Privacy Policy must be drafted in compliance with the EU General Data Protection Regulation (GDPR) 2016/679, explicitly stating the role of third-party service providers such as Smoobu and PayPal.

Privacy Information (EU Regulation 2016/679)

1. Data Controller

The Data Controller of personal data is: Hello Verona, located at Via Campagnol di Tombetta 65, Verona, contactable via email at info@helloverona.net .

2. Purpose and Legal Basis of Processing

Personal data are processed in accordance with Article 6, paragraph 1 of the GDPR for:

• Performance of the Contract (letter b): Complete management of the booking, provision of accommodation services, and guest assistance.
• Compliance with Legal Obligations (letter c): Mandatory communication of data to Public Security authorities and management of fiscal obligations (e.g., tourist tax).

Failure to provide the required personal data (such as identification data) will make it impossible to properly execute the contract.

3. Categories of Data and Processing Methods

The categories of collected data include Registration and Contact Data, Transaction Data, and Technical Usage Data (such as IP address and browsing statistics, including data collected through Cookies). Processing is carried out securely, mainly using electronic means.

4. Recipients and Data Transfer

Your personal data may be disclosed to the following recipients:

• Public Authorities: To comply with legal obligations (e.g., Police, Revenue Agency).
• Smoobu GmbH (Data Processor): We use Smoobu software for booking management. Smoobu operates as a service provider in compliance with the GDPR.
• PayPal (Payment Processor): Data required for transactions are processed by PayPal, which acts as an external entity. Users are encouraged to consult PayPal’s Privacy Policy for specific details regarding the processing of financial data and purchase protection.

5. Rights of the Data Subject

Users can exercise at any time the rights provided by the GDPR (Articles 15-22), including the right of access, rectification, erasure, restriction of processing, and, if applicable, data portability to another controller. Consent withdrawal, if applicable (e.g., for marketing purposes), can be made at any time through informal communication.