top of page
Artboard 1_300x.png

book now

Privacy Policy

Dear User,

MANDRALIVING s.r.l. considers the protection of its users' personal data — both existing and potential — to be of fundamental importance. We collect personal data about our guests and visitors through various channels, such as the website, mobile application, social media, and directly at our properties, in order to offer an experience tailored to the needs of our guests and visitors.

With this document (the "Policy"), we wish to reaffirm our commitment to ensuring that the processing of personal data collected through your use of our platform is carried out in full compliance with the rights and protections recognised by EU Regulation 2016/679 ("GDPR" or "Regulation") and other applicable data protection legislation ("Privacy Law"), including Legislative Decree 196/2003 as amended ("Privacy Code"), as harmonised with Legislative Decree 101/2018.

DEFINITIONS

For the purposes of this Policy, the following terms shall have the meanings set out below:

Database: any organised collection of Personal Data, distributed across one or more units located at one or more sites of Systems & Automation and its subsidiaries and affiliated companies.

Client: a natural person, legal entity, public authority, or any other body, association or organisation that has entered into a contract with the Company.

Communication: making Personal Data known to one or more specific parties other than the Data Subject, the Controller's representative in the territory of the State, the Processor, or authorised persons, in any form, including by making it available or accessible for consultation.

Consent: any freely given, specific, informed, and unambiguous expression of the Data Subject's wishes, by which they signify agreement — through a statement or a clear affirmative action — that Personal Data relating to them may be processed.

Personal Data: as defined in Article 4(1) of the Regulation, meaning "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Authorised Person: a natural person authorised to carry out processing operations by the Controller or the Processor.

Data Subject: the natural person to whom the Personal Data relates.

Pseudonymisation: the processing of Personal Data in such a manner that it can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the Personal Data is not attributed to an identified or identifiable natural person.

Processor: a natural person, legal entity, public authority, or any other body, association or organisation appointed by the Controller to process Personal Data.

Controller: a natural person, legal entity, public authority, or any other body, association or organisation that, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including security-related aspects.

Processing: any operation or set of operations performed, whether or not by automated means, on Personal Data, including collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure, and destruction, even if the data is not held in a Database.

 

This Policy — drafted in accordance with the principle of transparency and inclusive of all elements required by Article 13 of the Regulation — aims to describe how the website https://casa-pier.com (the "Site") is managed with regard to the processing of Personal Data of users and visitors.

We will also provide you, in a clear and straightforward manner, with all the information necessary for you to share your Personal Data in an informed and conscious way, and to exercise your rights under the GDPR at any time. Providing browsing data is necessary to access the Site. The Controller does not engage in any automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR.

In connection with browsing the Site, interacting with its features, and staying at our properties, the Controller may process the following categories of Personal Data, depending on the collection channel:

Browsing data: The IT systems and software procedures used to operate the Site automatically acquire, in the course of their normal operation, certain personal data whose transmission is inherent in the use of internet communication protocols (e.g. IP addresses, browser type, operating system, access time, pages visited).

Data voluntarily provided by the Data Subject: This refers to data sent spontaneously by the user via email to the addresses listed on the Site, or by submitting a CV for open job positions. Such data may include identification details (first name, surname), contact details (email, phone number), and any other information included in the communication or CV. During your experience with us, we may also collect other types of personal data in accordance with applicable law, including:

  • Identification data: first name, surname, passport, visa or other government-issued identity documents, tax identification number, membership or loyalty programme data.

  • Demographic data: place and date of birth, gender, nationality, language preference.

  • Contact data: home or work postal address, personal and work email addresses, telephone numbers (home/work/mobile) and fax.

  • Family data: information about family members and travelling companions, such as names and ages of children.

  • Financial and travel data: credit or debit card numbers or other payment details, financial information in limited circumstances, travel itinerary, data relating to tour groups or activities.

  • Social media data: social media account IDs, profile photos and other publicly available data, or data made available by linking your social accounts.

  • Lifestyle data: guest preferences and personalised data, such as previous stays or interactions, goods and services purchased, interests, activities, hobbies, food and beverage preferences, services and amenities communicated by the guest or learned during the stay.

  • Health data: where required for participation in certain activities, use of services, and special service or facility requests.

During check-in and the stay, the Controller collects the following personal data:

  • Identification and document data: identity card, passport or other identity document, the collection of which is mandatory pursuant to Article 109 of the Consolidated Law on Public Safety (T.U.L.P.S., Royal Decree 773/1931). Failure to provide this document prevents check-in.

  • Payment data: credit/debit card numbers and other information required for processing payments and security deposits.

  • Stay-related data: preferences, special requests, data regarding services used during the stay.

  • Health data: only where strictly necessary to fulfil specific guest requests (e.g. dietary intolerances, accessibility needs). The processing of such data is based on the Data Subject's explicit consent (Article 9(2)(a) of the GDPR), which may be withdrawn at any time.

Cookies and other tracking technologies: For further details on the use of cookies, please refer to our Cookie Policy — the link to the Cookie Policy is available on the homepage.

The company that will process your Personal Data for the purposes described in this Policy, and which therefore acts as the data controller — meaning "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" — is MANDRALIVING s.r.l., with registered office in Rome, Via Umberto Tupini n. 116 (VAT No. and Tax Code: 16672371008 — PEC: mandraliving@legalmail.it — Email: officemanager@mandraliving.com) (the "Controller").

Given the characteristics of the company and the processing activities carried out (both in terms of type and limited volume, not meeting the threshold of "large-scale" processing), it has been deemed unnecessary to appoint a Data Protection Officer.

