PRIVACY & COOKIE POLICY

Privacy Notice – Article 13 of Regulation (EU) 2016/679

Aries Group S.r.l.
Via Lampedusa 11/A – 20141 Milan (MI), Italy

Data Controller email address: privacy@ariesgroup.it

 

Introduction

Pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter, the “GDPR”), we hereby inform you that the personal data relating to you (“Personal Data”) are processed by ARIES GROUP S.R.L., VAT no. and Tax Code 11337310962, REA MI – 2595814, with registered office in Milan, Via Lampedusa 11/A (“Aries” or the “Company”), acting as Data Controller pursuant to Article 4 GDPR (“Controller”), in accordance with this Privacy Notice (“Privacy Notice”).

 

Categories of Personal Data Processed

Depending on the circumstances, Aries may process the following Personal Data:

  • Identification data (first name, last name, date of birth, gender, tax code, nationality, identification document details such as passport or ID card);

  • Contact details (email address, postal address, telephone number);

  • Browsing data collected via cookies installed on electronic devices (computer, smartphone, tablet, etc.). For further details, please refer to the Cookie Policy available on this page;

  • Banking details necessary for the management of the contractual relationship.

 

Purposes of Processing, Legal Basis and Retention Period

Below are the purposes of processing, the relevant legal bases, and the applicable retention periods.

(1) Purchase and Provision of Services

Personal Data are processed to enable the booking and purchase of accommodation and hospitality services offered by the Company, as well as additional services connected with hotel activities (e.g., spa and wellness services, sports activities, corporate events such as conferences, symposiums, presentations, etc.) (“Services”).

Bookings and data collection may occur:

  • via the Company’s website;

  • via booking platforms (e.g., Booking);

  • by telephone;

  • in person at the hotel reception.

Legal basis: Performance of a contract or pre-contractual measures pursuant to Article 6(1)(b) GDPR.
Retention period: For the duration necessary to perform the contract and for an additional 10 years for administrative, accounting and tax compliance purposes.

(2) Management of Requests

Personal Data provided through the website, email, telephone or reception desk are processed to respond to information requests.

Legal basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR).
Retention period: For the time necessary to handle the request; thereafter anonymised, without prejudice to statutory retention obligations.

(3) Compliance with Legal Obligations

Personal Data are processed to comply with legal obligations related to hotel activities, including public security regulations (e.g., Italian Consolidated Public Security Laws – Royal Decree 773/1931).

Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR).
Retention period: As required by applicable law.

(4) Civil, Tax and Administrative Compliance

Processing for civil, tax, accounting and administrative obligations connected with the Services.

Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR).
Retention period: As required by applicable law.

(5) Marketing Activities

Subject to your prior explicit consent, Personal Data may be processed to send commercial communications, promotional activities, offers, discounts and newsletters via automated means (email, SMS, messaging systems such as WhatsApp, social networks) and traditional means.

Legal basis: Consent pursuant to Articles 6(1)(a) and 7 GDPR.
Retention period: Maximum 24 months, unless consent is withdrawn earlier.

(6) Soft Spam (Art. 130(4) Italian Privacy Code)

Without requiring consent, the Company may send promotional emails regarding services similar to those already purchased.

Legal basis: Article 130(4) of Italian Legislative Decree 196/2003.
Retention period: Maximum 24 months, unless you object.

You may object at any time by writing to privacy@ariesgroup.it or by following the unsubscribe instructions in communications received.

(7) Customer Satisfaction

Surveys and communications to assess customer satisfaction.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
Retention period: No longer than 24 months.

(8) Anonymous Analysis

After anonymisation, purchase and interaction data may be used for internal analysis and service improvement.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
Once anonymised, data are no longer personal data and may be retained without time limits.

(9) Protection of the Controller’s Rights

Processing necessary to establish, exercise or defend legal claims.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
Retention period: For the time strictly necessary to protect the Controller’s rights.

After the above retention periods, Personal Data will be deleted or anonymised.

Provision of Data

Fields marked with an asterisk (*) are mandatory for contract conclusion and execution. Failure to provide such data may prevent the establishment or proper performance of the contractual relationship.

Processing Methods

Personal Data are processed lawfully, fairly and transparently, in accordance with GDPR principles, using manual and electronic means suitable to ensure confidentiality and security.

Access is restricted to duly authorised personnel.

Recipients of Personal Data

Personal Data may be processed by employees and collaborators authorised by the Controller.

Data may be disclosed to third parties strictly necessary for the purposes indicated, including:

  • Legal, administrative and accounting advisors;

  • Marketing and communication consultants;

  • CRM providers;

  • IT service providers;

  • Banks and insurance companies;

  • Auditors.

Where they act on behalf of the Controller, they are appointed as Data Processors under Article 28 GDPR. In other cases, they act as independent Data Controllers.

Personal Data may also be disclosed to public authorities where required by law.

International Data Transfers

Where necessary, Personal Data may be transferred outside the EU:

  • Based on an adequacy decision of the European Commission;

  • Under Standard Contractual Clauses (SCCs) with supplementary safeguards where required;

  • Under other appropriate safeguards pursuant to Article 46 GDPR.

Data Subject Rights

Pursuant to Articles 15–22 GDPR, you may:

  • Access your Personal Data;

  • Obtain a copy;

  • Request rectification or erasure;

  • Restrict processing;

  • Object to processing;

  • Exercise data portability rights;

  • Withdraw consent at any time (where processing is based on consent).

You may lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali):
https://www.garanteprivacy.it

How to Exercise Your Rights

Requests may be sent to:

privacy@ariesgroup.it
or
Aries Group S.r.l.
Via Lampedusa 11/A
20141 Milan (MI), Italy

Privacy Notice last updated: September 2025