Guided tours
Tickets group
Would you like to participate in a guided tour, a family workshop, or are you part of a group of more than 15 people?

Are you a teacher interested in our educational programs for schools of all levels?

Are you planning a corporate event or an exclusive team building at the museum?

Discover what the Leonardo3 Museum has to offer!
Guided tours, schools, companies


This website uses cookies, even of third parties cookies. If you close this button or access to another section or select another part of this webpage we will assume you have accepted cookies. To learn more or to change or differentiate your consent to cookies see here: cookies policy link.


Legal terms

Terms and Conditions of Use
This site is the exclusive property of LEONARDO3 srl, which has created it for the purposes of information, communication, and entertainment. By visiting this Site you agree to be bound by these terms and conditions - which can be modified by LEONARDO3 in its sole discretion, at any time and without notice - and to use this service for lawful purposes and in compliance with the applicable laws and regulations. If you do not agree to such terms and conditions, please notice that you are not allowed to visit the Site.

Copyright and Intellectual Property
The Site contains information, images, photographs, logos, music, video, trademarks, products, advertising, etc. which are exclusive property of LEONARDO3 and/or its subsidiaries (together, “LEONARDO3 SRL”), or granted to LEONARDO3 Group under license by their respective right owners.

Said material is protected against unauthorized use by copyrights, design and trademark laws. You cannot reproduce, totally or in part publish, transmit, modify totally or in part, or sell any of the material contained in this Site. No right or other claims may be deemed assigned to you as a result of downloading and/or copying the abovementioned materials. All signs, patterns, designs, trademarks, logos displayed in the Site are protected, and therefore reproduction, distribution, publishing, transmission, modification, totally or in part, sale and any other usage of the above material is forbidden. Your access to the Site should not be construed as granting, by implication, estoppel or otherwise, any license or right to use any marks appearing on the Site without the prior written consent of LEONARDO3 or the third party owner thereof.

The downloading of material from the Site is permitted only for personal and non-commercial purposes and to the extent expressly authorized by appropriate indications within the Site.

Limitation of Liability
The purpose of the Site is to provide accurate and updated information. LEONARDO3 will do its utmost to ensure that the information presented on the Site fully conforms to the requisites of accuracy and updating. However, the possibility of errors or unintentional omissions cannot be excluded. If errors are notified, they will be corrected. The Site is provided to you strictly on an “as is” basis, and accordingly LEONARDO3 declines any responsibility for any damage, loss, or prejudice of any nature that may result to the users or their property as a consequence of accessing the Site, the impossibility of accessing the Site or the downloading of material from the Site, where this is permitted, including damage to users’ computers caused by viruses.

LEONARDO3 does not accept any responsibility for materials created or published by third parties websites which the Site has a hypertext link with. Users who decide to visit, using a link, a website different from the Site, will do so at their own risk and shall review and agree to that website's rules of use before using it. In addition, a link to a non-LEONARDO3 site does not imply that LEONARDO3 endorses such site or the products or services referenced in such third party site.
Any communication or any other material sent to LEONARDO3, either by e-mail or by web pages, shall be treated as non confidential and for free use. By accepting these rules user represents that no objection will be that the material is made available to users of the Site. You represent that LEONARDO3 has no obligation to keep the material confidential, to pay you any compensation, and warrant that the material does not infringe any third party’s right including but not limited to copyright, trademark, patent, privacy and other laws.

Moreover, LEONARDO3 reserves the right to use said material contents for any purpose and in any manner whatsoever. Certain material transmitted to the Site by its users could be subject to the specific submission rules. Users are recommended to read submission rules thoroughly before sending any material.


Your personal data may be collected when browsing this website. Similarly, electronic messages sent to LEONARDO3 and electronic addresses used to send additional information are likely to be stored. You have the right, free of charge, to access, rectify, modify and oppose the data concerning you or a deceased person for whom you are the legal representative. You may exercise this right by writing to the appropriate department.

LEONARDO3  authorizes access to the Service from any country, subject to the national legislation in force in that country. Users accessing the Service from workstations outside Italian territory expressly acknowledge that they have read, understood, and fully accepted these Terms and Conditions.

These Terms, Conditions and Privacy terms are subject to Italian law. In the event of any dispute arising from the application of these Terms and Conditions, the Parties undertake to attempt to reach an amicable solution. Should this not be possible, the Parties recognize the exclusive competence of the Italian court of Milan.

Site's design
Conception, design and development: ultranoir

General introduction
This policy is divided into two sections: the first is aimed at describing how this website owned by Leonardo3 srl is managed, with reference to the processing of personal data of users who consult it and/or use the services made available to them through the website, such as online ticketing and newsletter services; the second contains information on the processing of users’ personal data that Leonardo3 srl implements through the cookies on the website.