PARTIES TO WHOM YOUR PERSONAL DATA MAY BE DISCLOSED

Your Personal Data may be handled, on behalf of the Controller, exclusively by personnel expressly authorised to process it (pursuant to Article 29 of the Regulation and Article 2-quaterdecies of the Privacy Code), and by third parties expressly appointed as data processors (pursuant to Article 28 of the Regulation), for the purpose of properly carrying out all processing activities necessary to pursue the purposes described in this Policy.

By way of example, the following are some categories of parties to whom your Personal Data may be disclosed:

  • the Controller's commercial partners who provide services, acting as data processors or independent controllers, for the purposes referred to in Article 6(1)(b) of the Regulation;

  • third-party service and consultancy providers, acting as data processors or independent controllers, for the purposes referred to in Article 6(1)(b) of the Regulation;

  • parties and authorities whose right of access to Personal Data is expressly recognised by law, regulations, or orders issued by competent authorities;

  • parties acquiring a business or business unit, and companies resulting from potential mergers, demergers, or other corporate restructurings involving the Controller.

  • Online booking and intermediary platforms: The Controller uses online booking platforms (such as Booking.com, Airbnb, Expedia, etc.) which act as independent data controllers for data collected through their portals. Please refer to the privacy policy of each platform for the relevant information.

  • Public security authorities: In fulfilment of the obligation under Article 109 of the T.U.L.P.S., guests' identification data is reported to the competent local police authority.

If you would like to know which parties have received your Personal Data as a result of your relationship with the Controller, you may contact the Controller at the email address indicated in paragraph 7 below.

PERSONAL DATA RETENTION PERIODS

Your Personal Data will be processed by the Controller within the territory of the European Union.

Should your Personal Data need to be transferred to or stored in countries outside the European Union for technical or operational reasons, please be aware that parties located outside the EU will be appointed (where the conditions are met) as Data Processors pursuant to Article 28 of the Regulation.

Any transfer of your Personal Data to such parties, limited to specific processing activities, will be governed in accordance with Chapter V of the Regulation.

All necessary safeguards will be adopted to ensure the fullest protection of your Personal Data, based on: (a) adequacy decisions regarding the recipient third countries issued by the European Commission; (b) adequate guarantees provided by the recipient third party pursuant to Article 46 of the Regulation; (c) binding corporate rules; (d) standard contractual clauses approved by the European Commission.

You may at any time request further details from the Controller should your Personal Data have been processed outside the European Union, including evidence of the specific safeguards adopted.

PRIVACY & POLICY  pursuant to Article 13 of EU Regulation 2016/679

pursuant to Article 13 of EU Regulation 2016/679

THE DATA CONTROLLER

PURPOSES AND LEGAL BASIS FOR PROCESSING

During your use of the Site, Personal Data may be processed for the following purposes and on the corresponding legal bases.

a) Improving the browsing experience and monitoring the correct functioning of the Site

The IT systems and software procedures used to operate the Site automatically acquire, in the course of their normal operation, certain personal data whose transmission is inherent in the use of internet communication protocols.

This category includes, by way of example: IP addresses, browser type, operating system, domain names and URLs of websites accessed or exited from, information on pages visited within the Site, access time, time spent on individual pages, internal navigation paths, and other parameters relating to the user's operating system and IT environment.

Such technical data is collected and used exclusively in an aggregate and non-identifying manner, and may be used to establish liability in the event of hypothetical cybercrimes against the Site.

The legal basis for this processing is the Controller's legitimate interest in the optimal functioning of its systems, optimising and improving the browsing experience, preventing fraudulent activity, and enhancing Site security (Article 6(1)(f) of the Regulation).

b) Establishing, exercising, or defending a right of the Controller in judicial and/or out-of-court proceedings

The legal basis for exercising or defending a right of the Controller is legitimate interest, as provided for under Article 6(1)(f) of the GDPR.

c) Processing data of potential candidates for open job positions

Your data will be used by the Controller to:

  • manage and evaluate your profile for the purpose of recruiting and selecting candidates to join the Controller's organisational structure;

  • send the candidate communications through various means (i.e. telephone, mobile phone, email) as part of the recruitment and selection process;

  • handle any further requirements related to the selection process.

Providing the requested data is necessary for the selection process to proceed; therefore, failure to provide it, or providing it partially or inaccurately, will objectively prevent the Controller from considering your application and properly conducting the recruitment process.

The legal basis for this processing is the performance of pre-contractual measures taken at the Data Subject's request, pursuant to Article 6(1)(b) of the GDPR and Article 111-bis of Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

d) Proper performance of the contract

Your data will be used by the Controller to provide the requested services, including:

  • Management of bookings and reservations for accommodation and related services; pre-arrival communications (logistics, changes, preferences); processing of payments and security deposits.

  • Check-in and check-out; concierge, luggage storage, and parking services; coordination with third-party suppliers (tours, excursions, taxis, transfers, restaurant and event bookings); Wi-Fi, TV and other connectivity services; in-room dining; cleaning and laundry services; handling of complaints and requests; age verification for restricted goods and services.

  • Organisation of conferences and events; pre-event communications; catering coordination; invoicing and payment management; credit verification; assistance to attendees.

  • Booking of services and facilities; eligibility assessment for services; compliance with health and disability restrictions; coordination with professionals for specific treatments.

The legal basis for this processing is the necessity to perform a contract, as provided for under Article 6(1)(b) of the GDPR.

e) Compliance with legal obligations

Your data will also be used by the Controller to fulfil specific legal obligations, including:

  • Reporting guest details to the competent local police authority within 24 hours of arrival, pursuant to Article 109 of the T.U.L.P.S. (Royal Decree of 18 June 1931, no. 773). Providing an identity document is required by law; failure to do so prevents check-in.

  • Managing invoicing and maintaining mandatory accounting records.

