Privacy Policy

1. Purpose & Scope

The purpose of this Privacy Policy is to clearly, thoroughly, and accessibly inform individuals interested in our accommodation services and our guests (hereinafter: Data Subjects or Guests) about all matters relating to the processing of their personal data — including the purposes, legal basis, duration of processing, data processors involved, and the rights available to Data Subjects.

The Data Controller processes personal data in compliance with applicable legislation — in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), as well as applicable Italian privacy law.

2. Data Controller

• Name: Szabo C. Mikael
• Address / Property Address: Via Castellana 37, 56030 Lajatico (PI), Italy
• Phone: +39 334 767 5576
• Email: info@casadelizia.it

3. Categories, Purposes, Legal Bases & Retention Periods

3.1. Contact, Inquiries & Information

• Data processed: First and last name, email address, phone number, and any other personal data voluntarily provided in the inquiry.
• Purpose: Responding to inquiries, providing quotes, and maintaining communication.
• Legal basis: The Data Subject's voluntary consent (GDPR Art. 6(1)(a)), or steps taken prior to entering into a contract.
• Retention period: Where no booking follows the inquiry, data is deleted within 30 days of the response, or upon withdrawal of consent.

3.2. Accommodation Booking & Service Delivery

• Data processed: Name, address, email, phone number, booking details (check-in, check-out, number of guests).
• Purpose: Concluding and fulfilling the accommodation contract, recording and confirming the booking, guest communication.
• Legal basis: Performance of a contract to which the Data Subject is a party (GDPR Art. 6(1)(b)).
• Retention period: Until the last day of the calendar year following the stay (maximum 2 years), or until the expiry of any civil law statute of limitations.

3.3. Billing & Accounting Obligations

• Data processed: Billing name, address, tax number (for businesses), service fee, payment transaction data.
• Purpose: Issuing legally required invoices and fulfilling accounting obligations.
• Legal basis: Compliance with a legal obligation applicable to the Data Controller (GDPR Art. 6(1)(c)).
• Retention period: Invoices and supporting documents must be retained for 8 years from the date of issue.

3.4. Statutory Guest Registration & Tourism Tax

• Data processed: Full name, birth name, date and place of birth, gender, nationality, identity document or passport number, mother's name, home address.
• Purpose: Fulfilling legal data reporting obligations to Italian law enforcement and tourism authorities, and compliance with local tourism tax requirements.
• Legal basis: Compliance with a legal obligation (GDPR Art. 6(1)(c)).
• Retention period: As required by applicable Italian tourism and public security legislation.

4. Data Security

The Data Controller treats personal data with the utmost care and strict confidentiality. Electronic data processing and records are protected by firewalls, password protection, and antivirus software to prevent unauthorized access, modification, disclosure, or deletion. Physical documents are stored in a secured location.

5. Data Transfers & Data Processors

The Data Controller shares personal data with third parties only to the extent necessary for service delivery and legal compliance. The following data processors may be engaged:

• Hosting provider: TeamSystem Contabilità, Pesaro, Via Sandro Pertini, 88, 61122, PU, Italy (Purpose: technical operation of the website and processing of messages and bookings received through it).
• Accounting software / accountant: BDO Italia (Purpose: issuing invoices and bookkeeping).
• Authorities: Relevant Italian law enforcement and local government bodies (Purpose: compliance with public security regulations and tourism tax obligations).

6. Rights of Data Subjects

Under the GDPR, Data Subjects have the right to:

• Access: Receive confirmation as to whether their personal data is being processed, and access that data.
• Rectification: Request the correction of inaccurate data or the completion of incomplete data.
• Erasure ("Right to be forgotten"): Request deletion of data where the processing purpose has ceased or consent has been withdrawn (except where processing is required by law, e.g. for invoicing).
• Restriction of processing: Where data is disputed or processing is unlawful.
• Data portability: Receive provided data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Object to the processing of their personal data.

Requests to exercise these rights should be sent to info@casadelizia.it or by post to the Data Controller's address. The Data Controller will respond without undue delay, and in any event within 30 days.

7. Right to Lodge a Complaint

If a Data Subject believes that Casa Delizia (Szabo C. Mikael) has violated applicable data protection legislation, they may lodge a complaint with the relevant supervisory authority:

Data Subjects also have the right to seek judicial redress against the Data Controller in competent courts.

8. Amendments to This Policy

The Data Controller reserves the right to amend this Privacy Policy unilaterally. Changes take effect upon publication on the website.