Privacy Notice

Privacy Policy pursuant to European Regulation 679/2016 ("GDPR")

The following version will come into force on 1 June 2026

In this privacy notice, Autostrade per l’Italia S.p.A. (“ASPI”) and the motorway concession companies R.A.V. - Raccordo Autostradale Valle d’Aosta S.p.A. (“RAV”), Società Autostrada Tirrenica p.A. (“SAT”) and Tangenziale di Napoli S.p.A. (“TANA”), which are controlled by and affiliated with Autostrade per l’Italia S.p.A., pursuant to Article 2359 of the Italian Civil Code (referred to collectively as “the Group’s concessionary companies”), acting as independent and separate Data Controllers, provide you, in accordance with Articles 13 and 14 of the GDPR, with this Notice regarding the processing of your personal Data collected in the course of their activities via the “Muovy Cashback” app (“App”) and the “Muovy Cashback” section of the www.autostrade.it website (the App and the website section referred to collectively as the “Portals”), for the Cashback service (hereinafter also referred to “Cashback”).

Specifically, the App is an innovative application, provided and managed by ASPI, designed to offer users a Cashback service in the mobility and transport sector.

Cashback is a service offered by the Group’s concessionary companies via the Portals, with the aim of providing you with a smart and user-friendly solution for managing refunds for significant delays caused by roadworks or episodes disrupting normal traffic flow that result in traffic congestion on the motorway sections under their concession, in accordance with the “Measures” laid down by the Transport Regulatory Authority as set out in ART Resolution No. 132/2024, as supplemented and amended by ART Resolution No. 211/2025.

You can find more information on how the Portals work and the Cashback service offered by clicking here.

The Group’s concessionary companies do not perform any processing other than that expressly authorised and/or requested. This privacy policy may be subject to changes in order to comply with new law provisions, amendments to Data processing policies and/or following modifications to the characteristics of the Portals and/or the Services offered therein.

Any updated version of this information notice will be published in the dedicated section of the Portals, therefore you should periodically consult the privacy information notice published therein to keep abreast with the latest version published.

A. Data processing for which ASPI is the Data controller

In accordance with Article 13 of the GDPR, Autostrade per l’Italia provides you with information regarding the processing of your personal Data collected in connection with your registration on the Portals and, in particular, in relation to the use of the App and your registration in the “Muovy Cashback” section of the www.autostrade.it website.

1. Data Controller

The Data Controller is Autostrade per l’Italia S.p.A, a company subject to management and coordination by Holding Reti Autostradali S.p.A., with registered office in Via A. Bergamini, 50 - 00159 Rome, Tax code, Registration number with the Rome Companies Register and VAT no. 07516911000.

Pursuant to Article 37 et seq. of the GDPR, ASPI has appointed a Data Protection Officer (“DPO”), domiciled for the purpose at Via A. Bergamini 50, 00159 Rome, whom you may contact for matters relating to the processing of your personal Data at the certified e-mail address [email protected].

2. Categories of processed Data

Data provided upon registering on the Portals: As the Data Controller, ASPI collects and processes your personal details (first name and surname), your email address and your login credentials (password and username) (“Data”). From time to time, it may also receive aggregated information from third-party sources, including advertising networks and/or social media networks. In particular, it receives aggregated Data from third-party sources regarding the number of App downloads in order to assess the effectiveness of targeted advertising on certain platforms, such as digital properties operated by companies such as Facebook and Google. Please check which Data is marked as mandatory and which is optional, bearing in mind that failure to provide the Data marked as mandatory will prevent you from registering on the Portals. Please keep your Data up-to-date by editing it in the dedicated section of the Portals.

3. Purposes and legal basis for processing

Your Data will be processed by ASPI in accordance with the principles of necessity, minimisation, lawfulness, fairness, proportionality and transparency, and exclusively for the following purposes:

  1. allow you to register and use the Portals, including future improvements thereof;
  2. ensure you receive customer support (via live chat or call centre) to resolve any issues you may report regarding the Portals;
  3. send you, at the email address specified upon registering on the Portals, marketing information and newsletters relating to products and/or services similar to those you have already purchased and/or received from ASPI (so-called “soft spam”);
  4. to send you advertising material and carry out promotional, marketing and/or direct sales activities for products and/or services sold and/or provided by ASPI.;
  5. to send you commercial and promotional communications relating to products and/or services by selected third parties (i.e. companies in the Group ASPI belongs to, parent, subsidiary and/or associated companies, companies with which ASPI has agreements with, and third party partners), with whom ASPI has legal relations (without Data being communicated to third parties in this case),
  6. to carry out profiling activities, i.e. assessing your preferences, consumption habits and taste, also by inviting you to participate in market research, for the subsequent sending of profiled marketing communications.

