Privacy Statement

1. Introduction

We respect your privacy in accordance with Regulation (EU) 2016/679 (known as GDPR in English). Pursuant to Articles 13 and 14 of the aforementioned Regulation, we communicate the following.

We are committed to protecting and safeguarding all the personal information you provide to us. We also invite you to read our Cookie Policy, which explains how we use cookies. If you do not agree with this Privacy Policy, we kindly ask you to leave the site. Our services are intended only for adults (18 years and older).

2. What Information Do We Collect and Use?

Personal Data: Personal data is any information that, directly or indirectly, even in connection with any other information, including a personal identification number, identifies or makes identifiable a natural person. We do not collect the user's personal data during anonymous browsing on our site.

If you make a reservation, we collect the following information:

  • First and last name
  • Email address
  • Mobile phone number
  • Any information voluntarily disclosed that may contain sensitive data such as disabilities, dietary preferences, etc.
  • Credit card data if you choose this payment option through our booking engine

If you send an information request via email, we collect:

  • First and last name
  • Email address
  • Any information voluntarily disclosed that may contain sensitive data such as disabilities, dietary preferences, etc.

Reservations from Third Parties: We receive bookings from OTAs, travel agencies, social media sources, and others. In these cases, we are provided with a minimum set of personal data such as the guest's first and last name and, in some cases, a phone number and/or email address, in line with your settings on third-party services.

Management Software: We use the software QUOVAI PMS (a property management system) to manage our property. There is a Data Processing Agreement (DPA) between us (as Data Controller) and our supplier QUOVAI S.r.l. (as Data Processor) that is compliant with Regulation (EU) 2016/679 (GDPR compliant).

Data Processing Purposes in the PMS:

  • Providing a quote
  • Carrying out tourist booking services
  • Compiling documentation for regulatory obligations (e.g., public safety communications, ISTAT)
  • Calculating the tourist tax
  • Preparing invoices or receipts
  • Maintaining statistics to measure the property's performance

3. Data Processing Location

The processing related to the web service provided by QUOVAI S.r.l. takes place at the company's headquarters and on the data centers of HETZNER, located in Germany. No data transfer outside the European Union is carried out.

The Platform may share some of the data collected with services located outside of Italy, particularly through Google Analytics 4, a web analytics service provided by Google Inc. (“Google”). These data may be transferred outside the European Union, for example, to the United States, in accordance with the new EU-U.S. Data Privacy Framework (DPF), which ensures the protection of personal data.

All data collected is managed securely and transparently, with the aim of improving the user experience and optimizing our services.

4. On What Legal Bases Do We Process Your Personal Data?

  • Execution of a contract in which you are a party – the provision of data is mandatory, as it is required to establish the pre-contractual and contractual relationship of short-term rental (the stay) between us. The legal basis is based on Article 6 (1) (f) of Regulation (EU) 2016/679.
  • Purpose based on the consent of the data subject for the sending of commercial and/or marketing communications. The legal basis is based on Article 6 (1) (a) of Regulation (EU) 2016/679.
  • Purposes related to legal obligations – for example, public administrations for their institutional purposes; notification forms to the Public Security Authority in compliance with the communication obligation under Article 109 of the Public Security Law (T.U.L.P.S.). The legal basis is based on Article 6 (1) (c) of Regulation (EU) 2016/679.

5. How Long Do We Retain Your Personal Data?

The processing of personal data is carried out predominantly using IT systems for the time strictly necessary to achieve the purposes for which the data was collected.

  • Email: Your email address may be retained for commercial and marketing purposes only with your express and/or written consent.
  • Credit Card Data: We retain your credit card data (name, type and card number, expiration date, CVC code) for the time necessary to carry out operations related to our business: up to 5 days after check-out. Data related to public security obligations are deleted 5 days after check-out.
  • Special Categories of Data: We do not collect special categories of personal data. However, if this information is entered in a free-text section of our site, such as the request form or the notes field during the booking process, it will be deleted (if identified and recognised) 5 days after check-out.

6. How Do We Protect Your Personal Data?

We follow procedures to ensure that your personal data is not misused or accessed without authorisation:

  • SSL Technology: The PMS uses Secure Socket Layer (SSL) technology, which ensures that all communications cannot be intercepted or deciphered. By convention, Internet addresses (URLs) that imply an SSL connection begin with https:// instead of http://.
  • Lock Icon: In most common browsers, a green lock icon appears to the left of the URL to indicate that a full SSL connection has been established between the user's browser and our site. If your browser does not support SSL technology, you should update to the latest version.
  • Authorised Access: Access to the hotel management PMS is granted exclusively to authorised personnel. Each authorized person has their own access credentials.

7. What Personal Information Do We Disclose to Third Parties?

We DO NOT disclose, transfer, or sell your personal data to companies or third parties not directly involved in the main purposes of our business. However, we may be required to disclose personal data following a request from the Judicial Authority, for the prevention of fraud or crimes in general, or if we deem such action necessary to protect our business.

8. Cookies

For information regarding cookies, please refer to our specific Cookie Policy.

9. Links to Third-Party Websites

From our website, it is possible to access, via dedicated links, third-party websites such as Google Maps, VisitTuscany, and YouTube. We decline any responsibility regarding the management of personal data by these sites and the management of authentication credentials provided by third parties.

We encourage you to carefully read the Privacy Policies of such websites, as their data collection, management, and processing procedures may differ from ours.

10. How Can You Contact Us?

Pursuant to Regulation (EU) 2016/679, you can exercise the following rights:

  • Access your personal data
  • Withdraw consent for direct marketing purposes
  • Object to the processing of your personal data (when it is based on a legal basis other than consent)
  • Verify and request rectification
  • Obtain the limitation of processing (in such cases, we will not process your data for any other purpose except its storage)
  • Obtain the deletion or removal of your personal data
  • Request data portability
  • Lodge a complaint

For any request regarding the processing of personal data,

Finally:

This Privacy Policy may be modified in the future following changes in legislation regarding privacy and data protection. The most updated version of the Privacy Policy will always be available here.

Updated October 2024