Leonardo3 srl (hereinafter also referred to as the “Company” or “Owner”), in compliance with the legislation on the protection of personal data, intends to guarantee the privacy and security of the personal data of each user/visitor (the reference to them in the body of the policy is equivalent to identifying them as data subjects), also in relation to Internet access made from abroad.

The policy is also provided as a brief information notice and/or with a link to it, pursuant to art.13 of the EU Regulation 679/2016 (hereinafter “GDPR”), to those who interact with the web services of the Site accessible by electronic means. Please note that the information is not provided for other websites that may be consulted by the user through links published on the Site.

Data controller, data processors and persons in charge of data processing
The data controller is Leonardo3 srl, in the person of its legal representative pro tempore, with registered office in Via Monte Napoleone 9, Milan. Personal data may be processed by specially authorized and trained personnel.

Section 1: Processing of data deriving from the user’s subscription to the online ticketing and newsletter services accessible through the leonardo3.net website, as well as those deriving from consultation of the site’s pages.

1. Object, purpose and legal basis of the processing and nature of the personal data
a) The Data Controller collects data from users of the Site through the forms on its pages, which are set up for the use of the ticketing service managed through distribution platforms in agreement with the Data Controller.

The personal data processed are:
• identification data (name, surname, country of origin);
• address and contact details (e-mail and telephone number);
• data provided for the payment of tickets;
• accounting data (company name, VAT number, tax code);
• common data related to the facilities provided for access to museum facilities or events staffed or organized by the holder;
• computer data (e.g. related to the transaction carried out).

Personal data are processed for activities such as those functional to:
• acquiring and processing information useful for establishing the relationship with users for the purchase of tickets online, including reduced or free tickets;
• for the execution of the relationship established and of what follows from it (e.g. registration, data processing, including for accounting purposes, archiving, consultation and storage).

In such cases, the legal basis for the processing is based on:
• the need to carry out pre-contractual measures and the performance of the contract (ex Art. 6 (1) (b) of the GDPR);
• the need to comply with legal obligations (ex art. 6, paragraph 1, letter c) of the GDPR), such as those arising from the proper keeping of accounts and the application of the rules on the modalities of use of and access to the facilities and places of cultural interest referred to in Legislative Decree no. 42/2004, as amended, and Ministerial Decree no.111/2016, as amended.

The processing of personal data for the aforementioned purposes is necessary and any refusal to provide such data will make it impossible to provide the service requested and, therefore, to issue tickets for access to the museum facilities managed by the owner or to events organized by the owner, as well as to use the facilities provided for the aforementioned purposes.

(b) The personal data of the users, such as their contact and address data (in particular e-mail), may also be processed:
• with the User’s prior consent, for subscription to the mailing list set up, also through providers in agreement with the Data Controller, for the sending of newsletters for information purposes, that is to say, to periodically inform the User about the initiatives and developments of the services provided by the Data Controller and the activities related to them.In particular, once the user has provided his or her e-mail address in the “Keep in touch” section of the home page, by clicking on the “Subscribe to the newsletter” button, he or she consents to the processing of his or her personal data for the aforementioned purposes, without having to tick any further boxes. This is because, in accordance with Recital 32 and Article 5(1)(11) of the GDPR, any free, specific, informed and unambiguous manifestation of will by which the data subject expresses his or her consent to the processing of his or her data, by means of an unambiguous statement or positive action, constitutes a manifestation of consent.

In the event of failure to provide personal data, as well as in the absence of consent of the data subject, their processing will not take place for such purposes.

If the user had also used the other services offered by the owner through the site, any refusal to make the data for the newsletter subscription or the lack of consent will not affect the other processing already in place.

Consent, if given, may be revoked at any time and free of charge. The same applies if the user decides to object to the processing. In particular, to object to the processing, the User need only follow the unsubscribe instructions provided at the bottom of each email. In the event of withdrawal of consent, the User may send his request to info@leonardo3.net.

In the event that the user has given his/her consent and subsequently wishes to revoke it or oppose the processing for the purpose of receiving newsletters, the data relating to him/her will be permanently deleted or otherwise excluded from the processing in question (e.g. by being included in a black list), without this having any consequences or adverse effects on the user and on the processing carried out for the other purposes, with the exception also of the processing already carried out for the purposes in question on the basis of the consent given at the time.

c) The Data Controller may also process the personal data of users (including those of an IT nature) in order to guarantee the security and confidentiality of the processing carried out through the services displayed on the Site (ex art. 6, par. 1, lett. f) of the GDPR).
The data controller also acts in fulfillment of other legal obligations (art. 6, par. 1, lett. c) of the GDPR), when it carries out:
• the control and monitoring of HW and SW systems, applications and IT tools used for the processing of personal data, and also when it:
• implements procedures for the detection and notification of personal data breaches;
• responding to requests from competent authorities.
Legitimate interest pursuant to Art. 6(1)(f) of the GDPR) also justifies the data controller in processing the personal data of users in order to protect their rights and to assert their claims in judicial or extrajudicial proceedings and/or to defend themselves against the claims of others.

d) Finally, the website offers content of an informative and interactive nature. Therefore, information about the user or, more generally, about the visitor may be acquired during the visit of the website in the following ways:
• The computer systems and software procedures used to operate the site acquire, during their normal operation, some personal data (navigation data), the transmission of which is implicit in the use of Internet communication protocols.This category of data includes IP addresses (generally considered to be personal data under European law), browser type, operating system, domain name and addresses of websites from which the user accesses or exits, information on the pages visited by the user within the site, access time, length of time spent on each page, internal path analysis and other parameters related to the user’s operating system and computer environment.

