1. Data Controller
The Data Controller is The Urban Group, a non-entrepreneurial short-term rental operating in Bari, Italy. For any request regarding the processing of personal data, please contact:
- The Urban Lodge: theurbanlodgebari@gmail.com
- The Urban Ravanas: theurbanravanas@gmail.com
2. Categories of data processed
- Contact data: first name, last name, email, phone number.
- Booking data: dates, number of guests, preferences, communications exchanged.
- Guest identification data: copy of ID document, personal details and photo, as required by Italian Article 109 TULPS and Ministry of the Interior provisions.
- Payment data: handled by third-party providers; we do not directly store card details on our systems.
- Browsing data: IP address, technical logs, device identifiers, cookies (see Cookie Policy).
3. Purposes and legal bases
- Handling enquiries and bookings — legal basis: pre-contractual and contractual measures (Art. 6.1.b GDPR).
- Performance of the short-term rental contract — legal basis: contract (Art. 6.1.b GDPR).
- Legal obligations, including communication of guest data to the Public Security Authorities and tax/tourism compliance — legal basis: legal obligation (Art. 6.1.c GDPR).
- Site security and abuse prevention — legal basis: legitimate interest (Art. 6.1.f GDPR).
- Analytics and marketing — legal basis: consent (Art. 6.1.a GDPR), which can be withdrawn at any time.
4. Processing methods
Data is processed using both electronic and paper-based tools, with appropriate technical and organizational measures to ensure confidentiality, integrity and availability, in compliance with Articles 25 and 32 GDPR.
5. Data retention
- Booking and contractual data: for the duration of the relationship and 10 years thereafter for tax and civil purposes.
- Guest ID data for Public Security: within the timeframes set by applicable law.
- Contact communications: for the time needed to handle the request and up to 24 months thereafter.
- Analytics/marketing data: until consent is withdrawn or for up to 24 months.
6. Recipients and processors
Data may be shared with third parties acting as processors, including:
- Digital check-in and Public Security compliance providers (e.g. Chekin) for transmission of data to the competent Authorities.
- Booking and channel-management platforms (e.g. Airbnb, Booking.com).
- Payment and invoicing service providers.
- Hosting, email, cloud infrastructure and analytics providers.
- Professional advisors (accountants, lawyers) and public Authorities where required by law.
7. Transfers outside the EU
Some providers may process data outside the European Economic Area. Such transfers take place only on the basis of adequacy decisions or Standard Contractual Clauses approved by the European Commission, in accordance with Articles 44 et seq. GDPR.
8. Data subject rights
You may exercise the rights under Articles 15-22 GDPR at any time, including:
- access to your personal data;
- rectification and erasure;
- restriction of and objection to processing;
- data portability;
- withdrawal of consent;
- lodging a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
To exercise these rights, please send a request to the contacts listed in section 1.
9. Digital check-in and ID data
To comply with the obligations set out by Article 109 TULPS and by the Italian Ministry of the Interior, guest identification data is collected (also through digital check-in systems) and transmitted to the competent Police Headquarters through the "Alloggiati Web" portal.
10. Changes
This notice may be updated at any time to reflect regulatory or operational changes. The most recent version is always available on this page.