Privacy Policy

Sassi Villas Ltd, a company incorporated in England and Wales (the “Platform”, “we”, “us” or “our”), is the controller of the personal data we process in connection with the Services. We determine the purposes and means of that processing within the meaning of the UK General Data Protection Regulation, as retained in the law of England and Wales (the “UK GDPR”), and, where applicable, of Regulation (EU) 2016/679 (the “EU GDPR”). Together we refer to these as “data-protection law”. The EU GDPR applies in parallel where we offer services to, or monitor the behaviour of, data subjects in the European Union (Article 3(2)). We are registered with the Information Commissioner’s Office (“ICO”), our UK supervisory authority; registration details are available on request. In the European Union, the authority most likely to receive a complaint about our processing is the Italian Garante per la Protezione dei Dati Personali, given the location of the properties, although you may complain to the supervisory authority of any member state where you live, work or where an alleged infringement occurred. You can reach our privacy lead at support@sassivillas.com with “Data Protection” in the subject line; Italian-language correspondence is welcome and will be answered in Italian.

We collect and process the following categories of personal data, only as far as necessary for the purposes described below.

• Account data: name, postal address, email, telephone, password (stored as a salted hash), language and currency preferences, and (for Property Owners) entity name, tax identifiers (codice fiscale, partita IVA, UTR or other), beneficial-ownership statements and IBAN or bank details for payouts.
• Booking data: dates of stay, party composition (adults, and number and ages of children), special requests, allergies, accessibility requirements, communications with the Owner and our team, and refund and modification history.
• Know-your-customer and identity-document data: for Guests, passport or national identity card details collected at booking to support the host’s Alloggiati Web submission and our anti-money-laundering, anti-fraud and sanctions obligations; for Owners, the identity documents required under UK platform-operator, anti-money-laundering and Italian tax rules.
• Payment data: instrument tokens and metadata handled by Stripe; we do not see or store full card numbers.
• Tax-administration data: Italian VAT identifiers, cedolare secca elections and Certificazione Unica details for Owners.
• Technical and usage data: IP address, device and browser details, pages viewed, search terms, session timings, error logs and cookie identifiers (see the Cookie Policy).
• Marketing and consent data: subscriptions, consent records, preferences and unsubscribe history.
• Customer-support data: tickets, call recordings (where notified) and documents you upload.

We do not seek special-category data (Article 9); where accessibility or dietary details may indirectly reveal health information, we handle them under the lawful bases below.

We rely on the following lawful bases under Article 6 of data-protection law (and Article 9 where special-category data is involved).

• Contractual necessity (Article 6(1)(b)): processing needed to perform the Terms or the Booking Contract you make with the Owner, or to take steps at your request beforehand, including booking, payment, communication, refunds and support.
• Legal obligation (Article 6(1)(c)): processing required by UK, Italian or EU law, including platform-operator reporting (and DAC7 where applicable), cedolare secca withholding under Decree-Law 50/2017, anti-money-laundering and sanctions law, Italian tax record-keeping under Article 2220 of the Italian Civil Code, and lawful requests from authorities.
• Legitimate interests (Article 6(1)(f)): the secure and efficient operation of the Services, fraud prevention, analytics and product improvement, network and information security, internal administration, soft opt-in marketing to existing customers under regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), and the establishment, exercise or defence of legal claims; we document a balancing test for each.
• Consent (Article 6(1)(a)): prior, freely given, specific, informed and unambiguous consent, including for non-essential cookies, marketing to non-customers and any exceptional special-category processing at your request.

You may withdraw consent at any time without affecting earlier processing.

We use each category of data on the lawful basis identified above. Account and booking data let us create and run your account, accept and confirm bookings, send confirmations, modifications, cancellations and refunds, facilitate Guest-Owner communication, provide support and operate the owner dashboard. KYC, identity-document and tax-administration data let us meet our legal obligations as a reporting platform operator (and under DAC7 where applicable), discharge cedolare secca and Certificazione Unica duties, share guest identity details with Owners so the host can complete the Alloggiati Web submission to the Questura within 24 hours of check-in (the obligation under Article 109 of Royal Decree 773/1931 sits with the host, not the Platform), comply with anti-money-laundering and sanctions law, and keep audit-quality tax records. Payment data, processed through Stripe, lets us take payment, handle refunds, manage chargebacks and release Owner payouts. Technical and usage data let us monitor and improve the Services, prevent fraud and abuse, and debug. Marketing data lets us send communications you have asked for and honour unsubscribe requests. We do not sell your personal data and we do not engage in cross-context behavioural advertising.

