Privacy Policy
This policy describes how NUN Assisi Relais & Roman Spa collects, processes, and protects the personal data of users of the website nunassisi.com, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Italian data-protection law.
Data Controller
The Data Controller for personal data collected through the website nunassisi.com is STRUCTURAE srl, registered office at Via Gramsci 9, 06083 Bastia Umbra (PG), Italy, operating the hospitality property "NUN Assisi Relais & Roman Spa" located at Via Eremo delle Carceri 1A (Piazza Giacomo Matteotti), 06081 Assisi (PG), Italy.
Tax code / VAT no.: 02821890544
CIN: IT054001A101x016278
For any request relating to the processing of personal data, the Controller can be contacted at:
- Email: reception@nunassisi.com
- Phone: +39 075 815 5150
- Postal address (property): NUN Assisi Relais & Roman Spa, Via Eremo delle Carceri 1A, 06081 Assisi (PG), Italy
- Registered office: STRUCTURAE srl, Via Gramsci 9, 06083 Bastia Umbra (PG), Italy
Data Collected and Purposes of Processing
The website collects and processes the following categories of personal data.
a) Data voluntarily provided by the user
First name, last name, email address, phone number, and any other data entered in the contact forms, information-request forms, or newsletter subscription form. Such data are processed to respond to the user's requests, provide the requested information and, with consent, send promotional communications and newsletters.
b) Browsing data
IP address, browser type, operating system, pages visited, session duration, error events, and technical logs. Such data are collected automatically in aggregated and anonymized form, for technical, statistical, and site-security purposes.
c) Booking and purchase data
In the case of a hotel stay booking, spa treatment, table reservation at Benedikto restaurant, or voucher purchase, the user is redirected to external platforms (see the "Third-party services" section). Data entered on those platforms are processed directly by the respective autonomous Data Controllers, according to their own privacy policies. The Controller of nunassisi.com does not have direct access to the user's payment data.
Legal Basis for Processing
Personal data is processed on the following legal bases:
- Consent of the data subject (Art. 6(1)(a) GDPR), for sending promotional communications, newsletter subscriptions, and the use of non-technical (third-party) cookies.
- Performance of a contract or pre-contractual measures requested by the data subject (Art. 6(1)(b) GDPR), to act on information requests and bookings.
- Compliance with legal obligations (Art. 6(1)(c) GDPR), for tax, accounting, and public-safety obligations.
- Legitimate interest of the Controller (Art. 6(1)(f) GDPR), for site security, fraud prevention, legal defense, and aggregated statistical purposes.
Third-Party Services
The website nunassisi.com integrates services provided by third parties, which may collect and process personal data independently as autonomous Data Controllers, or as Data Processors appointed by the Controller under Art. 28 GDPR. For each service, the role, data processed, location of the provider, and link to the relevant privacy policy are set out below. Users are invited to consult the privacy policies of the individual providers carefully before interacting with the relevant services.
Lettermint B.V. — transactional email and newsletter delivery
Role: External Data Processor under Art. 28 GDPR.
Data processed: email address, contact-form content, newsletter subscription data.
Provider location: Lettermint B.V., Willemsvaart 16b, 8019 AB Zwolle, Netherlands (European Union).
Processing location: servers located exclusively within the European Union / European Economic Area.
Privacy policy: https://lettermint.co/privacy-policy
Data Processing Agreement: https://lettermint.co/dpa
Sub-processors list: https://lettermint.co/subprocessors
Linode LLC, a subsidiary of Akamai Technologies, Inc. — media hosting
Role: External Data Processor under Art. 28 GDPR (Object Storage service).
Data processed: media files uploaded by the Controller; no end-user identifying data is processed.
Provider location: Akamai Technologies, Inc., 145 Broadway, Cambridge MA 02142, United States of America.
Non-EU transfer: covered by Standard Contractual Clauses (decision 2021/914/EU) executed between the Controller and the provider.
Privacy policy: https://www.akamai.com/legal/privacy-statement
Bonkdo / Mybeezbox (SAS My Selling Tools) — voucher purchase platform
Role: External Data Processor under Art. 28 GDPR. STRUCTURAE srl (operating as NUN Assisi Relais & Roman Spa) remains the Data Controller; Mybeezbox operates as the technical provider of the Bonkdo platform, embedded in the site via iframe.
Data processed: user identification, contact, and payment data, IP address, voucher purchase data.
Provider location: France (European Union).
Privacy policy: https://nunassisi.shop.bonkdo.com/en/privacy
TheFork SAS (Tripadvisor group) — table reservations at Benedikto restaurant
Role: Autonomous Data Controller for the purposes of its own reservation platform (account management, communications, loyalty programme). For the sole purpose of the table reservation at Benedikto restaurant, TheFork also acts as External Data Processor on behalf of STRUCTURAE srl (operating as NUN Assisi Relais & Roman Spa).
