Privacy Policy
How we collect, use, and protect your data · Last updated 15 January 2026
1. Data Controller
Sassi Villas S.r.l. is the data controller responsible for your personal data as described in this Privacy Policy. We are registered in Italy and operate in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Italian Privacy Code (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018). Our registered office address is available upon request. For all privacy-related enquiries, you may contact our Data Protection Officer at support@sassivillas.com. We take our responsibilities as a data controller seriously and have implemented appropriate organisational and technical measures to protect your personal data.
2. Information We Collect
We collect information you provide directly when creating an account, making a reservation, or contacting our support team. This includes your name, email address, phone number, postal address, date of birth, payment details, travel preferences, and any special requests or accessibility requirements. For guests staying at our properties, Italian law requires us to collect identity document details (passport or national ID) for police registration purposes. We also collect information automatically through cookies and similar technologies, including your IP address, browser type and version, device identifiers, operating system, pages visited, referral source, and interaction patterns. We may receive information from third-party services you use to log in, from payment processors, or from publicly available sources.
3. Legal Basis for Processing
We process your personal data on several legal bases as permitted under GDPR Article 6. Contractual necessity: processing required to fulfil your reservation and provide our services, including payment processing, booking confirmations, and guest communication. Legal obligation: processing required to comply with Italian law, including guest registration with the Questura, tax record retention, and anti-money laundering obligations. Legitimate interest: processing necessary for our legitimate business interests, including fraud prevention, platform security, service improvement, and direct marketing to existing customers. Consent: processing based on your explicit opt-in, including marketing communications to non-customers, non-essential cookies, and profiling for personalised recommendations. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
4. How We Use Your Information
Your personal information is used to process and manage reservations, verify your identity as required by law, communicate booking confirmations, updates, and pre-arrival information, collect and remit tourist tax on your behalf, provide customer support and concierge services, personalise your experience on the Platform including property recommendations, send marketing communications (with your consent or under legitimate interest for existing customers), comply with legal and regulatory obligations, detect and prevent fraud and unauthorised access, conduct internal analytics to improve our services, and manage our relationship with property owners. We do not sell your personal data to third parties under any circumstances.
5. Data Sharing & Third Parties
We share your personal data only when necessary and with appropriate safeguards. Property owners receive your name, contact details, and any special requests necessary to prepare for your stay. Payment processors (including Stripe) receive your payment details to process transactions securely; Sassi Villas does not store full card numbers on its own servers. Our technology service providers (hosting, email, analytics) process data on our behalf under strict data processing agreements. Italian authorities receive guest identification data as required by law (Questura registration, tourist tax reporting). Professional advisers (legal, accounting, audit) may access data as necessary for their services. We may also disclose data where required by law, regulation, or court order. All third-party processors are vetted for GDPR compliance and are bound by data processing agreements that restrict them from using your data for any purpose other than providing their services to us.
6. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where we use service providers based outside the EEA, we ensure that appropriate safeguards are in place as required by GDPR Chapter V. These safeguards include European Commission adequacy decisions for the recipient country, Standard Contractual Clauses (SCCs) approved by the European Commission, or the service provider's participation in recognised certification mechanisms. We do not transfer data to countries that lack adequate protection without implementing one of these safeguards. You may request information about the specific safeguards applied to any international transfer by contacting our Data Protection Officer.
7. Data Storage & Security
Your data is stored on secure servers located within the European Economic Area. We implement industry-standard security measures including encryption in transit (TLS 1.3), encryption at rest (AES-256), regular penetration testing and security audits, multi-factor authentication for administrative access, automated intrusion detection and monitoring, and regular staff training on data protection. Access to personal data is restricted to authorised personnel on a need-to-know basis, and all access is logged and auditable. We maintain an incident response plan and will notify affected individuals and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, as required by GDPR Article 33. While we take every reasonable precaution, no method of electronic storage or transmission is entirely secure, and we cannot guarantee absolute security.
8. Cookies & Tracking
The Platform uses essential cookies required for basic functionality, performance cookies to analyse usage patterns, and optional marketing cookies to deliver relevant content. A detailed description of the cookies we use, their purpose, and duration is provided in our separate Cookie Policy. You can manage your cookie preferences through your browser settings or our cookie consent banner, which is displayed on your first visit and is accessible at any time via the footer link. Disabling essential cookies may affect the functionality of the Platform. We use anonymised analytics data to improve our services and do not track users across third-party websites. We honour Do Not Track browser signals where technically feasible.
9. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights: the right of access (to request a copy of the personal data we hold about you); the right to rectification (to have inaccurate data corrected or incomplete data completed); the right to erasure (to request deletion of your data where there is no compelling reason for continued processing); the right to restrict processing (to request that we limit how we use your data); the right to data portability (to receive your data in a structured, commonly used, machine-readable format); the right to object (to object to processing based on legitimate interests or for direct marketing purposes); the right to withdraw consent (to withdraw previously given consent at any time); and the right to lodge a complaint with the Garante per la protezione dei dati personali or your local supervisory authority. To exercise any of these rights, contact our Data Protection Officer at support@sassivillas.com. We will verify your identity before processing any request and will respond within 30 days. In complex cases, this period may be extended by a further 60 days, and we will inform you of any such extension.
10. Automated Decision-Making
We do not use fully automated decision-making, including profiling, that produces legal effects or similarly significant effects on you without human involvement. We may use automated processing to detect fraudulent transactions, flag suspicious account activity, or generate personalised property recommendations. In all such cases, a human review is available and no significant decision is made without human oversight. You have the right to request human intervention, express your point of view, and contest any automated decision by contacting our team at support@sassivillas.com.
11. Children's Privacy
The Platform is not directed at children under the age of 16, and we do not knowingly collect personal data from children under 16 without verifiable parental consent. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that information as quickly as possible. Parents or guardians who believe their child has provided personal data to us without consent may contact us at support@sassivillas.com. Guest information collected for booking purposes may include the names and ages of children in the travelling party, which is collected from the parent or guardian making the reservation and is used solely for occupancy and safety purposes.
12. Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows: booking records and associated financial data are retained for a minimum of 10 years in accordance with Italian tax law (Art. 2220 of the Italian Civil Code); guest identification records submitted to the Questura are retained for 5 years; account profile data is deleted within 90 days of account closure, unless retention is required by law; marketing consent records are retained for the duration of the consent plus 3 years; website analytics data is anonymised after 26 months; and customer support correspondence is retained for 3 years after the last interaction. You may request early deletion of non-essential data at any time, and we will comply unless a legal obligation requires retention.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. Material changes will be communicated to registered users via email at least 30 days before they take effect and will be highlighted on the Platform. We encourage you to review this policy periodically. The "Last Updated" date reflects the most recent revision. Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy. If you do not agree with any changes, you may close your account and request deletion of your data as described above.
If you have questions about this document, please contact our team at support@sassivillas.com. This document is provided in English for convenience. In the event of a conflict between the English and Italian versions, the Italian version shall prevail.