Privacy Policy

Privacy Policy - Website

The purpose of this privacy policy is to provide all the information on the processing of personal data carried out by Bags Parking S.r.l when the User accesses and browses the present website (as better indicated below).

1. Introduction - who are we?

Bags Parking S.r.l., with registered office in Via Nansen, 15, 20156 Milano, P. IVA and C.F. 10968670967 (hereinafter, “Data Controller“), owner of this website (hereinafter, the “Website“), in its capacity as a data controller in relation to the personal data of the users browsing the Website (hereinafter, “Users“) hereby provides the privacy policy pursuant to Article 13 of the EU Regulation 2016/679 of 27 April 2016 (hereinafter, “Regulation“, or “Applicable Law“).

2. How to contact us?

The Data Controller takes the utmost account of its User’s right to privacy and the protection of personal data. For any information in relation to this privacy policy, Users may contact the Data Controller at any time, using the following methods:

By sending a registered letter with a return receipt to the Data Controller’s registered office at Via Nansen, 15, 20156 Milan, Italy;
By sending an e-mail to: [email protected]

Users may also contact the Data Protection Officer (RPD or DPO) of the Data Controller for any information or request to the following contact details: company Shibumi S.r.l. – e-mail [email protected].

3. What do we do? - Purpose of processing

By browsing the Website, the User can consult the available content and learn about the services promoted by the Data Controller.

Moreover, the User, from the “FAQ Bags Manager” and “FAQ Traveller“ sections, may contact the Data Controller for various purposes such as, purely by way of example and not limited to, obtaining more information on the services offered by the Data Controller; from the “Become a Bags Manager” section, by filling in the appropriate form, the User may contact the Data Controller to find out his/her eligibility to become a “Bags Manager”.

In relation to the activities that may be carried out through the Website, the Data Controller collects personal data relating to the Users.

This Website and the services eventually offered through the Website are reserved for subjects over the age of 18 years old. Hereby, the Data Controller does not collect personal data pertaining to subjects under the age of 18 years old. At the request of the Users, the Data Controller will promptly delete all the personal data, involuntarily collected, pertaining to subjects under the age of 18 years old.

Users’ personal data will be lawfully processed by the Data Controller for the following purposes:

a) Allowing browsing of the Website. The User data collected by the Data Controller for the sole purpose of browsing the Website include all those personal data whose transmission is implicit in the use of Internet communication protocols, such as:q IP addresses used by users who connect to the Website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the log file and other parameters relating to the User’s operating system and computer environment.

b) Contact and/or information request. The User’s data collected by the Data Controller for the purposes of any contact request and/or information request on the Website include: first name, last name, e-mail address, city of residence and/or domicile telephone number, as well as any personal information that the User voluntarily publishes. The User’s personal data will be used by the Data Controller for the sole purpose of ascertaining the User’s identity, thus avoiding possible fraud or abuse, and contacting the User for service purposes only (e.g. responding to his/her request for information). Without prejudice to what is provided for elsewhere in this privacy policy, under no circumstances will the Data Controller make Users’ personal data accessible to other Users and/or third parties.

c) Legal obligations, i.e. to fulfill obligations laid down by law, by an authority, by a regulation, or by European legislation.

The provision of personal data for the processing purposes mentioned above is optional but necessary since failure to provide such data will make it impossible for the User to browse and use the services offered by the Data Controller on the Website.

4. Legal basis for processing

Contractual obligations and fulfillment of the User’s request (as described in para. 3 (a) and (b) above): the legal basis is Art. 6(1)(b) of the Regulation, i.e. the processing is necessary for the performance of a contract to which the User is party or for the performance of pre-contractual measures taken at the User’s request.

Legal obligations (as described in para. 3, lett. c) above): the legal basis is Art. 6(1)(c) of the Regulation, as the processing is necessary to fulfill a legal obligation to which the Data Controller is subject.

