Notice: This is a courtesy translation of the Italian original. In case of conflict or ambiguity, the Italian version prevails.
In brief: Vezpa respects your privacy. We collect only the data necessary to provide our property management service, protect it with appropriate security measures, and never sell it to third parties. When processing guest data, Vezpa acts as a Data Processor (Service Provider under the CCPA; art. 28 GDPR where applicable): the dedicated contract is the DPA. GDPR references below apply when Vezpa processes personal data of individuals in the European Economic Area. Users located in the United States are also covered by applicable US state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by CPRA. For California residents' specific rights, see our CCPA Privacy Rights page.
1. Data Controller (Business under CCPA)
The Data Controller (Business under CCPA) of personal data is:
Vezpa di Paolo Vezzola
Registered office: Via San Zeno 67, 25015 Desenzano del Garda (BS), Italy
VAT ID: 04449070988
Tax Code: VZZPLA84C10D284C
Email: [email protected]
Certified email (PEC): [email protected]
2. Scope
This Privacy Policy applies to the Vezpa PMS platform (web, desktop, and mobile) and to the web pages where this notice is published.
3. Personal Data Collected
3.1 Service User Data (Property Operators)
When you register with Vezpa as a property operator, we collect:
- Identification data: first name, last name, email, phone number
- Property data: name, address, type, VAT number
- Billing data: billing address, tax code/VAT, electronic invoicing code/PEC
- Access credentials: email and password (encrypted)
- Payment data: handled by PCI-DSS certified external providers (we do not directly store credit card data)
3.2 Guest Data
On behalf of property operators (as a Data Processor / Service Provider under CCPA; art. 28 GDPR where applicable, governed by the DPA), the system collects:
- Identification data: first name, last name, place and date of birth, citizenship, gender
- Identity documents: type, number, place and date of issue, scan or photograph of the document. These images may be processed with automatic OCR to extract textual data, without storage of any derived biometric data.
- Contact data: email, phone number
- Booking data: stay dates, number of guests, rates, meal plan
- Payment data: only if payment is processed through Vezpa's Booking Engine or Stripe link; card data is never stored on Vezpa servers
Identity documents and sensitive categories (art. 9 GDPR / "sensitive personal information" under CPRA): identity documents may contain data qualifying as "sensitive" (e.g., place of birth from which ethnic origin may be inferred). Vezpa processes such data only to the extent strictly necessary for the operator's legal obligations to public authorities, does not profile on it, and does not disclose it to anyone other than the authorities and sub-processors listed in section 7.
3.3 Usage Data
- IP address
- Browser and device type
- Pages visited and time spent
- Operating system
- Referrer
3.4 Cookies
We use technical cookies necessary for the service to function. For details see our Cookie Policy.
4. Purposes of Processing and Legal Basis
4.1 For Property Operators
| Purpose | Legal Basis |
| --- | --- |
| Provision of the PMS service | Performance of contract (art. 6.1.b GDPR; business purpose under CCPA) |
| Invoicing and tax compliance | Legal obligation (art. 6.1.c GDPR) |
| Customer support | Performance of contract (art. 6.1.b GDPR) |
| Security, fraud prevention, service reliability | Legitimate interest (art. 6.1.f GDPR; security business purpose under CCPA) |
| Marketing communications | Consent (art. 6.1.a GDPR) - only where authorized; opt-out available under CAN-SPAM |
4.2 For Property Guests
Important: For guest data, the Data Controller (Business) is the property. Vezpa acts as a Data Processor (Service Provider) based on the property's documented instructions, in accordance with the Data Processing Agreement.
