Sardinia HomeStay

Last updated: 5 February 2026 (v2)

PRIVACY POLICY

pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR)

www.sardiniahomestay.it

Last updated: February 2026

1. Data controller

The data controller is:

Roberta Loriga

Loc. Canale Longu, 08028 Orosei (NU), Italy

Email: roberta.lorigapm@gmail.com

The Data Controller can be contacted at any time for information regarding the processing of personal data.

2. Types of data collected

The website www.sardiniahomestay.it may collect the following categories of personal data:

2.1 Data provided voluntarily by the user

Identification and contact data: first name, last name, email address, phone number, postal address, provided through contact forms, booking requests, or direct communications.
Booking data: dates of stay, number of guests, preferences, and special requests regarding accommodation.
Payment data: any data necessary for payment management (processed through secure third-party platforms such as PayPal, Stripe, or bank transfer; the Data Controller does not store credit card data).
Identity documents: copy of guests' identity documents, collected in accordance with Article 109 of Royal Decree 773/1931 (TULPS) for communication to public security authorities.

2.2 Data collected automatically

Browsing data: IP address, browser type, operating system, pages visited, time of access, site of origin. This data is collected through computer systems and Internet communication protocols.
Cookies and similar technologies: for details, please refer to the Cookie Policy available on the dedicated page of the website.

3. Purposes and legal basis of processing

Personal data is processed for the following purposes:

Responding to contact and information requests sent by the user

Execution of pre-contractual measures at the request of the data subject

Art. 6, par. 1, letter b)

Management of bookings and the tourist rental contract

Execution of the contract

Art. 6, par. 1, letter b)

Legal obligations: communication to law enforcement authorities, tax and accounting obligations

Legal obligation of the Data Controller

Art. 6, par. 1, letter c)

Website management and IT security

Legitimate interest of the Data Controller

Art. 6, par. 1, letter f)

Sending promotional communications and newsletters (only with prior consent)

Consent of the data subject

Art. 6, par. 1, letter a)

Anonymous statistical analysis of website use

Legitimate interest of the Data Controller

Art. 6, par. 1, letter f)

4. Methods of processing

Personal data is processed using IT and/or paper-based tools, with logic strictly related to the purposes indicated above and, in any case, in such a way as to guarantee the security and confidentiality of the data, in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality (Art. 5 GDPR).

The Data Controller shall implement appropriate technical and organizational security measures to protect the data from unauthorized access, loss, destruction, or alteration.

5. Data retention period

Personal data will be retained for the time strictly necessary to achieve the purposes for which it was collected, and in particular:

Contact and booking data: for the entire duration of the contractual relationship and for the following 10 years, in accordance with tax and civil law obligations.
Identity documents (TULPS): communicated to the police authorities within 24 hours of arrival and stored in accordance with the law.
Browsing data: stored for a maximum of 90 days, unless required for the investigation of crimes by the judicial authorities.
Data for marketing purposes: until the user revokes their consent.
Cookies: according to the specific durations indicated in the Cookie Policy.

At the end of the retention period, the data will be deleted or anonymized in an irreversible manner.

6. Communication and transfer of data

Personal data may be communicated to:

Public Security Authorities: for the mandatory communication of guests' personal details (art. 109 TULPS).
Accountant/tax advisor: for accounting and tax compliance.
IT and hosting service providers: acting as data processors pursuant to Art. 28 GDPR.
Booking platforms: (e.g., Booking.com, Airbnb) within the scope of their respective contractual relationships and privacy policies.
Web analytics services: (e.g., Google Analytics) with anonymized IP addresses, as specified in the Cookie Policy.

Personal data will not be disclosed, i.e., it will not be made known to unspecified parties.

6.1 Transfer outside the EU/EEA

Some of the third-party services used (e.g., Google) may involve the transfer of data to countries outside the EU. In such cases, the transfer is based on:

adequacy decisions by the European Commission (Art. 45 GDPR);
standard contractual clauses approved by the European Commission (Art. 46 GDPR);
or other appropriate safeguards provided for by the GDPR.

The user may request further information by contacting the Data Controller.

7. Rights of the data subject

Pursuant to Articles 15-22 of the GDPR, the data subject has the right to:

Access (Article 15): obtain confirmation that their data is being processed and access the data itself.
Rectification (Article 16): obtain the correction of inaccurate data or the integration of incomplete data.
Erasure (Art. 17): obtain the erasure of their data ("right to be forgotten"), except where required by law.
Restriction (Art. 18): obtain the restriction of processing in certain cases.
Portability (Art. 20): receive your data in a structured format and transfer it to another controller.
Objection (Art. 21): object to processing based on legitimate interest, including direct marketing.
Withdrawal of consent (Art. 7): withdraw consent at any time, without prejudice to the lawfulness of processing based on consent given prior to withdrawal.

