Information Notice on the Processing of Personal Data

in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)

Data Controller

The data controller is Franciacorta Rooms, based at Via Seradina 4, 25040 Colombaro (BS), reachable at the email address info@franciacortarooms.it.

2. Types of Data Processed and Purposes

2.1 Site Navigation

While browsing on franciacortarooms.it Computer systems automatically collect certain technical data necessary for the website's operation: IP address, browser type, operating system, pages visited, and access times. This data is processed for security and technical maintenance purposes and is not associated with user identification data.

  • Legal basis: the legitimate interest of the Controller (Art. 6, para. 1, lit. f, GDPR)
  • Shelf life: 7 days, unless a criminal offence requires further investigation

2.2 Booking and managing your stay

To make a reservation through the website, you will need to provide the following personal details: full name, email address, phone number, dates of stay, number of guests, and optionally, any additional notes. This data is processed for:

  • Manage reservation requests and check room availability;
  • confirm, modify, or cancel the booking;
  • Send communications relating to the stay (confirmation, reminders, review requests);
  • to fulfil the tax and administrative obligations provided for by law, including the communication of guest data to the public security authorities pursuant to Presidential Decree no. 77 of 22 September 1913 and its implementing provisions.
  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR); compliance with a legal obligation (Art. 6(1)(c) GDPR)
  • Shelf life: 10 years from the termination of the contractual relationship for tax obligations; public security data are retained within the terms provided by current legislation

2.3 Online payment via Stripe

The Website uses Stripe (Stripe Payments Europe, Ltd., whose registered office is at 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) as a payment gateway for the management of online transactions. When the customer chooses to pay online, payment data (credit/debit card number, expiry date, CVV code, cardholder name) are entered directly into a secure form provided by Stripe and transmitted encrypted directly to Stripe.

Franciacorta Rooms never takes possession of, sees, or stores complete payment card data. The Structure receives only confirmation of the transaction's outcome and an anonymised transaction identifier from Stripe.

Stripe is certified PCI DSS Level 1, the highest security standard for the processing of payment data. For complete information on the data processing carried out by Stripe, please refer to Stripe Privacy Policy.

  • Legal basis: performance of the contract (Art. 6, para. 1, lit. b, GDPR)
  • Shelf life: The transaction data (amount, date, outcome) are kept for 10 years for tax and accounting purposes.

2.4 User account registration

When you choose to create an account on the site, you provide your name, email address, and password. The account allows you to access the members' area to view and manage your bookings.

  • Legal basis: execution of a contract / provision of a service requested by the user (Art. 6, para. 1, letter b, GDPR)
  • Shelf life: until account deletion by the user or for prolonged inactivity exceeding 3 years

2.5 Transactional Email Communications

Following booking, the Property Owner sends automated communications regarding the stay: confirmation of receipt of the request, confirmation of the stay, pre-arrival reminders and a review request after check-out. These emails are not for commercial or promotional purposes.

  • Legal basis: performance of the contract (Art. 6, para. 1, lit. b, GDPR)

2.6 Direct contact via email

Anyone who contacts the Data Controller via email voluntarily provides their personal data (name, email address, and the information contained in the message). This data is used exclusively to respond to the request received.

  • Legal basis: the legitimate interest of the Controller (Art. 6, para. 1, lit. f, GDPR)
  • Shelf life: until the request is exhausted and in any case not exceeding 2 years

3. Cookies and Tracking Technologies

The website uses technical cookies necessary for the functionality of searching availability, booking, and accessing the reserved area. In particular:

  • Session cookies maintain the browsing session and access to the reserved area active;
  • LocalStorage temporarily store (for 7 days) the search parameters entered by the user (dates, number of guests) to maintain consistency across site pages.

The site integrates the APIs of Google Maps for viewing the map of the surroundings and the payment service Stripe, which can set its own technical cookies as part of the payment process. Please refer to the respective privacy policies for more details. Cookie preference management is handled by Usercentrics as indicated in the Cookie Policy.

No first-party profiling or marketing cookies are used.

4. Methods of Treatment and Safety

Personal data is processed using electronic tools and with adequate security measures to prevent unauthorised access, disclosure, modification, or destruction. The site uses the protocol HTTPS with SSL/TLS encryption for all communications. Access to data is restricted to authorised persons by the Data Controller within the scope of the indicated purposes.

5. Communication to Third Parties

Personal data is not sold or passed on to third parties for commercial purposes. It may be communicated in the following circumstances:

  • Stripe Payments Europe, Ltd.: for the management of online payment transactions, as Controller within the meaning of Art. 28 GDPR;
  • SMTP Provider (Brevo/Sendinblue): for the sending of transactional email communications, as Data Controller pursuant to Article 28 GDPR;
  • Public authorities Guest data is communicated to public security authorities (Questura/State Police) in the terms and by the methods provided for by current legislation regarding accommodation facilities;
  • Tax authorities in cases provided for by tax legislation.

Stripe operates partly on infrastructure in the United States. The transfer is protected by adequate safeguards under the GDPR (Standard Contractual Clauses and adherence to the EU-USA Data Privacy Framework). For further details, please refer to Stripe Privacy Policy.

6. Data Subject Rights

Pursuant to Articles 15-22 of the GDPR, the data subject has the right to:

  • Access (Art. 15): obtain confirmation that personal data concerning them is being processed and receive a copy thereof;
  • Correction (Art. 16): obtain correction of inaccurate or incomplete data;
  • Erasure (Article 17): obtain the erasure of their data, except for legal obligations that require its retention;
  • Restriction of processing (Art. 18): to obtain the restriction of processing in the cases provided for;
  • Portability (Art. 20): to receive your data in a commonly used, structured format;
  • Opposition (Art. 21): object to processing based on the legitimate interests of the Controller;
  • Withdrawal of consent withdraw consent at any time, without prejudice to the lawfulness of the processing carried out before the withdrawal.

Requests can be sent to info@franciacortarooms.it. The Data Controller will reply within 30 days of receipt.

The data subject also has the right to lodge a complaint with’Information Commissioner's Office (www.garanteprivacy.it).

7. Updates

This privacy notice may be updated following regulatory changes or the introduction of new services. The updated version is always available on this page.