Last updated: 25 June 2026
Information notice on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR") and of Italian Legislative Decree no. 196 of 30 June 2003, as amended by Italian Legislative Decree no. 101 of 10 August 2018 (the "Privacy Code").
1. Data controller
The data controller of the personal data is Propertize S.r.l. (the "Controller" or "Propertize"), with registered office at Piazza della Repubblica 19, 20124 Milan (MI), Italy, tax code and VAT no. 13393170967, registered with the Milan Companies Register, REA no. MI-2720595.
Contacts for the exercise of rights and data protection requests:
- Email: info@propertize.it
- Certified email (PEC): propertize@pec.it
- Postal address: as above
2. Data Protection Officer (DPO)
Following an internal assessment under Article 37 of Regulation (EU) 2016/679, the Controller does not fall within the cases requiring the mandatory appointment of a Data Protection Officer. Any data protection requests may be sent to the Controller's contacts set out in paragraph 1.
3. Categories of data processed, purposes, legal bases and retention periods
The Controller processes the following categories of personal data. For each, the purpose, the legal basis under Article 6 GDPR and the retention period are indicated.
3.1 Data for the conclusion and performance of the short-term rental agreement
Categories of data: first name, surname, date and place of birth, address of residence, telephone and email contacts, identity document details (type, number, issuing authority, date of issue and expiry), payment data (Propertize does not retain full card data, which is handled directly by the payment service provider), data relating to the stay (dates, number of occupants, any special requests).
Purpose: conclusion and performance of the rental agreement, booking management, service communications (confirmation, check-in instructions, support during the stay), invoicing and accounting, return of the security deposit, handling of any disputes and litigation, debt recovery.
Legal basis: Article 6(1)(b) GDPR (performance of a contract to which the data subject is party, or pre-contractual measures); Article 6(1)(c) GDPR for tax and accounting obligations.
Retention period: for the duration of the contractual relationship and thereafter for ten years from the last performance of a booking, in compliance with the obligation to retain accounting records under Article 2220 of the Italian Civil Code, Article 39 of Italian Presidential Decree no. 633 of 26 October 1972, and Article 22 of Italian Presidential Decree no. 600 of 29 September 1973.
3.2 Data for compliance with public security obligations (Alloggiati Web)
Categories of data: identification data of adult guests and of the head of household/group, type and number of the identity document, image of the document (acquired for online pre-check-in and for in-person verification at check-in).
Purpose: communication to the territorially competent Police Headquarters (Questure) pursuant to Article 109 of Italian Royal Decree no. 773 of 18 June 1931 (TULPS), Article 19-bis of Italian Decree-Law no. 113 of 4 October 2018 converted by Law no. 132 of 1 December 2018, and the Ministry of the Interior Decree of 7 January 2013 as amended by the Decree of 16 September 2021. Transmission takes place via the State Police "Alloggiati Web" portal.
Legal basis: Article 6(1)(c) GDPR (legal obligation to which the Controller is subject). Provision is mandatory: in its absence, the Controller and the Owner are required to refuse accommodation.
Retention period:
(a) the transmission receipts generated by the Alloggiati Web portal are retained for five years from transmission, as proof of compliance and available to the authorities (State Police FAQ; Italian Data Protection Authority measure, web doc. no. 9690786 of 8 July 2021);
(b) the raw data of the identity documents (images and extracted data) are not retained by the Controller beyond the time strictly necessary for transmission via the portal and the generation of the receipt, and are deleted within 24 hours of transmission, in compliance with the data minimisation principle under Article 5(1)(c) GDPR and with the clarification note of the Italian Data Protection Authority of 29 April 2026 (web doc. no. 10244289) on the processing of identity documents of guests of hotels and other accommodation facilities.
3.3 Data for registration and access to the reserved area
Categories of data: email, password (in hashed form), service preferences, booking history.
Purpose: management of the user account to view bookings, history and preferences.
Legal basis: Article 6(1)(b) GDPR.
Retention period: until the account is deleted by the user or for inactivity exceeding three years from the last access.
