This policy clearly and transparently explains how we process the personal data of guests and, more generally, of all those who visit or use the services offered by our sites.
This Policy is amended, supplemented or updated periodically, including in consideration of any changes in the applicable legislation or provisions of the Data Protection Authority and/or the European Data Protection Board. Data subjects are therefore invited to regularly consult this Policy, available on our websites and/or at the reception of our sites, to understand the latest updated version, ensuring that they are always informed about the methods of collection and processing of their personal data.
The Data Controllers are the following Companies (hereinafter jointly referred to as the "Data Controller" or "Palagina"):
Tiber S.r.l. with its registered office at Via Generale C. A. dalla Chiesa, 13 – 50136 – Florence (Florence), Tax Code: 01426880587 and VAT ID: 00995111002, which can be contacted at the following email address: [email protected]
The Data Protection Officer (DPO) can be contacted at the following email address: [email protected]
Società Agricola Le Driadi S.r.l. with its registered office at Via Di Norcenni 21 – 50063 – Figline e Incisa Valdarno (Florence), Tax Code: 05627800484 and VAT ID: 05627800484, which can be contacted at the following email address: [email protected]
The Data Protection Officer (DPO) can be contacted at the following email address: [email protected]
Below are the types of personal data processed within the limits of the purposes defined in this Policy:
Personal data provided by the data subject
During the stay/visit, the data subject may voluntarily provide the following personal data necessary to access the services offered at the sites:
Personal and contact data, such as their first name, last name, date of birth, nationality, address, telephone numbers, email addresses and any other data provided, for example, to make bookings and/or check in, to register for the Wi-Fi service, and to participate in other initiatives or events organised at the sites.
It should also be noted that, within the scope of the booking and/or check-in, the data subject may provide personal data relating to other persons (for example, travelling companions and accompanying minors, as well as the data of the parents/guardians of such minors, from whom the data subject has obtained specific written authorisation). In such cases, they are required to inform the data subjects about the processing of their personal data, including the type of data collected, the purposes and retention times, and the parties who may access it, as well as the methods by which they can exercise the rights provided for by the GDPR, including by sharing this Privacy Policy;
Data relating to bookings made, such as the booking number, the reference site, the occupied accommodation, the arrival and departure date, as well as data relating to the services/experiences/activities requested during the stay at the sites;
Purchase data, i.e. information relating to purchases made, such as the list of bookings made and the dates and amounts of such purchases;
Payment data, such as the credit/debit/bank card number (limited to the data necessary to identify/track the transaction, with the number partially obscured), including data relating to the means of payment (type of card) and the payment networks used;
Demographic data, such as the composition of the family unit or group;
Data that Human Company receives from other sources to perform its services, such as booking services;
ID and/or passport number;
Billing data, such as the tax code and VAT number required to issue the invoice;
Images.
Browsing data
In the event that the data subject uses the Wi-Fi Internet access service available at the sites, certain technical information relating to the hardware and software used by users may be automatically collected by the computer systems that allow the service to operate. The transmission of this information is implicit in Internet communication protocols. It may include, for example, the IP address, the domain name of the device used, the identifier of the requested resources (URI), the browser type and version, the presence of plug-ins, the identifier of the mobile device (such as the IDFA or Android ID), and further parameters relating to the operating system and the computing environment.
The personal data of the data subject is processed exclusively for the purposes described in this section, in compliance with the legal bases provided for by the GDPR.
Management of the booking and related services
The personal data of the data subject collected at the time of booking will be processed to allow the Data Controller to manage the booking at the sites and follow up on all associated requests, including those related to the ancillary and complementary services offered during the stay. This data is also used to send service alerts related to the booking and, more generally, to guarantee the guest the full use of the services during the entire period of stay on our site.
During the stay, the data subject may indicate any specific requests related to their desired services. The Data Controller invites the data subject not to communicate data belonging to special categories pursuant to Article 9 of the GDPR (for example: health information, such as the indication of diseases, allergies or food intolerances; requests related to reduced mobility or disability; membership of protected categories; religious beliefs associated with food preferences or service needs; data capable of revealing racial or ethnic origin; etc.); however, if they decide to provide said data, such data will be processed exclusively to process the request and only if strictly necessary for the management of the booking.
