PRIVACY POLICY EU Regulation 2016/679, Legislative Decree 196/03, as amended by Legislative Decree 101/18 as well as other current regulatory provisions regarding the protection of personal data This privacy policy applies to all information we collect and is written in accordance with articles 13 and 14 of EU Regulation No. 679/2016. Our main priority is to offer you pleasant and high-quality stays. Your complete satisfaction and trust are fundamental to us. For this reason, we have created this privacy policy, which formalizes our commitment to you and explains how we use your personal data. This document describes in a clear and understandable way how we process and use your personal data, including information on how to contact us. The data controller, present in our facility, may provide additional privacy information that specifies how we collect and process data, and which, together with this Privacy Policy, forms the basis for the processing of your personal data. We ask you to read this Privacy Policy carefully. By providing your personal data and other information through our services, you agree that your data will be processed according to the terms of this Privacy Policy. If any part of this Privacy Policy is not acceptable, we invite you not to use our services and not to provide your personal data. This Privacy Policy is written in Italian and may be translated into other languages. In case of discrepancies between the versions, the Italian version will prevail. ________________________________________ 1) DATA CONTROLLER Deborah Valente Srl, in the person of the legal representative pro-tempore Piazza V. Veneto, 06 – 89861 Tropea (VV) Tel: +39 0963 62100 – Fax: +39 0963 605956 PEC: deborahvalentesrl@pec.it – Email: amministrazione@valentour.it 2) DATA PROTECTION OFFICER (DPO) Nicholas Viscomi c/o Deborah Valente Srl | Piazza V. Veneto, 06 – 89861 Tropea (VV) Email: infoviscomi@gmail.com | Mobile: +39 393 05 91 327 3) CONSENT "Personal data" means any information collected and stored in a format that allows the data subject to be identified directly or indirectly. This information may include, for example, the name (for direct identification) or the telephone number (for indirect identification). Before providing us with your data, we invite you to carefully read this document, which describes our privacy policy. This information on the protection of personal data is part of the general conditions applicable to all services offered by the data controller. By accepting these conditions, you expressly accept the provisions contained in this information. 4) THE PRINCIPLES ADOPTED FOR THE PROTECTION OF PERSONAL DATA The principles set out below are applicable within the corporate sphere of Deborah Valente Srl. * Transparency: when collecting and processing your personal data, we will provide you with all the relevant information and inform you of the purposes and recipients of the data. * Legitimacy: we will collect and process customers' personal data only for the purposes described in this notice. * Relevance and accuracy: We will only collect personal data that is necessary for the relevant processing and will take all reasonable steps to ensure that the personal data we hold is accurate and up to date. * Retention: We will retain customer personal data for as long as is necessary for the processing in accordance with the law. * Access, rectification, opposition: you have the right to access your data, as well as modify, correct or delete them. You also have the right to oppose the use of your personal data, in particular to avoid receiving commercial information (marketing). * Confidentiality and security: we will ensure that reasonable technical and organizational measures are in place to protect your personal data from accidental or unlawful alteration or loss or from unauthorized use, disclosure or access. * Sharing and international transfer: We reserve the right to share your personal data with third parties (for example, business partners and/or service providers) for the purposes set out in this policy and we will take appropriate measures to ensure the security when sharing or transferring such data. 5) TYPES OF PERSONAL DATA COLLECTED In various situations, as our customer, we may ask you for information about yourself and/or your family members, carers or other people associated with you. This information may include: > Contact information (e.g., last name, first name, telephone number, email address); > Personal information (e.g. date of birth, nationality); > Information about any children (e.g., name, date of birth, age); > Arrival and departure dates; > Payment and billing information, such as your credit card number, other payment account number, billing address, and other payment-related details; > Data necessary to satisfy specific requests, such as, for example, health conditions that require specific accommodation. Furthermore, the data controller may collect identifying data from third-party sources, such as: > Social media; > Affiliated organizations or other third parties. If you voluntarily provide us with identifying information, such as your health information, we will use this information only to fulfill specific requests (for example, for health-related needs that require specific accommodations or dietary needs, such as allergies or other medical conditions). By providing this data, the user expressly consents to the collection, use, processing and storage by the data controller, in accordance with this privacy policy. Regarding information about persons under the age of 18, we only collect the name, surname, nationality and date of birth. This information can only be provided by an adult or a person with parental responsibility. We kindly ask you to ensure that your children do not provide us with personal information, especially via the Internet, without your consent. If this happens, you can contact us to provide us with the necessary instructions to delete this information. We do not knowingly collect sensitive data, such as data relating to race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health status or sexual orientation. However, if