Privacy Policy

Last updated: February 1, 2024.

Your privacy is of the utmost importance to Monteverdi Residence Club LLC and MONTEVERDI S.R.L. In order to protect it to the best of our ability, we hereby provide the following policy regarding our use of the personal data you provide. Below, you will find details on the type of information collected during browsing on this website, and your options for intervening in the collection and use of this information are listed.

This policy is disclosed pursuant to articles 13 and 14 of Regulation (EU) 679/2016, known for short as the GDPR, and subsequent updates. This policy is also based on Recommendation No. 2/2001, which the European personal data protection authorities — in the working party established pursuant to Article 29 of Directive No. 95/46/EC — adopted on 17 May 2001 with the aim of identifying some minimum requirements for the online collection of personal data, in particular the methods, times, and nature of the information that data controllers must provide to users who connect to websites, regardless of the purposes of such connections.

COMPANY PRIVACY POLICY ON THE PROCESSING OF PERSONAL DATA PURSUANT

TO ARTICLES 12 ET SEQ. OF REGULATION (EU) 2016/679 (GDPR)

1. Subject Policy regarding the processing of personal data for Monteverdi S.R.L., pursuant to articles 12 et seq. of Regulation (EU) 2016/679.

2. Preamble Regulation (EU) 2016/679 (the “General Data Protection Regulation”, or GDPR) concerns the protection of the personal data of natural persons with regard to processing. According to this legislation, the processing of personal data concerning an individual, defined specifically as the “data subject”, must take place in accordance with the principles of lawfulness, fairness and transparency, as well as protecting the data s privacy and rights to know about the processing carried out on his/her personal data. The purpose of this disclosure is to inform you, in accordance with the aforementioned legislation, that our organization is in possession of certain data concerning you which were acquired as part of your customer relationship with our facility. These data may also have been acquired orally, either directly or through third parties who carry out data-processing operations, or through third parties to whom we provide this information in order to satisfy a request from you.

Pursuant to the GDPR, these data concerning you are classified as “personal data” and therefore enjoy the protection provided by the provisions contained therein. In accordance with article 12 et seq. of the GDPR our facility, in its capacity as Data Controller, shall process the personal data provided by you in compliance with this legislation, with the greatest of care, while implementing actions and organizational principles adequate to guarantee protection during the processing of your personal data. To this end, those responsible for processing undertake to protect the information provided, using specific procedures suggested by the law for the protection of the data collected, in order to: 1) Prevent unauthorized access or disclosure; 2) Ensure the accuracy of the data being processed; 3) Guarantee that the use of the data is limited to the specific purposes described.

3. Definitions 1) personal data: any information concerning a natural person, legal person, body or association, whether identified or identifiable, including indirectly, by reference to any other piece of information, including a personal identification number, a name, location data or an online identifier, or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity; 2) processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 3) data subject: the natural person who is the subject of the personal data; 4) data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 5) data processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; 6) third party: the natural or legal person, public authority, agency or body other than the Data Subject, Data Controller, Data Processor and persons who, under the direct authority of the Data Controller or Processor, are authorized to process personal data; 7) consent of the Data Subject: any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; 8) supervisory authority: the independent public authority which is established by a Member State pursuant to Article 51;

In view of the foregoing preamble, the following information is hereby provided:

4. Personal data collected The Data Controller uses your personal data to ensure the efficient provision of its services. You may be required to provide the following data, or they may be collected, potentially only in part:

  1. a) identifying data, VAT number, tax code, company name, registered offices, residence, domicile, and telephone or email contact details;
  2. b) data regarding the contractual relationship, describing the type of contract for the use of tourism booking services as well as information related to its execution which is necessary for the fulfillment of the contract itself;
  1. c) financial data regarding the economic relationship, the amounts owed and any payments, their periodic trends, and a summary of the financial status of the relationship;
  1. d) data to make the relationship with our facility more defined, and our collaboration and operations more efficient;
  2. e) personal data and “special” categories of personal data (concerning health), pursuant to art. 4 and 9 of the Regulation, which are necessary to provide the Wellness

Spa Center treatment services in accordance with the law;

  1. f) data collected by the video-surveillance system, exclusively in appropriately signposted areas and solely for the purposes permitted by law.
  2. Data storage periods The data collected shall be stored for the duration of the relationship with our organization, and for 10 years following the date on which it ends.

In cases where, because of a contractual relationship, data are processed which are not relevant to the administrative and tax-related obligations associated with that relationship, those data shall be stored exclusively for the time necessary to achieve the purposes for which they were collected, before being erased. You will be informed of the storage periods for such data when you are asked for your consent. With regard to the processing of data for video-surveillance purposes, the images captured shall be recorded and stored for 7 days, with exceptions in the case of national holidays, office closures or specific requests from the judicial authorities or the police, in accordance with the provision of 8 April 2010. At the end of this storage period, the images recorded shall be deleted from their respective electronic, IT or magnetic devices.