The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR) and, with regard to any special categories of data referred to above, the consent of the data subject (Article 9, paragraph II, point a of the GDPR). The provision of data is mandatory, as it is necessary to follow up on requests related to the booking, and failure to provide data could make it impossible to fully manage the booking and the requested services.
Check-In Service
The personal, contact and booking data, including the data contained in the passport or other identity document, will be processed by the Data Controller to allow the data subject to complete check-in at the site. This data will also be processed to verify the identity of the person who will be staying and to carry out all the activities necessary to provide the requested service.
In particular, the personal data contained in the passport or other identification documents will be shared with the competent public security authorities, limited to the information necessary for the Data Controller to fulfil the obligations referred to in Article 109 of Royal Decree no. 773 of 18 June 1931 (act consolidating the public safety laws, TULPS), in the manner established by the relevant decrees.
It should be noted that, in the case of minors accompanied by persons other than their parents/guardians, Palagina may request the presentation of written authorisation and a copy of the parent/guardian’s identity document. This copy will only be viewed in order to verify the veracity of the authorisation and will not be acquired or stored by the sites.
The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR) and the fulfilment of legal obligations (Article 6, paragraph 1, point c of the GDPR).
The provision of data is mandatory, as it is necessary to follow up on the activities related to the check-in service, and failure to provide data may make it impossible to satisfy the booking request at our sites.
Purchase of products or services at the sites
The contact data, payment data and, possibly, the billing data of the data subject will be processed by the Data Controller for all purposes related to the processing of purchases made at the sites and for the management of related orders, such as, for example, the receipt of any requests for information regarding the products and services purchased and/or reports, payment management, and providing assistance to the consumer.
The legal basis of the processing is the execution of pre-contractual/contractual measures pursuant to Article 6, paragraph I, point b of the GDPR. The provision of the data subject’s data is mandatory, as it is necessary for the processing and management of orders, and failure to provide the data may make it impossible to proceed with the purchase order.
Registration, booking and participation in experiences and events
The contact details, and, where required, the payment details of the data subject may be used to allow them to register and/or book and participate in the experiences at the sites and other events organised by Palagina.
The legal basis is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR). The provision of data is mandatory, as it is necessary for registration and participation in experiences and/or events, and failure to provide data may make it impossible to participate in such initiatives.
Data subjects are also informed that during the events organised at the sites, photos or video recordings may be made for promotional purposes, company communications or documentation of the activities carried out, as well as to enhance the image of the sites and services offered through publication on the website and on official social media channels.
When taking the images and video recordings, care will be taken not to directly capture the data subjects and to avoid, as far as possible, the recording of identified or identifiable subjects. The photos and videos will therefore be focused on environments, general contexts and details that do not allow for the identification of the people present.
If, due to the nature of the proposed event or activity, it is necessary to record or photograph participants in a recognisable way, the Data Controller will request the signing of a specific release in advance from the data subjects, through which they give consent to the processing of their image, in compliance with the GDPR and applicable legislation on image rights. In the absence of consent, the data subject will not be able to be filmed or, if this is not technically possible, the images will be obscured or rendered unidentifiable. In any case, the data subject may withdraw any consent given at any time, without prejudice to the lawfulness of the processing carried out before the withdrawal.
Use of the Wi-Fi service
The contact data of the data subject, together with the browsing data, will be processed by the Data Controller for all the purposes necessary to register for, access and use the Wi-Fi service available at the sites, as well as to guarantee the security of the network, i.e. for control and maintenance activities, if necessary.
The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph I, point b of the GDPR), as well as the legitimate interest of the Data Controller in ensuring the proper functioning and security of the Wi-Fi network, including with a view to improving the service (Article 6, paragraph 1, point f of the GDPR).
