Privacy Policy for the Processing of Personal Data pursuant to Art. 13 of Regulation (EU) 2016/679 (GDPR)

The Data Controller is Chiara Bertollo, residing at via G. Marconi 39, 36020 Pove del Grappa (VI), Italy, e-mail: attico41.bassano@gmail.com (hereinafter, the "Controller").

The Controller processes the personal data of guests and those requesting information regarding stays at "Attico 41 Grand View in the heart of Bassano," collected via the website, online booking portals, or direct contacts (e-mail, telephone, messaging).

Source of Data and Nature of Provision

Personal data are collected at the time of the request for information, booking, and registration at the accommodation facility. Providing data for the purposes referred to in lettera) is mandatory for the stay and legal requirements; without it, it will not be possible to use our services. Providing data for the purposes referred to in letters b) and c) is optional.

Purposes and Legal Bases of Processing

Personal data are processed by the Controller for the following purposes:

a) management of check-in, guest registration, calculation and payment of tourist tax, public security, and tax obligations;

b) facilitation of registration procedures for any future stays at the property;

c) sending commercial and promotional communications from the property via e-mail or telephone (e.g., offers, news, information on future stays).

For the purpose in letter a), the legal basis is Art. 6, par. 1, letter b) of the GDPR (execution of a contract and pre-contractual measures), as well as the fulfillment of legal obligations.

For the purposes in letters b) and c), the legal basis is Art. 6, par. 1, letter a) of the GDPR (consent of the data subject).

Processing Methods

The processing of personal data is carried out using manual and IT tools, with logic strictly related to the purposes indicated above and in a way that guarantees the security and confidentiality of the data, in compliance with the GDPR.

Parties Involved in the Processing

Data may be processed by subjects expressly authorized by the Controller and instructed on security measures for the protection of personal data. The Controller may use service providers (e.g., management software, IT providers, booking portals, accounting and tax consultants) acting as data processors pursuant to Art. 28 of the GDPR or as independent controllers, as the case may be.

Recipients of Personal Data

The data collected during registration and the stay may be communicated, within the limits of what is necessary, to:

• Public security authorities and other competent authorities, in compliance with current legislation (e.g., Art. 109 T.U.L.P.S. and related provisions);

• Financial administration and other public bodies, when required by law;

• Consultants and third parties for administrative, accounting, or legal requirements, within the limits of their respective competencies.

Transfer of Data to Non-EU Countries

Personal data are not transferred outside the European Union, except in cases where some service providers (e.g., platforms or IT providers) are based in non-EU countries. In such cases, the transfer will take place in compliance with Articles 44 et seq. of the GDPR (adequacy decisions, Standard Contractual Clauses, or other suitable guarantees).

Data Retention Period

Personal data are kept for a period no longer than necessary to achieve the purposes indicated above and in compliance with legal obligations. Specifically, data related to accounting and tax requirements are kept for the terms provided by civil and tax law; data processed based on consent (purposes b and c) are kept until the withdrawal of consent or, at most, for the time reasonably necessary to manage the relationship with the guest.

Rights of the Data Subject

As a data subject, the guest may exercise the rights provided for in Articles 15-22 of the GDPR at any time, including:

• Right of access to personal data;

• Right to obtain the rectification or updating of data;

• Right to obtain the erasure of data or the restriction of processing, in provided cases;

• Right to object to processing; • Right to data portability, where applicable;

• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Requests can be addressed to the Controller at the e-mail address attico41.bassano@gmail.com or the postal address indicated above.

The data subject also has the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) if they believe the processing violates applicable legislation.