1) Scope
This policy explains how we collect and process personal data of guests, website visitors, subscribers, and other individuals who interact with Palazzo Violetta, in accordance with Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap. 586, Laws of Malta).
2) Categories of Personal Data
Guest & Booking Data
- Name, surname, email, phone, address, nationality, ID/passport details
- Booking dates, number of guests, preferences and requests
- Invoice details and payment information (processed via secure providers – no full card data stored by us)
- Communications related to your stay
Marketing & Communications
- Newsletter/offer subscriptions (Brevo) and their interaction data
- WhatsApp Business opt-ins and communication metadata
- Competition entries and social media interactions
Technical & Usage Data
- Website analytics/cookies: Google Analytics, Google Ads, Facebook/Meta Pixel, Google Tag Manager, Smartlook
- Device identifiers, IP address, browser type, pages viewed, timestamps, referrers
- Consent choices via Complianz
Wi‑Fi Logs
- Device MAC/IP address, timestamps, bandwidth and session data as required for security and service provision
CCTV Footage
- Footage captured in and around premises for security and protection of persons and property
3) Sources of Data
We collect data directly from you via our website booking form, walk-ins, phone/email/WhatsApp, social channels, and guest registration on arrival. We also receive data indirectly via online travel agencies/booking engines, payment providers, property management systems, CRM and marketing platforms (Brevo, Zoho CRM), analytics/ad platforms (Google, Meta), and messaging providers (WhatsApp Business).
4) Purposes and Lawful Bases
We process personal data for the following purposes and legal grounds:
| Purpose | Examples | Lawful Basis |
| --- | --- | --- |
| Manage bookings & guest stays | Reservations, check-in/out, special requests, communications | Contract (Art. 6(1)(b)) |
| Process payments & invoicing | Charges, refunds, VAT compliance | Contract & Legal obligation (Art. 6(1)(b),(c)) |
| Service communications | Confirmations, changes, important updates | Contract & Legitimate interests (Art. 6(1)(b),(f)) |
| Marketing communications | Newsletters/offers via Brevo, WhatsApp updates (where permitted) | Consent (Art. 6(1)(a)) or Legitimate interests where allowed (Art. 6(1)(f)) |
| Improve services & website | Analytics, troubleshooting, performance, personalization | Consent (cookies/trackers) & Legitimate interests (Art. 6(1)(a),(f)) |
| Security & property protection | CCTV, Wi‑Fi security logs, fraud prevention | Legitimate interests (Art. 6(1)(f)) & Legal obligation |
| Regulatory & tax compliance | Accounting, law enforcement requests, audit trails | Legal obligation (Art. 6(1)(c)) |
Legitimate interests include efficient hotel operations, guest experience, property/guest/staff safety, service improvement, and limited direct marketing to existing customers (subject to opt-out).
5) Children’s Data
Our services are not directed to children under 16. Where a booking involves minors, we process only data necessary for the stay and legal obligations and obtain such information from the booking adult.
6) Disclosures to Third Parties
- Booking & distribution partners (booking engines/OTAs) facilitating your reservation
- Payment service providers & banks to process payments and prevent fraud
- Property management, CRM & marketing tools: PMS, Zoho CRM, Brevo (email), WhatsApp Business, Google (Analytics/Ads/Tag Manager), Meta (Facebook/Instagram Pixel), Smartlook
- IT/hosting and support providers for website hosting, security, maintenance, and email
- Professional advisors & authorities (accountants, auditors, legal advisors, tax/VAT or competent authorities) when required by law
Processors are bound by GDPR-compliant data processing agreements and act only on our documented instructions.
7) International Transfers
Some providers (e.g., Google, Meta, WhatsApp) may process data outside the EEA. Where such transfers occur, we rely on adequacy decisions (Art. 45) where available, or Standard Contractual Clauses (SCCs) and additional safeguards (Art. 46). You may request information on transfer mechanisms via info@palazzovioletta.com.
8) Retention Periods
- Guest/booking & invoice records: generally 5 years for tax/VAT and accounting (or longer if required by law)
- Marketing consents & subscriber data: generally 2 years from last interaction or until withdrawal of consent/unsubscription
- Service communications & correspondence: typically up to 2 years after your stay, unless needed longer for legal claims
- CCTV footage: typically 30 days, unless an incident requires longer retention
- Wi‑Fi logs: typically 6 months for security and troubleshooting (or as required by applicable law)
- Cookies/online identifiers: per cookie type and Complianz configuration (see Cookie Policy/Consent settings)
9) Your Rights
Subject to conditions and applicable law, you have the right to: access your data; rectify inaccuracies; erase data; restrict processing; object to processing (including direct marketing); request data portability; and withdraw consent at any time. To exercise these rights, contact info@palazzovioletta.com. We may need to verify your identity and clarify your request. You also have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC), Malta (idpc.org.mt).
10) Marketing, WhatsApp & Profiling
We send marketing communications (e.g., via Brevo or WhatsApp Business) only with your consent or where permitted by law (e.g., existing customer soft opt‑in). You can unsubscribe or opt out at any time (links in emails or by contacting us). We may perform audience measurement and limited profiling for advertising and personalization (e.g., Google/Meta) based on your cookie/consent choices. Declining marketing/analytics cookies will limit such processing.
11) Cookies & Tracking (Complianz)
We use Complianz to manage cookie categories and obtain consent. You can review or update your preferences at any time through our Cookie Settings. For details on cookie types, purposes, and storage periods (e.g., Google Analytics, Google Ads, Facebook/Meta Pixel, Google Tag Manager, Smartlook), please refer to our Cookie Policy and the Complianz banner on our site.
12) Wi‑Fi Service
If you use our guest Wi‑Fi, we may collect device identifiers (e.g., MAC address), connection logs, and session metadata to provide the service securely, prevent misuse, and comply with legal requests. Usage is subject to this Policy and any displayed terms at login.
13) CCTV
CCTV operates in selected areas for security and safety. Signage is displayed where cameras are in use. Footage is retained for a limited period (see Section 8) and accessed only on a need‑to‑know basis or shared with competent authorities where legally required.
14) Security
We implement appropriate technical and organizational measures (including access controls, encryption where reasonable, staff training, and processor due diligence) to protect personal data against unauthorized access, alteration, disclosure, or destruction.
15) Do We Have to Collect Your Data?
Where data is required by law or necessary to provide our services (e.g., identity details for guest registration, payment information), we may not be able to accept or fulfil your booking without it.
16) Automated Decision‑Making
We do not engage in automated decision‑making producing legal or similarly significant effects as described in GDPR Art. 22.
17) Changes to This Policy
We may update this Policy from time to time to reflect operational, legal, or regulatory changes. The latest version will be posted on our website with the effective date.
18) Contact
For questions or to exercise your rights, contact: info@palazzovioletta.com
Controller: PJS Trading Ltd, 70, Triq it-Tonna, Sliema, Malta