The legal basis for processing your Data for the purposes referred to in points a) and b) is the performance of a contract or pre-contractual measures taken at Your request, pursuant to Article 6.1(b) of the GDPR.

The legal basis for processing of your Data for the purpose referred to in point c) is ASPI’s legitimate interest, pursuant to Article 6.2(f) of the GDPR, without prejudice to the possibility of objecting to such processing at any time, easily and free of charge. In particular, you may object the receipt of such communications at any time by clicking on the link at the bottom of the relevant e-mail or by contacting the DPO of ASPI at the contact details indicated in section A.1 above.

The legal basis for processing your Data for the purposes referred to in points d), e) and f) is your prior explicit consent, under Article 6.2(a) of the GDPR. Contact methods aimed at direct marketing activities, on behalf of third parties and profiling as in points d), e) and f) above, may be both automated (by e-mail, sms, push notifications, other mass messaging tools, etc.) and traditional (telephone calls with an operator and postal mailings). In any case, you may revoke your consent, even partially, e.g. by consenting only to traditional contact methods. Should you consent to the profiling referred to in point g) above, this will involve an automated activity that will place you in a subject category with similar characteristics (in terms of purchasing preferences, places of interest and frequently travelled road sections) on the basis of your previous experience and use of the motorway network, or of market analyses in which you may have participated, your demographic and your activities on the Portals.

4. Processing methods

Your Data will be processed by computerised means, also with the aid of electronic and information devices, directly and/or through delegated third parties, according to logics strictly related to the purposes indicated in section A.3 above.

Your Data shall be processed in accordance with the GDPR and applicable law, and in such a way as to ensure the security and confidentiality of the Data, to prevent unauthorised disclosure or use, alteration or destruction.

Processing of your Data will be entrusted, in each operation, to employees and/or collaborators of ASPI, duly authorised and appointed. Any third-party companies appointed by ASPI (including those belonging to the Autostrade per l’Italia S.p.A. Group) will, however, act as Data processors in accordance with Article 28 of the GDPR (“Data Processors”). A full list of persons appointed as Data Processor is available at the DPO’s, which can be reached as specified in Section A.1 above.

Your personal Data (first name, surname and email address) provided upon registering may be disclosed exclusively to each of the Group’s concessionary companies responsible for the relevant refund request to enable you to optimise - within the scope of related, instrumental and necessary activities - your participation in the Cashback service and to make the provision of the Cashback service itself faster and simpler. Each of the Group’s concessionary companies may process them in their capacity as independent Data controllers, as indicated in section B below.

5. Data retention period and locations

Your Data will be stored on ASPI's servers located in the European Union, and will not be disseminated or transferred outside the European Union. Your Data will only be processed by ASPI for the time strictly necessary to pursue the purposes set out in Section A.3 above. In particular:

  • For the purposes referred to in point a) of section A.3 above, your Data will be retained by ASPI – even if you delete your account – until you expressly request their deletion (which will, however, result in the deletion of your account and the inability to continue using the service provided). It is understood that ASPI may retain your Data in order to defend its rights in relation to disputes outstanding at the time of the request or at the direction of public authorities. You can delete your account by accessing the “Profile” section of the Portals or by sending an explicit request to delete your Data to ASPI’s DPO (see contact details in section A.1 above).
  • For the purposes of point b) in Section A.3 above, we inform you that calls and chats are recorded and stored together with the Data contained therein for the time necessary to resolve your request for assistance, report and/or complaint, as well as to provide you with feedback and improve the customer care service. Even in this case, however, it is understood that ASPI may retain your Data, within the limits of the law, in order to prove the fulfilment of its contractual obligations, and to defend its rights in relation to outstanding disputes or at the direction of public authorities.
  • For the purposes referred to in point c) of section A.3 above, your Data will be retained by ASPI until you expressly object to their processing. It is understood that the Data will be deleted automatically if your account is deleted, or upon your express request for the deletion of the Data for that specific purpose. Additionally, it is understood that ASPI may retain your Data in order to defend its rights in relation to disputes outstanding at the time of the request or at the direction of public authorities.
  • For the purposes set out in points d), e) and f) of section A.3 above, your Data will be retained by ASPI until you object to their deletion, which occurs automatically 12 months after your account is deleted, or - even if you delete your account - until you expressly request the deletion of your Data (which will, however, result in the deletion of your account). It is understood that ASPI may retain your Data in order to defend its rights in relation to disputes outstanding at the time of the request or at the direction of public authorities.

