Privacy Policy
Information notice on the processing of Personal Data for users and visitors of sirenuse.it
pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR)
This notice is provided to inform users and visitors of the principles governing the use of personal data supplied when accessing our web services, with particular regard to privacy and confidentiality.
This page describes how the website sirenuse.it operates with respect to the processing of personal data of users and visitors who browse it. It constitutes an information notice issued pursuant to Regulation (EU) 2016/679 (the “GDPR”) and in accordance with applicable data protection legislation, addressed to those who interact electronically with the services available on this website, accessible from the address www.sirenuse.it.
This notice applies solely to the website sirenuse.it and does not extend to any third-party websites accessible through links contained herein.
Data Controller and Place of Processing
The website sirenuse.it:
- is the property of Le Sirenuse S.p.A., trading as Albergo Le Sirenuse, VAT no. 02397010659, with registered office at Via San Sebastiano, 2, Positano (SA). Authorised internal staff carry out all processing activities related to the management of services and requests submitted through this website. As Data Controller, Le Sirenuse S.p.A. undertakes to ensure full compliance with applicable data protection legislation;
- is entrusted, for content management and the booking engine, to Positioner SA, Lugano, Centro Monda 3, 6528 Camorino, Switzerland;
- is hosted on the server farm of iWay AG, headquartered in Zurich, Switzerland, where processing activities are limited exclusively to technical services.
Switzerland has been recognised by the European Commission as a country ensuring an adequate level of protection for personal data.
Other parties operating in connection with the services of this website include:
- Google LLC, Mountain View (USA), for web traffic analysis services (Google Analytics) and tag management (Google Tag Manager) — the transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Article 46 GDPR, supplemented, where necessary, by appropriate technical and organisational measures to ensure an equivalent level of protection;
- Meta Platforms Ireland Ltd, Dublin (Ireland), for advertising conversion tracking via Meta Pixel — this processing is carried out exclusively on the basis of the data subject's explicit prior consent. Meta Platforms Ireland Ltd may act as a joint controller in respect of the collection and transmission phase of data, in accordance with the terms and conditions of the platform;
- Oracle Corporation (Oracle Hospitality), Austin (USA), as provider of the Opera Cloud hotel management system with which the website's booking engine integrates via asynchronous API calls — the transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Article 46 GDPR;
- Cloudflare Inc., San Francisco (USA), as provider of security and performance optimisation services (CDN/WAF) through which the website's traffic passes — the transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Article 46 GDPR;
- Microsoft Ireland Operations Ltd, Dublin (Ireland), as provider of the Microsoft Advertising service for advertising conversion tracking (bat.bing.net) — this processing is carried out exclusively on the basis of the data subject's explicit prior consent; transfers to third countries where applicable are safeguarded by Standard Contractual Clauses pursuant to Article 46 GDPR.
- Positioner SA (Centro Monda 3, 6528 Camorino, Switzerland) and Klaviyo, Inc. (125 Summer Street, Boston, MA 02110, USA), respectively as primary Data Processor and sub-processor pursuant to Article 28(4) GDPR, for the management of subscriber lists, audience segmentation, campaign contents, and email delivery of newsletter and commercial communications sent on the basis of the data subject's explicit consent (Article 6(1)(a) GDPR). Positioner SA is established in Switzerland, a country recognised by the European Commission as ensuring an adequate level of protection for personal data. The transfer of data to Klaviyo, Inc. in the United States is safeguarded by Standard Contractual Clauses pursuant to Article 46 GDPR.
Other third parties that may require access to personal data held on this website may be appointed as Data Processors by the Controller. An up-to-date list of processors may be requested from the Data Controller.
Users and visitors are requested to read this notice carefully before submitting any personal information or completing any electronic form on the website. Browsing this website does not, in itself, constitute a legal basis for the processing of personal data pursuant to Article 6 GDPR. Processing activities that require the data subject's consent are carried out solely upon its prior collection in the manner prescribed by applicable legislation.
