Privacy Policy

This Privacy Policy explains how we collect, use and protect personal data in connection with Villa La Selva and the Vico House Estate (together “we”, “us”, “our”). It applies to:

  • visitors of our website,

  • guests and prospective guests making direct bookings with us (online, by email or telephone),

  • and persons contacting us for information.

Bookings made through third-party platforms (e.g. Airbnb, Booking.com, Oliver’s Travels, Vrbo/FeWo-direkt, Plum Guide etc.) are additionally subject to the privacy policies of those platforms.

1. Data controller

The controller responsible for processing your personal data under applicable data protection laws (including the GDPR) is:

Vico House Società Agricola a R.L.

Via Callaro 4, 51010 Marliana (PT)

Email: ciao(a)vicohouse.com

If you have any questions regarding this Privacy Policy or how we handle personal data, you can contact us using the details above.

2. Categories of personal data we collect

We may collect and process the following categories of personal data:

 a) Identification and contact details

  • first and last name

  • email address

  • telephone number

  • postal address

  • country of residence

b) Booking and stay details

  • dates of stay, number of nights

  • number of guests, names and ages where required

  • special requests (e.g. bed configuration, allergies, late arrival)

  • booking channel (direct, Airbnb, Booking.com, etc.)

  • price, currency, payment status

c) Payment information

For direct bookings, payments are processed via Stripe. We do not store full card numbers on our systems. We receive limited payment-related information such as:

  • last digits of card, card type

  • transaction ID and status

  • amount and date of payment

d) Communication data

  • content of emails and messages you send us

  • information you provide via contact forms or enquiry forms

  • notes relating to your stay (e.g. preferences, issues raised, solutions provided)

e) Website and technical data

When you visit our website, our hosting provider may process:

  • IP address and approximate location

  • date and time of access

  • pages viewed, referring website, browser type and device

  • cookies and similar technologies (see Section 7 – Cookies)

If we use web analytics or tracking tools (e.g. Google Analytics, Meta Pixel), these will also process technical and usage data – see Section 7.

3. How we collect your data

 We collect personal data in the following ways:

  • Directly from you, when you:

    • send us an enquiry by email, telephone or via contact form

    • make a direct booking via our website / booking system

    • communicate with us before, during or after your stay

  • Via our online booking system, provided by our channel manager / booking software (e.g. Smoobu). In this case, your data is entered into the booking form and transmitted to us securely via that system.

  • Via third-party booking platforms such as Airbnb, Booking.com, Oliver’s Travels, Vrbo/FeWo-direkt, Plum Guide etc. These platforms share with us only the data necessary to manage your reservation (e.g. name, number of guests, dates of stay, messages). We do not control how these platforms collect or process data; please refer to their respective privacy policies.

  • Automatically, when you visit our website, via server logs and cookies (see Section 7).

4. Purposes and legal bases of processing

 We process personal data only where we have a legal basis under applicable law, in particular under Art. 6 GDPR. The main purposes and legal bases are:

a) Booking management and performance of the contract (Art. 6(1)(b) GDPR)

 We use your data to:

  • process and confirm bookings

  • communicate with you before, during and after your stay

  • prepare your arrival and manage check-in/check-out

  • organise additional services (e.g. private chef, housekeeping, transfers)

  • handle cancellations, date changes and complaints

b) Legal obligations (Art. 6(1)(c) GDPR)

 We may process data to comply with legal requirements, for example:

  • guest registration with local authorities (public security regulations)

  • accounting, invoicing and tax documentation

  • fulfilment of obligations under tourism and lodging laws

c) Legitimate interests (Art. 6(1)(f) GDPR)

We may process data where necessary to protect our legitimate interests, such as:

  • securing and protecting our property and systems

  • enforcing house rules and Terms & Conditions

  • preventing fraud or abuse

  • defending legal claims or exercising legal rights

  • maintaining and improving the operation of our website and services

When we rely on legitimate interests, we balance these against your rights and expectations.

d) Consent (Art. 6(1)(a) GDPR)

 In certain cases we may ask for your consent, for example:

  • if we wish to send you newsletters or marketing emails beyond what is necessary to manage your booking

  • if we use optional cookies or analytics tools that are not strictly necessary for the functioning of the website

You may withdraw your consent at any time with effect for the future.

