Privacy policy




Information on the processing of User's personal data


Rights of the Interested User

How to exercise your rights and/or request information on processing




Dear User, 

this Privacy Policy is provided to you pursuant to Article 13 of Regulation (EU) 2016/679 - on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, also referred to as, "the Regulation" or "GDPR").

This Privacy Policy contains information on the processing of your personal data as a result of browsing the Internet and using the services made available to you through the website.

You will be provided with specific and/or supplementary information on the processing of your personal data each time we collect them, either through your interaction with the site or by virtue of contractual relationships established with our Company; you can view all of them at any time by clicking on the links in the "Information" section at the bottom of this page. 

Attention: this Privacy Policy does not apply to web services provided by third parties, which you may use or consult and access through hypertext links. In this regard, we invite you to consult the privacy information and privacy policies provided by these third parties in the appropriate locations.



Privacy Policy: The GDPR, the Privacy Code, the Measures of the Guarantor and, in general, all the legislation on the protection of individuals with regard to the processing of personal data.

GDPR or Regulation: The General Data Protection Regulation (EU) 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data.

Personal Data: Any information relating to an identified or identifiable individual. In addition to the data provided by the User by means of any forms within individual areas of the Web Services, this also includes data relating to the User's navigation. 

Interested party: The identified or identifiable individual to whom the Personal Data relates.

Navigation data: In the course of their normal operation, the computer systems and software procedures used to operate the Web Services acquire certain data. The transmission of these data is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with the identified parties concerned, but by its very nature it could enable users to be identified through processing and association with data held by third parties. However, if the browsing session takes place after accessing the Reserved Area (so-called log in), the data collected are associated with the User's personal account.

Browsing data includes:

  • IP addresses or domain names of computers used by users connecting to the site;

  • the addresses of the requested resources in URI (Uniform Resource Identifier) format;

  • the time of the request;

  • the method used to submit the request to the server;

  • the size of the file obtained in response;

  • the numerical code indicating the status of the response given by the server (successful, error, etc.);

  • other parameters relating to the User's operating system and computer environment.

Data provided by the User: This is the data which the User voluntarily and knowingly provides by sending communications (e.g. by e-mail, to the addresses on the web domain) or by filling in specific forms, if present in the areas provided by the Services.

The Data provided by the User are only strictly necessary for the purposes required by the Services on a case by case basis (for precise details regarding the categories of data collected on a case by case basis, please refer to the relevant privacy policy). By way of example, such data may be:

  • personal details;

  • concerning contact details (e.g. e-mail address);

  • related to the contractual position of the User/Client;

  • geolocation (if the user has given consent to the collection of data relating to their location);

  • regarding the use of individual Services available to the User;

  • concerning facts and events disclosed by the User in their messages (in this regard, and for their greater protection, the User is requested not to provide information not strictly pertinent to the subject of the request and the nature of the Services provided by the company).

Data Controller or Holder: The person who decides on the aims and methods of processing Personal Data. With reference to Web Services, the Unipol Group is the Company which this site refers to and whose references are at the bottom of each page.

Services or web services: The services provided through the Internet, used via the website and/or any applications.

User: The interested party (individual) who browses, consults, accesses or uses the Web Services.

DPO: The Data Protection Officer . The interested user may request clarifications regarding the processing of Personal Data or exercise their rights by contacting the DPO, in the manner and form indicated in the section "How to exercise rights and/or request information on processing".

Privacy Guarantor: The Guarantor for the protection of personal data, i.e. the Italian national monitoring authority for the protection of personal data. Consult the website of the Privacy Guarantor.

Cookies: Cookies are pieces of information that are stored on your device (e.g., within your browser's memory) when you visit a website or use a web application. 

Each cookie may contain various data, such as the name of the server it comes from, a numerical identifier, etc.

View the Cookie Policy for more information.



The following is useful information concerning the processing of Personal Data carried out via the Web Services.

In particular, we want to inform you of:

  • the identification and contact details of the Data Controller;

  • the contact details of the Data Protection Officer (DPO);

  • the categories of Personal Data processed through the Web Services;

  • the purposes for which such Personal Data are processed on a case by case basis;

  • the grounds for processing such data (so-called legal bases);

  • the duration of their retention, always strictly necessary for the pursuit of the stated purposes;

  • the categories of the data communication recipients.


Data Controller

Registered office

Tenute del Cerro S.p.A.

Via Grazianella n. 5 - Fraz. Acquaviva - 53045 Montepulciano (SI).


Categories of Personal Data, purpose and legal basis of processing and retention periods

​Categories of Personal Data

Purpose of processing

Legal basis

Data retention periods

Navigation data

Allow web browsing and the provision of Services

Need to implement a contract to which the individual is part of or to provide a service at the individual's request

For the duration of navigation within the services

To obtain anonymous statistical information on the use of the Web Services, for the sole purpose of checking their correct functioning

Legitimate interest of the Company

The collected data are collected in aggregate and no longer traceable to the individual user who browsed the site.

