Cookie Policy
Last update: July 1, 2026
Cookies and Other Tracking Tools
This section describes the types of cookies and other tracking tools (pixel cookies, web beacons, device identifiers, localStorage) used on the Site, implementing the Guidelines of the Italian Data Protection Authority of 10 June 2021 and art. 122 of Legislative Decree 196/2003 as amended.
The Site uses three categories of cookies:
- Technical cookies (necessary): indispensable for the operation of the Site or for the services requested by the user (session, authentication, interface preferences, security). They are installed directly by the Controller and do not require prior consent under art. 122 of the Italian Privacy Code.
- Analytics/statistical cookies: collect information in aggregated form on the use of the Site. They require prior consent, except those assimilable to technical cookies under the Garante Guidelines of 10 June 2021 (anonymised IP, no cross-data linking, no third-party sharing).
- Profiling/marketing cookies: create user profiles in order to show personalised advertising and targeted content. They require explicit and granular prior consent.
Consent banner: on first access to the Site, a banner is shown that allows accepting, refusing or customising the use of analytics and marketing cookies, with three actions of equal graphic prominence (DPA 2021 + EDPB Guidelines 03/2022). Consent has a duration of 6 months: after that period the banner is re-displayed to obtain renewed consent.
The user can change or revoke consent at any time, from the "Consent Management" section accessible on every page of the Site or from the browser settings. For details on each identifier used, please refer to the table in the "Technical cookies and identifiers" section.
First-party Technical Cookies and Identifiers
The Site uses cookies and identifiers strictly necessary for its operation. These technical identifiers are installed directly by the Controller and do not require user consent, in accordance with Art. 122 of Italian Legislative Decree 196/2003 and the Italian DPA Guidelines of 10 June 2021.
The technical identifiers used on the Site are the following:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| session_id / PHPSESSID / connect.sid | cookie | Application session | Browser session |
| locale / NEXT_LOCALE / i18n_redirected | cookie | User-selected language | 1 year |
| cookie_consent / cookie-consent-* (with Site identifier suffix) | localStorage | Records the user choice in the cookie banner (proof of consent) | 6 years (Art. 7.1 GDPR) |
| visitor_uid / *-visitor-uid | localStorage | Anonymous technical browser identifier (client-side UUID) to associate the consent record with the visitor — qualifies as online identifier under Art. 4(1) GDPR | Until manual deletion (localStorage) |
| csrf_token / __Host-csrf / _csrf | cookie | Cross-site request forgery protection | Session |
| auth_token / next-auth.session-token (authenticated users) | cookie | Authentication session | 30 days or session |
Server-side replica of the consent record: the choice expressed in the cookie banner (accepted/rejected categories, anonymous browser identifier, timestamp and source) is transmitted to the Controller through its compliance infrastructure and retained for 6 years in order to discharge the burden of proof of consent (Art. 7.1 GDPR). The server-side consent record contains no direct identifying data, only the anonymous browser identifier.
Note: the list above includes the technical identifiers typically present; the actual set depends on the technical configuration of the Site at the time of the visit. The presence of additional non-listed identifiers can be checked by the user through browser developer tools (DevTools → Application → Cookies / Storage).
To disable technical identifiers, the user must act directly on the browser settings. Disabling them may impair the operation of the Site.
Consent management and withdrawal
On first access to the Site, a banner is shown that allows you to accept, refuse or customise the use of analytics and profiling cookies. Strictly technical cookies are installed regardless of consent, in compliance with art. 122 of Italian D.Lgs. 196/2003 and the Italian Data Protection Authority guidelines of 10 June 2021.
The data subject may modify or withdraw consent at any time:
- by clicking the permanent link "Manage cookie preferences" available on every page of the Site;
- by deleting cookies already installed from the browser settings (the procedure varies depending on the browser).
Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal.
Proof of consent (art. 7.1 GDPR): when you make your choice, an anonymous record of the consent is stored server-side as required by art. 7.1 GDPR (proof of consent). Data stored: random anonymous identifier (UUID), chosen cookie categories, timestamp, cryptographic hash of the user-agent, country of origin (no full IP address). No personally identifiable information is stored or shared with third parties. Retention: 6 years from registration (ordinary statute of limitations under Italian Civil Code art. 2946).
Local Storage (localStorage and sessionStorage)
The Site uses browser-side storage technologies (localStorage and sessionStorage) to improve user experience and provide the required functionalities. These technologies are equated with cookies under Art. 122 of Italian Legislative Decree 196/2003.
Locally stored data typically includes:
- User selected language;
- UI layout preferences;
- User cookie consent state (server-side replicated for proof of consent — see technical cookies section);
- Application session data (partially filled forms, ongoing bookings);
- Authentication tokens (for registered users).
Most of this data stays on the user device and is not transmitted to the Controller. The only exceptions — expressly declared — are the consent record (server-side replicated for burden of proof under Art. 7.1 GDPR) and, where enabled, privacy-safe audit telemetry (see dedicated clause).
Local data remains stored until manual deletion (browser settings → Clear browsing data) or use of the "Delete local data" button, where available, in the Site preferences.
Google Tag Manager (GTM)
Provider: Google Ireland Ltd (Ireland) - parent company Google LLC (USA).
Purpose: orchestration and conditional loading of analytics, marketing and functional tags (e.g. GA4, Meta Pixel) on the Site.
Data processed: loading of the GTM container transmits to Google servers the user's IP address, user-agent and page URL, even before activation of specific tags.
Retention: Google Cloud logs as per provider policies (typically 14-30 days for network logs).
Transfer: data are transferred to the United States under the EU-US Data Privacy Framework + Standard Contractual Clauses art. 46 GDPR.
