Privacy Policy

www.visitvarenna.com

Privacy and online safety are important to Villa Monti:  we will process your personal data only if you have given your consent to the processing or if it strictly necessary for the performance of your booking contract with us, in addition to that we will process your data only for compliance with our legal obligations.

 

Pursuant  to Regulation (EU) 2016/679  (GDPR –General Data Protection Regulation) through this Privacy Policy we wish to inform you about the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, about the recipients or categories of recipients of the personal data, if any, about the retention period for the personal data  and about your right to request  access to and rectification or erasure of personal data or restriction of processing as well as the right to data portability, about your right to complain with the local privacy authority.

Controller of the data is  Villa Monti S.R.L.  of via Roma n. 9/11, 23829,  Varenna (LC), Italy .

The controller of the data can be contacted by email at privacy@visitvarenna.com

 

1.0 - PERSONAL INFORMATION THAT THIS WEBSITE COLLECTS AND WHY WE COLLECT IT

Processing of your personal data from our website is essential to our ability to provide our services and to fulfill our contract obligations for your bookings. We collect your Personal Data through our website only in 2 ways ( depending on how our services are used):

 

1.1 Contact form: should you choose to contact us using the “contact form” on the “Contact us” page of our website you will be asked to provide us only with your name and with your email address because this is  absolutely necessary for us in order to answer to your information request. Requesting information about our accomodation service is often a preliminary step that our visitors take before entering a booking contract with us and we are happy to do our best to provide them with all the information they might need to take an informed decision about booking our accomodation services.  The personal data that we ask you to supply through our “Contact  form” is only the essential one (your name and email address) that we need in order to reply to your information request: we will store your name and email-address in our cloud Content Management System (CMS) which is provided to us by Wix.com. The retention period for the data you send us through our Contact Form is 6 months: that is the average time frame needed for planning and booking a vacation. After a 6 months retention period all the names and email addresses stored  in our CMS are deleted with the deletion tools provided by our CMS. We use your data only to reply to your information request: we never share your data with third parties and we never use it to send marketing material or any other unsollicited content. From our CMS your data (name and email address) will be collated into an email and sent to us over the Simple Mail Transfer Protocol (SMTP). Our SMTP servers are protected by TLS (sometimes known as SSL) meaning that the email content is encrypted using SHA-2, 256-bit cryptography before being sent across the internet.

By contacting us anytime during the 6 months retention period at privacy@visitvarenna.com with regard to your personal data retained in our CMS you can ask us a copy of your the personal data, you can ask us rectification of inaccurate personal data and you can ask permanent erasure of your personal data.   We shall confirm  any rectification or erasure of personal data within 7 business days from your request.

We consider our CMS  supplier Wix.com to be a third party data processor.

 

1.2 Booking form: should you choose to book our accomodation services for your vaction, you will enter a booking contract with us through our “Booking Form” and by so doing you will provide us with personal data and information:  we require only the personal data that are  absolutely necessary for us in order to complete the booking agreement with you and we ask  your consent  to store and proces it through the booking process.

Our  Booking form requires the following personal data:

 

  • Name and Surname (needed to identify you)

  • Billing address (needed to produce an invoice in your name)

  • Telephone number and e-mail (needed to contact you and to send you information about your booking)

  • Credit card data (needed to process the payment for your booking)

 

Our Website uses an HTTPS transfer protocol to transfer information in a secure and encrypted way to protect your data against “man in the middle” attacks when it travels from our Website to our Property Management System (PMS). Our PMS is a cloud based software that facilitates the manangement of our property and handling of the reservations made online on our Website. The name of our PMS is Sirvoy.com,  it is a service provided to us by Sirvoy Ltd registered in Ireland: Sirvoy is GDPR (General Data Protection Regulation) compliant and we consider it to be a third party data processor.

We do not use our PMS to produce the invoices related to your bookings, to do that we rely on a cloud content management system (CMS) called Google.com provided to us by Google Inc.  which is based in the USA  , it is EU-U.S Privacy Shield compliant  and  GDPR compliant. We copy some of your personal data (only name , surname and billing address) from our PMS to our Google CMS to produce our invoices.

