Hotel San Luca s.a.s. di Paolo Zuccari & C., a company registered under Italian law with VAT number 01901130540 and with registered office in Via Interna delle Mura, 21 – 06049 Spoleto, Italy (hereafter Company) has developed this Internet Privacy Policy in order to conform its activity to that of a trusted subject that ensures, respects and maintains the privacy rights of online visitors.

The Company is the Data Controller (hereinafter the Data Controller) of the processing of personal data collected through its website (hereinafter the Site) as defined by art. 28 of Legislative Decree 30 June 2003, n.196 (Code regarding the processing of personal data) as well as in compliance with Community legislation (European Regulation for the protection of personal data No. 679/2016, GDPR) and subsequent amendments. The Data Controller will process any data collected through this Site for purposes, in a manner and as specifically explained below.

This site processes data based on consent. With the use or consultation of this site visitors and users explicitly approve this privacy statement and consent to the processing of their personal data in relation to the methods and purposes described below, including any disclosure to third parties if necessary for the provision of a service. The provision of data and therefore the consent to the collection and processing of data is optional, the User can refuse consent and may revoke at any time a consent already provided by contacting the Owner. However, denying consent may make it impossible to provide certain services and the browsing experience on the site may be compromised.Starting from 25 May 2018 (date of entry into force of the GDPR), this site will process some of the data based on the legitimate interests of the data controller.

Like all websites, this site also makes use of log files in which information collected in an automated way is stored during user visits. The information collected could be the following:

  • internet protocol (IP) address;
  • type of browser and device parameters used to connect to the site;
  • name of the Internet service provider (ISP);
  • visit date and time;
  • web page of origin of the visitor (referral) and exit;
  • possibly the number of clicks.

The aforementioned information is processed in an automated form and collected in an exclusively aggregated form in order to verify the correct functioning of the site as well as for security reasons (from 25 May 2018 such information will be treated according to the legitimate interests of the Owner).
For security purposes (spam filters, firewalls, virus detection), the automatically recorded data may possibly also include personal data such as IP address, which could be used, in accordance with applicable laws, in order to block attempts at damage to the site itself or to cause damage to other users, or in any case harmful activities or constituting a crime. Such data are never used for the identification or profiling of the user, but only for the purposes of protection of the site and its users (from 25 May 2018 such information will be treated according to the legitimate interests of the owner).

Visitors to the site can provide their data voluntarily to access some services provided by the Site (eg comments, contact forms, newsletters, ..) The data received will be used exclusively for the provision of the requested service and only for the time needed to provide the service.
The information that users of the site deem to make public through the services and tools made available to them, are provided by the user knowingly and voluntarily, exempting this site from any liability regarding any violation of laws. It is up to the user to verify that they have permission to enter personal data of third parties or contents protected by national and international standards.

The data collected by the site during its operation are used exclusively for the purposes indicated above and kept for the time strictly necessary to carry out the activities specified. In any case, the data collected from the site will never be provided to third parties, for any reason, unless it is a legitimate request by the judicial authority and only in the cases provided by law. The data used for security purposes (block attempts to damage the site) are kept for 7 days.

If the site allows the inclusion of comments, or in the case of specific services requested by the user, the site automatically detects and records some identification data of the user, including the email address. These data are voluntarily provided by the user at the time of requesting service delivery. When visitors leave comments on the site, we collect the data shown in the comments form and also the visitor’s IP address and the browser’s user agent string to help detect spam. An anonymized string created by the Visitor’s email address (also called a hash) can be provided to the Gravatar service to see if it is being used. The privacy policy of the Gravatar service is available here: After approval of the comment, the profile image is visible to the public in the context of the comment. By inserting a comment or other information, the user expressly accepts the privacy policy and, in particular, agrees that the contents included are freely disseminated to third parties.

Should the visitor upload images to the website, it is advisable to avoid uploading images including embedded location data (EXIF GPS). Website visitors can download and extract any position data from images on the website.

By filling out the contact form for requesting information, the Visitor agrees to communicate his data to the Data Controller. The requested data could be:

  • general information (name and surname);
  • email address;
  • telephone number;
  • city of residence.

These data will be processed according to the methods expressed in this policy and used for the sole purpose expressed.

