AL BORGHETTOBoutique Apartments

Privacy Policy

pursuant to Article 13 of EU Regulation 2016/679 (GDPR)

1. Data Controller

The Data Controller of personal data is:

Name
Roberto Di Fede (Mini Appartamenti Al Borghetto)

Address
Via Bruno Fratelli, 22, 94015 Piazza Armerina (EN)

Email
info@al-borghetto.com

Phone
+39 329 34 73 980

Tax Code
DFDRRT85L06G580E

Data relating to registrations in the hospitality facility registers:

CIN Code
IT086014C2CTVEC9IL

CIR Code
19086014C226802

The Data Controller is the natural or legal person who determines the purposes and means of the processing of personal data. To exercise your rights or for any information regarding the processing, you can contact us at the provided contact details.

2. Personal Data Collected

2.1 Online Booking Data

Through the booking form on the website, we collect the following data, voluntarily provided by the user:

  • First and last name

  • Email address

  • Phone number

  • Arrival and departure dates, number of guests, requested room type

This data is necessary to manage the booking request and allow staff to contact the user to confirm availability and finalize arrangements. Without this data, the request cannot be processed.

2.2 Online Check-in Data

If the booking is confirmed, the user can optionally complete the online check-in. In this case, the identification data required by Italian law (Art. 109 T.U.L.P.S.) is collected:

  • First and last name

  • Place and date of birth

  • Citizenship

  • Gender

  • Type of identity document, number, issuing authority, and date of issue

If the user does not complete the online check-in, the same data will be collected in person upon arrival at the property by the reception staff.

2.3 Browsing Data (Google Analytics)

The website uses Google Analytics 4, a statistical analysis service provided by Google Ireland Limited. This tool collects anonymous technical data on browsing (pages visited, session duration, general geographic origin, device type) to improve the website's functionality. The IP address is anonymized before any processing.

2.4 Technical Browsing Data

The servers hosting the website automatically record standard technical information (IP address, browser, operating system, requested pages, access times). This data is retained for cybersecurity needs and is deleted within 30 days.

3. Purposes of Processing and Legal Bases

Personal data is processed for the following purposes, each based on a specific legal basis pursuant to Article 6 of the GDPR:

Purpose Legal Basis
(Art. 6 GDPR) Detail Management of booking request Letter b) \u2013 performance of a contract The data is used to respond to the request and confirm the booking. Fulfillment of public security obligations (guest registration forms) Letter c) \u2013 legal obligation Transmission of guest identification data to the Police Headquarters via the Alloggiati Web portal (Art. 109 T.U.L.P.S.). Statistical analysis of web traffic Letter f) \u2013 legitimate interest Anonymous statistics via Google Analytics to improve the website. Cybersecurity Letter f) \u2013 legitimate interest Retention of access logs to prevent abuse.

Consent to data processing for contractual purposes (booking) is necessary to proceed with the booking itself. Processing for the fulfillment of legal obligations (check-in) does not require the data subject's consent, although they have the right to be informed as provided in this policy.

4. Retention Periods

Personal data is retained for the time strictly necessary for the purposes for which it was collected:

Booking Data
For the entire duration of the contractual relationship and up to 10 years from the conclusion of the stay, for any fiscal and accounting obligations.

Check-in Data (guest registration forms)
Raw data is deleted as soon as the transmission receipt from the Alloggiati Web portal is obtained. Transmission receipts are retained for at least 5 years.

Google Analytics Data
Aggregated and anonymous; retained according to the service settings (max 14 months by default in GA4).

Server Technical Logs
Deleted within 30 days of recording.

5. Communication and Transfer of Data

5.1 Internal Recipients

The data is accessible exclusively to authorized property staff (reception staff, administration), limited to what is necessary for the described purposes.

5.2 Public Security Authorities

Guest identification data is mandatorily transmitted to the competent territorial Police Headquarters via the State Police's Alloggiati Web telematic portal, pursuant to Art. 109 T.U.L.P.S. This communication occurs in fulfillment of a legal obligation and does not require the data subject's consent.

5.3 Google Analytics

Anonymous browsing data is processed by Google Ireland Limited (based in the European Union). Google may also process aggregated data on its servers in the United States, in compliance with the guarantees provided by the EU-US Data Privacy Framework. For more information: policies.google.com/privacy.

5.4 No Transfer to Third Parties

Personal data is not sold, transferred, or communicated to third parties for marketing or commercial profiling purposes.

6. Data Subject Rights

Pursuant to Articles 15\u201322 of the GDPR, each data subject has the right to:

  • Access: obtain confirmation of processing and a copy of their data (Art. 15)

  • Rectification: request correction of inaccurate or incomplete data (Art. 16)

  • Erasure (\"right to be forgotten\"): request deletion of data, except for legal obligations (Art. 17)

  • Restriction: request restriction of processing in certain cases (Art. 18)

  • Portability: receive data in a structured, machine-readable format (Art. 20)

  • Objection: object to processing based on legitimate interest (Art. 21)

  • Withdrawal of consent: at any time, without affecting the lawfulness of previous processing

To exercise your rights, you can contact the Data Controller at the email address: info@al-borghetto.com. The Data Controller will respond within 30 days of the request.

You may also lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it.

7. Cookies and Google Analytics

The website does not use proprietary profiling cookies or tracking cookies that require the user's prior consent.

Google Analytics 4 is used in anonymized mode (IP anonymization active, user reporting features disabled). In this configuration, processing is based on legitimate interest and does not require prior consent according to the guidelines of the Italian Data Protection Authority.

If advanced profiling features of Google Analytics are activated in the future, a cookie banner compliant with the Authority's provisions will be implemented, and this policy will be updated.

8. Data Security

The Data Controller adopts appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or accidental destruction. Measures include:

  • Encrypted connection via HTTPS protocol across the entire website

  • Access to data restricted to authorized personnel

  • Deletion of guest identification data after transmission to authorities

  • Regular backups and server infrastructure protection

9. Updates to This Policy

The Data Controller reserves the right to modify or update this policy at any time, including following regulatory changes. Updates will be published on this page with the revision date. We invite you to consult this page periodically.

Last revision
05/04/2026