Privacy Policy


pursuant to articles 13 and 14 of EU Regulation 2016/679


This Privacy Policy intends to provide you with information regarding the processing of your personal data by BORGOBRUFA SRL and is made pursuant to articles 13 and 14 of EU Regulation 2016/679 (“GDPR”).


1) Who is the Data Controller and what are the ways to contact him?

The data controller is Borgobrufa Srl in the person of its legal representative, with registered office in Torgiano (PG), Via del Colle 38, 06089, tel. 0759883, mail,, REM


2) How do we collect personal data?

If you contact us directly via our website, by mail or by telephone, in order to request information about our services.

If you buy one of our services, through our website.

If you respond to our marketing campaigns, by filling out a response form, entering data in a form or browsing our website.

If your contact details are communicated to us by a third party, after obtaining your consent.

If our business partners lawfully transfer your personal data to us.

If you attend one of our events.

If you provide personal data of a third party, it is your responsibility to ensure that the interested third party has previously read this Privacy Policy. If you are under 18, please do not provide us with any personal data.


3) What categories of personal data do we collect?

The following categories of personal data concerning you can be collected through the various services and contact channels described in this Privacy Policy:

  1. a) Contact details – name, address, telephone number, email address.
  2. b) Payment data – payment systems chosen by you, for example credit card number, ATM card, IBAN identifier, etc.
  3. c) Complete identification data – personal data of the identity card, passport, driving licence, etc.
  4. d) Interests and preferences – data relating to your interests, including the type of hotel treatment you prefer (for example how you can be reached by telephone at the hotel, your preferred time for meals or beauty treatments, etc.) or the type of ancillary services you are interested in with reference to the catering, the wellness centre, the beauty treatments that we provide.
  5. e) Other personal data – data that you provide to us for the exclusive purpose of personalizing the service.
  6. f) Use of the Site – data relating to the ways in which you use our site, read or forward our communications, including those collected through cookies and other tracking technologies.
  7. g) Your account data – your account data when you access our site.
  8. h) Images – images that portray your person collected through photos and/or videos taken on the occasion of events organized by us.
  9. i) Data relating to your state of health or other data belonging to particular categories – data you provide us with regard to some of your physical conditions such as food allergies or other, for the exclusive purpose of allowing you to take advantage of a better service such as, for example, meals or the opportunity to enjoy the services of the wellness center or beauty treatments in peace and safety.
  10. j) Images collected through the video surveillance system – images that may occasionally portray your person, collected through the video surveillance system.

Therefore, within the limits of the purposes and methods described in this Privacy Policy, “Common personal data” and “Special categories of personal data” may be processed.

For convenience of reference, within this Privacy Policy, the expression “personal data” must be understood as a reference to all your personal data, unless otherwise specified.


4) What are the purposes and legal grounds for processing your personal data (purpose and legal basis of the processing)?


The personal data collected will be processed for the purposes and on the basis of the legal bases set out below:



Legal basis of processing
Categories a), b): for the management of your contractual relationship or to implement pre-contractual measures (such as, for example, the request for information or a quote, the provision of the service). In this case, you are free to provide your data; however, failure to provide it will not allow you to establish the aforementioned relationship and satisfy your request Processing is necessary in relation to the performance of a contract to which you are a party
Category c): for communications required by public safety regulations. Failure to provide data will make it impossible to provide the hotel service in your favour The processing is necessary for a legal obligation
Categories d), e), f), g), h) and i) subject to your specific consent, for the personalization and improvement of the service with specific reference to the catering service, wellness center and beauty treatments. Failure to communicate data does not prevent the service, but prevents its customization and improvement. Your consent
Categories d), e), f), g), h) subject to your specific consent, for the completion (and subsequent use) of surveys and to contact you in order to verify the quality of the service rendered to you and your degree of satisfaction; these activities will still be contained and limited, in the spirit of discretion of our structure. Failure to communicate the data does not prevent the service, but prevents us from knowing your degree of satisfaction and from improving our service. Your consent
Categories a), d), e) subject to your specific consent, to send you promotional communications relating to events organized by the owner or by its commercial partners. However, these activities will be contained and limited, in the spirit of discretion of our structure. Failure to consent prevents us from being able to contact you in relation to our initiatives. Your consent
Category j) images collected by video surveillance system Pursuit of the legitimate interest of the Data Controller, aimed at safeguarding the company assets. In the event of a request to make the images available by the judicial or police authorities, the legal basis is the fulfillment of a legal obligation.


5) How is your personal data processed?

The processing of personal data will take place using manual, computerized or telematic tools, suitable for guaranteeing its security and confidentiality and will be performed by personnel duly trained in compliance with the applicable legislation.

In addition to the cases in which it is necessary to contact you for needs connected to the management of your stay with us, where you consent to the processing of your data for the purposes indicated in point 4, you may be contacted via email, text message or through any electronic means equivalent or by paper mail or call through an operator to all the contact details provided. If you prefer to be contacted only at one or some of these addresses, you can expressly request it to the email address


6) To whom do we communicate your personal data?

Your personal data may be transferred:

Recipients of personal data Scope
Authorized to process personal data pursuant to art. 29 of the GDPR Operational management of the business
Third-party companies that provide support services to the company’s activities, or to professionals with whom specific agreements have been signed pursuant to art. 28 of the GDPR Support in business management
Bodies and/or Authorities possibly appointed by law Legal obligation

Your personal data may also be communicated whenever it is necessary to fulfill requests from the Judicial or Public Safety Authorities. The data collected will not be disseminated under any circumstances.

No transfers of personal data take place outside the EU, not even for the use of “cloud” services.


7) Data retention period

Below is a table that contains indications of retention times (i.e. determination criteria) of personal data:

Purpose Retention period
Categories a), b) (contract) For the entire duration of the relationship and subsequently for 10 years (ordinary prescription)
Category c) (PS communications) The period prescribed by law
Categories d), e), f), g), h), i) (service improvement) Until the end of the service or stay
Categories d), e), f), g), h), i), (satisfaction check) 4 years from collection, due to the possibility of further relations with you and without prejudice to your ability to modify and/or revoke the consent given, at any time
Categories d), e), f), g), h), i), (marketing) 4 years from collection, due to the possibility of further relations with you and without prejudice to your ability to modify and/or revoke the consent given, at any time
Category j) (images) 72 ore


8) What are your rights?

You may, at any time, exercise the rights provided for in articles 15 to 22 of the GDPR and, in particular:

  • ask the Data Controller to access personal data and correct or cancel them or limit their processing;
  • oppose to the processing of your personal data;
  • exercise the right to data portability;
  • revoke the consent at any time without prejudice to the lawfulness of the treatment based on the consent given before the revocation.


Mode of protection

The rights described above can be exercised by making an informal request to the Data Controller at the addresses indicated or at the email address

We will respond to your requests within 30 days of receipt, unless there are special circumstances, in which case it may take up to 60 days to respond.

We inform you that the exercise of some of your rights may be limited by legal provisions.

You can withdraw your consent to marketing activities by following the instructions at the bottom of the marketing email or by contacting

If you believe that your rights have been violated, you have the right to lodge a complaint with the Guarantor Authority for the protection of personal data using the method indicated on the website

This information may be subject to changes. We therefore recommend that you regularly check the privacy section at the following link

Info & reservation

Make your reservation

Book your stay

For the best price

Call now

Do you need more information?

Ask for information