Villa Meleto Privacy Policy

Donna Gilda a Villa Meleto Società Agricola s.r.l., with registered office at Via di Meleto 19, 50051 Castelfiorentino, Florence, VAT No. 07055290485 (hereinafter, the "Data Controller"), as the data controller, hereby informs you, pursuant to Article 13 of Legislative Decree No. 196 of June 30, 2003 (hereinafter, the "Privacy Code") and Article 13 of EU Regulation No. 2016/679 (hereinafter, the "GDPR"), that your data will be processed in the following ways and for the following purposes:

1. Purpose of Processing

The Data Controller processes the personal and identifying data (e.g., name, surname, company name, address, telephone number, email address, bank and payment details; hereinafter, "personal data" or "data") provided by you when entering into contracts for the Data Controller's services.

2. Purposes of Processing

Your personal data is processed:

Without your express consent (Article 24, letters a), b), and c) of the Privacy Code and Article 6, letters b), and e) of the GDPR), for the following Service Purposes:

• to conclude contracts for the Data Controller's services;

• to fulfill pre-contractual, contractual, and tax obligations arising from existing relationships with you;

• to fulfill obligations established by law, regulation, EU legislation, or an order from the Authority;

• to exercise the Data Controller's rights;

The Data Controller provides a service platform to its Partners, the purpose of which is to facilitate interaction between visitors and the manager and/or owner of a location and/or commercial activity.

A non-exhaustive list, provided by way of example, is as follows:

• Booking services

• Filling out contact forms

• Entering comments and reviews

The Data Controller acts as an intermediary between the visitor and a third party designated by a Partner to receive data submitted by visitors through completed forms.

The Data Controller may retain data submitted by visitors for the sole purpose of providing the service requested by the visitor; such data will not be used for commercial, marketing, or profiling purposes by the Data Controller. The data may be stored on cloud platforms and external storage systems, always protected by security procedures to ensure compliance with GDPR directives.

However, the Data Controller cannot guarantee the correct use of data submitted by third parties for the provision of a service to the visitor.

A visitor wishing to use one of the services offered will be informed of any additional methods and purposes of data processing by a third party just before submitting the data.

These methods will be defined by the Partners during the service creation phase, using the means provided by the platform.

The visitor fully accepts all the purposes listed for using the services. Visitors using these services are aware that their data will be sent to third parties.

In the absence of procedures for the use of data by third parties to provide the service, the visitor has the right to ask the Data Controller for the destination and methods of sending the data.

The Data Controller is exempt from any liability regarding the incorrect use of data by third parties.

Only with your specific and separate consent (Articles 23 and 130 of the Privacy Code and Article 7 of the GDPR), for the following Marketing Purposes:

• Send you via email, post, and/or text message and/or telephone, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and surveys on the level of satisfaction with the quality of services;

• Send you via email, post, and/or text message and/or telephone commercial and/or promotional communications developed by the Data Controller's team.

Please note that if you are already our customer, we may send you commercial communications relating to the Data Controller's services and products similar to those you have already used, unless you object (Article 130, paragraph 4, Privacy Code).

3. Processing Methods

Your personal data is processed using the operations indicated in Article 4 of the Privacy Code and Article 4, paragraph 2, GDPR, specifically: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison. Your data will not be utilized.

6. Data Transfer

Personal data is stored on servers within the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to move the servers outside the EU. In this case, the Data Controller hereby ensures that the transfer of data outside the EU will take place in accordance with the applicable legal provisions,

subject to the stipulation of the standard contractual clauses provided by the European Commission.

7. Nature of the Data Provision and Consequences of Refusal to Respond

The provision, use, interconnection, blocking, communication, deletion, and destruction of data. Your personal data is subject to both paper-based and electronic and/or automated processing.

The Data Controller will process personal data for the time necessary to fulfill the aforementioned purposes and, in any case, for no longer than 10 years from the termination of the relationship for Service Purposes and for no longer than 2 years from the date of data collection for Marketing Purposes.

