Privacy Policy

Last updated: 1 May 2026 · Version 1.0

This Privacy Policy describes how Budoni Holiday Homes processes personal data collected through the website www.budonicasevacanze.com in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

1. Data Controller

Tonio Tuvoni — manager of Budoni Holiday Homes
Email: [email protected]
WhatsApp: +39 342 111 4620

2. Types of data processed

When you fill out the "Request a quote" form on the Booking page, we collect:

Identification data: first name, last name, email address, phone number
Request-related data: desired stay dates, number of adults/children, property of interest, optional message
Technical data: IP address, country of origin, browser user agent (automatically collected for security and fraud prevention purposes)
Consents: consent to data processing, optional marketing consent

3. Purpose and legal basis of processing

Purpose	Legal basis	Retention
Response to quote request (phone/WhatsApp/email contact)	Performance of pre-contractual measures (Art. 6.1.b GDPR)	2 years from last contact
Site security (fraud prevention, anti-bot, rate limiting)	Legitimate interest (Art. 6.1.f GDPR)	30 days (access logs)
Promotional communications (seasonal offers, last-minute)	Optional explicit consent (Art. 6.1.a GDPR)	Until consent is revoked
Tax and accounting obligations (in case of booking)	Legal obligation (Art. 6.1.c GDPR)	10 years (tax regulations)

4. Processing methods and service providers

Data is processed with electronic tools and protected by adequate security measures (HTTPS encryption, administrative authentication, firewall, security logs, periodic backups). It may be shared with the following entities, identified as external processors:

Cloudflare, Inc. (USA) — hosting, CDN, security (signed DPA, SCC standard contractual clauses)
Resend (Resend.com Inc., USA) — transactional email delivery (DPA, SCC)
Meta Platforms Ireland Ltd. — sending WhatsApp Business messages (DPA, data stored in EU)
Stripe Payments Europe Ltd. (Ireland) — only in case of online deposit payment

Data is never sold or transferred to third parties for commercial purposes other than those declared.

5. Non-EU transfers

Some providers (Cloudflare, Resend) are based in the United States. Transfers are based on Standard Contractual Clauses (SCC) approved by the European Commission or adherence to equivalent mechanisms (Data Privacy Framework).

6. Data subject rights (Art. 15–22 GDPR)

You have the right to:

Access your data and receive a copy
Correct inaccurate data
Erase data (right to be forgotten), subject to legal obligations
Restrict processing
Object to processing for legitimate interest or marketing
Receive data in a portable format
Withdraw consent at any time (without affecting the lawfulness of previous processing)
Lodge a complaint with the Italian Data Protection Authority

To exercise these rights, write to [email protected]. Response within 30 days.

Right to be forgotten: To delete ALL your data from our system, send a request to [email protected] with the subject "Data deletion request". Deletion is irreversible.

7. Cookies and similar technologies

The site does NOT use profiling, third-party or tracking cookies. Only the following are present:

Technical session cookies (necessary for operation), duration: browser session
Cloudflare Turnstile (privacy-friendly anti-bot verification, no persistent fingerprinting) on the booking page
Technical local storage (language preferences, no PII)

We do not use Google Analytics or advertising profiling tools. Web fonts are self-hosted (no requests to Google Fonts).

8. Data security

We adopt technical and organisational measures appropriate to the risk (Art. 32 GDPR):

TLS 1.3 encryption in transit (mandatory HTTPS, HSTS preload)
At-rest database encryption (Cloudflare D1)
Administrative authentication with cryptographic keys, audit log of admin actions
Application firewall (WAF) and anti-bot protection (Turnstile, rate limiting)
Periodic backups with controlled retention
HMAC signature verification on external webhooks (Stripe, Meta WhatsApp)
Regular security updates and periodic penetration testing

9. Retention and automatic deletion

Lead data is retained for 2 years from last contact. Technical security data (IP, logs) is automatically deleted after 30 days. Administrative data (admin audit log) is retained for 90 days. Data related to actually completed bookings is retained for 10 years for tax purposes.

10. Changes to the Privacy Policy

Any updates will be published on this page with the update date. We invite you to consult it periodically. Substantial changes will be communicated by email to those who have given marketing consent.

← Back to home