Privacy & Cookie Policy

Data Controller: VIVIFAR SRL — Via Vincenzo Viviani, 2 — 20124 Milan (MI), Italy — VAT 04635370960 — Tel. 0267382931
Last updated: 8 May 2026

PRIVACY POLICY

1. Introduction

VIVIFAR SRL ("the Controller", "we", "us") processes the personal data of users who visit the website www.ristoranteallacadrega.it (the "Site") in accordance with the EU General Data Protection Regulation 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by D.Lgs. 101/2018.

This Privacy Policy describes what personal data we collect, for what purposes, on what legal basis, and for how long we retain it, together with the rights you can exercise as a data subject.

2. Categories of data processed

• Browsing data: IP address, browser and operating system type, pages visited, access time, referring URL. Collected automatically by servers and hosting infrastructure.
• Data voluntarily provided by the user:
  • Contact form: name, email address, phone number (optional), message text.
  • Table reservations: first name, last name, email address, phone number, preferred date/time, number of guests, special requests, privacy consent, marketing consent (optional).
  • Reviews: name, email address, rating and comment.
• Analytics data (with consent): aggregated and anonymous data on visits, devices and traffic sources collected via Umami Analytics and Google Analytics 4.
• Marketing and ad-measurement data (with consent): advertising cookie identifiers, conversion events (e.g. form submissions, phone-number clicks), Google Click ID (GCLID), Facebook Click ID (fbclid) and pages visited, collected via Google Ads and Meta Pixel for campaign measurement and remarketing purposes.

3. Purposes and legal bases for processing

4. Third-party services

The Site uses the following third-party services, which may process users' personal data as independent data controllers or processors:

4.1 Cloudflare Workers — Hosting and CDN

• Provider: Cloudflare, Inc. (USA)
• Purpose: Site hosting, content delivery and security (DDoS protection, global CDN)
• Data processed: IP address, traffic data, HTTP headers
• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
• Privacy policy: cloudflare.com/privacypolicy

4.2 Cloudflare Google Tag Gateway — First-party delivery of Google tags

• Provider: Cloudflare, Inc. (USA)
• Purpose: First-party (same-origin) delivery of Google's gtag.js script used by Google Analytics 4 and Google Ads, in order to improve loading performance and reduce the impact of ad-blockers. Requests are forwarded to Google's servers without Cloudflare using the data for its own purposes
• Data processed: HTTP request metadata (IP address, user-agent, referrer) processed transiently for proxying
• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for the proxy mechanism itself; Consent (Art. 6(1)(a)) governs the actual activation of the underlying Google tools through Google Consent Mode v2
• Privacy policy: cloudflare.com/privacypolicy

4.3 Umami Analytics — Traffic analysis

• Provider: Umami Software Inc. (USA)
• Purpose: Anonymous statistical analysis of Site visits (visitor counts, page views, traffic sources, devices)
• Data processed: Anonymised IP address, device/browser type, pages visited, traffic source. No identifying cookies.
• Legal basis: Consent (Art. 6(1)(a) GDPR) — activated only after user consent is given
• Privacy policy: umami.is/privacy

4.4 Google Analytics 4 — Advanced traffic analysis

• Provider: Google Ireland Limited / Google LLC (USA)
• Purpose: Analysis of user behaviour, conversion measurement, navigation paths and content effectiveness
• Data processed: IP address (anonymised), cookie identifiers (_ga, _ga_6HKNF4PSE8), pages visited, interaction events, device/browser type, traffic source
• Legal basis: Consent (Art. 6(1)(a) GDPR) — activated only upon the user's explicit consent. When consent is denied, only aggregated cookieless signals are sent to Google (Google Consent Mode v2) to allow statistical traffic modelling
• Privacy policy: policies.google.com/privacy

4.5 Google Ads — Conversion measurement and remarketing

• Provider: Google Ireland Limited / Google LLC (USA)
• Purpose: Measuring conversions of Google Ads campaigns (e.g. contact-form submissions, phone-number clicks) and building remarketing audiences for personalised advertising
• Data processed: IP address, cookie identifier (_gcl_au), Google Click ID (GCLID), conversion events, pages visited
• Legal basis: Consent (Art. 6(1)(a) GDPR) — activated only upon the user's explicit consent for the "Marketing" category. When consent is denied, only aggregated cookieless signals are sent to Google (Google Consent Mode v2)
• Privacy policy: policies.google.com/privacy

4.6 Meta Pixel — Conversion measurement and remarketing (Facebook/Instagram)

• Provider: Meta Platforms Ireland Limited / Meta Platforms, Inc. (USA)
• Purpose: Measuring conversions of advertising campaigns on Facebook and Instagram (e.g. contact-form submissions, phone-number clicks) and building custom audiences for remarketing
• Data processed: IP address, cookie identifier (_fbp), Facebook Click ID (fbclid), conversion events, pages visited
• Legal basis: Consent (Art. 6(1)(a) GDPR) — activated only upon the user's explicit consent for the "Marketing" category
• Privacy policy: facebook.com/privacy/policy

4.7 jsDelivr CDN — Consent management library

• Provider: Prospect One sp. z o.o. (Poland / EU)
• Purpose: Delivery of the cookie consent banner software (CookieConsent v3)
• Data processed: IP address, user-agent (standard CDN access logs)
• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
• Privacy policy: jsdelivr.com/privacy-policy-jsdelivr-net

