Notice on the processing of personal data. Effective from 1 January 2022

Notice on the processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
In force since 22 January 2022, updated on 22 July 2025

INTRODUCTION

This notice takes into account the provisions of the GDPR, Italian Legislative Decree 196/2003 (“Privacy Code”) and the Guidelines of the Italian Data Protection Authority. The notice is addressed to customers who browse or make bookings through the channels indicated below.

Data Controller:

Main controller: Rent a Sport Italia SRL (“Rent and Go”), registered office at Via Bruno Buozzi 12, 39100 Bolzano (BZ) – Italy, e‑mail booking@rentandgo.it.

For each booking, the affiliated rental company chosen by the customer for the provision of the service (“Rental Company”) acts as joint controller.

The complete list of affiliated rentals is available here: https://www.rentandgo.it/eng/districts/index

Rent and Go and the Rental Company jointly determine the purposes and means of the processing pursuant to Art. 26 GDPR.

Rent and Go has not appointed a Data Protection Officer (DPO); privacy requests can be sent directly to the contacts indicated above.

Website to which this privacy policy refers: www.rentandgo.it (Site or App).

The Data Controller has not appointed a DPO (Data Protection Officer). Therefore, you may send any request for information directly to the Data Controller.

DATA COLLECTED AND METHOD OF COLLECTION
Data are collected through:
• the website www.rentandgo.it;
• the “Rent and Go” mobile app for Android and iOS devices;
• other platforms owned by Rent and Go (iFrame or booking engine on rental shop websites);
• check‑in terminals located in affiliated stores;
• management software integrated with Rent and Go used by rental staff.


Categories of data processed:
- Complete details of the main customer: first name, last name, residential address, phone, e‑mail.
- Data necessary for the booking of the main customer and sub‑customers: first name, last name, height, weight, shoe size, age or date of birth, skiing experience level.

GENERAL INFORMATION

This document describes how the Data Controller processes your personal data provided on the Site.

The main processing activities concerning your personal data are described below. In particular, the legal basis of the processing is explained, whether the provision is mandatory and the consequences of failure to provide personal data. To best describe your rights, where necessary we have specified if and when a certain processing of personal data is not carried out. On the Site you can enter personal data of third parties. In such a case, you guarantee that you have obtained consent from these subjects to enter their personal data. You therefore undertake to hold the Data Controller harmless from any liability.

Registration on the Site

The information and data requested upon registration will be used to allow you both to access the reserved area of the Site and to use the online services offered by the Data Controller to registered users. The legal basis of the processing is the necessity for the Data Controller to take pre‑contractual measures at the request of the data subject. The provision of data is optional. However, your refusal to provide the data will make it impossible to register on the Site.

Registration with the Rent and Go group and account management

The customer may optionally register with Rent and Go (during the online booking, via in‑store check‑in terminals, or by requesting it at the rental desk). In such a case:
• the data are stored in the Rent and Go CRM;
• they become available to all rental shops in the group, to avoid future re‑registrations;
• the customer receives a welcome e‑mail with data confirmation, instructions to complete the profile and the virtual card with barcode.

Registration takes place by accepting a specific clause referring to this privacy policy, which is permanently available at https://www.rentandgo.it/eng/content/privacy. Legal basis: performance of the contract

Purchases on the Site, online booking and sale

Your personal data will be processed to allow you to make purchases on the Site. In the case of an online purchase order, to enable the conclusion of the purchase contract and the proper performance of the related operations (and, where required by sector regulations, to comply with tax obligations). This processing also includes the possibility of sending communications (e.g. tracking and order information) via automated tools such as SMS and/or WhatsApp. The legal basis of the processing is the Data Controller’s obligation to perform the contract with the data subject or to comply with legal obligations. Regardless of the above (and therefore irrespective of your consent), the Data Controller may process your data for the purpose of so‑called “soft‑spam”, governed by Art. 130 of the Italian Privacy Code. This means that, limited to the e‑mail address you provided in the context of a purchase via the Site, the Data Controller will process the e‑mail to allow the direct offer of similar products/services, provided that you do not object to such processing in the manner set out in this notice. The legal basis of the processing is the Data Controller’s legitimate interest in sending this type of communication, or the performance of pre‑contractual and contractual measures. This legitimate interest may be deemed equivalent to the data subject’s interest in receiving “soft‑spam” communications. The Data Controller may send e‑mails to remind the user to complete a purchase. The legal basis for this processing is the Data Controller’s legitimate interest in sending this type of communication.

