Privacy Policy

Published on 5/21/2026 – Last Updated: 5/21/2026

The protection of your privacy is of the utmost importance to us. This Policy applies to https://cortedivalle.com (hereinafter the ” Site “) and all existing or potential relationships between Corte di Valle and its customers, prospects and partners. We take the necessary measures to ensure the protection of personal data of the users of our website.

Corte di Valle guarantees the protection of users’ personal data in accordance with the provisions of Regulation (EU) 2016/679 (GDPR), Legislative Decree 196/2003 (Privacy Code) as amended by Legislative Decree 101/2018, and the provisions of the Italian Data Protection Authority.

This Policy explains: what personal data we collect when you navigate on our Site, the purposes of such collection, the legal basis of the processing, the recipients of the data, the retention periods, your rights and the security measures taken. By ” personal data ” we mean any information that can identify a user, such as last name, first name, postal and email addresses, telephone numbers, IP address, computer connection identifier, etc.

 

1 – Data Controller.

The Data Controller of personal data collected through the Site is:

• Società Agricola Corte di Valle Wine and Resort S.r.l.
• Registered office: Via Vicchio 26/28, 50022 Greve in Chianti (FI), Italy
• VAT / Tax Code: IT 07189990489
• Legal Representative: Pierre Mariani – Chairman of the Board of Directors
• Email: contact@cortedivalle.com
• Phone: +39 055 853939
• Website: https://cortedivalle.com

 

Privacy Referent

For any queries related to the processing of personal data, you can contact the internal Privacy Contact Person by writing to contact@cortedivalle.com.

Note on the DPO/DPO: Corte di Valle is not subject to the obligation to designate a Data Protection Officer pursuant to Article 37 of the GDPR, as the processing carried out does not fall within the cases that require its mandatory appointment.

 

2 – Types of Data Collected

Corte di Valle may collect and process the following categories of personal data when you fill out a contact form or other form on the Site:

• Last Name and First Name
• Title (Mr./Mrs.)
• Professional category
• Business name (for professionals)
• Email address
• Landline or mobile phone number
• Mailing address
• Payment data (for bookings, managed by payment provider)
• Site usage data: IP address, browser type, software, hardware, approximate geolocation data, and web page of origin

 

In addition, Corte di Valle automatically collects anonymous information about the use of the Site and its services (parts of the site visited, browser used, page of origin, IP address). These data do not allow direct identification of the user, but they allow to compile statistics on the use of the Site and to send more targeted communications.

The Site does not collect data belonging to special categories (so-called sensitive data under Article 9 GDPR, such as racial or ethnic origin, political opinions, religious beliefs, health data, etc.) or data relating to criminal convictions (Article 10 GDPR).

 

3 – Methods of Collection

Your personal data are collected through the following modalities:

• Contractual relationship with Corte di Valle (reservations, events, tastings)
• Visit of the website https://cortedivalle.com
• Creation of a customer account
• Completion of contact forms
• Requesting a quote
• Using the services of Corte di Valle
• Identity verification
• Subscription to commercial communications and newsletter
• Correspondence with Corte di Valle
• Exchange of business cards
• Interaction with facility staff
• Satisfaction surveys
• Cookies (see Cookie Policy for more information)
• Sweepstakes

 

The personal information collected is provided expressly and voluntarily by the user.

 

4 – Purposes of the Processing and Legal Bases.

According toArticle 6 of the GDPR, any processing of personal data must be based on a legal basis. Corte di Valle processes personal data for the following purposes and based on the following legal bases:

 

Purpose	Legal basis (art. 6 GDPR)	Duration of storage
Management of reservations and hospitality contracts	Contract execution (art. 6.1.b)	10 years from the end of the contract (tax obligations – DPR 600/1973)
Response to requests via contact form	Pre-contractual measure or consent (Art. 6.1.b or 6.1.a)	24 months from last contact
Billing and accounting requirements	Legal obligation (Art. 6.1.c)	10 years (art. 2220 civil code)
Newsletters and commercial communications	Explicit consent (art. 6.1.a)	Until consent is revoked, max 24 months of inactivity
Customer satisfaction surveys	Legitimate interest of the Data Controller (art. 6.1.f)	12 months after sending
Fulfilment of public safety obligations (notification of lodgers to the Police Headquarters)	Legal obligation (art. 6.1.c) – art. 109 TULPS	According to legal timelines
Anonymous browsing statistics	Legitimate interest (art. 6.1.f)	Maximum 13 months (analytics cookies)
Computer fraud prevention	Legitimate interest (art. 6.1.f)	12 months
Litigation defense	Legitimate interest (art. 6.1.f)	For as long as necessary for prosecution

 

Provision ofdata: the provision of personal data is optional. However, failure to provide data marked as mandatory (with an asterisk in the forms) will prevent Corte di Valle from fulfilling the user’s request, managing the reservation or fulfilling contractual and legal obligations.

