INFORMATION ON THE PROCESSING OF PERSONAL DATA OF USERS OF THE WEBSITE WWW.BORGOPIGNANO.COM
Pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (“GDPR”), Inspira società agricola a r.l. (“Inspira”), the company that manages the accommodation facility currently operating under the name “Borgo Pignano Tuscany”, and Borgo Pignano Florence S.r.l. (“BPF” and, collectively, “Joint Controllers”), as joint controllers of personal data, inform you that they process personal data relating to the user or browser as well as to other data subjects who will benefit from the stay (“User” or “Data Subject”) obtained through the website borgopignano.com and the sub-pages https://www.borgopignano.com/en/florence and https://www.borgopignano.com/en/tuscany (hereinafter “Website”) in the modalities and for the purposes described below in this privacy notice (the “Notice”).
Inspira and BPF have defined their respective obligations regarding the processing carried out as Joint Controllers through a joint controllership agreement in accordance with Article 26 of the GDPR.
Please note that this Notice is provided only for the Website and not for other websites that may be consulted by the user via links (for which reference should be made to the respective privacy policies).
By browsing the Website, the User acknowledges that they have read and understood the content of this Notice.
1. Contact details of the Joint Controllers and Relais & Châteaux
The Joint Controllers of personal data are Inspira società agricola a r.l., with registered office in Villa Pignano snc, Volterra (PI), tax code and VAT number 01628140509, which can be contacted at the email address [email protected] and Borgo Pignano Florence S.r.l., with registered office in Villa Pignano snc, Volterra (PI), tax code and VAT number 02407820501, which can be contacted at the email address [email protected]. The Joint Controllers have defined their respective obligations in this regard by means of an agreement, pursuant to Article 26 of the GDPR.
The Joint Controllers have appointed a Data Protection Officer who can be contacted at the following email address: [email protected].
Please note that when the Joint Controllers process User data as part of the Relais & Châteaux Customer Recognition Program (such as “Guest Recognition” and “Les Amis”) of which Inspira and BPF are members, the processing is carried out jointly by the Joint Controllers and Relais & Châteaux, with registered office at 58-60 rue de Prony, 75017 Paris, which can be contacted at the e-mail address [email protected] (“Relais & Châteaux”), whose privacy notice is available at the following link: privacypolicy_it.pdf.
The Joint Controllers and Relais & Châteaux have defined their respective obligations regarding the processing carried out within the Customer Recognition Program as Joint Controllers through a joint controllership agreement in accordance with Article 26 of the GDPR. In general, this agreement provides that Relais & Châteaux has a predominant role in defining the main purposes, means of processing, storage periods and applicable security measures.
2. Types of personal data processed by the Joint Controllers
The Joint Controllers process the following types of personal data of Users who browse and interact with the Website's services. Information regarding additional data subjects who will benefit from the stay will be processed if provided by the User, for the purposes described below, in accordance with applicable law. The User guarantees that the personal data relating to additional data subjects who will benefit from the stay will be provided with the consent of the data subjects, taking care to inform them of the information contained in this Notice, in compliance with the provisions of the GDPR. In particular, the Joint Controllers process the following types of personal data of Users:
2.1. Browsing data
The operation of the Website involves the use of computer systems and software procedures that acquire, during their normal operation, some personal data relating to web navigation, the transmission of which is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category includes, for example, IP addresses, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request and other parameters relating to the user's operating system and IT environment. This data is used to check the correct functioning of the Website and for the anonymous processing of statistical information on the use of the Website. Furthermore, the data may be used for the possible legal defence of rights, as well as for the fulfilment of regulatory obligations to respond to requests from judicial authorities and judicial police.
In addition, data relating to traffic and navigation logs on linked websites may be processed.
With regard to the use of cookies installed through the Website and other online tracking devices, the User is invited to consult the Cookie Policy.
2.2. Data provided voluntarily by the User through the Website
Users are not required to provide personal data to visit the Website. Therefore, if the User wishes to avoid the processing of their data by the Joint Controllers, they are invited not to interact with the various features of the Website or, at least, to provide as little personal data as possible.
