PRIVACY POLICY FOR THE UNITED KINGDOM AND IRELAND

UK-IE 1. Specific provisions for British and Irish users

Although Vezpa is established in Italy and primarily processes personal data within the European Economic Area, this policy explicitly addresses the additional protections and supervisory mechanisms applicable to users habitually resident in the United Kingdom and the Republic of Ireland. The two regimes share common roots in EU Regulation 2016/679 but diverge in certain procedural and territorial aspects.

UK-IE 1.1 Applicable national laws

• United Kingdom: the UK GDPR, retained in domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as supplemented by Parts 2 to 4 of the Data Protection Act 2018 (DPA 2018) and Schedule 1 thereto. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) govern marketing and cookies. The ICO Guide to the UK GDPR represents the primary regulatory guidance.
• Ireland: the EU GDPR continues to apply directly, supplemented by the Data Protection Act 2018 (No. 7 of 2018), which gives further effect to the Regulation. The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336/2011) govern cookies and direct marketing. Authoritative guidance is published by the Data Protection Commission (DPC).

UK-IE 1.2 Lawful bases used for British and Irish users

The lawful bases under Article 6 GDPR / UK GDPR relied upon by Vezpa for users in the UK and Ireland are identical to those described in section 4 of this policy. We highlight here three additional considerations that apply specifically to users in these two jurisdictions:

• Property managers: when a UK or Irish accommodation provider subscribes to Vezpa, the legal basis for processing the manager's data is the performance of the SaaS contract (Article 6(1)(b)). Tax and accounting record-keeping obligations under HMRC rules (UK) or Revenue Commissioners rules (Ireland) constitute a legal obligation in the country where the manager is established (Article 6(1)(c)), in addition to Italian invoicing obligations applicable to Vezpa as the issuer of invoices.
• Guest data: for guests staying in UK or Irish properties, Vezpa acts solely as Data Processor on the documented instructions of the property. Vezpa does not transmit guest data to UK or Irish authorities (such as the Garda Síochána or UK Police) on its own initiative; transmission, where required by domestic law, is performed manually by the property using the data exported from Vezpa. The Vezpa governmental connectors (e.g. AlloggiatiWeb, eVisitor, NTAK) are activated only for properties located in the relevant connected country and do not affect UK or Irish properties.
• Direct marketing: for British and Irish users we rely on the soft opt-in established by regulation 22(3) PECR and regulation 13(11) of S.I. No. 336/2011 respectively, in addition to Article 130(4) of Italian Legislative Decree 196/2003. Each marketing communication contains a one-click unsubscribe link that satisfies the requirements of section 47 of the UK Privacy and Electronic Communications Regulations and of the Irish ePrivacy Regulations.

UK-IE 1.3 Your rights and how to exercise them in the UK and Ireland

The substantive rights set out in section 8 of this policy (Articles 15 to 22 GDPR / UK GDPR) apply identically to British and Irish users. Vezpa offers two specific facilitations for these users:

• Subject access requests in English: Vezpa undertakes to handle SARs sent in English in the same time frame as Italian-language requests, namely within one month from receipt of a verifiable request, extendable by two further months for complex or multiple requests under Article 12(3) GDPR.
• Direct dialogue with the property manager: for guest data requests, Vezpa will route the SAR to the relevant accommodation provider within 5 working days, in line with the Article 28(3)(e) obligation to assist the controller. The property manager will then respond directly in accordance with its own privacy policy.

UK-IE 1.4 Supervisory authorities and right to lodge a complaint

British and Irish users may lodge complaints not only with the Italian Garante (as Vezpa's lead supervisory authority) but also directly with their national supervisory authority. The latter will, where required, cooperate with the lead authority under Article 60 GDPR (one-stop-shop) or, in the UK case, under the cooperation arrangements set out in the UK GDPR Memorandum of Understanding between the ICO and the EDPB.

