Last updated: 05/08/2025
Introduction
This Privacy Policy describes how SICILIAN HOLIDAYS SRL collects, processes, stores, and protects users' personal data through its website, any applications it uses (such as the Ncc.it app, where applicable), and the services it offers.
Providing this information is a legal obligation whenever personal data is processed on a website or application (Arts. 13 and 14 GDPR). "Processing" means any operation performed on personal data, whether automated or not, such as collection, storage, consultation, or communication. Failing to provide a privacy policy, or providing an incorrect one, is subject to administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, depending on the severity and duration of the violation (Art. 83 GDPR).
1. Data Controller
Pursuant to Article 4, paragraph 7 of the General Data Protection Regulation (GDPR - EU Regulation 2016/679), the data controller for this website is:
SICILIAN HOLIDAYS SRL
Registered Office: Via Vincenzo Bellini 27, 90072 Altofonte (PA), Italy
VAT Number/Tax Code: 07299600820
PEC: sicilianholidays.srl@pec.it
Legal Representative: ALESSI VINCENZO (Sole Director)
Email Contact for Privacy: info@sicilianholiday.com
For any questions regarding your personal data, please contact the email address provided.
2. Main Definitions
- Personal data: Any information relating to an identified or identifiable natural person (the "data subject"), i.e. a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or an online identifier.
- Processing : Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction.
- GDPR (EU Regulation 2016/679) : The General Data Protection Regulation, which came into force on 24 May 2016 and applies from 25 May 2018 in all member countries of the European Union.
3. Types of Data Collected and Purposes of Processing
SICILIAN HOLIDAYS SRL operates in the chauffeur-driven car rental sector, self-drive rentals, tourist services, management of tourist facilities, and ancillary services. The collection and processing of personal data is necessary to provide these services and to comply with legal obligations.
3.1. Data provided directly by the user (for booking/registration services on the website/app): To use the Ncc.it app (where applicable) or to book services via the website, you must provide personal data.
- Personal and contact details : name and surname, email address, and mobile number.
- Purpose: Customer account registration and authentication (e.g., verification of the mobile number by SMS one-time code as a second authentication factor). This processing is necessary for the conclusion of the service contract.
- Travel data (for NCC) : Time of call, departure and destination coordinates of the ride, start and end time of the service, data of the service user (name).
- Purpose : Awarding and managing rides, including providing the driver with the data required for the service (pick-up location, name, destination, profile photo if provided). This processing is necessary for the performance of the service contract.
- Note on the NCC service sheet: Law No. 21 of 15 January 1992, Article 11, paragraph 4, requires the completion and keeping of a service sheet in electronic format (or on paper pending the implementing ministerial decree), which must include: vehicle license plate, driver's name, date, place and kilometers of departure and arrival, start and end time of the service, destination, and data of the service user. The Italian Data Protection Authority has expressed concerns regarding this requirement, noting that the processing of sensitive information such as passenger location and movements does not comply with the proportionality requirement set by the GDPR.
- Optional data : Profile photo, work and home addresses.
- Purpose : Used for identification purposes (e.g., driver profile photos to prevent fraud) and to simplify saving standard routes (default addresses). This data is collected and processed only if provided voluntarily by the user.
- Driver and passenger rating data : Public ratings of drivers and vehicles. The driver can rate the passenger (friendliness, behavior).
- Purpose : To improve the quality of services. No personal passenger data is transmitted to the driver through the ratings.
3.2. Data collected automatically (Browsing and usage data):
- Device data : Device ID, Ad ID (Google advertising identifier).
- Usage data : Frequency of app use, number of installations, registration and ride status, language, time zone, and city.
- IP address.
- Purpose: Fixing bugs (operational errors) and improving the functionality of the app or website so that it adapts to user needs. For data collection via Google Analytics, prior explicit consent is not required if the data does not allow the user to be identified (anonymized IP address).
3.3. Geolocation data:
- GPS coordinates : These can be provided by placing a pin on the map, entering an address, or transmitting GPS coordinates.
- Purpose: Awarding rides (detection of the starting location), calculating the expected cost of the ride and displaying the vehicle's distance (via the Google Maps API), and preventing fraud and non-payment (GPS tracking of the driver's device during the ride, so that the route taken can be reconstructed and disputes over non-payment or overcharging resolved).
- Note: GPS location can be enabled or disabled at any time through your device's operating system settings. GPS location data provided to Google Maps is anonymized.
3.4. Payment data:
- If you use third-party payment methods (e.g. PayPal, Braintree, Wirecard), the data required for payment processing will be transmitted to these service providers.
- Purpose : Execution of the payment contract. Payment service providers are PCI DSS (Payment Card Industry Data Security Standard) certified. Only the last four digits of the credit card are transmitted to the company for security and documentation reasons.
3.5. Data from Social Media (if you use access through them):
- Facebook Connect : First name, last name, email address, profile photo, as provided to Facebook.
- Google Account : First and last name, email address, and profile photo, as provided to Google.
- Purpose : Registration/Login to the App or website using social media credentials.
- Note : You can prevent this processing by not using the feature or by deleting the app from your social media account settings.
3.6. Data for News and Personalized Offers (Marketing):
- First and last name, passenger ID, email address, home or work address (optional), mobile number, profile photo (optional), payment method, registration date, language setting, Ncc.it app profile (business or private customer), type of ride, Ncc.it app version, login information, GPS coordinates at the time of the call and at the end of the ride, or pick-up location and destination, device ID, GAID, IP address, and usage data (frequency of use, number of app installations, registration and ride status), language, time zone, and city.
