BOOKING
Online

Privacy Notice (Art. 13 GDPR)

Last updated: 14 January 2026

1) Data Controller

The Data Controller is ALBERGO MARIA S.A.S. DI DEL SOLE O. & C., VAT No. 00448270678, with registered office at Via Morandi, 2 – Borgo S. Maria area – 64025 Pineto (TE), Italy. Contact: Tel. +39 085 9492065 – Email: info@hotelmaria.net

This notice describes how personal data of users who interact with the website and/or contact the establishment are processed.

2) Personal Data Processed

By way of example, we may process:
  • Identification and contact data (name, surname, email, telephone number).
  • Reservation/stay-related data (dates, number of guests, requests, preferences, and any notes provided by the user).
  • Browsing data (IP address, technical logs, device and browser information), within the limits and as specified in the Cookies/Tracking Tools section.
  • Communications sent by the user via email/forms (message content and attachments).

3) Purposes of Processing and Legal Basis

A) Management of Requests and Contacts

  • Purpose: to respond to requests for information, quotations, availability, and assistance.
  • Legal basis: performance of pre-contractual/contractual measures requested by the data subject (Art. 6(1)(b) GDPR).

B) Reservations and stay management

  • Purpose: management of reservations, confirmations, operational communications, and provision of the requested services.
  • Legal basis: performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR).

C) Legal obligations and administrative/accounting requirements

  • Purpose: compliance with legal and regulatory obligations (e.g. tax/accounting requirements, public safety obligations, where applicable).
  • Legal basis: legal obligation (Art. 6(1)(c) GDPR).

D) Protection of the Data Controller’s rights

  • Purpose: to prevent abuse/fraud, handle disputes, and defend a right in legal proceedings.
  • Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR), insofar as it is compatible with the rights of the data subject.

E) Marketing (optional)

  • Purpose: sending promotional communications/newsletters (only if requested or where consent is required).
  • Legal basis: consent (Art. 6(1)(a) GDPR) or, where applicable, legitimate interest/soft spam in accordance with the applicable legislation.
  • Provision: optional. Failure to provide the data does not affect the booking or the requested services.

4) Data Processing Methods and Security

The processing is carried out using both manual and electronic tools, in accordance with logics strictly related to the stated purposes, adopting appropriate technical and organizational security measures to prevent unauthorized access, disclosure, alteration, or destruction of data.

5) Data Provision

The provision of data for purposes A and B is necessary in order to process requests and/or manage reservations. In case of failure to provide the data, it may not be possible to provide the requested information or services. The provision of data for purpose E (marketing) is optional.

6) Recipients of Data

Personal data may be disclosed to:
  • Authorized personnel of the Data Controller, properly trained.
  • Service providers/Data Processors (e.g. hosting, IT maintenance, email providers, booking/CRM management where applicable), appointed pursuant to Article 28 GDPR.
  • Consultants (e.g. accountants, legal advisors), where necessary.
  • Public authorities, where required by law.

An updated list of Data Processors can be requested by writing to the contacts indicated in the “Data Controller” section.

7) Data Transfers Outside the EU

As a general rule, data are processed within the European Economic Area (EEA). Where some providers process data outside the EEA, the transfer will take place in compliance with the GDPR, using appropriate safeguards (e.g. adequacy decisions, Standard Contractual Clauses, where applicable).

8) Retention Periods

  • Contact/quotation requests: for the time necessary to handle the request and, subsequently, for a reasonable period (e.g. up to 12 months), unless further legal obligations or protection needs apply.
  • Reservations and stay management: for the duration of the relationship and subsequently in accordance with legal requirements (e.g. tax/accounting obligations).
  • Marketing: until consent is withdrawn or an objection/deletion request is made, and in any case in compliance with the maximum retention periods consistent with the purposes.
  • Technical logs: for generally short periods, unless security requirements or the establishment of liability require otherwise.

9) Data Subject Rights

The data subject may exercise the rights provided under Articles 15–22 of the GDPR, including: access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent (where given). To exercise these rights, you may contact the Data Controller using the contact details provided. It is also possible to lodge a complaint with the Data Protection Authority.

10) Cookies and Tracking Tools

The website may use technical cookies necessary for its functioning and, only if configured and accepted by the user, third-party analytical and/or profiling cookies.
  • Technical cookies: necessary and always active.
  • Analytical cookies: (e.g. visit statistics) enabled according to user configuration and preferences.
  • Profiling/marketing cookies: enabled only with prior consent.

11) Changes to this Privacy Notice

The Data Controller may update this privacy notice. Any changes will be published on this page with the updated date.