Automated decision-making processes: Corte di Valle does not carry out any automated decision-making processes, including profiling (Art. 22 GDPR), that produce legal effects or significantly affect the user.

 

5 – Recipients of Data.

Corte di Valle does not sell, trade, or transfer users’ personal data to third parties without their consent, except as necessary to respond to a request or to perform a contractual service.

Personal data may be processed by authorized employees of Corte di Valle, duly trained in accordance with Article 29 GDPR and Article 2-quaterdecies of the Privacy Code. The data may also be communicated to third parties appointed as Data Processors pursuant to Art. 28 GDPR, within the limits of the purposes indicated above. The main Data Processors are:

• 5Stelle* S.r.l. – PMS Provider
• Headquarters: Via Nazionale 19, 43058 Sorbolo Mezzani (PR), Italy
• Purpose: management of reservations and customer data
• Website: https://www.hotelcinquestelle.cloud/

 

D-EDGE SAS – Booking and payment system

• Location: 14-16 Boulevard Poissonnière, 75009 Paris, France
• Purpose: technical management of online reservations, payments, billing
• Website: https://www.d-edge.com
• Privacy policy: https://www.d-edge.com/fr/mentions-legales

 

O2switch SAS – Site Hosting

• Location: Chemin des Pardiaux, 63000 Clermont-Ferrand, France
• Purpose: Hosting the Site on servers located in the European Union
• Website: https://www.o2switch.fr

 

Diadao Productive SARL – Technical Maintenance

• Location: Zone Ecoparc – 625 Avenue de la Saladelle, 34130 Saint-Aunès, France
• Purpose: development, maintenance and updating of the Site
• Website: https://www.diadao.fr

 

Data may also be communicated to:

• Public Safety Authorities (Police Headquarters) for fulfillment of the law ex art. 109 TULPS (Testo Unico delle Leggi di Pubblica Sicurezza)
• Judicial, administrative or tax authorities, where required by law
• Professional consultants (accountants, lawyers) within the limits of the professional mandate
• Banking institutions and payment providers for handling transactions

 

In case of total or substantial transfer of the assets of Corte di Valle, the personal data collected may be one of the transferred assets, in compliance with the provisions of the GDPR.

 

6 – Data transfers outside the European Union.

The personal data collected are hosted and processed within the European Union (Italy and France).

If, due to technical or organizational needs, a transfer of data outside the European Economic Area (EEA) becomes necessary, Corte di Valle is committed to ensuring that such a transfer takes place in accordance with articles 44-49 of the GDPR, through adequate safeguards such as:

• European Commission adequacy decision (Art. 45 GDPR)
• Standard Contractual Clauses approved by the European Commission (Art. 46.2.c GDPR)
• Binding Corporate Rules (Binding Corporate Rules – art. 47 GDPR)

 

The user will be informed in advance in case of transfers to countries that do not offer an adequate level of protection.

 

7 – Retention Period.

Personal data are retained for the time strictly necessary to achieve the purposes for which they were collected, in application of the principle of minimization (Art. 5(1)(e) GDPR). Specific retention times for each purpose are given in the table in Section 4.

In any case, longer periods may be retained when required or justified by law, in particular:

• 10 years for accounting and tax documents (Art. 2220 Civil Code, Presidential Decree 600/1973)
• Specific time periods provided for mandatory communications to Public Security (Art. 109 TULPS)
• Duration necessary for the exercise or defense of rights in court

 

At the end of the retention period, the data will be irreversibly deleted or anonymized.

 

8 – Rights of the Data Subject.

Pursuant to Articles 15-22 of the GDPR, you have the right to exercise the following rights at any time:

 

• Right of access (art. 15 GDPR): obtain confirmation of the existence or otherwise of a processing operation and access to your data
• Right to rectification (art. 16 GDPR): correct inaccurate data or supplement incomplete data
• Right to erasure (” right to be forgotten “) (art. 17 GDPR): obtain the deletion of one’s data, within the limits provided by law
• Right to restriction of processing (art. 18 GDPR)
• Right to portability (art. 20 GDPR): to receive one’s data in a structured, commonly used and machine-readable format
• Right to object (Art. 21 GDPR): object at any time to processing based on legitimate interest or for direct marketing purposes
• Right to withdraw consent (Art. 7 GDPR): at any time, without affecting the lawfulness of processing based on consent prior to withdrawal
• Right not to be subjected to automated decisions (art. 22 GDPR), including profiling
• Right tocomplain to the Supervisory Authority (art. 77 GDPR): you have the right to complain to the Data Protection Authority

