Privacy Policy
Last updated: April 2026 — v3 (GDPR compliance, cookie consent, terms of service)
Data Controller
Alessio Goria
Email: alessio.goria@alessiogoria.com
Website: alessiogoria.com
Purpose of the website
alessiogoria.com is a personal portfolio and travel blog website. It is NOT a travel agency, it does NOT sell travel packages, and it does NOT provide mountain guide or tour guide services. The site serves as a meeting point for people who prepare trips and mountain outings independently. Information about routes, difficulty, and conditions is indicative and based on the author's personal experience. Each user is responsible for their own safety and decisions.
Nature of this website
This is a personal portfolio website. It does not sell products or services and does not profile users for commercial purposes.
Legal basis for processing
Personal data is processed on the following legal bases (Art. 6 GDPR):
• Consent (Art. 6.1.a): for analytics cookies (Google Analytics). Users can give or withdraw consent via the cookie banner.
• Legitimate interest (Art. 6.1.f): for server logs (security) and for technical cookies necessary for the site to function.
• Performance of a contract or pre-contractual measures (Art. 6.1.b): for user account management and account requests.
• Legal obligation (Art. 6.1.c): for data retention required by law.
Data processed and purposes
This website processes the following data:
1. Language preference: stored in the browser's localStorage (Italian/English) to maintain the selected language between visits. Never transmitted to external servers.
2. Cookie preference: stored in the browser's localStorage (cookie_consent) to remember the user's choice regarding analytics cookies.
3. Analytics data (with consent only): if the user accepts analytics cookies, Google Analytics 4 collects aggregated and anonymous visit data (pages viewed, session duration, country of origin, device type). IP addresses are anonymised before being sent to Google.
4. Form data: the site collects data through forms (trip proposals, participation requests, account requests). Data collected includes: name, email, message content. This data is saved in the site's database and used exclusively to manage requests.
5. Authentication data: for registered users, the site stores username, first name, last name, and session tokens. Passwords are encrypted (hashed).
6. Server logs: the web server may automatically record the visitor's IP address, browser type, pages visited, and date/time of access. This data is retained only as long as necessary for the security of the service.
Cookies and tracking technologies
This website uses the following technologies:
TECHNICAL COOKIES / LOCALSTORAGE (always active, legal basis: legitimate interest):
| Name | Type | Duration | Purpose |
|---|---|---|---|
| lang | localStorage | Persistent | Language preference |
| cookie_consent | localStorage | Persistent | Cookie choice |
| auth_token | localStorage | Session | User authentication |
| auth_user | localStorage | Session | User session data |
ANALYTICS COOKIES (with prior consent only, legal basis: consent):
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _ga | Cookie | 2 years | GA4 identifier |
| _ga_* | Cookie | 2 years | GA4 session |
| _gid | Cookie | 24 hours | Session identifier |
Data controller for analytics: Google Ireland Limited.
IP addresses are anonymised (anonymize_ip: true).
Google Privacy Policy: https://policies.google.com/privacy
Users can change or withdraw their consent at any time by clicking "Manage cookies" in the site footer, or by clearing browser data.
Data collected through forms
The site collects personal data through the following forms:
1. Trip/outing proposal form: name, email, title, type, difficulty, date/period, destination, description. Data is saved in the database and visible to the controller for organising activities.
2. Participation form: name, email (optional), preferred date, message. Data is associated with the corresponding proposal.
3. Account request: first name, last name, username. Data is used to create a user account.
Form data is NOT shared with third parties, NOT used for marketing, and NOT sold. Users can request deletion at any time by writing to alessio.goria@alessiogoria.com.
Data retention periods
Personal data is retained for the following periods:
• Analytics data (Google Analytics): 14 months (GA4 default setting)
• Form data (proposals, participations): 2 years from submission date
• Account requests: until processed, maximum 90 days
• Login attempts: 24 hours
• User accounts: while active + 1 year after deactivation
• Server logs: 30 days
• Analytics cookies: see table above
At the end of the indicated periods, data is deleted or anonymised.
Sub-processors
The following third parties process data on behalf of the controller:
• Google Analytics (Google Ireland Limited, Ireland) — Web traffic analysis. Policy: https://policies.google.com/privacy
• Turso / LibSQL (EU) — Database for site data storage.
• Netlify (USA, with EU Standard Contractual Clauses) — Website and serverless functions hosting.
• Aruba S.p.A. (Italy) — Email service.
All sub-processors operate in compliance with GDPR or have signed Standard Contractual Clauses (SCCs) approved by the European Commission.
Social network links
The website contains links to Instagram, Facebook, and LinkedIn profiles. These links open the respective platforms in a new tab. By clicking such links, you are subject to the privacy policies of Instagram (Meta), Facebook (Meta), and LinkedIn. The data controller has no control over data processed by these platforms.
Hosting and security
The website is hosted on Netlify, which ensures data transmission via HTTPS (encrypted connection). Netlify operates in the USA with Standard Contractual Clauses (SCCs) for the transfer of personal data outside the EEA. The hosting provider processes technical access data in compliance with GDPR.
Data breach notification procedure
In the event of a personal data breach, the controller commits to:
1. Assessing the breach within 24 hours of discovery.
2. Notifying the competent Data Protection Authority within 72 hours of discovery, if the breach poses a risk to the rights and freedoms of data subjects (Art. 33 GDPR).
3. Communicating the breach to affected data subjects without undue delay, if the breach poses a high risk to their rights and freedoms (Art. 34 GDPR).
4. Documenting all breaches, including circumstances, consequences, and remedial actions taken.
To report a suspected breach: alessio.goria@alessiogoria.com
User rights
Under Articles 15-22 of the GDPR (EU Regulation 2016/679), every user has the right to:
• access their personal data (Art. 15)
• request rectification (Art. 16) or erasure (Art. 17)
• restrict processing (Art. 18)
• object to processing (Art. 21)
• request data portability (Art. 20)
• withdraw consent at any time (Art. 7.3)
• lodge a complaint with the relevant data protection authority
The controller commits to responding within 30 days of the request.
To exercise these rights, write to: alessio.goria@alessiogoria.com
Intellectual property and photographic copyright
All photographs on this website are the exclusive property of Alessio Goria and are protected by copyright law (Italian Law no. 633 of 22 April 1941 and subsequent amendments, as well as EU Regulation no. 2019/790).
Without prior written authorisation from the rights holder, it is strictly prohibited to:
• reproduce, copy, download or save the photographs by any means
• publish, share or redistribute the photographs on websites, social networks or other channels
• use the photographs for commercial or non-commercial purposes
• modify, adapt or create derivative works from the photographs
Any unauthorised use constitutes copyright infringement and may be prosecuted under applicable civil and criminal law.
For usage requests, licences or permissions: alessio.goria@alessiogoria.com
Changes to this policy
The data controller reserves the right to modify this policy at any time. Changes will be published on this page with an updated date at the top of the document.