The legal basis for this processing is the necessity to comply with a legal obligation, as provided for under Article 6(1)(c) of the GDPR.

f) Sending commercial and marketing communications (optional)

Subject to your separate and specific consent, the Controller may process your contact details to send promotional communications, special offers, and newsletters relating to the property's services.

The legal basis is the Data Subject's consent pursuant to Article 6(1)(a) of the GDPR. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

In accordance with the principle of storage limitation (Article 5(1)(e) of the Regulation), your Personal Data will be processed by the Controller only for as long as necessary to fulfil the purposes described in this Policy.

In particular, your Personal Data will be retained as follows:

  • For the purposes in paragraph a): for the time necessary to provide the services on the Site.

  • For the purposes in paragraph b): for the time strictly necessary to exercise or defend a right in judicial or out-of-court proceedings, and in any event no longer than the applicable limitation period.

  • For the purposes in paragraph c): for the duration of the selection process and, upon its conclusion: (i) if your application is accepted, the personal data collected during the hiring process will be transferred to your employee file and retained during and after the employment relationship in accordance with our data retention policy; (ii) if your application is not accepted, we may retain your personal data and CV for a maximum period of one (1) year after the conclusion of the relevant selection process, in order to consider your profile for future job opportunities. After that period, the data will in any case be deleted or destroyed.

  • For the purposes in paragraph d) (performance of contract): for a period of 10 years from the termination of the contractual relationship, in line with the ordinary limitation period. For the purposes in paragraph e) (compliance with legal obligations — reporting under Article 109 T.U.L.P.S. and tax documentation): for 10 years, in accordance with Article 2220 of the Civil Code and the obligations governing the retention of accounting records.

  • For data processed on the basis of consent (e.g. health data for special requests, marketing communications): until consent is withdrawn and, thereafter, for the time necessary to handle any disputes.

Upon expiry of the above retention periods, Personal Data will be destroyed, erased, or anonymised, in accordance with technical deletion and backup procedures and the Controller's accountability requirements.

In any case, your Personal Data will be subject to a periodic review, no less frequently than every 12 months, to assess its continued relevance to the Controller's activities; if your Personal Data is no longer relevant, it will be deleted immediately.

LOCATIONS OF PROCESSING

INFORMATION SECURITY

All information collected on this Site is stored and maintained in secure facilities with access restricted exclusively to authorised personnel. The website https://casa-pier.com is regularly monitored for potential security breaches and to ensure that collected information is protected from unauthorised access.

MANDRALIVING s.r.l. complies with the security measures required by applicable laws and regulations, and with all appropriate measures in accordance with current best practices, in order to safeguard the confidentiality of users' Personal Data and minimise, as far as possible, the risks of unauthorised access, removal, loss, or damage to users' Personal Data.

DATA SUBJECTS' RIGHTS AND HOW TO EXERCISE THEM

You may exercise your rights under Articles 15 et seq. of the Regulation against the Controller at any time. In particular, you have the right to obtain:

  • confirmation as to whether or not your Personal Data is being processed, and access to the data and the following information: the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the data has been or will be disclosed, and the relevant retention period;

  • rectification of inaccurate Personal Data and/or completion of incomplete Personal Data, including by providing a supplementary statement;

  • erasure of your Personal Data and restriction of processing in the cases provided for by the GDPR and applicable privacy legislation;

  • where applicable, portability of your Personal Data and, in particular, the possibility of requesting the direct transfer of your Personal Data to another controller;

  • objection, at any time, on grounds relating to your particular situation, to the processing of your Personal Data, in full compliance with applicable privacy legislation;

  • withdrawal of consent at any time, where processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise your rights, you may contact the Controller at the following email address, attaching a copy of your identity document: officemanager@mandraliving.com

In any case, if you believe that the processing of your Personal Data is contrary to applicable Privacy Law, you always have the right to lodge a complaint with the competent supervisory authority (the Italian Data Protection Authority — Garante per la Protezione dei Dati Personali) pursuant to Article 77 of the GDPR.

Last updated: June 2026

DEFINITIONS

THE DATA CONTROLLER

PURPOSES AND LEGAL BASIS FOR PROCESSING

PARTIES TO WHOM YOUR PERSONAL DATA MAY BE DISCLOSED

PERSONAL DATA RETENTION PERIODS

LOCATIONS OF PROCESSING

INFORMATION SECURITY

DATA SUBJECTS' RIGHTS AND HOW TO EXERCISE THEM

Dear User,

MANDRALIVING s.r.l. considers the protection of its users' personal data — both existing and potential — to be of fundamental importance. We collect personal data about our guests and visitors through various channels, such as the website, mobile application, social media, and directly at our properties, in order to offer an experience tailored to the needs of our guests and visitors.

With this document (the "Policy"), we wish to reaffirm our commitment to ensuring that the processing of personal data collected through your use of our platform is carried out in full compliance with the rights and protections recognised by EU Regulation 2016/679 ("GDPR" or "Regulation") and other applicable data protection legislation ("Privacy Law"), including Legislative Decree 196/2003 as amended ("Privacy Code"), as harmonised with Legislative Decree 101/2018.

For the purposes of this Policy, the following terms shall have the meanings set out below:

Database: any organised collection of Personal Data, distributed across one or more units located at one or more sites of Systems & Automation and its subsidiaries and affiliated companies.

Client: a natural person, legal entity, public authority, or any other body, association or organisation that has entered into a contract with the Company.

Communication: making Personal Data known to one or more specific parties other than the Data Subject, the Controller's representative in the territory of the State, the Processor, or authorised persons, in any form, including by making it available or accessible for consultation.

Consent: any freely given, specific, informed, and unambiguous expression of the Data Subject's wishes, by which they signify agreement — through a statement or a clear affirmative action — that Personal Data relating to them may be processed.

