Privacy Policy
Information notice pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR) and applicable Italian data protection legislation.
1. Data controller
The Data Controller is Agriturismo La Cerra.
Email: info@agriturismolacerra.it
Telefono: +39 347 560 6462
2. Personal data collected
a) Online booking
When a user makes a booking, we collect:
- First and last name
- Email address
- Phone number
- Arrival and departure dates, number of guests, any notes
- Communication language preference
Payment card data is not stored on our servers: payment is handled entirely by Stripe, Inc. (see section 5).
b) Guest registration (check-in / Police Registration Form)
In compliance with Art. 109 of the Italian Public Safety Act (TULPS, R.D. 773/1931) and Ministerial Decree of 7 January 2017, we are required to report guest data to the Public Safety authorities. The check-in form collects:
- Last name, first name, sex
- Date and place of birth, province
- Citizenship and nationality
- Type, number and place of issue of identity document
- Arrival and departure dates
- Guest type and group composition
c) Browsing and cookies
The website collects technical browsing data and uses cookies. For details, please refer to our Cookie Policy.
d) Admin panel access
For staff users: email address and, if using credential login, password (stored in hashed form). When logging in via Google OAuth, we receive name, email and profile picture from the Google account.
3. Purposes and legal bases of processing
| Purpose | Legal basis (Art. 6 GDPR) | Retention |
|---|---|---|
| Booking management and accommodation service delivery | Performance of a contract (Art. 6.1.b) | 10 years from departure date (tax obligations) |
| Payment processing via Stripe | Performance of a contract (Art. 6.1.b) | As above; card data remains on Stripe |
| Guest data reporting to State Police (Alloggiati Web Registration Form) | Legal obligation (Art. 6.1.c) — Art. 109 TULPS | 5 years from reporting |
| Tourist tax calculation and payment (Municipality of Tempio Pausania) | Legal obligation (Art. 6.1.c) | 5 years from the relevant tax year |
| ISTAT C/59 form compilation | Legal obligation (Art. 6.1.c) | 5 years from reporting |
| Calendar synchronisation and sending confirmation / reminder / rejection emails | Performance of a contract (Art. 6.1.b) | Duration of booking + 10 years |
| Website security (anti-bot, rate limiting, fraud protection) | Legitimate interest (Art. 6.1.f) | Security logs: 90 days |
| Anonymous browsing statistics (Vercel Analytics) | Legitimate interest (Art. 6.1.f) | Aggregated data, not traceable to users |
4. Nature of data provision
Providing data for booking is necessary for the conclusion of the contract: failure to provide data will prevent completion of the booking.
Providing personal and identity document data at check-in is required by law (Art. 109 TULPS). Failure to provide data will prevent check-in.
5. Recipients and data processors
Personal data may be communicated to the following entities, each in their capacity as processor or independent controller:
| Entity | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA (standard contractual clauses) |
| Google LLC | Calendar synchronisation, OAuth authentication (staff only) | USA (standard contractual clauses) |
| Cloudflare, Inc. | Anti-bot protection (Turnstile) | USA (standard contractual clauses) |
| Vercel, Inc. | Website hosting, aggregate analytics | USA (standard contractual clauses) |
| Aruba S.p.A. | Transactional email sending (SMTP) | Italy |
| Police Headquarters / State Police | Guest Registration Form (legal obligation) | Italy |
We do not sell, exchange or transfer personal data to third parties for marketing purposes.
6. Data transfers outside the European Economic Area
Some of the processors listed in the previous section are based in the United States. Transfers are made on the basis of standard contractual clauses approved by the European Commission (Art. 46.2.c GDPR) or adequacy decisions (EU-US Data Privacy Framework, where applicable).
7. Security measures
We adopt appropriate technical and organisational measures to protect personal data, including:
- HTTPS connections with HSTS preload across the entire website
- Payment card data does not pass through our servers (Stripe PCI DSS Level 1)
- Passwords stored in hashed form (bcrypt)
- Rate limiting and anti-bot protection (Cloudflare Turnstile)
- Admin panel access restricted to authorised users with multi-provider authentication
- Personal data masking in application logs
- HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options)
8. Data subject rights
Pursuant to Articles 15-22 of the GDPR, the data subject has the right to:
- Access — obtain confirmation of the existence of their data and receive a copy
- Rectification — correct inaccurate or incomplete data
- Erasure — ("right to be forgotten") — request deletion, subject to legal obligations
- Restriction — request restriction of processing in certain circumstances
- Portability — receive their data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
To exercise your rights, simply write to info@agriturismolacerra.it. We will respond within 30 days.
You may also file a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (www.garanteprivacy.it).
9. Data of minors
We do not knowingly collect data from minors under 16 without the consent of a parent or guardian. Personal data of minor guests is collected solely to fulfil the legal obligation of reporting to Public Safety authorities (Art. 109 TULPS) and is provided by the responsible adult.
10. Changes to this notice
We reserve the right to update this notice. Changes will be published on this page with an indication of the last update date.
Last updated: May 30, 2026