This technical/informatics data is collected and used in an aggregated and anonymous manner for the sole purpose of facilitating the use of the navigation service provided by the Owner, in other words, exclusively for the legitimate interest of facilitating the use of the Owner’s content published on the Website and for controlling its correct functioning and obtaining statistical information on its use.

2.Processing methods
Data processing is carried out by means of computerized procedures and, to a lesser extent, on paper by specially authorized internal personnel.
They have access to the personal data of the users if and to the extent necessary for the performance of the processing activities concerning them.
The Data Controller periodically verifies the means used to process the User’s personal data and the security measures in place, and ensures that they are kept up to date; verifies that no personal data is collected, processed, archived or stored if processing is not necessary or if the purposes for which the data was collected are exhausted; verifies that the data is stored with guarantees of integrity and authenticity and that it is used for the purposes of the processing actually carried out. The same precautions are understood to be met in the event that the data controller, for the processing in question, uses suppliers outside its organization, with whom it concludes the agreements referred to in Article 28 of the GDPR.

3. Dissemination of data
Personal data will not be disseminated or disclosed in any way to unspecified and unidentifiable persons, including third parties.

The User’s personal data may be disclosed to:
• suppliers and providers of web services and ICT services and of the management platforms/systems through which the Data Controller carries out the processing(s) referred to in this Policy;
• consultants and maintenance and technical assistance companies;
• public and government authorities and bodies, if the communication of the User’s data to them is necessary for the fulfilment of legal obligations and as a result of specific requests.

The communication concerns the categories of data whose transmission is necessary for the performance of the activities and purposes pursued by the owner in the management of the relationship once established. The relevant processing does not require consent in the event that it is carried out in the face of legal obligations or in order to perform the obligations deriving from the contractual relationship established with the user; or in the event of any other hypothesis of exclusion that is expressly provided for or depends on the legislation, including regulatory legislation, in force and applied by the Owner; or even if the processing is carried out by third parties identified as data processors pursuant to Article 28 of the GDPR. The list of recipients of personal data, to the extent that their identification is possible, may be made available to users upon their specific request.

4. Retention of personal data
Users’ personal data will be kept for the time necessary to achieve the purposes for which they were collected and for any additional time required or permitted by law. In particular for the personal data referred to in paragraph 1, letter a) above, the period of conservation depends on the duration of the relationship established. This is without prejudice to:
• the limitation of processing and other guarantees provided in specific cases;
• the purposes that may survive the conclusion of the contract (e.g. accounting, art. 2220 of the Civil Code)
• the periods provided for by the Civil Code for the exercise of rights (articles 2935, 2946 and 2947 of the Civil Code), where applicable;

for the personal data referred to in letter b) of paragraph 1, the personal data will be kept until the user withdraws his or her consent or objects to the processing by removing himself or herself from the mailing list, or in any case for the duration of the processing;

for the personal data referred to in paragraph 1, letter c) above, the period of retention shall depend on the needs arising from the processing and on the risks assumed and/or discovered and the negative consequences and liabilities arising therefrom, subject to measures to anonymize the data or to limit their processing.The data must be kept (from the time of the knowledge/detection of the risk event or of the breach of personal data) for the time necessary to proceed with the notification to the supervisory authority of the breach of data security detected through the procedures implemented by the data controller and, in any case, to remedy it;

for the personal data referred to in paragraph 1, letter d), when discovered, for no longer than seven days (with the exception of the time necessary for the investigation of criminal offences by the judicial authority).

In any case, subject to the limits established by law or regulation, the retention of the above data may be extended for the time necessary for the management of any litigation that may have been initiated, if functional to it.

5. Transfer of data abroad
Data processed for the purposes referred to in paragraph 1, letters a) and b) may be transferred outside the European Union. Providers (one among others, Mailchimp) may transfer data within servers located in the United States of America: in this case, we warn that at the moment the transfer of data to the United States, if it occurs, is not supported by an adequacy decision, therefore, unless otherwise indicated, the safeguard instrument that presides over the transfer is represented by the standard contractual clauses referred to in Article 46, par. 1, of the GDPR. 
For all other purposes, the management and storage of personal data will take place on servers located in the European Union of the Data Controller and/or third party companies duly appointed as external data processors pursuant to Article 28 of the GDPR.