5. Processing methods and data retention periods

The Data Controller will process the Users’ personal data by means of manual and computerized tools, with logic strictly related to the purposes themselves and, in any case, in such a way as to guarantee the security and confidentiality of the data.

The personal data of the Website’s Users will be retained for the time strictly necessary to carry out the primary purposes set out in paragraph 3 above, or in any case, as necessary for the protection in civil law of the interests of both the Users and the Data Controller.

In any case, any retention periods provided for by law or the Regulation shall remain unaffected.

6. Transmission and dissemination of data

The personal data of the Users may be disclosed to the employees and/or collaborators of the Data Controller in charge of managing the Website and the Users’ requests. These subjects, who have been instructed to do so by the Data Controller pursuant to art. 29 of the Regulation, will process Users’ data exclusively for the purposes indicated in this policy and in compliance with the provisions of the Applicable Law.

The personal data of the Users may also be disclosed to third parties who may process personal data on behalf of the Data Controller in their capacity as “Data Processors” pursuant to Article 28 of the Regulation, such as, by way of example, IT and logistical service providers, functional to the functioning of the Website; suppliers of outsourcing or cloud computing services; professionals and consultants.

The Data Controller has identified the Stripe platform as the software infrastructure for managing membership fee payments. The privacy policy of the platform, which will process the payment data of the Users in its capacity as an Autonomous Data Controller, can be found at the following link https://stripe.com/it/privacy

Users have the right to obtain a list of any data processors appointed by the Data Controller, by making a request to the Data Controller in the manner indicated in paragraph 7 below.

7. Rights of the data subjects

Users may exercise the rights granted by the Applicable Law by contacting the Data Controller in the following ways:

By sending a registered letter with a return receipt to the Data Controller’s registered office at Via Nansen, 15, 20156 Milan, Italy;
By sending an e-mail to: [email protected]

Pursuant to Applicable Law, the Data Controller informs that Users have the right to obtain an indication of (i) the origin of personal data; (ii) the purposes and methods of the processing; (iii) the logic applied in the event of processing carried out with the aid of electronic instruments; (iv) of the identification details of the data controller and data processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may come to aware of them as data processors or agents.

Furthermore, Users have the right to obtain:

a) Access, updating, rectification, or, when interested, integration of data;

b) Cancellation, transformation into anonymous form, or the restriction of data processed in breach of the law, including data that do not need to be stored in relation to the purposes for which the data was collected or subsequently processed;

c) Certification that the operations referred to in points a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disclosed, except where this proves impossible or involves a manifestly disproportionate effort compared with the right protected.

Moreover, the Users have:

a) The right to withdraw consent at any time, if the processing is based on their consent;

b) The right to data portability (the right to receive all personal data concerning them in a structured format, commonly used and readable by automatic devices);

c) The right to oppose:

i) in whole or part, for legitimate reasons, the processing of personal data concerning them for legitimate reasons even pertinent to the purpose of the collection;

ii) in whole or in part, the handling of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication;

iii) if personal data are processed for direct marketing purposes, at any time, to the processing of data for this purpose, including profiling in so far as it is related to such direct marketing.

d) If it is deemed that the processing concerning their personal data violates the Regulation, the right to lodge a complaint with a Supervisory Authority (in the Member State in which they usually reside, in the one in which they work, or in the one in which the alleged violation has occurred). The Italian Supervisory Authority is the Data Protection Authority, with registered offices in Piazza Venezia No. 11, 00187 – Rome (http://www.garanteprivacy.it/).

The Data Controller is not responsible for updating all links viewed in this Privacy Policy, therefore, whenever a link does not work and/or is not updated, the Users acknowledge and accept that they must always refer to the document and/or section of the websites referred to by this link.

Privacy Policy - App

This privacy policy is to provide all the information on the processing of personal data carried out by Bags Parking S.r.l. in the context of the services offered through the platform “Bags Parking” (as better described below).

