GDPR Privacy Policy

(last updated 17 December 2025)

This Privacy Policy is intended to provide all information on the processing of personal data carried out by Hotel Terme Roma S.r.l. and Hotel Terme Helvetia S.r.l. when the User uses the services provided (as better indicated below).

1. Introduction – who are we?

The personal data of users (hereinafter, ‘Users’) who browse the website sbirziolahotels.com (hereinafter, ‘Website’) are processed by Hotel Terme Roma S.r.l. with registered office in Viale Giuseppe Mazzini, 1 – 35031 Abano
Terme (PD), Tax Code and VAT No. 02006440289, and by Hotel Terme Helvetia S.r.l., with registered office in Via Marzia, 49 – 35031 Abano Terme (PD), Tax Code and VAT No. 00006520282, both companies belonging to the Sbirziola Hotels Group brand.

Each of the aforementioned companies acts as an independent Data Controller (hereinafter, each company individually, the ‘Data Controller’) with regard to the personal data of Users collected in the context of contact and/or booking requests addressed to its facility. The privacy policy pursuant to Articles 13 and 14 of EU Regulation 2016/679 of 27 April 2016 (hereinafter, ‘Regulation’ or ‘Applicable Legislation’) is provided below.

2. How to contact us?

We take the utmost care to respect the right to privacy and the protection of users’ personal data.
Users may contact us at any time using the following methods:

to contact Hotel Terme Roma S.r.l., send an email to info@termeroma.it;
to contact Hotel Terme Helvetia S.r.l., send an e-mail to info@termehelvetia.it

We have not identified a Data Protection Officer (DPO), as we are not subject to
the obligation of designation provided for in Article 37 of the Regulation.

3. Purpose of processing – what do we do?

By browsing the Website, the User can contact us using the appropriate form or through the contacts indicated on the Website, as well as subscribe to our newsletter.

In relation to the activities that can be carried out through the Website, personal data relating to Users is collected.

This Website and any services offered through the Website are reserved for individuals who are at least 18 years of age. We therefore do not collect personal data relating to individuals under the age of 18. At the request of Users, we will promptly delete any personal data unintentionally collected relating to individuals under the age of 18.

Users’ personal data will be processed lawfully for the following purposes:

a) navigation of the Website, i.e. to allow the User to navigate the Website. The User data collected for this purpose includes personal data whose transmission is implicit in the use of Internet communication protocols, which the computer systems and software procedures used to operate the Website acquire during their normal operation (IP addresses or domain names of the computers used by Users, URI addresses – Uniform Resource Identifier addresses of the resources requested, the time
of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server – e.g. successful, error, etc. – and other parameters relating to the User’s operating system and IT environment).

b) processing User requests, i.e. in order to process (i) contact requests received by filling in the appropriate form or by e-mail and (ii) booking requests. The User data collected for this purpose includes the first name, last name, email address, telephone number, payment method details (in the case of bookings) and any additional data voluntarily provided by the User.

c) legal obligations, i.e. to fulfil obligations required by law and to ascertain responsibility in the event of hypothetical computer crimes against the Website.

d) administrative-accounting purposes, i.e. to carry out organisational, administrative, financial and accounting activities, such as internal organisational activities and activities functional to the fulfilment of contractual and pre-contractual obligations.

e) protection of the rights and interests of each Data Controller in court and/or out of court, as well as in administrative proceedings or in arbitration and conciliation proceedings in the cases provided for by law.

Without prejudice to the provisions elsewhere in this Privacy Policy, under no circumstances will we make Users’ personal data accessible to other Users and/or third parties.

The provision of personal data for the processing purposes indicated above is optional but necessary, as failure to provide such data will make it impossible for the User to access the Website and send a contact request.

Data whose provision is mandatory for the above purposes is marked with an asterisk in the relevant collection forms.

4. Additional purposes of processing

4.1 Marketing (sending advertising newsletters, direct sales and commercial communications)

The User’s email address may also be processed for marketing purposes (sending advertising newsletters, direct sales and commercial communications), i.e. so that the User can be contacted by email to offer them the purchase of services offered by the Sbirziola Hotels Group brand, and to present offers and promotions.

This only occurs with the free and optional consent of the User. Failure to consent will not affect the ability to browse the Website or send contact requests.

