Privacy Policy
Last updated: 26 August 2025
1. Introduction
Villa Traiano Holding Ltd is committed to protecting the privacy and personal data of all users, guests and visitors of its website and hotel property. This Privacy Policy describes how we collect, use, store and protect personal data, in compliance with EU Regulation 2016/679 (GDPR), Italian Legislative Decree No. 196 of 30 June 2003, as amended by Legislative Decree No. 101 of 10 August 2018 (D.Lgs. 196/2003), the UK GDPR and the Data Protection Act 2018 of the United Kingdom.
We encourage you to read this privacy notice carefully to understand our practices regarding the processing of personal data.
2. Who We Are and Contact Details
The Data Controller is:
Villa Traiano Holding Ltd — the brand's foreign parent company
20 Wenlock Road, London, England, N1 7GU
Companies House: 16607218
Email: info@villatraiano.com
For processing activities carried out on the Italian premises (check-in, stay, restaurant, SPA, events, CCTV, tax obligations), the Data Controller is:
VT Hospitality S.r.l.
Registered office: Viale dei Rettori 9, 82100 Benevento (BN), Italy
VAT / Italian Tax Code: 01892000629
REA: BN - 313670
Certified email (PEC): hospitality@pec.villatraiano.com
Email: privacy@villatraiano.com
VT Hospitality S.r.l. operates, for the activities within its remit, together with Villa Traiano Management S.r.l. For further details please refer to the booking terms.
Data Protection Officer (DPO):
Email: dpo@villatraiano.com
3. Scope
This Privacy Policy applies to all personal data processed in the context of Villa Traiano's activities, with reference to the following categories of data subjects:
- Hotel guests
- Website visitors
- Clients of events, weddings and meetings
- Suppliers and business partners
- Job candidates
4. Types of Data Processed
In the course of our activities, we may process the following categories of personal data:
- Identification data: first name, surname, date of birth, nationality, identity document details
- Contact data: email address, telephone number, postal address
- Booking data: stay dates, room type, preferences, special requests
- Financial data: payment information, processed through PCI-DSS certified payment gateways
- Health-related data: food allergies, accessibility requirements, any medical conditions voluntarily disclosed by the guest
- Browsing and cookie data: IP address, browser type, operating system, pages visited, session data
- CCTV data: images captured by closed-circuit surveillance systems installed in common areas
- Communications: content of emails, messages sent via the contact form, telephone enquiries
5. Collection Methods
Personal data may be collected through the following methods:
- Online contact and booking forms on the website
- Online Travel Agencies (OTAs) and third-party booking systems
- Communications via email, telephone or social media
- Check-in procedure at the property
- Cookies and analytics tools during website browsing
6. Purposes and Legal Bases for Processing
Personal data is processed for the following purposes, each supported by a specific legal basis:
| Purpose | Legal basis |
|---|---|
| Management of bookings and stays | Performance of a contract — Art. 6(1)(b) GDPR |
| Tax, accounting and regulatory obligations, including guest registration reporting (schedina alloggiati) | Legal obligation — Art. 6(1)(c) GDPR |
| IT security, fraud prevention, CCTV surveillance, service improvement | Legitimate interest — Art. 6(1)(f) GDPR |
| Sending marketing communications, newsletters and personalised offers | Consent — Art. 6(1)(a) GDPR |
| Processing of health-related data (allergies, accessibility) | Explicit consent — Art. 9(2)(a) GDPR |
7. Marketing Communications
Marketing and promotional communications are sent only with the explicit consent of the data subject. Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to the withdrawal, by using the unsubscribe link included in each communication or by contacting the DPO at dpo@villatraiano.com.
8. Events, Weddings and Meetings
In connection with the organisation of events, weddings and meetings, we may process personal data relating to organisational preferences, guest contact details, special requests (dietary, accessibility, logistical) and contractual details. Such data is processed solely for the proper performance of the requested service and is retained for the time necessary to fulfil contractual and legal obligations.
9. CCTV Surveillance
The common areas of the property are equipped with a closed-circuit television (CCTV) surveillance system, installed for security and property protection purposes. The presence of cameras is indicated by appropriate signage. Recorded images are retained for a maximum period of 7 days, unless they are required for the investigation of unlawful activities, and are accessible only to authorised personnel.