1. Introduction - who are we?

Bags Parking S.r.l. with registered office in Via Nansen, 15, 20156 Milan, VAT and C.F. 10968670967 (hereinafter, “Data Controller” or simply “Controller”), manager of the internet website and the application branded “Bags Parking” (hereinafter, the “App” or “Bags Parking“), in its capacity as data controller of personal data of users browsing the App (hereinafter, “Users“) provides below the privacy policy pursuant to Art. 13 of the EU Regulation 2016/679 of 27 April 2016 (hereinafter, “Regulation“, or “Applicable Law“).

2. How to contact us?

The Data Controller takes the right to privacy and the protection of its Users’ personal data into the utmost consideration. For any information in relation to this privacy policy, Users may contact the Data Controller at any time, using the following methods:

By sending a registered letter with a return receipt to the Controller’s registered office at Via Nansen, 15, 20156 Milan;
By sending an e-mail to: [email protected]

3. What do we do? - Purpose of processing

Bags Parking is a platform offering a luggage storage service, where Users can register (i) as “Traveller“, in order to search for the nearest Bags Manager (i.e. luggage storage facility owners) and make a reservation and use the service offered by the platform; (ii) as “Bags Manager“, i.e. in order to cooperate with Bags Parking by offering a luggage storage service at their private home and/or business location (hereinafter, the “Service“).

In connection with the activities that can be performed through the App, the Controller collects personal data relating to Users.

The App and the services offered through the website are reserved for subjects who have reached the age of eighteen. The Data Controller, therefore, does not collect personal data relating to persons under the age of 18. At the request of the Users, the Data Controller will promptly delete all personal data involuntarily collected relating to persons under the age of 18.

In particular, Users’ personal data will be lawfully processed by the Controller for the following purposes:

a) Contractual obligations and provision of the Service: to execute the Terms and Conditions of the Service, which are accepted by the User upon registration on the App; to fulfill specific requests of the User (such as, for example, the possibility to contact the Controller by accessing the relevant section).

The User data collected by the Controller for the purposes of registration include:

- name, surname, date of birth, e-mail, mobile phone number, the photo chosen as the profile image, as well as all the User’s personal information that may have been voluntarily communicated to the Controller. Unless the User gives the Controller specific and optional consent to the processing of his/her data for the further purposes set out in the following paragraphs, the User’s personal data will be used by the Controller for the sole purpose of ascertaining the User’s identity (also by validating the e-mail address), thus avoiding possible fraud or abuse, and contacting the User for service reasons only (for example, once a booking has been confirmed, the User will receive confirmation of this in his/her personal area and by e-mail);
- personal data whose transmission is implicit in the use of Internet communication protocols and/or in the use of mobile applications, such as: IP addresses used by users who connect to the App, URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, log files and other parameters relating to the User’s operating system and IT environment, the IP identifier of the device, the date and time of the server request, the User Agent of the device. The User’s data collected by the Controller for the purposes of any contact or request for information include: first name, last name, contact details, as well as any personal information the User may have voluntarily communicated to the Controller.

In addition to the data listed above, the Controller will process the User’s geographical location:

(i) in the case of registration as a ‘Bags Manager’, to enable you to locate correctly on the map the baggage storage location corresponding to your private home and/or the location of your business activity.

(ii) in the case of registration as a ‘Traveller’, to allow you to view nearby ‘Bags Managers’.

In order to be able to identify the exact location of the User, the App collects real-time information about the location of the User’s device, using the geolocation services present on the User’s device and associated with it, and to the extent permitted by the User. The geolocation services of the device are only activated following authorization provided by the User, at the time of the request for activation by the device. When accessing the geolocation services of a mobile device, the Controller may collect and process information regarding the GPS location of the User’s mobile device (including the latitude, longitude, or altitude of the mobile device) and the time at which the location information is recorded in order to customize the Service with geolocalised information and other functionalities (for example, informing the User about any promotions that are active in his/her area). If the User chooses the “Deny” option, the App, and therefore the Controller, will not have access to the aforementioned geolocation services. The User can activate/deactivate the geolocation of his device at any time, through the settings provided by his device.