- Purpose : Sending personalized advertising (news, offers, coupons) via email, SMS, MMS, in-app notifications, push notifications .
- Note : Consent to receive personalized news and offers must be actively provided by the user and can be revoked at any time. Direct advertising to existing customers (e.g., email/SMS after a completed trip) may be based on legitimate interest in strengthening the customer relationship, unless the user objects.
4. Legal Basis of the Processing
The processing of personal data is based on various legal bases, in accordance with the GDPR:
- Consent of the data subject (Art. 6, paragraph 1, letter a, GDPR): For specific and optional processing, such as sending newsletters, personalized advertising, or for optional data. Consent must be freely given, specific, informed, and unambiguous; implied or presumed consent is not permitted. For sensitive data or automated processing, such as web profiling, consent must be explicit.
- Performance of a contract or pre-contractual measures (Art. 6 para. 1 lett. b GDPR): To provide the services requested by the user, such as registering for the app, awarding rides, and managing payments.
- Fulfillment of a legal obligation (Art. 6 par. 1 lett. c GDPR): To comply with the regulations to which the company is subject, such as the electronic service sheet requirement for NCC.
- Legitimate interest of the Data Controller (Art. 6(1)(f) GDPR): For purposes such as improving services, fixing bugs, preventing fraud (e.g., GPS driver tracking), and direct marketing to existing customers. Legitimate interest must be real and current, not hypothetical, and balanced with the rights and freedoms of the data subjects.
5. Data Retention Period
Personal data is retained only for the time strictly necessary to achieve the purposes for which it was collected, or as required by law or official regulations. In principle, personal data is anonymized after three years, unless the data controller has a legitimate interest in a longer retention period (e.g., accounting obligations or statutory limitation periods). Personal data may not be retained longer than necessary for the purposes of the processing. Where data is retained only for a short-term purpose (for example, to identify damage after a service), the retention period is correspondingly short; 1-2 days is usually sufficient.
6. Data Recipients
The personal data collected may be disclosed to third parties only if strictly necessary for the purposes indicated. These include:
- Drivers and transport companies (for NCC services): will receive the pick-up location, name, destination and, if applicable, profile photo.
- Payment service providers: PayPal, Braintree, Wirecard, for transaction management.
- Technical and IT service providers : for the management and maintenance of the website, app, and systems (e.g., Google Maps API, social authentication services).
- Competent authorities : In case of legal obligation, for example to communicate data to the Police Headquarters via the CarGOS portal for self-drive rentals (excluding shared mobility services).
7. Rights of the Data Subject
As a data subject, the user enjoys the following rights, which can be exercised at any time and free of charge by sending a written request to the Data Controller's email address:
- Right of access (Art. 15 GDPR): Obtain confirmation as to whether or not your personal data is being processed and, if so, receive a copy of the data, including the retention period and the safeguards in the event of transfer to third countries.
- Right to rectification (Art. 16 GDPR): Request the rectification of inaccurate or incomplete data.
- Right to erasure (Right to be forgotten - Art. 17 GDPR): Obtain the erasure of your personal data under certain conditions, such as when it is no longer necessary for the purpose for which it was collected or if the processing is unlawful. If the data controller has made the personal data public, it must take reasonable steps to inform other controllers processing that data of the erasure request.
- Right to restriction of processing (Art. 18 GDPR): Request restriction of data processing.
- Right to data portability (Art. 20 GDPR): Receive your personal data in a structured, commonly used and machine-readable format and transmit that data to another controller, if the processing is based on consent or a contract and is carried out by automated means.
- Right to object (Art. 21 GDPR): The right to object to the processing of your personal data for reasons related to your particular situation, unless the controller demonstrates compelling legitimate grounds that override your interests. In the case of direct marketing, the right to object is absolute.
- Right to lodge a complaint with a supervisory authority: Regardless of any other administrative or judicial remedy, you have the right to lodge a complaint with the Italian Data Protection Authority.
8. Data Security
We adopt appropriate technical and organizational measures to ensure data security, in particular to protect personal data from being disclosed to unauthorized third parties, accidentally or intentionally altered, lost, or destroyed. These measures are regularly reviewed and updated to reflect the state of the art. Personal data is, as a rule, transmitted in encrypted form. Article 25 of the GDPR establishes the principles of data protection by design and by default ("Privacy by Design" and "Privacy by Default"): data processing systems and processes are designed from the outset with data protection in mind, and, by default, only the data strictly necessary for each specific purpose is processed, and only for the period necessary. The measures adopted take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risks to the rights and freedoms of natural persons. A data protection impact assessment (DPIA, Art. 35 GDPR) is carried out for processing operations likely to result in a high risk to those rights and freedoms.
9. Cookie Policy
This website also uses cookies. For detailed information on the cookies used, their purposes, and how to manage them, please consult our dedicated Cookie Policy, accessible via a link in the website footer. The Cookie Policy explains which cookies are set by the website and for what purposes. Profiling cookies, used to deliver interest-based advertising, require the user's express consent, typically via a banner shown on accessing the website; simply scrolling the page is not sufficient.
10. Updates and Changes to the Privacy Policy
We reserve the right to modify this privacy policy in the future. If changes are made, we will notify users promptly and, where required, give them the opportunity to opt in or opt out.