However, when the User interacts with the various features of the Website, certain mandatory and optional data provided directly by the User are collected by the Joint Controllers. Mandatory data are marked with an asterisk (*). In particular:
Data provided by the User when booking through the Website
In order to make a booking through the Website, the following personal data is collected and processed:
- identification data such as name, surname, date of birth, place of birth, gender, title, marital status, identity document, residence and/or domicile address (e.g. address, postcode, city, province);
- contact details such as e-mail address, telephone number;
- data relating to any preferences regarding the stay, activities of interest during the stay, marketing choices, tastes, interests, habits and communication preferences and profiling data based on the history of services purchased and preferences expressed through the Website, information on comparative prices, surveys, statistics (where the User has given his/her consent);
- data relating to services purchased through the Website;
- payment details such as payment method details, bank details, payment card details, cardholder details, anti-fraud information;
- additional special category data provided by the User, which may include data relating to disabilities, requests for assistance and/or accompaniment, intolerances, allergies and/or additional data relating to any special needs of the User (where the User has given his/her consent).
With regard to special category data, the Joint Controllers invite the User to provide only the data deemed strictly necessary for the purposes of booking and subsequent stay.
Data provided by the User through the e-commerce area of the Website
When the User uses the e-commerce service, the following personal data is collected and processed:
- identification data such as name, surname, delivery address (e.g. address, postcode, city, province);
- contact details such as e-mail address, telephone number;
- payment and billing data such as payment method details, bank details, payment card details, cardholder information, anti-fraud information;
- data relating to purchases made through the Website and profiling data based on the history of products purchased and preferences expressed through the Website, marketing choices, communication interests and preferences, information on comparative prices, surveys, statistics (where the User has given their consent).
Data provided by the User through the “Celebrations” area of the Website
When the User uses the services through the “Celebrations” area of the Website, the following personal data is collected and processed:
- identification data such as name, surname;
- contact details such as e-mail address, telephone number;
- data relating to the wedding such as attendees, wedding date, alternative wedding date, number of guest rooms, budget, additional notes.
Additional data provided
The Joint Controllers may process the following User data collected through the completion of contact forms in the "Contacts" section, as well as through the newsletter subscription form:
- identification data such as first and last name;
- contact details such as e-mail address, telephone number;
- data contained in communications sent, including any attachments;
- data relating to any User preferences.
2.3. Data provided voluntarily by the User as part of the Relais & Châteaux Customer Recognition Program
If the User joins the Relais & Châteaux Customer Recognition Program and has an associated account created through Relais & Châteaux, the Joint Controllers and Relais & Châteaux process the following types of personal data of Users for the purposes of guest reception and loyalty:
- identification data such as name, surname, date of birth, place of birth, gender, title, marital status, identity document, residence and/or domicile address (e.g. address, postcode, city, province);
- contact details such as e-mail address, telephone number;
- data relating to any preferences regarding your stay, activities of interest during your stay, marketing choices, tastes, interests, holiday habits and communication preferences, booking and order history;
- payment data such as payment method details, bank details, payment card details, cardholder details, anti-fraud information.