3.4 Browsing data and cookies
Categories of data: IP address, browser and device identifier, pages visited, session duration, and any other data collected through cookies and tracking tools.
Purpose: technical operation of the Site, IT security, statistical analysis and traffic measurement subject to consent, and possibly targeted marketing where the user has given consent.
Legal bases: Article 6(1)(f) GDPR (legitimate interest of the Controller for operation and security purposes); Article 6(1)(a) GDPR (consent) for third-party analytics and profiling cookies, pursuant to Article 122 of the Privacy Code and to the Guidelines of the Italian Data Protection Authority of 10 June 2021, measure no. 231, web doc. no. 9677876, published in the Italian Official Gazette no. 163 of 9 July 2021.
Retention period: please refer to the Cookie Policy for the detailed list of cookies and their duration.
Traffic statistics and measurement (PostHog): to analyse the Site's performance and reconstruct sessions and browsing journeys across the pages and subdomains of Propertize, the Controller uses PostHog, with data hosted on infrastructure located in the European Union (Frankfurt). The tool is activated only with the user's prior consent, collected through the dedicated banner, and involves storing a pseudonymous, persistent identifier on the device; no name, email or other contact data is processed for statistical purposes. Legal basis: Article 6(1)(a) GDPR (consent), pursuant to Article 122 of the Privacy Code. Consent may be withdrawn at any time and, until it is given, PostHog stays disabled and collects no data. Details, the list of individual cookies and their duration are in the Cookie Policy.
3.5 Data for direct marketing activities (newsletter, promotions)
Categories of data: email, name (if provided), content preferences.
Purpose: sending newsletters, commercial offers and promotional communications about the Controller's products and services.
Legal basis: Article 6(1)(a) GDPR (the data subject's explicit and specific consent), separate for each marketing purpose. Where the conditions are met, Article 130(4) of the Privacy Code also applies, on soft opt-in towards existing customers, limited to email communications for products and services similar to those already purchased, with the option of simple objection in every communication.
Retention period: until consent is withdrawn or the processing is objected to. Periodic interest check every twenty-four months: in the absence of interaction in that period, the data is deleted or anonymised.
3.6 Profiling data
Categories of data: booking history, destination and accommodation-type preferences, data on interaction with emails and the Site.
Purpose: profiling aimed at personalised offers.
Legal basis: Article 6(1)(a) GDPR (specific consent, separate from the marketing consent).
Retention period: until consent is withdrawn.
3.7 Data for handling information requests and contacts
Categories of data: name, email, telephone, content of the request.
Purpose: responding to requests received via the contact form, WhatsApp, email or telephone.
Legal basis: Article 6(1)(b) GDPR (pre-contractual measures at the data subject's request).
Retention period: twelve months from the closure of the request, unless the request develops into a contractual relationship (in which case the periods in paragraph 3.1 apply).
3.8 Data for handling reviews and feedback
Categories of data: name (possibly abbreviated), date of the stay, content of the review.
Purpose: publication of reviews with authorisation, handling of feedback to improve services.
Legal basis: Article 6(1)(a) GDPR (the data subject's consent for publication); Article 6(1)(f) GDPR (legitimate interest) for internal analysis purposes.
Retention period: five years from publication, unless removal is requested.
3.9 Source of the data (data collected from third parties)
When a booking is made through an intermediation platform (OTA), the Controller receives the personal data of the Client and of the participants in the stay directly from the platform and not from the data subject. The following is specified pursuant to Article 14 of Regulation (EU) 2016/679.
Source of the data: tourism intermediation platforms (for example Airbnb, Booking.com, Vrbo/Expedia, HomeToGo) and, where relevant, the Owner of the property.
Categories of data received: personal and contact data (first name, surname, email, telephone), booking data (dates of the stay, property, number of guests) and any further information transmitted by the platform and necessary for the performance of the stay.
Purpose and legal basis: performance of the short-term rental agreement and related obligations, pursuant to Article 6(1)(b) and (c) GDPR, on the terms set out in paragraphs 3.1 and 3.2.
