Privacy Policy

The website www.cinciano.it collects certain personal data from its users.
This policy is drafted in accordance with personal data protection laws, including Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter “GDPR”) and Italian Legislative Decree no. 196/2003 (Privacy Code), as amended by Legislative Decree no. 101/2018.

Data Controller
Fattoria di Cinciano S.r.l. Soc. Agr., registered office in Località Cinciano, 2 – 53036, Poggibonsi (SI), Italy
Phone: +39 0577 936588 – Email: info@cinciano.it – VAT No. 00692410525

1) Types of Data Collected

a) Contact and correspondence
Users may contact the Controller to request information regarding the products and services offered. The personal data collected are those included in the body of the message sent to the Controller’s email address.

b) Online booking
If users book services offered by the Controller through the “Book” page, the processing involves personal data (such as personal details, phone number, email address, and payment information – credit card details, bank account number, PayPal account data, or other payment-related information). These data are collected directly from the user and are limited to what is strictly necessary for the performance of the requested services.

c) Content from external platforms
These services allow the display of content hosted on external platforms directly from the pages of this site and enable interaction with them.
Even if users do not actively use the service, it is possible that such services may collect traffic data related to the pages in which they are embedded. The widgets installed on this site include:

  • Google Maps: A map display service managed by Google Inc. that allows this site to incorporate content into its pages. If the user clicks the widget, they will be redirected to Google’s page, where their data will be processed independently. Please refer to Google’s privacy policy: https://policies.google.com/privacy?hl=en.
  • Email Widget: By clicking “Email,” the user may be redirected to their email provider to send a message to the Controller. Please refer to your email provider’s privacy policy.
  • Facebook and Instagram Widgets: The site integrates widgets from the social networks Facebook and Instagram. The collection and use of data by these social networks are governed by their respective privacy policies. Social buttons/widgets (icon buttons for social networks) may also be present, allowing users to interact directly with those networks. By clicking the buttons, the social network collects information about the user’s visit. Aside from this user-initiated sharing, the Controller does not share browsing information or user data collected through the site with social networks.
    Please refer to Meta’s privacy policy: https://www.facebook.com/privacy/policy/.
    To prevent tracking by social media widgets, it is advised to log out of all social networks before visiting this website.
  • Booking Expert: When booking our hospitality services, users may be redirected to the Booking Expert platform, provided by Zucchetti Hospitality S.r.l. (a Zucchetti Group company), which acts as the data processor on behalf of the Controller.
  • TripAdvisor: The TripAdvisor widget is a content display service managed by TripAdvisor LLC, allowing this website to integrate content from that platform. See the privacy policy: https://www.tripadvisor.com/pages/privacy.html
  • TheFork: If a user books a restaurant reservation at Osteria 1126 through TheFork app, La Fourchette Sas acts as an autonomous data controller. See the privacy policy: https://www.thefork.it/legal#NormativaSullaPrivacy
  • Booking.com: If you book a stay at the Controller’s accommodation via Booking.com, the platform processes your data as an independent data controller. See their privacy policy: https://www.booking.com/content/privacy.en.html

2) Methods and Location of Data Processing

Data will be processed electronically, using systems designed to store, manage, and transmit the information. In addition to the Controller, in certain cases, other individuals involved in the organization (authorized personnel) or external parties (e.g., software providers, hosting providers) may access the data. These external parties may be appointed as Data Processors by the Controller where necessary.

3) Purpose and Legal Basis of the Processing

The Controller processes the User’s personal data for the following purposes:

  • Point 1, letter a): The purpose of processing your data is to respond to your inquiries. The legal basis for the processing lies in the execution of pre-contractual and contractual measures (Art. 6, letter b, GDPR).

1, letter b): Purpose of Data Processing

The purposes of processing your data are:

  • Fulfillment of contractual obligations and execution of the contract;
  • Compliance with accounting and tax obligations;
  • Fulfillment of all obligations arising from laws, regulations, and EU legislation, including the obligation provided for by Article 109 of Royal Decree no. 773 of 18 June 1931, which requires registering and communicating the personal details of hosted guests to the local police authority (Questura).

The legal basis for the processing is therefore the performance of a contract or compliance with legal and regulatory obligations (Art. 6, para. 1, letters b) and c) of the GDPR).
You may always request the Controller to clarify the specific legal basis applicable to each processing activity.

4) Data Location and Scope of Disclosure

Data is processed and stored at the Controller’s registered office by authorized personnel or by individuals in charge of occasional maintenance operations.
Personal data is stored on servers located within the European Union.

Your data may be disclosed, strictly for the purposes described above, to the Controller’s employees, third-party companies, and professionals (e.g., professional firms, software providers, banks) acting on behalf of the Controller as Data Processors.
Furthermore, your personal data may be disclosed to judicial authorities, insurance companies for insurance services, and any other parties to whom disclosure is required by law.

Your data will not be publicly disclosed.
The entities in the above categories act as Data Processors or operate independently as separate Controllers.
You may request an updated list of Data Processors from the Controller using the contact details provided at the beginning of this policy.

5) Nature of Data Provision and Consequences of Refusal

Providing data for the purposes set out in points 1, letters a) and b) is essential to access the requested services. Therefore, refusal to provide such data will make it impossible for the Controller to provide those services.

6) Data Retention Period

Data is processed and retained for the time required to fulfill the purposes for which it was collected.

Specifically:

  • Personal data collected for purposes related to the execution of a contract or pre-contractual measures will be retained until the contract has been fully executed and, in any case, in compliance with applicable law.
  • Personal data collected for the performance of services offered by the Controller will be retained for 10 years from the date of collection (standard limitation period).

The Controller may be required to retain personal data for a longer period to comply with legal obligations or by order of an authority.
Once the retention period has expired, personal data will be deleted. Therefore, after this deadline, the rights to access, erasure, rectification, and data portability can no longer be exercised.

7) User Rights

Users may exercise specific rights concerning the data processed by the Controller.
In particular, under the GDPR and applicable laws, users have the right to:

  • Withdraw consent at any time;
  • Object to the processing of their data;
  • Access their personal data;
  • Verify and request rectification;
  • Request restriction of processing;
  • Request erasure or removal of their personal data;
  • Receive their data or have it transferred to another Controller;
  • Lodge a complaint with the Supervisory Authority (Italian Data Protection Authority – Garante Privacy).

8) How to Exercise Your Rights

To exercise these rights, users may send a request by email to the Controller at: info@cinciano.it

9) Information Not Contained in This Policy

Further information regarding the processing of personal data may be requested at any time from the Data Controller using the contact details provided.

Last updated: March 8, 2024
Data Controller:
Fattoria di Cinciano S.r.l. Soc. Agr.