The website borgia.net advertises and collects inquiries for properties operated by two distinct Italian companies,
acting as joint data controllers under Art. 26 GDPR for the data submitted via this website's contact forms and
booking widget:
Giglia S.R.L., VAT/Tax Code IT07285610486, REA FI-692894, registered office Via del Parione 1,
50123 Firenze, Italy. PEC: giglia.fi@pec.it. Responsible for the Borgia di Firenze B&B (9 rooms) in Florence.
S. Trinita S.R.L., VAT/Tax Code IT07055120484, REA FI-676281, registered office Via del Parione 1,
50123 Firenze, Italy. PEC: s.trinita.fi@pec.it. Responsible for the apartments Giglio Borgia and Viola Borgia in
Florence, Paradiso Borgia and Mezzo Casale Borgia in Rome.
Joint controllers arrangement (Art. 26 GDPR): the two companies have agreed in writing on their
respective responsibilities for compliance with the GDPR, in particular regarding the exercise of data subjects'
rights and the duty to provide information under Art. 13 and 14. The essence of the arrangement is the following:
each company acts as data controller for the personal data relating to its own properties; both companies act
jointly when a single inquiry refers to more than one property. Either company may be contacted by data subjects
as a single point of contact, and will direct the request internally as needed.
Contact for data protection matters:
info@borgia.net. The Controllers have not appointed a Data Protection Officer
(DPO) under Art. 37 GDPR, as none of the conditions of that article applies (no large-scale processing of special
categories of data, no systematic large-scale monitoring).
Submitted by the User via inquiry / booking forms or by email: name, surname, email address,
telephone number, country of residence, language, dates of stay, number of guests, any free-text messages or
preferences.
Collected automatically via the website and the embedded 5stelle booking widget: IP address (in
truncated form where possible), browser type and version, operating system, referring URL, pages visited, timestamps,
geo-approximate location based on IP, technical session identifiers.
Collected at check-in (mandatory by Italian law, Art. 109 TULPS, Royal Decree 773/1931 as amended,
and Ministerial Decree of 7 January 2013): identity document type and number, full name, date of birth, place of birth,
citizenship and country of residence, for all guests aged 14 or over. These data are transmitted to the Police
authority within 24 hours via the "Alloggiati Web" portal. This is a legal obligation; it is not optional.
Payment data: credit card details, where provided, are processed directly by our payment processors
(Nexi, Stripe) and are NOT stored on our servers. We may retain only the last four digits and the transaction ID
for accounting purposes.
Special categories of data (Art. 9 GDPR): we do not solicit or process special categories of
personal data (health, religion, sexual orientation, etc.). Where guests voluntarily disclose dietary requirements
or accessibility needs in free-text fields, we treat them with the same standard of care and use them only to
fulfil the requested service.
Personal data we process originates from the following sources:
• directly from the data subject (you), via this website's forms, emails, phone calls, or in person at
check-in;
• from third-party booking platforms (OTAs) when you book through them, including Booking.com, Expedia,
Airbnb (apartments only). In these cases the OTA acts as an independent data controller for its own platform and
transfers a limited set of data (name, dates, contact email, booking confirmation number) to us in our capacity
as data controllers of the actual stay;
• from public registers, only where strictly necessary (e.g. company name verification for B2B invoices).
Pre-contractual measures and contract performance, Art. 6(1)(b) GDPR: handling inquiries, booking
confirmations, payment processing, check-in / check-out, billing, post-stay communications strictly related to the
booking.
Legal obligation, Art. 6(1)(c) GDPR: communication of guest data to the Police authority
(Alloggiati Web, Art. 109 TULPS); transmission of data to municipal authorities for the city tourism tax
(tassa di soggiorno, Florence Council resolution); accounting and tax record-keeping (Italian Civil Code Art. 2220,
Presidential Decree 633/1972); electronic invoicing (Legislative Decree 127/2015).
Legitimate interest, Art. 6(1)(f) GDPR: anonymised website usage analytics for improving the
service; security and abuse-prevention logs; defence of legal claims; fraud prevention on bookings. You may object
to this processing at any time (see Section 9).
Consent, Art. 6(1)(a) GDPR: any non-essential cookies (analytics, marketing), newsletter and direct
marketing communications are processed only with your explicit consent, freely revocable at any time without
affecting the lawfulness of processing before the withdrawal.
Providing the data marked as required in the booking forms is necessary to make a reservation; refusal makes it impossible to complete the booking. Providing identity document data at check-in is a legal obligation under Italian police regulations; refusal makes it impossible to accept the guest. Providing optional data (e.g. marketing consent, special requests) has no consequence on the booking itself, only on the corresponding ancillary service.
