Privacy Policy
1. Data we collect
- Account data: name, work email, phone, company / property, VAT / P.IVA / codice fiscale, role.
- Operational data: reservations, rate plans, room mappings, extranet activity logs.
- Support tickets: messages, attachments and call recordings.
- Marketing data: IP, user-agent, page views (only with cookie consent — see Cookie Policy).
2. Legal basis
Contract performance for account and operational data (art. 6(1)(b) GDPR and art. 6 of the Italian Codice della Privacy, D.Lgs. 196/2003 as amended by D.Lgs. 101/2018); consent for marketing data; legal obligation for tax and audit records (kept 10 years in line with Italian tax law).
3. Sharing
We disclose data to: OTA partners that the Client explicitly connects; PMS platforms the Client asks us to integrate with; payment providers (Stripe, Nexi) to process invoices; and, when required, Italian authorities (Agenzia delle Entrate, Guardia di Finanza, Autorità Giudiziaria).
4. Retention
Account and operational data — for the duration of the contract plus 12 months. Tax records — 10 years. Support tickets — 3 years. Marketing tracking — 13 months from last consent, in line with Garante Privacy guidance.
5. Data subject rights
You may request access, rectification, deletion, restriction or portability by emailing compliance@roomcloudhotels.org. Response within 30 days. You may also file a complaint with the Garante per la Protezione dei Dati Personali — Piazza Venezia 11, 00187 Roma — under Regulation (EU) 2016/679 and the Codice della Privacy (D.Lgs. 196/2003).
6. Security
Encryption in transit (TLS 1.3), encryption at rest (AES-256), quarterly access reviews, ISO 27001-aligned internal controls. Incident notification to affected clients and the Garante within 72 hours as required by art. 33 GDPR.
7. International transfers
Primary hosting is in the EU (Frankfurt and Milano regions). Sub-processors outside the EU are engaged only under Standard Contractual Clauses and a documented Transfer Impact Assessment.