Privacy Policy

1. Data Controller

The Data Controller for personal data collected through this website is:

2. Types of Data Collected and Purposes

2.1 Browsing and Technical Data

When you visit our website, our systems automatically collect technical data including: anonymised IP addresses, browser type and version, operating system, pages visited and time spent. Used solely for website security and anonymous aggregate statistics.

• →Legal basis: Legitimate interest (Article 6(1)(f) GDPR)
• →Retention: 7 days in server logs, then permanently anonymised

2.2 Enquiries and Contact Forms

When you contact us via email, telephone, WhatsApp or contact form, we process: name, email address, telephone number, and the content of your message.

• →Legal basis: Pre-contractual measures (Article 6(1)(b) GDPR) and legitimate interest (Article 6(1)(f) GDPR)
• →Retention: 24 months from the date of your last communication

2.3 Reservations and Bookings

Reservations via our booking engine (Synxis/Sojern by Amadeus) involve processing of: name, contact details, payment data, stay dates and guest preferences. Payment data is processed exclusively by Synxis/Sojern (PCI-DSS certified) and is never stored on our servers.

• →Legal basis: Performance of a contract (Article 6(1)(b) GDPR)
• →Retention: 10 years for fiscal/accounting obligations under Italian law (D.Lgs. 471/1997)

2.4 Newsletter

If you subscribe to our newsletter, we process your email address and optionally your first name to send communications about offers, events and news.

• →Legal basis: Consent (Article 6(1)(a) GDPR) — freely given and withdrawable at any time
• →Retention: Until you withdraw consent via the unsubscribe link in each email

2.5 Analytics

We use privacy-friendly analytics with IP masking to measure traffic and improve user experience. Non-technical analytics cookies are activated only after consent via the cookie banner.

• →Legal basis: Consent (Article 6(1)(a) GDPR)
• →Retention: 13 months

3. Data Recipients and International Transfers

Your data may be shared with the following processors under Article 28 GDPR contracts:

• →Synxis / Sojern by Amadeus (USA) — booking engine — safeguards: Standard Contractual Clauses
• →Cloudflare Inc. (USA) — CDN, DDoS protection — safeguards: Standard Contractual Clauses
• →Google LLC (USA) — analytics — safeguards: Standard Contractual Clauses
• →Italian-based professional firms — accounting and legal — under professional confidentiality
• →Public authorities — when required by law (e.g. police registration of guests under D.Lgs. 286/1998)

No personal data is sold to third parties. International transfers are covered by appropriate safeguards.

4. Your Rights Under GDPR

Under Articles 15–22 GDPR you have the following rights:

• →Access (Art. 15) — obtain confirmation and a copy of your data
• →Rectification (Art. 16) — correct inaccurate or incomplete data
• →Erasure (Art. 17) — request deletion where no legal obligation requires retention
• →Restriction (Art. 18) — limit how we use your data in certain circumstances
• →Portability (Art. 20) — receive your data in a machine-readable format
• →Object (Art. 21) — object to processing based on legitimate interest or for direct marketing
• →Withdraw consent — at any time, without affecting prior lawful processing

To exercise these rights: privacy@faloriasparesort.com. We respond within 30 days. You also have the right to lodge a complaint with the Italian Data Protection Authority: www.garanteprivacy.it.

5. Security

We implement appropriate technical and organisational measures including HTTPS/TLS 1.3 encryption, Cloudflare DDoS protection, access controls and regular security reviews.

6. Cookies

This website uses cookies. For full details see our Cookie Policy.

7. Updates

Last updated: 1 May 2026. We will notify you of material changes via a notice on the website.