Privacy Policy – Adagio Umbro
Last update: March 12, 2026
1) Data Controller
Controller: Adagio Umbro – Xanadu srl
Address: Loc. Sustrico 4 (Mustaiole 30), 06049 Spoleto (PG), Italy
Email: info@adagioumbro.it
Phone: +39 351 406 4726
2) Types of data processed
- Personal identification and contact details (name, surname, birth data, ID/passport, email, phone).
- Booking and service data (accommodation via Motopress Hotel Booking Pro, tennis court via BookingPress, dates, preferences, payment references – without storing full card details).
- Fiscal and administrative data (billing).
- Navigation data and cookies (IP address, technical logs, identifiers).
- Communications via email, WhatsApp Business (Joinchat), social media.
3) Purposes and legal basis
- Booking management (accommodation, tennis court, related services). Legal basis: contract execution (Art. 6.1.b GDPR).
- Public security obligations (guest data transmission to Italian Police Authority – art. 109 T.U.L.P.S.). Legal basis: legal obligation (Art. 6.1.c).
- Administrative and fiscal obligations. Legal basis: legal obligation (Art. 6.1.c).
- Faster check-in for future stays. Legal basis: consent (Art. 6.1.a), revocable anytime.
- Marketing and newsletter communications. Legal basis: consent (Art. 6.1.a).
- IT security and legal protection. Legal basis: legitimate interest (Art. 6.1.f).
4) Data retention
- Contractual and fiscal data: 10 years.
- Guest check-in data: transmitted to Police Authority as required by law and not stored by the Controller.
- Future check-in data: up to 24 months or until consent withdrawal.
- Marketing data: until consent withdrawal.
- Technical logs: max 24 months.
5) Data recipients
- Italian Police Authority (Questura).
- Tax and legal consultants.
- Technical providers (hosting, maintenance, WordPress plugins, antispam, security).
- Payment providers (Stripe, PayPal) as independent controllers.
Personal data will not be publicly disclosed.
6) Services and third parties
- Hosting/Platform: Aruba – WordPress Managed Hosting (EU).
- Booking: Motopress Hotel Booking Pro (accommodation), BookingPress (tennis court).
- Cookie consent: CookieYes (WordPress plugin).
- Communication: Email, WhatsApp Business (Joinchat), Social Media (Instagram, TikTok, Facebook, X, Pinterest, YouTube).
- Payments: Stripe and PayPal.
- Other services: Google Maps; Google Analytics 4 (traffic analysis and website performance measurement; configured to anonymize IP addresses and collect aggregated statistics about website usage); Google Fonts (may involve requests to Google servers to display typography on the website); WooCommerce.
7) Data transfers outside EU/EEA
Some providers (Stripe, PayPal, Meta, Google, TikTok) may process data outside the EU/EEA. Transfers are carried out under GDPR rules (adequacy decisions, Standard Contractual Clauses, and supplementary safeguards if required). Transfers may rely on adequacy decisions such as the EU-US Data Privacy Framework, Standard Contractual Clauses (SCC), or other safeguards provided by GDPR.
8) Processing methods and security
Data is processed lawfully, fairly and transparently, using paper and electronic tools. We apply appropriate security measures (HTTPS, backups, access control, logging).
9) Video surveillance
Certain external areas of the Adagio Umbro property are monitored by video surveillance systems for security purposes. Video surveillance is used exclusively to:
- protect the property, facilities, guests and visitors;
- prevent unauthorized access, theft or damage;
- ensure the security of the premises.
The property where Adagio Umbro operates is a private property. Cameras are positioned only in external areas and are not used to monitor private spaces. The processing of images is based on the legitimate interest of the Controller in protecting the property and ensuring security (Art. 6.1.f GDPR). Recorded images are accessible only to authorized persons and may be communicated to competent authorities if required by law. Unless required for investigations or legal obligations, video recordings are generally retained for a limited period not exceeding 72 hours. Areas subject to video surveillance are clearly indicated by appropriate signage.
10) Data subject rights
You have the rights under GDPR (Articles 15–22): access, rectification, erasure, restriction, objection, portability.
You can withdraw consent at any time.
To exercise your rights, please write to: info@adagioumbro.it.
You can also lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
11) Cookies and similar technologies
The site uses technical (necessary) cookies and, upon consent, analytics and marketing cookies. Consent is managed via CookieYes.
- On first visit, a banner appears with Accept / Reject / Customize options.
- Choices can be changed anytime via the “Manage Cookie Consent” link in the footer.
- The full and updated list of cookies is available in the Cookie Policy generated by Complianz.
12) Marketing communications
We may send newsletters and promotional offers only with your consent. You can unsubscribe anytime via the “unsubscribe” link in our emails, by sending STOP via WhatsApp/SMS, or by writing to info@adagioumbro.it.
13) Minors
Our services are restricted to guests aged 18+ for the B&B and 14+ for the tennis court. We do not knowingly process data of children under these ages. If you believe a minor’s data was provided, please contact us for removal.
14) Updates
This Privacy Policy may be updated due to legal or service changes. The latest version will always be published on this page.
Annex A – Data Processing Map
| Data | Purpose | Legal basis | Recipients | Retention |
|---|---|---|---|---|
| Identification, contact | Quotes, bookings | Art. 6.1.b GDPR | Controller; Motopress; BookingPress | 12 months (quotes) / duration of contract |
| Guest details | Transmission to Police Authority | Art. 6.1.c GDPR | Questura | Technical time needed |
| Fiscal data | Billing | Art. 6.1.c GDPR | Consultants; Tax Authority | 10 years |
| Preferences/Notes | Service personalization | Art. 6.1.b / 6.1.a GDPR | Controller | Duration of contract / until withdrawal |
| Marketing data | Newsletter, offers | Art. 6.1.a GDPR | Controller | Until withdrawal |
| Technical logs/IP | Site security | Art. 6.1.f GDPR | IT providers | Time necessary for security and technical monitoring, generally not exceeding 12–24 months depending on hosting provider policies |
