Italiano
Español
Français
Deutsch
Nederlands
Polski
Português
Português do Brasil
Pусский
日本語
简体中文
한국어
Bahasa IndonesiaThis is an independent tourist guide. We are not affiliated with or endorsed by the Vatican Museums.
Privacy Policy
pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)
Last updated: 07/02/2026
1. Data Controller
Culturae Heritage Services srls (hereinafter also the “Controller”), with registered office at Via dei Banchi 6, 50123 Florence (FI), Italy, VAT No. IT07519170489, Tax Code 07519170489, REA FI-709102.
Privacy contact: legal@vatican.museum
The Controller has not appointed a Data Protection Officer (DPO) as it does not fall within the mandatory cases set out in Article 37 GDPR (the Controller does not carry out large-scale processing of special categories of data, nor regular and systematic large-scale monitoring). For any request regarding the protection of personal data, please write to the address indicated above.
2. Scope of Application
This privacy notice describes how the Controller processes the personal data of users (hereinafter “User” or “Data Subject”) who visit and interact with the website vatican.museum (hereinafter the “Website”) and with the other websites owned by the Controller.
This notice applies to all processing carried out through the Website, including contact forms, registration systems, statistical analysis services (analytics), advertising and conversion measurement tools, anti-spam and security systems, and communication services (newsletter, transactional emails), activated exclusively with the User’s prior consent where required by law, through the Consent Management Platform (CMP) integrated into the Website.
The Website is editorial and informational in nature. The Controller is not a tour operator, travel agency, or travel intermediary under applicable law. For more details on the nature of the service, please refer to the Disclaimer and the Terms and Conditions of Use.
3. Types of Data Processed
3.1 Browsing and technical data
During normal browsing, the computer systems and software procedures used to operate the Website automatically acquire certain data, the transmission of which is implicit in the use of Internet communication protocols. Such data includes: IP address, browser type and version, operating system, language, requested URLs, date and time of requests, HTTP method, server response code, technical session identifiers, security events.
3.2 Data voluntarily provided by the User
Personal data that the User voluntarily provides through contact forms, registration forms, or direct email may include:
- first name and last name;
- email address;
- phone number;
- country of origin;
- free text message content;
- login credentials (email and password) in case of registration;
- any other information the User voluntarily chooses to provide.
3.3 Data collected through cookies and similar technologies
The Website uses cookies and similar technologies (local storage, pixels, tags) to collect online identifiers and information about the use of the Website, in accordance with the preferences expressed by the User through the CMP. For full details, please refer to the Cookie Policy.
3.4 Data related to advertising campaigns and affiliations
In the context of digital marketing activities, campaign tracking parameters (e.g. gclid, fbclid, msclkid, ttclid, utm_* parameters) and aggregate conversion measurements may be collected, always in accordance with the User’s expressed consents.
3.5 Data related to bookings
When the User books a tour or experience through the Website, data related to the transaction (booking status, voucher references) may be processed by the Controller solely for sending transactional communications (e.g. booking confirmation, status changes, voucher availability). Payment data (credit cards, bank details, security codes) is never collected, processed, or stored by the Controller, as it is managed exclusively by the third-party partner responsible for payment processing (see Section 7).
3.6 Data related to newsletters and commercial communications
If the User subscribes to the newsletter, the Controller collects the User’s email address and any thematic preferences. Subscription is optional and occurs exclusively with the User’s explicit prior consent.
3.7 Mandatory or optional nature of data provision
The provision of browsing data is necessary for the technical operation of the Website. The provision of data in contact and registration forms is optional; however, failure to provide the data marked as mandatory (e.g. name, email) may make it impossible for the Controller to respond to the User’s request, create the account, or provide the requested service.
Consent to cookies and analytics, marketing, and profiling technologies is entirely optional, and the refusal to provide such consent does not in any way affect the browsing of the Website or access to its content.
4. Purposes, Legal Bases, and Retention Periods
The Controller processes personal data for the purposes described in the table below. Where indicated, processing occurs exclusively with the User’s prior express consent.