necessary to offer an adequate service (for example, for specific diets), we may collect such information with the explicit consent of the user. 6) SPECIAL DATA The term "special data" refers to information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data used to uniquely identify a person, and data concerning health, sex life or sexual orientation of the person. Generally, we do not collect this sensitive data unless you provide it to us voluntarily or we are required to do so in accordance with applicable laws or regulations. In the event that you voluntarily provide us with personal data that fall into this category (as specified in art. 9 of the GDPR), we inform you that such data will be treated with the utmost confidentiality by our authorized personnel, in compliance with current regulations. To ensure your safety and privacy, we invite you to communicate any information regarding pathologies, allergies, intolerances, etc. directly to our reception staff, by filling out the appropriate form provided. This form will be destroyed securely by an authorized person no later than three days after your check-out, using a shredder. 7) WHEN PERSONAL DATA IS COLLECTED Personal data may be collected on various occasions, including: a) Tour operator services: * Request for quotes; * ticket issuing; * flight, train, NCC, cruise, stay reservations, etc.; * management of payment services; * vehicle rental with driver; * estimate and sale of the package and/or tourist service; * data processing activities for administrative and accounting purposes, customer assistance, etc.); * requests for information, complaints and/or disputes. b) Hotel activities: * Request for quotes; * ticket issuing; * reservations; * management of payment services; * vehicle rental with driver; * estimate and sale of the package and/or tourist service; * data processing activities for administrative and accounting purposes, customer assistance, etc.); * booking a room; * booking of stay; * check-in and payment; * consumption of meals and drinks at the accommodation facility's bar or restaurant during a stay; * requests for information, complaints and/or disputes. c) Commercial activity (marketing): * participation in satisfaction surveys (for example, completing a satisfaction questionnaire following a hotel stay) – even anonymously; * newsletter subscription, to receive commercial promotions via email. d) Transmission of information from third parties: * tour operators, travel agencies, booking systems and so on. e) Internet activities: * connection to Deborah Valente Srl websites (IP address, cookies); * information, registration - newsletter subscription - contact request - booking confirmation - comment insertion forms; * online data collection forms (request for quotes and/or online booking, Deborah Valente Srl pages on social networks, network access devices such as Facebook access data and so on). 8) PURPOSE OF THE PROCESSING User Data is collected to allow the Owner to provide the requested Service, comply with legal obligations, respond to requests or executive actions, protect their rights and interests, identify any malicious or fraudulent activity, etc. Specifically, we collect your personal data in order to: > Fulfill our obligations to our customers. > Acceptance of your request to benefit from the guarantee pursuant to art. 50 of Legislative Decree no. 79/2011 (Tourism Code); > Comply with current administrative, accounting and tax obligations. > Comply with legal obligations in general, including the obligation set forth in the “Consolidated Law on Public Safety” (art. 109 RD 18.6.1931 n. 773) which requires us to communicate to the Police Headquarters, for public safety purposes, the personal details of guests staying in the accommodation according to the procedures established by the Ministry of the Interior (Decree of 7 January 2013). > Fulfil the obligations set forth in the tourist tax (art. 4 of Legislative Decree 14 March 2011, n. 23). > Manage requests for quotes, various information. > Manage the requested services: > Reservations and organization of the stay > Subscription to the insurance policy (mandatory and/or voluntary) > Manage room reservations and accommodation requests: e.g. creation and storage of legal documents > Manage the stay of customers at our facilities: e.g. monitoring the use of services (e.g. telephone, bar, pay TV, etc.), managing access to rooms, internal management of lists of customers who have behaved inappropriately during their stay at the facility (aggressive and antisocial behavior, failure to comply with the contractual terms of the facility, failure to comply with safety regulations, theft, damage and vandalism or problems with payment). Improve our services, in particular: processing of your personal data for commercial activities (marketing); adapting our products and services to better meet your needs; Manage the relationship with customers before, during and after your stay: providing data for the customer database; sending newsletters, promotions and tourist, hotel or service offers; managing requests to unsubscribe from newsletters, promotions, tourist offers; assessing the right of opposition and other rights provided for by the GDPR; use of a dedicated telephone service to search for people staying at the data controller's facilities, in the event of events that have an impact on the facilities in question (natural disasters, terrorist attacks, etc.). > Improve the data controller's services, in particular: conducting surveys and analyzing customer questionnaires and comments (also anonymously); managing claims/complaints. > Protect and improve the use of the data controller's website, in particular: improving navigation; adopting security measures and preventing fraud. > Comply with local legislation, for example regarding the retention of accounting documents. Further information can be obtained, upon request, by contacting the Data Controller at the contact details indicated in this information notice. 9) AUTOMATED DECISION-MAKING The data controller does not carry out processing based on an automated decision-making process based on profiling. 