Privacy for Palazzo Bandino

This website collects some Personal Data of its Users.

Summary of the Privacy Policy – Personal Data processed using the following services:

Contacting the User
Contact form/newsletter on the website
Personal Data: last name; first name; email; phone number

Booking engine

Personal Data: Last name; first name; email; phone number; credit card (payment gateway is Stripe)

Platform and Hosting Services
Personal Data: Data communicated during the use of the service

Google Analytics 4
Google Ireland
Personal Data: Usage Data


We respect your privacy in accordance with Regulation (EU) 2016/679 (of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

Our aim is to protect and safeguard your personal data when you interact with our website.

If you do not agree with this Privacy Policy (including our specific Cookie Policy), we kindly ask you to discontinue the use of the site.


Data Controller is the natural person, public authority, agency, company, or other body which determines the purposes and means of the processing of personal data (Article 4, paragraph 1, point 7 of EU Regulation 2016/679). Data Processor is a natural or legal person who processes personal data on behalf of the Data Controller (Article 4, paragraph 1, point 8 of EU Regulation 2016/679).

Data Controller:
Palazzo Bandino Società Semplice Agricola di Valeriani Marta & C.
Via delle Stiglianesi, 3
Chianciano Terme (SI)
Tel: +39 0578 61199
VAT code: 01515960522

Data Processor:
Via Custoza, 13
56040 Monteverdi Marittimo (PI)
P.IVA: 01871320493


Personal Data: These are pieces of information that identify or make an individual identifiable, directly or indirectly, and that may provide information about their characteristics, habits, lifestyle, personal relationships, health status, economic situation, etc.

We do not collect your personal data during anonymous browsing on the site. We collect your data (provided voluntarily) to provide you with services.

(A) For the provision of our online booking service, we collect the following information:

  • First and last name
  • Email address
  • Mobile phone number
  • Credit card information

(B) If you submit a request for information, a quote, or a request of any other nature via our contact form, the following information is collected to provide you with feedback:

  • First and last name
  • Email address and/or mobile phone number
  • Any voluntarily disclosed information (by you in the free text sections) that may contain special data such as disabilities, need for help, etc.

(C) For the provision of our online shop service through QUOVAI S.r.l. software, we collect the following information:

  • First and last name
  • Email address
  • Mobile phone number
  • Credit card information

QUOVAI S.r.l. does not collect or process personal data qualified as “special data” (such as, merely by way of example, data suitable for revealing racial or ethnic origin, religious, philosophical, or other beliefs, political opinions, membership of associations or organizations of a religious, philosophical, or union nature, as well as personal data suitable for revealing health status or data relating to criminal convictions and offenses), unless you have given your explicit consent, which may be the case when submitting a request for information (case (B)).

For operational and maintenance needs, this site may collect system logs, which record interactions and may also contain personal data, such as IP address.

The data provided by you through the portal will be processed for the following purposes (among others): responding to information requests and managing support requests; performing sales or booking services; sending information about future events; managing payments; keeping statistics to measure the performance of the portal in aggregated and anonymous form (in no way allowing the identification of the individual).

The details of your credit card (name and surname, card number, and expiration date) are collected through the Stripe payment gateway and are stored in encrypted form until the service is provided.


We collect, use, and share the data in our possession as described based on the following legal grounds:

  • Processing is necessary to fulfill a legal obligation (for measures to counteract the effects of containment and for the recovery and relaunch of the tourism sector) to which the Data Controller is subject. The legal basis is Article 6(1)(c) of Regulation (EU) 2016/679, as well as – for data concerning the health status of the data subject falling within the special categories of data referred to in Article 9(1) of the GDPR – Article 9(2)(g) of the GDPR as specified in EU Regulation 2021/953.
  • Processing is lawful if it is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject. Administrative and accounting purposes are expressly included. This also includes the service provided by the administrative part and, therefore, the processing of the data subject’s personal data for reservation management and sending responses to support requests. The legal basis is Article 6(1)(b) of Regulation (EU) 2016/679.
  • Consent to the processing of personal data for one or more specific purposes (for example, sending promotional material via email following voluntary registration for the newsletter). For this purpose, you will need to give your consent, which can be revoked at any time. The legal basis is Article 6(1)(a) of Regulation (EU) 2016/679.

Mailing list to receive information:

During the booking process, your email address is added to a contact list (subject to consent) to which email messages may be sent.

Our legitimate interests, including our interests in providing a secure and effective service for you.

Article 130, paragraph 4 of the Privacy Code also allows the sending of promotional communications via email to customers (current or former customers) to advertise services similar to those previously purchased (so-called soft spam). There is a right to opt out. The legal basis is Article 6(1)(f) of Regulation (EU) 2016/679.