Personal Data: as defined in Article 4(1) of the Regulation, meaning "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Authorised Person: a natural person authorised to carry out processing operations by the Controller or the Processor.

Data Subject: the natural person to whom the Personal Data relates.

Pseudonymisation: the processing of Personal Data in such a manner that it can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the Personal Data is not attributed to an identified or identifiable natural person.

Processor: a natural person, legal entity, public authority, or any other body, association or organisation appointed by the Controller to process Personal Data.

Controller: a natural person, legal entity, public authority, or any other body, association or organisation that, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including security-related aspects.

Processing: any operation or set of operations performed, whether or not by automated means, on Personal Data, including collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure, and destruction, even if the data is not held in a Database.

 

This Policy — drafted in accordance with the principle of transparency and inclusive of all elements required by Article 13 of the Regulation — aims to describe how the website https://casa-pier.com (the "Site") is managed with regard to the processing of Personal Data of users and visitors.

We will also provide you, in a clear and straightforward manner, with all the information necessary for you to share your Personal Data in an informed and conscious way, and to exercise your rights under the GDPR at any time. Providing browsing data is necessary to access the Site. The Controller does not engage in any automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR.

In connection with browsing the Site, interacting with its features, and staying at our properties, the Controller may process the following categories of Personal Data, depending on the collection channel:

Browsing data: The IT systems and software procedures used to operate the Site automatically acquire, in the course of their normal operation, certain personal data whose transmission is inherent in the use of internet communication protocols (e.g. IP addresses, browser type, operating system, access time, pages visited).

Data voluntarily provided by the Data Subject: This refers to data sent spontaneously by the user via email to the addresses listed on the Site, or by submitting a CV for open job positions. Such data may include identification details (first name, surname), contact details (email, phone number), and any other information included in the communication or CV. During your experience with us, we may also collect other types of personal data in accordance with applicable law, including:

  • Identification data: first name, surname, passport, visa or other government-issued identity documents, tax identification number, membership or loyalty programme data.

  • Demographic data: place and date of birth, gender, nationality, language preference.

  • Contact data: home or work postal address, personal and work email addresses, telephone numbers (home/work/mobile) and fax.

  • Family data: information about family members and travelling companions, such as names and ages of children.

  • Financial and travel data: credit or debit card numbers or other payment details, financial information in limited circumstances, travel itinerary, data relating to tour groups or activities.

  • Social media data: social media account IDs, profile photos and other publicly available data, or data made available by linking your social accounts.

  • Lifestyle data: guest preferences and personalised data, such as previous stays or interactions, goods and services purchased, interests, activities, hobbies, food and beverage preferences, services and amenities communicated by the guest or learned during the stay.

  • Health data: where required for participation in certain activities, use of services, and special service or facility requests.

During check-in and the stay, the Controller collects the following personal data:

  • Identification and document data: identity card, passport or other identity document, the collection of which is mandatory pursuant to Article 109 of the Consolidated Law on Public Safety (T.U.L.P.S., Royal Decree 773/1931). Failure to provide this document prevents check-in.

  • Payment data: credit/debit card numbers and other information required for processing payments and security deposits.

  • Stay-related data: preferences, special requests, data regarding services used during the stay.

  • Health data: only where strictly necessary to fulfil specific guest requests (e.g. dietary intolerances, accessibility needs). The processing of such data is based on the Data Subject's explicit consent (Article 9(2)(a) of the GDPR), which may be withdrawn at any time.

Cookies and other tracking technologies: For further details on the use of cookies, please refer to our Cookie Policy — the link to the Cookie Policy is available on the homepage.

The company that will process your Personal Data for the purposes described in this Policy, and which therefore acts as the data controller — meaning "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" — is MANDRALIVING s.r.l., with registered office in Rome, Via Umberto Tupini n. 116 (VAT No. and Tax Code: 16672371008 — PEC: mandraliving@legalmail.it — Email: officemanager@mandraliving.com) (the "Controller").

Given the characteristics of the company and the processing activities carried out (both in terms of type and limited volume, not meeting the threshold of "large-scale" processing), it has been deemed unnecessary to appoint a Data Protection Officer.

During your use of the Site, Personal Data may be processed for the following purposes and on the corresponding legal bases.

a) Improving the browsing experience and monitoring the correct functioning of the Site

The IT systems and software procedures used to operate the Site automatically acquire, in the course of their normal operation, certain personal data whose transmission is inherent in the use of internet communication protocols.

This category includes, by way of example: IP addresses, browser type, operating system, domain names and URLs of websites accessed or exited from, information on pages visited within the Site, access time, time spent on individual pages, internal navigation paths, and other parameters relating to the user's operating system and IT environment.

Such technical data is collected and used exclusively in an aggregate and non-identifying manner, and may be used to establish liability in the event of hypothetical cybercrimes against the Site.

The legal basis for this processing is the Controller's legitimate interest in the optimal functioning of its systems, optimising and improving the browsing experience, preventing fraudulent activity, and enhancing Site security (Article 6(1)(f) of the Regulation).

b) Establishing, exercising, or defending a right of the Controller in judicial and/or out-of-court proceedings

The legal basis for exercising or defending a right of the Controller is legitimate interest, as provided for under Article 6(1)(f) of the GDPR.

c) Processing data of potential candidates for open job positions

Your data will be used by the Controller to:

  • manage and evaluate your profile for the purpose of recruiting and selecting candidates to join the Controller's organisational structure;

  • send the candidate communications through various means (i.e. telephone, mobile phone, email) as part of the recruitment and selection process;

  • handle any further requirements related to the selection process.

Providing the requested data is necessary for the selection process to proceed; therefore, failure to provide it, or providing it partially or inaccurately, will objectively prevent the Controller from considering your application and properly conducting the recruitment process.