On‑site provision of the rental service by the Rental Company

The data will be transmitted to the Rental Company chosen by the user for the purpose of providing the rental service. Legal basis: performance of the contract

Responding to your requests

Your data will be processed to respond to your requests for information. The provision is optional, but your refusal will make it impossible for the Data Controller to answer your questions. The legal basis of the processing is the Data Controller’s legitimate interest in following up users’ requests. This legitimate interest is equivalent to the user’s interest in receiving a response to communications sent to the Data Controller. The Data Controller may process your personal data for the purpose of support ticket management. The legal basis of the processing is the Data Controller’s legitimate interest in responding to the data subject’s request. This interest is equivalent to the data subject’s interest in receiving a reply. Personal data will be retained for this purpose until the ticket has been handled. If you fill in the specific form on the Site, the Data Controller may use the personal data to handle the request for a quote and/or intervention. The provision of data is optional, but without it the Controller will be unable to process the request. The legal basis of the processing is the Data Controller’s legitimate interest in responding to users’ requests, an interest that corresponds to the user’s interest in receiving a reply. The Controller may also process personal data for the purpose of managing support requests (tickets). Again, the legal basis is the Controller’s legitimate interest in providing feedback, in line with the user’s interest in receiving support.

Generic marketing

With your consent, the Data Controller may process the personal data you provide in order to send you advertising material and/or newsletters relating to its own or third‑party products. The legal basis for this processing is your consent. The provision of personal data for this purpose is purely optional. Failure to consent to the processing of data for marketing purposes will mean you cannot receive advertising material relating to products/services of the Data Controller and/or third parties, nor can the Data Controller conduct market research, including to assess user satisfaction, or send you newsletters. Such communications will be sent to the e‑mail address you provided on the Site. We use Google services such as Google Ads and Google Analytics to personalise advertising and improve the user experience. This includes the collection of personal data and cookies used to show you ads in line with your preferences. When giving consent, you will be asked to authorise the use of these data. More details on the use of cookies and consent management are available in this website’s cookie policy.

Statistical analysis and surveys

The Data Controller does not carry out “profiling” with your personal data. Therefore, you will not receive advertising material and/or newsletters relating to the Data Controller’s or third parties’ products tailored to your specific interests. Rent and Go may process data in aggregated or pseudonymised form for statistical analyses and to improve service quality. The customer may automatically receive a satisfaction survey by e‑mail at the end of the service; such sending is not subject to marketing consent.

Assignment/transfer of data

The Data Controller does not assign your personal data to third parties.

Cookie policy

The use of cookies is governed by a specific Cookie Policy, available at the following link: https://www.rentandgo.it/eng/content/cookie-policy

Based on the preferences expressed, Rent and Go may carry out remarketing activities on online advertising platforms. The customer may manage or withdraw cookie consent at any time via the dedicated banner or browser settings.

Operational contacts

The Rent and Go staff or the Rental Company may contact the customer by e‑mail or phone for information related to the booking or the rental experience.

Geolocation

When accessing the Site, you may receive a notification on your device (desktop and/or mobile) that gives you the option to allow or refuse the identification of the device (so‑called geolocation). You may freely allow or refuse this setting, without this entailing substantial changes to the functionality of the Site. You may change the geolocation settings at any time via your device settings. The legal basis of the processing is the Data Controller’s legitimate interest in providing services relevant to the user’s location. This legitimate interest is equivalent to the user’s interest in receiving services that are as relevant as possible to their location.

Curriculum Vitae

You can send your curriculum vitae via the Site. Your CV will be reviewed by the Data Controller or by its collaborators. The purpose of the processing is the Data Controller’s legitimate interest in reviewing the document to assess the possibility of establishing an employment or collaboration relationship with you. This interest is equivalent to your interest in being contacted by the Data Controller for this purpose. The data will be retained until the end of the selection period and in any case for no longer than 6 months from sending the curriculum vitae. The provision is optional, but failure to provide the data will prevent the Data Controller from contacting you.

Photographs and videos

The Data Controller does not request the publication of photographs and/or videos portraying you. Your data will therefore not be processed for these purposes.

Web scraping

The Data Controller allows the use of web scraping techniques, provided that such activities are carried out in accordance with the following terms and conditions: (i) Lawful and ethical access. Web scraping must be performed lawfully and ethically. Users must comply with all applicable laws and regulations when carrying out scraping activities; (ii) Responsible use. Users must ensure that scraping techniques do not compromise the functionality of our website, do not overload the Site’s servers and do not interfere with other users’ experience; (iii) Respect for personal data. Users must respect the privacy and protection of personal data present on the Site. Any collection of personal data must be carried out in compliance with the legislation in force on the protection of personal data; (iv) Attribution. Any data or content collected from the Site through web scraping must be properly attributed to the Site as the original source; (v) Limitations. The Data Controller reserves the right to impose limitations or restrictions on web scraping, including requiring a prior written agreement in certain cases. Users must be ready to stop scraping activities at the Data Controller’s request. By using the Site and carrying out web scraping activities, the user agrees to comply with the above terms and conditions. Failure to comply may result in the revocation of permission to carry out web scraping and in the adoption of appropriate measures to protect the rights and interests of the Data Controller.

