the duration of the listing and is deleted within 30 days from account closure.
7.4 Data processed by third-party providers
Personal data processed by third-party service providers (such as hosting or payment providers) may be retained in accordance with their respective retention policies, where such providers act as independent data controllers.
Where such providers act as data processors on behalf of the Data Controller, retention periods are defined in accordance with the Data Controller's instructions and applicable contractual arrangements.
8. Your Rights Under GDPR
Under the GDPR, you have the following rights:
Right of access (Article 15): You can request a copy of all personal data we hold about you.
Right to rectification (Article 16): You can request correction of inaccurate data.
Right to erasure (Article 17): You can request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction (Article 18): You can request that we limit how we use your data.
Right to data portability (Article 20): You can request your data in a structured, machine-readable format.
Right to object (Article 21): You can object to processing based on legitimate interest.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at info@lakecomoboatfinder.com. We will respond within 30 days as required by GDPR.
If you believe your rights have been violated, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at https://www.garanteprivacy.it.
9. Data Security
The Data Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks for the rights and freedoms of natural persons.
Such measures are designed to ensure, in particular, the confidentiality, integrity, availability and resilience of processing systems and services.
In particular, the Data Controller has implemented, inter alia, the following measures:
Encryption of data in transit
all data transmitted between the user's browser and the Platform are protected under HTTPS/TLS encryption protocols;
Secure management of authentication credentials
user passwords are stored using secure hashing mechanisms and are not accessible in plain text;
Access control measures
access to personal data is restricted on a need-to-know basis and users can access only their own data, in accordance with their role and permissions;
Protection of stored data and restricted environments
sensitive documentation (such as navigation licences) is stored in restricted-access environments, accessible only to authorised personnel;
Security configurations and protection against common vulnerabilities
the Platform adopts security headers, secure cookies, and other technical measures aimed at preventing common web vulnerabilities;
Administrative access controls
access to administrative systems and databases is limited to authorised personnel and protected by appropriate authentication mechanisms.
The Data Controller regularly reviews and updates such measures to ensure an adequate level of security in light of technological developments and evolving risks.
10. Children's Privacy
The Platform is not directed at persons under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at info@lakecomoboatfinder.com and we will take steps to delete such data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will make reasonable efforts to notify registered Skippers via email.
Continued use of the Platform after changes constitutes acceptance of the updated policy.
12. Contact
For any questions regarding this Privacy Policy, or to exercise your data protection rights, please contact:
LakeComoBoatFinder
Email: info@lakecomoboatfinder.com
Website: https://lakecomoboatfinder.com
Data Controller: Davide Cairoli, VAT number [to be assigned], Via Alle Vigne 24, 22034 Brunate (CO), Italy