4. Access to Data

Your data may be made accessible for the purposes referred to in Articles 2.A) and 2.B): to the Data Controller's employees or collaborators responsible for verifying the security of the infrastructure, in their capacity as persons in charge and/or internal data processors and/or system administrators;

5. Disclosure of Data

Without the need for express consent (pursuant to Article 24, letters a), b), and d) of the Privacy Code and Article 6, letters b) and c) of the GDPR), the Data Controller may disclose your data for the purposes referred to in Article 2.A) to supervisory bodies, judicial authorities, insurance companies for the provision of insurance services, as well as to those parties to whom disclosure is required by law for the fulfillment of the aforementioned purposes. These parties will process the data in their capacity as independent data controllers.

Disclosure of data for the purposes referred to in Article 2.A) is mandatory. Without them, we cannot guarantee the Services.

The provision of data for the purposes referred to in Article 2.B) is optional. You can therefore decide not to provide any data or to subsequently object to the processing of data already provided. In this case, you will not be able to receive newsletters, commercial communications, and advertising material relating to the Services offered by the Data Controller. You will, however, continue to be entitled to the Services referred to in Article 2.A).

8. Rights of the Data Subject

As a data subject, you have the rights set forth in Article 7 of the Privacy Code and Article 15 of the GDPR, specifically the right to:

• Obtain confirmation of the existence or otherwise of personal data concerning you, even if not yet recorded, and communication of such data in an intelligible form;

• Obtain information on: a) the source of the personal data; b) the purposes and methods of the processing; c) the logic applied in the event of processing carried out with the aid of electronic means; d) the identification details of the data controller, data processors, and the designated representative pursuant to Article 5, paragraph 2 of the Privacy Code and Article 3, paragraph 1, of the GDPR; e) the persons or categories of persons to whom the personal data may be communicated or who may become aware of it in their capacity as designated representative in the territory of the State, data processors, or persons in charge of processing;

• Obtain: a) the updating, rectification, or, where applicable, integration of the data; b) the deletion, anonymization, or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which it was collected or subsequently processed; c) certification that the operations referred to in letters a) and b) have been notified, including their content, to those to whom the data was communicated or disseminated, except where such disclosure proves impossible or involves a manifestly disproportionate effort compared with the right being protected;

• Object, in whole or in part: a) for legitimate reasons, to the processing of your personal data, even if pertinent to the purpose of its collection; b) to the processing of your personal data for the purposes of sending advertising or direct sales materials or for conducting market research or commercial communications, through the use of automated calling systems without human intervention, by email, and/or through traditional marketing methods such as telephone and/or postal mail. Please note that the data subject's right to object, set out in point b) above, for direct marketing purposes via automated means extends to traditional means, and that the data subject remains free to exercise the right to object even partially. Therefore, the data subject may decide to receive communications only via traditional means, only automated communications, or neither type of communication.

Where applicable, the data subject also has the rights set forth in Articles 16-21 of the GDPR (Rights of the Data Subject).

Where applicable, you also have the rights set forth in Articles 16-21 of the GDPR (right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Supervisory Authority.

9. How to exercise your rights

You may exercise your rights at any time by sending:

• A registered letter with return receipt to Donna Gilda a Meleto Società Agricola s.r.l., with registered office at Via di Meleto 19, Castelfiorentino 50051 (FI)

• An email to admin@villameleto.com

• A certified email to donnagildameleto@legalmail.it

10. Data Controller, Data Processor, and Persons in Charge

The Data Controller is Donna Gilda a Meleto Società Agricola s.r.l., with registered office at Via di Meleto 19, Castelfiorentino 50051 (FI).

The updated list of data processors and data controllers is kept at the Data Controller's registered office.

________________________________________

Cookies

What are cookies?

A "cookie" is a small text file created on the user's computer when they access a particular website. Its purpose is to store and transport information. Cookies are sent from a web server (the computer running the website being visited) to the user's browser (Internet Explorer, Mozilla Firefox, Google Chrome, etc.) and stored on the user's computer. They are then sent back to the website on subsequent visits.

While browsing, the user may also receive cookies from other websites (so-called "third-party" cookies) on their terminal. These cookies are set directly by the operators of those websites and used for the purposes and according to the methods defined by them.