 

Methods of exercising rights

Rights can be exercised free of charge by contacting the Controller by the following means:

• Email: contact@cortedivalle.com
• Mail: Società Agricola Corte di Valle Wine and Resort S.r.l. – Via Vicchio 26/28, 50022 Greve in Chianti (FI), Italy
• Subject: ” Exercise of privacy rights “
• Online form: https://cortedivalle.com/it/modulo-rgpd

 

A copy of a valid identity document must be attached to the request in order to verify the identity of the applicant. The Holder will respond within 30 days of receipt of the request. This period may be extended by an additional 60 days if the complexity or number of requests warrants it (Art. 12.3 GDPR).

Complaint to the Regulatory Authority

If you believe that your personal data is being processed in violation of the GDPR or the Privacy Code, you have the right to complain to the Garante per la protezione dei dati personali, as the Italian Data Protection Authority:

• Garante per la protezione dei dati personali
• Address: Piazza Venezia 11, 00187 Rome, Italy
• Email: protocollo@gpdp.it
• PEC: protocollo@pec.gpdp.it
• Switchboard: +39 06 696771
• Website: https://www.garanteprivacy.it
• Complaint template: https://www.garanteprivacy.it/web/guest/modulistica/reclamo

 

Postmortem rights

Pursuant toArticle 2-terdecies of the Privacy Code (introduced by Legislative Decree 101/2018), rights relating to the personal data of deceased persons may be exercised by those who have an interest of their own, or act to protect the data subject as his or her proxy, or for family reasons deserving protection. The data subject may expressly prohibit, by written declaration, the exercise of such rights after his or her death.

 

9 – Security of Personal Data.

Pursuant toArticle 32 of the GDPR, Corte di Valle takes appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of communications using SSL/TLS protocol (HTTPS)
• Up-to-date firewall and antivirus systems
• Pseudonymization of data where possible
• Access control using individual credentials and privilege profiling
• Periodic backups and disaster recovery procedures
• Staff training on data handling
• Periodic verification and updating of security measures

 

Despite our best efforts and efforts, no method of transmission over the Internet or any method of electronic storage is completely secure. Therefore, absolute security cannot be guaranteed. In the event of a personal data breach (data breach), Corte di Valle will notify the Guarantor within 72 hours (Art. 33 GDPR) and, if the risk is high, will also notify the data subjects (Art. 34 GDPR).

 

10 – Cookies

The use of cookies on the Site is governed by a dedicated Cookie Policy , drafted in accordance with the Guarantor’s Order No. 231 of June 10, 2021 (” Guidelines cookies and other tracking tools “).

The Cookie Policy can be accessed from the footer of the Site. Through the cookie management banner, the user can accept, reject or customize their preferences at any time.

 

11 – Updates to the Policy.

Corte di Valle may update this Privacy Policy at any time by posting a new version on the Site. The user is invited to regularly consult the dedicated page to take note of any changes.

In case of substantial changes (change of purpose, legal basis, recipients, etc.), Corte di Valle will inform registered users by email or visible notice on the Site.

 

12 – Links to Third Party Sites

The Site may contain hyperlinks to other websites. Corte di Valle cannot be held responsible for the privacy policies or data practices of third party sites. You are encouraged to consult the privacy policies of the target sites.

 

13 – Consent.

When data processing is based on consent (Art. 6.1.a GDPR), it is freely expressed by the user through positive and unambiguous action (e.g., checking appropriate boxes that are not pre-flagged). Consent can be revoked at any time as easily as it was given, e.g., via the unsubscribe link in each commercial email or by writing to contact@cortedivalle.com. Revocation of consent does not affect the lawfulness of the processing carried out prior to the revocation.

 

14 – Contact and Complaints

If you have any questions, requests or complaints regarding this Privacy Policy or the way in which Corte di Valle collects, uses or processes personal data, you can contact the Controller by the following means:

Email: contact@cortedivalle.com

Mail: Società Agricola Corte di Valle Wine and Resort S.r.l. – Via Vicchio 26/28, 50022 Greve in Chianti (FI), Italy

Phone: +39 055 853939

 

If the response is not satisfactory, the user may appeal to the Guarantor for the protection of personal data in the manner indicated in paragraph 8.

 

 

Società Agricola Corte di Valle Wine and Resort S.r.l.

Via Vicchio 26/28 – 50022 Greve in Chianti (FI) – Italy

P.IVA IT 07189990489 – contact@cortedivalle.com