  1. Obligatory or optional provision of data It is obligatory to provide the Data Controller with the data which are essential for the provision of services and the data which are necessary to comply with obligations imposed by laws, regulations and European Community legislation, including the orders issued by Authorities legally authorized to do so and by supervisory and control bodies. Your provision of data which are non-essential for the performance of the service - if such are required by the Data Controller - is optional. You may choose to provide them by means of a suitable disclosure with a request for consent issued by us. However, if you decline to provide such data, this may make our facility less efficient in its provision of our services or make it completely or partially impossible to provide them.
  1. Processing methods Pursuant to article 12 et seq. of the GDPR, we wish to inform you that the personal data provided by you shall be recorded, processed and stored in our paper-based and electronic archives, as well as by the third parties with whom we collaborate, in accordance with the technical and organizational measures suggested by the GDPR. The processing of your personal data may consist of any operation or set of operations indicated in art. 4, para. 1, point 2 of the GDPR, specifically: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This processing shall take place using tools and procedures which are suitable to guarantee the security and confidentiality of the data, and may be carried out, either directly and/or through delegated third parties, both manually — on paper — and with the support of IT or electronic tools. For the purposes of the proper management of the relationship and the fulfillment of legal obligations, the data may be included in the Data Controller’s own internal documentation and, if necessary, in the records and registers required under the law.
  1. Purposes of processing The main purpose for the processing of your personal data is to allow the correct establishment and/or development of the relationship described in the preamble, as well as the proper management thereof. Specifically, the purposes of processing shall be the following:
  1. a) Administrative and tax-related purposes, particularly:

- Compliance with tax and accounting obligations;

- The legal obligations to which the data controller is subject: for compliance with laws and/or the rulings of public bodies which require MONTEVERDI S.R.L. to collect and/or further process certain types of personal data

- Client management (client administration; administration of contracts, orders, shipments and invoices; solvency and reliability checks);

- Dispute management (breaches of contract; warning notices; transactions; credit recovery; arbitration; litigation);

- Internal control services (of safety, productivity, service quality, integrity of assets);

  1. b) The management of commercial Marketing activities (market analysis and surveys), subject to acquisition of the user’s consent, such as:

- Promotional activities via emails, banners, SMS, phone calls, instant messaging or through social media;

- Checking customer satisfaction levels;

  1. c) Purposes related to availing of treatments from the Wellness Centre SPA, subject to acquisition of the user’s specific consent for the processing of “special” personal data connected to the provision of the services themselves.

The personal data shall be processed to fulfill legal obligations, to comply with administrative, insurance-related and tax-related obligations imposed by the applicable legislation, and also to satisfy accounting and commercial purposes, as well as to enable proper compliance with the legal and contractual obligations arising out of the legal relationship with the Data Subject. We remind you that, in any case, the Data Subject is free to deny consent for processing for commercial purposes, as well as to indicate the channels through which he/she wishes to be contacted or receive the aforementioned processing.

  1. Existence of automated decision-making MONTEVERDI S.R.L. does not carry out automated processing on personal data (profiling).
  2. Legal basis for processing Pursuant to art. 6 of the aforementioned regulation, the processing of personal data is lawful on the grounds that the Data Subject has

expressed consent for the processing of his/her personal data for one or more specific purposes. It is specified that the processing of personal data shall also be lawful, even in the absence of the Data Subject’s consent, when it is necessary for:

  1. a) the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  2. b) compliance with a legal obligation to which the Data Controller is subject;
  3. c) protecting the vital interests of the Data Subject or of another natural person;
  4. d) the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
  5. e) the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the data subject is a minor;

Moreover, the express consent of the Data Subject is not necessary in the event that processing is carried out on data obtained from public records, lists, deeds or documents that anybody can access, without prejudice to the limits and methods permitted by the applicable laws.

  1. Activities which may be outsourced to third parties The Data Controller, in the performance of its activities aimed at the provision of Wellness Centre SPA services.

Under these circumstances, the third-party operators delegated by the Data Controller may carry out their activities using the data provided by the Data Controller itself.

The categories of recipients to whom these data may be provided are:

  1. Public Administrations, for the performance of their institutional responsibilities, within the limits set out by the laws or regulations;
  2. Third Parties and service providers (all of whom shall be located within the European Union or in Italy) to whom such disclosure is necessary for the performance of the services in question. The categories (in terms of activities performed, sector, industry) of the third parties who may be recipients of the data are as follows (the Data Controller has chosen to list the categories instead of the individual names of suppliers and sub-suppliers, as the latter approach would make the sheer quantity of information excessive):

- Natural and/or legal persons acting as collaborators and/or consultants to carry out the work linked with the activity;

- Persons, companies or professional agencies which provide assistance, consultancy or collaboration to the Data Controller in accounting, administrative, legal, tax-related and financial matters related to the Contract;

- Suppliers in the ICT services field for installation, assistance with and maintenance of IT and computerized systems and equipment, and all functionally connected services which are necessary to provide the services covered by the Contract;

- Third parties external to the Company, when such disclosure is obligatory under the law or in order for the Data Controller to properly fulfill contractual, pre-contractual or post-contractual provisions (e.g. credit institutions for matters regarding the compliance of receipts and payments).