Communication/disclosure of personal data

In the course of its ordinary activity, the Data Controller may communicate your personal data to certain categories of subjects. In Article 2 you can find the list of subjects to whom the Data Controller communicates your personal data. To facilitate the protection of your rights, Article 2 may in some cases specify when your data are not communicated to third parties.

The “communication” of personal data to third parties is different from “assignment/transfer” (governed in the preceding point). In fact, in the case of communication, the third party to whom the data are transmitted may use them only for the specific purposes described in the relationship with the Data Controller. In the case of transfer, however, the third party becomes an autonomous Data Controller of the personal data. Furthermore, your consent is always required to transfer your personal data to third parties.

Without prejudice to the foregoing, it is understood that the Data Controller may in any case use your personal data to properly fulfil the obligations provided for by applicable laws.

SPECIFIC PRIVACY NOTICE

Art. 1 Methods of processing

1.1 The processing of your personal data will mainly be carried out using electronic or otherwise automated means, in ways and with tools suitable to guarantee the security and confidentiality of personal data. If the automatic chatbot service is operational, your personal data will also be processed to enable the activation of this service, through which the user may contact and be contacted by the Data Controller, subject to consent. The legal basis is the Data Controller’s legitimate interest in responding to user requests through the chatbot service. This legitimate interest can be considered equivalent to the data subject’s interest in using the automatic chatbot service.

1.2 The information acquired and the processing methods will be relevant and not excessive in relation to the type of services provided. Your data will also be managed and protected in secure IT environments appropriate to the circumstances.

1.3 No “special categories” of data are processed through the Site. Special data are those that may reveal racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organisations of a religious, philosophical, political or trade‑union nature, health status and sex life.

1.4 No judicial/criminal data are processed through the Site.

Art. 2 Communication of personal data

The Data Controller may communicate your personal data to specific categories of recipients.

The Data Controller wishes to inform users that, in the context of using the YouTube service (managed and owned by Google LLC), certain personal data may be collected and shared. This collection of data is essential to provide and improve users’ experience on our Site and to allow viewing of video content embedded via the YouTube API. Specifically, when a user views video content via the YouTube API on our Site, the following information may be collected: IP address (used to connect the user’s device to YouTube for video transmission); behavioural data (including information on how the user interacts with the videos, which videos are viewed and for how long); location information (used to provide content relevant to the user’s geographic location). These data are collected automatically by the system and may, in some cases, be retained to improve the user experience and for YouTube’s internal analytical purposes. Our Site uses YouTube API services and, by viewing content through these APIs, the user accepts YouTube’s Terms of Service available at https://www.youtube.com/t/terms. For further details on Google LLC’s data handling, users are invited to consult Google LLC’s privacy policy at http://www.google.com/policies/privacy and YouTube’s at https://www.youtube.com/intl/ALL_it/howyoutubeworks/our-commitments/protecting-user-data/. Details on the use of API user data: When a user interacts with YouTube videos embedded on our Site, data such as viewing preferences, history of videos viewed, and interactions with video content (likes, comments, shares) may be collected. These data are made available via the YouTube API and help to understand how users interact with video content. Access to data via the API client: Our Site may use specific API calls to request and receive data from YouTube. This may occur when a user views a video, with the system automatically recording the relevant information. Data collection: Data are collected automatically by YouTube’s system at the time users interact with YouTube videos on our Site. This process is essential to provide a smooth and personalised user experience. Retention: The data collected are stored securely within YouTube’s systems for a period not exceeding the need for use. YouTube adopts all necessary security measures to protect these data from unauthorised access or unlawful use. Use of data: YouTube uses these data for various purposes, including: internal analysis; personalisation of content; improvement of the user experience.

