Privacy Policy

Toll cashback, section, “Non-registered users”

Privacy Policy pursuant to European Regulation 679/2016 (“GDPR”)

Last updated: 01/06/2026

In this privacy notice, Autostrade per l’Italia S.p.A. (“ASPI”) and the motorway concession companies R.A.V. - Raccordo autostradale Valle d’Aosta S.p.A. (“RAV”), Società Autostrada Tirrenica p.A. (“SAT”) and Tangenziale di Napoli S.p.A. (“TANA”), which are controlled by and affiliated with Autostrade per l’Italia S.p.A., pursuant to Article 2359 of the Italian Civil Code (collectively referred to as “the Group’s concessionary companies”), acting as independent and separate Data Controllers, provide you, pursuant to Article 13 of the GDPR, with this Notice regarding the processing of your personal data collected for the provision and management of the Cashback service (hereinafter also “Cashback”), offered via the “Muovy Cashback” app (“App”) or the “Muovy Cashback” section of the www.autostrade.it website (the App and the website section referred to collectively as the “Portals”).

In particular, via the Portals, it is possible to claim a refund of the toll from each of the Group’s concessionary, for significant delays caused by roadworks or events disrupting normal traffic flow that result in traffic congestion on the motorway sections under their concession, in accordance with the “Measures” laid down by the Transport Regulatory Authority as set out in ART Resolution No. 132/2024, as supplemented and amended by ART Resolution No. 211/2025.

The Group’s concessionary companies do not perform any processing other than that expressly authorised and/or requested. This privacy policy may be subject to changes in order to comply with new law provisions, amendments to data processing policies and/or following modifications to the characteristics of the individual Portals and/or the Services offered therein.

Any updated version of this information notice will be published in the dedicated section of the Portals, therefore you should periodically consult the privacy information notice published therein to keep abreast with the latest version published.


1. Data Controller

The independent data controllers (“Data Controllers”), each in relation to requests for refunds of tolls paid on their respective motorway sections, where the point of origin (entry) and destination (exit) are both within the same motorway section under their jurisdiction, are:

  • Autostrade per l’Italia S.p.A., which is subject to the management and coordination of Holding Reti Autostradali S.p.A., with registered office in Via A. Bergamini 50 – 00159, Rome, whose Data Protection Officer (DPO) can be contacted at the following address: [email protected];
  • R.A.V. - Raccordo Autostradale Valle d’Aosta S.p.A., with registered office in Via Alberto Bergamini 50 - 00159 Rome, whose DPO can be contacted at the following address: [email protected];
  • Società Autostrada Tirrenica S.p.A., with registered office in Via Alberto Bergamini 50 - 00159 Rome, whose DPO can be contacted at the following address: [email protected];
  • Tangenziale di Napoli S.p.A., with registered office in Via Giovanni Porzio, 4 -Centro Direzionale Isola A/7 - 80143, Naples, whose DPO can be contacted at the following address: [email protected];

By accessing the “Non-registered users” section and completing the relevant online form, your personal data will be collected and processed – including via ASPI – by the Group’s concessionaire responsible for handling the request for a toll refund for journeys made on the section of motorway under its jurisdiction.

The processing of access and/or browsing data relating to the Portals (such as IP addresses) is carried out by Autostrade per l’Italia S.p.A. (the provider and operator of the Portals themselves), acting as an independent data controller, whose privacy policy is published on the Portals themselves.

2. Categories of Processed Data

Data provided when using the Cashback scheme and submitting a refund claim: the Data Controllers, each in relation to the refund claim for which they are responsible, may collect and process, including through ASPI (or another appointed provider), the personal data provided when completing the web form (first name, surname and email address), as well as data relating to the journey (receipt number, date and time of journey, entry and exit toll booths, vehicle class, lane, amount), the unique identification code issued following your refund claim in accordance with the aforementioned ART resolutions, and, where applicable, the IBAN in the event of a successful outcome to your refund request (“Data”).

The provision of Data is mandatory, therefore failure to provide such data or the provision of incomplete or inaccurate data will prevent the Cashback service from being provided.

3. Purposes and legal basis for processing

Your Data will be processed by each Data Controller responsible for the toll refund claim relating to the relevant section, in accordance with the principles of necessity, data minimisation, lawfulness, fairness, proportionality and transparency, exclusively for the following purposes:

a. to enable you to use the Cashback service, and to ensure the proper management of activities related to or necessary for the provision of such service (including the payment of refunds by crediting the IBAN you have provided, as set out in paragraph 2 above);

b. to provide you with customer support (via live chat or call centre) to assist you in using the Cashback service or to resolve any reports of malfunctions and/or complaints you may have;

c. to fulfil legal obligations and requests by the competent authorities;

d. to send you, at the email address provided upon submitting your refund request, marketing information and newsletters relating to products and/or services similar to those you have already purchased and/or received from ASPI (so-called “soft spam”).