6. Rights of the Data Subject

Please note that under the GDPR you have the right to:

  • Obtain information on the purposes for which your Data is processed, the period of processing and the persons the Data is disclosed to (right of access);
  • obtain rectification or integration of inaccurate Data concerning you (right of rectification);
  • obtain the deletion of your Data in the following cases (a) the Data are no longer necessary for the purposes for which they were collected; (b) you have withdrawn your consent to the processing of the Data, if they are being processed on the basis of your consent; (c) you have objected to the processing of your Data if they are being processed for ASPI’s legitimate interest (d) the processing of your Data does not comply with the law; (e) you have deleted your account by accessing the "Profile" section of the Portal or you have sent an explicit request for the deletion of your Data; or (f) 12 months have elapsed since the deactivation of your account. However, we would like to point out that Data retention by ASPI is lawful if it is necessary in order to comply with a legal obligation or to ascertain, exercise or defend a right in a court of law (so-called right to erasure);
  • obtain that the Data concerning you be only stored without any other use of them in the event that (a) you should object to the accuracy of your Data, for the period necessary to allow us to verify their accuracy; (b) the processing is unlawful, but you still object to the deletion of the Data by ASPI (c) the Data are necessary for the ascertainment, exercise or defence of a legal right; (d) you objected to the processing and are waiting for verification of whether ASPI's legitimate reasons for processing prevail over those of the Data subject (the so-called right to restriction);
  • receive the Data concerning you in a commonly used, machine-readable and interoperable format, and to have your Data transferred to another Data controller (so-called right to Data portability);
  • obtain the cessation of the processing in cases where your Data are being processed pursuant to Article 6(1)(f) of the GDPR (e.g. in cases where Your Data are being processed for the purpose of commercial communications/newsletters concerning products or services identical to those already purchased/provided by ASPI) (so-called right to object);
  • revoke your consent to the processing of the Data at any time, without prejudice to the lawfulness of the processing based on your consent before revocation.

The aforementioned rights may be exercised by making a request without formalities to the DPO, whose contact details are set out in Section A.1 above.

Finally, we would like remind you that you have the right to address the Garante per la protezione dei dati personali, Piazza Venezia, 11, 00187 Roma (RM), to assert your rights in relation to the processing of your Data.

B. Processing for which Autostrade per l’Italia S.P.A., R.A.V. - Raccordo Autostradale Valle d’Aosta S.p.A., Società Autostrada Tirrenica p.A. and Tangenziale di Napoli S.p.A. are Independent Data controllers

Pursuant to Articles 13 and 14 of the GDPR, Autostrade per l'Italia S.p.A., R.A.V. - Raccordo Autostradale Valle d’Aosta S.p.A., Società Autostrada Tirrenica p.A. and Tangenziale di Napoli S.p.A. - acting as independent and separate Data Controllers - provide you with the following information regarding the processing of your personal Data collected and processed via one or both Portals as part of the “Cashback service”.

1. Data Controllers

The independent Data controllers (“Data Controllers”), each in relation to requests for refunds of tolls paid on their respective motorway sections where the point of origin (entry) and destination (exit) are both within the same motorway section under their jurisdiction, are:

  • Autostrade per l’Italia S.p.A., which is subject to the management and coordination of Holding Reti Autostradali S.p.A., with registered office in Via A. Bergamini 50 – 00159, Rome, whose Data Protection Officer (DPO) can be contacted at the following address: [email protected];
  • R.A.V. - Raccordo Autostradale Valle d'Aosta S.p.A., with registered office in Via Alberto Bergamini 50 - 00159 Rome, whose DPO can be contacted at the following address: [email protected];
  • Società Autostrada Tirrenica S.p.A., with registered office in Via Alberto Bergamini 50 - 00159 Rome, whose DPO can be contacted at the following address: [email protected];
  • Tangenziale di Napoli S.p.A., with registered office in Via Giovanni Porzio, 4 -Centro Direzionale Isola A/7 - 80143, Naples, whose DPO can be contacted at the following address: [email protected].

2. Categories of Processed Data

Data provided when accessing and using the Cashback scheme: In addition to the Data provided upon registering on the Portals (first name, surname and your email address) and Data relating to your journey (date and time of the journey, exit station and, where available, entry station), the Data Controllers may collect and process, through ASPI (or another appointed provider), certain specific Data which varies depending on the type of user (i.e. natural person with a tax code, natural person with a VAT number or company).

