Privacy Policy

MH srl, with registered office at Via Cantarana 7, VAT No. 03103040352, Tax Code 03103040352, contactable at margheritahomesrl@gmail.com (hereinafter, the “Data Controller”, “we” or “our”), in its capacity as data controller, wishes to inform its guests and customers (hereinafter, the “Data Subjects”) regarding the processing of their personal data in accordance with Legislative Decree No. 196/2003 (hereinafter the “Privacy Code”) as subsequently amended and supplemented, and with the European General Data Protection Regulation No. 679/2016 (hereinafter the “European Regulation”).

1 – The data we collect

The processing described in this Policy concerns the personal data of Data Subjects collected during the booking and provision of our hospitality services. The categories of personal data processed include the following:

  1. a) dati identificativi e di contatto dell’Interessato (es. nome, data e luogo di nascita, genere, indirizzo postale, numero di telefono, indirizzo e-mail, nazionalità, passaporto, visti o altri documenti d’identità);
  2. b) dati bancari, fiscali e di pagamento (es. coordinate bancarie, informazioni fiscali, numero di carta di credito/debito o altri dati relativi al pagamento);
  3. c) data relating to the stay/booking (e.g. information regarding the travel itinerary, tour group or activities);
  4. d) device data (e.g. IP address, proxy, timestamp, browser type, device type and operating system);
  5. e) data relating to intolerances, allergies or health conditions (e.g. information regarding food intolerances);
  6. f) any further personal data relating to the Data Subject, provided by the Data Subject to the Data Controller;

(hereinafter referred to collectively as the “Data”).

2 – How and where we collect the Data

We collect Data through the bookings and communications you send us. We also collect Data during your stay at our facilities.

If you send us or our service providers Data about other people (for example, if a customer makes a booking for another guest, such as a family member), you declare that you have the authority to do so, you authorise us to use such Data in accordance with this Policy, and you undertake to provide this Policy to the data subjects whose data is disclosed to the Data Controller prior to disclosure, in order to inform them of how their personal data will be processed.

3 – Purposes for which we process the Data

Data subjects’ Data will be processed for the following purposes:

  1. a) to enable you to make a booking, to perform the contract, to provide the requested services, to respond to requests for assistance and to protect our interests, including by sending formal reminders regarding overdue payments;
  2. b) to carry out administrative, accounting and tax-related activities;
  3. c) to speed up registration procedures in the event of subsequent stays at our facilities;

(the purposes set out above are collectively referred to as the “Contractual Purposes”)

  1. d) to comply with a legal or regulatory obligation, including the provision of information to the competent authorities.

(hereinafter referred to as “Legal Purposes”)

  1. e) to send promotional communications and updates on news and offers from the Data Controller, both via traditional communication channels such as post or telephone calls from an operator, and via digital communication tools such as email, chat, messages (SMS and other instant messages), subject to specific informed consent;

(hereinafter referred to as “Direct Marketing Purposes”).

  1. f) to carry out segmentation activities based on the Data Subject’s interests, tastes and needs in order to conduct commercial initiatives and send promotional communications, both via traditional communication channels such as post or telephone calls from an operator and via digital communication tools such as email, chat, messages (SMS and other instant messages), in line with the relevant preferences, subject to specific informed consent;

(hereinafter referred to as “Profiled Marketing Purposes”).

  1. g) to disclose the Data Subject’s Data to commercial partners belonging to the Data Controller’s network, such as those specified in paragraph 6 below, for the sending of promotional communications and for other commercial initiatives such as those indicated in point e);

(hereinafter referred to as “Third-Party Marketing Purposes”).

4 – Legal basis for the processing we carry out

The processing of Data is necessary for Contractual Purposes in order to enter into and perform the contract and, for Legal Purposes, is mandatory to comply with applicable legal requirements. Failure to provide the Data necessary for these purposes will make it impossible to receive bookings, enter into the contract and/or perform the contract.

The processing of Data for Direct Marketing, Profiling and Third-Party Marketing Purposes is not mandatory and is based on the specific consent given by the Data Subject for each processing operation, which they may freely withdraw at any time in accordance with the procedures set out below.

With regard to the Data referred to in paragraph 1 e), processing is based on the Data Subject’s consent to the processing of their special categories of data, which we will in any case process only to perform the contract and meet the Data Subject’s requirements. Such consent is not mandatory, but if not provided, the Data Controller will not be able to process such data and act on the Data Subject’s requests.

5 – Methods of data processing

In relation to the purposes set out above, the Data will be processed using both IT or other automated tools and on paper, and will be protected by appropriate measures to ensure the confidentiality and security of personal data. In particular, the Data Controller adopts appropriate organisational and technical measures to protect the Data in its possession against loss, theft, and unauthorised use, disclosure or alteration of the Data.