Property Owners are the principal accommodation suppliers and the hosts under Italian short-term-let legislation. They receive the personal data they need to prepare for and run your stay: typically your name and those of additional Guests, party composition, arrival and departure dates, contact details, special requests, allergies or dietary information, accessibility requirements, and identity-document details (document type, number and issuing country) sufficient for the Owner, as host, to complete the Alloggiati Web submission to the local Questura within 24 hours of check-in under Article 109 of Royal Decree 773/1931. Where Italian law allows the host to use a delegate, the same data may be shared with that delegate on the Owner’s instruction. For this Alloggiati Web data the Owner acts as an independent controller for regulatory compliance, and we share it controller-to-controller with appropriate confidentiality and data-protection commitments. Where we provide an Owner with a Certificazione Unica or tax reporting, we share only what is needed to operate it and to let the Owner’s commercialista prepare the Italian income-tax return. We do not give Owners payment-card data, and we do not permit them to use Guest data for marketing without separate Guest consent.

Payments are collected, held and disbursed by Stripe Technology Europe, Limited, an Irish electronic money institution authorised by the Central Bank of Ireland (reference C187865) and certified at PCI DSS Level 1. Stripe processes payment data (card tokens, network metadata, amounts, currency, billing country, risk signals and, for Stripe Connect, Owner KYC data) both as a controller for its own compliance, fraud-prevention and regulatory purposes and as a processor on our behalf for the payment mechanic. Its use is governed by the Stripe Services Agreement, the Stripe Connected Account Agreement and Stripe’s Privacy Policy, which apply when you make a Booking or onboard as an Owner. Our written contract with Stripe meets the processor requirements of Article 28 of data-protection law, including documented instructions, confidentiality, security, sub-processor management, assistance with data-subject rights, breach-notification co-operation and end-of-engagement data return or deletion. We do not see or store full card numbers and do not hold Guest funds in our own account. Transfers within the Stripe group are protected by the mechanisms in the International Data Transfers section below.

We share personal data with tax authorities where the law requires it. To HMRC, we report each year the information required under the UK Platform Operators (Due Diligence and Reporting Requirements) Regulations 2023: each Owner’s identifying details, the consideration paid through the Platform, the fees withheld, the number of relevant activities and the periods concerned. That information is automatically exchanged with the Agenzia delle Entrate under the multilateral framework. Separately, we remit cedolare secca withholding monthly and file annual Certificazione Unica data under Article 4 of Decree-Law 50/2017 (as amended by Law 213/2023), and we file Italian VAT returns through our direct identification at the Agenzia delle Entrate (Article 35-ter of Presidential Decree 633/1972, as confirmed for UK platforms by Risoluzione 7/E/2021). We also co-operate with lawful requests from the Guardia di Finanza, law enforcement and supervisory authorities, applying the safeguards required by data-protection law. The underlying tax mechanics are explained on our Italian Tax & Platform Reporting page.

By default we store personal data in the United Kingdom and the European Economic Area. Some service providers may transfer data outside these areas. Where we make a “restricted transfer” under Chapter V of data-protection law, we rely on one or more safeguards: a UK adequacy regulation or an EU Commission adequacy decision (Article 45) where the destination country qualifies; the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, for transfers from the UK; the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), for transfers from the EEA; binding corporate rules approved by a supervisory authority; or an Article 49 derogation where applicable. We carry out a transfer-impact assessment in line with European Data Protection Board and ICO guidance, and we add supplementary technical, contractual or organisational measures where it shows they are needed to provide essentially equivalent protection. You may request a copy of the relevant safeguard from support@sassivillas.com.

We apply technical and organisational measures appropriate to the risk, in line with Article 32 of data-protection law. These include: encryption in transit (TLS 1.3 or higher) and at rest (AES-256 or equivalent); role-based access control on a least-privilege basis; multi-factor authentication for administrative access to production; segregated production, staging and development environments; regular security testing, including at least annual external penetration testing; centralised logging, monitoring and alerting; secure development practices (code review, dependency scanning, secrets management) reflecting the privacy-by-design duty under Article 25; documented incident-response procedures; encrypted backups with restoration testing; staff training, with role-specific modules for engineering and support; and vendor-risk management with contractual data-processing requirements. If a personal-data breach is likely to risk individuals’ rights and freedoms, we will notify the ICO (and the Italian Garante or other EEA authority where relevant) within 72 hours under Article 33, and we will notify affected data subjects without undue delay where the risk is high under Article 34.

