Legal

Privacy Policy

Last updated: 28 April 2026

This Privacy Policy explains how OffTheBoot (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit offtheboot.comor use our trip-planning services. It is provided in accordance with Regulation (EU) 2016/679 (“GDPR”) and the Italian Personal Data Protection Code (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018).

1. Who is the Data Controller

The Data Controller is OffTheBoot, based in Padova, Italy.

For any privacy-related request, you can contact us at info@offtheboot.com.

2. What personal data we collect

We only collect personal data you knowingly provide, plus limited technical data required to operate the website securely.

Data you provide

  • Email address— entered on the “Plan your trip” page before you access the questionnaire, or to join the Video Consultation waitlist.
  • Trip questionnaire answers — travel preferences, dates, party size, style, interests, and any free-text notes you choose to share. These are submitted through Tally, our form provider.
  • Messages you send us — the content of any email you send to info@offtheboot.com.

Data collected automatically

  • Technical server logs — IP address, user agent, request timestamp, referring URL. These are retained by our hosting provider for security, debugging, and anti-abuse purposes.
  • Third-party technical cookies — when the Tally questionnaire is loaded on /plan-your-trip, Tally may set its own cookies to remember form state. These are strictly technical and required for the form to work. See section 8.

We do not use analytics tracking, advertising cookies, social-media pixels, or any tool that builds a behavioural profile of visitors.

Data collected by our chat assistant

When you use the chat assistant on our site (powered by an AI model and configured by us), we save the conversation so we can improve the service and follow up if you ask us to.

  • Each conversation gets a random identifier and is stored as a single file on our hosting infrastructure (Vercel Blob).
  • We store: your messages, the assistant's replies, the time, the language detected, and a one-way hash of your IP address (we do notstore your raw IP). We classify your device as “mobile” or “desktop” — we do not store your full user agent.
  • We do not store your name, email, location, or any direct identifier in chat logs unless you type one into the conversation yourself.
  • Conversations are kept for 365 days, then deleted automatically by a daily cleanup job.
  • The AI model itself is operated by a third-party provider (OpenRouter, which routes to Anthropic). Your messages are sent to them only for the duration of generating each reply and are subject to their own no-training/zero-retention policies.

You can request the deletion of your chat history at any time by emailing info@offtheboot.com from the same browser session, or by sharing the conversation identifier shown in the chat URL.

3. Purposes and legal bases

PurposeData usedLegal basis (GDPR Art. 6)
Reply to your trip-planning request and deliver your itineraryEmail, questionnaire answersContractual necessity (Art. 6(1)(b))
Notify you when the Video Consultation service launchesEmailConsent (Art. 6(1)(a)), which you give by submitting the waitlist form
Respond to email enquiriesEmail, message contentLegitimate interest (Art. 6(1)(f)) in answering the people who contact us
Secure and maintain the siteServer logsLegitimate interest (Art. 6(1)(f)) in operating a safe service
Comply with legal obligationsAny of the above, if requested by authoritiesLegal obligation (Art. 6(1)(c))

Providing your email is optional, but without it we cannot deliver a trip-planning service or place you on the consultation waitlist.

4. Who receives your data

We do not sell your data. We share the minimum necessary with the following sub-processors, each bound by a data-processing agreement and, where applicable, Standard Contractual Clauses for transfers outside the EEA:

Sub-processorPurposeLocation
Vercel Inc.Website hosting, serverless functions, edge logsUSA (EU data regions available; SCCs in place)
Sanity.ioContent management system, lead email storageEU / USA (SCCs in place)
Tally Forms SRLTrip-planning questionnaireBelgium, EU
Google Workspace (Sheets + Gmail)Internal lead log, email correspondenceUSA (SCCs in place)

Your data may also be disclosed to law-enforcement or judicial authorities if required by applicable law.

5. International transfers

Some of the sub-processors above are based outside the European Economic Area. In those cases, transfers take place under the European Commission's Standard Contractual Clauses, or under any equivalent lawful transfer mechanism in force at the time. A copy of the mechanism applicable to your data is available on request at info@offtheboot.com.

6. How long we keep your data

  • Lead emails and questionnaire answers: up to 24 months from the last meaningful interaction, or until you ask us to delete them.
  • Email correspondence: up to 36 months, or until you ask us to delete it.
  • Server logs:up to 30 days, in line with our hosting provider's default retention.
  • Waitlist emails: until you unsubscribe or we close the waitlist, after which data is deleted within 90 days.
  • Chat conversations:365 days from the last message, then auto-deleted by a daily cleanup job. See section 2 for what is and isn't stored.

7. Your rights

Under GDPR Articles 15–22, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Eraseyour data (“right to be forgotten”) when one of the grounds in Art. 17 applies.
  • Restrict processing in the cases listed in Art. 18.
  • Port your data to another controller in a machine-readable format.
  • Object to processing based on our legitimate interest.
  • Withdraw consent at any time, where processing is based on your consent. Withdrawal does not affect the lawfulness of processing carried out before.
  • Lodge a complaint with a supervisory authority, in particular the Italian Garante per la Protezione dei Dati Personali.

To exercise any of these rights, email us at info@offtheboot.com. We will reply within 30 days (Art. 12 GDPR).

8. Cookies

OffTheBoot does not set any first-party tracking or analytics cookies. The only cookies that may be set on your browser are:

  • Tally session cookies — set only when the questionnaire iframe is loaded on /plan-your-trip, and only to remember your progress inside the form. Strictly technical; no consent required under Italian Garante guidelines of 10 June 2021.
  • Vercel anti-abuse cookies — short-lived, technical, set by our hosting provider to protect the site from bots. No profiling or tracking.

If we add analytics or marketing tools in the future, we will update this policy and, where required, ask for your prior consent through a cookie banner.

9. Children

OffTheBoot is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a minor has submitted data, contact us and we will delete it.

10. Automated decision-making

We do not carry out automated decision-making or profiling that produces legal effects concerning you. Every itinerary is built by a human.

11. Security

We apply appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS), restricted access to our content management system, and regular review of sub-processors' security practices.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top. If the change materially affects your rights, we will notify you by email where we hold a current address.

13. Contact and Data Controller identification

The Data Controller responsible for the personal data collected through this website is Alice Bertolio, natural person, based in Padova (PD), Italy.

Questions, requests, or complaints about this Privacy Policy: info@offtheboot.com.