1. Data Controller
The Data Controller is The Urban Group, a non-entrepreneurial short-term rental based in Bari, Italy. For any request you can write to theurbanlodgebari@gmail.com or theurbanravanas@gmail.com.
2. Data processed
For each adult or minor guest the following data is collected:
- first name, last name, date and place of birth, citizenship, gender;
- type, number, date and place of issue of the ID document;
- copy (front/back) of ID card or passport;
- face photo (selfie) for identity verification, where required;
- reference email and phone number;
- arrival and departure dates, assigned property.
3. Purposes and legal bases
- Compliance with Public Security obligations (Article 109 R.D. 18/06/1931 n. 773 — TULPS, Ministerial Decree 7/01/2013 and subsequent provisions of the Italian Ministry of the Interior) through transmission of guest data to the competent Police Headquarters via the State Police portal Alloggiati Web — legal basis: legal obligation (Art. 6.1.c GDPR).
- Tax and tourism compliance, including communication of data for the municipal tourist tax and ISTAT statistics — legal basis: legal obligation (Art. 6.1.c GDPR).
- Performance of the short-term rental contract, check-in management, delivery of access instructions and assistance during the stay — legal basis: contract (Art. 6.1.b GDPR).
- Fraud prevention and protection of the property and guests — legal basis: legitimate interest of the Controller (Art. 6.1.f GDPR).
4. Nature of the data provision
Providing the data required by Public Security and for tax/tourism purposes is mandatory; refusal makes it impossible to access the property and to perform the contract. The face photo is requested only for identity verification when check-in is performed remotely.
5. Processing methods
Data is collected through the digital check-in form and processed with electronic tools, over encrypted channels (TLS) and with appropriate technical and organizational measures, in compliance with Articles 25 and 32 GDPR. Access is restricted to authorized personnel and to providers expressly appointed as Processors.
6. Check-in service provider
The digital check-in service is provided by specialized vendors (e.g. Chekin Booking Systems S.L. or equivalent) appointed as Processors under Article 28 GDPR. Such vendors process data solely on behalf of the Controller, under a specific agreement and with adequate security guarantees.
7. Recipients
- Police Headquarters of Bari, through the Alloggiati Web portal (State Police).
- Municipality of Bari for tourist tax and tourism compliance.
- Puglia Region and ISTAT for mandatory statistical surveys.
- Digital check-in, hosting, email and cloud infrastructure providers, appointed as Processors.
- Public Authorities where required by law.
8. Transfers outside the EU
Some providers may process data outside the European Economic Area. Such transfers take place only on the basis of adequacy decisions of the European Commission or Standard Contractual Clauses, in accordance with Articles 44 et seq. GDPR.
9. Retention
- Data transmitted to the Public Security Authority: retained within the timeframes set by applicable law (transmission occurs within 24 hours of arrival; data remains available on the Alloggiati Web portal within statutory limits).
- Copy of the ID document: deleted once statutory obligations are fulfilled and, in any case, not beyond the period strictly necessary for identity verification and the mandatory notification.
- Stay and contractual data: 10 years for tax and civil purposes.
10. Data subject rights
You may exercise the rights under Articles 15-22 GDPR at any time:
- access, rectification, erasure of data;
- restriction and objection to processing;
- data portability;
- withdrawal of any consent given;
- lodging a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
Rights of erasure, restriction and objection cannot be exercised in relation to data whose processing is imposed by legal obligations.
11. Minors
Data of minors is collected exclusively to comply with Public Security obligations and must be provided by the parent or legal guardian, who guarantees its accuracy.
12. References
For the full data processing framework please refer to the general Privacy Policy and the Cookie Policy.