- Suppliers of security, monitoring and video-surveillance services, for the purposes of protecting the safety and integrity of assets;

- Suppliers of dedicated services for the Wellness Centre SPA;

- Suppliers of dedicated services for marketing and commercial communication purposes;

  1. The Company’s parent, subsidiary or affiliated companies, pursuant to article 2359 of the Italian Civil Code, or companies subject to common control.

The third parties described above shall be provided exclusively with the information necessary to provide the services for which they have been commissioned, and they shall be subject to a confidentiality obligation forbidding the use of the data provided for any purpose other than that agreed upon.

The third-party operators shall be Data Processors of the personal data in their own right (pursuant to art. 28 of the GDPR) and shall process the data within the limits strictly necessary for that purpose, independently ensuring that their employees have signed a confidentiality agreement. To request data which do not fall within the processing described above, these parties must in turn provide you with a specific disclosure regarding the processing of personal data which they carry out, along with request for consent.

  1. Dissemination The Data Controller shall not widely disseminate your data, i.e. it shall not allow unknown parties to have knowledge of them by consultation or otherwise making them available.
  2. Transfer of personal data overseas The data provided by you shall be processed in Italy. If, over the course of a contractual relationship, it is necessary for your data to be processed in a State which does not belong to the EU, they shall exclusively be transferred to States considered by the European Commission to be adequate for the transmission of personal data (art. 45 of the GDPR). In such cases, as set out by the aforementioned regulation, the transfer shall not require any specific authorization. Currently, the non-EU States considered adequate on the basis of decisions by the European Commission are: Andorra, Argentina, Australia, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, and the USA. Additional countries which may come to be considered adequate can be checked at the following link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en). Transfer is also permitted in the event that the Data Controller has entered into Standard Contractual Clauses (SCC) with the overseas recipients for the transfer of personal data to non-EU countries, entitling the Data Controller to impose upon the recipient, by means of the contract, the obligation to process the data in compliance with the contents of Regulation EU 697/2016 (GDPR).
  3. Circulation of your data The following categories of subjects, who have been nominated as data processors or processing officers by the Data Controller, may process your data:
  4. a) Employees or collaborators, generally engaged in: - Secretarial/office duties; - Maintenance and assistance for the services and/or products provided to you; - Accounting and billing; - Marketing of services and/or products; - The marketing office;
  5. b) Directors and administrators; The personal data may also be processed by subjects who have a contractual relationship with the Data Controller, as indicated in the paragraph “Activities which may be outsourced to third parties”. The Data Controller may delegate to such parties the fulfillment of certain compliance requirements or the performance of certain activities required to carry out the relationship with the Data Subject.
  6. Data Subjects’ Rights According to art. 15 of the GDPR, you have the right to confirmation of whether or not personal data about you are being processed, even if not yet recorded. These rights may be exercised subject to the ascertainment of the identity of the Data Subject by displaying an identity document, which will not be retained by the Data Controller but merely checked in order to verify the legitimacy of the request.
  7. a) The Data Subject has the right to access his/her personal data and to the following information (art. 15): - the purposes of the processing; - the categories of personal data concerned; - the third-party recipients or categories of third-party recipient to whom the personal data have been or will be disclosed, specifying if these are recipients in foreign countries; - where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; - where the personal data have not been collected from the data subject, any available information as to their source; - the existence or otherwise of automated decision-making, including profiling; - where data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to article 46 of the GDPR;

You also have the right to request that the Data Controller carry out the following operations on your personal data:

  1. b) The erasure, or partial erasure, of the data (art.17);
  2. c) The restriction of processing, rectification of data and objection to processing (art.18);
  3. d) Data portability, including the right to transmit your data to another controller without hindrance (art. 20);
  4. e) The communication of the erasure, restriction or rectification of your personal data to all recipients to whom they have been disclosed, unless this proves impossible or involves disproportionate effort (art.19);
  5. f) Lodgement of a complaint with the competent “Data Protection Authority”.
  6. Identity of the Data Controller and, if designated, of its Representative in State territory and of the Data Protection Officer.
  7. Data Controller The Data Controller is: MONTEVERDI S.R.L., with registered offices in Piazzetta Maurilio Bossi, 4, 20121, Milan (MI), Italy; Tel: 0578-268146; email address: privacy@monteverdituscany.com.
  8. Data Processors The role of Data Processors is performed by the external companies with which contractual relationships exist, and who need to receive your personal data in order to fulfil those agreements. To be informed of the Data Processors, if appointed, and to know of the persons who shall be appointed to that role in future, the Data Subject may request this information by sending an email to the Data Controller at the address given above. It should be understood that the Data Processors indicated above do not handle Data Subjects’ requests to exercise their rights pursuant to art. 15 et seq. of the GDPR. That activity is carried out exclusively by the undersigned, in its capacity as the Data Controller.

