Vezpa - Property Management System
Compliance with EU Regulation 2016/679, the UK GDPR and the Data Protection Acts 2018
Last updated: 19 April 2026 - UK & Ireland edition (en-GB / en-IE)
This edition of the notice addresses two distinct legal regimes: the EU GDPR for users habitually resident in the Republic of Ireland and the UK GDPR for users habitually resident in the United Kingdom. While the substantive obligations are largely aligned, the regimes differ in their supervisory authority, complaint mechanism and rules on international data transfers, particularly to the United States.
Following the United Kingdom's withdrawal from the European Union, the EU GDPR was retained as part of UK domestic law as the UK GDPR, by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The UK GDPR operates alongside the Data Protection Act 2018 (DPA 2018), which supplements the GDPR (Part 2), implements the Law Enforcement Directive (Part 3) and addresses processing by the intelligence services (Part 4).
For users in the United Kingdom, additional national rules to be considered include:
UK Supervisory Authority - Information Commissioner's Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Helpline: 0303 123 1113 (UK) or +44 1625 545 700
Live chat and online complaint form: ico.org.uk/make-a-complaint/
Web: ico.org.uk
For users habitually resident in the Republic of Ireland, the EU GDPR continues to apply directly, as supplemented by the Irish Data Protection Act 2018 (No. 7 of 2018), which gives further effect to the GDPR and transposes the Law Enforcement Directive into Irish law. Additional Irish national rules include:
Irish Supervisory Authority - Data Protection Commission (DPC):
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Phone: +353 (0)761 104 800 / +353 (0)57 868 4757
Online complaint form: forms.dataprotection.ie/raise-a-concern
Web: www.dataprotection.ie
Vezpa is established in Italy, an EU Member State, and processes personal data primarily within the European Economic Area. For the limited transfers to third countries described in section 7 of this notice, the following safeguards apply specifically to UK and Irish users:
The Vezpa marketing website at vezpa.it serves users in the United Kingdom and Ireland in accordance with both PECR and S.I. No. 336/2011. Strictly necessary cookies (session, security, load balancing) are placed without consent under regulation 6(4) PECR (UK) and regulation 5(5) S.I. 336/2011 (Ireland). Non-essential cookies, including those set by Google Ads conversion tracking on landing pages, are loaded only after the user has given specific, freely given, informed and unambiguous consent through our cookie banner. Consent is recorded with a timestamp and can be withdrawn at any time via the cookie preferences link in the footer.
Vezpa relies on the "soft opt-in" mechanism for marketing to existing customers under regulation 22(3) PECR (UK), regulation 13(11) S.I. 336/2011 (Ireland) and Article 130(4) of Italian Legislative Decree 196/2003. This means that, where Vezpa has obtained your contact details in the course of a previous service or sale of similar products, we may send you electronic marketing about similar Vezpa services, provided that you are given a clear and free opportunity to object both at the time the details are collected and in every subsequent communication. To opt out, click the unsubscribe link in any marketing email or write to [email protected] with the subject line "Stop marketing".
Under both the UK GDPR and the EU GDPR, supervisory authorities may impose administrative fines of up to 20 million euros (or 17.5 million pounds sterling under the UK GDPR) or up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) GDPR / UK GDPR). The ICO and the DPC additionally publish enforcement notices and decisions on their respective websites; users may consult these to verify Vezpa's compliance posture and to assess the broader risk landscape for accommodation businesses.