The personal data you provided us with through our “booking form” is  stored on our Sirvoy.com PMS and on our Google.com  CMS with a retention period of 18 months after your check-out date.

By contacting us anytime during the 18 months retention period at privacy@visitvarenna.com with regard to your personal data retained in our CMS and PMS you can ask us a copy of your the personal data, you can ask us rectification of inaccurate personal data and you can ask permanent erasure of your personal data as long as it is no longer necessary for the fulfillment of our contract or legal obligations.  We shall confirm  any rectification or erasure of personal data within 7 business days from your request.

At the end of the booking process, before submitting the “booking form” you are always asked to read and accept our booking terms and conditions which include our privacy policy information: without your explicit consent by accepting our “booking terms and conditions” the booking process will not be completed and no personal data will be transfered to our PMS. If you accept our “booking terms and conditions” after pressing a “Book now” button your booking will be submitted to us and your personal data will be securely tansfered through a HTTPs transfer protocol to our PMS. According to our “Booking terms and conditions” after your reservation is made we might charge a 35% Initial Deposit or a 100% Full Payment for your reservation on your credit card (depending on the time to your check-in date):  these credit card payments are processed through our credit card processor called Stripe.com by Stripe Inc based in the USA. Stripe.com is GDPR compliant  and certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework, we consider Stripe.com a third party data processor.  Stripe.com will retain your personal data transmitted from our PMS to process your payment for the period necessary to fulfill it obbligations including to ensure that transactions can be appropriately processed, settled, refunded or charged-back, to help identify fraud and to comply with anti-money laundering and other laws and rules that apply to Stripe.com

Villa Monti is PCI (Payment Card Industry) compliant, the integration of our PMS with Sirvoy.com is PCI compliant and Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1 (the most stringent level of certification available in the payments industry). In the section below we explain our carholder data handling, retention and disposal policy.

 

2.0 – CARHOLDER DATA HANDLING, RETENTION AND DISPOSAL POLICY

 

This section describes the policies for cardholder data (CHD) at Villa Monti, CHD consists of the following data:

 

  • The PAN, which is the 15- or 16-digit number on the front of credit and debit cards.

  • The cardholder name, expiration date, and/or service code are also considered CHD when they are stored with a PAN.

  • Card verification codes (three- or four-digit card-verification code or value printed on the front of the card or the signature panel)

 

CHD are encypted while in transit between our “booking form” and our PMS and while in transit between our PMS and our credit card processor Stripe.com , we never send or ask to send PAN by way of not secured and not encrypted communication tools such as emails or chat or istant message.

 

Villa Monti does not hold directly any CHD:

 

  • CHD are transmitted via our “booking form” to our PMS by Sirvoy where they rest: CHD is made unreadable when resting in our PMS by encryption and it is retained on our PMS for no longer than 18 months and later it is automatically deleted in a secure way by Sirvoy.com

  • CHD are transmitted form our PMS to our credit card processor stripe.com where they rest: CHD is made unreadable when resting on Sirvoy.com by encryption and it is retained there for no longer than 18 months and later it is deleted by us using the deletion tool provided by Stripe.com.

 

In both Sirvoy.com and Stripe.com PAN are masked with only the last 4 digit visible when accessed by our personell to make a charge or a refund.

A 18 months retention period allows for the fulfillment of our legitimate business needs: sometimes our guests book their vacation  1 year or more in advance and we need to retain their CHD while waiting for an authorization up to 18 months from the time of booking to the time of refund or charge of a security deposit after check-out.