4. Special categories of data
The Controller does not habitually process special categories of personal data under Article 9 GDPR (data concerning health, ethnic origin, religious beliefs, sexual orientation, etc.). Should the data subject spontaneously communicate such data (for example: requests connected to disability, allergies, particular dietary needs), the processing is based on explicit consent under Article 9(2)(a) GDPR or on the performance of the contract under Article 6(1)(b) GDPR, limited to what is strictly necessary to accommodate the reported need.
5. Mandatory or optional provision
The provision of the data referred to in paragraphs 3.1, 3.2 and 3.3 is necessary for the conclusion and performance of the contract and for compliance with legal obligations. In its absence, the Controller cannot provide the requested service.
The provision of the data referred to in paragraphs 3.5, 3.6 and 3.8 is optional: refusal does not affect the provision of essential services but prevents the delivery of the related features.
6. Automated decision-making and profiling (Article 22 GDPR)
The Controller does not carry out solely automated decisions producing significant legal effects on the data subject within the meaning of Article 22 GDPR. The profiling referred to in paragraph 3.6, where activated with consent, is aimed solely at personalising commercial content and does not affect decisions relevant to the data subject's rights.
7. Recipients and categories of recipients
Personal data may be disclosed to the following parties, each within the limits of their functions and in compliance with the GDPR:
7.1 Internal parties
Employees, collaborators and directors of the Controller, duly authorised to process the data and trained pursuant to Articles 29 and 32(4) GDPR.
7.2 External processors (Article 28 GDPR)
Service providers that process data on behalf of the Controller, appointed by a specific data processing agreement (DPA) pursuant to Article 28 GDPR. Main categories and providers:
(a) PMS and Channel Manager platform: Avantio S.L.U. (Spain, EU), for the management of the booking system on booking.propertize.it, the PMS, the Channel Manager and transmission to Alloggiati Web;
(b) Hosting of the institutional website and company email: Hostinger International Ltd. (EU);
(c) Hosting of internal applications and databases: Railway Corp. (USA);
(d) DNS, CDN and perimeter security: Cloudflare Inc. (USA);
(e) Productivity and collaboration: Google Ireland Ltd. (Ireland, EU) for Google Workspace (Gmail, Drive, Sheets);
(f) Payment provider: Stripe Payments Europe Ltd. (Ireland, EU);
(g) Newsletter and email marketing: The Rocket Science Group LLC d/b/a Mailchimp (USA);
(h) CRM and project management: ClickUp Inc. (USA);
(i) Internal operational communications: Telegram FZ-LLC (United Arab Emirates), for the team's internal notification and operational management channels;
(j) AI voice agent: Retell AI Inc. (USA), for the management of automated calls;
(k) Large language model (LLM) providers: Anthropic PBC (USA), OpenAI Ireland Ltd. (Ireland, EU), Groq Inc. (USA);
(l) Tourist tax management: PayTourist S.r.l. (Italy);
(m) Cleaning, maintenance and reception service providers: limited to the data strictly necessary (e.g. Client name, date and time of check-in/out);
(n) Professional advisers: accountant, labour consultant, lawyer, acting as autonomous controllers or processors depending on the nature of the relationship;
(o) Site traffic statistics and measurement: PostHog Inc. (USA), for the analysis of sessions, browsing journeys and funnels on the institutional Site and on the subdomains of Propertize, subject to the user's consent, with data hosted on infrastructure located in the European Union (Frankfurt, Germany).
The updated list of processors and any sub-processors is available on written request to the Controller.
7.3 Autonomous controllers
Parties that process the data for their own purposes, to which Propertize transmits data in the course of its activity:
(a) OTAs: Airbnb Ireland UC, Booking.com B.V. (Netherlands), Vrbo / Expedia Group Inc., HomeToGo SE and other intermediation platforms that autonomously manage the relationship with the Client under their own terms;
(b) Owner of the Property: to the extent necessary for the performance of the Contract and any claim for damages;
(c) Public authorities: Police Headquarters (Alloggiati Web), the Italian Revenue Agency (Single Certification and tax returns), Municipalities (tourist tax), and the judicial authority upon reasoned request.