The legal basis for this processing is the performance of pre-contractual measures taken at the Data Subject's request, pursuant to Article 6(1)(b) of the GDPR and Article 111-bis of Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

d) Proper performance of the contract

Your data will be used by the Controller to provide the requested services, including:

  • Management of bookings and reservations for accommodation and related services; pre-arrival communications (logistics, changes, preferences); processing of payments and security deposits.

  • Check-in and check-out; concierge, luggage storage, and parking services; coordination with third-party suppliers (tours, excursions, taxis, transfers, restaurant and event bookings); Wi-Fi, TV and other connectivity services; in-room dining; cleaning and laundry services; handling of complaints and requests; age verification for restricted goods and services.

  • Organisation of conferences and events; pre-event communications; catering coordination; invoicing and payment management; credit verification; assistance to attendees.

  • Booking of services and facilities; eligibility assessment for services; compliance with health and disability restrictions; coordination with professionals for specific treatments.

The legal basis for this processing is the necessity to perform a contract, as provided for under Article 6(1)(b) of the GDPR.

e) Compliance with legal obligations

Your data will also be used by the Controller to fulfil specific legal obligations, including:

  • Reporting guest details to the competent local police authority within 24 hours of arrival, pursuant to Article 109 of the T.U.L.P.S. (Royal Decree of 18 June 1931, no. 773). Providing an identity document is required by law; failure to do so prevents check-in.

  • Managing invoicing and maintaining mandatory accounting records.

The legal basis for this processing is the necessity to comply with a legal obligation, as provided for under Article 6(1)(c) of the GDPR.

f) Sending commercial and marketing communications (optional)

Subject to your separate and specific consent, the Controller may process your contact details to send promotional communications, special offers, and newsletters relating to the property's services.

The legal basis is the Data Subject's consent pursuant to Article 6(1)(a) of the GDPR. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Your Personal Data may be handled, on behalf of the Controller, exclusively by personnel expressly authorised to process it (pursuant to Article 29 of the Regulation and Article 2-quaterdecies of the Privacy Code), and by third parties expressly appointed as data processors (pursuant to Article 28 of the Regulation), for the purpose of properly carrying out all processing activities necessary to pursue the purposes described in this Policy.

By way of example, the following are some categories of parties to whom your Personal Data may be disclosed:

  • the Controller's commercial partners who provide services, acting as data processors or independent controllers, for the purposes referred to in Article 6(1)(b) of the Regulation;

  • third-party service and consultancy providers, acting as data processors or independent controllers, for the purposes referred to in Article 6(1)(b) of the Regulation;

  • parties and authorities whose right of access to Personal Data is expressly recognised by law, regulations, or orders issued by competent authorities;

  • parties acquiring a business or business unit, and companies resulting from potential mergers, demergers, or other corporate restructurings involving the Controller.

  • Online booking and intermediary platforms: The Controller uses online booking platforms (such as Booking.com, Airbnb, Expedia, etc.) which act as independent data controllers for data collected through their portals. Please refer to the privacy policy of each platform for the relevant information.

  • Public security authorities: In fulfilment of the obligation under Article 109 of the T.U.L.P.S., guests' identification data is reported to the competent local police authority.

If you would like to know which parties have received your Personal Data as a result of your relationship with the Controller, you may contact the Controller at the email address indicated in paragraph 7 below.

In accordance with the principle of storage limitation (Article 5(1)(e) of the Regulation), your Personal Data will be processed by the Controller only for as long as necessary to fulfil the purposes described in this Policy.

In particular, your Personal Data will be retained as follows:

  • For the purposes in paragraph a): for the time necessary to provide the services on the Site.

  • For the purposes in paragraph b): for the time strictly necessary to exercise or defend a right in judicial or out-of-court proceedings, and in any event no longer than the applicable limitation period.

  • For the purposes in paragraph c): for the duration of the selection process and, upon its conclusion: (i) if your application is accepted, the personal data collected during the hiring process will be transferred to your employee file and retained during and after the employment relationship in accordance with our data retention policy; (ii) if your application is not accepted, we may retain your personal data and CV for a maximum period of one (1) year after the conclusion of the relevant selection process, in order to consider your profile for future job opportunities. After that period, the data will in any case be deleted or destroyed.

  • For the purposes in paragraph d) (performance of contract): for a period of 10 years from the termination of the contractual relationship, in line with the ordinary limitation period. For the purposes in paragraph e) (compliance with legal obligations — reporting under Article 109 T.U.L.P.S. and tax documentation): for 10 years, in accordance with Article 2220 of the Civil Code and the obligations governing the retention of accounting records.

  • For data processed on the basis of consent (e.g. health data for special requests, marketing communications): until consent is withdrawn and, thereafter, for the time necessary to handle any disputes.

Upon expiry of the above retention periods, Personal Data will be destroyed, erased, or anonymised, in accordance with technical deletion and backup procedures and the Controller's accountability requirements.

In any case, your Personal Data will be subject to a periodic review, no less frequently than every 12 months, to assess its continued relevance to the Controller's activities; if your Personal Data is no longer relevant, it will be deleted immediately.

Your Personal Data will be processed by the Controller within the territory of the European Union.

Should your Personal Data need to be transferred to or stored in countries outside the European Union for technical or operational reasons, please be aware that parties located outside the EU will be appointed (where the conditions are met) as Data Processors pursuant to Article 28 of the Regulation.

Any transfer of your Personal Data to such parties, limited to specific processing activities, will be governed in accordance with Chapter V of the Regulation.

All necessary safeguards will be adopted to ensure the fullest protection of your Personal Data, based on: (a) adequacy decisions regarding the recipient third countries issued by the European Commission; (b) adequate guarantees provided by the recipient third party pursuant to Article 46 of the Regulation; (c) binding corporate rules; (d) standard contractual clauses approved by the European Commission.

