The purpose of this privacy policy is to provide all the information on the processing of personal data carried out by Villa La Ripa S.r.l. (as indicated below).
1. INTRODUCTION – WHO ARE WE?
Villa La Ripa S.r.l., with registered office in Arezzo - Località Antria, 38 – 52100, Italy, VAT No. and Fiscal Code No. 02299020517 and registration number in the Italian trade Register of Arezzo under number REA 176325 (hereinafter, “Data Controller”), manager of the internet website https://www.villalaripa.it/en/ (hereinafter, the “Website”), in its capacity as data controller in relation to personal data pertaining to the users using the Website (hereinafter, the “Users”) hereby provides the privacy policy pursuant to art. 13 of the Regulation EU 2016/679 of the Council of 27 April 2016 (hereinafter, “Regulation” or “Applicable Law”).
2. HOW TO CONTACT US?
The Data Controller takes the utmost account of its Users’ right to privacy and protection of personal data.
For any information related to this privacy policy, Users may contact the Data Controller at any time, using the following methods:
- by registered letter with return receipt (to the following address: Arezzo - Località Antria, 38 – 52100, Italy);
- by sending an e-mail to info@villalaripa.it.
The Data Controller has not identified a data protection officer (DPO), as it is not subject to the obligation of designation provided for by art. 37 of the Regulation.
3. WHAT DO WE DO? - PROCESSING PURPOSES
By browsing the Website, the User can keep up to date with the products and services developed by the Data Controller, as well as register on the Website in order to access the reserved area and/or book a private tour to the Data Controller's premises (hereinafter, "Service").
In connection with the activities that may be carried out through the Website, the Data Controller collects personal data relating to Users.
It is also possible to book tours, experiences and activities at the Data Controller's premises through other platforms that may be indicated on the Website. Where there is a link to this information notice, the latter shall also apply to the processing of personal data collected through the said platforms, which are collected by the Data Controller for the purposes set out in this privacy policy.
This Website and any services offered through the Website are reserved for persons over 18 years of age. Accordingly, the Data Controller does not collect personal data pertaining to persons under 18 years of age. At the request of the Users, the Data Controller will promptly delete all personal data, involuntarily collected, pertaining to persons under 18 years of age.
In particular, the personal data of the Users will be lawfully processed for the following purposes:
a) Contractual obligations and provision of the Service: to enable navigation of the Website or to execute the Terms and Conditions of the Website, which are accepted by the User during registration or purchase on the Website; to fulfil specific requests of the User sent to the Data Controller through the Website or other methods provided therein. The User's data collected by the Data Controller for the purposes of registration and/or booking of tours, experiences and/or activities on the Website include: name, surname, date of birth, country, address, telephone and/or mobile phone number, email address; as well as all the User's personal information that may be voluntarily published.
Unless the User gives the Data Controller a specific and optional consent to the processing of his/her personal data for the further purposes provided for in the following paragraphs, the User's personal data will be used by the Data Controller for the exclusive purpose of ascertaining the User's identity (also by validating the e-mail address), thus avoiding possible fraud or abuse, and contacting the User for service reasons only (e.g. sending notifications regarding the services offered on the Website). Without prejudice to what is provided for elsewhere in this privacy policy, under no circumstances will the Data Controller make Users' personal data accessible to other Users and/or third parties;
b) Administrative and accounting purposes, i.e., to carry out activities of an organisational, administrative, financial and accounting nature, such as internal organisational activities and activities functional to the fulfilment of contractual and pre-contractual obligations;
c) Legal obligations, i.e., to comply with obligations imposed by law, an authority, a regulation or European legislation.
The provision of personal data for the above-mentioned processing purposes is optional but necessary, since failure to provide such data will make it impossible for the User to make their request to the Data Controller, to register on the Website or, where required, to book tours and/or experiences and make the desired purchase.
Personal data which are necessary for the pursuit of the processing purposes described in this paragraph 3 are indicated with an asterisk in the request form (or are otherwise marked as “mandatory”).
4. OTHER PROCESSING PURPOSES
Marketing (sending of advertising material, direct sales and commercial communication, Newsletter)
With the User's free and optional consent, some of the User’s personal data (name, surname and e-mail address) may also be processed by the Data Controller for marketing purposes (for example, sending advertising material, direct sales, commercial communications or newsletters containing news about the sector relating to the Website's activities and the services offered by the Data Controller), or in order for the Data Controller to contact the User by e-mail to propose the purchase of products and/or services offered by the Data Controller and/or by third parties, and to present offers, promotions and business opportunities of the Data Controller and/or of third parties.
In case of lack of consent, the possibility to fulfill the purposes set out in previous paragraph 3 will not be in any way affected.
In case of consent, the User may at any time withdraw the same, making a request to the Data Controller in the manner indicated in paragraph 8 below.
The User can also easily object to further promotional communications via e-mail by clicking on the link for the revocation of consent, which is present in each promotional e-mail. Once the consent has been revoked, the Data Controller will send the User an e-mail message confirming the revocation of the consent.
The Data Controller informs Users that, after exercising the right to object to promotional communications via e-mail, the User may continue to receive further promotional messages for technical and operational reasons (e.g. contact lists already compiled shortly before the Data Controller received the objection request). Should the User continue to receive promotional messages more than 24 hours after exercising the right to object, please report the problem to the Data Controller, using the contacts indicated in paragraph 8 below.