5. Sharing of personal data

We only share personal data where necessary and appropriate, in particular with:

  • Service providers who support us in operating the property and website (e.g. IT/hosting providers, booking system provider such as Smoobu, payment service provider Stripe, cleaning and maintenance service providers, private chefs). These parties process personal data only on our instructions and under appropriate contractual safeguards.

  • Third-party booking platforms (Airbnb, Booking.com, Oliver’s Travels, etc.) when required to manage bookings made via those platforms (e.g. to respond to messages, handle complaints or verify bookings). In these cases, the platform itself is usually also a controller.

  • Public authorities, if required by law, for example for guest registration with local police or tourism authorities, or in response to lawful requests by regulatory bodies.

We do not sell your personal data.

6. International transfers

Some of our service providers (for example Stripe or certain booking/IT providers) may process personal data in countries outside the European Union (EU) or European Economic Area (EEA).

Where this is the case, we take appropriate steps to ensure that your data is protected, for example by:

  • ensuring that the country has an adequacy decision from the European Commission, or

  • entering into standard contractual clauses or similar agreements that provide appropriate safeguards.

You can contact us if you wish to know more about the specific safeguards used for data transfers in your case.

7. Cookies and similar technologies

Our website may use cookies and similar technologies (e.g. local storage, tracking pixels) to:

  • ensure basic functionality and security of the site

  • remember language or display preferences

  • analyse usage to improve our content and services

  • integrate third-party services (e.g. embedded booking tool or maps)

Strictly necessary cookies are required for the proper operation of the site and do not require consent.

If we use analytics or marketing cookies (for example Google Analytics or Meta Pixel), these may only be activated based on your consent, which can usually be provided or withdrawn via a cookie banner or settings tool on the site.

 You can also control cookies via your browser settings by deleting existing cookies or blocking certain types. This may, however, affect the functionality of the website.

8. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and to comply with legal obligations. In particular:

  • Booking and billing data are usually kept for the duration of the contractual relationship and for an additional period required by tax and accounting laws.

  • Guest registration data may be retained in line with public security and tourism regulations.

  • Email correspondence and complaint records may be kept for a reasonable period to enforce or defend legal claims.

  • Technical logs may be kept for a short period for security and troubleshooting purposes.

After the relevant retention period has expired, data will be deleted or anonymised, unless we are legally required or permitted to keep it longer.

9. Your rights as a data subject

Under the GDPR and applicable data protection law, you have the following rights in relation to your personal data:

  • Right of access – to obtain confirmation as to whether we process your personal data and, if so, information about this data.

  • Right to rectification – to have inaccurate or incomplete personal data corrected.

  • Right to erasure – to request deletion of your personal data in certain circumstances.

  • Right to restriction of processing – to request that we restrict processing in certain situations.

  • Right to data portability – to receive personal data you have provided to us in a structured, commonly used and machine-readable format, where processing is based on consent or contract and is carried out by automated means.

  • Right to object – to object, on grounds relating to your particular situation, to processing based on our legitimate interests; and to object at any time to the use of your data for direct marketing.

  • Right to withdraw consent – where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal.

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, your place of work or the place of the alleged infringement.

 To exercise your rights, please contact us using the contact details in Section 1. We may need to verify your identity before responding to your request.

10. Security of your data

We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

 However, no system or transmission over the internet can be guaranteed to be 100% secure. We therefore cannot promise absolute security, but we strive to protect your data to the best of our ability and in accordance with legal requirements.

11. Links to other websites

 Our website may contain links to third-party websites (e.g. booking platforms, social media, partners). We are not responsible for the content or privacy practices of these external sites. We recommend that you read their privacy policies before providing personal data.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or the services we offer. The updated version will be published on our website and will apply from the date of publication.

 We encourage you to review this Privacy Policy periodically.

13. Contact

 If you have any questions, concerns or requests regarding this Privacy Policy or your personal data, you can contact us at:

Vico House Società Agricola a R.L.

Via Callaro 4, 51010 Marliana (PT)

Email: ciao(a)vicohouse.com