Shakadabra Privacy Policy
Last updated: 06/07/2026 · Version 2.0 (replaces the version dated 11 May 2026)
This Privacy Policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the "GDPR") and Italian Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 (the "Italian Privacy Code").
This is a courtesy English translation of the official Italian Privacy Policy. In case of discrepancies, the Italian version prevails.
1. Data Controller
The Data Controller is Shakadabra S.r.l., registered office at Via Velasquez 19, 90141 Palermo (PA), Italy, Tax Code and VAT 07262490829, REA PA-447581, share capital € 11,353.00 fully paid-up, an innovative startup pursuant to Law Decree 179/2012. Legal representative: Gianluca Di Giorgio (Sole Director).
Controller contacts: PEC [email protected]; general e-mail [email protected]; privacy e-mail [email protected]; WhatsApp Business +39 333 1332407; website https://shakadabra.com; provider portal https://provider.shakadabra.com; "Shakadabra" app on the App Store and Google Play. The Controller has not appointed a Data Protection Officer, as the legal conditions are not met.
2. Scope
This Policy applies to processing carried out by Shakadabra through the website https://shakadabra.com, the web app https://shop.shakadabra.com, the portal https://provider.shakadabra.com, the "Shakadabra" mobile app for iOS and Android, and any other digital or physical channel attributable to Shakadabra.
3. Categories of data subjects
Explorer: an adult natural person registered to search, book and review Experiences. Provider: a natural person, sole trader or company publishing and selling Experiences. B2B2C Partner: an accommodation facility, restaurant, car rental or other business promoting Shakadabra to its customers via QR code or referral link. Visitors: anyone browsing the Platform without registering.
4. Categories of personal data processed
4.1 Explorer data
Identification data (first name, last name, e-mail, password stored in hashed form); contact data (phone number, if provided); device geolocation data, collected only with consent, used to suggest nearby experiences; browsing and usage data (experiences viewed, booked, reviewed, session duration, video-feed interactions); payment data, handled directly by the Stripe gateway in PCI-DSS compliant mode (Shakadabra does not store card data); linked PayPal account data for receiving Earn from Review commissions; user-generated content (video reviews of up to 30 seconds, text reviews, comments, profile images); preferences (language, currency, favourite categories); cookie and similar-technology data, managed under the Cookie Policy with granular consent; identity document, requested only in specific anti-fraud or legal-compliance cases.
4.2 Provider data
Identification and tax data (business name or full name, VAT number, tax code, registered office, billing address, SDI code or PEC); contact data; banking and payout data (IBAN, Stripe Connect account data); published content (descriptions, photos, videos, prices, availability calendars); transactional data (booking history, amounts, applied commissions, ratings received); integration credentials with third-party systems (Bokun, Regiondo or similar), processed only with the Provider's express authorisation; professional insurance and local regulatory compliance data, where required by law.
4.3 B2B2C Partner data
Business identification data (trade name, address, type); tax data (VAT number, tax code, billing address, SDI code or PEC); contact data; PayPal account data for receiving commissions; referral campaign data (unique QR code, link, usage statistics); referred-customer data in aggregated or pseudonymised form (unique identifier, number of bookings, cumulative amount). Personal data identifying referred Explorers is not shared with the B2B2C Partner.
4.4 Automatically collected data
For each Platform interaction: IP address, browser type and version, operating system, mobile device identifier, pages visited and time spent, referrer, crash and error data for security and service-improvement purposes.
5. Purposes and legal bases
5.1 Performance of a contract (Art. 6(1)(b) GDPR)
Account registration and management; booking management and Experience enjoyment; payment processing via Stripe; management of the Internal Wallet and commission payouts via PayPal; service communications (confirmations, vouchers, reminders); dispute and refund management; customer support.
5.2 Compliance with legal obligations (Art. 6(1)(c) GDPR)
Issuance and storage of invoices; tax obligations; anti-money-laundering compliance (Legislative Decree 231/2007) where applicable; retention of accounting records (10 years, Articles 2214 and 2220 of the Italian Civil Code); responses to requests from judicial and administrative authorities; obligations under Regulation (EU) 2022/2065 (DSA), including handling of illegal-content notices and statements of reasons for moderation decisions.
5.3 Consent of the data subject (Art. 6(1)(a) GDPR)
Newsletters and promotional communications to Explorers; advanced profiling for offer personalisation; precise device geolocation; third-party marketing and profiling cookies; publication of video reviews in the public feed (subject to acceptance of the community guidelines). Consent may be withdrawn at any time, without prejudice to the lawfulness of prior processing.