5. LEGAL BASIS FOR PROCESSING
Contractual obligations and provision of the Service (as described in the previous paragraph 3, letter a)): the legal basis consists of art. 6, paragraph 1, lett. b) of the Regulation, i.e., the processing is necessary for the performance of a contract to which the User is party or in order to take steps at the request of the data subject prior to entering into a contract.
Administrative and accounting purposes (as described in the previous paragraph 3, letter b)): the legal basis consists of art. 6, paragraph 1, lett. b) of the Regulation, as the processing is necessary for performance of a contract to which the User is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligations (as described in the previous paragraph 3, letter c)): the legal basis consists of art. 6, paragraph 1, lett. c) of the Regulation, as the processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
Other processing purposes (as described in paragraph 4 above): for the processing relating to marketing activities, the legal basis is Article 6, paragraph 1, letter a) of the Regulation, i.e., the provision by the data subject of consent to the processing of his/her personal data for one or more specific purposes. For this reason, the Data Controller asks the User to provide a specific free and optional consent, in order to pursue such processing purpose.
6. PROCESSING METHODS AND DATA RETENTION PERIOD
The Data Controller will process the personal data of Users using manual and IT tools, with logic strictly related to the purposes themselves and, in any case, in order to guarantee the security and confidentiality of the data.
The personal data of Users will be retained for the time strictly necessary to carry out the main purposes explained in paragraph 3 above or, in any case, as necessary for the protection in civil law of the interests of both the Users and the Data Controller.
In the case referred to in paragraph 4 above, Users' personal data shall be stored for the time strictly necessary to fulfil the purposes set out therein and, in any case, until Users withdraw their consent.
7. TRANSMISSION AND DISSEMINATION OF DATA
The User’s personal data may be transferred outside the European Union, and, in this case, the Data Controller will ensure that the transfer takes place in accordance with the Applicable Law and, in particular, in accordance with Articles 45 (Transfer on the basis of an adequacy decision) and 46 (Transfer subject to adequate guarantees) of the Regulation.
The personal data of the Users may be disclosed to the employees and/or collaborators of the Data Controller in charge of managing the Website and the Users’ requests. These subjects, who have been instructed to do so by the Data Controller pursuant to Article 29 of the Regulation, will process the User’s data exclusively for the purposes indicated in this policy and in compliance with the provisions of the Applicable Law.
The personal data of the Users may also be disclosed to third parties who may process personal data on behalf of the Data Controller as “Data Processors” pursuant to Article 28 of the Regulation, such as, for example, IT and logistic service providers functional to the operation of the Data Controller’s Website, suppliers of outsourcing or cloud computing services, professionals and consultants.
Users have the right to obtain a list of any data processors appointed by the Data Controller, making a request to the Data Controller in the manner indicated in paragraph 8 below.
8. RIGHTS OF THE DATA SUBJECTS
Users may exercise their rights granted by the Applicable Law by contacting the Data Controller as follows:
- by registered letter with return receipt (to the following address: Arezzo - Località Antria, 38 – 52100, Italy);
- by e-mail (to the following address: info@villalaripa.it).
The Data Controller has not identified a data protection officer (DPO), as it is not subject to the obligation of designation provided for by art. 37 of the Regulation.
Pursuant to Applicable Law, the Data Controller informs Users that they have the right to be informed of: (i) the origin of personal data; (ii) the purposes and methods of the processing; (iii) the logic applied in the event of processing carried out with the aid of electronic instruments; (iv) the identification details of the data controller and data processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them as processors or agents.
Furthermore, Users have the right to obtain:
a) Access, updating, rectification, or, when interested, integration of data;
b) The cancellation, transformation into anonymous form or the restriction of data processed in breach of the law, including data that does not need to be stored in relation to the purposes for which the data was collected or subsequently processed;
c) Certification to the effect that notification has been supplied of operations as per letters a) and b), as regards their content, to those to whom the data was communicated or disseminated, except for the case where notification proves impossible or requires the use of means clearly disproportionate to the right being protected.
Moreover, the Users have:
a) The right to withdraw consent at any time, if the processing is based on their consent;
b) The right to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine-readable format);
c) The right to object:
i) in whole or in part, for legitimate reasons, to the processing of personal data relating to them, even if pertinent to the purpose of collection;
ii) in whole or in part, to the processing of personal data for the purpose of sending advertising or sales materials or for the carrying out of market research or for commercial communication purposes;
iii) if personal data is processed for direct marketing purposes, at any time, to the processing of data for this purpose, including profiling in so far as it is related to such direct marketing.
d) If it is deemed that the processing concerning their personal data violates the Regulation, the right to lodge a complaint with a Supervisory authority (in the Member State in which they usually reside, in the one in which they work or in the one in which the alleged violation has occurred). The Italian Supervisory Authority is the “Garante per la protezione dei dati personali”, with registered offices in Piazza Venezia No. 11, 00187 – Rome (http://www.garanteprivacy.it/).
_____________
The Data Controller is not responsible for updating all links viewed in this privacy policy, therefore, whenever a link does not work and/or is not updated, the Users acknowledge and accept that they must always refer to the document and/or section of the websites referred to by this link.