In particular:

  • If you are a “natural person” user with a Tax Code or VAT number, in addition to the Data collected during the registration process on the Portals, the Data Controllers will process: your personal and identification details (date and place of birth, and Tax Code and/or VAT number); your contact details (address/domicile, telephone number); a clear photo of your identification document (e.g. identity card); Data relating to the vehicle(s) (e.g. number plate, country of registration and type of vehicle(s)) used and a photo of the documents showing the capacity in which the vehicle was assigned to you if you are not the registered owner (e.g. contract with the leasing company, letter of assignment from the company you work for, handover report from the leasing company to the company you work for); bank account details (to receive your refund); details of the electronic toll collection company and the electronic toll collection device(s) (Telepass or other service providers) in your possession, and a clear photo of the latest invoice; any other Data or information necessary to provide you with the Cashback service.
  • If you are a “company”, in addition to the Data requested during the registration process on the Portals, you will be asked to provide: your personal and identification details as the company’s authorised representative (first name, surname, date and place of birth, and Tax code); your contact details (address/domicile, telephone number and email address); a clear photo of your identification document (e.g. identity card); the name or business name of the Company; the Company’s VAT number; details of the vehicle(s) (e.g. registration number, country of origin and type of vehicle(s)) used by the Company and a photo of the documents showing the capacity in which the vehicle was assigned to the Company if it is not the registered owner (e.g. handover report from the leasing company); the Company’s bank account details (to receive the refund); information regarding the electronic toll collection company and the electronic toll collection device(s) (Telepass or other service providers) in the Company’s possession, and a clear photo of the most recent invoice issued; and any other Data or information necessary to provide the Cashback service.

In order to verify your identity, you will be asked to take and upload a clear photo of your ID when accessing the Cashback scheme. The Data contained in your identification document will be processed on behalf of the Data Controller by ASPI (or another appointed supplier), including through Sum & Substance Ltd, a third-party company based in the United Kingdom but with branches in the EU. That being said, your Data will be processes and stored exclusively within the EU, and they will not be transferred outside the EU under any circumstances.

To verify that you are indeed the registered owner of the electronic toll collection devices specified at the time of access or at a later date, you may be asked to take a clear photo of the most recent invoice issued for each electronic toll collection device and to upload it to the Portals. Similarly, on behalf of each Data Controller, ASPI (or another appointed supplier) may (i) provide the service provider that issued your electronic toll collection device(s) with your Tax Code/VAT number and the number(s) of your electronic toll collection device(s) in order to verify the accuracy of the Data specified; and/or (ii) obtain, at any time, up-to-date information on the electronic toll collection device(s) specified at the time of access from the service provider that issued the device(s) to you. To verify that you are indeed the registered owner of the vehicle specified when accessing in or at a later date, you may be asked to take a clear photo of the documents showing that the vehicle has been registered in your name by the relevant registered owner. Similarly, ASPI (or another designated provider) may pass on your Tax Code/VAT number, your vehicle registration number and the type of vehicle to the Motor Vehicle Registration Authority in order to verify the accuracy of the details provided.

We ask you to help us keep your Data up to date by updating them in your Profile. Please note that it is your responsibility to update the Data relating to your vehicle, as they are essential in order to use the Cashback service correctly. If the vehicle is no longer registered in your name or assigned to you, updating the relevant details is a legal obligation. Failure to do so will render you liable to the Data Controller and to the actual owner or assignee of the vehicle. To this end, the single Data Controllers may periodically ask you to confirm your status as the owner or assignee of the vehicle via pop-ups or similar interactive features on the Portals, and they reserve the right to verify the accuracy of your declarations by submitting the Data specified in the section above to the Motor Vehicle Registration Authority. In the event of a false declaration, you will be liable to the Data Controller, who may immediately suspended the Cashback service, and may ask for compensation for any losses incurred.

Please check which Data are marked as mandatory and which are optional, bearing in mind that failure to provide the Data marked as mandatory will prevent the Cashback service from being provided. Failure to provide the Data marked as optional does not prevent you from registering on the Portals, but may render the Cashback service offered via the Portals unavailable (unless you subsequently provide the Data) or, in any case, make the use of the service less immediate and user-friendly.

3. Purposes and legal basis for processing

Your Data will be processed by each Data Controller responsible for the relevant refund request in accordance with the principles of necessity, lawfulness, fairness, proportionality and transparency, and exclusively for the following purposes:

  1. allow you to access and use the Cashback service, and ensure the proper management of activities related to or necessary for the provision of such service (including the payment of refunds into your bank account or as a credit on your toll invoice, in accordance with the agreements in force at the time your refund is paid);
  2. to provide you with customer support (via live chat or call centre) to assist you in using the Cashback service or to resolve any reports of malfunctions and/or complaints you may have;
  3. to fulfil legal obligations and requests by the competent authorities.