Video surveillance
The data subject’s personal data will be processed through the video surveillance system installed at the sites exclusively for the following purposes: to protect the safety of personnel, property, assets and persons within the sites; to prevent unlawful acts of any kind; and to facilitate the Data Controller’s right of defence in the event of any unlawful acts. The video recordings produced by the system may also be used to comply with orders issued by the judicial authority and/or the judicial police; to assert or defend a right, including by a third party; and, possibly, to complete the documentation accompanying claims forwarded to insurance companies.
The images are automatically captured when passing through or entering the premises subject to video surveillance, and the presence of cameras is indicated within the site by special signs placed near the cameras.
The video surveillance system has been installed in compliance with current regulations (including Article 4 of Law no. 300/1970) and the indications provided by the Italian Data Protection Authority (General provision on video surveillance of 8 April 2010).
The legal basis of the processing is the legitimate interest of the Data Controller in guaranteeing security within the sites and preventing illegal acts of any kind, as well as to ascertain, defend and exercise the rights of the Data Controller or third parties (Article 6, paragraph 1, point f of the GDPR).
Purposes related to the protection of rights, including those of the data subject
Personal data will be processed by the Data Controller to protect its rights, including with respect to any requests, or to take legal action, including with regard to claims made against it or third parties, as well as to prove that it has provided a response to any requests for the exercise of one or more of the data subject's rights.
The legal basis of the processing is the legitimate interest of the Data Controller in the protection of its rights (Article 6, paragraph I, point f of the GDPR).
Compliance with legally binding requests to comply with legal obligations, regulations or provisions/requests from the competent authorities, including supervisory authorities.
The personal data of the data subject may be processed to comply with a legal obligation and/or provisions/requests from the competent authorities, including supervisory authorities.
In this case, the legal basis is the fulfilment of legal obligations to which the Data Controller is subject (Article 6, paragraph I, point c of the GDPR).
Personal data is stored for different periods of time depending on the specific purpose for which it was collected. The retention periods are established in compliance with the principles of limitation and minimisation provided for by the GDPR, and the data is deleted or anonymised once the period associated with its processing purpose has expired.
Below are the retention periods for the different purposes listed above:
Managing the booking and check-in service: The data processed for the pursuit of these purposes will be stored for a period of time not exceeding 10 years from the booking or check-in date. In particular, the data relating to the passport or other identity document and the information contained therein, as collected in order to allow the Data Controller to fulfil its legal obligations, will be stored exclusively for the time strictly necessary for the fulfilment of the obligation relating to the communication of guests to the public safety authorities provided for by Article 109 of Royal Decree no. 773 of 18 June 1931 and subsequent amendments.
Purchase of products or services at the sites: The data processed for the pursuit of this purpose will be stored for a period of time not exceeding 10 years from the date of purchase.
Registration, booking and participation in experiences and events: The data processed for the pursuit of this purpose will be stored for a period of time not exceeding 10 years from the date of the experience and/or event, or in any case, the use of the service.
Use of the Wi-Fi service: Browsing data is stored for a maximum of 6 months from the last use.
Video surveillance: The images from the video surveillance system are stored by the Data Controller for a maximum period of 48 hours, after which the images will be automatically deleted.
Purposes related to the protection of rights, including those of the data subject: The data processed for the pursuit of this purpose will be stored for the entire duration of the related proceedings, and, in any case, for the time deemed reasonably necessary by the Data Controller for the protection of its rights, including in relation to the related limitation periods.
Fulfilment of legally binding requests to comply with legal obligations, regulations or provisions/requests from the competent authorities, including supervisory authorities: The data processed for the pursuit of this purpose will be stored for the entire duration of the proceedings before the competent authorities, in addition to the relevant limitation periods.
The processing is carried out using paper, IT and/or telematic tools, with organisational methods and logic strictly related to the purposes indicated, always in full compliance with the principles of lawfulness, fairness, transparency, minimisation, integrity, confidentiality and security provided for by the GDPR.
The processing is carried out in a suitable manner in order to guarantee data protection at every stage, from collection to storage, through to any deletion. The Data Controller adopts the appropriate security measures in order to prevent unauthorised access, disclosure, modification or destruction of personal data.
