Privacy Policy | Tenuta Le Marze

Last updated: 01 February 2026

This Privacy Policy describes how personal data of users who browse and use the website tenutalemarze.eu (the “Website”) are processed, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national legislation.

1. Data Controller

The Data Controller is:

MIRO’ SRL
Via Curtatone 13, 20122 Milano – Italy
VAT N. 03806770966
Contact email: info@tenutalemarze.eu

2. Categories of personal data processed

The Data Controller processes the following categories of personal data:

  • Dati identificativi e di contatto
    nome, cognome, indirizzo email, numero di telefono
  • Booking and stay-related data
    stay dates, number of guests, selected accommodation, any additional notes
  • Payment data
    processed exclusively through external providers (PayPal or bank transfer); the Data Controller does not store credit card details
  • Technical and browsing data
    anonymised IP address, website usage data, cookies and tracking tools

3. Methods of data collection

Personal data are collected:

  • directly from users through contact forms or booking requests;
  • automatically while browsing the Website (technical data and cookies);
  • through the external booking system Octorate.

The Website does not provide for the creation of user accounts.

4. Purposes of processing and legal bases

Personal data are processed for the following purposes:

  1. Handling contact requests
    Legal basis: pre-contractual measures
  2. Managing bookings and stays
    Legal basis: performance of a contract
  3. Processing payments
    Legal basis: performance of a contract
  4. Administrative, accounting and tax obligations
    Legal basis: legal obligation
  5. Website security and abuse prevention
    Legal basis: legitimate interest of the Data Controller
  6. Statistical analysis of website traffic (GA4)
    Legal basis: user consent
  7. Marketing, remarketing, profiling and personalised offers
    (email marketing, advertising campaigns, promotional communications)
    Legal basis: explicit and revocable user consent

Providing data for marketing purposes is optional and failure to give consent does not affect the use of the main Website services.

5. Processing methods and security measures

Personal data are processed using electronic and IT tools, in compliance with the principles of lawfulness, fairness, transparency and data minimisation.
Appropriate technical and organisational measures are adopted to ensure data security and confidentiality.

6. Data communication and recipients

Personal data are not disclosed but may be communicated to third parties acting as:

  • Data Processors, including:
    • Octorate (booking management)
      hosting and IT service providers
      CookieYes (consent management)
      Google (Google Analytics 4)
      Independent Data Controllers, such as PayPal for payment processing
      An updated list of Data Processors may be requested from the Data Controller.
    • hosting and IT service providers
    • CookieYes (consent management)
    • Google (Google Analytics 4)
  • Independent Data Controllers, such as PayPal for payment processing

An updated list of Data Processors may be requested from the Data Controller.

7. Transfers of data outside the EU

Some services used (e.g. Google, PayPal) may involve transfers of personal data outside the European Union.
Such transfers are carried out in compliance with GDPR safeguards, including adequacy decisions or Standard Contractual Clauses.

8. Data retention period

Personal data are retained only for the time strictly necessary to achieve the purposes for which they were collected, in particular:

  • contact requests: up to 12 months
  • booking and stay data: for the duration of the contractual relationship
  • tax and accounting data: 10 years
  • marketing data: until consent is withdrawn
  • statistical data: in anonymised or aggregated form

9. Data subject rights

Users may exercise, at any time, the rights provided for by Articles 15–22 of the GDPR, including:

  • access to personal data
  • rectification or erasure
  • restriction of or objection to processing
  • data portability
  • withdrawal of consent
  • lodging a complaint with the competent Data Protection Authority

10. How to exercise your rights

Requests may be sent to: info@tenutalemarze.eu
The Data Controller will respond within the time limits provided by applicable law.

11. Cookies and tracking tools

The Website uses technical, analytical and – subject to consent – marketing cookies.
Consent management is handled through CookieYes.
For further information, please refer to the dedicated Cookie Policy.

12. Changes to this Privacy Policy

The Data Controller reserves the right to modify this Privacy Policy at any time.
Any changes will be published on this page with an updated revision date.