- Guest check-in and registration: legal obligation (Italian law TULPS, art. 109, and D.Lgs. 159/2011, applicable when guests stay at properties in Italy); equivalent regulations for other supported countries
- Mandatory government reporting: AlloggiatiWeb (IT-Questura), ISTAT (IT), PayTourist (IT-Municipalities), Feratel/Meldeamt (AT), SES.HOSPEDAJES (ES), NTAK (HU), eVisitor (HR), SEF (PT), UbyPort (CZ), eTurizem (SI) — each connector activated only if the property is located in the corresponding country
- Booking and stay management: performance of contract (art. 6.1.b)
- Communications to OTAs and channel managers: performance of the booking contract (art. 6.1.b), only for channels activated by the property
5. Processing Methods
Personal data is processed with electronic tools, using logic strictly related to the purposes, and with adequate security measures (art. 32 GDPR):
- Encryption in transit: all data is transmitted via HTTPS/TLS 1.2+
- Passwords: stored using secure hashing algorithms (PBKDF2, the Django default)
- Tokens: JWT access tokens valid for 15 minutes, refresh tokens with rotation and blacklist, TOTP 2FA available
- Access control: role-based authorization (director/assistant/housekeeper/observer), least-privilege principle
- Backups: performed regularly by our infrastructure provider (DigitalOcean), EU location (Frankfurt)
- Hosting: DigitalOcean servers located in the European Union (FRA1 region), DigitalOcean Spaces storage Frankfurt
- Monitoring: access and application logs, automated anomaly detection, bot and scanner blocking
6. Data Retention
Personal data is retained only as long as strictly necessary:
- Operator (customer) data: duration of the contract + 10 years for tax and accounting obligations
- Billing data: 10 years (art. 2220 Italian Civil Code, tax obligation)
- Guest data (processed by Vezpa as a Data Processor):
  - AlloggiatiWeb submissions: retention period determined by the Data Controller (the property) based on applicable law
  - ISTAT submissions: per ISTAT regulations
  - Other booking data: per Data Controller instructions in the DPA (typically 10 years for tax purposes)
  - On termination of the Data Controller's contract, Vezpa deletes or returns guest data within 30 days, subject to independent retention obligations (e.g., invoicing)
- Access and application logs: up to 24 months for security and legal defense purposes (legitimate interest)
- Authentication tokens and trusted devices: 90 days from last use
- Marketing data (newsletter, campaigns): until consent is withdrawn, with biennial review
- Support tickets: duration of contract + 2 years
7. Data Sharing and Disclosure
7.1 Recipients of Data
Your data may be shared with the following categories of recipients. The current named list of sub-processors is published at vezpa.it/subprocessors.
Public authorities (independent controllers, legal obligation)
- Italy: Police Authority / AlloggiatiWeb, ISTAT, Municipalities (via PayTourist for tourist tax), Italian Revenue Agency
- Austria: Feratel/Meldeamt
- Spain: SES.HOSPEDAJES (Ministerio del Interior)
- Hungary: NTAK
- Croatia: eVisitor
- Portugal: SEF
- Czech Republic: UbyPort
- Slovenia: eTurizem / AJPES
Each government connector is activated only if the property is located in the corresponding country. Credentials are configured by the property itself.
Sub-processors (art. 28.4 GDPR / Service Providers under CCPA)
- Infrastructure: DigitalOcean LLC (servers in Frankfurt, database, Spaces/CDN, Redis) — USA/EU with DPF and SCCs
- Payments: Stripe Payments Europe Ltd (EU) / Stripe Inc. (USA) — PCI-DSS, DPF certified
- Transactional email and PEC: IONOS SE (DE)
- Mobile push notifications: Google LLC — Firebase Cloud Messaging (USA, DPF certified)
- OTA Channel Manager: STAAH Limited (New Zealand) — country with EU adequacy decision (2012)
- In-app purchase and subscription:
  - Apple Distribution International Ltd (IE) — EU entity; any transfers to Apple Inc. (USA) are governed by SCC 2021/914 (Apple does not participate in the DPF)
  - Google Ireland Ltd / Google LLC (USA, DPF certified active)
  - Microsoft Ireland / Microsoft Corp. (USA, DPF certified active)
- Smart locks (optional, if activated): Tuya Smart (CN) — EU SCCs and supplementary measures
- Professional advisors: accountant, attorney, IT consultants, designated as Processors or independent Controllers as needed
OTAs (independent controllers for the traveler relationship)
