Privacy Policy
Florence.city is operated by AI EDGE CONSULTING S.R.L. (the "Controller"), a società unipersonale registered in Italy. This Privacy Policy explains what data we process when you visit Florence.city, why we process it, and what rights you have under the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and Italian Codice Privacy (D.Lgs. 196/2003 as amended).
What we don't do
Before we describe what we do, here is what Florence.city does NOT do:
- We do not run tracking pixels or behavioural advertising. We use a privacy-preserving aggregate analytics feature provided by our hosting provider — see 'What we do process' below.
- We do not set non-essential cookies. No advertising or analytics cookies. No fingerprinting.
- We do not collect or process email addresses for marketing purposes.
- We do not sell, rent, or share personal data with advertisers.
- We do not create user accounts or store user-generated content.
- We do not profile visitors or make automated decisions about them.
What we do process
When you visit Florence.city, the following limited data is processed:
Server logs. Our hosting provider (Vercel) automatically logs the IP address, browser user-agent, page requested, response status code, and timestamp of each request. This is standard for any web service and is used to detect abuse (rate limits, bot traffic, security incidents) and to diagnose technical issues.
Aggregate analytics. We use Vercel Web Analytics, a privacy-preserving analytics feature provided by our hosting provider. It collects anonymous, aggregated page-view data using a stateless server-side hash that is regenerated daily — meaning visitors cannot be tracked across days, no cookies are set on the visitor's device, and no personal identifiers are stored. The data we see is limited to: page URL, country (derived from IP, then IP discarded), device type (desktop/mobile/tablet), browser, and referrer. We use this to understand overall site traffic volume and content popularity. We do not associate this data with any individual visitor.
Error reports. When the site encounters an unexpected error in your browser, our error-tracking provider (Sentry) captures the error context — page URL, browser type, error stack trace, and recent action breadcrumb. This helps us identify and fix bugs. We use this only for site reliability; we don't profile visitors. Sentry may capture your IP for geographic context; we configure the SDK to send only essential error details (sendDefaultPii: false, no session replay, low trace sampling). Errors are retained for 30 days, then automatically deleted.
Search queries. When you use the search bar, your typed query is sent to our search service (Typesense) to return matching places. We do not associate search queries with your identity, store them long-term against your IP, or use them for any purpose beyond returning results.
Map tile requests. When you view a map, your browser requests map tiles from our map provider (MapTiler). MapTiler sees the bounding-box coordinates of the tiles you load and your IP address. Their processing is governed by their own privacy policy: https://www.maptiler.com/privacy-policy/
Strictly necessary cookies. Our hosting provider may set technical cookies for routing, caching, and abuse-prevention. These are exempt from prior-consent requirements under Article 122 of the Italian Codice Privacy (D.Lgs. 196/2003, as amended by D.Lgs. 69/2012 implementing the ePrivacy Directive 2009/136/EC) because they are strictly necessary for the service. We do not set any other cookies.
Legal basis for processing
We rely on legitimate interest (GDPR Art. 6(1)(f)) for server logging, search query processing, and security. The legitimate interest is operating and securing the website. The processing is minimal, transient, and presents no significant risk to your rights.
We rely on the strictly-necessary exemption (ePrivacy Directive Art. 5(3), implemented in Italy as Codice delle Comunicazioni Elettroniche Art. 122 co. 1) for the technical cookies described above.
How long we keep your data
| Data | Retention |
|---|---|
| Server access logs (Vercel) | Vercel's runtime log retention — between 1 hour and 3 days depending on plan, after which logs are automatically deleted unless exported. Florence.city does not currently use Vercel Log Drains or extended-retention add-ons. |
| Search queries (Typesense) | Processed in-memory to return results; not stored long-term. |
| Strictly-necessary cookies | Session-scoped or shorter, per provider defaults. |
| Error reports (Sentry) | 30 days, then automatically deleted per Sentry retention defaults. |
Third parties (data processors)
The following third parties process data on our behalf:
| Provider | Role | Location of processing | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Hosting, edge network, server logs, privacy-preserving aggregate analytics | United States (with EU edge nodes) | Standard Contractual Clauses (Art. 46 GDPR) per Vercel's Data Processing Addendum |
| Fly.io (Fly Cloud Application Hosting, Inc.) | Search-index runtime infrastructure | European Union (Frankfurt, Germany — `fra` region) | Processing occurs within the EU. Underlying provider is US-incorporated; transfer governed by Standard Contractual Clauses per Fly.io DPA. |
| Typesense Inc. | Search engine software (deployed on Fly.io infrastructure above) | Same as Fly.io above (EU/Frankfurt) | Same as above — Typesense is the software; Fly.io is the infrastructure processor |
| MapTiler AG | Map tile serving | Switzerland | EU Commission adequacy decision (26 July 2000) — Switzerland is recognised as providing equivalent protection. See MapTiler's privacy policy: https://www.maptiler.com/privacy-policy/ |
| Google LLC (Places API) | Place data (server-to-server only) | United States | Standard Contractual Clauses per Google Cloud DPA |
| Sentry Inc. | Error tracking + performance monitoring | United States | Standard Contractual Clauses (Art. 46 GDPR) per Sentry's Data Processing Addendum |
We do not pass any visitor personal data to Google Places. Google Places data flows server-to-server from our backend during periodic data refreshes and never carries individual visitor identifiers.
We do not use Vercel Speed Insights or other opt-in Vercel telemetry beyond privacy-preserving Web Analytics described above. Other Vercel processing is limited to server access logs and aggregate analytics as described in 'What we do process'.
Your rights under GDPR
You have the following rights regarding your personal data:
- Access (Art. 15) — confirmation of whether we process data about you and, if so, a copy.
- Rectification (Art. 16) — correction of inaccurate data.
- Erasure (Art. 17) — deletion of your data ("right to be forgotten"), subject to the exceptions in GDPR.
- Restriction (Art. 18) — limitation of processing pending a dispute.
- Objection (Art. 21) — objection to processing based on legitimate interest, including profiling (we do not profile).
- Portability (Art. 20) — receipt of your data in a structured, machine-readable format, where processing is based on consent or contract (note: we do not process data on those legal bases, so this right will generally not apply to our processing).
To exercise any of these rights, contact us at contact@florence.city. We will respond within 30 days (extendable by an additional 60 days for complex requests, with notification).
You also have the right to lodge a complaint with the Italian Data Protection Authority:
Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Roma
https://www.garanteprivacy.it
Data Protection Officer
We are not required to appoint a Data Protection Officer (DPO) under GDPR Art. 37 because our core activities do not consist of large-scale processing of special-category data, systematic monitoring of data subjects, or public-authority activity. Privacy questions can be directed to contact@florence.city.
Children
Florence.city is a general-audience tourism information site. It is not directed at children under 16 and we do not knowingly process personal data from children. If you believe a child has interacted with our service and you wish their data to be deleted, contact us.
Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our processing or in applicable law. The effective date at the bottom of this page indicates the version. Material changes will be highlighted at the top of this page for at least 30 days.
Controller
AI EDGE CONSULTING S.R.L. (società unipersonale)
Viale Spartaco Lavagnini 70/72, 50129 Firenze (FI), Italia
C.F. / P. IVA: 07413890489
PEC: aiedge@legalmail.it
Email: contact@florence.city
Last updated: 2026-06-02