Notice: This is a courtesy translation of the Italian original. In case of conflict or ambiguity, the Italian version prevails.
In summary: Vezpa respects your privacy. We collect only the data required to deliver the property management service, protect it with appropriate security measures and never sell it to third parties. For the processing of guest data, Vezpa acts as a Data Processor (GDPR art. 28, where applicable): the dedicated contract is the DPA. The GDPR framework referenced in this Policy applies when Vezpa processes EEA personal data. Users in Canada are also protected by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, in Quebec, Law 25. See our Canadian Privacy Rights page.
1. Data Controller / Organization
The Data Controller (organization responsible under PIPEDA) for the processing of personal data is:
Vezpa di Paolo Vezzola
Registered office: Via San Zeno 67, 25015 Desenzano del Garda (BS), Italy
VAT: 04449070988
Tax code: VZZPLA84C10D284C
Email: [email protected]
Certified email (PEC): [email protected]
2. Scope of Application
This Privacy Policy applies to the Vezpa PMS platform (web, desktop and mobile) and to the website pages where this notice is published. It is directed at users in Canada and describes our practices under applicable Canadian law as well as the GDPR framework where relevant.
3. Personal Data Collected
3.1 Data of Service Users (Property Managers)
When you register with Vezpa as a property manager, we collect:
- Identity data: first name, last name, email, phone number
- Property data: name, address, type, VAT/business number
- Billing data: billing address, tax code/VAT, unique invoicing code/PEC
- Access credentials: email and password (stored as a secure hash; we do not store plaintext passwords)
- Payment data: handled through external PCI-DSS certified providers (we do not directly store credit card data)
3.2 Data of Property Guests
On behalf of property managers (acting as Data Processor under GDPR art. 28 where applicable, and as a service provider / third party under PIPEDA, governed by the DPA), the system collects:
- Identifying data: first name, last name, place and date of birth, citizenship, gender
- Identity documents: type, number, place and date of issue, scan or photograph of the document. These images may be processed with automatic OCR to extract textual data, without storing derived biometric data.
- Contact data: email, phone number
- Reservation data: stay dates, number of guests, rates, meal plan
- Payment data: only when payment is made through the Vezpa Booking Engine or Stripe link; card data is never stored on Vezpa servers
Identity documents and sensitive information: identity documents may contain information that qualifies as "sensitive" (e.g. place of birth that may reveal ethnic origin). Vezpa processes such data only to the extent strictly necessary to meet the property's legal obligations toward public authorities, does not carry out profiling on it and does not disclose it to parties other than the authorities and sub-processors listed in Section 7.
3.3 Navigation Data
- IP address
- Browser and device type
- Pages visited and time spent
- Operating system
- Referrer
3.4 Cookies
We use technical cookies necessary for the operation of the service. For further details please see our Cookie Policy.
4. Purposes of Processing and Legal Basis
4.1 For Property Managers
| Purpose | Legal Basis |
| --- | --- |
| Provision of the PMS service | Performance of contract (GDPR art. 6.1.b) / PIPEDA consent implied by service request |
| Invoicing and tax obligations | Legal obligation (GDPR art. 6.1.c); CRA and provincial tax requirements for Canadian customers |
| Customer support | Performance of contract (GDPR art. 6.1.b) |
| Security, fraud prevention, service reliability | Legitimate interest (GDPR art. 6.1.f) / legitimate business interest under PIPEDA |
| Sending marketing communications | Consent (GDPR art. 6.1.a / PIPEDA / CASL) - only where authorized |
4.2 For Property Guests
Important: For guest data, the Data Controller (Organization under PIPEDA) is the accommodation property. Vezpa acts as Data Processor / service provider on documented instruction from the property manager, under the Data Processing Agreement.