The processing related to the web service provided by QUOVAI S.r.l. takes place at the company’s headquarters and on the company’s Data Centers located in Germany. No data transfer outside the European Union takes place. The Platform may share some of the collected data with services located outside of Italy, in particular, the Google Analytics service.

Google Analytics 4 is a web analytics service provided by Google Inc. (“Google”) with processing location in Ireland. Google uses the personal data collected for the purpose of tracking and examining the use of the site, compiling reports, and sharing them with other Google services. This integration of Google Analytics anonymizes your IP address. Anonymization works by shortening the IP address of users within the member states of the European Union or in other countries party to the agreement on the European Economic Area.

Platform and hosting services (a platform provided by Automattic Inc. in the United States): These services aim to host and operate key components of this website, making it possible to deliver this website from a single platform. These platforms provide us with a range of tools such as analytical tools, user registration management, comment management, database management, payment processing, etc. The use of such tools involves the collection and processing of Personal Data. Some of these services operate through servers located geographically in different places, making it difficult to determine the exact location where Personal Data is stored.


We do not disclose, transfer, or sell your personal data to companies or third parties not directly involved in the main purposes of our business.

Your data will be known by our employees. Furthermore, other recipients include: subjects whom, for various reasons, we use for the execution of the contract; subjects providing services for platform management; subjects providing legal and/or tax and accounting consultancy services; competent authorities and supervisory bodies for the fulfillment of legal obligations; and Public Administrations for their institutional purposes.

The subjects belonging to the categories mentioned above operate, in some cases, autonomously as distinct Data Controllers, in other cases, as Data Processors specifically appointed by the Data Controller in accordance with Article 28 of Regulation (EU) 2016/679.

However, we may be required to disclose personal data following a request from the Judicial Authority, as well as for the purpose of fraud prevention or general crime prevention, or if we believe such action is necessary to protect our business.


For information regarding cookies, we refer you to our specific Cookie Policy.


We retain your personal data for the time necessary to carry out the operations inherent to the Data Controller’s activity in accordance with Regulation (EU) 2016/679.

The processing of personal data is mainly carried out using computerised means for the time strictly necessary to achieve the purposes for which the data was collected and for the subsequent 10 years from the date of acquisition. At the end of this period, the online data will be deleted or anonymised by our provider QUOVAI S.r.l. unless there are further purposes for their retention.

We must retain your tax data for the 10 years required by Italian law; after this period, the legal criterion (legal obligation) for further retention no longer exists, so we delete them.

We do not collect special categories of personal data. However, if this information is entered in a free text section of the website or in emails sent to us, such information will be kept (if identified and recognised) for the time strictly necessary to achieve the initial purposes.


In order to prevent unauthorised access to your personal data and to maintain its accuracy, we are committed to implementing appropriate security measures to safeguard its confidentiality, integrity, and security. It is important to note, however, that no transmission over the Internet can ever be 100% secure.

In parts of the sites where personal data is collected, Secure Socket Layer (SSL) technology is used, which ensures that all communications between the user’s computer and us cannot be intercepted or decrypted. By convention, Internet addresses (URLs) that imply an SSL connection begin with https:// instead of http://. Additionally, in most common browsers, a green padlock icon is displayed to the left of the URL to indicate that a full SSL connection has been established between the user’s browser and our Platform. If your browser does not support SSL technology, you should update to the latest version.


The Platform is aimed at a general audience and does not offer services targeted at minors. Individuals under the age of 18 MUST NOT provide us with information or personal data. If we discover that a minor has provided us with personal data without parental or guardian authorization, we will promptly delete such information.


In accordance with Regulation (EU) 2016/679, you may, according to the methods and within the limits provided by current legislation, exercise the following rights by addressing a request to the contact details of the Data Controller:

  • Access your personal data;
  • Withdraw consent;
  • Object to the processing of your personal data (when it is carried out on a legal basis other than consent);
  • Verify and request rectification;
  • Obtain the limitation of processing (in this case, we do not process your data for any purpose other than their storage);
  • Obtain the erasure or removal of your personal data;
  • Request data portability;
  • Lodge a complaint.

Requests should be addressed directly to us as the Data Controller. We endeavor to respond to all legitimate requests within one month. It may occasionally take us longer than a month if your request is particularly complex.

If you believe that the processing of your data breaches privacy law or that your rights have been violated in any other way, you can contact the supervisory authority:

  • Garante per la Protezione dei Dati Personali:
    Piazza di Monte Citorio n. 121, Roma, 00186, Italia
    Tel: 06-69677-3785
    Web site:


For any requests regarding the processing of your personal data, you can:


This Privacy Policy has been in effect since the date indicated at the beginning of the document. The Data Controller may modify this Privacy Policy at any time; in such case, we will publish the updated version here and modify the effective date indicated below.

This Privacy Policy is updated as of 22/02/2024.