The retention periods indicated are reasonable maximums and may be reduced in application of the storage limitation principle (Article 5(1)(e) GDPR).
Where processing is based on the Controller’s legitimate interest (Art. 6(1)(f) GDPR), the Controller has carried out a balancing assessment (Legitimate Interest Assessment — LIA) to ensure that its legitimate interest does not override the rights and fundamental freedoms of the Data Subjects. The User may request a copy of such assessment by writing to the contacts indicated in Section 1.
| Purpose | Data | Legal Basis | Retention | Notes |
|---|---|---|---|---|
| Website operation, technical functioning, security, fraud and abuse prevention | Browsing data, technical logs, IP | Legitimate interest (Art. 6(1)(f) GDPR) — LIA conducted | Up to 12 months | Extendable in case of investigations or litigation |
| Handling requests via contact form or email | Data provided by the User | Performance of pre-contractual measures (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)) — LIA conducted | Up to 24 months from last interaction | Subject to legal obligations or pending litigation |
| Account registration and reserved area management | Name, surname, email, password, phone, country | Performance of contract (Art. 6(1)(b) GDPR) | For the duration of the account + 12 months | Deletion upon User request |
| Transactional communications related to bookings | Email, booking data, voucher status | Performance of contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) — LIA conducted | Up to 24 months from booking | Transactional emails only, no marketing |
| Legal and tax obligations, litigation management | Data necessary for legal obligations and defense | Legal obligation (Art. 6(1)(c)) and/or legitimate interest (Art. 6(1)(f)) | Up to 10 years or applicable limitation period | |
| Statistical analysis and measurement (Google Analytics, Hotjar, Microsoft Clarity) — with consent only | Cookies/IDs, usage events, technical data | Consent (Art. 6(1)(a) GDPR) | Per Cookie Policy (typically 14–26 months) | Revocable at any time |
| Advertising, remarketing, conversions (Google Ads, Bing Ads, Meta/Facebook, TikTok, Instagram) — with consent only | Cookies/IDs, events, campaign parameters | Consent (Art. 6(1)(a) GDPR) | Marketing: up to 24 months; profiling: up to 12 months | Revocable at any time |
| Anti-spam and anti-bot security (Google reCAPTCHA v3) | IP, behavioral data, _GRECAPTCHA cookie | Legitimate interest (Art. 6(1)(f) GDPR) — LIA conducted | Duration of verification session | From April 2, 2026 Google acts as Data Processor. Technical/necessary cookie. |
| Newsletter and commercial communications — with consent only | Email, thematic preferences | Consent (Art. 6(1)(a) GDPR) | Until consent is withdrawn | List cleanup after 24 months of inactivity |
| Collection and publication of reviews | Name/nickname, review text, date | Consent (Art. 6(1)(a)) and legitimate interest (Art. 6(1)(f)) | For the duration of publication on the Website | Removal upon User request |
5. Cookies and Consent Management Platform (CMP)
The Website uses a Consent Management Platform (CMP) compliant with Google Consent Mode v2 (mandatory since March 2024 for European advertisers), which allows the User to:
- accept, reject, or customize categories of non-technical cookies and tools;
- change their preferences at any time through the “Manage cookie preferences” tool accessible on the Website;
- be informed that analytics, marketing, and profiling cookies and technologies are activated only after valid consent has been obtained.
Preventive blocking: no cookie or non-strictly-necessary technology is installed on the User’s device before the User has expressed their consent through the CMP. In the absence of consent, only technical/necessary cookies are active.
Consent withdrawal: the User may withdraw consent at any time with the same ease with which it was given, through the “Manage cookie preferences” tool accessible on the Website, without affecting the lawfulness of processing based on consent given prior to withdrawal (Art. 7(3) GDPR).
Technical/necessary cookies (including Google reCAPTCHA’s _GRECAPTCHA cookie) do not require consent and are active by default, as they are essential for the operation and security of the Website.
For full details, including the complete list of cookies used, please refer to the Cookie Policy.