Purposes and Legal Basis of Processing
Personal data provided by users and visitors in connection with requests submitted or services used through this website are processed solely for the purpose of responding to such requests or delivering the requested service and are shared with third parties only where strictly necessary. The legal basis for such processing is the need to fulfil a request made by the data subject or to provide a service specifically requested by the data subject (performance of pre-contractual or contractual measures taken at the request of the data subject).
Where the user or visitor additionally provides their consent, data may also be used for commercial communication activities relating to further services offered by the Controller. In such cases, the legal basis for processing is the freely given consent of the data subject.
In all other cases, browsing data are processed to ensure the correct functioning of the website, on the basis of the legitimate interest of the Controller. Any processing carried out using non-anonymised traffic analysis tools (such as, by way of example, Google Analytics) is performed exclusively on the basis of the data subject's prior consent, where it involves the direct or indirect identification of the user.
Categories of Data Processed and Purposes of Processing
Data derived from browsing
The computer systems and software procedures underlying the operation of this website may, in the course of their normal functioning, collect certain personal data whose transmission is implicit in the use of internet communication protocols. This information is not gathered with the intent of associating it with identified individuals; however, by its very nature and through processing and cross-referencing with third-party data, it may enable the indirect identification of users (IP addresses, domain names of computers used to connect, operating system and browser details, timestamps, etc.). Such data may be used solely for statistical purposes in anonymous, aggregated form, and to monitor the proper functioning of the website. It is retained for a limited period, is not disclosed to third parties, and is shared only to the extent strictly necessary for the technical management of the service.
Data voluntarily provided by users and visitors
Where users and visitors voluntarily, explicitly and freely provide their personal data in order to submit requests, access services or subscribe to mailing lists, such data will be collected and processed exclusively to fulfil the relevant request or deliver the requested service. Personal data provided by users and visitors may be communicated to third parties only where this is strictly necessary to respond to the relevant request.
Data relating to cookies and similar technologies
Cookies are small text strings that visited websites deposit on users' devices to enhance the browsing experience and, where applicable, to monitor usage patterns. Some cookies may be retransmitted to the same website on a subsequent visit by the same user, enabling recognition and improving site functionality — for example, cookies that speed up navigation or display content of greatest interest in light of previous choices. In the course of browsing a website, users may also receive on their device cookies sent by different websites or web servers (so-called “third-party” cookies).
Sirenuse.it uses two distinct types of cookies: session cookies, which are used to enable safe and efficient navigation of the website, to recognise the country from which the user or visitor is connecting, to keep the user or visitor logged in during the session, to allow registration and access to personal accounts, and to enable completion of requests. These cookies are not permanently stored on the device and are deleted when the session is closed.
The website may also use persistent cookies to personalise the browsing experience in accordance with the device in use (computer, tablet or smartphone), to analyse access patterns, and to allow content to be shared via social networks or email. These cookies are stored permanently on users' devices and have a variable duration.
Upon first accessing the website, users and visitors may express their consent to the installation of non-technical cookies, which are used exclusively upon receipt of such consent, and/or may view the Cookie Policy, which sets out full details of how consent may be granted or withheld and how preferences may be amended at any time. In particular, non-technical cookies — including profiling cookies and non-anonymised traffic analysis cookies — are installed and activated exclusively following the expression of the user's consent through the dedicated preference management mechanism; in the absence of such consent, these tools remain disabled.
The full and up-to-date Cookie Policy, including the list of all cookies in use, their purposes, duration, and the identity of third-party providers, is managed through the Cookiebot consent management platform, accessible via the cookie preference centre available on the website.
Links to Third-Party Websites
The Controller reserves the right to use and/or present on its website services provided by third parties. With regard to the processing of personal data, such third-party websites may apply different and independent criteria. The Controller therefore disclaims any responsibility for the activities and content of any linked third-party websites.