10) PROFILING No processing relating to the Profiling purpose will be carried out. 11) DIRECT MARKETING The processing of data for marketing purposes is aimed at sending promotional communications, newsletters, marketing and market research. This can be done both through automated tools (SMS, MMS, email, push notifications, fax) and non-automated tools (paper mail, telephone calls with an operator). The Data Controller collects only one consent for these purposes, as established by the "Guidelines on promotional activities and the fight against spam" of the Guarantor for the Protection of Personal Data (4 July 2013). If you wish to object to the processing of your data for marketing purposes or withdraw the consent already provided, you may do so at any time by contacting the Data Controller at the contact details indicated in this policy. The withdrawal will not affect the lawfulness of the processing carried out before the withdrawal. Processing for marketing purposes will be carried out directly by the Data Controller or through authorised persons or external parties appointed as Data Processors. Providing data for marketing purposes is optional. To receive our "newsletter" from the site, you will need to give your consent by selecting the appropriate box. Failure to provide consent will not affect obligations already undertaken or to be undertaken. The legal basis of the processing, as provided for by Article 6 of Regulation (EU) 679/2016, is the consent of the interested party for one or more specific purposes. The interested party has the right to withdraw consent at any time, without prejudice to the legitimacy of the processing carried out before the withdrawal. 12) MARKETING SOFT-SPAM The email address provided in the context of purchasing a product and/or service offered and sold directly by the Data Controller may be used to allow the same to carry out direct sales of similar products or services (and therefore send promotional communications via email to the user regarding such products and/or services) without their consent, provided that the user does not exercise the right to object in the manner indicated in this Privacy Policy. The collection of your data by the Data Controller is necessary in order to pursue their legitimate interest. Your data may be shared with authorized personnel of the Data Controller and/or relevant service providers with whom a contract has been established and who have been appointed as data processors if necessary. The legal basis for the processing as provided by Article 6 of Regulation (EU) 679/2016 is: * paragraph f): the processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or rights and freedoms of the data subject, which require the protection of personal data, do not prevail, particularly if the data subject is a minor. 13) LEGITIMATE INTEREST OF THE DATA CONTROLLER > Acceleration of registration. The Data Controller may use your personal data to simplify and speed up registration procedures for subsequent stays at the facilities managed by the Data Controller. > Commercial offers. The Data Controller may send you commercial communications regarding products and/or services similar to those you previously purchased (so-called "soft spam") via email. > Satisfaction questionnaires. The Owner may send you a satisfaction questionnaire regarding the services received (customer care) during or at the end of your stay, via email, regular mail or other channels. The questionnaire will include questions aimed at gathering your opinion, as well as suggestions for improving hotel tourist services. > Response to positive and negative reviews and defense against false and/or damaging reviews. The Data Controller may process your personal data, limited to what is necessary, to respond to reviews, both positive and negative, and to defend against false, defamatory or potentially damaging reviews. To this end, the Data Controller may adopt appropriate protection measures, which include, for example: requesting removal of the review on the publication platform, the possible exercise of legal action with the competent authorities, or the publication of a reply to protect the image and reputation of the facility. If necessary, the data processing will be limited and aimed exclusively at protecting the integrity and reputation of the Data Controller. > Sending informative newsletters. The data controller may send newsletters containing useful, relevant and interesting information for guests, with the aim of maintaining a transparent and constant communication channel. Such newsletters may concern updates on the services offered by the area, special events (parties, anniversaries, etc.), and other communications that can enrich the user's experience and keep them informed on the most recent developments in the area in which the activity is concentrated. The sending of informative newsletters is based on the assumption that the information shared has value for the user, thus contributing to a continuous and profitable relationship between the data controller and the recipients. Furthermore, it will always be possible for the user to update or modify the possibility of receiving such newsletters or not. "The data subject may object to such processing at any time. The legal basis that justifies the aforementioned purposes is the legitimate interest of the controller [Art. 6, para. 1, letter f) GDPR]." The Data Controller has prepared a Legitimate Interest Impact Assessment (LIA) to justify the processing of data in these circumstances. The legal basis for the processing of data in these cases lies in the legitimate interest of the Data Controller, pursuant to Article 6, par. 1, letter f) of the GDPR. The interested party has the right to object to these treatments at any time, by contacting the Data Controller using the channels of this privacy policy. 14) METHODS OF PROCESSING THE COLLECTED DATA The Owner adopts appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of Personal Data. Processing is carried out using paper, computer and/or telematic tools, with organizational methods and logic strictly related to the purposes indicated. 