8. Transfers outside the EU
Some of the Controller's processors and providers are located in the United States or in other third countries with respect to the European Economic Area. Such transfers take place on the basis of the safeguards provided for in Chapter V of the GDPR, identified for each recipient as follows.
(a) EU-US adequacy decision "Data Privacy Framework" (DPF), Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, for certified US providers listed in the official register. Currently included are: Cloudflare Inc. and The Rocket Science Group LLC (Mailchimp). The validity of the decision was confirmed by the General Court of the European Union by judgment of 3 September 2025, Case T-553/23 (Latombe v Commission). Each provider's certification can be verified in the official list at dataprivacyframework.gov.
(b) Standard Contractual Clauses (SCC) of the EU Commission, Implementing Decision (EU) 2021/914 of 4 June 2021, with any supplementary measures pursuant to CJEU judgment C-311/18 of 16 July 2020 (Schrems II), for US providers not covered by an adequacy decision. Included are: Anthropic PBC, Groq Inc., ClickUp Inc., Retell AI Inc., Railway Corp. and PostHog Inc. (whose Site-related data is nonetheless hosted on infrastructure located in the European Union, Frankfurt).
(c) For Telegram FZ-LLC (United Arab Emirates), used exclusively for the team's internal operational communications, the transfer takes place on the basis of the Standard Contractual Clauses where available and, failing that, the derogations under Article 49 GDPR, limited to strictly necessary data and excluding special categories of data.
Providers based in the European Union or the European Economic Area (for example Avantio S.L.U. in Spain, Hostinger International Ltd., Google Ireland Ltd., Stripe Payments Europe Ltd., OpenAI Ireland Ltd.) do not entail a transfer of data outside the European Economic Area. At the data subject's request, the Controller provides a copy of the safeguards adopted or instructions on how to obtain them.
9. Rights of the data subject (Articles 15-22 GDPR)
The data subject has the right to:
(a) access their personal data (Article 15 GDPR);
(b) rectification of inaccurate data or completion of incomplete data (Article 16);
(c) erasure ("right to be forgotten"), where the conditions are met (Article 17);
(d) restriction of processing, where the conditions are met (Article 18);
(e) objection to processing, in particular for direct marketing purposes (Article 21);
(f) portability of the data provided, in a structured, commonly used and machine-readable format (Article 20);
(g) withdrawal of consent given, at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR);
(h) not to be subject to a decision based solely on automated processing (Article 22 GDPR).
Requests may be sent to the Controller's contacts indicated in paragraph 1. The Controller responds without undue delay and in any case within one month of the request (extendable by a further two months in complex cases, with a reasoned communication). The response is free of charge save for manifestly unfounded or excessive requests (Article 12 GDPR).
10. Complaint to the Supervisory Authority
The data subject has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11, 00187 Rome, email protocollo@gpdp.it, PEC protocollo@pec.gpdp.it, website www.garanteprivacy.it, pursuant to Article 77 GDPR, without prejudice to any other form of redress under Articles 78-79 GDPR.
11. Security measures
The Controller adopts technical and organisational measures appropriate to the risk pursuant to Article 32 of Regulation (EU) 2016/679, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The measures adopted, periodically reviewed in line with technological developments and risks, are aimed at ensuring the confidentiality, integrity, availability and resilience of the processing systems and services. The processors referred to in paragraph 7.2 are selected on the basis of the sufficient guarantees required by Article 28(1) GDPR.
In the event of a personal data breach, the Controller fulfils the obligations under Articles 33 and 34 GDPR, including notification to the Italian Data Protection Authority within 72 hours where the legal conditions are met, and communication to the data subjects where the risk is high.
12. Changes
This Privacy Policy may be updated. Changes are published on the Site with an indication of the update date. For substantial changes, specific notice will be given to registered data subjects.
13. Contacts
For any data protection request:
- Email: info@propertize.it
- Certified email (PEC): propertize@pec.it
The legally binding version of this document is the Italian one.