Gusto Wine Tours – Privacy Policy

We are a small husband-and-wife company whose primary concern is providing entertaining day tours around the vineyards of Umbria, south of Perugia in Italy.

Who we are:

  • The business is owned by Mark Stafford who runs and manages the tours and Giselle Stafford who is both the Data Controller and Data Processor.

Data and what we need it for:

  • Most of our customers apply online and we hold the name, address and contact details given in the email. Customers who take up our services pay online using PayPal.
  • Our policy is then to remove all emails after a year unless the customer specifically requests that we keep them for future reference.
  • It is not our policy to keep any information beyond the parameters as laid out above, as we do not market directly to past customers nor do we buy in or acquire names and addresses for the purposes of attracting new business.

Data and what we do with it:

  • Our data processing is confined to receiving and answering emails regarding our online bookings for the tours we organise.
  • Security:
  1. We do not hold nor even see any bank details of customers as we exclusively use PayPal to collect payments online
  2. All photographs are taken with the express knowledge of the customers and are stored securely on a password protected external storage device
  3. Our passwords are strong and stored only on a secure password manager available only to the Data Controller and Company Manager
  4. Computer screens are not left unattended showing personal data nor on show for accidental viewing by unauthorised personnel and visitors. All computer devices are switched off when not in use
  5. All paper records (Receipts and mail confirmations) are stored in a locked filing cabinet and only accessed when necessary
  6. Financial data will be stored for the minimum period required by law. All other personal data both electronic and paper, unless requested otherwise, will be destroyed by removal or shredding as soon as the customer contact episode is completed
  7. Our system is protected by industry standard virus and malware software and the network is encrypted and firewalled
  8. Data backup to a separate and discrete device is performed regularly and entirely in accordance with the importance and frequency of our data processing
  • On occasion, we will use social media to promote our business. Under no circumstances will we publish a name or a photo in this area without consent
  • We regularly monitor TripAdvisor, but, unfortunately, we do not always have control over what is published in our name. Where possible we will use our managerial access to redress any imbalance or misuse.
  • We will pass on to proper and legal authorities what we are required to do by law or regulation for the proper and lawful maintenance of our financial house-keeping.
  • We do not pass any personal data whatsoever and by whatever means to any other third-party organisation.

Your rights as laid out in the GDPR, May 25th, 2018:

  • Right to have details of all personal information held on you provided within 30 days – we will respond promptly and accurately should there be any enquiries
  • Right to Transparency – we will ensure there is no hidden agenda. Your information will always be managed professionally and openly
  • Right to request erasure and editing – if we are holding personal data, you have the right to request the data and/or request for it to be securely deleted
  • Right to object:
    • To data being held without lawful reason – we believe we have legitimate reasons for holding limited personal data which are for keeping full accounting records for the finance authorities
    • To data being passed on or being profiled

How to redress any issues:

In the first instance – please contact us outlining where you feel we have let you down. All our contact details are to be found on
If we cannot help you, please contact the Italian Data Protection Authority (Garante per la protezione dei dati personali) –