Privacy Rights Notice

1. Introduction and Scope

This Privacy Rights Notice explains how Vezpa di Paolo Vezzola (hereinafter "Vezpa" or "We") processes personal information in compliance with:

California CCPA/CPRA California Consumer Privacy Act, as amended by the California Privacy Rights Act
Virginia VCDPA Virginia Consumer Data Protection Act
Colorado CPA Colorado Privacy Act
Connecticut CTDPA Connecticut Data Privacy Act
FTC Act Federal Trade Commission Act (Section 5 - unfair or deceptive practices)
COPPA Children's Online Privacy Protection Act

1.1 Who This Applies To

This notice applies to:

Accommodation managers who use Vezpa (direct clients)
Guests staying at properties that use Vezpa
Business partners and suppliers
Visitors to the vezpa.it website

1.2 Dual Role of Vezpa

Vezpa operates in two distinct roles:

BUSINESS (CONTROLLER) For data of property managers (clients) - we determine the purposes and means of processing
SERVICE PROVIDER (PROCESSOR) For guest data - we process data on behalf of the property manager under their instructions

2. Business Identity and Contact Details

Business:

Vezpa di Paolo Vezzola
Registered office: Desenzano del Garda (BS), 25015, via San Zeno 67, Italy
VAT: 04449070988
Email: [email protected]

3. Categories of Personal Information Collected

3.1 Manager Data (Clients)

Category (CCPA)	Type of Data	Mandatory
Identifiers	Name, surname, date of birth, email address, phone number	Required
Contact information	Email, phone, mailing address	Required
Commercial information	Company name, EIN/tax ID, property details, subscription records	Required
Financial information	Payment card (via Stripe - PCI DSS compliant), billing address	Required for subscription
Internet or network activity	Access logs, IP address, platform activity, browsing history on our site	Automatic
Professional information	Business type, property type, role	Voluntary

3.2 Guest Data (as Service Provider)

Category (CCPA)	Type of Data	Business Purpose
Identifiers	Name, surname, date and place of birth, citizenship	Guest registration and legal compliance
Government-issued ID	ID type, number, issue date, issuing authority	Legal compliance (where required by local law)
Contact information	Email, phone, address	Booking management and communications
Commercial information	Stay dates, number of guests, room, rates	Booking management
Financial information	Transactions, receipts	Payment processing and tax compliance

Sensitive Personal Information:

Vezpa does NOT intentionally collect sensitive personal information such as:

Social Security numbers
Racial or ethnic origin
Religious beliefs
Health information
Biometric or genetic data
Sexual orientation
Precise geolocation

If such data is entered by mistake, it must be deleted immediately.

4. Purpose and Legal Basis for Processing

4.1 For Managers (Clients)

Business Purpose	Legal Basis	Retention
Provision of PMS service	Contract performance / Performing services	Duration of contract + 7 years
Invoicing and accounting	Legal obligation (IRS requirements, state tax laws)	7 years (federal tax retention)
Customer support	Contract performance / Performing services	Duration of contract + 2 years
Security and fraud prevention	Legitimate business interest / Legal obligation	5 years
Service improvement	Legitimate business interest	2 years (anonymous aggregated data)
Direct marketing	Consent / CAN-SPAM compliance	Until consent is withdrawn or opt-out received
Legal defense	Legitimate business interest	Applicable statute of limitations

4.2 For Guests (on behalf of the Manager)

Business Purpose	Legal Basis	Retention
Guest registration	Legal obligation (state/local lodging laws)	Per applicable state/local requirements
Lodging tax reporting	Legal obligation (state/local tax laws)	Per state/local regulations
Booking and stay management	Contract performance / Performing services	7 years (tax purposes)
Online check-in and communications	Contract performance / Performing services	Duration of stay + property retention period

Note on Sale of Personal Information:

Vezpa does NOT sell your personal information. We do not disclose personal information to third parties for monetary or other valuable consideration. We also do not "share" personal information for cross-context behavioral advertising purposes as defined under the CCPA/CPRA.

5. Processing Methods

5.1 Data Protection Principles

Vezpa processes personal information in accordance with the following principles:

Transparency: we clearly inform you about our data practices
Purpose limitation: we use data only for the stated business purposes
Data minimization: we collect only information that is reasonably necessary
Accuracy: we keep data up-to-date and accurate
Retention limitation: we retain data only for the necessary period
Security: we protect data with appropriate technical and organizational measures
Accountability: we can demonstrate compliance with applicable laws

5.2 Processing Means

Data is processed using:

Digital tools: servers, databases, web/mobile applications
Paper-based: only for necessary documents (contracts, invoices)

5.3 Access Controls

Data is accessible to:

Authorized Vezpa personnel (with personal credentials)
Access based on the "need to know" principle (least privilege)
Access logs tracked and monitored

6. Security Measures

6.1 Technical Measures

TLS/SSL Encryption: all data is transmitted encrypted (HTTPS)

Database encryption: sensitive data encrypted at-rest

Password hashing: secure algorithms (bcrypt/Argon2)

Firewall: advanced perimeter protection

Antivirus and Anti-malware: constantly updated

Daily backups: encrypted and geo-redundant

Disaster Recovery Plan: tested restoration procedures

Multi-factor authentication (MFA): for administrative access

24/7 Monitoring: anomaly and intrusion detection

Vulnerability Assessment: periodic security scans

6.2 Organizational Measures

Staff training: privacy and security training

NDA agreements: all employees sign confidentiality agreements

Security policies: documented procedures

Incident management: data breach response plan

Regular audits: periodic compliance reviews

Privacy by Design: privacy integrated into development

Access control: role-based authorizations (RBAC)