This policy refers to the website www.monteverdituscany.com, owned by Monteverdi Residence Club LLC, and does not concern any other websites visited by the user via links.

Navigation data

As part of their normal operation, the IT systems and software procedures which ensure the functioning of this website acquire certain personal data, whose transmission is implicit in the use of Internet communication protocols.

This information is not collected in order to be associated with identified data subjects. However, by its very nature, it could permit users to be identified through processing and association with data in the possession of third parties.

This category of data includes the IP addresses or domain names of computers used by users who connect to the website, addresses of the resources requested in URI (Uniform Resource Identifier) notation, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numeric code indicating the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment.

These data are used for the exclusive purpose of deriving anonymous statistical information about the use of the website and to check that it is operating correctly.

The data could be used to determine responsibility in the event that the website were damaged by a hypothetical computer crime, solely at the request of the relevant supervisory bodies.

Specific, brief notices shall be shown or displayed on a case-by-case basis on the pages of the website which are set up for special on-request services, such as subscription to the newsletter or the submission of job applications, for example.

This Privacy Policy describes our handling of the personal information which we (or our service suppliers) collect:

  • From you (sometimes referred to as the "user") through any one of our websites which are covered by this legal notice and this Privacy Policy (collectively, the "Website");
  • Through the social media pages which we control, through which you can access this Privacy Policy (the “social media pages”);
  • Through emails in HTML format which we send to you and which link to this Privacy Policy, and through your communications; and
  • When you visit or stay at our facility as a guest, or through other offline interactions with us if you are seeking information on a visit or stay at our facility.

Collectively, we refer to the Website and the social media pages as the "Online services" and, when including the offline channels, as the "Services". This Privacy Policy is incorporated into the Terms and Conditions for the use of the Monteverdi website as though it was included there in full. By using the Website, you accept and consent to the Terms and Conditions and to this Privacy Policy.

Information voluntarily provided by the user

When you interact with us through the Services, we may collect personal information from you as described below.

a. Information collected 

We collect the personal information which you knowingly choose to send in order to take advantage of certain functions of the online Services, or to participate in certain activities, such as the information which you knowingly provide when you contact us by using the "Contact Us" page of the Website. For example, if you are seeking information about a reservation on the Website, you may provide us with such information as your name, address, telephone number and email address. We collect the information which you knowingly provide if you respond to a survey, a competition, or a promotional offer. If you make a reservation by telephone, or communicate with us via email, fax or online chat services, we shall collect the personal information which you knowingly provide.

When a reservation is made on the Website, we collect information relevant to that reservation, including the travel itinerary, billing address, name, email address and telephone number. We also collect information on guests’ preferences, such as language preferences, interests, hobbies, food and drink choices, the dates of special occasions such as birthdays or anniversaries, and the services and amenities in which you are interested in the context of your stay at our facility. We shall collect information on your credit or debit card or other payment details through our payment processor, if this is necessary to take payment for your stay. If you send us personal information regarding other people, for example if you are making a reservation for another individual, you must declare to us that you have the authority to do so and that you authorize us to use such data in accordance with this Privacy Policy.

b. If you stay at our facility

If you are a guest at our facility, we shall collect information when you purchase goods and services there, for example if you eat in a restaurant or take advantage of childcare or Spa services. We may collect images and video and audio data through security cameras located in public areas, such as the halls. If you take part in an event, we may collect information regarding your participation in the event.

The Data Controller for the personal data is Monteverdi Residence Club LLC and the affiliated company Monteverdi s.r.l. Any other companies which may view the data have been nominated as Data Processors, as described in the Privacy document. The video-surveillance system has been installed for reasons of workplace safety and the protection of company assets. The images are stored for a maximum period of 24 hours, unless requested by the Judicial Authority. Data Subjects can request their data or the cancellation of the same at any time by writing to our Data Protection Officer (DPO) at the email address privacy@monteverdituscany.com

c. Information and choices collected passively

Moreover, while you are browsing the Website or using the social media pages, some personal information may be collected passively, i.e. it is collected without your having actively provided it. The types of information which are collected passively, as well as the techniques used to collect them and how we may use these types of information, are set out below.

