Privacy Policy

PRIVACY POLICY – MAMA FLORENCE

(in accordance with EU Regulation 2016/679 – GDPR)

Last updated: April 29, 2026

1. Data Controller

The Data Controller is:
Le Baccanti Tours Srl
Registered office: Viale Francesco Petrarca 24R, 50124 Florence (FI), Italy
VAT No.: IT05446100488
Email: [email protected]

(hereinafter “Controller” or “Mama Florence”)

2. Scope of Application

This Privacy Policy applies to personal data processed through:

the website www.mamaflorence.com
any connected applications or digital services
integrations with third-party platforms, including ChatGPT (OpenAI) through our MCP (Model Context Protocol) server

3. Types of Data Collected

3.1 Data provided by the user

First and last name
Email address
Phone number
Postal address
Optional company name
Booking information (date, time, number of adults and children, chosen experience)
Billing data
Content of messages or requests
Dietary requirements (allergies/intolerances), if voluntarily provided

3.2 Technical and usage data

IP address
Device and browser information
Usage data
Technical and security logs

3.3 Data collected via third-party services

The website may use services such as:

Google Analytics
Meta (Facebook / Instagram Ads)
Stripe (payments)
HubSpot CRM
Zoho Campaigns / Mailgun
Cloudflare

4. Purpose of Processing

Personal data is processed for the following purposes:

a) Service provision

managing bookings
responding to user requests
customer support

b) Legal obligations

invoicing
tax and administrative compliance

c) Food safety

management of allergies and dietary requirements

Note: while all reasonable precautions are taken, cross-contamination cannot be fully excluded.

d) Marketing (optional)

newsletters
promotional communications

e) Analytics and improvement

service optimization
usage analysis

f) Security

fraud prevention
system protection

5. Use of OpenAI — ChatGPT App and MCP tools

For certain digital functionalities the Controller operates an MCP (Model Context Protocol) server that allows the Mama Florence App inside ChatGPT to perform operations on behalf of the user. The following sections specifically describe which data is transmitted to our server through ChatGPT, how we process it, with whom we share it, and for how long we retain it.

5.1 Scope of this section

This section applies exclusively to interactions taking place through the integration with ChatGPT. For direct interactions with the website, the other sections of this Privacy Policy continue to apply.

5.2 Data we may receive through ChatGPT

Depending on the function used in the App, we may receive the following categories of data, as inputs to our MCP tools:

Experience search parameters (tool: experience search) — start date, end date and number of adult participants. These data do not identify the user and are used only to filter our catalogue.
Experience identifier (tool: experience details) — the product identifier of the requested class or tour.
Booking data (tool: booking request), submitted via the App’s widget — first name, last name, email address, phone number, postal address, optional company name, requested date and time, number of adults, optional number of children, and the identifier of the chosen experience.

We do not receive, through ChatGPT, the full content of the user’s conversation: ChatGPT only forwards to our tools the parameters strictly required to execute the function the user has requested. Through this integration we do not collect payment data, login credentials, identity documents, health data or other special categories of personal data within the meaning of Art. 9 GDPR.

5.3 Data we may return to ChatGPT

In response to the user’s requests, our tools return to ChatGPT (and the App’s widget displays):

Experience search results: a list of available products with title, type, duration, starting price, description, languages, illustrative images, available dates and time slots, and remaining seats per slot.
Details of a single experience: the same set of information enriched with a full description.
Booking confirmation: the identifier of the booking request recorded in our systems.
Technical error messages when the system is unable to complete the request.

Responses do not include personal data of other users.

5.4 Specific purposes for ChatGPT/MCP data

Data received through the App is processed for:

Providing the requested functionality — experience search, viewing details, registering booking requests (legal basis: performance of a contract or pre-contractual measures, Art. 6(1)(b) GDPR).
Managing the subsequent organisation of the booked experience — contacting the user by email or phone to confirm, communicate changes or provide operational instructions (legal basis: performance of the contract, Art. 6(1)(b) GDPR).
Service security, abuse and fraud prevention, technical diagnostics (legal basis: legitimate interest, Art. 6(1)(f) GDPR).
Compliance with legal, accounting, tax and litigation defence obligations (Art. 6(1)(c) GDPR).

