Privacy Policy

Privacy Policy


Al San Michele » di Bonomi Marisa, via san Michele 2 – 28838 Stresa (VB), P.IVA 02230560035 (hereinafter, the « Data Controller »), in its capacity as data processor, informs you, pursuant to Art. 13 EU Regulation no. 2016/679 (hereinafter, the « GDPR »), that your data, in relation to your navigation on our website, will be processed in the following ways and for the following purposes:


1) Object of processing

The Data Controller processes the personal data, which you (hereinafter referred to as « the Data Subject ») provide for the sole purpose of responding to your requests and may only be disclosed to third parties if this is necessary for that purpose.

2) Purpose of processing

Your personal data are processed without your express consent art. 6 lett. b), e) GDPR), for the following purposes:

  • to manage customer relations and for the coordination of accounting, orders, invoicing and any litigation;
  • to perform operations connected with and instrumental to the acquisition of information prior to the conclusion of bookings
  • to fulfil obligations under applicable laws or regulations, including EU regulations;
  • process a contact request
  • process a request for quotation;
  • to fulfil obligations required by law, regulation, Community legislation or an order of the Authority
  • prevent or detect fraudulent activities or abuses harmful to the Site;
  • exercise the rights of the Controller, such as the right to exercise a right in court.

In the above cases, the legal basis for the processing of your personal data is to perform a contract with you or to provide the service you have specifically requested or to comply with a legal obligation or to protect our legitimate interest.

We do not intend to collect personal information from anyone under the age of 16. If you are under the age of 16, you should not make an online booking or any enquiry but ask a parent to do so on your behalf.

3) Method of processing

The processing of your personal data is carried out by means of the operations indicated in art. 4 Privacy Code and art. 4 n. 2) GDPR and precisely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data are subject to both paper and electronic and/or automated processing.

4) Storage time of processed data

Data are processed and kept for the time required by the purposes for which they were collected.


  • Personal Data collected for purposes related to the performance of a contract between the Data Controller and the User will be retained until the performance of such contract is completed.
  • Personal Data collected for purposes related to the legitimate interest of the Data Controller will be retained until such interest is satisfied. The User may obtain further information regarding the legitimate interest pursued by the Controller in the relevant sections of this document or by contacting the Controller.

At the end of the retention period the Personal Data will be deleted. Therefore, at the end of this period, the right of access, cancellation, rectification and the right to Data portability can no longer be exercised.

5) Processing of navigation data

The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This information is not collected in order to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified.

This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment.

This data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct operation. The data could also be used to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the site.

Links to other sites

The sites we link to, including (but not limited to) secondary sites and third party service providers, may have a different privacy policy than the one set out here.

We take no responsibility for the privacy policies of linked sites and therefore encourage you to be aware of them.

6) Security measures

The Data Controller has adopted a variety of security measures to protect your data against the risk of loss, misuse or alteration. In particular: it has adopted the measures set out in Articles 32-34 of the Privacy Code and Article 32 of the GDPR; it uses data encryption technology and protected data transmission protocols.

7) Data access

Your data may be made accessible for the purposes set out in Articles 2.A) and 2.B)

  • to collaborators of the Data Controller, in their capacity as data processors;
  • to third party companies or other entities that perform outsourcing activities on behalf of the Controller, in their capacity as data processors.

8) Communication of data

Without your express consent (ex art. 24 lett. a), b), d) Privacy Code and art. 6 lett. b) and c) GDPR), the Data Controller may communicate your data to Supervisory Bodies, Judicial Authorities as well as to all other subjects to whom communication is compulsory by law for the fulfilment of the aforementioned purposes. Your data will not be disseminated.

9) Data transfer

The management and storage of personal data will take place in Europe, on servers located in Italy of the Data Controller and/or third party companies appointed and duly appointed as Data Processors.

10) Nature of data conferment and consequences of refusal to answer

The provision of data for the purposes set out in Art. 2 is compulsory as it is necessary to respond to requests for information.

11) Rights of the data subject

In accordance with the provisions of Chapter III, Section I, GDPR, you may exercise the rights set forth therein and in particular:

Right of access – To obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to receive information relating, in particular, to: the purposes of the processing, the categories of personal data processed and the period of storage, the recipients to whom the data may be disclosed (Article 15, GDPR);

Right to rectification – Obtain, without undue delay, rectification of inaccurate personal data concerning you and supplementation of incomplete personal data (Article 16, GDPR);

Right to erasure – Obtain, without undue delay, the erasure of personal data concerning you, in the cases provided for in the GDPR (Article 17, GDPR);

Right to restriction – Obtain from the Controller the restriction of processing, in the cases provided for by the GDPR (Article 18, GDPR); 

Right to portability – To receive, in a structured, commonly used and machine-readable format, the personal data concerning you provided to the Controller, as well as to obtain that it be transmitted to another controller without hindrance, in the cases provided for by the GDPR (Article 20, GDPR);

Right to object – Object to the processing of personal data concerning you, unless there are legitimate grounds for the Data Controllers to continue the processing (Article 21, GDPR);

Right to complain to the supervisory authority – Complain to the Italian Data Protection Authority, Piazza di Montecitorio n. 121, 00186, Rome (RM).

12) Modalities for exercising rights

You may exercise your rights at any time by sending

  • a registered letter with return receipt to: « Al San Michele » di Bonomi Marisa, via san Michele 2 – 28838 Stresa (VB)
  • an e-mail to:

13) Questions or concerns

If at any time you believe that the Owner has not followed the above policy, please let us know by sending an email to and we will do our best to identify and resolve any concerns.

14) Changes to this Policy

This Policy is subject to change. We therefore recommend that you check this Policy regularly and refer to the most up-to-date version. The latest version of the Privacy Policy is posted on this page, indicating the date it was last updated.

Last updated on 02 July 2023

This document has been translated using automatic translation software.
For any linguistic questions or doubts, the reference text is that in the Italian language.