Il Conventino

Privacy Policy

Last updated: 21 May 2026

Joint Data Controllers

Il Conventino is jointly owned and operated by Dominic Espinosa and Yelena Mokritsky as joint Data Controllers (Contitolari del trattamento under Art. 26 GDPR).

Address: Loc. Il Conventino, Ponte alla Piera 22, 52031 Anghiari (AR), Italia

Email: info@ilconventino.com

No Data Protection Officer has been appointed; for any request please contact the Controllers directly.

Categories of personal data collected

Through the inquiry form on this website, and in the course of managing a confirmed booking, we process the following categories of personal data:

Inquiry data — name, email, phone, arrival and departure dates, party size, the channel through which you found us, and any free-text notes you choose to include.

Booking data — the inquiry data above, together with payment details, which are collected and processed directly by our payment provider; we receive only the transaction reference and the card brand and last four digits.

Identity-document data — for guests of confirmed bookings, the data required by Italian law for guest registration with the public-security authority: full name, date and place of birth, nationality, document type and number, dates of stay.

Purposes and legal bases

We process your personal data only for the purposes set out below, on the legal bases indicated.

| Purpose | Legal basis |
|---|---|
| Reply to inquiries and manage pre-contractual measures | Art. 6(1)(b) GDPR |
| Manage confirmed bookings and the resulting contract | Art. 6(1)(b) GDPR |
| Guest registration with the public-security authority (Alloggiati Web) | Art. 6(1)(c) GDPR — Art. 109 TULPS, Royal Decree 773/1931 |
| Property registration (CIN/BDSR) and short-term-rental reporting obligations | Art. 6(1)(c) GDPR — Art. 13-ter D.L. 145/2023; Regulation (EU) 2024/1028 |
| Regional stay-communication and ISTAT statistical reporting | Art. 6(1)(c) GDPR — LR Toscana 86/2016 |
| Accounting and tax obligations | Art. 6(1)(c) GDPR — Art. 2220 Codice Civile |
| Understanding how guests find the property (channel attribution) | Art. 6(1)(f) GDPR — legitimate interest |
| Site security and fraud prevention | Art. 6(1)(f) GDPR — legitimate interest |
| Establishment, exercise, or defence of legal claims | Art. 6(1)(f) GDPR — legitimate interest |

Nature of provision

Providing your name, email, phone number, and the dates of your intended stay is necessary for us to reply to your inquiry, coordinate your arrival, and enter into a contract with you. The other fields, such as any free-text notes, are optional. Refusing to provide the necessary fields means we will not be able to process your inquiry.

Methods of processing

Personal data are processed in compliance with Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree no. 196/2003 (Codice in materia di protezione dei dati personali), in line with the principles of lawfulness, fairness, and transparency, with appropriate technical and organisational measures to ensure their confidentiality, integrity, and security. Processing is carried out predominantly by electronic means and, where necessary, on paper.

Recipients of data

Your data may be shared with the following categories of recipients, only as needed for the purposes set out above:

  • Providers of email and electronic communications services.
  • Providers of hosting, cloud infrastructure, and content-delivery services.
  • Providers of cookieless website analytics, used to count aggregate page views.
  • Payment service providers, which act as autonomous controllers for fraud prevention and as processors for the payment transaction itself.
  • Italian public authorities where required by law, including the Polizia di Stato (Questura di Arezzo) for guest registration, the Ministero del Turismo for property registration (CIN / BDSR), the Comune di Anghiari for stay communication, the Regione Toscana / ISTAT for statistical reporting, and the Agenzia delle Entrate for tax purposes.
  • A commercialista (Italian accountant), where appointed, for tax compliance.

Extra-EU transfers

Some of our service providers are established outside the European Economic Area, primarily in the United States. Where data are transferred to those providers, transfers take place on the basis of the EU-U.S. Data Privacy Framework adequacy decision (Commission Implementing Decision EU 2023/1795). Where the adequacy decision does not apply, we rely on the European Commission's Standard Contractual Clauses (Decision EU 2021/914) supplemented by the additional measures recommended by the European Data Protection Board.

Retention periods

| Data | Period |
|---|---|
| Inquiries that do not result in a booking | 24 months from last contact |
| Booking records (confirmed bookings) | 10 years (Art. 2220 Codice Civile) |
| Guest-registration receipts (Alloggiati Web) | 5 years |
| Identity-document copies, where provided in advance by email | Deleted immediately after the registration filing is complete |
| Server logs (access logs and request metadata) | No longer than 12 months |

Special categories of personal data

We do not request or collect special categories of personal data within the meaning of Art. 9 GDPR (such as data revealing religious or philosophical beliefs, or data concerning health). However, given the historic nature of Il Conventino and the presence of the chapel, if you choose to provide such information voluntarily — for example in the special-requests field for ceremonial purposes or for accessibility-related needs — we will process it on the basis of your explicit consent (Art. 9(2)(a) GDPR), signified by your submission of the form, and only for the purpose of managing your inquiry or stay. Such information is deleted on the same retention schedule as the surrounding inquiry or booking record.

Your rights

Under Articles 15 to 22 of the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Obtain erasure of your data, where applicable.
  • Restrict processing in certain circumstances.
  • Receive your data in a structured, commonly used and machine-readable format (data portability).
  • Object to processing based on legitimate interest.
  • Not be subject to automated decision-making, including profiling, which produces legal or similarly significant effects.

To exercise any of these rights, write to info@ilconventino.com. We will respond within 30 days, as required by Art. 12(3) GDPR.

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma — protocollo@gpdp.it).

Cookies

For information about how this site uses cookies, please see our Cookie Policy.

Amendments

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Where changes are material, we will notify you on the website. Earlier versions are available on request.