Italiano
Español
Français
Deutsch
Nederlands
Polski
Português
Português do Brasil
Pусский
日本語
简体中文
한국어
Bahasa IndonesiaThis is an independent tourist guide. We are not affiliated with or endorsed by the Vatican Museums.
Cookie Policy
Last updated: 07/02/2026
This Cookie Policy explains what cookies and similar technologies are, which ones are used on the website vatican.museum (the “Website”) and on other websites owned by Culturae Heritage Services srls (the “Controller”), and how the User can manage their preferences, pursuant to Regulation (EU) 2016/679 (GDPR) and Directive 2002/58/EC (ePrivacy) as transposed into Italian law.
Manage cookie preferences: Click on bottom right icon.
1. What Are Cookies and Similar Technologies
Cookies are small text files that websites store on the User’s device (computer, smartphone, tablet). In addition to cookies, similar technologies such as local storage, tracking pixels, web beacons, tags, and SDKs may be used to store and/or read information from the User’s device.
2. Types of Cookies
2.1 Technical/necessary cookies
Essential for the proper functioning of the Website (e.g. session management, security, essential preferences, CMP operation, reCAPTCHA cookie). They do not require the User’s consent.
2.2 Preference cookies
Store User choices such as language or other personalization settings. They may require consent if not strictly necessary for the Website’s operation.
2.3 Analytics cookies
Measure the use of the Website (e.g. pages visited, session duration, browsing paths). Used through tools such as Google Analytics 4, Hotjar, and Microsoft Clarity. They require the User’s consent.
2.4 Marketing/profiling cookies
Used for personalized advertising, remarketing, and conversion measurement through tools such as Google Ads, Bing Ads, Meta/Facebook Pixel, TikTok Pixel, and Instagram. They require the User’s express consent.
3. Consent and CMP
The Website uses a native Consent Management Platform (CMP) compliant with Google Consent Mode v2, which:
- displays an informational banner on first access and allows the User to accept, reject, or customize cookie categories;
- prevents the activation of non-technical cookies and tools before consent is obtained;
- allows the User to change or revoke consent at any time, with the same ease with which it was given (Art. 7(3) GDPR), through the “Manage preferences” tool accessible on the Website;
- records and stores proof of the consent expressed by the User.
4. How to Manage Cookies
4.1 Through the CMP
The User can change their preferences at any time using the “Manage cookie preferences” tool on the Website.
4.2 Through the browser
The User can delete or block cookies from their browser settings. Note that blocking technical/necessary cookies may compromise the Website’s functionality. Below are links to the main browsers’ guides:
Google Chrome | Mozilla Firefox | Microsoft Edge | Apple Safari
5. Cookies Used (Table)
The following table lists the cookies and similar technologies used on the Website. It is the Controller’s responsibility to keep this table updated based on the cookies actually installed.
| Category | Cookie / Technology | Provider | Purpose | Duration |
|---|---|---|---|---|
| Necessary | _GRECAPTCHA | Google (reCAPTCHA v3) | Anti-bot security, risk analysis. Necessary technical cookie. | Session |
| Necessary | session_cookie | First party | User session management, security, essential preferences. | Session / up to 12 months |
| Necessary | CuborioCookieConsent | First party (CMP) | Storage of cookie consent preferences expressed by the User. | Up to 12 months |
| Analytics (with consent) | _ga, _ga_* | Google (Analytics 4) | Traffic measurement, interactions, browsing paths. | Up to 24 months |
| Analytics/UX (with consent) | _hj* | Hotjar | Behavioral analysis, heatmaps, session recordings. | Up to 12 months |
| Analytics/UX (with consent) | _clck, _clsk | Microsoft (Clarity) | Behavioral analysis, heatmaps, UX improvement. | Up to 12 months |
| Marketing (with consent) | _gcl_au, IDE, test_cookie | Google (Ads/DoubleClick) | Advertising, conversion measurement, remarketing. | Session to 13/24 months |
| Marketing (with consent) | _uetsid, _uetvid | Microsoft (Bing Ads UET) | Advertising, conversion measurement. | Up to 13 months |
| Marketing (with consent) | _fbp, fr | Meta (Facebook Pixel) | Advertising, conversion measurement, remarketing. | Up to 90 days / 3 months |
| Marketing (with consent) | _ttp, tt_* | TikTok (Pixel) | Advertising, conversion measurement. | Up to 13 months |
6. Main Providers Detail
6.1 Google Tag Manager
Google Tag Manager is a tag management system that enables the activation of third-party scripts and services. GTM itself does not necessarily set cookies, but can activate services that use them. The activation of non-technical tags occurs exclusively according to the preferences collected by the CMP.
6.2 Google Analytics 4
Google Analytics enables the Controller to analyze the use of the Website. The use of Analytics (and related cookies) occurs exclusively after obtaining consent through the CMP.
6.3 Google Ads
Google Ads enables conversion measurement and remarketing list creation. Related cookies are activated only with the User’s consent (Marketing category).
6.4 Microsoft Bing Ads and Clarity
Bing Ads (UET) and Microsoft Clarity may set cookies for conversion measurement and user behavior analysis. They are activated only with consent (Marketing and/or Analytics categories).
6.5 Meta/Facebook Pixel and Instagram
The Facebook Pixel and Instagram integrations enable conversion measurement and audience creation for targeted advertising. They are activated only with consent (Marketing category).
6.6 TikTok Pixel
The TikTok Pixel enables conversion measurement of advertising campaigns on TikTok. It is activated only with consent (Marketing category).
6.7 Hotjar
Hotjar enables analysis of user behavior through heatmaps, session recordings, and surveys. It is activated only with consent (Analytics/UX category).
6.8 Google reCAPTCHA v3
Google reCAPTCHA v3 is an anti-spam and anti-bot protection service activated on pages containing forms. The _GRECAPTCHA cookie is classified as technical/necessary and does not require consent.
From April 2, 2026, Google acts as a Data Processor for reCAPTCHA. References to Google’s Privacy Policy and Terms of Service in relation to reCAPTCHA are no longer applicable and have been removed from the Website.
7. Transfers Outside the EEA
The use of global provider services (Google, Microsoft, Meta, TikTok, Hotjar) may involve data transfers to countries outside the European Economic Area. The Controller adopts Standard Contractual Clauses (SCCs) (Art. 46 GDPR) and, where necessary, additional supplementary measures. For more details, please refer to Section 8 of the Privacy Policy.
8. Contacts
For information about cookies or to exercise your privacy rights: legal@vatican.museum