To exercise their rights, data subjects may send a request to: roberta.lorigapm@gmail.com.

The Data Controller will respond within 30 days of receiving the request, which may be extended by a further 60 days in complex cases, subject to notification to the data subject.

7.1 Right to complain

The data subject has the right to lodge a complaint with the Italian Data Protection Authority:

Personal Data Protection Authority

Piazza Venezia, 11 – 00187 Rome

www.garanteprivacy.it

Email: protocollo@gpdp.it

PEC: protocollo@pec.gpdp.it

8. Nature of data provision

The provision of personal data is:

Mandatory for data necessary to fulfill legal obligations (e.g., communication to law enforcement authorities, tax obligations) and for the execution of the tourist rental contract. Failure to provide data will make it impossible to provide the service.
Optional for data provided for the purpose of sending promotional communications or newsletters. Failure to provide this data will not affect the use of the service.

9. Automated decision-making processes and profiling

The Data Controller does not carry out automated decision-making processes or profiling activities pursuant to Article 22 of the GDPR that produce legal effects or similarly significantly affect the data subject.

10. Minors

The website is not intended for the direct collection of personal data from minors under the age of 16. If the Data Controller becomes aware that it has collected data from a minor without the consent of a parent or guardian, it will promptly delete such data.

11. Security measures

The Data Controller adopts appropriate technical and organizational security measures pursuant to Article 32 of the GDPR, including:

use of the HTTPS protocol for encrypted data transmission;
access to data limited to authorized persons only;
periodic data backups;
regular updates of the software and systems used.

12. Links to external websites

The site may contain links to third-party websites (e.g., Booking.com, Airbnb, Google Maps, social networks). The Data Controller is not responsible for the processing of personal data carried out by these sites. Users are invited to consult the respective privacy policies before providing their data.

13. Changes to this policy

The Data Controller reserves the right to modify this policy at any time, including as a result of regulatory changes. The changes will be published on this page with an indication of the date of the last update. We recommend that you consult this page periodically.

14. Reference legislation

EU Regulation 2016/679 (GDPR)
Legislative Decree No. 196 of June 30, 2003 (Privacy Code), as amended by Legislative Decree No. 101 of August 10, 2018
Directive 2002/58/EC (ePrivacy Directive)
Royal Decree No. 773 of June 18, 1931 (TULPS) – Art. 109
Applicable guidelines of the Italian Data Protection Authority

15. Contact

For any questions, clarifications, or requests regarding this policy or the processing of personal data, you can contact the Data Controller:

Roberta Loriga

Loc. Canale Longu, 08028 Orosei (NU), Italy

Email: roberta.lorigapm@gmail.com

Last updated: 5 February 2026 (v2)

PRIVACY POLICY

pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR)

www.sardiniahomestay.it

Last updated: February 2026

1. Data controller

The data controller is:

Roberta Loriga

Loc. Canale Longu, 08028 Orosei (NU), Italy

Email: roberta.lorigapm@gmail.com

The Data Controller can be contacted at any time for information regarding the processing of personal data.

2. Types of data collected

The website www.sardiniahomestay.it may collect the following categories of personal data:

2.1 Data provided voluntarily by the user

Identification and contact data: first name, last name, email address, phone number, postal address, provided through contact forms, booking requests, or direct communications.
Booking data: dates of stay, number of guests, preferences, and special requests regarding accommodation.
Payment data: any data necessary for payment management (processed through secure third-party platforms such as PayPal, Stripe, or bank transfer; the Data Controller does not store credit card data).
Identity documents: copy of guests' identity documents, collected in accordance with Article 109 of Royal Decree 773/1931 (TULPS) for communication to public security authorities.

2.2 Data collected automatically

Browsing data: IP address, browser type, operating system, pages visited, time of access, site of origin. This data is collected through computer systems and Internet communication protocols.
Cookies and similar technologies: for details, please refer to the Cookie Policy available on the dedicated page of the website.

3. Purposes and legal basis of processing

Personal data is processed for the following purposes:

Responding to contact and information requests sent by the user

Execution of pre-contractual measures at the request of the data subject

Art. 6, par. 1, letter b)

Management of bookings and the tourist rental contract

Execution of the contract

Art. 6, par. 1, letter b)

Legal obligations: communication to law enforcement authorities, tax and accounting obligations

Legal obligation of the Data Controller

Art. 6, par. 1, letter c)

Website management and IT security

Legitimate interest of the Data Controller

Art. 6, par. 1, letter f)

Sending promotional communications and newsletters (only with prior consent)

Consent of the data subject

Art. 6, par. 1, letter a)

Anonymous statistical analysis of website use

Legitimate interest of the Data Controller

Art. 6, par. 1, letter f)

4. Methods of processing

The Data Controller shall implement appropriate technical and organizational security measures to protect the data from unauthorized access, loss, destruction, or alteration.