The Site uses:

• Session cookies, whose use is not instrumental in collecting the User's personal identification data, being limited to the sole transmission of session identification data in the form of numbers automatically generated by the server. Session cookies They are not stored permanently on the User's device and are automatically deleted when the browser is closed.

• Third-party cookies for sharing on some of the major social networks (for example, Facebook, Twitter, Google+, WhatsApp, YouTube, LinkedIn, AI, and similar). Each time the User decides to interact with the plug-ins or accesses the Site after logging in through their Facebook or Twitter account, some personal information may be acquired by the operators of the social network platforms (for example, the User's visit to the Site).

Rights of the interested party

The interested party may exercise at any time, by sending an email to asset(at)norcia.net, the rights set forth in Article 7 of Legislative Decree No. 196 of June 30, 2003, which is reproduced verbatim below.

Art. 7 Legislative Decree 196/2003

1. The interested party has the right to obtain confirmation of the existence or otherwise of personal data concerning him or her, regardless of their being already recorded, and communication of such data in an intelligible form.

2. The interested party has the right to obtain information on:

• a) the source of the personal data;

• b) the purposes and methods of the processing;

• c) the logic applied in the event of processing carried out with the aid of electronic means;

• d) the identification details of the data controller, data processors, and the designated representative pursuant to Article 5, paragraph 2;

• e) the persons or categories of persons to whom the personal data may be communicated or who may become aware of it in their capacity as designated representative in the territory of the State, data processors, or persons in charge of processing.

3. The interested party has the right to obtain:

• a) the updating, rectification, or, where interested therein, integration of the data;

• b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;

• c) certification that the operations referred to in letters a) and b) have been notified, including their content, to those to whom the data was communicated or disseminated, except where such disclosure proves impossible or involves a manifestly disproportionate effort compared with the right being protected.

4. The data subject has the right to object, in whole or in part:

• a) for legitimate reasons, to the processing of personal data concerning him or her, even if pertinent to the purpose of collection;

• b) to the processing of personal data concerning him or her for the purpose of sending advertising or direct selling materials or for conducting market research or commercial communications.

Third-party cookies

The data controller does not have access to the data collected and processed independently by the operators of social media platforms. For more information on the logic and methods of processing data collected by social media platforms, users are encouraged to read the privacy notices provided by the providers of the services in question.

Main Social Networks

• Facebook http://www.facebook.com/policy.php

• Twitter http://twitter.com/privacy

• WhatsApp https://www.whatsapp.com/legal/

• Google+ and YouTube https://www.google.it/intl/it/policies/privacy/

Google Analytics

The Site uses Google Analytics. This is a web analytics service provided by Google Inc. ("Google") that uses cookies stored on the user's computer to enable aggregate statistical analysis of the use of the website visited.

The data generated by Google Analytics is stored by Google as indicated in the Privacy Policy available at the following link: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

To view the privacy policy of Google Inc., the independent data controller for the Google Analytics service, please visit the website http://www.google.com/intl/en/analytics/privacyoverview.html

Browser Data Management

Data Provision

With the exception of technical cookies strictly necessary for normal browsing, the provision of data is left to the discretion of the data subject who decides to browse the site after reading the brief information contained in the relevant banner and/or to use services that require the installation of cookies.

The data subject can prevent the installation of cookies through the appropriate functions available on their browser.

Disabling Cookies

Without prejudice to the above regarding cookies strictly necessary for browsing, the user can delete other cookies through the functionality provided by the website via this policy or directly through their browser.

Each browser has different procedures for managing settings. The user can obtain specific instructions through the links below or through the guide for their specific browser.

• Microsoft Windows Explorer: https://privacy.microsoft.com/it-it/windows-10-microsoft-edge-and-privacy

• Google Chrome: https://support.google.com/chrome/answer/95647?hl=it&p=cpn_cookies

• Mozilla Firefox: https://support.mozilla.org/it/kb/Attivare%20e%20disattivare%20i%20cookie?redirectlocale=en-US&redirectslug=Enabling+and+disabling+cookies

• Apple Safari: https://support.apple.com/kb/PH17191?viewlocale=it_IT&locale=it_IT

Having read the information above and available on the website https://www.villameleto.com/privacy-policy , I authorize the processing of my personal data in accordance with this policy.