United Kingdom - Information Commissioner's Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113 (UK) / +44 1625 545 700 (international)
Online complaint form: ico.org.uk/make-a-complaint/
Web: ico.org.uk

Republic of Ireland - Data Protection Commission (DPC):
21 Fitzwilliam Square South, Dublin 2, D02 RD28
Phone: +353 (0)761 104 800 / +353 (0)57 868 4757
Online complaint form: forms.dataprotection.ie/raise-a-concern
Web: www.dataprotection.ie

UK-IE 1.5 Transfers of personal data to the United States

The most significant cross-border data flow that affects UK and Irish users concerns transfers to U.S.-based sub-processors (Stripe Inc., Google LLC for Firebase Cloud Messaging, Microsoft Corp., DigitalOcean LLC, and Apple Inc. for in-app purchases). The applicable safeguards are:

• EU/EEA → USA (relevant for Irish users): EU-U.S. Data Privacy Framework, Commission Decision (EU) 2023/1795 of 10 July 2023, for active certified recipients; Commission SCCs 2021/914 with documented Transfer Impact Assessment for non-certified recipients (notably Apple Inc., which is not DPF-certified, so transfers occur under SCCs through Apple Distribution International Ltd in Dublin).
• UK → USA (relevant for British users): UK Extension to the EU-U.S. DPF ("UK Data Bridge"), in force since 12 October 2023, for participating recipients; the UK International Data Transfer Agreement (IDTA) issued by the ICO on 21 March 2022, or the UK Addendum to the EU SCCs, for non-participating recipients. A Transfer Risk Assessment is conducted in accordance with the ICO TRA Tool (June 2022).

Users may consult our up-to-date sub-processors register for the current certification status of each U.S. recipient and for the country of establishment of the contracting entity.

UK-IE 1.6 Automated decision-making and profiling

Vezpa does not carry out automated decision-making producing legal effects or similarly significantly affecting users in the UK or Ireland, in the sense of Article 22 GDPR / UK GDPR. The OCR feature applied to identity documents at check-in is not a form of profiling: it merely transcribes textual information from a document image and does not generate any score, ranking or behavioural prediction. Consequently, the additional safeguards of Article 22(3) (right to obtain human intervention, right to express one's point of view and right to contest the decision) do not arise in the ordinary use of the service.

1. Data Controller

The Data Controller for personal data is:

Vezpa di Paolo Vezzola
Registered office: Via San Zeno 67, 25015 Desenzano del Garda (BS), Italy
VAT No.: 04449070988
Tax Code: VZZPLA84C10D284C
Email: [email protected]
PEC: [email protected]

2. Scope of Application

This Privacy Policy applies to the Vezpa PMS platform (web, desktop and mobile) and to the pages of the website on which this notice is published.

3. Personal Data Collected

3.1 Data of Service Users (Property Managers)

When you register with Vezpa as a manager of accommodation premises, we collect:

• Personal details: first name, surname, email, telephone number
• Property details: name, address, type, VAT number
• Billing details: billing address, tax code/VAT number, unique code/PEC address
• Login credentials: email and password (encrypted)
• Payment details: handled via external PCI-DSS certified providers (we do not directly store credit card data)

3.2 Data of Property Guests

On behalf of the property managers (as Data Processor pursuant to Art. 28 GDPR, governed by the DPA), the system collects:

• Identification data: first name, surname, place and date of birth, nationality, gender
• Identity documents: type, number, place and date of issue, scan or photograph of the document. Such images may be processed with automatic OCR to extract textual data, without storage of derived biometric data.
• Contact data: email, telephone number
• Booking data: stay dates, number of guests, rates, meal plan
• Payment data: only if payment is made via the Vezpa booking engine or Stripe link; card data is never stored on Vezpa servers

3.3 Navigation Data

• IP address
• Browser and device type
• Pages visited and time spent
• Operating system
• Referrer

3.4 Cookies

We use technical cookies necessary for the operation of the service. For further details please consult our Cookie Policy.

4. Purposes of Processing and Legal Basis

4.1 For Property Managers

4.2 For Property Guests

Important: For guest data, the Data Controller is the accommodation provider. Vezpa acts as Data Processor on the documented instructions of the property manager, pursuant to the Data Processing Agreement.

