Privacy Policy

INFORMATION PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 - PRIVACY POLICY https://susafa.com

Dear User, we inform you that pursuant to Article 13 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, the data provided will be processed according to the principles of lawfulness, fairness and transparency and protection of your privacy and your rights. Therefore, we provide you with the following information:

1. Data Controller

The Data Controller is Società Agricola Susafa S.r.l., via Gen. G. Arimondi, 2 - 90143 Palermo, contactable at the email address info@susafa.it

2. Data Protection Officer (DPO)

The Data Protection Officer (DPO), if appointed, can be contacted at dpo@susafa.it.

3. Categories of data processed

The Data Controller processes personal identification and contact data such as name, surname, email address and telephone number, as well as booking data such as period of stay, number of guests, type of room or service requested, any special requests, billing data and tax data (tax code or VAT number). Payment and transaction data may also be processed, managed through third-party providers specializing in electronic payment services, without the Data Controller retaining complete data on the payment instruments used.

Browsing data, such as IP address, device identifiers, access logs, and technical information relating to the use of the site, are also processed.

Special categories of data pursuant to Art. 9 of the GDPR are not processed, unless the data subject spontaneously provides specific information (for example, dietary requirements or specific health concerns); in this case, such data will be processed exclusively to fulfill the request and for the time strictly necessary.

4. Purpose of processing

Personal data is processed to allow the management of reservations made through the site, including administrative, accounting, organizational, and logistical activities related to the provision of the hospitality service. Processing is necessary for the performance of a contract or pre-contractual measures taken at the request of the data subject pursuant to Art. 6, par. 1, letter b) GDPR.
The data is also processed to allow the formulation and sending of quotes at the user's request, as well as for subsequent contacts aimed at the possible conclusion of the contract. In this case too, the legal basis is Art. 6, paragraph 1, letter b) GDPR.

The processing also concerns the data provided via contact forms or email communications in order to respond to requests for information relating to the property, the services offered, or availability. This processing is based on the adoption of pre-contractual measures at the request of the interested party.
Browsing data is processed to guarantee the correct functioning of the site, the security of networks and IT systems, and the prevention of fraudulent use.
The provision of the data necessary for booking is mandatory; failure to provide such data will make it impossible to complete the booking. The provision of data for requesting a quote or information is necessary in order to provide a response.

5. Retention Period

Data relating to reservations and tax documents are retained for 10 years, in compliance with civil and tax obligations. Data relating to requests for quotes not followed by a reservation are retained for the time strictly necessary to provide a response and in any case no longer than 12 months.
Browsing data and security logs are retained for a maximum period of 6 months, except where required by judicial authorities to investigate criminal offenses. Regarding the cookies and tracking tools used by the site, please refer to the Cookie Policy, which provides a detailed list of the retention periods for each type of cookie.

6. Processing Methods

Personal data is processed using IT and electronic means, in compliance with the principles of lawfulness, fairness, transparency, minimization, and storage limitation, adopting appropriate technical and organizational measures to guarantee the security and confidentiality of the data.

7. Data Recipients

The data may be processed by authorized and adequately trained internal personnel. They may also be disclosed to third parties who provide services functional to the business's activity, such as IT and hosting providers, booking management platforms, tax and administrative consultants, banks, and payment service providers.
If the booking is made through external platforms, these parties operate as independent Data Controllers in accordance with their respective privacy policies.
Suppliers who process data on behalf of the Data Controller are appointed as Data Processors pursuant to art. 28 GDPR.
The data may be disclosed to public bodies or competent authorities for the fulfillment of legal obligations pursuant to art. 6, paragraph 1, letter c) GDPR.

8. Transfers to non-EU countries

If, for technical or organizational reasons, personal data is transferred to countries outside the European Union, the transfer will take place in compliance with Articles 44 et seq. of the GDPR, based on adequacy decisions by the European Commission or through the adoption of Standard Contractual Clauses or other adequate guarantees provided for by applicable legislation.

9. Rights of the data subject

The data subject may exercise the rights provided for in Articles 15–22 of the GDPR at any time, including the right to access, rectification, erasure, restriction of processing, data portability, and objection to processing, by contacting the Data Controller at the contact details indicated above or the DPO, if appointed. The right to lodge a complaint with the Italian Data Protection Authority pursuant to Article 77 of the GDPR remains unaffected.