Privacy Policy
PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA
Users of the website “Hotel Casolare Le Terre Rosse” (hereinafter, the “Website”)
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”)
Document updated on: 14/01/2026
1) DATA CONTROLLER AND CONTACT DETAILS
The Data Controller is:
HOTEL CASOLARE TERRE ROSSE di Niccolini Elisa & C. SNC
Loc. San Donato – 53037 San Gimignano (SI) – Italy
VAT No. / Tax Code: 00782250526
Privacy contact: info@hotelterrerosse.com
Privacy contact person: Niccolini Elisa
DPO (Data Protection Officer): not required / not appointed.
2) SCOPE OF APPLICATION
This privacy notice describes how the Data Controller processes the personal data of users who:
● browse the Website;
● contact the Data Controller (e.g. via email or forms on the Website);
● submit requests or bookings (stay/restaurant) and receive related communications.
This notice does not apply to external websites or services accessible via links on the Website, for which reference should be made to their respective privacy notices.
Cookie note: cookie management (banner, preferences, categories and third parties) is handled by another consultant and is not covered in this document. Users may consult the Cookie Policy at the following address: https://www.hotelterrerosse.com/en/cookie-policy.
3) WHAT DATA WE PROCESS (CATEGORIES) – SIMPLE EXPLANATION
3.1 Browsing data (technical and security data)
When you visit a website, your device and the systems that allow the Website to operate automatically generate certain technical information. These are not “data you enter”, but data produced during the Internet communication between your device and the Website’s server.
Examples of browsing data:
● IP address (a number assigned to your Internet connection, necessary to deliver the requested content);
● date and time of access, duration of the visit;
● pages viewed and resources requested (e.g. images, technical files);
● system logs and security logs (technical records useful for detecting malfunctions and anomalous activities);
● technical information about the browser and device (e.g. browser type, language, operating system);
● technical identifiers and parameters required to ensure the Website is available and secure.
Why these data exist: without some of this information, a website would not be able to “respond” to user requests (load pages and content, protect itself from malicious traffic, prevent abuse).
How we use them: to ensure the Website works properly, to guarantee security, to prevent unauthorised access, to diagnose issues and, if necessary, to establish liability in the event of abuse or attacks.
Important: browsing data are not collected to “profile” you, but they may allow indirect identification in specific cases (e.g. investigations into security incidents). For this reason, they are considered personal data when they can be linked to a user.
3.2 Data voluntarily provided by the user (contacts and forms)
When you write to us or fill in contact forms/areas, we process the data you choose to send us. These may generally include:
● first and last name;
● email and/or phone number;
● the content of the message (information requests, availability, quotations, organisational requests).
What “voluntarily provided” means: you decide whether to contact us and what information to enter. However, some data (e.g. email or phone number) are normally necessary for us to reply.
3.3 Data related to bookings (stay and restaurant)
In order to manage requests and bookings (and related communications), we process data necessary for organising the stay or the requested service. Examples include:
● identification and contact data (first name, last name, email, phone number);
● organisational details of the request (dates, number of guests, any preferences, specific requests);
● any notes entered by the user (e.g. logistical requests).
Stay booking: from the Website, the user is redirected to a third-party platform (SimpleBooking) for booking management; for processing carried out by that platform, please refer to its respective notices.
Restaurant booking: a request submitted from the Website is sent only as an email; the data will be used to handle the request and reply.
4) WHY WE PROCESS DATA (PURPOSES) AND LEGAL BASIS
4.1 Browsing, operation and security of the Website
Purposes:
● enable browsing and provide the requested content;
● technical management and maintenance;
● prevention of unauthorised access and malicious activity;
● log management and diagnosis of anomalies and malfunctions.
Legal basis: the legitimate interest of the Data Controller (Art. 6(1)(f) GDPR) in ensuring the security and proper functioning of the Website and/or technical necessity connected with the use of the service.
Nature of the provision: providing browsing data is linked to the normal use of a website; without such technical data, some functions may not be available.
4.2 Management of requests, contacts and assistance
Purpose: to respond to user requests (information, availability, quotations, operational communications) and manage correspondence.
Legal basis: performance of pre-contractual measures taken at the data subject’s request (Art. 6(1)(b) GDPR) and/or the legitimate interest of the Data Controller (Art. 6(1)(f) GDPR) in responding to requests.
Nature of the provision: optional; however, if you do not provide the minimum necessary data (e.g. a contact detail), we will not be able to respond.
4.3 Booking management (stay/restaurant) and related communications
Purpose: to handle requests and bookings, send confirmations/replies, manage changes and operational communications.
Legal basis: performance of pre-contractual/contractual measures (Art. 6(1)(b) GDPR).
Nature of the provision: necessary to manage the booking/request. If the required data are not provided, we will not be able to proceed.
4.4 Marketing (newsletter, offers, promotional communications) – ONLY WITH CONSENT
Purpose: to send you promotional communications, offers, updates, initiatives and news related to the Data Controller’s services.
Legal basis: the data subject’s consent (Art. 6(1)(a) GDPR).
