Privacy Policy

GUIDELINES AS PER ART. 13 AND 14
EU REGULATION 2016/679

Data subjects
Website users

Personal data processing
Hereby are described the website's management procedures www.divinaluxuryhotel.com, whose owner is Gate s.r.l.. These guidelines are drafted in accordance with art. 13 of the regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data. These guidelines are drafted for Divina Luxury Hotel website and not for other websites that users may access through their links.

Data controller
Following the consultation of this website, data referring to identified or identifiable persons can be processed.
Data controller: Divina Luxury Hotel - Via Aurora, 29 - 00187 - Roma - email: direzione@divinaluxuryhotel.com, Business name: Gate s.r.l. legally registered in Via Ghibellina, 110 50122 Firenze (Fi).

Place of data processing and recipients
The processing relating to the web services of this website take place in ITALY at server farms "Server Farm DATA4 GROUP Via Monzoro, 101-105 - 20007 Cornaredo (MI). These entities are suppliers of Titanka! (primary processor) Spa, which has its registered office in Strada degli Angariari, 46 47891 Falciano RSM, and which carries out website maintenance and management operations.

Type of data processed

• Browsing data
Software applications designated for Divina Luxury Hotel's website correct functioning acquire certain personal data submitted via secure protocols. Such data are not collected to be associated with identified individuals but may allow users to be identified through data processing and cross-checking with other data possessed by third parties. This category of data includes IP addresses, browser's identifier (user agent), URI (Uniform Resource Identifier) addresses of resources requested, the request time, the method used in submitting the request to the server, the numerical code indicating the status of the server response (e.g. successful, unsuccessful) and other parameters relating to the operating system and the user's IT environment. These data are used solely for extracting anonymous statistical information on the use of the website to check its correct functioning.
• Data voluntarily supplied by the user
To access some of the services available on Divina Luxury Hotel's website, the optional and voluntary insertion of certain identification data may be requested (email, name, contacts, and information needed to provide the required service).

Purposes and lawful basis

• Service provision
Personal data supplied by users making use of the services provided by Divina Luxury Hotel (i.e.: through web browsing, form filling for various requests) are used for the sole purpose of carrying out the service or performance required. The lawful basis for the processing is the fulfillment of pre-contractual conditions to fulfill your request.
• Further communication following a stay
Following the purchase of a stay, Divina Luxury Hotel shall forward to the user further communication, including those of a commercial nature, regarding its services. The aforementioned lawful basis of the processing is the legitimate interest of the data controller (cons. 47 GDPR).
• Direct marketing
In case of specific consent (by subscribing to the newsletter), Divina Luxury Hotel shall send via email information on new products, promotions, and other special offers. The user will be entitled to deactivate the service at any time through the dedicated procedure and/or methods indicated below for the exercise of his/her rights. The lawful basis for the processing is the user's consent. Specific explanatory information, if needed, will be published or shown on the website pages used for further specific services on request.

Data storage period
The data storage period is defined by the purposes of the requested service and for a further period of 36 months. Should the requested information be part of an online transaction, such data shall be stored for economic or fiscal accounting purposes for a period of 10 years. As regards technical data managed by the website, such as cookies, the storage period is defined according to the cookies' technical characteristics as specified in the table "List of cookies". The storage period of personal data will be automatically extended for a further period of 36 months whenever a new consent to the processing of personal data is given and/or every time users access the services provided by entering their own login credentials (e.g. Login personal account).

Optionality of data provision
With the exception of what has been specified regarding browsing data, the user is free to supply to Divina Luxury Hotel the personal data requested to benefit from the services provided through the website. Failure to provide data relating to the fields marked by the asterisk (mandatory) will result in the impossibility to access such services.

Processing procedures and safety
The processing of personal data occurs via information systems designed to guarantee data safety and privacy in compliance with the appropriate safety measures pursuant to art. 32 GDPR, via secure communication protocols with SSL encryption algorithms.
Your personal data will be processed in accordance with the aforementioned laws and privacy obligations in effect. Good practices are defined by the Italian Data Protection Authority's provision "Guidelines on Marketing and against Spam - July 4, 2013" (published in the Official Gazette no 174 on July 26, 2013), Guidelines on Personal Data Processing for online Profiling - March 19, 2015, and Guidelines on Automated individual decision-making and Profiling for the purposes of the EU Regulation 2016/679.

Data transfer to non-EU countries and guarantees of adequacy
The service provider in charge of hosting, maintenance, and management services for the Divina Luxury Hotel website is Titanka!, a web agency located in San Marino, a non-EU country that has adopted the European framework on personal data processing by adopting the December 21, 2018 law no 171 that guarantees compliance with GDPR regulations. While waiting for the adequacy assessment procedures to be initiated by the European Commission, data processing is allowed if the data subject has signed a contract or a pre-contractual agreement or has expressed consent to the data transfer after being informed of the risks involved in the procedure (art. 49 GDPR - derogations involved in specific situations). Further data transfers to non-EU countries may occur when using Facebook, Google, and other social networks or when turning to service providers located in the US. Such data processing is guaranteed under the "Privacy shield" agreements, signed by individual companies.

Recipients
To carry out business activities and to provide support in organising and maintaining said activities, some of the data might be transferred or reported to recipients. Recipients are divided into the following categories: Third parties, processors and sub-processors, and authorised personnel under the authority of the controller or the processor.

• Third Parties
Natural and legal people, public authorities, services, and other entities that do not include the data subject, the data controller, or the data processor and sub-processors. For data processing related to administrative purposes, accounting, legal obligations, and customer management, data may be communicated to:
- Companies managing traditional or electronic postal services
- Companies registering domain names
- Other entities whose data communication is necessary to achieve the aforementioned purposes or to comply with a legal obligation
• Processors and sub-processors
These are individuals or legal entities, public authorities, services, or other entities that process personal data on behalf of the data controller. This includes:
- Titanka! Spa as the primary processor, and other sub-processors providing services for technology infrastructure, connectivity, and hosting: Semplify srl in San Marino. Semplify srl relies on further sub-processors for service provision, such as Server Farm DATA4 GROUP Via Monzoro, 101-105 - 20007 Cornaredo (MI
- Providers of SaaS services, such as CRM/ERP, marketing automation, and customer care systems
- Professional freelancers, and accountancy firms for the maintenance of the accounting system
• Authorised personnel
These are natural persons under the data controller's or processor's direct authority, such as employees or workers, and who have been duly informed and authorised to process personal data for the purposes and in the manners described above.

Data subject's rights
Data subjects are entitled to exercise their rights under the applicable laws, including the rights to access, rectify, or erase their personal data, and restrict or object to data processing, as well as the right to data portability, by sending their request via email to direzione@divinaluxuryhotel.com. Data subjects can also lodge a complaint with the competent supervisory authority.

Data Controller's Contact Information
For further information on this privacy policy and for the exercise of your rights, you can contact the data controller directly at direzione@divinaluxuryhotel.com.