Only parties duly authorised and instructed by the Data Controller may have access to the data. In particular, for the performance of certain processing activities, Palagina may communicate the data to the following categories of external parties, who will process such data, depending on the role they play in relation to the processing, as independent data controllers or as data processors pursuant to Article 28 of the GDPR, if and within the limits of what is strictly necessary for the pursuit of the purposes described in this Policy:
- other companies in the Human Company Group;
- other consultants and external suppliers who carry out activities auxiliary to the purposes stated above, such as cloud service providers, IT providers or hosting providers; postal couriers; communication agencies that provide support in the organisation of events and/or experiences; travel agencies or tour operators; and companies that manage certain internal services at the site where the guest is staying (such as, for example, catering services, vehicle rentals, excursion or tour services, etc.);
- professional firms, especially where necessary for the protection of the Data Controller's rights;
- banks and credit institutions, insurance companies;
- third-party companies, including those working to promote products and/or offer services. In particular, for the provision of the Wi-Fi service, Palagina relies on the company AMG Srl (Corso Giacomo Matteotti, 42 – 10121, Turin (Turin) – VAT ID: IT12066830014); while for the check-in service it relies on the company GlobeID Limited (The Black Church, St. Mary's Place, Dublin 7 – Ireland) via the PassportScan app;
- parties who may access the data by virtue of a provision of law, regulation or EU legislation, within the limits established by these rules.
The updated list of data recipients is available by request to the Data Controller’s email address.
The Data Controller does not transfer personal data to countries outside the European Economic Area (EEA). If necessary, the data subjects will be informed in advance, and guarantee measures will be adopted for the transfer to the recipients, which, depending on the case, may entail: verification of the existence of adequacy decisions for the recipient country by the European Commission, signing of standard contractual clauses, and verification of the adoption of any additional measures in implementation of the EDPB Recommendations 01/2020.
The data subject’s personal data is not disclosed publicly.
Regulation (EU) 2016/679 (GDPR) grants data subjects specific rights. In particular, in relation to the processing of their personal data covered by this Policy, the data subject may exercise the following rights with respect to the Data Controller:
- the right of access: the data subject may request confirmation that data concerning them is being processed, as well as further clarification about the information referred to in this Policy (Article 15 of the GDPR);
- the right to rectification: the data subject may request to rectify or supplement the data provided, if it is inaccurate or incomplete (Article 16 of the GDPR);
- the right to erasure: the data subject may request that their data be erased if it is no longer necessary for the aforementioned purposes, in the event of withdrawal of consent or objection to processing, in the event of unlawful processing, or in case of a legal obligation to erase (Article 17 of the GDPR);
- the right to restriction: the data subject may request that the processing of their personal data be restricted in the event that they dispute its accuracy, for the time necessary to verify it, in the event of unlawful processing for which they oppose the deletion of their personal data; in the event that their personal data is necessary for the ascertainment, exercise or defence of a right in court; and finally, in the event of objection to the processing, pending verification that the legitimate reasons of the Data Controller Company take precedence over their own (Article 18 of the GDPR);
- the right to portability: the data subject may request to receive their data, or to have it transmitted to another Data Controller indicated by the former, in a structured, commonly used and machine-readable format (Article 20 of the GDPR);
- the right to object: the data subject may object at any time to the processing of their data, unless there are legitimate reasons to proceed with the processing that take precedence over their own, for example, the defence in court or exercise of rights of the Data Controller Company (Article 21 of the GDPR).
To exercise these rights, data subjects may contact the Data Controller Company at any time by sending a request to the email address shown in the table.
| Company | |
|---|---|
| Tiber S.r.l. | |
| Società Agricola Le Driadi S.r.l. | |
To ensure the correct handling of the request and data protection, the Company will verify the identity of the applicant before proceeding. Once the identity has been verified, the Data Controller will respond within 30 days of receipt of the request, except in complex cases that may require an extension, within the time limits provided for by law.
Users also have the right to lodge a complaint with the Data Protection Authority if they believe that the processing of their data violates current legislation. The Italian Data Protection Authority can be contacted via the telephone switchboard at +39 (0)6 696771, via email at [email protected] or via certified email at [email protected].
Last updated: 18/03/2026