You may at any time request further details from the Controller should your Personal Data have been processed outside the European Union, including evidence of the specific safeguards adopted.

All information collected on this Site is stored and maintained in secure facilities with access restricted exclusively to authorised personnel. The website https://casa-pier.com is regularly monitored for potential security breaches and to ensure that collected information is protected from unauthorised access.

MANDRALIVING s.r.l. complies with the security measures required by applicable laws and regulations, and with all appropriate measures in accordance with current best practices, in order to safeguard the confidentiality of users' Personal Data and minimise, as far as possible, the risks of unauthorised access, removal, loss, or damage to users' Personal Data.

You may exercise your rights under Articles 15 et seq. of the Regulation against the Controller at any time. In particular, you have the right to obtain:

  • confirmation as to whether or not your Personal Data is being processed, and access to the data and the following information: the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the data has been or will be disclosed, and the relevant retention period;

  • rectification of inaccurate Personal Data and/or completion of incomplete Personal Data, including by providing a supplementary statement;

  • erasure of your Personal Data and restriction of processing in the cases provided for by the GDPR and applicable privacy legislation;

  • where applicable, portability of your Personal Data and, in particular, the possibility of requesting the direct transfer of your Personal Data to another controller;

  • objection, at any time, on grounds relating to your particular situation, to the processing of your Personal Data, in full compliance with applicable privacy legislation;

  • withdrawal of consent at any time, where processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise your rights, you may contact the Controller at the following email address, attaching a copy of your identity document: officemanager@mandraliving.com

In any case, if you believe that the processing of your Personal Data is contrary to applicable Privacy Law, you always have the right to lodge a complaint with the competent supervisory authority (the Italian Data Protection Authority — Garante per la Protezione dei Dati Personali) pursuant to Article 77 of the GDPR.

Last updated: June 2026

Dear User,

MANDRALIVING s.r.l. considers the protection of its users' personal data — both existing and potential — to be of fundamental importance. We collect personal data about our guests and visitors through various channels, such as the website, mobile application, social media, and directly at our properties, in order to offer an experience tailored to the needs of our guests and visitors.

With this document (the "Policy"), we wish to reaffirm our commitment to ensuring that the processing of personal data collected through your use of our platform is carried out in full compliance with the rights and protections recognised by EU Regulation 2016/679 ("GDPR" or "Regulation") and other applicable data protection legislation ("Privacy Law"), including Legislative Decree 196/2003 as amended ("Privacy Code"), as harmonised with Legislative Decree 101/2018.

pursuant to Article 13 of EU Regulation 2016/679

PRIVACY POLICY
 

For the purposes of this Policy, the following terms shall have the meanings set out below:

Database: any organised collection of Personal Data, distributed across one or more units located at one or more sites of Systems & Automation and its subsidiaries and affiliated companies.

Client: a natural person, legal entity, public authority, or any other body, association or organisation that has entered into a contract with the Company.

Communication: making Personal Data known to one or more specific parties other than the Data Subject, the Controller's representative in the territory of the State, the Processor, or authorised persons, in any form, including by making it available or accessible for consultation.

Consent: any freely given, specific, informed, and unambiguous expression of the Data Subject's wishes, by which they signify agreement — through a statement or a clear affirmative action — that Personal Data relating to them may be processed.

Personal Data: as defined in Article 4(1) of the Regulation, meaning "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Authorised Person: a natural person authorised to carry out processing operations by the Controller or the Processor.

Data Subject: the natural person to whom the Personal Data relates.

Pseudonymisation: the processing of Personal Data in such a manner that it can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the Personal Data is not attributed to an identified or identifiable natural person.

Processor: a natural person, legal entity, public authority, or any other body, association or organisation appointed by the Controller to process Personal Data.

Controller: a natural person, legal entity, public authority, or any other body, association or organisation that, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including security-related aspects.

Processing: any operation or set of operations performed, whether or not by automated means, on Personal Data, including collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure, and destruction, even if the data is not held in a Database.

 

This Policy — drafted in accordance with the principle of transparency and inclusive of all elements required by Article 13 of the Regulation — aims to describe how the website https://casa-pier.com (the "Site") is managed with regard to the processing of Personal Data of users and visitors.

We will also provide you, in a clear and straightforward manner, with all the information necessary for you to share your Personal Data in an informed and conscious way, and to exercise your rights under the GDPR at any time. Providing browsing data is necessary to access the Site. The Controller does not engage in any automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR.

In connection with browsing the Site, interacting with its features, and staying at our properties, the Controller may process the following categories of Personal Data, depending on the collection channel:

Browsing data: The IT systems and software procedures used to operate the Site automatically acquire, in the course of their normal operation, certain personal data whose transmission is inherent in the use of internet communication protocols (e.g. IP addresses, browser type, operating system, access time, pages visited).

Data voluntarily provided by the Data Subject: This refers to data sent spontaneously by the user via email to the addresses listed on the Site, or by submitting a CV for open job positions. Such data may include identification details (first name, surname), contact details (email, phone number), and any other information included in the communication or CV. During your experience with us, we may also collect other types of personal data in accordance with applicable law, including:

  • Identification data: first name, surname, passport, visa or other government-issued identity documents, tax identification number, membership or loyalty programme data.

  • Demographic data: place and date of birth, gender, nationality, language preference.

  • Contact data: home or work postal address, personal and work email addresses, telephone numbers (home/work/mobile) and fax.

  • Family data: information about family members and travelling companions, such as names and ages of children.

  • Financial and travel data: credit or debit card numbers or other payment details, financial information in limited circumstances, travel itinerary, data relating to tour groups or activities.