The website links to the e-commerce section Emporio Sirenuse (emporiosirenuse.com), which is operated by a separate legal entity. The privacy policy of Emporio Sirenuse, available on the relevant website, applies to all processing activities relating to browsing and purchases carried out on that platform. Solely with respect to commercial communication and marketing activities, Le Sirenuse S.p.A. and Emporio Sirenuse act as joint controllers pursuant to Article 26 GDPR, having entered into a joint controllership agreement that governs, in particular, the allocation of responsibilities regarding the management of the legal basis for processing, the exercise of data subjects' rights, and the conduct of marketing activities, it being understood that data subjects may address any request to either joint controller. The legal basis for such processing is the data subject's explicit consent. Data subjects may exercise their rights against either joint controller; the primary point of contact is Le Sirenuse S.p.A., reachable at [email protected].
Multimedia content on the website may be delivered through third-party platforms (Vimeo, YouTube), and typographic fonts may be loaded via Google Fonts (Google LLC, USA); these services may result in the transmission of the user's IP address to the respective servers. Transfers to the United States are governed by Standard Contractual Clauses adopted by the European Commission pursuant to Article 46 GDPR.
Optional Nature of Data Provision
With the exception of browsing data as specified above, users and visitors are free to choose whether or not to provide their personal data. Failure to do so will result solely in the inability to obtain the requested service.
Processing Methods and Retention
All processing is carried out by automated means (e.g. using electronic procedures and equipment) and/or manually (e.g. on paper) for the period strictly necessary to achieve the purposes for which the data were collected, and in any event in accordance with applicable legislative provisions. In particular: browsing data are retained for a period not exceeding 7 days, save where retention is required in connection with the investigation of criminal offences; data voluntarily provided through contact forms, information requests or job applications are retained for the period necessary to handle the relevant request and, in any event, for no longer than 24 months from the date of collection; data relating to reservations and contractual relationships are retained for 10 years in accordance with civil and fiscal obligations. Upon the expiry of the applicable retention period, data are deleted or rendered permanently anonymous.
For processing carried out by Positioner SA and Klaviyo, Inc. acting as Data Processors for email marketing activities, retention periods are governed by the respective contractual arrangements and the privacy policies of the individual providers, to which reference is made. Specific security measures are implemented to prevent the loss, unlawful or improper use of data, as well as any unauthorised access.
Rights of Data Subjects
The data subject has the right, at any time and within the limits and conditions established by law, to obtain confirmation as to whether or not personal data relating to them are being processed and, if so, to obtain access to their data and to the following information:
- the purposes of the processing;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular where located in third countries or international organisations;
- the envisaged retention period for the personal data or, where this is not possible, the criteria used to determine that period;
- all available information as to the source of the data, where personal data have not been collected directly from the data subject;
- the existence of any automated decision-making process, including profiling.
The data subject also has the right to obtain, without undue delay, from the Data Controller:
- the rectification of inaccurate personal data;
- the completion of incomplete personal data, including by means of a supplementary statement;
- the erasure of their personal data (within the limits and cases provided for by applicable legislation);
- the restriction of processing;
- the right to object at any time to the processing of their personal data (Article 21 GDPR), where processing is based on the legitimate interest of the Controller or is carried out for direct marketing purposes;
- the right to withdraw consent at any time, without prejudice to the lawfulness of processing carried out prior to such withdrawal (Article 7 GDPR);
- the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11, 00187 Rome – www.garanteprivacy.it – PEC: [email protected].
In the above cases, the Data Controller shall also notify each recipient to whom the data subject's personal data have been transmitted of any rectification, completion, erasure or restriction of processing, within the limits and in the manner prescribed by applicable legislation.
The data subject further has the right to receive from the Data Controller the personal data concerning them in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance.
Relevant requests should be addressed directly to the Data Controller at the e-mail address [email protected]. Data subjects may also contact the Hotel's Data Protection Officer (DPO) directly by e-mail at [email protected].
This document, published at www.sirenuse.it, constitutes the Privacy Policy of this website and may be updated periodically. The use of information collected is subject to the policy in effect at the time of use.
last updated: April 2026