Accounting and tax records: 10 years from the close of the relevant tax year (Italian Civil Code
Art. 2220 and DPR 633/1972).
Guest registry and Alloggiati Web communications: as required by police regulations (Art. 109
TULPS), retained for the period prescribed by law.
Booking confirmations and reservation correspondence: 10 years (aligned with accounting retention).
Inquiry forms not resulting in a booking: 24 months from submission, then deleted.
Marketing data (where consent given): until consent is withdrawn or after 24 months of inactivity,
whichever occurs first.
Cookie consent record: 6 months from the date of last consent action (Garante guidance).
Server access logs: 6 months for technical purposes; longer only if necessary for incident
investigation under Art. 6(1)(f) GDPR or pursuant to a competent authority's request.
Data may be shared with the following categories of recipients, acting as data processors appointed under Art. 28
GDPR or as autonomous controllers where indicated:
• 5stelle / Simple Booking (booking engine and PMS, hosted in the EU), data processor.
Privacy policy: simplebooking.com/privacy.
• Site5 / Endurance International Group (web hosting, USA), data processor under Standard
Contractual Clauses (Art. 46 GDPR).
• Nexi S.p.A. and / or Stripe Payments Europe Ltd (payment processing, EU),
autonomous data controllers for fraud prevention and payment regulation compliance.
• Online Travel Agencies (Booking.com, Expedia, Airbnb) acting as independent controllers
where the booking originates from their platform.
• Italian Police authority (Alloggiati Web portal) and Comune di Firenze /
Comune di Roma (city tourism tax), as data recipients in fulfilment of legal obligations.
• Accountant, tax advisor, external legal counsel, on a need-to-know basis, bound by
professional confidentiality and data processing agreements.
Personal data are never sold, rented, or licensed to third parties for commercial or marketing
purposes.
Where service providers process data outside the European Economic Area (for example our hosting provider in the USA, certain analytics services), transfers are protected by Standard Contractual Clauses adopted by the European Commission under Art. 46 GDPR, complemented by supplementary measures where the EDPB Schrems II guidance applies (encryption in transit and at rest, contractual transparency on government access requests). A copy of the applicable safeguards is available on request from the contacts in Section 1.
You have the right to:
• Access your personal data (Art. 15);
• Rectify inaccurate or incomplete data (Art. 16);
• Erase your data ("right to be forgotten"), where applicable (Art. 17);
• Restrict processing (Art. 18);
• Receive your data in a structured, machine-readable, portable format (Art. 20);
• Object to processing based on legitimate interest (Art. 21);
• Not be subject to a decision based solely on automated processing (Art. 22);
• Withdraw consent at any time, where processing is based on consent (Art. 7(3)).
To exercise these rights, write to
info@borgia.net, indicating the right(s) you wish to exercise
and attaching a copy of an identity document to verify your identity (the copy will be deleted as soon as your
request is processed). We will respond within 30 days (extendable by a further 60 days for complex requests, with
prior notice), free of charge (Art. 12 GDPR).
Without prejudice to any other administrative or judicial remedy, if you believe that the processing of your
personal data infringes the GDPR you have the right to lodge a complaint with the Italian Data Protection
Authority (Garante per la protezione dei dati personali):
Piazza Venezia 11, 00187 Roma. Tel: +39 06 696771. Email: protocollo@gpdp.it.
PEC: protocollo@pec.gpdp.it. Website:
www.garanteprivacy.it.
The booking and inquiry services on this website are addressed to adults aged 18 or over. Personal data of minors (children under 14, in accordance with Art. 8 GDPR and Art. 2-quinquies of the Italian Privacy Code) are processed only when provided by a parent or legal guardian in the context of a family booking, and only for the strict purpose of providing the accommodation service.
The Data Controllers do not carry out fully automated decision-making producing legal effects on the data subject (Art. 22 GDPR). Pricing displayed on the website is set on an aggregate, non-personalised basis; no individual user profiling is used to vary prices, room availability, or service offerings.
In line with the Garante provision (provvedimento) of 10 June 2021, this website distinguishes between technical cookies and
non-technical cookies (analytics / profiling / marketing).
Technical cookies are necessary for the proper functioning of the website and the booking widget;
they do not require consent under Art. 122 of the Italian Privacy Code. They include the cookie consent record
(bdf_cookie_consent), the booking widget session cookies (5stelle), and standard HTTPS session identifiers
(PHPSESSID).
Non-technical cookies (analytics, advertising, social media) are activated only after explicit
consent obtained through the cookie banner shown on first visit. You may grant, refuse, or modify your preferences
at any time by reopening the banner from the link in the website footer. Refusing non-technical cookies has no
effect on the availability or functioning of the website.