  • Social media data: social media account IDs, profile photos and other publicly available data, or data made available by linking your social accounts.

  • Lifestyle data: guest preferences and personalised data, such as previous stays or interactions, goods and services purchased, interests, activities, hobbies, food and beverage preferences, services and amenities communicated by the guest or learned during the stay.

  • Health data: where required for participation in certain activities, use of services, and special service or facility requests.

During check-in and the stay, the Controller collects the following personal data:

  • Identification and document data: identity card, passport or other identity document, the collection of which is mandatory pursuant to Article 109 of the Consolidated Law on Public Safety (T.U.L.P.S., Royal Decree 773/1931). Failure to provide this document prevents check-in.

  • Payment data: credit/debit card numbers and other information required for processing payments and security deposits.

  • Stay-related data: preferences, special requests, data regarding services used during the stay.

  • Health data: only where strictly necessary to fulfil specific guest requests (e.g. dietary intolerances, accessibility needs). The processing of such data is based on the Data Subject's explicit consent (Article 9(2)(a) of the GDPR), which may be withdrawn at any time.

Cookies and other tracking technologies: For further details on the use of cookies, please refer to our Cookie Policy — the link to the Cookie Policy is available on the homepage.

DEFINITIONS

The company that will process your Personal Data for the purposes described in this Policy, and which therefore acts as the data controller — meaning "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" — is MANDRALIVING s.r.l., with registered office in Rome, Via Umberto Tupini n. 116 (VAT No. and Tax Code: 16672371008 — PEC: mandraliving@legalmail.it — Email: officemanager@mandraliving.com) (the "Controller").

Given the characteristics of the company and the processing activities carried out (both in terms of type and limited volume, not meeting the threshold of "large-scale" processing), it has been deemed unnecessary to appoint a Data Protection Officer.

THE DATA CONTROLLER

During your use of the Site, Personal Data may be processed for the following purposes and on the corresponding legal bases.

a) Improving the browsing experience and monitoring the correct functioning of the Site

The IT systems and software procedures used to operate the Site automatically acquire, in the course of their normal operation, certain personal data whose transmission is inherent in the use of internet communication protocols.

This category includes, by way of example: IP addresses, browser type, operating system, domain names and URLs of websites accessed or exited from, information on pages visited within the Site, access time, time spent on individual pages, internal navigation paths, and other parameters relating to the user's operating system and IT environment.

Such technical data is collected and used exclusively in an aggregate and non-identifying manner, and may be used to establish liability in the event of hypothetical cybercrimes against the Site.

The legal basis for this processing is the Controller's legitimate interest in the optimal functioning of its systems, optimising and improving the browsing experience, preventing fraudulent activity, and enhancing Site security (Article 6(1)(f) of the Regulation).

b) Establishing, exercising, or defending a right of the Controller in judicial and/or out-of-court proceedings

The legal basis for exercising or defending a right of the Controller is legitimate interest, as provided for under Article 6(1)(f) of the GDPR.

c) Processing data of potential candidates for open job positions

Your data will be used by the Controller to:

  • manage and evaluate your profile for the purpose of recruiting and selecting candidates to join the Controller's organisational structure;

  • send the candidate communications through various means (i.e. telephone, mobile phone, email) as part of the recruitment and selection process;

  • handle any further requirements related to the selection process.

Providing the requested data is necessary for the selection process to proceed; therefore, failure to provide it, or providing it partially or inaccurately, will objectively prevent the Controller from considering your application and properly conducting the recruitment process.

The legal basis for this processing is the performance of pre-contractual measures taken at the Data Subject's request, pursuant to Article 6(1)(b) of the GDPR and Article 111-bis of Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

d) Proper performance of the contract

Your data will be used by the Controller to provide the requested services, including:

  • Management of bookings and reservations for accommodation and related services; pre-arrival communications (logistics, changes, preferences); processing of payments and security deposits.

  • Check-in and check-out; concierge, luggage storage, and parking services; coordination with third-party suppliers (tours, excursions, taxis, transfers, restaurant and event bookings); Wi-Fi, TV and other connectivity services; in-room dining; cleaning and laundry services; handling of complaints and requests; age verification for restricted goods and services.

  • Organisation of conferences and events; pre-event communications; catering coordination; invoicing and payment management; credit verification; assistance to attendees.

  • Booking of services and facilities; eligibility assessment for services; compliance with health and disability restrictions; coordination with professionals for specific treatments.

The legal basis for this processing is the necessity to perform a contract, as provided for under Article 6(1)(b) of the GDPR.

e) Compliance with legal obligations

Your data will also be used by the Controller to fulfil specific legal obligations, including:

  • Reporting guest details to the competent local police authority within 24 hours of arrival, pursuant to Article 109 of the T.U.L.P.S. (Royal Decree of 18 June 1931, no. 773). Providing an identity document is required by law; failure to do so prevents check-in.

  • Managing invoicing and maintaining mandatory accounting records.

The legal basis for this processing is the necessity to comply with a legal obligation, as provided for under Article 6(1)(c) of the GDPR.

f) Sending commercial and marketing communications (optional)

Subject to your separate and specific consent, the Controller may process your contact details to send promotional communications, special offers, and newsletters relating to the property's services.

The legal basis is the Data Subject's consent pursuant to Article 6(1)(a) of the GDPR. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

PURPOSES AND LEGAL BASIS FOR PROCESSING

Your Personal Data may be handled, on behalf of the Controller, exclusively by personnel expressly authorised to process it (pursuant to Article 29 of the Regulation and Article 2-quaterdecies of the Privacy Code), and by third parties expressly appointed as data processors (pursuant to Article 28 of the Regulation), for the purpose of properly carrying out all processing activities necessary to pursue the purposes described in this Policy.