Below are the recipients to whom the Data Controller reserves the right to communicate your data:

  • The Data Controller may communicate your personal data to all those entities (including the competent Public Authorities, in cases provided for by law) that have access to personal data by virtue of statutory or administrative measures.
  • Your personal data may also be communicated to all those public and/or private entities, natural and/or legal persons (legal, administrative and tax consultancy firms, judicial offices, chambers of commerce, labour chambers and offices, etc.), where communication is necessary or functional for the proper fulfilment of legal obligations.
  • The Data Controller avails itself of employees and/or collaborators of any kind. For the proper functioning of the Site, the Data Controller may communicate your personal data to these employees and/or collaborators.
  • In its ordinary activity of managing the Site, the Data Controller uses consulting companies and IT suppliers connected to the Rent and Go group, tasked with technical services (hosting, CRM, software maintenance, help‑desk), consultants or professionals responsible for the installation, maintenance, updating and, in general, management of the hardware and software of the Data Controller or of those used by the latter to provide its services. Therefore, only for these purposes may your data also be processed by these subjects.
  • For the sending of its communications, the Data Controller uses external companies appointed for sending this type of communications (CRM platforms). Your personal data (in particular the e‑mail) may therefore be communicated to these companies.
  • For customer support purposes, the Data Controller uses one or more companies or freelance consultants appointed to provide customer care services. Only for this purpose may your personal data be communicated to these companies, consultants or natural persons.
  • For online payments of products and services purchased through the Site, the Data Controller uses banks and companies that manage national and international payment circuits.
  • The personal data of purchasers are not communicated to couriers or shippers.

The Controller reserves the right to modify the above list based on its ordinary operations. You are therefore invited to access this notice regularly to check to which subjects the Data Controller communicates your personal data.

Art. 3 Retention of personal data

3.1 This article describes how long the Data Controller reserves the right to retain your personal data.

  • For marketing purposes, personal data will be retained until any withdrawal of consent. For inactive users, personal data will be deleted one year after sending the last e‑mail that may have been viewed.
  • For the purpose of performing the sales contract, the data will be retained for 10 years from the date of receipt of the purchase order. This is to allow the Data Controller to exercise its right of defence and to demonstrate that it has properly performed the contract.
  • As provided by Article 2220 of the Italian Civil Code, invoices, as well as all accounting records in general, are kept for a minimum of ten years from the date of recording, so that they can be produced in the event of an inspection.
  • Through the Site (or by submitting a request to the Data Controller) it is possible to delete the user’s account. In this case all stored personal data will be deleted and will not be retained by the Data Controller for any purpose.

3.2 Without prejudice to Article 3.1, the Data Controller may retain your personal data for the time required by specific regulations, as amended from time to time.

Art. 4 Transfer of personal data

4.1 The Data Controller is established in a country that presents an adequate level of security from a regulatory standpoint. If the transfer of your personal data takes place to a non‑EU country for which the European Commission has issued an adequacy decision, the transfer is in any case considered safe from a regulatory point of view. This Article 4.1 indicates, from time to time, the countries to which your personal data may be transferred and where the European Commission has issued an adequacy decision.

  • You are therefore invited to regularly consult this article to check whether the transfer of your personal data takes place to a country with these characteristics.

4.2 Without prejudice to Article 4.1, your data may also be transferred to non‑EU countries for which the European Commission has not issued an adequacy decision. You are therefore invited to regularly view this Article 4.2 to ascertain to which of these countries your data may be transferred.

4.3 In this article the Data Controller indicates the countries to which it may specifically direct its activity. This may imply the application of the legislation of the relevant country, together with that which governs the relationship with the user as indicated in the Introduction.

  • At the user’s request, the Data Controller will apply, to the processing of personal data, the possibly more favourable rules provided for by the user’s national legislation.

Art. 5. Rights of the data subject

Since Rent and Go and the Rental Company are joint controllers of the processing, requests relating to personal data (including erasure requests) must be addressed to both parties separately, according to the procedures indicated below.

The Data Controller informs you that you have the right to:

  • request access to your personal data, as well as rectification or erasure of the same, restriction of processing concerning you, or to object to the processing, in addition to the right to data portability;
  • withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • lodge a complaint with a supervisory authority.

These rights may be exercised without formalities by contacting the addresses indicated in the Preamble. Rent a Sport Italia SRL will remove personal data from its systems (except for data that must be retained to comply with legal obligations).

If you also wish your data to be removed from the systems of the Rental Company that provided the service, you must contact that company directly: the email address is shown on the booking voucher or can be requested by writing to the Rent and Go contacts.

Art. 6. Changes and Miscellanea

The Data Controller reserves the right to make changes to this notice at any time, giving appropriate publicity to users of the Site and in any case ensuring adequate and similar protection of personal data. In order to view any changes, you are invited to regularly consult this notice. In the event of substantial changes to this privacy notice, the Data Controller may also give notice by e‑mail.