5.4 Legitimate interest of the Controller (Art. 6(1)(f) GDPR)
Platform security and fraud prevention; content moderation to protect users and the integrity of the service, including with automated tools followed by human review; legal defence; aggregate statistical analysis for service improvement; B2B commercial communications to accommodation facilities, restaurants, tour operators and other professional entities of the hospitality and tourism sector, as detailed in Section 11.
6. Specific features
6.1 B2B2C referral
When an Explorer registers after scanning a QR code or following a B2B2C Partner's link, the acquisition source is tracked. For 24 months following registration, every Experience booked and completed by the Explorer generates for the Partner a commission equal to 30% of the Marketplace Commission collected by Shakadabra (as of the effective date, 6% of the transaction value). The Explorer's personal data is never shared with the Partner, who receives only aggregated or pseudonymised statistics on its campaigns.
6.2 Earn from Review
Explorers may upload video reviews (maximum 30 seconds) of experiences they booked and lived. After moderation, videos are published in the Platform's public feed. When another Explorer views the video, books the same Experience and completes payment, the author accrues a commission according to the tiers set out in the Terms and Conditions (3% to 5% of the transaction value). Program data (videos, view statistics, generated bookings, accrued commissions) is processed for contract performance and program management. The Explorer is solely responsible for tax compliance on commissions received.
6.3 Earn from Coupon
B2B2C Partners and partnered influencers may run coupon campaigns. When an Explorer uses a coupon associated with a partner, the partner accrues a commission on the related booking. Tracking is similar to the B2B2C referral and does not involve sharing data identifying Explorers.
6.4 Payments and financial flows
For bookings: the Explorer pays via Stripe, a PCI-DSS Level 1 certified gateway; Shakadabra operates as a platform via Stripe Connect; the Provider receives the net amount in its Stripe Connect account, after deduction of the 20% Marketplace Commission; payout times follow Stripe standards (typically 2 to 7 business days). For Earn from Review and referral commissions: accrual in the Internal Wallet and payout via PayPal upon reaching the € 100.00 threshold, monthly, by the 15th day of the following month.
6.5 Content moderation and notices (DSA)
User-uploaded content is moderated through automated analysis of images, video and text (filters and classifiers, including AI-based) and human review. In case of a notice under Art. 16 DSA, Shakadabra processes the notifier's data (name, e-mail, content of the notice) and the content author's data to review the notice, take the decision, provide the statement of reasons under Art. 17 DSA and handle any complaints. Legal bases: legal obligation and legitimate interest in the security of the service.
7. Processing methods
Data is processed lawfully, fairly and transparently, by electronic means, with technical and organisational measures appropriate to the risk under Art. 32 GDPR: encryption in transit (TLS 1.2 or higher) and at rest; password hashing with strong algorithms; role-based access control and least privilege; security logging and continuous monitoring; regular backups and disaster-recovery procedures; training of authorised personnel; Data Protection Impact Assessments where required by law.
8. Retention
Account data: for the duration of the account plus 10 years after deletion, for tax and civil-law obligations. Transaction and invoicing data: 10 years from issuance (Articles 2214 and 2220 of the Italian Civil Code and tax law). Video reviews: for the duration of the account plus 5 years after deletion, unless earlier removal is requested by the author. Browsing data and logs: 12 months, save for security or legal-defence needs. Marketing and profiling cookies: maximum 12 months, subject to consent renewal. Marketing communications data: until consent withdrawal or objection. Notice and moderation-decision data: for the time needed to handle complaints and disputes. Once retention periods expire, data is deleted or irreversibly anonymised.
9. Recipients
Data may be communicated to: Shakadabra staff and collaborators authorised to process it; technical service providers (hosting, e-mail, customer support, analytics, content-moderation tools), appointed processors under Art. 28 GDPR where applicable; payment gateways (Stripe, PayPal); accounting, tax and legal advisors; audit and certification firms; public authorities and judicial bodies, where required by law; parties involved in extraordinary transactions (transfers, mergers), in compliance with applicable law.
The Provider receives only the data strictly necessary for delivering the booked Experience (name, number of participants, specific requirements communicated by the Explorer) and processes it as an autonomous controller for the performance of its own contract. B2B2C Partners do not receive data identifying referred Explorers. An updated list of processors is available upon request to [email protected].