- IP addresses: an IP address is a unique identifier which some electronic devices use for identification and communication on the Internet. When you visit our Website, we can see the IP address of the device you are using to connect to the Internet. We use this information to determine the general physical location of the device and to learn which geographic regions visitors to our website are coming from. We may also use this information to improve our website.

- Through your browser: some information is collected by most browsers, such as your Media Access Control (MAC) address, the type of computer and type of operating system, the screen resolution of that version, and the type and version of your Internet browser. Just like IP addresses, we can use this information to improve our website and the user experience.

- Use of monitoring tools: the Website may use pixel tags, web beacons, clear GIFs, Flash shared objects, HTML5 local storage, HTML5 mini databases and other similar technologies, both in certain aspects of the Website and in emails in HTML format sent to you. These monitoring tools are used, among other purposes, to generate statistics on the use of the Website and track the activities of Website users and of email recipients.

- Interaction with social media pages: if you interact with our social media pages, we may collect your social media ID, your profile photo and other publicly available data.

- Social media widgets: the Website includes certain social media features, such as Facebook, Instagram and Twitter widgets that you can use to access our social media pages. These functions may install a cookie or use other automatic collection and tracking technologies to collect information on you and on your use of social media functions through and in connection with our website. Interactions with the social media functions and widgets present on the Website are regulated by the privacy policies of the companies which provide them. If you use any of the social media functions or widgets on this Website, we strongly recommend that you check the privacy policies of the social media platforms, as well as the privacy policy of the company which provides the tools that allow sharing, which is called Oracle.

Oracle’s privacy policy is available here: https://www.oracle.com/legal/privacy/privacy-policy.html#12

- Cookies: see our cookie policy for a description of how cookies are used on the Website and your choices in relation to cookies. View Cookie Policy.

Processing methods and duration

Pursuant to article 12 et seq. of the GDPR, we wish to inform you that the personal data provided by you shall be recorded, processed and stored in our electronic archives, as well as by the third parties with whom we collaborate, using tools and procedures which are suitable to guarantee the security and confidentiality of the data.

Processing shall be carried out for a length of time no greater than needed to achieve the purposes for which the data were collected, after which they shall be erased. For specific purposes, such as those associated with the use of cookies, specific data storage periods are provided.

We use the personal information sent by the user or otherwise collected through the Services and other sources for the purposes described in this Privacy Policy, and as may additionally be described to the user when it is collected. 

Purposes of processing the personal information collected through this website

Monteverdi Residence Club LLC and the affiliated company Monteverdi s.r.l., as the controllers of the personal data related to this website, respect the principles of lawfulness, fairness and transparency, as well as the protection of confidentiality.

In general, we use the information that you provide to us for the purpose for which it was provided. For example, if you subscribe to receive email notifications regarding our resort, we will contact you via email. If you provide us with information to seek details about a reservation, we will use that information in order to process your reservation. Moreover, we may use the personal information from or concerning you:

  1. To facilitate reservations and payments; to send administrative information, confirmations or messages prior to your arrival; to assist you with events and to provide you with information regarding the property;
  2. To complete the reservation and the stay, including taking payment, facilitating your preferences, providing you with the services and conveniences requested, and supporting you with customer service;
  3. To manage our contractual relationship with you, including by sending you a receipt via email when you make a reservation and after your stay;
  4. To send you offers tailored to your preferences, send you marketing communications and periodic customer satisfaction, market research or quality assurance surveys, and to personalise your experience on the Website by sending commercial communications and/or advertising material regarding products or services offered by the Controller via email, mail and/or SMS and/or telephone calls and newsletters. Exclusively in the case that you grant your specific consent by electronic means — either by filling out the Newsletter form on this website, or by agreeing to receive occasional marketing communications when booking your stay at our facility. If you are already a client of ours, we may send you marketing communications regarding products and services offered by the Controller similar to those you have already purchased, unless you expressly inform the Controller of your objection to this type of processing.
  5. To send you important information on our relationship with you or on the Services, any changes to our terms, conditions and policies, and other administrative information; and
  6. For our corporate purposes, such as data analysis, audits, record-keeping, the development of new products or services, strengthening and improving our Services, identifying trends in the use of our Website, and exercising and defending our legal rights, as well as other purposes required by applicable legislation.

We may use any information which does not personally identify you, your computer or your device for any purpose.

Communication and disclosure of data 

The Data Controller shall not widely disseminate your data, i.e. it shall not allow unknown parties to have knowledge of them by consultation or otherwise making them available.

In the event that it may become necessary to communicate your personal data to third parties (to offer you an additional service, or to fulfil tax obligations or comply with a legal obligation), the company shall ensure that the third parties in question also act in accordance with the GDPR Regulation in handling the processing of your data.

You can receive the up-to-date list of external Data Processors by contacting us through the channels listed at the bottom of this policy.