If the User decides not to activate the aforementioned settings, he/she will still be able to use the App and access the Service, but with certain limitations (e.g., for the “Traveller”, the impossibility of correctly displaying the nearest “Bags Manager”).

This data is collected solely for the purpose of properly executing the Terms and Conditions, accepted by the User during registration, as well as for the functional performance of the Service itself.

b) administrative-accounting purposes, e. to carry out activities of an organizational, administrative, financial, and accounting nature, such as internal organizational activities and activities functional to the fulfillment of contractual and pre-contractual obligations;

c) legal obligations, i.e. to fulfill obligations laid down by law, authority, regulation, or European legislation.

The provision of personal data for the processing purposes indicated above is optional but necessary, since failure to provide such data, within each specific form, will make it impossible for the User respectively to register, use the Service or make his/her request to the Controller.

Personal data that are required for registration purposes are indicated with an asterisk within the application form.

4. Further purpose of processing

4.1. Newsletter

Some of the User’s personal data (i.e. name, surname, e-mail address) may also be processed by the Controller for the purpose of sending the newsletter. Therefore, the User will receive from the Controller a periodical newsletter that will contain information regarding news relevant to the sector related to Bags Parking’s activities, as well as to propose to the User the purchase of products and/or services offered by the Controller and/or third companies, to present offers, promotions, and commercial opportunities.

If consent is not given, the possibility of subscribing to the App will not be affected in any way.

In the event of consent, the User may withdraw it at any time by making a request to the Controller in the manner indicated in paragraph 8 below.

The User may also easily object to further sending of promotional communications by clicking on the appropriate link for the withdrawal of consent, which is present in each e-mail containing the newsletter. Once consent has been withdrawn, the Controller will send the User an e-mail message confirming that consent has been withdrawn.

5. Legal basis

Contractual obligations and fulfilment of the User’s request (as described in para. 3(a) above): the legal basis is Art. 6(1)(b) of the Regulation, i.e. the processing is necessary for the performance of a contract to which the User is party or for the performance of pre-contractual measures taken at the User’s request.

With regard to the processing of the User’s geographic location, the legal basis consists of Article 6(1)(a) of the Regulation, i.e. the provision by the data subject of consent to the processing of his/her personal data for one or more specific purposes. For this reason, the Data Controller asks the User to provide a specific consent, free and optional, in order to pursue this processing purpose. If the User decides not to activate geolocation, he/she may in any case use the App and access the Service.

Administrative-accounting purposes (as described in para. 3(b) above): the legal basis is Art. 6(1)(b) of the Regulation, as the processing is necessary for the performance of a contract and/or the execution of pre-contractual measures taken at the User’s request.

Legal obligations (as described in para. 3(c) above): the legal basis is Art. 6(1)(c) of the Regulation, as the processing is necessary to comply with a legal obligation to which the Data Controller is subject.

Further processing purposes: for the processing relating to the activity of sending the newsletter, (as described in Section 4 above), the legal basis consists of Article 6(1)(a) of the Regulation, i.e. the provision by the data subject of consent to the processing of his/her personal data for one or more specific purposes. For this reason, the Data Controller asks the User for the provision of specific free and optional consent, in order to pursue such processing purpose.

6. Processing methods and data retention periods

The personal data of the Users of the App will be stored for the time strictly necessary to fulfill the primary purposes illustrated in paragraph 3 above, or in any case as long as necessary to protect the interests of both the Users and the Data Controller under civil law. With regard to the processing of the User’s geographical position, the User’s personal data will be stored until the User denies his/her authorization to geolocalise his/her device.

In the cases referred to in paragraph 4 above, the User’s personal data shall be kept for the time strictly necessary to fulfill the purposes set out therein and, in any event, until the User revokes his or her consent.

In any case, any retention periods provided for by law or regulations are unaffected.