Cookies currently in use:
| Cookie | Source | Purpose | Duration | Category |
|---|---|---|---|---|
| bdf_cookie_consent | borgia.net | Records your cookie preferences | 6 months | Technical |
| 5SB_* | 5stelle / Simple Booking | Booking widget session and preferences | Session, up to 30 days | Technical |
| PHPSESSID | borgia.net | Standard server session identifier | Session | Technical |
The Data Controllers adopt appropriate technical and organisational measures (Art. 32 GDPR) to protect personal data against unauthorised access, alteration, disclosure, or destruction. The website is served over HTTPS with TLS 1.2+ encryption and HSTS enforcement; access to administrative tools is restricted, password-protected, and logged; database backups are encrypted at rest. In the unlikely event of a personal data breach involving a risk to the rights and freedoms of natural persons, the Controllers will notify the Garante within 72 hours of becoming aware of the breach (Art. 33 GDPR), and, where the risk is high, will communicate the breach to the affected data subjects without undue delay (Art. 34 GDPR).
This policy may be updated to reflect changes in the law or in our processing operations. The "last updated" date below indicates the most recent revision; substantive changes will be notified by a prominent banner at the top of the website for at least 30 days. We recommend reviewing this page periodically.
Last updated: 22 May 2026.
Version: 2.0.
Legal basis: Regulation (EU) 2016/679 (GDPR); Legislative Decree 196/2003 as amended by
Legislative Decree 101/2018 (Codice Privacy); Garante provision (provvedimento) of 10 June 2021 on cookies and other tracking
tools; Art. 109 TULPS (Royal Decree 773/1931 as amended); DPR 633/1972 (VAT and accounting).
The website borgia.net promotes and collects booking requests for properties managed by two distinct Italian
companies, which act as joint data controllers under Art. 26 GDPR:
Giglia S.R.L., VAT No. IT07285610486, REA FI-692894, registered office Via del Parione 1, 50123 Firenze.
PEC: giglia.fi@pec.it. Responsible for the Borgia di Firenze B&B (9 rooms) in Florence.
S. Trinita S.R.L., VAT No. IT07055120484, REA FI-676281, registered office Via del Parione 1, 50123 Firenze.
PEC: s.trinita.fi@pec.it. Responsible for the apartments Giglio Borgia and Viola Borgia in Florence, Paradiso
Borgia and Mezzo Casale Borgia in Rome.
To exercise the rights provided by Arts. 15-22 GDPR, or for any request concerning data protection:
info@borgia.net. The Controllers have not appointed a Data Protection Officer (DPO) under Art. 37 GDPR,
as the conditions laid down in that article are not met.
Data provided voluntarily (name, surname, email, telephone, country of residence, dates of stay, number of guests); data collected automatically by the website (IP address, browser, operating system, pages visited); data collected at check-in as required by law (identity document of all guests, transmitted to the Police authority (Questura) via "Alloggiati Web" within 24 hours, Art. 109 TULPS); payment data handled directly by the payment processors (Nexi, Stripe), not stored on our servers.
a) Performance of the contract (Art. 6.1.b): management of bookings, check-in, invoicing;
b) Legal obligation (Art. 6.1.c): communications to the Police authority (Alloggiati Web), payment of the city tourism tax,
keeping of accounting records (Art. 2220 of the Italian Civil Code, DPR 633/1972), electronic invoicing;
c) Legitimate interest (Art. 6.1.f): aggregate website usage statistics, security, fraud prevention;
d) Consent (Art. 6.1.a): non-technical cookies and marketing communications, always revocable.
Retention: 10 years for accounting and tax data, 24 months for inquiries without a booking,
6 months for cookie consent.
Recipients: 5stelle / Simple Booking, Site5 (hosting), Nexi / Stripe (payments), OTAs
(Booking.com, Expedia, Airbnb), the Police authority (Questura), Comune di Firenze and Comune di Roma, accountant and advisors.
Data are never sold.
Transfers outside the EU: where necessary (e.g. hosting in the USA), protected by Standard Contractual
Clauses (Art. 46 GDPR).
Rights of the data subject: access, rectification, erasure, restriction, portability,
objection, withdrawal of consent (Arts. 15-22 GDPR). To exercise them, write to
info@borgia.net. Response within 30 days.
Complaint: right to lodge a complaint with the Garante per la Protezione dei Dati Personali,
Piazza Venezia 11, 00187 Roma, www.garanteprivacy.it, protocollo@gpdp.it.
The website uses only technical cookies necessary for its operation (5stelle booking widget, consent record), which do not require consent under Art. 122 of the Privacy Code. Any analytics or profiling cookies are activated only after explicit consent given through the dedicated banner, revocable at any time from the link at the bottom of the page.
Last updated: 22 May 2026. Version: 2.0.