We do not sell your personal information. We may share your personal information with third parties only as described within this Privacy Policy, or as otherwise described at the time when we collect the information from you, including as follows:

  1. Personal information may be shared by Monteverdi Residence Club LLC with its affiliate company which manages the resort in Italy, Monteverdi s.r.l., for the purposes described in this policy;
  2. With the companies or people that we employ to provide us with services, such as the processing of reservations for us and website hosting services;
  3. With a third party in the event of the reorganisation, merger, sale, joint venture, divestiture, transfer, or any other disposal of our business, our assets or our shares, in whole or in part (including in relation to a state of bankruptcy or similar proceedings).

Moreover, we use and disclose the Personal Information collected through the Website as we deem it necessary or appropriate: (i) based on applicable law, including laws outside of your country of residence; (ii) to comply with legal proceedings; (iii) to respond to requests from public and government authorities, including public and government authorities outside of your country of residence; (iv) to enforce our terms and conditions; (v) to protect our operations or those of any of our affiliate companies; (vi) to protect our rights, privacy, security or property and/or those of our affiliates, of users or of other parties; and (vii) to allow us to pursue the available remedies or limit the damages that we may incur.

Obligatory or optional provision of consent

By using and consulting the website, visitors and users approve this privacy policy and consent to the processing of their personal data in accordance with the methods and purposes described, including the communication thereof to third parties in the event that this is necessary to provide one of the services performed. 

It is only obligatory to provide those data which are necessary for the proper functioning of this website. In relation to the other purposes, the user has the power to deny consent. However, we must inform you that failure to grant consent may impair your browsing experience, making it impossible for us to provide certain services.

If you encounter any problems of a technical nature related to the provision of consent, we invite you to contact us through the special channels set out on this website in order to allow us to assist you.

Interest-based advertising

As described in Section 1.c of this Privacy Policy above, Monteverdi and our third-party commercial partners may collect information from you and from your device through a variety of technologies (such as cookies, device identifiers, pixel tags, web beacons and other analytical technologies), in order to:

  1. Track how you use the Website, how you arrived at the Website, and what you do after leaving the Website; and
  2. Show you advertisements pertinent to your interests, taking into account your use of the Website and of the other websites and online services that you use. Remember that these advertisements may be displayed to the user on the Website and on third-party applications and websites. This is called "interest-based advertising" or "online behavioral advertising". To learn more about interest-based advertising, you can visit:

www.networkadvertising.org/choices
https://www.datalogix.com/privacy 
www.aboutads.com 

If you wish to opt out of interest-based advertising, you can use some or all of the following methods:

  • Visit http://www.aboutads.info/choices (for advertising on the web) and http://www.aboutads.info/appchoices (for mobile advertising); and
  • For advertising on mobile devices, disable using the settings in your telephone’s operating system (for instructions on how to "Limit Ad Tracking" on iOS, visit this Apple support document; for instructions on how to disable interest-based ads on Android, please check these instructions).

The simplest way to interrupt the collection of your personal data is to stop using the website.

Connecting to third-party websites

The Online services may contain links to other Websites to make it convenient for users to find information, products or services that could be of interest. If you access a third-party Website from a link in the Online services, any information that you disclose on the former Website is not covered by this Privacy Policy. It is possible that these links may be used by third or other parties to collect personal or other information concerning you.

We are not responsible for the privacy-related practices of these Websites, advertisers or third parties, or for the content of such Websites, and it is your sole responsibility to check and understand the privacy policies and practices of these other Websites. We do not control the use of cookies by these third parties, or the way in which they collect or manage information. It is your own exclusive responsibility to check and understand the privacy policies and practices of these other Websites, advertisers and third parties.

Where the information is processed

Monteverdi Residence Club LLC has its offices in the United States, and our affiliate, Monteverdi s.r.l., has its offices in Italy. Regardless of where you are located, you consent to the processing and transfer of your personal data in the United States and in Italy. The laws which govern the protection of data in the United States may not be as complete or offer as much protection as the laws in the country where you live. The data are processed mainly at the offices of the Data Controller, and occasionally at the premises of the third parties with which it collaborates.

Monteverdi Residence Club LLC shall ensure that, in the cases where the need to provide certain services means that processing must be shared with third parties, the processing is carried out in accordance with European Regulation 679/2016 (GDPR). You can receive the up-to-date list of our external collaborators by contacting us through the channels listed at the bottom of this policy.

Security

Monteverdi shall adopt reasonable measures to protect the information collected and provided through the Services from loss, improper use, and unauthorised access, disclosure, alteration or destruction. However, you should bear in mind that no transmission over the Internet is ever completely secure. Moreover, Monteverdi makes all reasonable efforts to ensure that the Services are generally available. Nonetheless, there may be times when access to the Services is interrupted or unavailable. Monteverdi shall make every reasonable effort to reduce such interruptions to a minimum, where this is within its reasonable control. You hereby accept that Monteverdi shall have no responsibility towards you for any change, suspension or interruption to the Services.