Data provided by the User: provision of Web Services

Booking of overnight stays at establishments

Need to execute a contract or a pre-contractual measure which the individual is a part of

For the duration of the booking; subsequently, if confirmed during check-in, the Data will be kept (as provided for by the privacy policy provided at that time), due to administrative/accounting requirements, for the time provided for by tax regulations (in general, 10 years)

Request for information

Need to execute requests made by the interested party (pre-contractual phase) or legitimate interest

The time taken to provide feedback


The provision of your Personal Data is free and optional. We remind you, however, that it is indispensable for the pursuit of certain purposes (to provide you with the appropriate feedback requested, for registration in the Reserved Area or for the provision of individual Services); if not provided, in such cases, it may not be possible to proceed with the pursuit of those purposes.


We invite you, however, to consult the relevant information on the processing of data for more details.


Methods of data processing and recipients of data communication

The above data will not be distributed and may only be disclosed to employees of our Company who are specifically authorised to process them. They may also be acquired and/or processed by other companies of the Unipol Group and/or companies. Processing operations may be carried out by external parties to whom we entrust to carry out operations on our behalf, and with whom we enter into appropriate agreements aimed at regulating the processing of data.

Finally, the data may be disclosed at the express request of public authorities or law enforcement agencies.

The processing of Personal Data is always subject to the application of appropriate security measures to ensure the confidentiality, availability and integrity of the data.


The Web Services may use technical, analytical and profiling cookies, both first and third party.

Cookies are essential to improve the Services and to provide products that are always in line with Users' preferences.

Any use of profiling and/or third-party cookies will always be subject to your prior consent.

To learn more, click here.



The Privacy Law (Articles 15-22 of the Regulation) guarantees the User, as the interested party, the right to access their data, as well as to obtain the rectification and/or integration, cancellation or portability of the data. The Privacy Regulations also give the User the right to request the restriction of data processing and to object to the processing, as well as the possibility to revoke any consent given (revocation does not affect the lawfulness of the processing carried out up to that moment).



What does it consist of?

Requirements for operation

Data access

The User may request from the Data Controller:

  • confirmation that they are processing data relating to them;

  • a copy of the data relating to them;

  • information concerning data processing (e.g. legal bases, retention periods, categories of data recipients, etc.)

The User is always entitled to submit such a request

Correcting or supplementing data

The User may request the Data Controller to:

  • rectify

  • update

  • edit

Personal Data processed

If the data processed are inaccurate or incomplete

Erasing data

The User may request that the Data Controller delete the Personal Data which is being processed

  • the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  • the User revokes the consent on which the processing is based, and if there is no other legal basis for the processing;

  • the User objects to the processing pursuant to Art. 21 and there is no overriding legitimate reason to proceed with the processing;

  • the Personal Data has been unlawfully processed;

  • the Personal Data must be erased in order to comply with a legal obligation imposed by EU or Member State law on the Data Controller

Restriction of Personal Data Processing

The User may request that the Data Controller does not carry out any processing operation on their Personal Data other than retention, unless consented to by the User or in order to protect their rights

  • the User disputes the accuracy of the Personal Data, for the period necessary for the Data Controller to verify the accuracy of such Personal Data;

  • the processing is unlawful and the interested party objects to the deletion of the Personal Data and requests instead that its use be restricted;

  • although the Data Controller no longer needs it for processing purposes, the Personal Data is necessary for the investigation, exercise or defence of legal claims;

  • the User has objected to the data being processed, pending verification of whether the legitimate motives of the Controller prevail over those of the interested party

Objection to the processing of Personal Data

The User may object to processing based on a legitimate interest (including the sending of promotional communications) or on a public interest

There must be grounds relating to the particular situation of the User, except if the objection is related to processing for direct marketing purposes

Objection to an automated decision-making process

The User may object to automated decision-making processes. In the event that such a process is necessary for the conclusion of a contract, is based on explicit consent, is authorised by law or regulation of the State or of the European Union, the User has the right to obtain human intervention by the Data Controller, to express their opinion and to challenge the decision

There is a decision based solely on automated processing, including profiling, which results in legal effects which concern the User or which significantly affects the User in a similar way.

Portability of Personal Data

The User has the right to receive the Personal Data concerning them in a structured, commonly used and machine-readable format

Provided all the following conditions are met:

  • the data has been provided by the User;

  • the processing is consented to or is contract-based;

  • the processing is carried out by automated means

Withdrawal of consent

The User may withdraw their  previously given consent. Withdrawal does not affect the lawfulness of the processing carried out up to that moment

Ongoing permanent requirement



The "Data Protection Officer" is available to assist with any doubts or clarifications, to exercise the rights of the interested parties and to provide an updated list of the categories of data recipients.


Data Protection Officer or DPO


Your right to contact the Privacy Guarantor remains unaffected, including by means of a complaint, where deemed necessary for the protection of your Personal Data and your rights in this respect.​ 



Below is a list of the disclosures:

Information​ on the processing of common data for contractual purposes and commercial promotion (TDC_InfC_CoCo


Information on the processing of common data for contractual purposes and commercial promotion - Farmhouse Clients (TDC_InfC_CoCo_02)

Information on the processing of personal data for the purpose of bookings (TDC_Info_PreW_01)


Back to in​dex