This Application collects some Personal Data from its Users.
This document can be printed using the print command available in the settings of any browser.
Stefano Certoma of Sustainable Surf Holidays
Email address of the Data Controller: admin@sustainablesurfholidays.com
Among the Personal Data collected by this Application—either directly or through third parties—are: email; name; phone number.
Complete details about each type of data collected are provided in the dedicated sections of this privacy policy or through specific information notices displayed before data is collected. Personal Data may be provided freely by the User or, in the case of Usage Data, automatically collected during use of this Application.
Unless otherwise specified, all Data requested by this Application is mandatory. If the User refuses to provide it, it may be impossible for this Application to provide the Service. Users who have doubts about which data is mandatory are encouraged to contact the Data Controller.
The use of Cookies—or other tracking tools—by this Application or by third-party services used by this Application, unless otherwise stated, is meant to provide the Service requested by the User, as well as for the additional purposes described in this document and in the Cookie Policy, if available.
The User assumes responsibility for the Personal Data of third parties obtained, published, or shared through this Application and ensures they have the right to share them, releasing the Data Controller from any liability towards third parties.
Processing Methods
The Controller adopts appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of Personal Data. Processing is carried out using IT and/or telematic tools, organizational procedures, and logic strictly related to the purposes indicated. In addition to the Controller, in some cases, access to Data may be granted to employees involved in the organization of this Application (administrative, commercial, marketing, legal staff, system administrators), or to external parties (such as technical service providers, postal couriers, hosting providers, IT companies, communication agencies), possibly appointed as Data Processors by the Controller. An updated list of Data Processors can always be requested from the Controller.
Legal Basis for Processing
The Controller processes Personal Data relating to the User when one of the following conditions applies:
The User has given consent for one or more specific purposes;
Processing is necessary for the execution of a contract with the User or pre‑contractual measures;
Processing is required to fulfill a legal obligation to which the Controller is subject;
Processing is necessary for the performance of a task of public interest or in the exercise of public authority;
Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by third parties.
The User may always ask the Controller to clarify the specific legal basis for each processing activity, in particular whether the processing is based on law, required by a contract, or necessary to enter into a contract.
Place
Data is processed at the Controller’s operational offices and at any other location where the parties involved in the processing are located. For additional details, contact the Controller.
User Personal Data may be transferred to a country other than the one in which the User resides. For further information on the location of Data processing, the User may refer to the section on details regarding the processing of Personal Data.
The User has the right to obtain information on the legal basis of transfers of data outside the European Union or to an international organization, as well as the security measures adopted by the Controller to protect their Data.
The User may check if any such transfer occurs by referring to the section on Personal Data processing details or contacting the Controller.
Retention Period
Data is processed and retained for the time required by the purposes for which it was collected.
Specifically:
Personal Data collected for the performance of a contract between the Controller and the User will be retained until the contract is fully executed;
Personal Data collected for purposes related to the Controller’s legitimate interest will be retained until such interest is fulfilled (further details available in the relevant sections or on request);
When processing is based on the User’s consent, the Controller may retain Data until consent is revoked; however, they may be required to retain it for a longer period in compliance with legal obligations or by order of an authority.
At the end of the retention period, Personal Data will be deleted. Consequently, at that point, rights of access, deletion, rectification, and portability can no longer be exercised.
User Data is collected to allow the Controller to provide the Service, comply with legal obligations, respond to requests or enforcement actions, protect their rights and interests (or those of Users or third parties), detect any fraudulent or malicious activity, as well as for the following purposes: Contacting the User.
For detailed information on the purposes of processing and the Personal Data processed for each purpose, Users can refer to the “Details on the processing of Personal Data” section.
Contacting the User
Mailing list or newsletter (this Application)
When registering for the mailing list or newsletter, the User’s email address is automatically added to a contact list. Messages may include information, even of a commercial or promotional nature, about this Application. Email may be added as a result of registration or after a purchase.
Contact form (this Application)
By filling in the form with their data, the User consents to its use to respond to inquiries, quotes, or any other requests. Data processed: email; name; phone number.
Phone contact (this Application)
Users who have provided their phone number may be contacted for promotional or support purposes. Data processed: phone number.
Commercial Affiliation
This service allows the Application to display ads for third-party products or services, in the form of links or banners. Clicks are tracked by third-party services.
Integration with Social Networks and External Platforms
These services allow interactions with social networks or external platforms directly from this Application. Interactions and information are subject to the User’s privacy settings on the network. Some services may collect traffic data even if users do not interact. It is recommended to log out from those services to avoid linking data to the User’s profile.
LinkedIn social buttons and widgets (LinkedIn Corporation): Cookies; usage data; processed in USA.
Facebook Like button and widgets (Facebook, Inc.): Cookies; usage data; processed in USA.
Twitter Tweet button and widgets (Twitter): Cookies; usage data; processed in USA.
YouTube social buttons and widgets (Google Ireland Limited): usage data; processed in Ireland.
Displaying External Content
Services that allow display of external content directly in the pages of this Application may collect traffic data even if not used.
Google Fonts (Google LLC or Ireland): usage data; other data types per service policy; processed in USA.
YouTube Video Widget (Google LLC): Cookies; usage data; processed in USA.
Additional Information on Processing
Selling goods and services online: Data may include payment card or bank account details depending on the payment system used.
System logs and maintenance: System logs, including IP addresses, may be collected for functionality and maintenance purposes.
“Do Not Track” requests: This Application does not support “Do Not Track”. For third-party services, refer to their privacy policies.
Users may exercise the following rights regarding their data:
Revoke consent at any time.
Object to processing on grounds other than consent.
Access their data and receive a copy.
Check and request correction of data.
Request limitation of processing under certain conditions.
Request deletion of data under certain conditions.
Receive their data in a structured, machine-readable format and, where technically feasible, transfer it to another Controller (data portability).
Lodge a complaint with the data protection supervisory authority or seek judicial remedies.
Opposition Rights
Users can object to processing based on public interest, official authority, or legitimate interests for reasons related to their personal situation. If data is processed for direct marketing, Users can object without providing any justification. For clarification, check the applicable sections of this document or contact the Controller.
How to Exercise Rights
Submit a request using the Controller’s contact details. Requests are free and processed promptly, within one month.
Legal Defense: Personal Data may be used for legal defense or pre-litigation. The User acknowledges that the Controller may be required to disclose data on public authority orders.
Specific Notices: Additional notices may be provided for specific services or data processing.
Policy Updates: The Controller may modify this policy at any time. Users should check regularly for updates. If changes involve processing based on consent, the Controller will seek renewed consent if necessary.
Definitions: Personal Data, Usage Data, User, Data Subject, Data Processor, Data Controller, this Application, Service, European Union, legal references—based on Articles 13 and 14 of Regulation (EU) 2016/679.
Last Updated: 07/09/2025
©SustainableSurfHoliday.com – Privacy Policy