10. Extra-EU transfers
Some suppliers operate outside the European Union. In such cases Shakadabra adopts the safeguards under Articles 44 et seq. GDPR. Main transfers concern: Stripe, Inc. (USA), payment gateway, based on Standard Contractual Clauses and a Data Processing Addendum; PayPal (Europe) S.à r.l. et Cie, S.C.A. and PayPal Holdings, Inc. (USA), payment services, based on Standard Contractual Clauses; Amazon Web Services, cloud and infrastructure services, with servers located in the European Union; Google (Ireland), e-mail and productivity services, with servers in the European Union; Anthropic, PBC (USA), AI services for suggestions and AI features of the Platform, based on Standard Contractual Clauses. Where US suppliers are certified under the EU-US Data Privacy Framework, the transfer relies on the related adequacy decision. Copies of the safeguards are available upon request to [email protected].
11. B2B commercial communications and legitimate interest
Shakadabra sends commercial communications to accommodation facilities, restaurants, tour operators, car rentals and other professional entities of the hospitality and tourism sector, to present the marketplace and propose partnerships. These communications rely on Shakadabra's legitimate interest in promoting its services (Art. 6(1)(f) GDPR), in compliance with Italian Data Protection Authority Decision No. 372 of 4 July 2019 and applicable B2B marketing guidelines. The legitimate-interest basis was verified through a balancing test (Legitimate Interest Assessment) considering: the strictly professional nature of the recipients, the relevance of the message to their activity, the limited intrusiveness of the initiative, and a simple and effective objection channel. Recipients may object at any time by writing to the opt-out address indicated in each message, by replying "NO" or "UNSUBSCRIBE" to the e-mail received, or by writing to [email protected]. The protections of Art. 130 of the Italian Privacy Code apply.
12. Data subject rights
Data subjects may at any time exercise the rights provided by the GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), portability (Art. 20), objection (Art. 21), including objection to direct marketing, withdrawal of consent at any time, and complaint to the supervisory authority (Art. 77).
Requests should be sent to [email protected], attaching a copy of a valid identity document for proper identification. Shakadabra replies within one month of receipt; in particularly complex cases the term may be extended by two months, with prompt reasoned notice. Exercising rights is free of charge, save for manifestly unfounded or excessive requests.
Complaints may be lodged with the Italian Data Protection Authority (Garante per la protezione dei dati personali): Piazza Venezia 11, 00187 Rome, Italy; www.garanteprivacy.it.
13. Cookies and similar technologies
The Platform uses cookies and similar technologies (pixels, SDKs, local storage) for the operation of the service, usage analysis and personalisation. Technical cookies: necessary, no consent required. Analytics cookies: in aggregated form or with adequate pseudonymisation. Profiling and marketing cookies: only with express consent via the banner. Consent is collected granularly and may be withdrawn at any time via the management panel accessible from the footer. See the Cookie Policy for details.
14. Minors
Shakadabra services are reserved to adults (18 years or older). Shakadabra does not intentionally collect data of minors under 18; if it becomes aware of data provided by a minor in breach of the Terms, it deletes it promptly, save for legal obligations. Parents or guardians may write to [email protected].
15. Security and breaches
Shakadabra adopts appropriate technical and organisational measures to protect data against unauthorised access, loss, destruction, alteration, disclosure or unlawful use. In case of a personal data breach posing a risk to the rights and freedoms of data subjects, Shakadabra notifies the Italian Data Protection Authority within 72 hours of becoming aware of it (Art. 33 GDPR) and, where the risk is high, informs data subjects (Art. 34 GDPR).
16. Automated decision-making and profiling
The Platform uses recommendation algorithms and AI features (including solutions provided by Anthropic) to suggest experiences, sort search results, personalise the video feed and improve the user experience; it also uses automated tools for content moderation, with human review of contested decisions. Such processing does not produce legal effects significantly affecting the data subject within the meaning of Art. 22 GDPR. Users may object to profiling and request human intervention by writing to [email protected]. The main parameters of the recommender systems are described in the Terms and Conditions (Section 5.4) and on the DSA Information page.
17. Changes to this Policy
Shakadabra may update this Policy at any time, including for regulatory or organisational changes. Updates are communicated through publication of the new version on the Platform with the relevant date, e-mail to the registered address in case of material changes, and in-app notification where technically available.
18. Privacy contacts
Privacy e-mail: [email protected] · PEC: [email protected] · WhatsApp Business: +39 333 1332407 · Postal address: Shakadabra S.r.l., Via Velasquez 19, 90141 Palermo (PA), Italy.