3. Purpose and legal basis of processing
3.1. Purpose and legal basis of processing by the Joint Controllers
Personal data is collected and processed for the following purposes:
| Purposes of processing | Legal basis for processing | Nature of provision |
| --- | --- | --- |
| a) to allow Users to browse the Website and use the related services offered by the Joint Controllers through it. | Article 6, paragraph 1, letter b) of the GDPR: for the performance of a contract to which the data subject is party or of pre-contractual measures taken at the request of the data subject. | The provision of personal data is necessary and does not require your consent. Any refusal to provide data may make it impossible for the Joint Controllers to: (i) comply with the services requested; (ii) manage bookings, product purchase requests and requests for information; (iii) manage applications and the staff selection process; (iv) pursue the legitimate interests of the Joint Controllers; (v) fulfil legal obligations. Providing such data is not a legal or contractual requirement; however, the provision of data is necessary to establish a contractual relationship with the User and to follow up on requests received from the User. |
| b) manage requests for accommodation bookings via the Website. The processing may include special category data (such as data relating to disabilities, intolerances, allergies and/or additional data relating to any special needs) where voluntarily and consensually provided by the User. | Article 6, paragraph 1, letter b) of the GDPR: for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Article 9, paragraph 2, letter a) of the GDPR: consent of the data subject. |  |
| c) to manage requests for the purchase of products from the Joint Controllers received through the e-commerce area of the Website. | Article 6, paragraph 1, letter b) of the GDPR: for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. |  |
| d) Managing requests for information from the User. | Article 6, paragraph 1, letter b) of the GDPR: for the performance of a contract to which the data subject is party or of pre-contractual measures taken at the request of the data subject. |  |
| e) managing requests for information from the User through the “Celebrations” section and the subsequent stages of contact and planning. | Article 6, paragraph 1, letter b) of the GDPR: for the performance of a contract to which the data subject is party or of pre-contractual measures taken at the request of the data subject. |  |
| f) to follow up on the User's request to subscribe to the Joint Controllers' newsletter relating to informative communications of an editorial and informative nature. | Article 6, paragraph 1, letter b) of the GDPR: for the performance of a contract to which the data subject is party or of pre-contractual measures taken at the request of the data subject. |  |
| h) preventing unlawful acts through the Website and for anti-fraud purposes. | Article 6, paragraph 1, letter f) of the GDPR: for the pursuit of a legitimate interest of the Joint Controllers. |  |
| h) to protect the rights of the Joint Controllers in the event of any legal disputes. | Article 6, paragraph 1, letter f) of the GDPR: for the pursuit of a legitimate interest of the Joint Controllers. |  |
| i) to comply with the legal obligations to which the Joint Controllers are subject. | Article 6, paragraph 1, letter c) of the GDPR: for the fulfilment of legal obligations to which the Joint Controllers are subject. |  |
| j) to send advertising material or commercial communications relating to the Joint Controllers' products and services by post, telephone, automated calling systems, fax, e-mail, SMS, MMS, as well as for the Joint Controllers to carry out market research. | Article 6, paragraph 1, letter a) of the GDPR: consent of the data subject. | The provision of personal data is optional. Any refusal will not affect the provision of the services requested by the User. However, refusal to provide data may result in the non-receipt of commercial communications relating to Inspira and BPF products and services. |
| k) for profiling and/or market analysis of the preferences expressed, in order to create a User profile to send you commercial communications selected on the basis of your preferences or other behavioural aspects, as emerged from the same. | Article 6, paragraph 1, letter a) of the GDPR: consent of the data subject. | The provision of personal data is optional. Any refusal will not affect the use of the services requested by the User. However, refusal to provide data may result in the non-receipt of commercial communications relating to Inspira and BPF products and services selected on the basis of your preferences. |
| l) to send commercial communications (so-called soft spam) relating to products and services similar to those purchased by the User. | Article 6, paragraph 1, letter f) of the GDPR: for the pursuit of a legitimate interest of the Data Controller, taking into account the provisions of Article 130(4) of the Privacy Code, without the User's consent. | The provision of personal data is optional and failure to provide such data will not affect the use of the services requested by the User. |
If the Joint Controllers intend to use the personal data collected for any other purpose incompatible with the purposes for which it was originally collected or authorised, the Joint Controllers will inform the User in advance, and the latter may also refuse or withdraw their consent.
The User may object, at any time (immediately or even subsequently), to the sending of marketing communications and/or soft spam, by sending an objection message from their email address to [email protected], [email protected], or to [email protected], or by clicking on the appropriate link ("unsubscribe") included in every email communication.