10. Data Sharing
Personal data may be disclosed to the following categories of recipients, acting as data processors or independent data controllers:
- Cloudflare, Inc. (USA) — website hosting, CDN, WAF, DNS and cookieless analytics (Cloudflare Web Analytics)
- Google LLC (USA) — traffic analysis (Google Analytics 4), tag management (Google Tag Manager), mapping services (Google Maps)
- Selfbook, Inc. (USA) — online booking engine (sdk.selfbook.com SDK) — necessary to complete a booking
- Sabre / SynXis (USA) — hotel channel manager integrated with Selfbook
- Stripe Payments Europe Ltd. (Ireland) — payment processing for experiences and events
- Spreedly, Inc. (USA) — card tokenisation for the booking engine
- Twilio Segment, Inc. (USA) — aggregation of analytics/marketing events to authorised destinations
- Triptease Ltd. (UK) — on-site messaging and offer personalisation
- Statsig, Inc. (USA) — feature flag and A/B testing
- Meta Platforms, Inc. (USA) — remarketing and custom audiences (Meta Pixel), subject to consent
- Villa Traiano Hub — the group's proprietary CRM (hub.villatraiano.com, pos.villatraiano.com)
- Legal, tax and accounting advisors
- Public authorities (Questura, Agenzia delle Entrate, judicial authorities)
- Travel and transport partners, where necessary for the performance of requested services
Data is not made publicly available. Recipients are bound by contractual obligations of confidentiality and security, including Standard Contractual Clauses (SCCs) for transfers to the USA, where applicable.
11. International Data Transfers
Some of our service providers may be established outside the European Economic Area (EEA) or the United Kingdom. In such cases, the transfer of personal data takes place only where adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCR)
- Adequacy decisions by the European Commission or the UK Secretary of State
For specific information on the safeguards applied, please contact the DPO at dpo@villatraiano.com.
12. Retention Periods
Personal data is retained for the period strictly necessary to fulfil the purposes for which it was collected:
- Booking and contractual data: 10 years from the end of the relationship, for tax and accounting purposes
- Marketing data: until consent is withdrawn
- CCTV surveillance data: maximum 7 days
- Guest registration records (schedine alloggiati): in accordance with the timeframes provided by Public Safety legislation
- Browsing and cookie data: in accordance with the timeframes set out in the Cookie Policy
13. Security Measures
Villa Traiano implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or alteration. These measures include:
- Encryption of data in transit and at rest
- Firewall and perimeter protection systems
- Regular backups and disaster recovery plans
- Periodic security audits and impact assessments
- Training of personnel authorised to process data
14. Data Subject Rights
Under Articles 15-22 of the GDPR and applicable UK legislation, data subjects have the right to:
- Access — obtain confirmation of processing and a copy of their personal data
- Rectification — correct inaccurate or incomplete data
- Erasure — request the deletion of data (right to be forgotten)
- Restriction — restrict processing in certain circumstances
- Data portability — receive data in a structured, commonly used and machine-readable format
- Objection — object to processing on legitimate grounds, including processing for direct marketing purposes
- Withdrawal of consent — withdraw consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal
To exercise your rights, please send a request to the DPO at dpo@villatraiano.com.
15. Cookies and Tracking
The website uses cookies and similar tracking technologies. For detailed information on the types of cookies used, their purposes and how to manage your preferences, please refer to our Cookie Policy.
16. Minors
The services offered through the website are not intended for individuals under the age of 16. We do not knowingly collect personal data from minors under 16 without the verifiable consent of a parent or legal guardian. If we become aware that we have collected data from a minor without appropriate parental consent, we will promptly delete such data.
17. External Links and Social Media
The website may contain links to third-party websites and social media platforms. Villa Traiano is not responsible for the privacy practices or the processing of personal data carried out by such third parties. We encourage users to review the privacy notices of third-party websites and platforms before providing their personal data.
18. Changes to the Privacy Policy
Villa Traiano reserves the right to update this Privacy Policy at any time to reflect regulatory, organisational or technological changes. The updated version will always be available on this page, with an indication of the date of the last update. In the event of material changes, we will inform users with adequate notice.
19. Competent Authorities
Data subjects have the right to lodge a complaint with the competent supervisory authority:
- Italy: Garante per la Protezione dei Dati Personali — www.garanteprivacy.it
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
20. Contact
For any questions, requests or clarifications regarding this Privacy Policy or the processing of personal data, please contact the Data Protection Officer (DPO):
Email: dpo@villatraiano.com