Legal basis for the processing of personal information and the rights of data subjects

The laws of certain countries require us to give you information on the legal reasons on the basis of which we collect, use, disclose and otherwise process your personal information. To the extent that these laws apply, our legal bases for the processing of personal information are:

  1. To enter into and carry out a contract with you: we may process personal information in order to comply with our contractual obligations towards you, or to take steps in anticipation of entering into a contract. For example, we process your personal information in order to handle any reservations made using the Services.
  2. To fulfill a legal obligation: we need to use and disclose the personal information in certain ways in order to fulfill our legal obligations.
  3. For our legitimate interests, provided that your fundamental rights and freedoms do not override these interests: in many cases, we manage the personal information in order to advance our legitimate business. This includes:
    • Providing a safe user experience on our online Services;
    • Providing the requested Services;
    • Customer service;
    • Personalising the Services based on your preferences;
    • Sending you communications with the information that you have told us is important to you;
    • Protecting the users, our workers, and our property;
    • Analyzing and improving our operations (e.g. optimizing the design and functioning of our online Services); and
    • Managing legal issues.
  1. With your consent: where permitted by law, we process personal information on the basis of your implicit or express consent.

You, as the user browsing on this website, have the power to exercise the rights granted to you by articles 15 et seq. of the GDPR at any time. These rights may be exercised subject to the ascertainment of the identity of the Data Subject by displaying a copy of an identity document, which will not be retained by the Data Controller but merely checked in order to verify the legitimacy of the request.

  • The Data Subject has the right to access his/her personal data (art. 15);
  • The Data Subject has the right to the erasure of the data, even partially (art.17);
  • The Data Subject has the right to the restriction of processing, to the rectification of data, and to object to processing (art.18);
  • The Data Subject has the right to data portability, i.e. the right to transmit his/her data to another controller without hindrance (art. 20);
  • The Data Subject has the right to have the erasure, restriction or rectification of his/her personal data communicated to all recipients to whom they have been disclosed, unless this proves impossible or involves disproportionate effort (art.19);
  • The Data Subject has the right to lodge a complaint with the competent “Data Protection Authority”.

To exercise the rights listed above, you can contact our Data Protection Officer (DPO) at privacy@monteverdituscany.com , you will receive a response within 30 days of receiving a formal request.

Special statement on minors

No person below the age of 18 years may send information to this Website without the prior consent of his/her parents or guardians; nor may they make any purchases or enter into legal deeds on this website without the aforementioned consent, unless this is permitted by the legislation in force.

Data Controller and Privacy Contact Person

In certain countries, the laws on data protection require us to identify the data controller for your personal data. The "data controller" is the person or organization who, alone or jointly with others, determines the purposes for which and the manner in which personal information is or can be processed. This Privacy Policy is issued on behalf of Monteverdi Residence Club LLC, with registered offices at 201 East Fifth Street, 1730 PNC Center, Cincinnati, OH 45202, and Monteverdi srl, with registered offices at Piazzetta Maurilio Bossi n. 4, Milan – Italy, each of them in their capacity as controllers of your Personal Data pursuant to the applicable data protection laws.

The company MONTEVERDI S.R.L. with registered offices in Piazzetta Maurilio Bossi, 4, 20121, Milan (MI), Italy, VAT No. IT05024150962 (hereinafter the “Controller”), as the Data Controller, hereby informs you — pursuant to art. 13 of Regulation (EU) No. 2016/679 (hereinafter the “GDPR”) — that the data you provide shall be processed through the methods and for the purposes described below:

  1. DATA SUBJECT TO PROCESSING:

1.1 The data subject to processing shall be the personal, identifying data (for example: name, surname, company name, address, telephone number, email address, bank and payment details) — hereinafter referred to as “personal data” or simply “data” — communicated by you to the Data Controller at the time of entering into a purchasing agreement with the latter.

  1. PURPOSES OF PROCESSING:

2.1 Pursuant to art. 6 of Reg. (EU) 2016/679, your data will be processed exclusively for the following purposes:

  • To carry out the agreement for the provision of tourist booking services, as requested by you from the Data Controller;
  • To fulfil the pre-contractual, contractual and fiscal obligations deriving from the relationship with you;
  • To fulfil the obligations required by the law, by a regulation, by European Community legislation or by an order of the Authority (for example regarding money laundering);
  • To exercise the rights of the Controller, for example the right of defence in court.