- Guest check-in and registration: legal obligation (Italian TULPS art. 109, Legislative Decree 159/2011 for Italy; equivalent legislation for other supported jurisdictions)
- Mandatory government reporting: AlloggiatiWeb (IT-Questura), ISTAT (IT), PayTourist (IT-Municipalities), Feratel/Meldeamt (AT), SES.HOSPEDAJES (ES), NTAK (HU), eVisitor (HR), SEF (PT), UbyPort (CZ), eTurizem (SI) - each activated only if the property is located in the corresponding jurisdiction
- Reservation and stay management: performance of contract (art. 6.1.b)
- Communications to OTAs and channel manager: performance of the booking contract (art. 6.1.b), limited to channels activated by the property
5. Processing Methods
Personal data is processed using electronic tools, with logic strictly related to the purposes and by adopting appropriate security measures (GDPR art. 32 / PIPEDA Principle 7 - Safeguards):
- Encryption in transit: all data is transmitted via HTTPS/TLS 1.2+
- Passwords: stored with secure hashing algorithms (Django PBKDF2 default)
- Tokens: JWT access 15 minutes, refresh with rotation and blacklist, optional TOTP 2FA
- Access control: role-based authorization (manager/assistant/housekeeper/observer), least-privilege principle
- Backups: performed regularly by the infrastructure provider (DigitalOcean), located in the EU (Frankfurt)
- Hosting: DigitalOcean servers located in the European Union (FRA1 region), DigitalOcean Spaces storage Frankfurt
- Monitoring: access and application logs, automated anomaly detection, bot and scanner blocking
6. Data Retention
Personal data is kept for the time strictly necessary:
- Manager (customer) data: duration of the contract + up to 10 years for tax and accounting obligations; Canadian customers: minimum 6 years under CRA requirements
- Billing data: 10 years under Italian law (Civil Code art. 2220); Canadian customers: minimum 6 years under CRA
- Guest data (processed by Vezpa as Data Processor):
  - AlloggiatiWeb reporting: the retention period is set by the Data Controller (property) under applicable law
  - ISTAT reporting: per ISTAT regulations
  - Other reservation data: as instructed by the Data Controller in the DPA (typically 10 years for tax purposes)
  - Upon termination of the contract with the Data Controller, Vezpa deletes or returns guest data within 30 days, except for independent retention obligations (e.g. invoicing)
- Access and application logs: up to 24 months for security and legal defence (legitimate interest)
- Authentication tokens and trusted devices: 90 days from last use
- Marketing data (newsletter, campaigns): until consent is withdrawn, with biennial review
- Support tickets: duration of the contract + 2 years
7. Disclosure and Dissemination of Data
7.1 Recipients of Data
Your data may be disclosed to the following categories of recipients. The always-current nominative list of sub-processors is published at vezpa.it/subprocessors.
Public authorities (autonomous Data Controllers, legal obligation)
- Italy: Questura / AlloggiatiWeb, ISTAT, Municipalities (via PayTourist for tourist tax), Revenue Agency
- Austria: Feratel/Meldeamt
- Spain: SES.HOSPEDAJES (Ministerio del Interior)
- Hungary: NTAK
- Croatia: eVisitor
- Portugal: SEF
- Czech Republic: UbyPort
- Slovenia: eTurizem / AJPES
- Canada: Canada Revenue Agency (CRA), provincial tax authorities and law enforcement where required by law
Each government connector is activated only if the property is located in the corresponding jurisdiction. Credentials are configured by the property itself.
Sub-processors (GDPR art. 28.4 / PIPEDA third parties)
- Infrastructure: DigitalOcean LLC (Frankfurt servers, database, Spaces/CDN, Redis) - USA/EU under DPF and SCCs
- Payments: Stripe Payments Europe Ltd (EU) / Stripe Inc. (USA) - PCI-DSS, DPF-certified
- Transactional email and PEC: IONOS SE (DE)
- Mobile push notifications: Google LLC - Firebase Cloud Messaging (USA, DPF-certified)
- OTA Channel Manager: STAAH Limited (New Zealand) - country with EU adequacy decision (2012)
- In-app purchase and subscription:
  - Apple Distribution International Ltd (IE) - EU entity; any transfers to Apple Inc. (USA) are governed by Standard Contractual Clauses 2021/914 (Apple does not participate in the DPF)
  - Google Ireland Ltd / Google LLC (USA, certified active under the DPF)
  - Microsoft Ireland / Microsoft Corp. (USA, certified active under the DPF)
- Smart locks (optional, if activated): Tuya Smart (CN) - EU SCCs and supplementary measures
- Professional advisors: accountant, lawyer, IT consultants, appointed as Processors or autonomous Controllers as required
OTAs (autonomous Data Controllers for the traveller relationship)
- Booking.com, Airbnb, Expedia, VRBO, Agoda and approximately 55 other channels connected via STAAH: reservation data flows under the contract between the property and the OTA
7.2 Cross-border Data Transfers