How to delete your account

You can delete your Bags Parking account at any time. There are two simple ways to do this:

1. Through the app:

Go to your account Settings.
Select Delete Account.
Confirm your choice to proceed with the deletion.

Before deleting your account, please:

Set your storage location as “not visible” to prevent other users from booking it. You will also need to contact us to permanently delete your luggage storage, which cannot be done independently, otherwise you will continue to receive bookings.
Understand that:

All data and information associated with your account, including booking history and storage details, will be permanently deleted and cannot be recovered.
Deleting your account is an irreversible operation.

2. By contacting us:

If you cannot or do not prefer to delete your account through the app, you can contact us at the following addresses:

Phone: +39 3894262642
Email: [email protected]

A member of our team will assist you in deleting your account and your luggage storage.

Please remember that:

Deleting your account will remove all your data and information.
It is not possible to recover deleted data after your account has been deleted.

We invite you to read the information above carefully before proceeding with the deletion of your account.

If you have any doubts or questions, do not hesitate to contact us.

7. Scope of communication and dissemination of data

The personal data of the Users may be disclosed to the employees and/or collaborators of the Data Controller in charge of managing the App and the Users’ requests. These subjects, who have been instructed to do so by the Data Controller pursuant to art. 29 of the Regulations, will process Users’ data exclusively for the purposes indicated in this information notice and in compliance with the provisions of the Applicable Law.

User’s personal data may also come to the knowledge of third parties who may process personal data on behalf of the Data Controller in their capacity as Data Processors, such as, by way of example, suppliers of IT and logistical services functional to the operation of the App, suppliers of outsourcing or cloud computing services, professionals and consultants.

Users have the right to obtain a list of any Data Processors appointed by the Controller by making a request to the Controller in the manner indicated in paragraph 8 below.

8. Rights of the data subjects

Users may exercise the rights guaranteed to them by the Applicable Law by contacting the Controller in the following ways:

By sending a registered letter with a return receipt to the Controller’s registered office at Via Nansen, 15, 20156 Milan;
By sending an e-mail to: [email protected]

Pursuant to the Applicable Law, the Data Controller informs Users that they have the right to obtain information on (i) the origin of personal data; (ii) the purposes and methods of the processing; (iii) the logic applied in the event of processing carried out with the aid of electronic instruments; (iv) the identification details of the data controller and data processors; (v) the subjects or categories of subjects to whom personal data may be communicated or who may become aware of them in their capacity as data processors or persons in charge of processing.

In addition, Users have the right to obtain:

(a) access, update, rectification, or, where interested, integration of the data;

b) the cancellation, transformation into an anonymous form, or restriction of data processed in breach of the law, including data whose storage is not necessary for relation to the purposes for which the data were collected or subsequently processed;

c) certification that the operations referred to in points a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, unless this proves impossible or involves a manifestly disproportionate effort compared with the right protected.

In addition, Users have:

(a) the right to withdraw consent at any time, if the processing is based on their consent;

b) the right to data portability (the right to receive all personal data concerning them in a structured, commonly used, and machine-readable format);

(i) in whole or in part, for legitimate reasons, to the processing of personal data concerning them, even if they are relevant to the purpose of the collection;

ii) in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication;

(iii) where personal data are processed for direct marketing purposes, at any time, to the processing of their data carried out for that purpose, including profiling insofar as it relates to such direct marketing.

d) if they consider that the processing concerning them is in breach of the Regulation, the right to lodge a complaint to the Data Protection Supervisory Authority (in the Member State where they have their habitual residence, in the Member State where they work or in the Member State where the alleged breach has occurred). The Italian Data Protection Supervisory Authority is the Garante per la protezione dei dati personali, based in Piazza Venezia n. 11, 00187 – Rome (http://www.garanteprivacy.it/).

The Data Controller is not responsible for updating all the links displayed in this privacy policy, therefore, whenever a link is not working and/or updated, Users acknowledge and accept that they must always refer to the document and/or section of the websites referred to by that link.