Privacy Policy

Privacy Notice pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR)

Introduction

This notice describes how Casa E. di Mirafiore & Fontanafredda S.r.l. processes personal data of users of the website https://www.albergoagenzia.it (“the Site”). This notice is provided in accordance with Article 13 of Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws. It applies to all users who visit the Site and interact with the services offered by Casa E. di Mirafiore & Fontanafredda S.r.l. 

This notice applies exclusively to the Site https://www.albergoagenzia.it, owned by Casa E. di Mirafiore & Fontanafredda S.r.l. It does not extend to other websites, including those of third-party partners, which may be accessed by the user via links on the Site.

For the privacy notice of Fontanafredda, please refer to its specific policy.

1. Who is the Data Controller?

The Data Controller is Casa E. di Mirafiore & Fontanafredda S.r.l., with its registered office at Via Alba 15, 12050 Serralunga d’Alba (Cn), Italy, represented by its current legal representative (“Controller”).

The Controller has appointed a Data Protection Officer (DPO), who can be contacted at: privacy@fontanafredda.it.

2. What Data is Collected?

2.1 Navigation Data

The Site may collect information that could enable the identification of users. This includes:

• IP addresses or domain names of the devices used to connect to the Site;
• URI (Uniform Resource Identifier) of requested resources;
• Timestamps of requests;
• Methods used to submit requests to the server;
• File sizes of responses;
• Numeric codes indicating server response status (e.g., success, error);
• Other parameters.

2.2 Personal and Identifiable Data

The Controller processes personal and identifiable data, such as:

• Name and surname;
• Address;
• Phone number;
• Email address.

Users are free to provide their personal data to request information via the following dedicated email addresses:

• eventi@albergogenzia.it
• info@albergoagenzia.it
• info@albergocortealbertina.it

3. Purposes and Legal Bases for Data Processing

3.1 Categories of Special Data

In general, the Controller does not process special categories of data (e.g., health information, dietary restrictions, allergies) unless strictly necessary for service provision. In such cases, processing is carried out in compliance with Article 9 of the GDPR, with the explicit consent of the user.

3.2 Personal Data for Newsletter Purposes

Personal data may be processed for newsletter purposes only with the user’s specific consent, which is optional. The newsletter service involves sending promotional communications about products and services offered by the Controller or its affiliated companies within the Casa E. di Mirafiore & Fontanafredda S.r.l. group. The legal basis for this processing is the user’s consent (Article 6(1)(a) GDPR), which can be revoked at any time. Upon subscribing to the newsletter, users receive a confirmation email. The newsletter will only become active after confirmation. Users may revoke consent at any time by unsubscribing or writing to privacy@fontanafredda.it.

3.3 Data Provided for Purchases and Package Bookings

Personal data provided by users—for example, to book or purchase experiences, activities, or packages (as outlined in the General Terms and Conditions)—is processed to:

• Deliver the service;
• Enable users to purchase a product.

The legal basis for this processing is Article 6(1)(b) GDPR. For online booking services, the Site uses Blastness S.p.A., an external provider specializing in reservation management.

Blastness acts as a Data Processor under Article 28 GDPR, ensuring compliance with security measures and applicable regulations.

During the booking process, users are redirected to a page owned by the Controller.

Blastness may also carry out retargeting activities, which involve online advertising techniques to promote services to specific users based on their browsing habits and interests. Navigation data is collected whenever a user accesses the website or platforms managed by the Company, using tools such as Google Analytics or advertising platforms (e.g., Bing, TripAdvisor, Trivago).

The legal basis for this processing is the user’s specific consent, in accordance with Articles 6(1)(a) and 122 of the GDPR.

3.4 Cookies

For information on cookie processing, please refer to the dedicated Cookie Policy.

Users are informed that their personal data may be processed to fulfil legal obligations or comply with orders from competent authorities, to pursue the legitimate interests of the Controller, or to exercise the Controller’s legal rights, such as the right to defence.

4. Who Are the Recipients of the Data?

Personal data may be shared with the following categories of recipients:

• Authorized personnel (employees and collaborators);
• Consulting firms responsible for event organization, acting as external data processors;
• Service providers for managing activities outlined in the purposes above, such as newsletter services (e.g., MailUp);
• IT consultants providing information system management services;
• Web platform operators.

All recipients listed above act as Data Processors under Article 28 of the GDPR. Personal data is processed solely by authorized individuals (employees and/or collaborators) under Article 29 of the GDPR, based on their roles and responsibilities, and after receiving privacy training. Personal data is not sold or disclosed to group companies or third-party partners.