5. Data retention period

Personal data will be retained for the time strictly necessary to achieve the purposes for which it was collected, and in particular:

Contact and booking data: for the entire duration of the contractual relationship and for the following 10 years, in accordance with tax and civil law obligations.
Identity documents (TULPS): communicated to the police authorities within 24 hours of arrival and stored in accordance with the law.
Browsing data: stored for a maximum of 90 days, unless required for the investigation of crimes by the judicial authorities.
Data for marketing purposes: until the user revokes their consent.
Cookies: according to the specific durations indicated in the Cookie Policy.

At the end of the retention period, the data will be deleted or anonymized in an irreversible manner.

6. Communication and transfer of data

Personal data may be communicated to:

Public Security Authorities: for the mandatory communication of guests' personal details (art. 109 TULPS).
Accountant/tax advisor: for accounting and tax compliance.
IT and hosting service providers: acting as data processors pursuant to Art. 28 GDPR.
Booking platforms: (e.g., Booking.com, Airbnb) within the scope of their respective contractual relationships and privacy policies.
Web analytics services: (e.g., Google Analytics) with anonymized IP addresses, as specified in the Cookie Policy.

Personal data will not be disclosed, i.e., it will not be made known to unspecified parties.

6.1 Transfer outside the EU/EEA

Some of the third-party services used (e.g., Google) may involve the transfer of data to countries outside the EU. In such cases, the transfer is based on:

adequacy decisions by the European Commission (Art. 45 GDPR);
standard contractual clauses approved by the European Commission (Art. 46 GDPR);
or other appropriate safeguards provided for by the GDPR.

The user may request further information by contacting the Data Controller.

7. Rights of the data subject

Pursuant to Articles 15-22 of the GDPR, the data subject has the right to:

Access (Article 15): obtain confirmation that their data is being processed and access the data itself.
Rectification (Article 16): obtain the correction of inaccurate data or the integration of incomplete data.
Erasure (Art. 17): obtain the erasure of their data ("right to be forgotten"), except where required by law.
Restriction (Art. 18): obtain the restriction of processing in certain cases.
Portability (Art. 20): receive your data in a structured format and transfer it to another controller.
Objection (Art. 21): object to processing based on legitimate interest, including direct marketing.
Withdrawal of consent (Art. 7): withdraw consent at any time, without prejudice to the lawfulness of processing based on consent given prior to withdrawal.

To exercise their rights, data subjects may send a request to: roberta.lorigapm@gmail.com.

The Data Controller will respond within 30 days of receiving the request, which may be extended by a further 60 days in complex cases, subject to notification to the data subject.

7.1 Right to complain

The data subject has the right to lodge a complaint with the Italian Data Protection Authority:

Personal Data Protection Authority

Piazza Venezia, 11 – 00187 Rome

www.garanteprivacy.it

Email: protocollo@gpdp.it

PEC: protocollo@pec.gpdp.it

8. Nature of data provision

The provision of personal data is:

Mandatory for data necessary to fulfill legal obligations (e.g., communication to law enforcement authorities, tax obligations) and for the execution of the tourist rental contract. Failure to provide data will make it impossible to provide the service.
Optional for data provided for the purpose of sending promotional communications or newsletters. Failure to provide this data will not affect the use of the service.

9. Automated decision-making processes and profiling

10. Minors

11. Security measures

The Data Controller adopts appropriate technical and organizational security measures pursuant to Article 32 of the GDPR, including:

use of the HTTPS protocol for encrypted data transmission;
access to data limited to authorized persons only;
periodic data backups;
regular updates of the software and systems used.

12. Links to external websites

13. Changes to this policy

14. Reference legislation

EU Regulation 2016/679 (GDPR)
Legislative Decree No. 196 of June 30, 2003 (Privacy Code), as amended by Legislative Decree No. 101 of August 10, 2018
Directive 2002/58/EC (ePrivacy Directive)
Royal Decree No. 773 of June 18, 1931 (TULPS) – Art. 109
Applicable guidelines of the Italian Data Protection Authority

15. Contact

For any questions, clarifications, or requests regarding this policy or the processing of personal data, you can contact the Data Controller:

Roberta Loriga

Loc. Canale Longu, 08028 Orosei (NU), Italy

Email: roberta.lorigapm@gmail.com

Privacy Policy

PRIVACY POLICY

Loading...

Privacy Policy

PRIVACY POLICY