This notice describes how Vezpa di Paolo Vezzola (hereinafter "Vezpa" or "We") processes personal data in compliance with:
This notice applies to:
Vezpa operates in two distinct roles:
Data Controller:
Vezpa di Paolo Vezzola
Registered office: Desenzano del Garda (BS), 25015, via San Zeno 67
VAT No.: 04449070988
Tax Code: VZZPLA84C10D284C
PEC: [email protected]
Email: [email protected]
| Category | Type of Data | Mandatory |
|---|---|---|
| Identification data | First name, surname, date of birth, tax code | Mandatory |
| Contact data | Email, telephone, address | Mandatory |
| Company data | Company name, VAT No., property details | Mandatory |
| Payment data | IBAN, credit card (via Stripe) | Mandatory for subscription |
| Usage data | Access logs, IP, activity on the platform | Automatic |
| Communications data | Email, support chat, tickets | Voluntary |

| Category | Type of Data | Legal Basis (of the Controller) |
|---|---|---|
| Personal details | First name, surname, date and place of birth, nationality, gender | Legal obligation (Italian Consolidated Public Security Act (TULPS), art. 109 and equivalent EU regulations) |
| Identity document | Type, number, date of issue, issuing authority, scanned or photographic image | Legal obligation |
| OCR extraction | Textual data extracted automatically from the document (name, date, number) | Performance of contract (Art. 6.1.b) - only to facilitate data entry |
| Contact data | Email, telephone, address | Performance of contract |
| Booking data | Stay dates, number of guests, room, rates, meal plan | Performance of contract |
| Payment data | Transactions, receipts (card data handled by Stripe, not stored on Vezpa) | Performance of contract + tax obligation |
Identity documents acquired may contain elements that qualify as "special" pursuant to Art. 9 GDPR, typically:
Lawfulness of processing: Art. 9.2.b (fulfilment of obligations in the field of employment, security and social protection), 9.2.g (substantial public interest reasons - public security records) and 9.2.f (establishment of legal claims). Purposes limited to obligations imposed by law towards public authorities.
Additional measures: access limited to authorised roles only (manager, assistant), no profiling on such data, no communication to third parties outside the recipient public authorities.
Vezpa does not deliberately collect other special data (political/religious opinions, health data, genetic data, sexual orientation). If such data is entered in error by the user, it must be removed immediately.
| Purpose | Legal Basis (Art. 6 GDPR) | Retention |
|---|---|---|
| Provision of PMS service | Art. 6.1.b - Performance of contract | Duration of contract + 10 years |
| Invoicing and accounting | Art. 6.1.c - Legal obligation | 10 years (tax obligation) |
| Customer support | Art. 6.1.b - Performance of contract | Duration of contract + 2 years |
| Security and fraud prevention | Art. 6.1.f - Legitimate interest | 5 years |
| Service improvement | Art. 6.1.f - Legitimate interest | 2 years (aggregated anonymous data) |
| Direct marketing | Art. 6.1.a - Consent | Until consent is withdrawn |
| Defence of rights in court | Art. 6.1.f - Legitimate interest | 10 years |

| Purpose | Legal Basis | Retention |
|---|---|---|
| Guest registration and communication to the Police | Art. 6.1.c - Legal obligation (Italian Consolidated Public Security Act (TULPS), art. 109, Legislative Decree 159/2011) | Minimum 2 years |
| ISTAT communications | Art. 6.1.c - Legal obligation | In accordance with ISTAT regulations |
| Tourist tax (PayTourist) | Art. 6.1.c - Legal obligation | In accordance with municipal regulations |
| Booking and stay management | Art. 6.1.b - Performance of contract | 10 years (tax purposes) |
| Online check-in and communications | Art. 6.1.b - Performance of contract | Duration of stay + property's retention period |
For many activities consent is NOT required because they are based on:
Consent is required ONLY for marketing and profiling.
Vezpa processes personal data in compliance with the following principles:
Data is processed using:
Data is accessible to:
Data may be communicated to the following categories of recipients. The itemised, always up-to-date list is published at vezpa.it/subprocessors.
