Privacy Policy

This Privacy Policy explains how we collect, use, store, and protect your personal data when you create an account, manage your membership, and book events on the Tavola Le Piane Wine Club platform (the “Platform”), in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable Italian data protection law (Legislative Decree no. 196/2003 as amended by Legislative Decree no. 101/2018).

Last updated: 26 June 2026

1. Data Controller

The controller responsible for the processing of your personal data is:

LE PIANE SRL

Piazza Matteotti, 2 — 28010 Boca (NO), Italy

P.IVA / Codice Fiscale: 01667410037

Email: info@bocapiane.com

Phone: +39 339 8596388

We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so under Art. 37 GDPR. For any privacy-related request, please use the contact details above.

2. Personal Data We Collect

Depending on how you use the Platform, we process the following categories of data:

Account & authentication data: email address and password (passwords are stored only in encrypted/hashed form by our authentication provider; we never see your password in plain text).
Profile data: first name, last name, phone number, postal address (street, city, postal code, country), and your preferred communication language.
Membership data: membership status, join date, and the date and time on which you accepted our Terms of Service and this Privacy Policy (stored as proof of consent).
Booking data: the events you register for, number of guests, any notes you provide, attendance status, and payment status (e.g. pending / paid).
Communication data: the content of the transactional emails we send you (e.g. booking and payment confirmations) and any correspondence you send us.
Technical & usage data: data automatically generated when you use the site, such as IP address, browser/device information, and aggregated, privacy-friendly usage statistics.

Source of data. We collect personal data directly from you when you register, complete your profile, or make a booking. Technical and usage data is generated automatically through your use of the Platform.

We do not collect or store credit card or other payment-card data, and we do not process special categories of data (Art. 9 GDPR). Membership and event fees are paid by manual bank transfer (see our Terms of Service).

3. Purposes and Legal Bases of Processing

We process your personal data for the following purposes and on the following legal bases (Art. 6 GDPR):

To create and manage your membership and bookings — performance of a contract with you (Art. 6(1)(b)).
To send transactional emails (booking confirmations, payment instructions and confirmations, event updates) — performance of a contract (Art. 6(1)(b)).
To keep the Platform secure and functioning and to understand aggregate usage — our legitimate interests in operating and improving a safe, reliable service (Art. 6(1)(f)).
To comply with legal obligations, in particular accounting, tax, and invoicing duties under Italian law — legal obligation (Art. 6(1)(c)).
Where you give consent (for example by accepting our Terms and this Policy at registration, or joining an optional channel such as a WhatsApp group) — consent (Art. 6(1)(a)), which you may withdraw at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Recipients and Processors

We share your personal data only with service providers (“processors”) that help us run the Platform, and only to the extent necessary. Each acts on our instructions under a data processing agreement pursuant to Art. 28 GDPR. Our main processors are:

Provider	Purpose	Location
Supabase	Authentication, database, and file storage (hosting of your account, profile, and booking data)	Switzerland (Zurich)
Resend	Delivery of transactional emails	EU / USA
Vercel	Website hosting and privacy-friendly traffic analytics	EU / USA
Google Fonts	Loading of website typography	USA
Google Maps	Display of event location maps (when shown)	USA
WhatsApp (Meta)	Optional member group — only if you choose to join	EU / USA

We may also disclose data to public authorities, courts, or professional advisers (e.g. our accountant) where required by law or necessary to establish, exercise, or defend legal claims. We do not sell your personal data or share it for third-party advertising.

5. International Data Transfers

Your core account and booking data is hosted in Switzerland (Zurich). Although Switzerland is outside the EU/EEA, the European Commission has issued an adequacy decision for Switzerland, meaning it offers a level of data protection deemed equivalent to that of the GDPR; transfers there therefore require no additional safeguards. Some of our other processors may process data outside the EU/EEA (e.g. in the United States). Where this happens, the transfer is safeguarded by appropriate measures recognised under Chapter V of the GDPR, such as the European Commission’s Standard Contractual Clauses and/or an adequacy framework. You may request a copy of the relevant safeguards using the contact details in Section 1.

6. Data Retention

We keep your personal data only for as long as necessary for the purposes described above, and in particular:

Account and profile data — for the duration of your membership. After your membership ends or you request deletion, this data is deleted or anonymised within 12 months, unless a longer statutory retention period applies.
Booking, payment, and invoicing records — retained for 10 years from the end of the relevant financial year, as required by Italian civil and tax law (Art. 2220 of the Italian Civil Code and applicable tax provisions).
Consent records (the date you accepted our Terms and Privacy Policy) — retained for the duration of your membership and for up to 5 years thereafter, to demonstrate compliance.
Technical and usage data — retained only in aggregated or short-lived form and not used to build individual profiles.

When data is no longer needed, it is securely deleted or irreversibly anonymised. Deleting your account removes your profile and cascades to associated records, subject to the legal retention periods above.

7. Your Rights

Under the GDPR you have the right to:

access your personal data (Art. 15);
request correction of inaccurate or incomplete data (Art. 16);
request erasure of your data (“right to be forgotten”, Art. 17);
request restriction of processing (Art. 18);
receive your data in a portable, machine-readable format (Art. 20);
object to processing based on our legitimate interests (Art. 21);
withdraw any consent you have given, at any time (Art. 7(3)).

You can exercise many of these rights directly in your account (e.g. by editing or deleting your profile), or by contacting us at info@bocapiane.com. We will respond without undue delay and in any event within one month, as required by Art. 12 GDPR. You also have the right to lodge a complaint with the Italian Data Protection Authority, the Garante per la protezione dei dati personali (garanteprivacy.it), or with the supervisory authority of your country of residence.

8. Cookies and Sessions

We use strictly necessary cookies to keep you logged in and to secure your session (set by our authentication provider). These are essential for the Platform to function and do not require consent. We also use privacy-friendly analytics to understand aggregate, non-identifying usage of the site. We do not use advertising, profiling, or cross-site tracking cookies.

9. Data Security

We use technical and organisational measures appropriate to the risk (Art. 32 GDPR) to protect your data, including encryption in transit (TLS), hashed password storage, strict access controls, and row-level security on our database. In the event of a personal data breach likely to result in a risk to your rights, we will notify the competent authority and, where required, affected users in accordance with Art. 33–34 GDPR. No system is completely secure, but we work continuously to protect your information against unauthorised access, loss, or misuse.

10. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR.

11. Is Provision of Data Mandatory?

Providing your account and profile data is necessary to enter into and perform the membership contract and to process your bookings. If you choose not to provide the required data, we will not be able to create your account, confirm your membership, or register you for events.

12. Minors

The Platform is intended for adults. Because membership involves wine and alcohol-related events, you must be at least 18 years old to register. We do not knowingly collect data from minors; if you believe a minor has provided us with data, please contact us so we can delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our processing or in the law. The current version, with its “Last updated” date, is always available on this page. Where changes are material, we will inform you by appropriate means (e.g. email or a notice on the Platform) before they take effect.

14. Contact

For any question about this Policy or to exercise your rights, contact us at info@bocapiane.com or by post at the address in Section 1.