Comprehensive Privacy & Cookie Policy
Pursuant to EU Reg. 2016/679 (GDPR) and D.Lgs. 196/2003 (Italian Privacy Code)
Last Updated: March 2026 | Explicit Applicability: Global, with primary jurisdiction in Italy & the European Union
A Commitment to Absolute Discretion. Bellavita operates under strict European GDPR and CCPA absolute Fiduciary architecture. We are not a commercial travel agency; we are a private logistical intelligence network. All biographical data, travel manifests, biometric passport markers, and transit telemetry generated during the course of a Sovereign engagement are classified via encrypted ledgers. We enforce a Ghost Protocol: your digital travel footprint and logistical routing history are systematically purged 30 days post-extraction from the Italian Republic unless a standing retainer mandates preservation. We do not monetize, sell, or distribute UHNW travel manifests to third-party commercial vendors under any circumstances. At Bellavita, we recognize that our clients require an uncompromising paradigm of privacy. This document, drafted in strict adherence to the Italian "Codice della Privacy" (D.Lgs. 196/2003 amended by D.Lgs. 101/2018), the European GDPR, and the guidelines of the Garante Privacy, outlines exactly how we protect your personal sphere when you utilize our website, partner systems, and bespoke itinerary services.
Contents
- 1. Information About the Data Controller
- 2. Categories of Personal Data Processed
- 3. Purposes and Legal Basis of Processing
- 4. Methods of Processing & Data Security
- 5. Data Retention Periods
- 6. Communication and Dissemination of Data (Third Parties)
- 7. Transfer of Data Outside the EU/EEA
- 8. Comprehensive Cookie Policy
- 9. Artificial Intelligence, Analytics, and Automated Profiling
- 10. Rights of the Data Subject
- 11. Changes to this Policy
1. Information About the Data Controller
Data Controller: Simone Busin (operating as Bellavita)
VAT Number (P.I.): 01270080250
Registered Office: VIA PAVIER N.22 FRAZ. FEDER, 32020 CANALE D'AGORDO BL, Italy
Email for Privacy Inquiries: privacy@bellavitahotels.travel
The Data Controller directly handles all data protection inquiries. Given the scale and structure of operations, the appointment of a dedicated Data Protection Officer is not required under Article 37 of the GDPR.
2. Categories of Personal Data Processed
We process only the data strictly necessary for fulfilling our concierge services and managing digital interactions.
2.1 Navigation Data
- IP addresses
- URL addresses of requested resources
- Timestamp and request method
- File size and server response codes
- Operating system and browser information
2.2 Data Provided Voluntarily by the User
- Email correspondence and contact details
- Travel logistics information
- Identity information necessary for hotel registration
- Dietary restrictions or medical accessibility requirements
- Billing details and tokenized payment information
Processing of Children's Data
Bellavita services are intended for adults organizing travel services. We do not knowingly collect personal data from individuals under the age of 16 without parental or guardian authorization. If such data is discovered without proper authorization, it will be deleted promptly.
3. Purposes and Legal Basis of Processing
Your personal data is processed in accordance with the lawful bases described in Article 6 and Article 9 of the GDPR.
Where processing is based on the legitimate interest of the Data Controller (Art.6(1)(f)), such interest consists primarily of maintaining platform security, preventing fraud, ensuring service reliability, and defending legal claims. The legitimate interests pursued by the Data Controller include ensuring the security of digital infrastructure, preventing fraud, maintaining service reliability, and protecting the company against legal claims.
| Purpose | Legal Basis | Status |
|---|---|---|
| Execution of travel services | Art.6(1)(b) Contract | Mandatory |
| Legal compliance | Art.6(1)(c) | Mandatory |
| Dietary or health accommodations | Art.9 Consent | Optional |
| Security and legal defense | Art.6(1)(f) | Mandatory |
4. Methods of Processing & Data Security
Data processing occurs using secure technical and organizational measures compliant with Article 32 GDPR.
- Encrypted communication via TLS
- Multi-factor authentication
- Strict internal access control
- Segregation of sensitive information
4.1 Server Logs and Security Monitoring
To ensure infrastructure security, server logs may record technical metadata including IP address, timestamps, requested resources, and browser identifiers.
These logs are processed exclusively for cybersecurity monitoring, system diagnostics, and protection against unauthorized access or attacks.
Processing occurs under the legitimate interest of maintaining secure digital infrastructure.
5. Data Retention Periods
- Navigation logs: 7–30 days
- Client correspondence: up to 12 months after travel
- Accounting data: 10 years (Italian civil and tax law)
- Passport copies: deleted within 30 days after itinerary completion
6. Communication and Dissemination of Data (Third Parties)
Bellavita does not sell personal data.
Data may be shared only with service providers necessary to perform travel arrangements.
All processors operate under formal Data Processing Agreements compliant with Article 28 GDPR.
- Hotels and travel operators
- Transport providers
- Cloud infrastructure providers
- Professional advisors
- Authorities when legally required
7. Transfer of Data Outside the EU
Where international transfers occur, they rely on recognized mechanisms including Standard Contractual Clauses or adequacy decisions under the GDPR.
8. Comprehensive Cookie Policy
Technical Cookies
Used strictly for website functionality.
Analytics and Infrastructure Providers
Bellavita may utilize limited analytics or infrastructure providers operating under strict contractual safeguards.
- Google Analytics (privacy-enhanced configuration)
- Cloudflare security and content delivery services
- Meta Platforms services if activated in the future
Third-Party Embedded Content
Certain pages may include third-party embedded content (maps, booking tools, or media). When activated, such services may process limited technical data including IP addresses or browser information.
9. Artificial Intelligence and Profiling
Bellavita does not use automated decision-making processes that produce legal effects on users. Client data is never submitted to public AI systems for training or analysis.
10. Rights of the Data Subject
- Right of Access
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Object
To exercise these rights, please contact the Data Controller via email.
For security reasons, the Data Controller may request verification of identity before processing requests.
Supervisory Authority
Garante per la Protezione dei Dati Personali
Piazza Venezia 11 – 00187 Rome – Italy
www.garanteprivacy.it
Data Breach Response
In the event of a personal data breach likely to result in risk to individuals, Bellavita will notify the competent supervisory authority within 72 hours as required by Articles 33 and 34 GDPR.
11. Changes to this Policy
This policy may be updated periodically. The most recent revision date is shown at the top of this page.
Direct Privacy Inquiries
Email: privacy@bellavitahotels.travel