Vezpa is based in Italy (EU). Some processing involves transfers of personal data outside the European Union and outside of Canada. In all cases, safeguards under GDPR Chapter V are adopted, and Canadian users are informed that their personal information may be processed and stored outside Canada and subject to foreign laws, including lawful access by foreign courts, law enforcement and national security authorities:
- USA - EU-U.S. Data Privacy Framework (Commission Decision (EU) 2023/1795): Stripe Inc., Google LLC (Firebase Cloud Messaging), Microsoft Corp., DigitalOcean LLC, certified active under the Framework (verify at dataprivacyframework.gov/list)
- USA - Standard Contractual Clauses (SCC 2021/914): Apple Inc. - Apple does not participate in the DPF; the contractual relationship for EU users is with Apple Distribution International Ltd (Ireland), and any transfers to Apple Inc. (USA) take place under SCCs and Apple's internal mechanisms
- New Zealand - Adequacy Decision (Commission Decision (EU) 2013/65): STAAH Limited
- China (optional) - Standard Contractual Clauses (SCC) 2021/914 + supplementary measures: Tuya Smart, only for properties that activate smart locks
- For any transfer absent active DPF or adequacy, Vezpa adopts EU SCCs 2021/914 and, where applicable, a documented Transfer Impact Assessment (TIA)
- PIPEDA / Quebec Law 25 compliance: for Canadian personal information transferred abroad, Vezpa uses contractual means (including its DPA and EU SCCs) to ensure a comparable level of protection, as required by PIPEDA and Quebec Law 25's rules on transfers outside Quebec.
7.3 Dissemination
Personal data is not disseminated (disclosed to unspecified recipients) and is not sold.
8. Rights of the Individual / Data Subject
Under GDPR articles 15-22 (where applicable) and under PIPEDA / Quebec Law 25 for Canadian users, you have the right to:
- Access (GDPR art. 15 / PIPEDA Principle 9): obtain confirmation of the existence of your data and receive a copy
- Rectification (GDPR art. 16 / PIPEDA Principle 9): correct inaccurate or incomplete data
- Erasure (GDPR art. 17): obtain deletion of data (right to be forgotten) when the conditions are met; under PIPEDA, withdraw consent subject to legal or contractual restrictions
- Restriction (GDPR art. 18): limit processing in certain circumstances
- Portability (GDPR art. 20 / Quebec Law 25): receive data in a structured format and transmit it to another controller
- Objection (GDPR art. 21): object to processing on legitimate grounds
- Challenge compliance (PIPEDA Principle 10): challenge our compliance with privacy law
- Withdraw consent: withdraw marketing consent at any time
Important note: For guest data, these rights must be exercised with the accommodation property (which is the Data Controller / Organization), not directly with Vezpa. Vezpa, as Data Processor, assists the Data Controller in handling requests under GDPR art. 28.3.e.
For detailed information about your Canadian privacy rights, see our Canadian Privacy Rights page.
Marketing and newsletter
Subscription to commercial communications requires express consent with double opt-in (confirmation via email link). Each communication contains an immediate unsubscribe link. Canadian recipients are covered by Canada's Anti-Spam Legislation (CASL): express consent is obtained where required, and every commercial email identifies the sender and provides an unsubscribe mechanism.
How to exercise your rights
You may exercise your rights by writing to:
We will respond within 30 days of the request.
Right to lodge a complaint
If you believe that the processing of your data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority:
Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)
Piazza Venezia, 11 - 00187 Rome, Italy
Email: [email protected]
PEC: [email protected]
Tel: +39 06.696771
Web: www.garanteprivacy.it
Canadian users may also file a complaint with the Office of the Privacy Commissioner of Canada - OPC (www.priv.gc.ca). Quebec residents may contact the Commission d'accès à l'information (CAI, www.cai.gouv.qc.ca).
9. Minors
The Vezpa PMS service is intended exclusively for persons over 18 years of age. We do not knowingly collect data from minors. Under PIPEDA, meaningful consent for the collection of a minor's personal information must be obtained from a parent or guardian. If we learn that we have collected information from a child without appropriate consent, we will promptly delete it.
10. Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. There is currently no universally accepted standard for responding to DNT signals, and we do not currently respond to them. We will update this policy if a standard is established.
11. Changes to the Privacy Policy
This Privacy Policy may be amended over time. Any material change will be communicated with reasonable notice via:
- Publication of the new version on the website
- Email notification to registered users
- Information banner in the reserved area
The last-updated date is always shown at the top of the document.
© 2022-2026 Vezpa - All rights reserved