4.8 Web3Forms — Contact form

• Provider: Web3Forms (USA)
• Purpose: Receiving and forwarding by email the contact requests submitted by the user
• Data processed: Name, email address, phone number (if provided), message text
• Legal basis: Pre-contractual measures / Legitimate interest (Art. 6(1)(b)(f) GDPR)
• Privacy policy: web3forms.com/privacy

4.9 Cadrega Reservation System (Railway.app)

• Provider: Proprietary service hosted on Railway Corp. infrastructure (USA)
• Purpose: Managing table reservations and collecting customer reviews
• Data processed: First name, last name, email address, phone number, preferred date/time, number of guests, special requests, ratings and comments
• Legal basis: Performance of contract / Consent (Art. 6(1)(a)(b) GDPR)
• Railway privacy policy: railway.app/legal/privacy

4.10 Google Maps — Interactive map

• Provider: Google Ireland Limited / Google LLC (USA)
• Purpose: Displaying an embedded map showing the restaurant's location on the Contact page
• Data processed: IP address, map interaction data, Google cookies
• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
• Privacy policy: policies.google.com/privacy

4.11 YouTube — Video content

• Provider: Google Ireland Limited / Google LLC (USA)
• Purpose: Playback of videos embedded in blog articles
• Data processed: IP address, video usage data, YouTube cookies (including profiling cookies if the user is signed into a Google account)
• Legal basis: Consent (Art. 6(1)(a) GDPR)
• Privacy policy: policies.google.com/privacy

5. International transfers

Several service providers listed above are based in the United States or other countries outside the European Economic Area (EEA). Transfers of personal data to such countries take place in compliance with the safeguards required by Chapter V of the GDPR, specifically through:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR);
• The EU-US Data Privacy Framework, where the provider has self-certified.

US-based providers: Cloudflare, Inc., Umami Software Inc., Web3Forms, Railway Corp., Google LLC, Meta Platforms, Inc.

6. Recipients of data

Personal data is not sold or transferred to third parties for their own marketing purposes. Data may be shared with:

• Technical service providers acting as data processors (listed in section 4);
• Public, judicial or supervisory authorities, where required by law.

7. Your rights as a data subject

Under Articles 15–22 of the GDPR, you have the right to:

• Access (Art. 15): obtain confirmation that your data is being processed and receive a copy;
• Rectification (Art. 16): correct inaccurate or incomplete data;
• Erasure / "Right to be forgotten" (Art. 17): request deletion of your data, subject to legal retention obligations;
• Restriction (Art. 18): restrict processing in certain circumstances provided by law;
• Data portability (Art. 20): receive data you have provided in a structured, machine-readable format;
• Object (Art. 21): object to processing based on legitimate interest;
• Withdraw consent: withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise these rights, please contact us via our contact form. We will respond within 30 days of receiving your request.

You also have the right to lodge a complaint with the Italian data protection supervisory authority:
Garante per la protezione dei dati personali
Piazza Venezia, 11 — 00187 Rome, Italy
www.garanteprivacy.it

8. Information for minors

This Site is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If a parent or guardian believes the Site holds personal information about a child, please contact us immediately via our contact form to request its deletion.

9. Changes to this Policy

We reserve the right to update this Privacy Policy at any time. Changes will be published on this page with a revised date. For material changes, we will provide a prominent notice on the Site.

---

COOKIE POLICY

Effective date: 13 April 2026
Last updated: 13 April 2026

What are cookies?

Cookies are small text files stored on your device when you visit a website. They can be first-party (set directly by the Site) or third-party (set by external domains). This Cookie Policy provides information about cookies used on this Site in compliance with the GDPR and applicable ePrivacy rules.

Strictly necessary cookies (always active)

These cookies are essential for the correct functioning of the Site and cannot be disabled via the preferences panel. They do not collect personally identifiable information.

Analytics cookies (require consent)

These cookies are activated only upon the user's explicit consent via the cookie banner. They are used to understand how visitors interact with the Site in an aggregated and anonymous way.

Marketing cookies (require consent)

These cookies are activated only upon the user's explicit consent via the cookie banner, under the "Marketing" category. They are used to measure the effectiveness of Google Ads campaigns and for remarketing.

Third-party embedded content

Some pages of the Site embed content provided by third parties that may set their own cookies on your device:

• Google Maps (Contact page): Google LLC may collect browsing data and set its own cookies. More information: policies.google.com/technologies/cookies
• YouTube (blog articles): Google LLC may collect video usage data and set profiling cookies, particularly if you are signed into a Google account. More information: policies.google.com/technologies/cookies

Managing your cookie preferences

You can withdraw or update your consent at any time by clicking the button below:

Manage cookie preferences

You can also manage or delete cookies directly in your browser:

• Chrome: support.google.com/accounts/answer/32050
• Safari: support.apple.com — Manage cookies in Safari
• Firefox: support.mozilla.org — Clear cookies in Firefox
• Microsoft Edge: support.microsoft.com — Delete cookies in Edge

Disabling certain cookies may affect your browsing experience. Strictly necessary cookies cannot be disabled via the preferences panel as they are essential for the Site to function.