Privacy Policy
Privacy information on the processing of personal data pursuant to Regulation (EU) 2016/679 (GDPR) and Legislative Decree 196/2003 (Italian privacy code).
Last updated: March 2025.
1. Data Controller
The data controller for personal data is Ospite Smart, based in Italy.
To exercise the rights provided by GDPR (access, rectification, erasure, restriction, data portability, objection, withdrawal of consent) or for any privacy-related question, you can contact us via the Contact page.
2. Types of data collected and purposes
We collect and process the following data based on your interactions with the site and the service.
2.1 Registration and user account
Data collected: name (or company name), email address, password (stored as a hash computed with the bcrypt algorithm).
Purpose: creation and management of the account, authentication at login, service communications.
Legal basis: performance of the contract (provision of the requested service).
2.2 Session and security
Data collected: the site uses session cookies (e.g. a session identifier) and protection mechanisms against cross-site request forgery (CSRF). Session data can include user identifier, IP address and browser user agent, stored on the server for the duration of the session (which expires after approx. 2 hours of inactivity).
Purpose: to ensure the proper operation of the reserved area (login, dashboard, platform management) and the security of operations (protection against unauthorized access and CSRF attacks).
Legal basis: legitimate interest (security and proper functioning of the service).
2.3 Purchase and payment (one-time payment)
Data collected: during checkout we store in session the amount to pay, the applied discount code (if any), and the user identifier. Card payment is handled by Stripe (redirect to the Stripe page); PayPal account payment is handled by PayPal (redirect to the PayPal page). We do not store or have access to card data or PayPal credentials; such data are processed directly by Stripe and PayPal according to their respective privacy notices.
After payment confirmation, we record: user identifier, subscription identifier, the payment gateway used (stripe, paypal, coupon or manual), the gateway transaction identifier (where available), amount paid, currency, status (completed/failed), date and time of payment.
Purpose: activation of the service (digital guide), contractual performance, retention of payment proofs and compliance with fiscal and accounting obligations.
Legal basis: performance of the contract; legal obligation (retention of documents related to transactions).
2.4 Platform setup (digital guide)
Data collected: subdomain chosen by the user, property/platform name, logo (image file, format JPG/PNG/GIF/WebP, max 200 KB), primary color of the guide, contact email (optional), phone (optional), website (optional), links to social profiles (Instagram, Facebook, X, LinkedIn, YouTube). In addition, customizable titles and texts (e.g. page title, welcome message, "About us" text) in Italian and English.
Purpose: to create and personalize the public digital guide associated with the user (page accessible via a unique subdomain), and manage the content and settings shown to guests.
Legal basis: performance of the contract.
2.5 Guide sections/pages (content)
Data collected: for each section (up to 10 per platform): slug (URL identifier), icon name, title in Italian and English, HTML textual content (Italian and English) entered via the editor, and any attached document (one file per section, format PDF/JPG/PNG, max 1 MB). HTML contents are sanitized by the system to avoid scripts or dangerous links.
Purpose: publication and updating of the informational content of the digital guide (WiFi, schedules, house rules, contacts, etc.) in multilingual mode.
Legal basis: performance of the contract.
2.6 Contact forms (public site)
Data collected: name and surname, email address, message subject and message text.
Purpose: to respond to requests sent through the form, provide assistance and manage pre-contractual or support communications.
Legal basis: legitimate interest (responding to user requests) and, where applicable, execution of pre-contractual measures.
2.7 Cookie preferences
Data collected: the user’s expressed cookie choice (total acceptance, refusal of non-essential cookies, or blocking of all cookies) is stored locally in the browser (localStorage) with key cookie_consent. This is not a cookie but a similar technology used to store a preference.
Purpose: to respect the user’s choice and not repeat the consent request on every visit.
Legal basis: legitimate interest (respecting preferences) and, where required by law, consent.
3. Data retention
- Account and registration data: kept for the entire duration of the account. In case of account closure or deletion request, data are deleted or anonymized within the necessary technical times, subject to legal obligations.
- Session data: the session expires after a period of inactivity (about 2 hours); session files on the server may be deleted periodically by the system.
- Payment and subscription data: stored for the time necessary to provide the service and for compliance with legal, fiscal and accounting obligations (in Italy generally at least 10 years for documents relevant for tax purposes).
- Platform content (digital guide): kept for the entire duration of the contractual relationship; in case of termination, it may be deleted or kept in backups for a limited period according to internal policies.
- Messages from the contact form: kept for the time necessary to handle the request and for any follow-up; they may be archived for a reasonable period (e.g. 24 months) for reference, unless a deletion request is made.
4. Recipients and transfers of data
Data may be disclosed to:
- Payment service providers: Stripe (Stripe, Inc.) and PayPal (PayPal Europe S.à r.l. and/or related entities) for payment processing. Such entities operate in accordance with their respective privacy notices and, for transfers outside the EU, with standard contractual clauses or adequate safeguards under GDPR.
- Hosting and infrastructure: data are hosted on servers managed by the data controller or by hosting providers (in the EU or with adequate guarantees).
- External resources loaded by pages: site pages may include resources (fonts, icons, scripts) from third-party domains (e.g. Google Fonts, Cloudflare CDN for Font Awesome and JavaScript libraries). Access to these resources may involve sending your IP address and browser information to the third-party provider; for details, refer to Google and Cloudflare privacy notices. We do not use profiling cookies or third-party analytics without your consent.
We do not sell or transfer your personal data to third parties for marketing purposes without your explicit consent.
5. Rights of the data subject
Under the GDPR you have the right to:
- Access: obtain confirmation about the existence of data concerning you and receive a copy.
- Rectification: obtain correction of inaccurate or incomplete data.
- Erasure: obtain the deletion of data in the cases provided for by law (e.g. withdrawal of consent, data no longer necessary).
- Restriction: have processing restricted in certain circumstances.
- Data portability: receive data in a structured, commonly used format and transmit them to another controller where technically possible.
- Objection: object to processing based on legitimate interests for legitimate reasons.
- Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
You can exercise your rights by contacting us via the Contact page. You also have the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it).
6. Security
We adopt appropriate technical and organizational measures to protect data from unauthorized access, loss, destruction or alteration, including: hashing of passwords (bcrypt), protection of forms with anti-CSRF tokens, validation and sanitization of inputs (including sanitization of HTML in published content), limiting access to management environments, and using secure connections (HTTPS) where configured.
7. Minors
The service is not intended for minors under 16 years of age. We do not knowingly collect data from minors; in case of proven collection of minors’ data without parental/guardian consent, we will proceed with deletion.
8. Updates to this privacy notice
This privacy notice may be updated to reflect changes to the service or applicable regulations. The current version is always available on this page, along with the date of the last update. In case of material changes, we will inform you via notice on the site or, where possible, via email.