Privacy Policy
This Privacy Policy explains how Relais Borgo Taurino ("we", "us") collects and processes personal data of visitors to borgotaurino.it, in compliance with Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.
1. Data Controller
Relais Borgo Taurino
Via Fasol e Menin, 20 — 31049 Valdobbiadene (TV), Italy
VAT IT04269580264
Email: info@borgotaurino.it
Phone: +39 0423 188 0049
2. Categories of data processed
- Data you provide voluntarily: name, email, phone, subject and message via the contact form; email address, preferred language and consent status via the newsletter form.
- Navigation data: IP address, user agent, pages visited, referrer, access timestamp. Collected in aggregate form for technical, security and anti-abuse purposes.
- Pseudonymised analytics data: anonymous identifiers, session duration, navigation path, interaction events (CTA clicks, form submissions, etc.) — collected only with your consent via Google Analytics 4 (see § 4 and the Cookie Policy).
- Cookie consent state: categories accepted/rejected, timestamp, policy version — stored locally in your browser (localStorage cc_consent_v1).
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Responding to contact-form inquiries | Art. 6(1)(b) GDPR — pre-contractual measures |
| Newsletter dispatch | Art. 6(1)(a) GDPR — consent (single opt-in with IP + timestamp) |
| Automatic welcome email after newsletter signup | Art. 6(1)(a) GDPR — consent (included within newsletter consent) |
| Website security, abuse prevention, anti-bot (Cloudflare Turnstile) | Art. 6(1)(f) GDPR — legitimate interest |
| Anonymous measurement and analytics via Google Analytics 4 (Google Tag Manager) | Art. 6(1)(a) GDPR — consent (cookie banner opt-in) |
| Marketing and advertising profiling (Meta Pixel, Google Ads) — not active at present | Art. 6(1)(a) GDPR — consent (freshly collected upon activation) |
| Legal obligations (accounting, tax, authority requests) | Art. 6(1)(c) GDPR — legal obligation |
4. Google Consent Mode v2
We implement Google Consent Mode v2: until your explicit acceptance, no identifiers or personal data are transmitted to Google. Only after your consent do the relevant signals turn to "granted", and analytics event collection begins (and, possibly in the future, marketing). Without consent, Google may only receive aggregated anonymous pings useful for audience estimation but devoid of any personal identifier.
5. External processors
The following third parties act as Data Processors under Article 28 GDPR:
- Brevo (Sendinblue SAS) — transactional emails (staff notifications, contact confirmations, newsletter welcome emails) and newsletter contact list management. Based in Paris, France. Processing within the EEA.
- Cloudflare Inc. — hosting (Cloudflare Pages), CDN, DDoS protection, Turnstile anti-bot, DNS. Based in San Francisco, USA. Extra-EEA transfers under the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses.
- Google Ireland Ltd. — Google Tag Manager (tag orchestration) and Google Analytics 4 (aggregated, pseudonymised traffic statistics, IP anonymization enabled, Consent Mode v2). Based in Dublin, Ireland. Extra-EEA transfers to Google LLC (USA) covered by the EU-US Data Privacy Framework and Standard Contractual Clauses. Analytics data retention: 14 months.
Processors prepared for possible future activation — not active at present, activation will be preceded by a new specific consent:
- Meta Platforms Ireland Ltd. (Meta Pixel + Conversions API) — measurement of Facebook and Instagram campaigns.
- Google Ireland Ltd. (Google Ads Conversion Tracking) — measurement of Google Ads campaigns.
An up-to-date list of processors is available on request by writing to info@borgotaurino.it.
6. Profiling and segmentation
We apply a minimal segmentation of newsletter contacts through a TAG attribute combining origin and site language (e.g. "Sito Borgo Taurino EN"). This segmentation is used exclusively to send the newsletter in the correct language and does not entail any individual behavioural profiling.
7. Retention
- Contact-form data: 24 months from the last exchange, unless longer retention is required by law.
- Newsletter subscription: until consent is withdrawn (unsubscribe).
- Cookie consent state (localStorage): 6 months, refreshed on every change.
- Technical navigation logs: up to 30 days for security purposes, then deleted or anonymised.
- Google Analytics 4 data: 14 months.
8. Your rights
At any time you may exercise the rights under Articles 15-22 GDPR:
- access to your data,
- rectification,
- erasure ("right to be forgotten"),
- restriction of processing,
- data portability,
- objection,
- withdrawal of consent at any time.
To exercise them please write to info@borgotaurino.it. To unsubscribe from the newsletter you can also click "Unsubscribe" at the bottom of every email we send.
You also have the right to lodge a complaint with the Italian Data Protection Authority.
9. Extra-EEA transfers
Extra-EEA transfers to the United States (primarily to Cloudflare and Google) are performed under the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) and subordinately under the Standard Contractual Clauses approved by the European Commission (Decision 2021/914/EU), with supplementary measures where required.
10. Minors
This website is not intended for children under 16. We do not knowingly collect personal data from minors without parental or guardian consent.
11. Changes
We reserve the right to update this Policy to reflect legal or organisational changes, in particular when new marketing tools are activated (Meta Pixel, Google Ads). The date of the latest update is shown at the top of this page. Material changes will be communicated via a homepage banner or an email to newsletter subscribers.