Privacy Policy
Last updated: June 13, 2026
This Privacy Policy explains how Quinck srl processes the personal data of users of the website https://viaggia.app and of the ViaggIA platform (the "Service"), in accordance with Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.
1. Data Controller
The Data Controller is Quinck srl, P.IVA 03916551207, with registered office at via Filippo Turati 15/C, 40026 Imola (BO), Italia. For any request regarding the processing of personal data you may write to viaggia@quinck.io.
The Controller has not appointed a Data Protection Officer (DPO), as the conditions requiring such appointment do not apply. This assessment is reviewed periodically.
2. Scope and roles
This Policy applies to the corporate website and to the ViaggIA platform, a SaaS software addressed to travel agencies and tour operators.
Quinck srl acts as Data Controller for data relating to website browsing, account registration and management, marketing communications and contact requests. With respect to the personal data of end customers, suppliers and contacts that the agency enters and processes through the Service, Quinck srl acts as Data Processor on behalf of the agency, which is the Controller; this relationship is governed by a Data Processing Agreement referenced in the Terms of Service.
3. Categories of data, purposes, legal bases and retention
Personal data is collected directly from the data subject (registration, use of the Service, completion of forms) or provided by the agency user in the course of delivering the Service. The main categories are summarised below.
| Category of data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Registration and account data (name, email address, profile image, role and organisation), managed through the authentication provider Clerk | Account creation and management, authentication and delivery of the Service | Performance of the contract (Art. 6.1.b GDPR) | For the duration of the contractual relationship; deletion within 30 days of account closure |
| Service content and usage data (conversations with the AI assistant, travel briefs such as destinations, dates, number and type of travellers including the age of any minors, budget, interests and constraints; quotes containing customer and supplier data) | Supplier search, itinerary building and quote generation features | Performance of the contract (Art. 6.1.b); for the agency's customer and supplier data, processing on behalf of the agency-Controller (Art. 28 GDPR) | For the duration of the relationship; cascading deletion when the workspace is deleted |
| Data collected through the public widget (leads): email address, first request and conversation content | Handling of prospective-customer requests and follow-up by the agency | Legitimate interest (Art. 6.1.f) or consent (Art. 6.1.a) where required | 24 months from the last contact, unless otherwise instructed by the agency |
| Knowledge-connection data: OAuth tokens (stored encrypted), metadata and content of documents synced from Google Drive, OneDrive or Dropbox upon user activation | Indexing and search within the agency's knowledge base | Performance of the contract (Art. 6.1.b) | Until the connection is revoked or the workspace is deleted |
| Technical and browsing data: IP address, device and browser identifiers, system logs, technical cookies | Security, correct operation and diagnostics of the Service | Legitimate interest (Art. 6.1.f) | 12 months for system logs |
| Contact data and demo requests (email address, message content) | Responding to requests and pre-contractual activities | Pre-contractual measures (Art. 6.1.b) and legitimate interest (Art. 6.1.f) | 24 months from the last contact |
Website traffic statistics are collected through Vercel Web Analytics in aggregated, anonymous form, without the use of cookies and without identifying individual visitors. For the cookies used, please refer to the Cookie Policy.
4. Data relating to minors
Travel briefs may include the age of minors, entered by the agency user solely for the purpose of planning the trip. ViaggIA does not knowingly collect data directly from minors and does not offer the Service directly to individuals under 18. Such data is processed on the agency's instructions, and the agency remains responsible for the lawfulness of its collection.
5. Processing based on artificial intelligence
The Service uses artificial-intelligence models (in particular Anthropic Claude and Google Gemini) to generate quote suggestions, supplier matches and itinerary drafts.
This processing is decision-support in nature: the agency operator always reviews and approves the output before any use or sending to the customer. No solely automated decisions producing legal effects or similarly significant effects on data subjects within the meaning of Art. 22 GDPR are taken.
In line with Regulation (EU) 2024/1689 (the AI Act), the Controller ensures transparency about the use of AI. Under their respective commercial terms, the model providers do not use customer content to train their systems.
6. Processors and sub-processors
To deliver the Service, the Controller relies on third-party providers appointed as Data Processors pursuant to Art. 28 GDPR, listed below.
| Provider | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Clerk, Inc. | Authentication and user management | United States | Standard Contractual Clauses (SCC) |
| Anthropic, PBC | Large language model (AI assistant) | United States | SCC; no training on customer data |
| Google LLC (Gemini) | Embedding generation for semantic search | United States / EU | SCC |
| Google, Microsoft, Dropbox | Document sync (Drive/OneDrive/Dropbox) upon user activation | United States | SCC |
| Amazon Web Services (AWS) | Database hosting and file storage | European Union (Ireland, eu-west-1) | Processing within the EEA |
| Firecrawl | Retrieval of content from supplier websites | United States | SCC |
| LangChain (LangSmith) | Technical monitoring of the AI service | European Union (EU endpoint) | Processing within the EEA |
| Vercel Inc. | Website hosting and aggregated traffic analytics | United States | SCC |
An up-to-date list of Processors is available on request by writing to viaggia@quinck.io. Data is not disclosed or sold to third parties for marketing purposes.
7. Transfer of data outside the European Union
Some Processors are located in the United States. In such cases the transfer is based on the Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46 GDPR and, where applicable, on the provider's certification under the EU-US Data Privacy Framework, together with appropriate supplementary measures.
8. Security measures
The Controller adopts appropriate technical and organisational measures, including: encryption of communications in transit (TLS/HTTPS), encryption of data at rest, encryption of access tokens using the AES-256-GCM algorithm, role-based access controls, and hosting of data in data centres located in the European Union.
9. Rights of the data subject
At any time the data subject may exercise the rights set out in Articles 15-22 of the GDPR, namely:
- right of access to their personal data (Art. 15);
- right to rectification of inaccurate data (Art. 16);
- right to erasure ("right to be forgotten", Art. 17);
- right to restriction of processing (Art. 18);
- right to data portability (Art. 20);
- right to object to processing (Art. 21);
- right to withdraw consent at any time, without affecting processing carried out before withdrawal;
- right not to be subject to decisions based solely on automated processing (Art. 22).
Rights may be exercised by writing to viaggia@quinck.io. Where data is processed by Quinck srl on behalf of an agency user, the request will be forwarded to the agency, as Controller, or handled on its instructions.
The data subject also has the right to lodge a complaint with the competent supervisory authority, the Italian Data Protection Authority — Garante per la protezione dei dati personali (www.garanteprivacy.it).
10. Changes to this Policy
The Controller reserves the right to update this Policy to reflect changes in legislation or in the Service. The current version is always published on this page, with the last-updated date shown at the top.