6.3 Compliance Standards

PCI-DSS Compliant: through certified payment providers (Stripe)
SOC 2 aligned practices: industry-standard security controls

7. Data Recipients and Disclosures

7.1 Categories of Recipients

Your data may be disclosed to the following categories of recipients:

Category	Recipients	Role	Purpose
Government authorities	IRS, state tax authorities, law enforcement (when required)	Independent controllers	Legal obligation
Hosting provider	DigitalOcean	Service provider	IT infrastructure
Payment gateway	Stripe (PCI DSS compliant)	Service provider	Payments
Email provider	IONOS	Service provider	Sending communications
OTA	Booking.com, Airbnb, Expedia, etc.	Independent controllers	Booking management
Professionals	Accountants, lawyers, consultants	Service providers	Professional advice

7.2 No Sale of Personal Information

Vezpa does not sell personal information and has not sold personal information in the preceding 12 months. We do not share personal information for cross-context behavioral advertising.

7.3 International Transfers

Data Transfers:

Vezpa is based in Italy (EU). Data may be transferred internationally as necessary to provide the service. Where personal information is transferred, we ensure appropriate safeguards are in place, including Standard Contractual Clauses and compliance with applicable data transfer requirements.

8. Your Privacy Rights

8.1 Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the following rights:

Right	Description
Right to Know	Request disclosure of the categories and specific pieces of personal information collected about you, the sources, purposes, and categories of third parties with whom we share it
Right to Delete	Request deletion of your personal information (subject to legal exceptions)
Right to Correct	Request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing	Opt out of the sale or sharing of your personal information (note: Vezpa does not sell personal information)
Right to Limit Use of Sensitive PI	Limit the use and disclosure of sensitive personal information
Right to Non-Discrimination	Not be discriminated against for exercising your privacy rights

8.2 Rights Under Virginia Law (VCDPA)

If you are a Virginia resident, you have the right to: access, correct, delete, obtain a copy of your data in a portable format, and opt out of targeted advertising, sale of personal data, and profiling.

8.3 Rights Under Colorado (CPA) and Connecticut (CTDPA) Laws

Residents of Colorado and Connecticut have similar rights to access, correct, delete, and port their data, as well as opt-out rights for targeted advertising, sale of personal data, and certain profiling activities.

8.4 How to Exercise Your Rights

You can exercise your rights through:

Email: [email protected] (subject: "Privacy Rights Request")
Mail: Vezpa di Paolo Vezzola, Desenzano del Garda, via San Zeno 67, Italy
User area: "Privacy and Data" section in the dashboard (for some rights)

8.5 Verification and Response Times

We will verify your identity before processing your request. Vezpa responds to requests within 45 days of receipt (extendable by an additional 45 days in complex cases, with notice to you). For California requests, we may request specific information to verify your identity.

8.6 Authorized Agents

You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide proof of authorization and may still verify your identity directly.

8.7 Limitations on Rights

Some rights may not be exercisable when:

Legal obligations require us to retain the data
Data is necessary for legal defense or to exercise legal claims
An applicable legal exception applies

9. Data Breach Notification

9.1 Breach Procedure

In the event of a data breach, Vezpa:

Assesses the incident promptly upon discovery
Notifies affected individuals as required by applicable state breach notification laws (all 50 states have breach notification laws)
Notifies state attorneys general where required
Documents the incident in the breach register
Adopts corrective measures to prevent future breaches

9.2 Transparency

In the event of a data breach affecting you, you will receive a communication containing:

Nature of the breach
Types of information involved
Steps we have taken
Steps you can take to protect yourself
Contact information for questions

10. Children's Privacy (COPPA)

Vezpa's service is intended for users aged 18 and older. We do not knowingly collect personal information from children under the age of 13, as defined by the Children's Online Privacy Protection Act (COPPA). If we become aware that we have inadvertently collected personal information from a child under 13, we will promptly delete it.

If you believe a child under 13 has provided us with personal information, please contact us at [email protected].

11. Service Provider Agreements

11.1 Agreements with Clients (for guest data)

When the property manager uses Vezpa to process guest data:

The manager is the Business (Controller)
Vezpa is the Service Provider (Processor)
A Data Processing Agreement (DPA) is concluded defining the terms of processing

11.2 DPA Contents

The Data Processing Agreement contains:

Subject and duration of processing
Nature and purpose of processing
Type of personal information and categories of consumers
Obligations and rights of the business
Documented instructions on processing
Security measures implemented
Authorized sub-processors
Assistance with consumer rights requests

The DPA is an integral part of the Terms of Service.

12. Privacy by Design

12.1 Built-In Privacy

Vezpa integrates data protection from the design stage:

Native encryption in all communications
Pseudonymization where possible
Data minimization in data collection
Granular access controls
Complete audit trail of all operations

12.2 Default Settings

Default settings maximize privacy:

Only strictly necessary data is mandatory
Automatic retention for the minimum legally required period
Marketing opt-in (not opt-out)
Data visibility limited to the minimum necessary

13. CCPA Metrics (Annual Disclosure)

In compliance with the CCPA, Vezpa discloses the following metrics for the preceding calendar year upon request:

Number of requests to know received, complied with, and denied
Number of requests to delete received, complied with, and denied
Number of requests to opt-out received, complied with, and denied
Median number of days to substantively respond to each type of request

Contact [email protected] for the latest metrics.

14. Changes to This Notice

This notice may be modified due to:

Changes in federal or state privacy laws
New service features
Organizational changes

Material changes will be communicated via email with at least 30 days' notice.

The last update date is always indicated at the top of the document.

PRIVACY RIGHTS NOTICE