top of page

PRIVACY & GDPR

Privacy Policy pursuant to Regulation (EU) 2016/679 (GDPR)

Pursuant to Articles 13 et seq. of Regulation (EU) 2016/679 (“GDPR”), this notice describes how the personal data of users who request information or make a reservation at Agriturismo Ai Tre Sentieri via website, email, telephone, messaging, or other direct channels are processed. The Data Protection Authority reminds that this notice must be provided before data collection; the GDPR also requires it to specify the data controller, purposes, legal basis, retention periods, recipients, and data subject rights.

1. Data Controller

Data Controller: Giorgia Zandomeni

Business: Agriturismo Ai Tre Sentieri
Address: Aurisina 108/C, 34011 Duino Aurisina (TS), Italy
Email: aitresentieri@gmail.com
Phone: +39 345 9223583
VAT No. / Tax Code: 01070370323
Certified Email (PEC): zandomenigiorgia@pec.it

2. Types of Data Processed

Depending on the case, we may process the following categories of personal data:

  • identification data, such as first and last name;

  • contact data, such as email address and phone number;

  • reservation-related data, such as stay dates, number of guests, special requests;

  • administrative and tax data, if necessary for invoicing or other obligations;

  • data contained in communications voluntarily sent by the user;

  • identity document data, collected at check-in exclusively to comply with legal obligations.

3. Purposes of Processing

Personal data are processed for the following purposes:
a) managing availability requests, quotes, and reservations;
b) managing the stay and communications with the guest before, during, and after the stay;
c) complying with legal, accounting, tax, administrative, and public security obligations;
d) protecting the rights of the data controller, including in out-of-court or judicial proceedings;
e) sending promotional communications or newsletters, only if the user has given specific consent.

4. Legal Basis for Processing

Processing is based, depending on the case, on the following legal grounds under the GDPR:

  • performance of pre-contractual measures requested by the data subject and/or performance of the accommodation contract;

  • compliance with legal obligations to which the data controller is subject;

  • legitimate interest of the data controller in organizational management, security, and protection of its rights, where compatible with the rights of the data subject;

  • consent of the data subject, where required, for example for marketing purposes. The Data Protection Authority and the GDPR require a clear and distinct legal basis for each purpose.

5. Nature of Data Provision

Providing data necessary to request information or make a reservation is optional, but failure to provide such data may make it impossible to respond to the request or complete the reservation.

Providing data required by law is mandatory.

6. Processing Methods

Data are processed using paper, IT, and electronic tools, in compliance with the principles of lawfulness, fairness, transparency, data minimization, and security set out in applicable legislation.

7. Data Recipients

Data may be disclosed, strictly as necessary, to:

  • accounting, tax, and administrative consultants;

  • IT service providers, hosting providers, booking engines, channel managers, email services, or technical support providers;

  • payment providers and banking institutions, if used for payments;

  • public authorities, entities, or parties to whom disclosure is required by law;

  • parties acting as data processors or authorized personnel.

8. Data Transfers Outside the EU

If certain providers used by the data controller involve transfers of data outside the European Economic Area, such transfers will be carried out in compliance with the safeguards provided by the GDPR.

9. Data Retention Period

Data will be retained for the time strictly necessary to achieve the purposes for which they are collected and, subsequently:

  • for the time necessary to manage the stay and related communications;

  • for the periods required by civil, tax, administrative, and public security laws;

  • until consent is withdrawn, for any marketing purposes based on consent.

10. Data Subject Rights

The data subject may exercise the rights provided by the GDPR, including:

  • access to personal data;

  • rectification of inaccurate data;

  • erasure, where provided by law;

  • restriction of processing;

  • objection to processing, where applicable;

  • data portability, where applicable;

  • withdrawal of consent, without affecting the lawfulness of processing carried out before withdrawal;

  • lodging a complaint with the Data Protection Authority. Data subject rights are expressly provided by the GDPR and also explained by the Authority.

To exercise their rights, the data subject may write to:
aitresentieri@gmail.com

11. Complaint to the Supervisory Authority

The data subject has the right to lodge a complaint with the Data Protection Authority, in accordance with the procedures indicated on the Authority’s official website.

12. Changes to This Policy

The data controller reserves the right to update this policy at any time by publishing the updated version on this page.

Last updated: 27/03/2026

bottom of page