By way of example, the following are some categories of parties to whom your Personal Data may be disclosed:

  • the Controller's commercial partners who provide services, acting as data processors or independent controllers, for the purposes referred to in Article 6(1)(b) of the Regulation;

  • third-party service and consultancy providers, acting as data processors or independent controllers, for the purposes referred to in Article 6(1)(b) of the Regulation;

  • parties and authorities whose right of access to Personal Data is expressly recognised by law, regulations, or orders issued by competent authorities;

  • parties acquiring a business or business unit, and companies resulting from potential mergers, demergers, or other corporate restructurings involving the Controller.

  • Online booking and intermediary platforms: The Controller uses online booking platforms (such as Booking.com, Airbnb, Expedia, etc.) which act as independent data controllers for data collected through their portals. Please refer to the privacy policy of each platform for the relevant information.

  • Public security authorities: In fulfilment of the obligation under Article 109 of the T.U.L.P.S., guests' identification data is reported to the competent local police authority.

If you would like to know which parties have received your Personal Data as a result of your relationship with the Controller, you may contact the Controller at the email address indicated in paragraph 7 below.

PARTIES TO WHOM YOUR PERSONAL DATA MAY BE DISCLOSED

In accordance with the principle of storage limitation (Article 5(1)(e) of the Regulation), your Personal Data will be processed by the Controller only for as long as necessary to fulfil the purposes described in this Policy.

In particular, your Personal Data will be retained as follows:

  • For the purposes in paragraph a): for the time necessary to provide the services on the Site.

  • For the purposes in paragraph b): for the time strictly necessary to exercise or defend a right in judicial or out-of-court proceedings, and in any event no longer than the applicable limitation period.

  • For the purposes in paragraph c): for the duration of the selection process and, upon its conclusion: (i) if your application is accepted, the personal data collected during the hiring process will be transferred to your employee file and retained during and after the employment relationship in accordance with our data retention policy; (ii) if your application is not accepted, we may retain your personal data and CV for a maximum period of one (1) year after the conclusion of the relevant selection process, in order to consider your profile for future job opportunities. After that period, the data will in any case be deleted or destroyed.

  • For the purposes in paragraph d) (performance of contract): for a period of 10 years from the termination of the contractual relationship, in line with the ordinary limitation period. For the purposes in paragraph e) (compliance with legal obligations — reporting under Article 109 T.U.L.P.S. and tax documentation): for 10 years, in accordance with Article 2220 of the Civil Code and the obligations governing the retention of accounting records.

  • For data processed on the basis of consent (e.g. health data for special requests, marketing communications): until consent is withdrawn and, thereafter, for the time necessary to handle any disputes.

Upon expiry of the above retention periods, Personal Data will be destroyed, erased, or anonymised, in accordance with technical deletion and backup procedures and the Controller's accountability requirements.

In any case, your Personal Data will be subject to a periodic review, no less frequently than every 12 months, to assess its continued relevance to the Controller's activities; if your Personal Data is no longer relevant, it will be deleted immediately.

PERSONAL DATA RETENTION PERIODS

Your Personal Data will be processed by the Controller within the territory of the European Union.

Should your Personal Data need to be transferred to or stored in countries outside the European Union for technical or operational reasons, please be aware that parties located outside the EU will be appointed (where the conditions are met) as Data Processors pursuant to Article 28 of the Regulation.

Any transfer of your Personal Data to such parties, limited to specific processing activities, will be governed in accordance with Chapter V of the Regulation.

All necessary safeguards will be adopted to ensure the fullest protection of your Personal Data, based on: (a) adequacy decisions regarding the recipient third countries issued by the European Commission; (b) adequate guarantees provided by the recipient third party pursuant to Article 46 of the Regulation; (c) binding corporate rules; (d) standard contractual clauses approved by the European Commission.

You may at any time request further details from the Controller should your Personal Data have been processed outside the European Union, including evidence of the specific safeguards adopted.

LOCATIONS OF PROCESSING

All information collected on this Site is stored and maintained in secure facilities with access restricted exclusively to authorised personnel. The website https://casa-pier.com is regularly monitored for potential security breaches and to ensure that collected information is protected from unauthorised access.

MANDRALIVING s.r.l. complies with the security measures required by applicable laws and regulations, and with all appropriate measures in accordance with current best practices, in order to safeguard the confidentiality of users' Personal Data and minimise, as far as possible, the risks of unauthorised access, removal, loss, or damage to users' Personal Data.

INFORMATION SECURITY

You may exercise your rights under Articles 15 et seq. of the Regulation against the Controller at any time. In particular, you have the right to obtain:

  • confirmation as to whether or not your Personal Data is being processed, and access to the data and the following information: the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the data has been or will be disclosed, and the relevant retention period;

  • rectification of inaccurate Personal Data and/or completion of incomplete Personal Data, including by providing a supplementary statement;

  • erasure of your Personal Data and restriction of processing in the cases provided for by the GDPR and applicable privacy legislation;

  • where applicable, portability of your Personal Data and, in particular, the possibility of requesting the direct transfer of your Personal Data to another controller;

  • objection, at any time, on grounds relating to your particular situation, to the processing of your Personal Data, in full compliance with applicable privacy legislation;

  • withdrawal of consent at any time, where processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise your rights, you may contact the Controller at the following email address, attaching a copy of your identity document: officemanager@mandraliving.com

In any case, if you believe that the processing of your Personal Data is contrary to applicable Privacy Law, you always have the right to lodge a complaint with the competent supervisory authority (the Italian Data Protection Authority — Garante per la Protezione dei Dati Personali) pursuant to Article 77 of the GDPR.

Last updated: June 2026

DATA SUBJECTS' RIGHTS AND HOW TO EXERCISE THEM

bottom of page