The Services use cookies and similar technologies to operate, remember your preferences, measure usage, deliver content where you have consented and integrate third-party services such as payment, mapping and video providers. Non-essential cookies and similar technologies (including pixels, SDKs, local and session storage, IndexedDB and fingerprinting) are deployed only with your prior consent through our consent-management interface, under regulation 6 of PECR and Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC); strictly necessary cookies need no consent. You can withdraw consent at any time via “Cookie Settings” in the footer, without affecting earlier processing, and we treat a Global Privacy Control signal as an absence of consent to non-essential cookies. Full detail, including the cookie inventory and each category, is in our Cookie Policy, which forms part of this notice.

Subject to the conditions and exceptions in data-protection law, and free of charge in most cases, you have the following rights over the personal data we hold about you:

• access (Article 15): confirmation of processing, a copy of your data and the supporting information;
• rectification (Article 16): correction of inaccurate data and completion of incomplete data;
• erasure (Article 17): deletion where a listed ground applies, subject to the Article 17(3) exceptions, including our Italian tax record-keeping under Article 2220 of the Italian Civil Code and platform-operator reporting;
• restriction (Article 18): suspension of processing in defined circumstances;
• portability (Article 20): receipt of data you provided in a structured, machine-readable format and its transmission to another controller;
• objection (Article 21): to legitimate-interests processing or direct marketing; we stop marketing on request and stop other such processing unless we show overriding grounds or need it for legal claims;
• not to be subject to a solely automated decision (Article 22);
• to withdraw consent (Article 7(3)) at any time;
• to complain to a supervisory authority (Article 77): the ICO (ico.org.uk), the Italian Garante (garanteprivacy.it) or your national EEA authority.

To exercise any right, write to support@sassivillas.com. We verify identity proportionately and respond within one month, extendable by up to two further months for complex or numerous requests, of which we will tell you within the first month.

We do not subject you to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects, except where permitted by law with suitable safeguards or where necessary for a contract between us, in which case the Article 22(3) safeguards apply. We use automated processing only in narrow, human-supervised contexts: Stripe’s payment-fraud and chargeback risk scoring (Stripe may decline a high-risk transaction; contact us for a human review where appropriate); our own booking-risk screening, where signals such as last-minute international bookings, mismatched information or sanctions matches may trigger manual review before a Booking is confirmed; anti-spam and deduplication controls on user Content; and algorithmic ranking in search and recommendations, which does not produce legal effects on you. If you believe an automated decision has affected you adversely, write to support@sassivillas.com to request human intervention, express your view and contest the decision under Article 22(3).

The Services are intended for individuals aged 18 or over. We do not knowingly collect personal data from children below the age at which they can consent to information-society services: 13 in the United Kingdom (section 9 of the Data Protection Act 2018 and Article 8 of the UK GDPR), or the equivalent age (13 to 16) set by the relevant EU member state under Article 8(1) of the EU GDPR. We do collect, from the adult Guest making the booking, the names and ages of children in the travelling party, solely to operate occupancy limits, allocate beds and fulfil the host’s Alloggiati Web obligation; this is processed under contractual necessity (Article 6(1)(b)) and is not used for marketing. If we learn that we have inadvertently collected a child’s data without a lawful basis, we will delete it without undue delay. Parents or guardians can contact support@sassivillas.com.

We keep personal data only as long as necessary for the purposes for which it was collected, including legal, accounting and reporting obligations, dispute resolution and enforcement of our agreements. The principal periods are:

You may request early deletion of any data not subject to a legal retention obligation; where retention is required, we may keep the data for the residual period.

We may update this Privacy Policy to reflect changes in our processing, service providers, use of cookies, applicable law or regulatory guidance. For material changes we will notify you by email, by an in-product notice on next sign-in, or by a prominent notice on the Services, at least thirty (30) days before they take effect, or longer where the law requires. Non-material changes, such as correcting typographical errors, clarifying language without altering a right or obligation, or updating cross-references, may be made without prior notice. The “Last Updated” date above reflects the most recent revision, and continued use after an update constitutes acknowledgement of it. Where a change needs renewed consent (for example, new categories of non-essential cookie or a new consent-based processing operation), we will obtain that consent through our consent-management interface before it applies to you.