3.2. Purpose and legal basis of processing within the Relais & Châteaux Customer Recognition Program
Personal data processed as part of the Relais & Châteaux Customer Recognition Program is processed for the following purposes:
| Purposes of processing | Legal basis for processing | Nature of provision |
| --- | --- | --- |
| a) To improve and personalise the services of Relais & Châteaux and the Joint Controllers, as members of the Relais & Châteaux Association, in line with the requests and preferences of Users who join the Relais & Châteaux Customer Recognition Program. | Article 6, paragraph 1, letter f) of the GDPR: for the pursuit of a legitimate interest of Relais & Châteaux and the Joint Controllers, as hotels that are members of the Relais & Châteaux Association. | The provision of personal data is optional. Refusal to provide such data will not affect the provision of the services requested by the User. However, refusal to provide data may result in the User not receiving personalised services in line with their expectations and preferences. |
| b) Managing, monitoring and improving customer relations, measuring the quality of the stay and the degree of satisfaction (in particular pre- and post-booking questionnaires). | Article 6, paragraph 1, letter f) of the GDPR: for the pursuit of a legitimate interest of Relais & Châteaux and the Joint Controllers, as hotel establishments that are members of the Relais & Châteaux Association. |  |

For more information on the processing activities carried out by Relais & Châteaux, please consult the Relais & Châteaux privacy notice, available at the following link: privacypolicy_it.pdf.
4. Methods of processing
Within the organisational structure of Inspira and BPF, personal data will be processed by persons authorised to do so acting under the authority of the Joint Controllers, who have been adequately trained by the Joint Controllers themselves, mainly using electronic systems in accordance with the principles applicable to the processing of personal data pursuant to Article 5 of the GDPR.
Please note that the profiling system adopted by the Joint Controllers, on the basis of which data relating to the services and products you have purchased may be processed, subject to your consent, is based on the analysis of purchases made and preferences expressed through the Website.
Processing relating to the Relais & Châteaux Customer Recognition Program is carried out within the organisational structure of the Joint Controllers and Relais & Châteaux and within the Relais & Châteaux group.
5. Data retention period
The data will be stored for the period necessary to fulfil legal obligations. The criteria used to determine the applicable retention period are as follows: the personal data covered by this Policy will be retained for the time necessary (i) to manage the contractual relationship with the User, (ii) to manage complaints or specific requests from the User, (iii) to assert rights in court, and (iv) for the time required by applicable law.
Furthermore, with regard to processing for the purposes referred to in point 3.1(f), the data may be retained by the Joint Controllers for the duration of the subscription to the newsletter and/or until the User exercises their right to object to receiving the newsletter.
Finally, with regard to processing for the purposes referred to in point 3.1(j), the data may be stored by the Joint Controllers for a period of 24 months from the date of acquisition of consent and, with regard to processing for the purposes referred to in point 3.1(k), the data may be stored by the Joint Controllers for a period of 12 months from the date of acquisition of consent.
The Joint Controllers reserve the right, before the end of the defined retention period, to send the User a request to renew their consent, in the most appropriate manner and in compliance with the legislation on the protection of personal data.
The data processed by the Joint Controllers as part of the Relais & Châteaux Customer Recognition Program for the purposes referred to in point 3.2(a) are accessible to the Joint Controllers only for the time necessary to prepare and monitor the relevant bookings (i.e. up to a maximum of one month before the stay and one month after departure) and, for the purposes referred to in point 3.2(b), up to 2 years after the last contact with the Joint Controllers.
For the retention periods of personal data processed through cookies, please refer to the Cookie Policy.
6. Scope of data communication and categories of recipients
Exclusively for the purposes specified above, the data collected, recorded and processed may be processed by external parties who perform certain organisational, technical and security activities on behalf of the Joint Controllers related to the management of the Website and the provision of related services (e.g., IT and telematic service companies), operating as data processors under specific contracts in place with the Joint Controllers.
Data may also be disclosed to third-party intermediaries (travel agencies, booking platforms), strategic partners and related advisors, as well as professionals (such as legal advisors and auditors). Some of the above recipients may process personal data, as independent data controllers, for the purposes and in the manner provided for in their respective privacy policies. In this case, we recommend that you review the privacy policies prepared by these entities as data controllers.
The data collected as part of the Relais & Châteaux Customer Recognition Program is shared with Relais & Châteaux, as joint controller, under the joint controllership agreement in accordance with Article 26 of the GDPR.