6. Data Recipients
Personal data may be disclosed to the following parties, acting as Data Processors (Art. 28 GDPR), independent Controllers, or authorized persons:
IT and hosting service providers
- OVH SAS (OVHcloud): hosting, dedicated servers, infrastructure — datacenter in Limburg, Germany (EEA). Acts as Data Processor pursuant to Art. 28 GDPR.
Analytics, advertising, and security service providers (activated per CMP consents)
- Google Ireland Ltd / Google LLC: Google Tag Manager, Google Analytics 4, Google Ads (conversions/remarketing), Google reCAPTCHA v3.
- Microsoft Corporation / Microsoft Ireland Operations Ltd: Bing Ads (UET), Microsoft Clarity.
- Meta Platforms Ireland Ltd / Meta Platforms Inc.: Facebook Pixel, Instagram Ads.
- TikTok Technology Ltd / ByteDance Ltd: TikTok Pixel.
- Hotjar Ltd: behavioral analysis and heatmaps.
Communication service providers
- Amazon Web Services EMEA SARL (AWS): Amazon SES and SNS for transactional emails and newsletter — region eu-west-1 (Ireland, EEA). Acts as Data Processor pursuant to Art. 28 GDPR.
Commercial partners (independent Controllers)
- Viator Inc. (Tripadvisor Group): partner for booking and payment of tours and experiences via iframe integration. Viator acts as independent Data Controller for payment data and for the provision of the tourism service.
- GetYourGuide Deutschland GmbH: affiliate partner for tours and experiences.
- LivTours: affiliate partner for tours and experiences.
When the User is redirected to third-party partner websites (affiliate marketing), the processing of the User’s personal data will be governed by the respective partner’s privacy policy.
Other recipients
- Legal, tax, and commercial advisors, as Processors or authorized persons.
- Competent authorities, when required by law.
The Controller does not sell Users’ personal data.
7. Payments Through Third-Party Partner (Viator)
The Website offers the possibility to purchase tours and experiences directly from its pages. The payment process takes place entirely through an integrated module (iframe) provided by Viator Inc. (Tripadvisor Group).
The Controller does not collect, process, or store the User’s payment data in any way (credit card numbers, bank details, security codes). Such data is acquired, processed, and stored exclusively by Viator, which acts as an independent Data Controller for payment data and for the provision of the tourism service.
The Controller receives from Viator exclusively:
- aggregate and statistical data on conversions;
- information on booking status (for sending transactional communications to the User);
- commercial commissions.
The invoice and voucher for the purchased tour are issued directly by Viator.
For the processing of payment data, please refer to the Viator Privacy Policy.
8. Data Transfers Outside the EEA
Some providers (particularly groups headquartered in the United States) may involve the transfer of personal data to countries outside the European Economic Area (EEA). In such cases, the Controller adopts adequate safeguards pursuant to Articles 44 et seq. of the GDPR, including:
- Standard Contractual Clauses (SCCs) of the European Commission (Art. 46(2)(c) GDPR), in the updated version (Q2 2025), and, where necessary, Transfer Impact Assessments (TIA) and supplementary measures in accordance with EDPB Recommendations 01/2020;
- adequacy decisions of the European Commission, where available (e.g. EU-U.S. Data Privacy Framework for certified entities in the USA);
- additional technical and organizational measures (data minimization, pseudonymization, encryption in transit and at rest, access segregation).
The main providers subject to extra-EEA transfers include: Google LLC, Meta Platforms Inc., Microsoft Corporation, TikTok/ByteDance, Amazon Web Services Inc., Viator Inc.
The User may request information on the specific safeguards adopted and a copy of the applicable SCCs by writing to the contacts indicated in Section 1.
9. Data Subject Rights
The User may exercise at any time the rights provided by Articles 15–22 of the GDPR:
- right of access to personal data (Art. 15);
- right to rectification and update (Art. 16);
- right to erasure (“right to be forgotten”), where applicable (Art. 17);
- right to restriction of processing (Art. 18);
- right to data portability, where applicable (Art. 20);
- right to object, particularly to processing based on legitimate interest (Art. 21); in case of objection, the Controller shall refrain from further processing the data, unless it demonstrates compelling legitimate grounds;
- right not to be subject to decisions based solely on automated processing, including profiling (Art. 22);
- right to withdraw consent at any time, with the same ease with which it was given, without affecting the lawfulness of processing carried out prior to withdrawal (Art. 7(3)).