| Category | Recipients | Role | Purpose |
|---|---|---|---|
| Italian public authorities | AlloggiatiWeb (Police), ISTAT, Municipalities (PayTourist), Italian Revenue Agency | Independent Controllers | Legal obligation |
| EU public authorities | Feratel/Meldeamt (AT), SES.HOSPEDAJES (ES), NTAK (HU), eVisitor (HR), SEF (PT), UbyPort (CZ), eTurizem (SI) | Independent Controllers | Legal obligation of the Controller (property) |
| Hosting / Storage / CDN | DigitalOcean LLC (Frankfurt servers, Spaces, Redis) | Processor | IT infrastructure |
| Payments | Stripe Payments Europe Ltd / Stripe Inc. | Processor | Payment processing |
| | IONOS SE (DE) | Processor | Sending transactional email and PEC |
| Mobile push notifications | Google LLC (Firebase Cloud Messaging) | Processor | Sending push notifications to mobile devices |
| OTA Channel Manager | STAAH Limited (New Zealand) | Processor | Booking synchronisation with OTAs |
| In-app purchase - Apple | Apple Distribution International Ltd (IE) / Apple Inc. (USA) | Independent Controller (store) | Management of App Store subscriptions. Apple does not participate in the DPF: USA transfers are governed by SCC 2021/914 |
| In-app purchase - Google / Microsoft | Google Ireland Ltd / Google LLC (USA, DPF), Microsoft Ireland / Microsoft Corp. (USA, DPF) | Independent Controllers (stores) | Management of Play Store / Microsoft Store subscriptions |
| OTAs | Booking.com, Airbnb, Expedia, VRBO, Agoda and approximately 55 other channels | Independent Controllers | Booking management with the traveller |
| Smart locks (optional) | Tuya Smart (CN) | Processor | Home automation access management, only if activated by the property |
| Professionals | Accountants, lawyers, IT consultants | Processors / Independent Controllers | Specialist consultancy, only where necessary |
The up-to-date list is published and always available at vezpa.it/subprocessors. Any changes (new sub-processors, replacements) are communicated to Controllers (properties) with at least 30 days' notice to allow objection (Art. 28.2 GDPR).
For each non-EU sub-processor the applicable transfer mechanism is documented. The SCCs and any Transfer Impact Assessments are available to the Controller on request.
| Right | GDPR Art. | Description |
|---|---|---|
| Access | Art. 15 | Obtain confirmation that your data exists and receive a copy |
| Rectification | Art. 16 | Correct or complete inaccurate data |
| Erasure ("right to be forgotten") | Art. 17 | Obtain deletion of data (with exceptions for legal obligations) |
| Restriction | Art. 18 | Restrict processing under certain conditions |
| Portability | Art. 20 | Receive data in a structured format (CSV, JSON) and transfer it to another controller |
| Objection | Art. 21 | Object to processing based on legitimate interest |
| Withdrawal of consent | Art. 7.3 | Withdraw consent to marketing at any time |
| Complaint | Art. 77 | Lodge a complaint with the Italian Data Protection Authority (Garante) |
| No automated profiling | Art. 22 | Not to be subject to decisions based solely on automated processing |
You can exercise your rights through:
Vezpa responds to requests within 30 days of receipt (extendable by a further 60 days in complex cases, with reasoned communication).
Some rights (erasure, restriction) may not be exercisable where:
In the event of a data breach (violation of personal data), Vezpa:
In the event of a data breach involving you, you will receive a communication containing:
Vezpa has initiated the Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR, in view of the systematic processing of identity documents of data subjects from several EU States and transfers to non-EU sub-processors.
The DPIA and any additional mitigation measures are updated periodically. In the event of a high residual risk, Vezpa will proceed to prior consultation with the Italian Data Protection Authority (Garante) pursuant to Art. 36 GDPR. The Controller (property) may request a summary of the DPIA by writing to [email protected].
When the property manager uses Vezpa to process guest data:
The Data Processing Agreement contains, pursuant to Art. 28.3 GDPR:
The DPA forms an integral part of the Terms of Service and is accepted upon registration of the property.
Vezpa integrates data protection from the design stage:
Default settings maximise privacy:
Vezpa maintains a complete register of all processing activities, containing:
The register is available at the request of the Italian Data Protection Authority (Garante).
This notice may be amended for:
Material changes will be communicated by email with at least 30 days' notice.
The date of the last update is always indicated at the top of the document.
Privacy Office:
Email: [email protected]
PEC: [email protected]
Address: Desenzano del Garda, via San Zeno 67
Italian Data Protection Authority (Garante):
Piazza Venezia, 11 - 00187 Rome, Italy
Email: [email protected]
PEC: [email protected]
Tel: +39 06.696771
Web: www.garanteprivacy.it
Users in other EU Member States may also contact their national DPA.
© 2022-2026 Vezpa - All rights reserved
Document drafted in compliance with EU Regulation 2016/679 (GDPR)
and with Legislative Decree 196/2003 as amended by Legislative Decree 101/2018