Personal data may be the subject of communication to the Institutions and Institutes for the fulfillment of legal obligations or judicial authorities to respond to their explicit requests. The Data Controller does not knowingly collect sensitive or judicial personal data through the Website. Sensitive Data, pursuant to art. 4 of the Code regarding the processing of personal data, include personal data suitable to reveal the racial and ethnic origin, religious beliefs, philosophical or otherwise, political opinions, membership of parties, trade unions, associations or organizations religious, philosophical, political or trade union, as well as personal data suitable to reveal the state of health and sexual life.

Judicial data, again pursuant to art. 4 of the Code, include personal data suitable for revealing the measures referred to in Article 3, paragraph 1, letters a) to o) and r) to u), of the D.P.R. November 14, 2002, n. 313, on the subject of criminal records, the register of administrative sanctions depending on the offense and the related pending charges, or the status of defendant or suspect under articles 60 and 61 of the criminal procedure code. We recommend that you do not provide such information through the Site. In the event that this is necessary (for example in the case of belonging to protected categories in case of sending a resume for recruitment purposes, in response to a job announcement or in in case of expression of interest to work in the Company) we invite you to send us a registered letter with the expression of your consent in writing to the processing of this information.

Please note that the Site may contain links (links) to other sites that are not governed by this Privacy Policy.

The data collected by the site are processed at the Seeweb web hosting data center. Web hosting, which is responsible for the processing of data, keeping data on behalf of the Owner, is located in the European Economic Area and acts in accordance with European standards.

The information and personal data of the Visitors collected from the Site, including the data freely provided in order to obtain the sending of informative material or other communications by writing in the form of the Site, will be kept for the sole purpose of providing the requested service and for the duration necessary for the same purpose. Once the service is complete, all personal data will be destroyed in compliance with the data retention policy, unless otherwise requested by the authority and unless required by law, or when indicated in this policy for particular sections of the portal.

Pursuant to European Regulation 679/2016 (GDPR) and national regulations, the User can, in accordance with the procedures and within the limits established by current legislation, exercise the following rights:

  • request confirmation of the existence of personal data concerning him / her (right of access);
  • to know its origin;
  • receive intelligible communication;
  • to have information about the logic, the methods and the purposes of the processing;
  • request the updating, rectification, integration, cancellation, transformation into anonymous form, blocking of data processed in violation of the law, including those no longer necessary for the pursuit of the purposes for which they were collected;
  • in cases of consent-based processing, receive only the cost of any support, its data provided to the holder, in a structured and readable form by a data processor and in a format commonly used by an electronic device;
  • the right to lodge a complaint with the Control Authority (Privacy Guarantor – link to the Guarantor page);
  • as well as, more generally, exercise all the rights that are recognized by the current provisions of the law.

Requests should be sent to the Data Controller at In the event that the data are processed on the basis of legitimate interests, the rights of data subjects are guaranteed (with the exception of the right to portability that is not provided for by the regulations), in particular the right to oppose the treatment that can be exercised by sending a request to the data controller.

This site processes the data of users in a lawful and correct manner, adopting the appropriate security measures to prevent unauthorized access, disclosure, modification or unauthorized destruction of data. Processing is carried out using IT and / or telematic tools, with organizational methods and with logic strictly related to the purposes indicated. In addition to the owner, in some cases, may have access to the data categories of employees involved in the organization of the site (administrative, commercial, marketing, legal, system administrators) or external subjects (as suppliers of third-party technical services, postal couriers, hosting providers, IT companies, communication agencies).

This site may share some of the data collected with services located outside the European Union area. In particular with Google, Facebook and Microsoft (LinkedIn) through social plugins and the Google Analytics service. The transfer is authorized on the basis of specific decisions of the European Union and the Guarantor for the protection of personal data, in particular Decision 1250/2016 (Privacy Shield – here the information page of the Italian Data Protection Authority), for which no further consent is required. The companies mentioned above guarantee their adherence to the Privacy Shield.

The web hosting Seeweb is appointed as data controller, keeping the data on behalf of the owner. Web hosting is located in the European Economic Area and acts in accordance with European standards. Google is appointed data controller, processing data on behalf of the Data Controller (Google Analytics).

This privacy policy is updated as of June 19, 2018.

Special offers
For unique stays
Discover more