To exercise your rights, please write to: legal@vatican.museum
The Controller will respond as a rule within 1 month of the request, a period that may be extended up to 3 months in cases of particular complexity or high volume of requests (Art. 12 GDPR). In the event of an extension, the User will be informed within 1 month. The exercise of rights is free of charge, unless requests are manifestly unfounded or excessive (Art. 12(5) GDPR).
9.1 Automated decision-making processes
The Controller does not carry out any fully automated decision-making process, including profiling, that produces legal effects concerning the User or that similarly significantly affects the User (Art. 22 GDPR). The analytics and marketing tools used by the Website are exclusively for aggregate statistical and advertising purposes and do not result in automated individual decisions.
9.2 Complaint to the Supervisory Authority
The User has the right to lodge a complaint with the competent supervisory authority.
For Italy:
Garante per la Protezione dei Dati Personali
Piazza Venezia, 11 — 00187 Roma (RM), Italy
Website: www.garanteprivacy.it
PEC: protocollo@pec.gpdp.it
Phone: (+39) 06 696771
It is also noted that Regulation (EU) 2025/2518, published in November 2025 and applicable from 15 months after publication, introduces new procedural rules to improve cooperation between European data protection authorities in cross-border cases, providing further safeguards for Data Subjects’ rights.
10. Google reCAPTCHA v3 — Specific Notice
The Website uses Google reCAPTCHA v3, an anti-spam and anti-bot protection service provided by Google Ireland Ltd / Google LLC, activated exclusively on pages containing forms.
From April 2, 2026, in accordance with Google’s announcement, reCAPTCHA operates under a model where Google acts as a Data Processor and the Website’s Controller is the Data Controller for data collected through reCAPTCHA.
This means that:
- references to Google’s Privacy Policy and Terms of Service in relation to reCAPTCHA are no longer applicable and have been removed from the Website;
- the processing of data collected by reCAPTCHA is governed by this Privacy Policy and by the Google Cloud Data Processing Addendum;
- reCAPTCHA sets a necessary cookie (_GRECAPTCHA) for its risk analysis, classified as a technical/necessary cookie that does not require consent.
Data collected by reCAPTCHA may include: IP address, behavioral data (mouse movements, interaction patterns), browser and device information. Such data is used exclusively for security and fraud prevention purposes.
11. Minors
The Website is not intended for individuals under the age of 16 (threshold established by Art. 2-quinquies of Legislative Decree 196/2003 for Italy). The Controller does not intend to knowingly collect personal data from minors. If a parent or guardian believes that data of a minor has been collected without the necessary consent, they may contact the Controller at the details indicated in Section 1 to request prompt deletion.
12. Security Measures
The Controller adopts appropriate technical and organizational measures to protect personal data from unauthorized access, loss, destruction, or alteration (Art. 32 GDPR), including: encrypted communications (HTTPS/TLS), authenticated access with minimum privileges, periodic backups, security updates, access monitoring, security incident management procedures.
13. Changes to This Privacy Policy
The Controller reserves the right to update this Privacy Policy at any time. The date of the last update is indicated at the top. Material changes will be communicated via notice on the Website and, where possible, by email to registered Users. The User is invited to periodically consult this page.
14. Applicable Law and Jurisdiction
This privacy policy is governed by Regulation (EU) 2016/679 (GDPR), Directive 2002/58/EC (ePrivacy), Italian personal data protection legislation (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018), as well as by applicable Provisions and Guidelines of the Garante per la Protezione dei Dati Personali and the EDPB.
For any dispute relating to the interpretation or application of this policy, the Court of Florence shall have jurisdiction, unless otherwise provided by mandatory consumer protection provisions.