If consent is given, the User may revoke it at any time by making a request in the manner indicated in paragraph 8 below. The User may also easily object to further promotional communications being sent by e-mail by clicking on the appropriate link in each communication. Following the exercise of the right to object to the sending of advertising newsletters, direct sales and commercial communications via e-mail, it is possible that, for technical and operational reasons (e.g. contact lists already completed shortly before receipt of the objection request), the User may continue to receive some additional promotional messages. If the User continues to receive promotional messages after 24 hours have elapsed since exercising the right to object, please report the problem using the contact details indicated in paragraph 2 above.

5. Legal basis – why can we process data?

Website navigation (as described in paragraph 3, letter a) above): the legal basis is Article 6(1)(b) of the Regulation, i.e. processing is necessary for the performance of a contract to which the User is party or in order to take steps at the User’s request prior to entering into a contract.

Fulfilling User requests (as described in paragraph 3, letter b) above): the legal basis is Article 6, paragraph 1, letter b) of the Regulation, as processing is necessary for the performance of pre-contractual measures taken at the User’s request.

Legal obligations (as described in paragraph 3, letter c) above): the legal basis is Article 6, paragraph 1, letter c) of the Regulation, as the processing is necessary to comply with legal obligations.

Administrative and accounting purposes (as described in paragraph 3, letter d)): the legal basis consists of Article 6, paragraph 1, letter b) of the Regulation, as the processing is necessary for the performance of a contract and/or the implementation of pre-contractual measures taken at the request of the User.

Protection of the rights and interests of each Data Controller (as described in paragraph 3, letter e) above): the legal basis is Article 6, paragraph 1, letter f) of the Regulation, as the processing is necessary for the pursuit of the legitimate interests of each Data Controller.

Additional purposes of processing: marketing (as described in paragraph 4.1 above): the legal basis is Article 6, paragraph 1, letter a) of the Regulation, i.e. the provision by the data subject of consent to the processing of their personal data. For this reason, we ask the User to provide specific, free and optional consent to pursue this purpose of processing.

6. Data processing methods and storage periods – how will we process your data and for how long?

We will process Users’ personal data using manual and computerised tools, with logic strictly related to the purposes themselves and, in any case, in such a way as to guarantee the security and confidentiality of the data.

Users’ personal data will be stored with reference to the processing referred to in paragraph 3 above for the time strictly necessary to fulfil the primary purposes relating to the fulfilment of the agreements in place between the Data Controller and the User or, in any case, as necessary for the civil protection of the interests of the Data Controller and the User, as well as for the fulfilment of current legislative obligations.

In the cases referred to in paragraph 4.1 above, Users’ personal data will be stored for the time strictly necessary to fulfil the purpose described therein. Users retain the right to withdraw their consent and object to such processing, using the methods described in paragraph 8, as well as by clicking on the appropriate link at the bottom of the communications.

7. Scope of communication and dissemination of data - who will have access to the data?

Our employees and/or collaborators responsible for managing the Website may become aware of Users’ personal data. These individuals, who have been trained in this regard pursuant to Article 29 of the Regulation, will process the User’s data exclusively for the purposes indicated in this policy and in compliance with the provisions of the Applicable Regulations.

Other individuals may also become aware of Users’ personal data and may process personal data on behalf of the Data Controller as ‘Data Processors’, such as, for example, individuals responsible for managing and maintaining the Website, providers of services related to the management of requests and bookings, and providers of newsletter delivery services.

The User has the right to obtain a list of any Data Processors appointed by us by making a request in the manner indicated in paragraph 2 above.

8. Rights of data subjects – how to protect your rights?

The User may exercise the rights guaranteed by the Applicable Regulations at any time by contacting each Data Controller at the addresses indicated in paragraph 2 above.

Pursuant to Applicable Regulations, the User has:
a. the right to withdraw consent at any time, if the processing is based on consent;
b. the right to access personal data;
c. (where applicable) the right to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine-readable format), the right to restrict the processing of personal data, the right to rectification and the right to erasure (‘right to be forgotten’);
d. the right to object:
i. in whole or in part, on legitimate grounds, to the processing of personal data concerning them, even if relevant to the purpose of the collection;
ii. in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication;
e. if they believe that the processing concerning them violates the Regulation, the right to lodge a complaint with a supervisory authority (in the Member State where they habitually reside, where they work or where the alleged violation occurred). The Italian supervisory authority is the Garante per la protezione dei dati personali (Data Protection Authority), with headquarters in Piazza Venezia, n. 11, 00187 – Rome (RM) (http://www.garanteprivacy.it/).

We are not responsible for updating all links displayed in this policy; therefore, whenever a link is not working and/or updated, the User acknowledges and accepts that they must always refer to the document and/or section of the websites referred to by that link.