15) LEGAL BASIS FOR THE PROCESSING The Data Controller processes Personal Data relating to the User if one of the following conditions exists: > the User has given consent for one or more specific purposes; > processing is necessary for the performance of a contract with the User and/or for the execution of pre-contractual measures; > processing is necessary to fulfill a legal obligation to which the Data Controller is subject; > processing is necessary for the pursuit of the legitimate interest of the Owner or third parties. It is always possible to ask the Owner to clarify the specific legal basis of each treatment and in particular to specify whether the treatment is based on the law, provided for by a contract or necessary to conclude a contract. 16) MANDATORY OR OPTIONAL NATURE OF PROVIDING DATA AND CONSEQUENCES OF FAILURE TO PROVIDE The provision of data necessary for the execution of the contract, the request for quotes and/or information, and to fulfill legal, fiscal, accounting, administrative obligations, etc., is mandatory. Failure to provide such data may prevent the owner from providing you with the requested services. The provision of data for marketing activities, however, is always optional. Failure to provide such data will not affect the ability to access the site's features or make requests for information, reservations, etc. Users who have doubts about which data is mandatory are invited to contact the Owner for clarification. 17) CONDITIONS FOR ACCESS TO PERSONAL DATA BY THIRD PARTIES To ensure your right of access and modification, we are required to share your personal data with internal and external recipients, subject to the following conditions. Within the company, in order to provide you with the best service, we reserve the right to share your personal data, allowing access to authorized personnel, including: > hotel staff and partners; > reservations staff using the reservation tools; > IT departments; > Rental services company for transport vehicles, shuttles, etc. > business partners and marketing services; > medical services, if applicable; > legal services, if applicable; > in general, any subject (internal/external) in charge/authorised of the processing of specific categories of personal data. Regarding service providers and partners: your personal data may be sent to third parties for the purpose of providing you with services and improving your stay and our services. Such suppliers and partners include, but are not limited to: > External service providers: ITC companies, call centers, banks, credit card issuers, lawyers, couriers, postal services, hosting providers, IT companies, communication agencies. Our service providers are contractually bound to protect your personal data and not to use or share it unless required by law. Third parties are designated, if necessary, as Data Processors by the Owner. The updated list of Data Processors can always be requested from the Data Controller. Local authorities: the data controller may also be required to send your information to local authorities if required by law or in the context of an investigation and in accordance with local regulations. In the event of any corporate reorganization, merger, sale, assignment, or other transfer of ownership of all or a portion of the business, including in connection with bankruptcy proceedings, the owner may transfer all data collected in accordance with this Policy. Furthermore, the data controller may make available web services (for example, forums and blogs) through which the User/Guest/interested party may publish information and material on the Site. In this case, please pay attention to the possibility that any data disclosed through such services may become publicly accessible as they are available to visitors to the site and to the general public who may use them for any purpose. In all of this, it is advisable to use discretion when disclosing any personally identifiable information or any other information through such web services. 18) TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS Your personal data is processed by the data controller within the European Union and is not disclosed. The data is processed at the Data Controller's operating offices and in any other place where the parties involved in the processing are located. For further information, you can contact the Data Controller. 19) DATA SECURITY The data controller shall adopt appropriate technical and organizational measures, in accordance with applicable laws, to protect your personal data against unlawful or accidental destruction, accidental loss or modification, as well as against unauthorized disclosure or access. To ensure security, technical measures (such as firewalls) and organizational measures (for example, a user access system via identifier and password, physical protection solutions, etc.) have been implemented. When you submit your credit card information to make a hotel reservation, the security of the transaction is ensured by SSL (Secure Socket Layer) encryption technology. Please note, however, that the security of email communications cannot be completely guaranteed. Therefore, in email correspondence with the data controller, we recommend that you do not send payment data or special information. 20) PLACE OF TREATMENT The processing of data related to the Data Controller’s services is carried out at the Controller’s premises and/or at the premises of the specifically designated external Data Processors. Such processing is performed by authorized internal personnel, with the possible support of third parties appointed as external Data Processors. No data is disclosed. Personal data provided by users accessing the web services available in the interactive areas of the website (e.g., quote requests, bookings, newsletter subscriptions) will be used exclusively for the purposes previously communicated. 