• Guest check-in and registration: legal obligation (Italian Consolidated Public Security Act (TULPS), art. 109, Legislative Decree 159/2011) for Italy; equivalent legislation for other supported States
• Mandatory governmental communications: AlloggiatiWeb (IT-Police), ISTAT (IT), PayTourist (IT-Municipalities), Feratel/Meldeamt (AT), SES.HOSPEDAJES (ES), NTAK (HU), eVisitor (HR), SEF (PT), UbyPort (CZ), eTurizem (SI) — each activated only where the property is located in the corresponding State
• Management of bookings and stays: performance of the contract (Art. 6.1.b)
• Communications to OTAs and channel manager: performance of the booking contract (Art. 6.1.b), only channels activated by the property

5. Methods of Processing

Personal data is processed by electronic means, with logic strictly related to the purposes and by the adoption of appropriate security measures (Art. 32 GDPR):

• 🔐 Encryption in transit: all data is transmitted via HTTPS/TLS 1.2+
• 🔐 Passwords: stored using secure hashing algorithms (Django default PBKDF2)
• 🔐 Tokens: JWT access 15 minutes, refresh with rotation and blacklist, TOTP 2FA available
• 🔐 Access control: role-based authorisations (manager/assistant/housekeeper/observer), principle of least privilege
• 🔐 Backups: performed regularly by the infrastructure provider (DigitalOcean), EU location (Frankfurt)
• 🔐 Hosting: DigitalOcean servers located in the European Union (FRA1 region), DigitalOcean Spaces storage in Frankfurt
• 🔐 Monitoring: access and application logs, automated anomaly detection, bot and scanner blocking

6. Data Retention

Personal data is retained only for the time strictly necessary:

• Manager data (customers): duration of the contract + 10 years for tax and accounting compliance
• Billing data: 10 years (Art. 2220 of the Italian Civil Code, tax obligation)
• Guest data (processed by Vezpa as Processor):
  • AlloggiatiWeb communications: the retention period is set by the Controller (property) according to applicable legislation
  • ISTAT communications: in accordance with ISTAT regulations
  • Other booking data: according to the Controller's instructions in the DPA (typically 10 years for tax purposes)
  • Upon termination of the contract with the Controller, Vezpa deletes or returns guest data within 30 days, save for independent retention obligations (e.g. invoicing)
• Access and application logs: up to 24 months for security and legal defence purposes (legitimate interest)
• Authentication tokens and trusted devices: 90 days from last use
• Marketing data (newsletter, campaigns): until consent is withdrawn, with biennial review
• Support tickets: duration of the contract + 2 years

7. Communication and Disclosure of Data

7.1 Recipients of the Data

Your data may be communicated to the following categories of recipients. The up-to-date itemised list of sub-processors is published at vezpa.it/subprocessors.

Public authorities (independent Controllers, legal obligation)

• Italy: Police / AlloggiatiWeb, ISTAT, Municipalities (via PayTourist for tourist tax), Italian Revenue Agency
• Austria: Feratel/Meldeamt
• Spain: SES.HOSPEDAJES (Ministerio del Interior)
• Hungary: NTAK
• Croatia: eVisitor
• Portugal: SEF
• Czech Republic: UbyPort
• Slovenia: eTurizem / AJPES

Each governmental connector is activated only where the property is located in the corresponding State. Credentials are configured by the property itself.

Sub-processors (Art. 28.4 GDPR)

• Infrastructure: DigitalOcean LLC (Frankfurt servers, database, Spaces/CDN, Redis) — USA/EU with DPF and SCCs
• Payments: Stripe Payments Europe Ltd (EU) / Stripe Inc. (USA) — PCI-DSS, DPF certified
• Transactional email and PEC: IONOS SE (DE)
• Mobile push notifications: Google LLC — Firebase Cloud Messaging (USA, DPF certified)
• OTA Channel Manager: STAAH Limited (New Zealand) — country with EU adequacy decision (2012)
• In-app purchase and subscriptions:
  • Apple Distribution International Ltd (IE) — EU entity; any transfers to Apple Inc. (USA) are governed by SCC 2021/914 (Apple does not participate in the DPF)
  • Google Ireland Ltd / Google LLC (USA, DPF certified active)
  • Microsoft Ireland / Microsoft Corp. (USA, DPF certified active)
• Smart locks (optional, if activated): Tuya Smart (CN) — EU SCCs and supplementary measures
• Professional advisers: accountants, lawyers, IT consultants, designated as Processors or independent Controllers as required