Data processed: reservation data, contact data, IP address.
Provider location: TheFork SAS, 33 Avenue de Wagram, 75017 Paris, France (European Union).
The reservation is concluded directly on the TheFork platform, integrated in the site via a widget loaded after the user's consent.
Privacy policy: https://www.thefork.it/privacy
Isidoro Software (365 BIT srls) — hotel reservation system
Role: External Data Processor under Art. 28 GDPR. STRUCTURAE srl (operating as NUN Assisi Relais & Roman Spa) remains the Data Controller; 365 BIT srls provides the technical booking platform used at the booking.isidorosoftware.com subdomain.
Data processed: identification, reservation, and payment data.
Provider location: 365 BIT srls, Via Becchetti 99, 06081 Assisi (PG), Italy — VAT no. 02614550395.
Provider cookie policy: https://isidorosoftware.com/cookie-policy-ue/
Meta Platforms, Inc. (Instagram, Facebook) — links to official social pages
Role: Autonomous Data Controller on the respective social networks.
Data processed: no data is collected on nunassisi.com itself; the links in the footer and menu redirect to the official social pages, where the respective privacy policies apply.
Privacy policies: https://www.facebook.com/privacy/policy/ — https://help.instagram.com/519522125107875
Google Analytics 4 (when enabled)
Role: External Data Processor, with IP-anonymization configured. Without such configuration, the provider operates as an autonomous Controller.
Data processed: IP address (anonymized), pages visited, device, browser, site-interaction data.
Location: United States of America (transfer covered by Standard Contractual Clauses).
Cookies: the service installs statistical / profiling cookies that require the user's prior consent, collected through a cookie banner compliant with the Italian Data Protection Authority's guidelines.
Privacy policy: https://policies.google.com/privacy
Hapto Studio — technical maintenance of the website
Role: External Data Processor under Art. 28 GDPR, limited to website maintenance, development, and technical support activities. Hapto Studio operates under the Controller's instructions and does not use the data for its own purposes.
Data Retention
Personal data is retained only for the time strictly necessary to achieve the purposes for which it was collected:
- Contact and information-request data: 24 months from the last useful contact.
- Newsletter subscription data: until the user withdraws consent.
- Data related to concluded bookings: for the period required by law (10 years for tax and accounting obligations).
- Browsing data and technical logs: maximum 12 months, unless otherwise required by law.
Once these periods have expired, the data is deleted or irreversibly anonymized.
Transfers of Data Outside the European Union
Some of the service providers listed in this policy are based outside the European Union, in particular in the United States of America (Linode, Meta, Google). In such cases, the transfer of data takes place exclusively to countries that guarantee an adequate level of protection under the GDPR, or on the basis of specific contractual safeguards such as the Standard Contractual Clauses approved by the European Commission (decision 2021/914/EU).
Rights of the Data Subject
The data subject has the right to exercise, at any time, the following rights vis-à-vis the Data Controller:
- Access to personal data (Art. 15 GDPR);
- Rectification of inaccurate or incomplete data (Art. 16 GDPR);
- Erasure of personal data ("right to be forgotten", Art. 17 GDPR);
- Restriction of processing (Art. 18 GDPR);
- Data portability (Art. 20 GDPR);
- Objection to processing (Art. 21 GDPR);
- Withdrawal of consent at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal;
- Complaint to the supervisory authority (in Italy: Garante per la Protezione dei Dati Personali, www.garanteprivacy.it).
Requests can be sent in writing to reception@nunassisi.com. The Controller will respond within the terms set by applicable law, usually within one month of receiving the request.
Cookies
The website uses technical cookies, necessary for the correct functioning of the pages, which do not require the user's consent under applicable law.
If third-party cookies for statistical or profiling purposes are activated (for example Google Analytics), these will be installed only with the user's prior consent, collected through a cookie banner compliant with the Italian Data Protection Authority's guidelines.
The user can change their cookie preferences at any time through the dedicated management panel, or disable cookies through their browser settings.
For more details on the cookies used and their purposes, please refer to the "Third-party services" section of this policy.
Updates to This Policy
The Controller reserves the right to modify this policy at any time, with notice to users through the publication of the updated version on the website. Users are invited to consult this page periodically to stay informed about how their personal data is processed.
Last updated: [date to be inserted at publication].
Contact
For any question or request relating to this policy or the processing of personal data, the Controller can be contacted at:
Data Controller: STRUCTURAE srl
Registered office: Via Gramsci 9, 06083 Bastia Umbra (PG), Italy
Tax code / VAT no.: 02821890544
Property: NUN Assisi Relais & Roman Spa
Address: Via Eremo delle Carceri 1A (Piazza Giacomo Matteotti), 06081 Assisi (PG), Italy
Email: reception@nunassisi.com
Phone: +39 075 815 5150