The legal basis for the processing of your Data for the purposes referred to in points h) and i) is the performance of a contract or pre-contractual measures taken at your request, pursuant to Article 6.1(b) of the GDPR, on the assumption that consent has been given by providing the Data to claim a refund and, therefore, by making use of the Cashback service, as well as for the legitimate interest of the Data Controllers, who are part of the same Group, in the transmission of Data for the management of the service, pursuant to Article 6.1(f) of the GDPR.

The legal basis for the processing of your Data for the purpose referred to in point j) is compliance with a legal obligation, and in particular with ART Resolution No. 132/2024, as supplemented and amended by ART Resolution No. 211/2025 of the Transport Regulatory Authority, to which the Data Controllers are subject pursuant to Article 6.1(c) of the GDPR.

4. Processing methods

Your Data will be processed by computerised means, also with the aid of electronic and information devices, directly and/or through delegated third parties, according to logics strictly related to the purposes indicated in section B.3 above.

Your Data shall be processed in accordance with the GDPR and applicable law, and in such a way as to ensure the security and confidentiality of the Data, to prevent unauthorised disclosure or use, alteration or destruction.

The processing of your Data will be entrusted, in each operation, to employees and/or collaborators of each Data Controller for the relevant activities, duly authorised and appointed.

Any third-party companies appointed by each Data Controller (such as Autostrade per l’Italia) will act as Data processors within the meaning of Article 28 of the GDPR (“Data Processors”). A full list of persons appointed as Data Processor is available at the DPO’s, which can be reached as specified in Section B.1 above.

Please note that each concessionaire, acting as an independent Data controller, may collect the personal identification Data of the Data subject as part of its activities relating to the management of refund claims for which they are responsible, through intra-group communication.

5. Data retention period and locations

Your Data will be stored on the Data Controller's server located in the European Union, and will not be disseminated or transferred outside the European Union. Your Data will only be processed by the Data Controller for the time strictly necessary to pursue the purposes set out in Section B.3 above. In particular:

  • for the purposes referred to in point h) of section B.3 above, your Data will be retained by each Data Controller, in relation to the refunds for which they are responsible, within the limits set out in the aforementioned Resolutions even if you were to delete your account, and in any event until you expressly request the deletion of your Data from the Data Controller’s DPO (see contact details in section B.1 above). It is understood that the Data Controller may retain your Data in order to defend its rights in relation to disputes outstanding at the time of the request or at the direction of the Public authorities;
  • for the purposes of point b) in Section B.3 above, we inform you that calls and chats are recorded and stored together with the Data contained therein for the time necessary to resolve your request for assistance, report and/or complaint, as well as to provide you with feedback and improve the customer care service. Even in this case, however, it is understood that the Data Controller may retain your Data within the limits of the law, in order to prove the fulfilment of its contractual obligations, and to defend its rights in relation to outstanding disputes or at the direction of Public authorities;
  • for the purposes of point d) in section B.3 above, your Data will be retained by the Data Controller as long needed to fulfil any legal obligations.

6. Rights of the Data Subject

Please note that under the GDPR you have the right to:

  • obtain information on the purposes for which your Data is processed, the period of processing and the persons the Data is disclosed to (right of access);
  • obtain rectification or integration of inaccurate Data concerning you (right of rectification);
  • have your Data deleted in the following cases: (a) the Data is no longer necessary for the purposes for which it was collected; (b) you have objected to the processing of your Data, where it is processed on the basis of a legitimate interest of each Data Controller; (c) the processing of your Data does not comply with the law; (d) you have submitted an explicit request for the deletion of your Data. However, we would like to point out that Data retention by each Data Controller is lawful if it is necessary in order to comply with a legal obligation or to ascertain, exercise or defend a right in a court of law (so-called right to erasure);
  • obtain that the Data concerning you be only stored without any other use of them in the event that (a) you should object to the accuracy of your Data, for the period necessary to allow us to verify their accuracy; (b) the processing is unlawful, but you still object to the deletion of the Data by ASPI (c) the Data are necessary for the ascertainment, exercise or defence of a legal right; (d) you objected to their processing and are waiting for verification of whether each Data Controller's legitimate reasons for processing prevail over those of the Data subject (the so-called right to restriction);
  • receive the Data concerning you in a commonly used, machine-readable and interoperable format, and to have your Data transferred to another Data controller (so-called right to Data portability).

The aforementioned rights may be exercised by making a request without formalities to the DPO of the single Data Controller involved, whose contact details are set out in Section B.1 above.

Finally, we would like remind you that you have the right to address the Garante per la protezione dei dati personali, Piazza Venezia, 11, 00187 Roma (RM), to assert your rights in relation to the processing of your Data.