The legal basis for the processing of your data for the purposes referred to in points (a) and (b) is the performance of a contract or pre-contractual measures taken at your request, pursuant to Article 6(1)(b) of the GDPR, as well as the legitimate interest of the Data Controller, pursuant to Article 6(2)(f) of the GDPR, in managing the refund claim in accordance with the criteria laid down by the Transport Regulatory Authority, as set out in ART Resolution No. 132/2024 referred to in the introduction.

The legal basis for the processing of your data for the purpose referred to in point (c) is compliance with a legal obligation, and in particular with ART Resolution No. 132/2024, as supplemented and amended by ART Resolution No. 211/2025 of the Transport Regulatory Authority, to which the Group’s concessionary companies are subject pursuant to Article 6(1)(c) of the GDPR.

The legal basis for the processing of your Data for the purpose referred to in point d) is ASPI’s legitimate interest, pursuant to Article 6.2(f) of the GDPR, without prejudice to the possibility of objecting to such processing at any time, easily and free of charge. In particular, you may object the receipt of such communications at any time by clicking on the link at the bottom of the relevant e-mail or by contacting the DPO of each Data Controller at one of the contact details indicated in section 1 above.

4. Processing methods

Your Data will be processed by computerised means, also with the aid of electronic and information devices, directly and/or through delegated third parties, according to logics strictly related to the purposes indicated in section 3 above.

Your Data shall be processed in accordance with the GDPR and applicable law, and in such a way as to ensure the security and confidentiality of the data, to prevent unauthorised disclosure or use, alteration or destruction.

The processing of your Data will be entrusted, in each operation, to employees and/or collaborators of each Data Controller for the relevant activities, duly authorised and appointed.

Any third-party companies appointed by each Data Controller (such as Autostrade per l’Italia) will act as data processors within the meaning of Article 28 of the GDPR (“Data Processors”). A full list of persons appointed as Data Processor is available at the DPO’s, which can be reached as specified in Section 1 above.

5. Data retention period and locations

Your Data will be stored on the Data Controller’s server located in the European Union, and will not be disseminated or transferred outside the European Union. Your Data will only be processed by the Data Controller for the time strictly necessary to pursue the purposes set out above. In particular:

  • for the purposes referred to in point a) of section 3 above, your Data will be retained by each Data Controller in relation to the refunds for which they are responsible, within the limits established by the aforementioned Resolution and, in any event, until you expressly request the erasure of your Data from the Data Controller’s DPO (see contact details in paragraph 1 above). It is understood that the Data Controller may retain your Data in order to defend its rights in relation to disputes outstanding at the time of the request or at the direction of public authorities;
  • for the purposes of point b) in section 3 above, we inform you that calls and chats are recorded and stored together with the Data contained therein for the time necessary to resolve your request for assistance, report and/or complaint, provide you with feedback and improve the customer care service. Even in this case, however, it is understood that the Data Controller may retain your Data within the limits of the law, in order to prove the fulfilment of its contractual obligations, and to defend its rights in relation to outstanding disputes or at the direction of Public authorities;
  • for the purposes of point d) in section 3 above, your Data will be retained by the Data Controller as long needed to fulfil any legal obligations;
  • for the purposes referred to in point d) of section 3 above, your Data will be retained until you expressly object to their processing. It being understood that the data will not be deleted until you expressly request their deletion for that specific purpose. It is also understood that each Data Controller may retain your Data in order to defend its rights in relation to disputes outstanding at the time of the request or at the direction of the Public authorities.

6. Rights of the Data Subject

Please note that under the GDPR you have the right to:

  • obtain information on the purposes for which your Data is processed, the period of processing and the persons the Data is disclosed to (right of access);
  • obtain rectification or integration of inaccurate Data concerning you (right of rectification);
  • have your Data deleted in the following cases: (a) the Data is no longer necessary for the purposes for which it was collected; (b) you have objected to the processing of your Data, where it is processed on the basis of a legitimate interest of each Data Controller; (c) the processing of your Data does not comply with the law; (d) you have submitted an explicit request for the deletion of your Data. However, we would like to point out that Data retention by each Data Controller is lawful if it is necessary in order to comply with a legal obligation or to ascertain, exercise or defend a right in a court of law (so-called right to erasure);
  • obtain that the Data concerning you be only stored without any other use of them in the event that (a) you should object to the accuracy of your Data, for the period necessary to allow us to verify their accuracy; (b) the processing is unlawful, but you still object to the deletion of the Data by each Data Controller (c) the Data are necessary for the ascertainment, exercise or defence of a legal right; (d) you objected to the processing and are waiting for verification of whether the Data Controller’s legitimate reasons for processing prevail over those of the data subject (so-called right to restriction);
  • to receive the Data concerning you in a commonly used, machine-readable and interoperable format, and to have your Data transferred to another data controller (so-called right to data portability).

The aforementioned rights may be exercised by making a request without formalities to the DPO of the Data Controller, whose contact details are set out in section 1 above.

Finally, we would like remind you that you have the right to address the Garante per la protezione dei dati personali, Piazza Venezia, 11, 00187 Roma (RM), to assert your rights in relation to the processing of your Data.