By contacting us anytime during the 18 months retention period at privacy@visitvarenna.com with regard to your CHD retained in our PMS or on our Sirvoy.com control panel you can ask us permanent erasure of CHD data as long as it is no longer necessary for the fulfillment of our contract or legal obligations.  We shall confirm  any rectification or erasure of personal data within 7 business days from your request. Please note that Stripe.com may retain your personal data transmitted from our PMS to process your payment for the period necessary to fulfill it obbligations including to ensure that transactions can be appropriately processed, settled, refunded or charged-back, to help identify fraud and to comply with anti-money laundering and other laws and rules that apply to Stripe.com

 

 

3.0 - OUR THIRD PARTY DATA PROCESSORS

We use a number of third parties to process personal data on our behalf as we described in the sections above. These third parties have been carefully chosen and all of them comply with the legislation set out in section 2.0.  based in the USA and are EU-U.S Privacy Shield compliant.

 

  • Google.com - based in the USA  - EU-U.S Privacy Shield compliant – GDPR compliant

  • Wix.com - based in Israel  - adheres to the Safe Harbor Privacy Principles developed by the U.S. Department of Commerce and the European Union (EU) – GDPR compliant

  • Stripe.com - based in the USA  - EU-U.S Privacy Shield compliant – GDPR compliant

  • Sirvoy.com - based in Ireland  - GDPR compliant

 

4.0 – DATA BREACHES

We will report any unlawful data breach of this website’s database or the database(s) of any of our third party data processors to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.

 

5.0 – COOKIES

  • Our Website use cookie: we ask our visitors if they agree to the placement of cookies before they start to use our website when they visit it for the first time.

  • All the cookies used by our website can be erased by the users through their web browser privacy tools.

  • No personal user data is acquired from our Website with cookies and we do not use cookies to transmit personal information.

 

The cookies used by our Website, their duration and purpose are described here:

 

5.1 Like most websites, our site uses Google Analytics (GA) to track user interaction. GA uses cookie to track site visitation metrics and we use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website.  Although GA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to us. GA also records your computer’s IP address which could be used to personally identify you but Google do not grant us access to this. Retention period by GA for data you send that is associated with is  set to 14 months. Our website uses the analytics.js implementation of GA.

We consider Google to be a third party data processor.

 

5.2 Our website uses  a persistent cookie called “svSession”  with a retention period  of 2 years, it is used to track visitors’ behaviour as they move around the website: this data is used to try and understand what people do and don't like about a site so it can be improved. The information collected by this cookie is anonymous and it and is separate from any personally identifiable information that you may submit via this site. “svSession”  is a general cookie implemented by Wix.com in all the websites developed through the Wix.com platform.

We consider Wix.com to be a third party data processor.

 

5.3 Our website uses  also some session (Transient) cookies called “XSRF” and “HS” which are erased when you close your browser and do not collect information from your computer. They typically store anonymous Information in the form of a session identification that does not personally identiy the user. These transient cookies are a general cookie implemented by Wix.com for security purpose in all the websites developed through the Wix.com platform.

We consider Wix.com to be a third party data processor.

 

Our Website is hosted by Wix.com, as user of our Website your personal data collected in the manners described in this paragraph may be maintained, processed and stored by Wix in the United States or other jurisdictions. Wix is based in Israel, which is considered by the European Commission to be a country which offers an adequate level of protection for EU data. Wix adheres to the Safe Harbor Privacy Principles developed by the U.S. Department of Commerce and the European Union (EU). The Safe Harbor Privacy Principles are intended to provide equivalent protections for personal data as those existing in the EU. For more information about the Safe Harbor Privacy Principles and to view our certification, visit the U.S. Department of Commerce's Safe Harbor website at http://export.gov/safeharbor/.  We consider our website host Wix.com to be a third party data processor.

All traffic (transferral of files) between this website and your browser is encrypted and delivered over a HTTPs protol.

 

6.0 – CHANGES TO OUR PRIVACY POLICY

This privacy policy may change from time to time inline with legislation or industry developments. We will not explicitly inform our clients or website users of these changes. Instead, we recommend that you check this page occasionally for any policy changes. Specific policy changes and updates are mentioned in the change log below.

 Changes Log:

 

  • February 15, 2018:  uploaded Privacy Policy

  • April 24, 2018:  uploaded new GDPR compliant Privacy Policy

 

Villa Monti