Privacy Policy

Last update: April 3, 2025

Introduction

This privacy notice ("Privacy Policy" or "Policy") is provided pursuant to Article 13 of EU Regulation 2016/679 ("GDPR") and Italian Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 ("Privacy Code"), and is addressed to users ("Data Subject", "Data Subjects") of the website https://flaturbansuites.com ("Website"), managed by B&B Flat Urban Suites ("Controller", "Establishment").

This Policy describes the methods of collection, use, sharing, retention, and protection of the personal data of Data Subjects who interact with the Website and/or who use the services offered by the Establishment.

The Controller invites Data Subjects to carefully read this Policy before communicating any personal data.

Data Controller

The Controller of the personal data is:

B&B Flat Urban Suites
Viale Ettore Franceschini, 71
00155 Rome, Italy

Contact person: Flavio Tentellini
Telephone: +39 3490096071

Types of Data Processed

Browsing Data

The computer systems and software procedures used to operate the Website acquire, during their normal operation, certain personal data, the transmission of which is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers and terminals used by Data Subjects, URI/URL (Uniform Resource Identifier/Locator) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters relating to the operating system and the IT environment of the Data Subject.

Data Voluntarily Provided by the Data Subject

The optional, explicit, and voluntary sending of messages to the Establishment's contact addresses, as well as the completion and submission of forms on the Website, entails the acquisition of the sender's contact details, necessary to respond, as well as all personal data included in the communications.

In particular, the Controller may collect the following personal data:

  • Personal details (name, surname, date of birth);
  • Contact details (email address, telephone number, residential address);
  • Information related to the stay (arrival and departure dates, number of guests, preferences);
  • Payment details (credit card data are not stored);
  • Identity documents (as required by Italian legislation for accommodation facilities).

Cookies and Similar Technologies

The Website uses cookies and similar tracking technologies, as specified in the Cookie Policy.

Purposes and Legal Basis of Processing

The Controller processes the personal data of Data Subjects for the following purposes:

Performance of a Contract or Pre-contractual Measures (Art. 6, par. 1, lit. b) GDPR)

  • Management of bookings and stays at the Establishment;
  • Provision of requested services;
  • Response to information requests;
  • Fulfillment of contractual obligations;
  • Payment processing.

Compliance with a Legal Obligation (Art. 6, par. 1, lit. c) GDPR)

  • Communication of guest data to competent authorities (so-called "guest registration forms"), as required by Italian public security regulations;
  • Tax and accounting obligations;
  • Response to requests from public authorities.

Legitimate Interest of the Controller (Art. 6, par. 1, lit. f) GDPR)

  • Improvement and optimization of the Website;
  • Statistical analysis in aggregate form on the use of the Website;
  • Protection and security of the Website;
  • Exercise of the Controller's rights, including in legal proceedings.

Consent of the Data Subject (Art. 6, par. 1, lit. a) GDPR)

  • Sending promotional communications and newsletters regarding services and initiatives of the Establishment;
  • Direct marketing.

Processing Methods

The processing of personal data is carried out using IT and/or telematic tools, with organizational methods and with logic strictly related to the purposes indicated. In particular, data processing is carried out through the following operations: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of data.

The Controller adopts specific security measures to prevent data loss, illicit or incorrect use, and unauthorized access.

Data Retention Period

Personal data are processed and stored for the time required by the purposes for which they were collected:

  • Data relating to bookings and stays are stored for the period necessary for the provision of the service and for the subsequent 10 years, in compliance with legal obligations in tax and accounting matters;
  • Data collected for direct marketing purposes are stored until the withdrawal of consent by the Data Subject and in any case not beyond 24 months from collection;
  • Browsing data are generally deleted immediately after processing, but may be stored for a longer period in case of necessity related to Website security or legal obligations.

Recipients of the Data

The personal data of Data Subjects may be communicated to the following categories of recipients:

  • Authorized personnel of the Establishment, duly trained and instructed;
  • External service providers acting as Data Processors (e.g., IT service providers, hosting services, booking service managers);
  • Public authorities, where required by law (e.g., Police Headquarters for "guest registration forms");
  • Legal, tax, and accounting consultants of the Controller;
  • Potential purchasers of the Establishment or business, in case of extraordinary corporate operations.

Data Transfer

The Controller does not transfer the personal data of Data Subjects to third countries outside the European Union. In the event that this becomes necessary for the provision of services (e.g., use of cloud services with servers located outside the EU), the Controller undertakes to ensure that the transfer takes place in compliance with applicable regulations and subject to the adoption of adequate safeguards, such as adequacy decisions, standard contractual clauses approved by the European Commission, or other safeguards considered adequate.

Nature of Data Provision

The provision of personal data for purposes related to the performance of the contract and compliance with legal obligations is mandatory. Any refusal, partial or total, to provide such data would make it impossible for the Controller to provide the requested services.

The provision of data for marketing purposes and newsletter subscription is optional. The Data Subject may withdraw at any time the consent previously given, without prejudice to the lawfulness of processing based on consent before its withdrawal.

Rights of Data Subjects

In accordance with the GDPR, Data Subjects may exercise the following rights:

  • Right of access (Art. 15 GDPR): the right to obtain confirmation as to whether or not personal data concerning them are being processed and, if so, to obtain access to the personal data and specific information about the processing;
  • Right to rectification (Art. 16 GDPR): the right to obtain, without undue delay, the rectification of inaccurate personal data and the completion of incomplete personal data;
  • Right to erasure or "right to be forgotten" (Art. 17 GDPR): the right to obtain, without undue delay, the erasure of personal data, in the cases provided for by the regulation;
  • Right to restriction of processing (Art. 18 GDPR): the right to obtain restriction of processing, in the cases provided for by the regulation;
  • Right to data portability (Art. 20 GDPR): the right to receive personal data in a structured, commonly used, and machine-readable format and to transmit such data to another controller, only for the cases provided for by the regulation;
  • Right to object (Art. 21 GDPR): the right to object at any time to the processing of personal data carried out for direct marketing purposes or based on the legitimate interest of the Controller;
  • Right not to be subject to automated decision-making (Art. 22 GDPR): the right not to be subject to a decision based solely on automated processing, including profiling;
  • Right to lodge a complaint with the Italian Data Protection Authority, Piazza Venezia n. 11, 00187, Rome (RM).

To exercise the aforementioned rights, Data Subjects may contact the Controller using the contact details indicated in the "Data Controller" section of this Policy.

Amendments to the Privacy Policy

The Controller reserves the right to make changes to this Policy at any time, giving notice to Data Subjects by publication on the Website. Data Subjects are invited to periodically consult this page to review any updates.

This Privacy Policy is drafted in compliance with the General Data Protection Regulation (GDPR) of the European Union and other applicable regulatory provisions on personal data protection.