Privacy Policy
Last updated: [12/02/2026]
1) Data Controller
Hotel Rio ***
Via delle Mimose, 13 – 17024 Finale Ligure (SV) – Italy
Tel. 019601726 – Fax 019601727 – Cell. 3343982404
P. IVA: 00387600091
Email privacy: [info@riohotel.it]
(hereinafter “Data Controller”)
2) Types of Data Processed
- Identification and contact data (first name, last name, email, phone number, address, etc.).
- Booking-related data (stay dates, preferences, requests, number of guests, any notes).
- Browsing data (IP address, logs, online identifiers, device and browser information).
- Data voluntarily provided through contact forms, information requests, email, phone calls, WhatsApp, etc.
- Payment data: if managed by external providers, the Data Controller does not store full card details (depending on the system used).
3) Purposes of Processing and Legal Bases
- Handling requests and quotations (responding to messages and information requests).
Legal basis: performance of pre-contractual measures / contract (Art. 6(1)(b) GDPR). - Booking and stay management (confirmations, operational communications, customer support).
Legal basis: contract (Art. 6(1)(b) GDPR). - Administrative, accounting, and tax obligations.
Legal basis: legal obligation (Art. 6(1)(c) GDPR). - Website security and abuse prevention (technical logs, protection against attacks, checks).
Legal basis: legitimate interest (Art. 6(1)(f) GDPR). - Marketing and newsletter (sending promotional communications, offers, events) – only if requested or authorized.
Legal basis: consent (Art. 6(1)(a) GDPR) or legitimate interest where permitted (soft spam, where applicable). - Statistics and measurement (analytics) and profiling/remarketing – if applicable.
Legal basis: consent through the cookie banner (Art. 6(1)(a) GDPR) for non-technical cookies.
4) Processing Methods
Data processing is carried out using electronic and/or paper-based tools, in compliance with the principles of lawfulness, fairness, and transparency, and by adopting appropriate security measures to protect the data.
5) Disclosure of Data to Third Parties
Personal data may be disclosed to third parties acting as Data Processors or independent Data Controllers, when necessary for the purposes indicated above, for example:
- IT and hosting providers, website maintenance, email services.
- Booking engine / channel manager (if used) for booking management.
- Payment service providers (if used) to process transactions.
- Consultants and professionals (accountant, legal advisor) for compliance and legal protection.
- Public authorities when required by law or by an order from the competent authority.
The updated list of Data Processors can be requested from the Data Controller using the contact details provided.
6) Transfers Outside the EU
Some service providers may process data outside the European Economic Area (EEA). In such cases, the transfer is carried out in compliance with Articles 44 et seq. of the GDPR (e.g., adequacy decisions, Standard Contractual Clauses, and supplementary measures).
7) Data Retention Period
- Information/quotation requests: for the time necessary to handle the request and, if no further action is taken, up to [X months].
- Bookings and contractual documentation: for the duration of the relationship and thereafter in accordance with legal obligations (e.g., accounting/tax requirements).
- Marketing/newsletter: until consent is withdrawn or a deletion request is submitted.
- Technical logs: for a limited period, usually up to 30 days, unless required for security purposes.
8) Data Subject Rights
At any time, the data subject may exercise the rights provided under Articles 15–22 of the GDPR, including: access, rectification, erasure, restriction, data portability, objection to processing, and withdrawal of consent (without affecting the lawfulness of processing based on consent before its withdrawal).
To exercise your rights: [info@riohotel.it]
9) Complaint to the Supervisory Authority
The data subject has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) (www.garanteprivacy.it) if they believe that the processing violates applicable laws.
10) Provision of Data
Providing data for inquiries and bookings is necessary in order to process requests and/or perform the contract. Providing data for marketing purposes is optional and takes place only with the user’s consent.
11) Cookies and Tracking Tools
The website may use technical cookies necessary for its operation and, subject to consent, analytics and marketing cookies. For more information, please refer to the Cookie Policy.
12) Minors
The services are not intended for individuals under the age of 16. If you believe that a minor has provided personal data, please contact the Data Controller to request its removal.
13) Property Identification Details
CTR: web360CTR 009029-ALB-0021
CIN: IT009029A1XS7R5LLW
14) Changes to this Privacy Policy
The Data Controller may update this privacy notice. Any changes will be published on this page, along with the updated revision date.