Furthermore, where necessary, the data may be disclosed to the competent authorities and other public entities that request it on the basis of current regulations and in relation to investigations and proceedings relating to the prevention, detection and prosecution of crimes, as well as to the legal defence of rights.
The complete list of these entities or categories of entities is available at the Joint Controllers' headquarters and may be requested by sending a communication to the contact details indicated in paragraph 1 of this Notice.
Personal data will not be disclosed.
7. Transfer of data to third countries outside the EU
In general, personal data will not be transferred outside the EU.
However, if they are transferred to third countries outside the EU, this will only be done in accordance with the decisions of the European Commission that have recognised the adequacy of the data protection regulations in force in those countries, or on the basis of adequate safeguards (such as standard contractual clauses or binding corporate rules for groups), or, in the absence of such conditions, if the transfer is authorised by the User or necessary for the performance of the contract with or in favour of the User. In any case, if the data is transferred outside the EU, the Joint Controllers will provide the information required under Article 13(1)(f) of the GDPR.
Data collected as part of the Relais & Châteaux Customer Recognition Program may be transferred by Relais & Châteaux to third parties located outside the EU on the basis of adequate safeguards to govern such transfers. For more information on the third countries to which personal data may be transferred and the related safeguards adopted by Relais & Châteaux, please refer to the Relais & Châteaux privacy notice, available at the following link: privacypolicy_it.pdf.
8. Rights of Data Subjects
Within the limits set out in Article 2-undecies of Legislative Decree No. 30/2003, as amended and supplemented by Legislative Decree No. 101/2018 ("Privacy Code"), the User has the right to exercise at any time the rights recognised by Articles 15 to 22 and 77 of the GDPR, as briefly summarised below:
- Right of access: you may request information about the processing that the Joint Controllers carry out on your data or confirmation that the Joint Controllers process your personal data. In this case, you may request the Joint Controllers to provide a copy of your data and to verify which data we hold.
- Right to rectification: you have the right to request that the Joint Controllers rectify your personal data if it is incorrect, including the right to request the integration of incomplete personal data.
- Right to erasure: you have the right to request that the Joint Controllers erase the data (or part thereof) that you have provided to us, including data that does not need to be retained for the purposes for which it was collected or otherwise processed.
- Right to restriction of processing: you may request the Joint Controllers to restrict the processing of your personal data if the conditions laid down by law are met.
- Right to object: you may object to the processing of your personal data, unless there is an overriding legitimate reason for continuing such processing.
- Right to portability: you may obtain from the Joint Controllers, in a structured, commonly used and machine-readable format, the personal data you have provided, for the purpose of transmitting it to another party. This right is applicable in cases where the Joint Controllers process such data using automated tools, on the basis of consent or for the purpose of providing services.
- Withdrawal of consent: if the processing is based on consent, you may withdraw it at any time, without prejudice to the lawfulness of the processing carried out prior to such withdrawal.
- Right not to be subject to automated decision-making: you may request not to be subject to processing based solely on automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right may not be exercised if: (i) the processing is necessary for the conclusion of a contract between you and the Joint Controllers; (ii) the processing is authorised by law; (iii) the processing is based on your consent.
- Right to lodge a complaint with the Supervisory Authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent Supervisory Authority if you believe that the processing operations violate the current legislation on the protection of personal data.
Without prejudice to the procedures established by the Data Protection Authority for lodging a complaint, for all other rights you may send a request to the Joint Controllers using the contact details indicated in paragraph 1 of this Notice.
With regard to the implementation of the User's rights for processing carried out by the Joint Controllers and by Relais & Châteaux as part of the Relais & Châteaux Customer Recognition Program, the User may submit their requests to both the Joint Controllers and Relais & Châteaux, with the clarification that, for greater effectiveness, only Relais & Châteaux will be responsible for any updates to personal data on shared tools.
This Notice is subject to change. We therefore recommend that you check this web page regularly and take into account the most up-to-date version of the policy contained therein.
Updated in September 2025