Users are not subject to decisions based solely on automated processing, as referred to in Article 22 of the GDPR.

5. How Long Do We Process Data?

The retention periods for personal data are as follows:

• Data processed for legal obligations: Retained for the period required by applicable laws (e.g., tax, health, food safety regulations), with a maximum retention period of 10 years, or longer if required by law;
• Data processed for marketing purposes: Retained as long as the user demonstrates interest in receiving communications. The Controller periodically verifies user engagement. Users who do not open Casa E. di Mirafiore & Fontanafredda S.r.l. newsletters for 36 consecutive months will be automatically removed from the mailing list;
• Data processed for profiling purposes: Retained for a maximum of 24 months from collection, unless consent is revoked earlier;
• Data related to IT security and monitoring of corporate system access: Retained for a maximum of 12 months from collection, unless security or legal requirements necessitate a longer retention period;
• Data processed for contractual and tax purposes: Retained for the duration of the contractual relationship and thereafter to fulfil legal obligations. In any case, data is retained for no longer than 10 years from the termination of the contractual relationship, unless further legal obligations or judicial protection requirements apply.

For details on the retention periods of cookies installed on the Site, please refer to the specific information provided in the cookie banner under the section “Clicca qui” (“Click here”). Any special categories of data included in the notes section are retained only for the strictly necessary period to provide the service, after which they will be deleted.

6. What Security Measures Are in Place?

Personal data is stored in digital format and protected using organizational and technical security measures to ensure confidentiality and prevent risks such as loss, destruction, unauthorized access, or unlawful processing. Some of the security measures implemented include:

• Data backups;
• Use of the HTTPS protocol;
• Deployment of antimalware and antispam tools.

7. Is There a Transfer of Data to Non-EU Countries?

Personal data processing may involve transfers to third countries within or outside the European Union. In such cases, the Controller and any third parties involved will apply adequate safeguards recognized by the European Commission in its adequacy decisions. Where no adequacy decision exists, data transfers to non-EU countries will be carried out using appropriate safeguards, ensuring enforceable rights and effective remedies for data subjects. This includes the use of standard contractual clauses under Article 46(2)(c) of the GDPR, in line with the templates adopted by the European Commission.

For data managed by sub-processors on behalf of Blastness, please refer to the summary document available at: https://www.blastness.com/it/data-processing-agreement → “Sub-Processors” section.

8. Is the Site Directed at Minors?

The Site is not intended for minors, and no personal data of minors is collected or processed.

9. What Are the User’s Rights?

Users may exercise their rights under Articles 15 and following of Regulation (EU) 2016/679 (GDPR) by contacting the Data Controller at: 📧 privacy@fontanafredda.it or by sending a registered letter with return receipt to: Casa E. di Mirafiore & Fontanafredda S.r.l. Via Alba 15, 12050 Serralunga d’Alba (Cn), Italy.

For each processing activity, users may exercise the following rights:

• Right of access: Obtain a copy of the personal data undergoing processing;
• Right to object to processing for commercial purposes: Users may request to stop receiving promotional communications at any time by unsubscribing from the newsletter or writing to privacy@fontanafredda.it;
• Right to object to automated decision-making: Users may request not to be subject to decisions based solely on automated processing, such as profiling activities;
• Right to rectification: Update or correct any inaccurate or incomplete personal data held by the Controller;
• Right to withdraw consent: Revoke consent given for processing at any time.

• Right to erasure (Right to be forgotten): Request the deletion of personal data when the purposes for which it was collected have ceased, and there are no legitimate interests or legal obligations requiring its retention;
• Right to restriction of processing: Request the limitation of data processing activities;
• Right to data portability: Receive a copy of the data in a structured, commonly used, and machine-readable format, and transfer it to another Data Controller;
• Right to lodge a complaint with the Supervisory Authority: Users may lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), located at: Piazza Venezia 11, 00187 Roma, Italy Email: protocollo@gpdp.it Website: https://www.garanteprivacy.it

For further details on user rights, please visit: https://www.garanteprivacy.it/home/diritti

10. What Happens in Case of Changes to This Notice?

The Controller reserves the right to modify or update this Privacy Notice at its discretion. Any updates will be published on this page, and users will be notified via email with details of the changes.

Current version: 1

This Privacy Policy was published on February 20, 2026.