Nature of the provision (key point):
● optional: you are free not to give consent;
● no consequences on browsing, contact requests and bookings: you can still request information and book without marketing;
● consent must be collected through a separate, unticked checkbox;
● you may withdraw consent at any time (see Section 9), without affecting the lawfulness of processing carried out before withdrawal.
4.5 Profiling/analysis for marketing purposes (if applicable) – ONLY WITH SEPARATE CONSENT
If activated, profiling consists of analysing certain information (e.g. interactions with sent communications, expressed preferences) in order to personalise promotional content and make it more relevant.
Legal basis: specific and separate consent (Art. 6(1)(a) GDPR).
Nature of the provision: optional and separate from marketing consent. Refusing profiling does not prevent booking or use of the Website.
5) DATA RECIPIENTS
Data may be processed by:
● authorised internal staff;
● external parties providing services related to the Website and the management of requests/bookings (e.g. hosting, maintenance, IT support, email services, booking platforms).
Key suppliers: Qnt S.r.l a Socio Unico
These parties may act as Data Processors pursuant to Art. 28 GDPR.
6) TRANSFERS OF DATA OUTSIDE THE EU
Where certain suppliers process data outside the European Economic Area, the Data Controller ensures that the transfer is carried out in compliance with the GDPR (Arts. 44 et seq.), adopting appropriate safeguards (e.g. adequacy decisions, standard contractual clauses and additional measures, where necessary).
7) RETENTION PERIODS
Data are stored for the time strictly necessary for the purposes for which they were collected:
● browsing/technical log data: generally for short periods, compatible with technical and security needs, unless necessary to establish liability in case of incidents/abuse;
● requests and contacts: for the time necessary to manage the request and for any organisational needs or protection of rights;
● bookings: for the time necessary to manage the booking and related obligations;
● marketing/profiling: until consent is withdrawn or deletion is requested, in accordance with the principles of data minimisation and storage limitation, and in any case for no longer than 2 years.
8) PROCESSING METHODS AND SECURITY MEASURES
Processing is carried out using manual and/or electronic and telematic tools, with logic related to the stated purposes and with appropriate technical and organisational measures to ensure security, integrity and confidentiality of data.
9) DATA SUBJECT RIGHTS (ARTS. 15–22 GDPR) – PRACTICAL EXPLANATION
You may exercise your GDPR rights at any time. Below is a clear description of what they mean and when you can use them.
9.1 Right of access (Art. 15 GDPR)
You may request confirmation as to whether your personal data are being processed and obtain:
● a copy of the data;
● the purposes of processing;
● the categories of data processed;
● the recipients or categories of recipients;
● the retention period or the criteria used to determine it;
● the origin of the data (if not collected directly from you);
● information on automated decision-making processes, if any, and the logic used.
Example: “I would like to know what data you have about me and for what purposes you use them.”
9.2 Right to rectification (Art. 16 GDPR)
You may request correction or updating of inaccurate data and completion of incomplete data.
Example: “My phone number has changed: please update your records.”
9.3 Right to erasure (“right to be forgotten”, Art. 17 GDPR)
You may request deletion of data when, for example:
● they are no longer necessary for the purposes;
● you withdraw consent and there are no other legal grounds;
● you object to processing and there are no overriding legitimate grounds;
● processing is unlawful.
Please note: deletion may not be possible for data we must retain to comply with legal obligations or to protect rights in legal proceedings.
9.4 Right to restriction of processing (Art. 18 GDPR)
You may request that your data be stored but not used (except for specific exceptions), for example:
● if you contest the accuracy of the data (for the time needed for verification);
● if processing is unlawful and you prefer restriction instead of deletion;
● if the data are needed by you to establish, exercise or defend a right;
● if you have objected to processing and the balancing of interests is being assessed.
9.5 Right to data portability (Art. 20 GDPR)
For data processed by automated means and based on consent or contract, you may request:
● to receive the data in a structured, commonly used and machine-readable format;
● direct transmission to another controller, where technically feasible.
9.6 Right to object (Art. 21 GDPR)
You may object:
● to processing based on legitimate interest, for reasons related to your particular situation (we will assess the request);
● at any time to processing for direct marketing: in such a case, we will stop processing for that purpose.
9.7 Right to withdraw consent (Art. 7 GDPR)
Where processing is based on consent (e.g. marketing and/or profiling), you may withdraw it at any time:
● withdrawal does not affect the lawfulness of processing carried out before withdrawal;
● from the moment of withdrawal, we will stop processing based on that consent.
9.8 Right to lodge a complaint (Art. 77 GDPR)
If you believe processing violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) or to take legal action before the competent courts.
10) HOW TO EXERCISE YOUR RIGHTS / CONTACTS
To exercise your rights or request information about the processing of personal data, you may write to:
info@hotelterrerosse.com
(recommended subject: “Privacy Request – exercise of GDPR rights”).
11) UPDATES
The Data Controller may update this notice over time (e.g. due to changes in services or legal updates). The version published on the Website is the one in force at the time of consultation.