6 – To whom we may disclose the Data

For the purposes set out in paragraph 3, the Data Controller may disclose – in whole or in part – the Data of Data Subjects to the following categories of recipients:

  1. a) providers of services that are instrumental to or support those carried out by the Data Controller and therefore, by way of example but not limited to, catering, surveyors, consultants, lawyers, technology service providers, marketing agencies, banks, insurance companies and debt collection agencies;
  2. b) competent administrative or judicial authorities, upon legitimate request;
  3. c) business partners belonging to the Data Controller’s network who offer services complementary to those of the Data Controller, such as travel agencies, restaurants, car hire companies, wellness centres, etc.

Such recipients, depending on the circumstances, process the Data in their capacity as data controllers, data processors or persons in charge of processing. Some of the entities listed above may be located in countries outside the European Union or the European Economic Area. In such cases, the disclosure of the Data will take place in accordance with the provisions of the following paragraph.

7 – Transfer of Data abroad

In accordance with the applicable regulations, Data may be transferred abroad, including to countries outside the European Economic Area. Any transfer of Data to countries outside the European Economic Area will, in any event, take place in accordance with appropriate and adequate safeguards for the purposes of the transfer itself, pursuant to Articles 44 et seq. of the European Regulation, such as standard contractual clauses for data protection.

In any case, the Data Subject may obtain further information regarding any transfer of Data outside the European Economic Area by submitting a request to the Data Controller in the manner set out in the following paragraphs.

8 – How long we retain the Data

For Contractual and Legal Purposes, the Data will be retained for a period equal to the duration of the contract and for 10 years following its termination, except where retention for a longer period is required in the event of any disputes, requests from the competent authorities, or in accordance with applicable legislation. Any copies of identity documents are retained for the period strictly necessary to fulfil the legal obligation to report via the State Police portal and are subsequently deleted.

For Direct Marketing Purposes, the Data is retained for a period of 24 months from the date on which consent is given or renewed.

For Profiled Marketing Purposes, the Data is retained for a period of 24 months from the time of collection.

For Third-Party Marketing Purposes, the Data is retained for a period of 24 months from the date on which consent is given or renewed, it being understood that the retention and subsequent processing following disclosure to third parties will depend on those third parties, to whom the Data Subject may turn independently to exercise their rights.

Upon expiry of the retention period, the data will be deleted, anonymised or aggregated.

9 – Rights of Data Subjects

Without prejudice to the Data Subject’s right not to provide their Data, the Data Subject may, at any time and free of charge:

  1. a) obtain confirmation as to whether or not Data concerning them exists;
  2. b) be informed of the source of the Data, the purposes of the processing and the methods used, as well as the logic applied to processing carried out using electronic means;
  3. c) request the updating, rectification or – if they so wish – completion of the Data concerning them;
  4. d) obtain the erasure, anonymisation or blocking of any Data processed in breach of the law, as well as to object, on legitimate grounds, to the processing;
  5. e) withdraw their consent, where previously given, by sending a notice to the Data Controller;
  6. f) request that the Data Controller restrict the processing of Data concerning them in the event that (i) the Data Subject disputes the accuracy of the Data, for the period necessary for the Data Controller to verify the accuracy of such Data; (ii) the processing is unlawful and the Data Subject opposes the erasure of the Data and requests instead that its use be restricted; (iii) although the Data Controller no longer requires the Data for processing purposes, the Data is necessary for the Data Subject to establish, exercise or defend a right in court or out of court; (iv) the Data Subject has objected to the processing pursuant to Article 21(1) of the European Regulation pending verification as to whether the Data Controller’s legitimate grounds override those of the Data Subject;
  7. g) request the erasure of Data concerning them without undue delay;
  8. h) obtain the portability of Data concerning them.

Requests to exercise these rights may be submitted in writing to the Data Controller, who can be contacted at the email address indicated above.

The Data Subject shall also have the right to lodge a complaint with the Italian Data Protection Authority using the contact details available on the website www.garanteprivacy.it, where the conditions are met.

Pursuant to Article 2-terdecies of the Privacy Code, in the event of death, the aforementioned rights may be exercised by anyone who has a personal interest, or who acts to protect the Data Subject as an agent, or for family reasons worthy of protection. You may choose to expressly prohibit the exercise of some of the rights listed above by your successors by sending a written statement to the Data Controller at the email address provided above. The statement may be revoked or amended at a later date in the same manner.

10 – Changes and updates

This policy may be subject to change, with prior notice, including as a result of any regulatory amendments and/or additions.