Privacy Policy

1. Data Controller

Le rose di Marianne
Karin Wallnöfer
St. Elisabethweg 39A, 39040 Vahrn (BZ), Italy
Phone: +39 333 2734553
E-mail: lerosedimarianne@gmail.com

2. Data Protection Officer

There is no legal obligation to appoint a Data Protection Officer.
The contact person is the Data Controller.

3. Definitions and legal bases (Art. 4, Art. 6 GDPR)

We process personal data in compliance with the Regulation (EU) 2016/679 (GDPR).
Depending on the purpose, the following legal bases apply:

Art. 6(1)(b) GDPR – performance of a contract / pre-contractual measures (e.g. bookings, replies to enquiries)

Art. 6(1)(c) GDPR – compliance with legal obligations (e.g. guest registration, tax retention duties)

Art. 6(1)(f) GDPR – legitimate interest (e.g. secure operation of the website, server log files)

Art. 6(1)(a) GDPR – consent (e.g. optional statistics or marketing cookies)

4. Categories of personal data

Master data: name, address, contact details

Booking data: travel dates, number of guests, selected apartment, price

Communication data: e-mail content, telephone notes

Usage / technical data: IP address, access time, user agent, referrer (server logs, cookies)

Payment data: depending on the selected payment method (see payment service providers)

5. Purposes of processing

Provision of the website, stability and security

Processing of enquiries and bookings, performance of contracts

Fulfilment of legal obligations (guest registration, tax law)

Communication with guests and interested parties

Optional statistics and optimisation (only with consent)

6. Hosting and server log files

Hosting provider (processor): [name, location]
Access data is stored in server log files (IP address, date/time, URL, status code, data volume, referrer, user agent).
Legal basis: Art. 6(1)(f) GDPR (technical operation and security).
Retention period: max. [7–30] days, after which data is deleted or anonymised.

7. Contact (e-mail / contact form)

When you contact us, your details are processed in order to handle your request.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (general enquiries).
The data will be deleted once the request has been processed, provided no statutory retention obligations apply.

8. Online booking (Smoobu)

We integrate the booking and availability widget of Smoobu GmbH, Berlin, Germany.
When using the widget, data such as travel dates, number of guests, contact details and, if applicable, payment data are processed.
When the widget is loaded, technical data (e.g. IP address) may also be transmitted to Smoobu, and cookies may be set.
Legal basis: Art. 6(1)(b) GDPR (booking / pre-contractual measures); for loading external content or cookies, Art. 6(1)(a) GDPR (consent).
Retention period: in accordance with Smoobu’s policies and statutory requirements.
External content is only loaded after consent via the cookie banner. Consent can be withdrawn at any time with effect for the future.

9. Payment service providers

If you make an online payment, payment data will be transmitted to the respective payment service provider.
Possible providers include PayPal and Stripe.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); where applicable Art. 6(1)(a) GDPR (consent).
Payment service providers act as independent data controllers; their own privacy policies apply.

10. Maps, fonts and external content

Maps (e.g. Google Maps / OpenStreetMap): loaded only with consent; legal basis Art. 6(1)(a) GDPR

Web fonts (e.g. Google Fonts hosted locally): no connection to third-party servers

Video platforms (YouTube, Vimeo, etc.): two-click solution / consent required

11. Cookies and consent management

We use a cookie banner to obtain and manage user consent.
Legal basis: Art. 6(1)(c) GDPR (documentation obligation) and Art. 6(1)(a) GDPR (optional cookies).
Necessary cookies are required for the operation and security of the website.
Optional cookies (statistics, marketing, external content) are used only with consent.
You can change or withdraw your consent at any time via [link “Cookie settings”].

12. Web analytics (only if used)

If web analytics tools such as Matomo (self-hosted) or Google Analytics 4 are used, details on provider, IP anonymisation, retention period, legal basis (consent) and opt-out options will be provided here.

13. Recipients and processors

Hosting / server: [name] (data processing agreement)

Booking system: Smoobu GmbH, Germany (data processing agreement)

Payment services: PayPal / Stripe (independent controllers)

14. Transfer to third countries

Personal data is transferred to third countries only if an adequacy decision exists or EU Standard Contractual Clauses or other appropriate safeguards have been agreed.

15. Data retention

Personal data is processed and stored only for as long as necessary for the respective purposes or as required by law (e.g. accounting obligations up to 10 years).

16. Obligation to provide data

Providing personal data is necessary for booking and contract conclusion. Without the required information, a booking is not possible.

17. Security (TLS / HTTPS)

This website uses TLS encryption (HTTPS) to protect transmitted data from unauthorised access.

18. Rights of data subjects (Art. 15–22 GDPR)

You have the right of access, rectification, erasure, restriction of processing, data portability, withdrawal of consent and objection to processing based on legitimate interests.

Right to object (Art. 21 GDPR):
You may object to processing at any time for reasons arising from your particular situation.

Requests may be addressed to the contact details listed above.

19. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority.
The competent authority in Italy is the Garante per la protezione dei dati personali,
Piazza Venezia 11, 00187 Rome, Italy.

20. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy if services, legal requirements or technical conditions change.

Last updated: August 2025