Legal basis: prior explicit consent of the data subject under art. 6(1)(a) GDPR and art. 122 of Legislative Decree 196/2003, collected via cookie banner before loading the container. The qualification as "technical processing exempt from consent" has been superseded by the Guidelines of the Italian DPA of 10 June 2021, which require prior consent for any identifier not strictly necessary for Site operation.
Provider privacy policy: business.safety.google/privacy
Google Analytics 4 (Google Ireland Limited)
We use Google Analytics 4 to analyse the use of the Site in aggregated form, identify areas for improvement and optimise user experience.
- Purpose: Statistical analysis of traffic and user behaviour
- Data collected: Device identifiers, IP address (masked by Google, not stored in clear text for GA4 properties), pages visited, dwell time, interactions, custom events
- Legal basis: Consent under art. 6(1)(a) GDPR + art. 122 Italian Privacy Code (analytics cookies not assimilable to technical under DPA Provv. 9 June 2022)
- Retention: 14 months (GA4 property setting)
- Configuration: single domain, no cross-tracking; "Google Signals" and "Data Sharing > Modeling" options DISABLED to avoid mixing with advertising profiling purposes that would require a separate legal basis (Italian DPA Provv. 9 June 2022).
- Transfer: USA (Google LLC) under EU-US Data Privacy Framework + SCC art. 46 GDPR
- Provider privacy policy: policies.google.com/privacy
Brevo SAS (formerly Sendinblue)
We use Brevo as a provider for transactional emails (confirmations, service notifications) and, subject to consent, for email marketing and newsletters. Brevo acts as Data Processor under art. 28 GDPR.
- Purpose: Sending transactional emails and, with consent, marketing
- Data collected: Email, name, open/click events of sent emails
- Legal basis: Performance of contract (transactional, art. 6(1)(b) GDPR) + explicit consent for marketing (art. 6(1)(a) GDPR)
- Retention: For the duration of the relationship and until user unsubscription; 10 years after unsubscription, in minimised form, exclusively as proof of consent pursuant to art. 7(1) GDPR
- Transfer: France (Brevo SAS), EU servers - no extra-EU transfer
- Provider privacy policy: brevo.com/legal/privacypolicy
Stripe
Provider: Stripe Payments Europe Ltd (Ireland) — Stripe Inc. group (USA).
Purpose: online payment processing, fraud prevention (Stripe Radar), credit card tokenisation. Strictly necessary for payments.
Data collected: cookie identifiers (__stripe_mid, __stripe_sid), card token, amount, currency, IP address, browser fingerprint (anti-fraud).
Retention: __stripe_mid 1 year, __stripe_sid 30 minutes.
Transfer: Ireland (EU) for processing, USA for fraud detection under SCC Art. 46 GDPR.
Legal basis: contract performance under Art. 6.1.b GDPR (necessary for payment, exempt from consent).
Privacy policy: stripe.com/privacy
PayPal
Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) — PayPal Holdings Inc. group (USA).
Purpose: online payment processing via PayPal account or credit card, fraud prevention. Strictly necessary for payments.
Data collected: cookie identifiers (x-pp-s, l7_az, ts, tsrce), transaction data (amount, currency, order ID), IP address, payer's PayPal account data, device fingerprint (anti-fraud).
Retention: 10 years for anti-money-laundering legal obligations.
Transfer: Luxembourg (EU) for processing, USA for fraud detection under SCC Art. 46 GDPR.
Legal basis: contract performance under Art. 6.1.b GDPR (necessary for payment, exempt from consent).
Privacy policy: paypal.com/en/legalhub/privacy-full
Sentry (Functional Software, Inc. — EU data region)
This Site uses Sentry, a technical application error-monitoring tool, to detect and fix malfunctions and ensure the stability and security of the service.
- Purpose: technical error monitoring, diagnostics and Site security/stability (essential tool, no profiling).
- Data collected: technical error data (browser and operating system type, the affected page, the technical exception trace). No personal data is collected by default; any email addresses contained in messages are redacted and session recording (Session Replay) is not enabled.
- Legal basis: the Controller's legitimate interest in the security and proper functioning of the Site (Art. 6(1)(f) GDPR; see Recital 49). No cookies are used and no consent is required.
- Retention: error events are stored for a limited period according to Sentry's settings (typically 90 days), after which they are deleted.
- Transfer: data is hosted on infrastructure located in the European Union (Frankfurt, Germany). Any access by the provider, based in the United States, is governed by appropriate safeguards under Art. 46 GDPR (Standard Contractual Clauses / Data Privacy Framework; see Recital 113).
- Provider's privacy policy: sentry.io
How to manage preferences
You can manage your cookie preferences in two ways:
- From the Emerge banner: click on "Manage cookie preferences" at the bottom of every page to reopen the choice panel.
- From your browser settings:
  - Google Chrome: Settings → Privacy and security → Cookies and other site data
  - Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data
  - Safari: Preferences → Privacy → Cookies and website data
  - Microsoft Edge: Settings → Privacy, search and services → Cookies
For newsletters and promotional emails: click "Unsubscribe" at the bottom of any email. Withdrawal is immediate.
Note: disabling first-party technical cookies may prevent the Site from functioning correctly (e.g. language persistence, cart session).
Additional opt-out tools for advertising networks:
- EDAA advertisers: youronlinechoices.eu
- Google Ads: adssettings.google.com
- Meta (Facebook/Instagram): facebook.com/settings/ads
Contacts for cookie questions
For any question about cookie usage on this site:
- Email: info@palace.it
- Address: Via Cavour 2/4, 39012 Merano (BZ), Italia
For more details on data processing collected via cookies, see the Privacy Policy of the site.