OTAs (independent Controllers for the relationship with the traveller)

• Booking.com, Airbnb, Expedia, VRBO, Agoda and approximately 55 other channels connected via STAAH: booking data flows on the basis of the contract between the property and the OTA

7.2 Transfers outside the EU

Some processing activities involve transfers of personal data outside the European Union. In all cases safeguards pursuant to Chapter V GDPR are adopted:

• USA — EU-U.S. Data Privacy Framework (Commission Decision (EU) 2023/1795): Stripe Inc., Google LLC (Firebase Cloud Messaging), Microsoft Corp., DigitalOcean LLC, certified active under the Framework (verify at dataprivacyframework.gov/list)
• USA — Standard Contractual Clauses (SCC 2021/914): Apple Inc. — Apple does not participate in the DPF; the contractual relationship for EU users is with Apple Distribution International Ltd (Ireland), and any transfers to Apple Inc. (USA) take place by means of SCC and Apple internal mechanisms
• New Zealand — Adequacy decision (EU Decision 2013/65): STAAH Limited
• China (optional) — Standard Contractual Clauses (SCC) 2021/914 + supplementary measures: Tuya Smart, only for properties that activate smart locks
• For any transfer in the absence of an active DPF or adequacy, Vezpa adopts EU SCC 2021/914 and, where applicable, a documented Transfer Impact Assessment (TIA)

7.3 Dissemination

Personal data is not subject to dissemination (communication to unspecified recipients) and is not sold.

8. Rights of the Data Subject

Pursuant to Articles 15-22 of the GDPR, you have the right to:

• 📧 Access (Art. 15): obtain confirmation that your data exists and receive a copy
• ✏️ Rectification (Art. 16): correct inaccurate or incomplete data
• 🗑️ Erasure (Art. 17): obtain the deletion of data (right to be forgotten) where the conditions are met
• ⏸️ Restriction (Art. 18): restrict processing under certain conditions
• 📤 Portability (Art. 20): receive the data in a structured format and transmit it to another controller
• 🚫 Objection (Art. 21): object to processing on legitimate grounds
• ❌ Withdrawal of consent: withdraw marketing consent at any time

Marketing and newsletter

Subscription to commercial communications requires explicit consent with double opt-in (confirmation via email link). Every communication contains an immediate unsubscribe link. For existing customers, Vezpa may send communications on similar products and services pursuant to Art. 130.4 Legislative Decree 196/2003 ("soft opt-in"), with the option to object always available.

How to exercise your rights

You can exercise your rights by writing to:

• 📧 Email: [email protected]
• ✉️ PEC: [email protected]
• 📮 Registered post to the address shown at the top

We will respond within 30 days of the request.

Right to lodge a complaint

If you believe that the processing of your data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority:

Italian Data Protection Authority (Garante)
Piazza Venezia, 11 - 00187 Rome, Italy
Email: [email protected]
PEC: [email protected]
Tel: +39 06.696771
Web: www.garanteprivacy.it

Users in other EU Member States may also contact their national DPA.

9. Minors

The Vezpa PMS service is intended exclusively for persons over 18 years of age. We do not knowingly collect data from minors. If a parent or guardian believes that a minor has provided personal data, they may contact us for its immediate deletion.

10. Changes to the Privacy Policy

This Privacy Policy may be amended from time to time. Any substantial change will be communicated with appropriate notice via:

• Publication of the new version on the website
• Email notification to registered users
• Information banner in the reserved area

The date of the last update is always indicated at the top of the document.