2.2. Exclusively in the case that you grant your specific consent by electronic means — either by filling out the Newsletter form on this website, or by agreeing to receive occasional marketing communications when booking your stay at our facility — the data provided by you may also be processed for the following purposes:

  • Sending marketing communications and/or advertising material regarding products or services offered by the Controller via email, mail and/or SMS and/or telephone calls and newsletters;

2.3 We advise you that if you are already a client of ours, we may send you marketing communications regarding products and services offered by the Controller similar to those you have already purchased, unless you expressly inform the Controller of your objection to this type of processing.

  1. PROCESSING METHODS AND DATA STORAGE PERIODS

3.1 The processing of your personal data is carried out by means of the operations indicated in art. 4 of the Italian Privacy Code and art. 4 point 2) of the GDPR; specifically: collection, recording, organisation, storage, consultation, processing, alteration, selection, extraction, alignment, use, combination, blocking, communication, erasure and destruction of the data. Your personal data shall be subject to both paper-based and electronic and/or automated processing.

3.2 The Controller shall process your personal data for the length of time necessary to achieve the purposes described in art. 2) and, in any case, for no longer than 10 years from the end of the contractual relationship, including the personal data acquired for marketing purposes. At the end of this period of time, the data shall be erased or rendered anonymous.

  1. ACCESS TO THE DATA

For the purposes listed in art. 2.1 and 2.2, your data may be made accessible:

  • To the employees and collaborators of the Controller in their capacity as processing officers and/or internal processors and/or system administrators;
  • To third parties or other subjects (merely by way of example: professional offices, consultants, etc.) which perform activities on behalf of the Controller on an outsourcing basis, in their capacity as external processors.
  1. COMMUNICATION OF THE DATA

5.1 For the purposes described in art. 2.1, your data may be communicated to Supervisory Bodies and Judicial Authorities, as well as to those parties to whom such communication is obligatory under the law, for the pursuit of the aforementioned purposes. These subjects will process the data in their capacity as independent Data Controllers.

5.2 Your data shall not be broadly disseminated.

  1. TRANSFER OF DATA

Your personal data shall be stored on servers located within the European Union. However, it remains understood that the Controller will also have the right to move the servers outside the EU, should it become necessary. In that case, the Controller guarantees, as of now, that the transfer of the data outside the EU will take place in accordance with the applicable legal provisions, subject to the stipulation of the standard contractual clauses required by the European Commission.

  1. NATURE OF THE PROVISION OF DATA AND CONSEQUENCES OF REFUSAL

7.1 The provision of data for the purposes listed in art. 2.1 is mandatory. If the data are not provided, we cannot guarantee the fulfilment of the purchasing agreement.

7.2 The provision of data for the purposes listed in art. 2.2, instead, is optional. You can therefore decide not to provide any data, or deny consent for the processing of any data already provided at a later point: in that case, you will not receive newsletters, marketing communications and advertising material pertaining to the products offered by the Controller.

  1. RIGHTS OF THE DATA SUBJECT

8.1 In your capacity as data subject, you have the rights described in art. 15 of the GDPR.

8.2 Where applicable, you also have the rights provided for in articles 16-21 of the GDPR (the right to rectification, the right to be forgotten, the right to the restriction of processing, the right to data portability, the right to object), as well as the right to file a complaint with the Data Protection Authority.

  1. HOW TO EXERCISE YOUR RIGHTS

You may exercise the rights described in point 8 above at any time, by:

Sending an email to privacy@monteverdituscany.com.

  1. DATA CONTROLLER AND CONTACT DETAILS

The Data Controller is the company MONTEVERDI S.R.L. with registered offices in Piazzetta Maurilio Bossi, 4, 20121, Milan (MI), Italy, VAT No. IT05024150962. The up-to-date list of processors and those responsible for data processing is kept at the registered offices of the Data Controller.

Our right to modify the Privacy Policy

Monteverdi reserves the right to modify, alter or update this Privacy Policy at any time. Any modifications that we may make to our Privacy Policy in the future shall be published on this page and, if appropriate, communicated to the user via email.

Use of the Services following any modifications means that you accept the requirement to follow and be bound by the Privacy Policy as it has been modified, subject to the limits put in place by the applicable legislation. If you do not agree with these modifications, you must stop using our Services.

Any modification to this Privacy Policy shall be effective for any user who has used the Services before the modification was made, without prejudice to any additional requirements set out by the applicable legislation. We invite you to check this policy regularly, and particularly before providing us with any personal information. The Privacy Policy was most recently update on the date indicated above.

Any updates shall always be published on this page.

Contact us

Please do not hesitate to email privacy@monteverdituscany.com if you have any questions or concerns regarding the Privacy Policy or on our reporting practices. 

United States 
Address: 201 East Fifth Street, 1730 PNC Center, Cincinnati, OH 45202
Telephone: +1.513.579.2684

Italy
Address: Via di Mezzo, Castiglioncello del Trinoro, 53047 Sarteano (SI)
Telephone: +39 0578268146 

For bookings email travel@monteverdituscany.com