21) DATA SHARING When you browse our websites and use the booking service, your information will be shared with the service provider, such as: > be.bookingexpert.it/......: by browsing our websites, using the “book” service, your information will also be shared with the service provider. This information may include personal data such as your name, your contact details, your payment details, the names of the guests traveling with you and the preferences you specified at the time of booking > valentourb2c.netstorming.net/it…..: by browsing our website, using the “book” service: and your information will also be shared with the service provider. This information may include personal data such as your name, your contact details, your payment details, the names of guests traveling with you and the preferences you specified at the time of booking. Other Service Providers: We work with third-party companies that handle your data on our behalf, under specific confidentiality agreements. For example, we may use these providers to: > Manage your booking and payments: on our website you can pay for your booking by choosing between different options (credit cards, MyBank, BPay). In this case, you will be directed to an external page to complete the payment (example: https://ecomm.sella.it/pagam/), where you will be asked for personal data such as the cardholder, card number, expiration date, security code, email, bank name, and telephone number. > Send marketing materials, etc. 22) VIDEO SURVEILLANCE The video surveillance system records images of people and objects in the area covered by the cameras, in order to guarantee company security, prevent crime and protect assets. The processing is based on the legitimate interest of the Data Controller (art. 6.1.f of the GDPR). The data may be communicated to public authorities, if necessary, but are not transferred abroad. The cameras record 24/7 and the images are protected by security measures to prevent unauthorized access. Data subjects may exercise the rights of access, opposition, limitation and cancellation. The rights of rectification (art. 16) and portability (art. 20) do not apply, as the images represent objective data that cannot be modified or transferred. The images are stored for a limited period; once this period has expired, access requests cannot be accepted. The provision of data is mandatory to access the premises: otherwise, access will not be permitted. 23) DATA STORAGE We will retain your personal data only for as long as necessary to achieve the purposes described in our privacy policy and in accordance with the law. > Contractual data: They will be kept for 10 years after the end of the contract, unless there is a need to keep them to defend the rights of the owner. > Data for legitimate interest: They will be stored for 5 years. > Data for legal obligations: They will be retained only for the time necessary to comply with the obligations established by law. > Digital receipts of dispatch: They will be kept for 5 years, in digital or paper format. > Marketing data: They will be stored for 24 months or until the consent is revoked. After the revocation, the data will no longer be used and will not be stored further. > Video camera images: They will be stored for the maximum authorized time, unless there are special needs (for example requests from the authorities). After this period, the images will be overwritten. When the retention periods have expired, the data will be deleted, destroyed or made anonymous, compatible with technical procedures. After deletion, it will no longer be possible to exercise the rights of access, deletion, rectification or portability of the data. However, in some cases, the law may require further retention of the data. 24) RIGHTS OF THE INTERESTED PARTY The interested party has the right to ask the data controller and/or the data protection officer, access to personal data concerning him/her, the rectification or erasure of the same, the limitation of processing, the portability of data, has the right to object to processing, has the right to object to profiling, to lodge a complaint with a supervisory authority. The interested party has the right to withdraw consent at any time without prejudice to the lawfulness of processing based on consent given before withdrawal. For a complete and exhaustive list of the rights that can be exercised by the interested party, please refer to articles 15 et seq. of GDPR 2016/679. It is possible to exercise these rights by contacting the Data Controller and/or the Data Protection Officer through the channels indicated in this information. Upon request, a specific form prepared by the Owner for the exercise of rights is available. 25) ACCESS AND MODIFICATION You have the right to access your personal data collected by Deborah Valente Srl and to modify them, subject to the applicable legal provisions. You can also exercise the right to object by writing to the address indicated below. If you encounter difficulties in exercising these rights, we invite you to contact the data controller and/or the data protection officer using the channels indicated in this information notice. 26) METHODS OF PROCESSING PERSONAL DATA The processing of your personal data will take place, in compliance with the provisions of the GDPR, using paper, computer and telematic tools, with logic strictly related to the purposes indicated and, in any case, with methods suitable to guarantee their security and confidentiality in compliance with the provisions of Article 32 GDPR. 27) COMPLAINT Pursuant to Regulation (EU) 2016/679, you have the right to lodge a formal complaint with the Guarantor Authority (art. 77) according to the methods indicated on the Authority's website at the address: * https://www.garanteprivacy.it/home/modulistica-e-servizi-online either to propose a judicial appeal (art. 79). 28) CONTACT US For any questions about our Policy or how the data controller manages your personal data, contact us by email at 📧 PEC: deborahvalentesrl@pec.it – Email: amministrazione@valentour.it or by post at: Deborah Valente Srl, Piazza V. Veneto, nr 06, 89861 Tropea (VV), Italy. 29) UPDATES We reserve the right to update this policy periodically. We therefore invite you to consult it regularly. Changes to this Policy will be effective upon publication. By continuing to use the Site after the publication of changes, you accept the new version of the Policy. (Privacy Policy updated to: 04.07.2025)