- Booking.com, Airbnb, Expedia, VRBO, Agoda and approximately 55 other channels connected via STAAH: booking data flows under the contract between the property and the OTA
7.2 International Data Transfers
Some processing involves transfers of personal data outside the European Union. In all cases, safeguards are adopted per Chapter V GDPR:
- USA — EU-U.S. Data Privacy Framework (Commission Decision (EU) 2023/1795): Stripe Inc., Google LLC (Firebase Cloud Messaging), Microsoft Corp., DigitalOcean LLC, certified active under the Framework (verify at dataprivacyframework.gov/list)
- USA — Standard Contractual Clauses (SCC 2021/914): Apple Inc. — Apple does not participate in the DPF; the contractual relationship for EU users is with Apple Distribution International Ltd (Ireland), and any transfers to Apple Inc. (USA) are carried out through SCC and Apple's internal mechanisms
- New Zealand — Adequacy Decision (Commission Decision (EU) 2013/65): STAAH Limited
- China (optional) — Standard Contractual Clauses (SCCs) 2021/914 + supplementary measures: Tuya Smart, only for properties that activate smart locks
- For any transfer without active DPF or adequacy, Vezpa adopts EU SCCs 2021/914 and, where applicable, documented Transfer Impact Assessment (TIA)
7.3 No Sale of Personal Information
Personal data is never disseminated (disclosed to unspecified recipients) and never sold. Vezpa does not sell or "share" personal information for cross-context behavioral advertising as defined under CCPA/CPRA.
8. Your Rights
Under articles 15-22 GDPR (where applicable) and US state privacy laws, you have the right to:
- Access (art. 15 GDPR / right to know under CCPA): obtain confirmation of the existence of your data and receive a copy
- Rectification (art. 16 GDPR / right to correct under CPRA): correct inaccurate or incomplete data
- Deletion (art. 17 GDPR / right to delete under CCPA): obtain the deletion of your data when conditions apply
- Restriction (art. 18 GDPR): restrict processing under certain conditions
- Portability (art. 20 GDPR): receive your data in a structured format and transmit it to another controller
- Objection (art. 21 GDPR / right to opt out under CCPA): object to processing for legitimate reasons; opt out of sale/sharing (Vezpa does not sell)
- Withdraw consent: withdraw your marketing consent at any time
- Non-discrimination (CCPA): you will not be denied service or charged different prices for exercising your rights
Important: For guest data, these rights must be exercised with the property (which is the Data Controller / Business), not directly with Vezpa. Vezpa, as a Data Processor (Service Provider), assists the Data Controller in fulfilling requests under art. 28.3.e GDPR.
Marketing and newsletter
Signing up for commercial communications requires explicit double opt-in consent (confirmation via email link). Every message contains an immediate unsubscribe link, in compliance with the US CAN-SPAM Act. For existing customers, Vezpa may send communications about similar products and services under art. 130.4 D.Lgs. 196/2003 ("soft opt-in") where applicable, with the ability to opt out at any time.
How to exercise your rights
You may exercise your rights by contacting:
We will respond within 30 days (45 days for CCPA requests, extendable by an additional 45 days where reasonably necessary).
Right to Complain
If you believe the processing of your data violates the GDPR, you have the right to file a complaint with the supervisory authority:
Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)
Piazza Venezia, 11 - 00187 Rome, Italy
Email: [email protected]
PEC: [email protected]
Phone: +39 06.696771
Web: www.garanteprivacy.it
US residents may also file complaints with their state Attorney General or the Federal Trade Commission (FTC) where applicable.
9. Minors
The Vezpa PMS service is intended exclusively for individuals over 18 years of age. We do not knowingly collect data from minors. In accordance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect information from children under 13. If a parent or guardian believes that a minor has provided personal data, they may contact us for its immediate deletion.
10. Changes to the Privacy Policy
This Privacy Policy may be modified over time. Any material change will be communicated with appropriate notice through:
- Publication of the new version on the website
- Email notification to registered users
- Informational banner in the reserved area
The last update date is always indicated at the top of the document.
© 2022-2026 Vezpa - All rights reserved