We do not use the data received through ChatGPT for automated profiling, direct marketing, training of artificial intelligence models, or for any purpose other than those listed above.

5.5 Recipients of ChatGPT/MCP data

The data we receive through the App may be shared with:

OpenAI, as the provider of the ChatGPT platform. ChatGPT forwards to our server only the information needed to execute the requested functions and returns our responses to the user. Processing by OpenAI is governed by OpenAI’s privacy policy.
Our operational backend mamaflorence.com, which receives booking data from the MCP server and records it in our management systems.
Our hosting / infrastructure providers, on which the MCP server and the operational backend are run.
Our employees, collaborators and consultants authorised to process the data, bound by confidentiality obligations.
Public authorities and supervisory bodies, where required by law or by a competent authority’s order.

Within this integration we do not use third-party analytics providers, external error monitoring systems, payment gateways or email marketing platforms. We do not sell personal data to third parties.

5.6 Specific retention for ChatGPT/MCP data

Booking-request data: for the time necessary to organise and deliver the booked experience and, thereafter, for the period required by accounting, tax and statute-of-limitation obligations — typically up to 10 years from the end of the relationship (Art. 2220 of the Italian Civil Code).
MCP server technical logs (which include the parameters of the calls to our tools, including the contact data entered by the user for booking requests, and the technical responses): retained for a maximum of 30 days and then automatically deleted, save for specific needs of abuse investigation or legal defence.
Cache and temporary storage: no persistent cache is used in the MCP server.
Deletion requests: processed within 30 days of receipt, save for legal exceptions.

5.7 User controls specific to the App

In addition to the rights described in section 10, the user may at any time:

disconnect the App from ChatGPT from the ChatGPT account settings, immediately stopping the transmission of new data to our server;
request the deletion of booking data already transmitted by writing to [email protected].

5.8 Minimisation and security measures

The App’s tools are designed according to the data-minimisation principle: they receive only the parameters required to execute the function the user requests and return only results relevant to the request. In particular:

read-only tools (experience search and experience details) do not collect any identifying personal data;
the booking-request tool only collects the contact data necessary for the operational handling of the booking;
we do not receive nor retain the entire conversation the user has with ChatGPT.

Technical and organisational measures: HTTPS for all communications between ChatGPT and our server; validation of inputs received by the tools; declarative tool hints (read-only / non-destructive) so that ChatGPT can correctly apply its own confirmation policies; management of credentials and domain-verification tokens via environment variables, kept outside the source code; access to systems limited to authorised personnel.

5.9 Special categories of data

The App is not designed to collect special categories of personal data (health, sex life, ethnic origin, political opinions, religious beliefs, trade-union membership, biometric or genetic data) nor identity documents or full payment details. Users are asked not to voluntarily enter such information in free-text fields; should such data be entered, it will be deleted as soon as detected.

6. Processing Methods

Data is processed using appropriate technical and organizational measures to ensure security, confidentiality, and integrity.

7. Data Retention

Contractual data: up to 10 years
Marketing data: until consent is withdrawn
Technical/log data (general site): up to 12 months
MCP server technical logs: up to 30 days (see section 5.6)
Allergy-related data: limited to the duration of the service

8. Data Sharing

Data may be shared with:

technical service providers
digital platforms (including OpenAI — see section 5)
legal and tax advisors

9. Transfers Outside the EU

Some data may be transferred outside the European Union (e.g., to the United States).
Such transfers are carried out in compliance with GDPR safeguards.

10. User Rights

Users have the right to:

access their data
request correction or deletion
object to processing
request data portability
withdraw consent

Specifically for the ChatGPT App integration, see also the controls described in section 5.7.

Contact:
📧 [email protected]

Users may also lodge a complaint with the relevant Data Protection Authority.

11. Cookies

This website uses technical, analytical, and marketing cookies.
Please refer to the dedicated Cookie Policy for more information.

12. Updates

This Privacy Policy may be updated over time.
Any changes will be published on this page.