Privacy Policy
Last updated: May 2025 · Version 1.0This privacy notice is provided pursuant to art. 13 of Regulation (EU) 2016/679 of the European Parliament and Council (hereafter "GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (Italian Privacy Code).
1. Data controller
The controller of personal data collected through this website is:
- Business name: L'800 Locanda a Palazzo
- Address: Via Calavecchia 53, 87032 Amantea (CS), Italy
- VAT: 03906130780
- Email: info@l800.it
- Phone: +39 0982 428262
2. Types of data processed
2.1 Data provided voluntarily
When you use the contact or booking forms on this site, you voluntarily provide personal data such as name, phone number, email address, and other information included in your message (e.g. preferred date, number of guests, special requests). This data is sent via WhatsApp to +39 0982 428262 and is not stored by the website.
2.2 Gift voucher purchase data
When you purchase a gift voucher through the dedicated page, the data needed to complete the transaction (name, email address, payment details) is processed by PayPal (Europe) S.à r.l. et Cie, S.C.A. as an independent data controller. The site receives only payment confirmation and the data necessary to send the voucher by email (handled by Resend Inc.).
2.3 Browsing data
The IT systems and software procedures used to operate the site acquire, during their normal operation, certain data whose transmission is implicit in the use of internet protocols (IP address, browser type, operating system, date and time of request, etc.). This data is used only to obtain anonymous statistical information on the use of the site and is not associated with identified users.
2.4 Cookies and tracking technologies
The site uses cookies and third-party technologies. For detailed information, please refer to the Cookie Policy.
3. Purposes and legal basis for processing
| Purpose | Legal basis |
|---|---|
| Handling booking and contact requests | Art. 6(1)(b) GDPR — performance of pre-contractual measures |
| Processing gift voucher purchases | Art. 6(1)(b) GDPR — performance of the contract |
| Tax and accounting obligations | Art. 6(1)(c) GDPR — legal obligation |
| Necessary technical cookies | Art. 6(1)(f) GDPR — legitimate interest |
| Profiling and non-essential third-party cookies | Art. 6(1)(a) GDPR — data subject's consent |
4. Data processors (sub-processors)
In delivering its services, the Controller relies on the following parties who process data on its behalf:
- Cloudflare Pages (Cloudflare Inc., USA) — website hosting. Adequacy: EU-US Data Privacy Framework.
- Resend Inc. (USA) — transactional email delivery (gift voucher purchase confirmation). Adequacy: standard contractual clauses.
- PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) — payment processing. Authorised by the CSSF.
- WhatsApp Ireland Limited (Ireland/Meta Platforms) — communication channel for bookings. The user is redirected to the WhatsApp application.
5. Data transfers outside the EU
Some service providers are based or have infrastructure outside the European Economic Area (EEA), particularly in the United States. Transfers are carried out in accordance with Chapter V of the GDPR, in the presence of:
- European Commission adequacy decision (e.g. EU-US Data Privacy Framework);
- Standard Contractual Clauses approved by the European Commission.
6. Data retention period
Personal data is kept only for as long as strictly necessary for the purposes for which it was collected:
- WhatsApp booking data: in the user's WhatsApp chat history, subject to WhatsApp/Meta policies.
- Purchase data: 10 years for tax and accounting purposes (art. 2220 Italian Civil Code).
- Transactional emails (gift vouchers): 12 months from the issue date.
- Browsing data: maximum 30 days.
7. Data subject's rights
Pursuant to articles 15–22 of the GDPR, the data subject has the right to:
- Access (art. 15): obtain confirmation of processing and a copy of the data;
- Rectification (art. 16): correct inaccurate or incomplete data;
- Erasure (art. 17): request deletion of data ("right to be forgotten");
- Restriction (art. 18): restrict processing in certain cases;
- Portability (art. 20): receive the data in a structured and readable format;
- Objection (art. 21): object to processing based on legitimate interest;
- Withdrawal of consent: withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise these rights, the data subject can contact the Controller at info@l800.it. The Controller will respond within 30 days of receiving the request.
8. Right to lodge a complaint
The data subject has the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it), Piazza Venezia 11, 00187 Rome, Italy, if they believe that the processing of their personal data violates the GDPR.
9. Changes to this privacy notice
The Controller reserves the right to amend this privacy notice at any time. Changes will take effect from the date of publication on the site. Users are encouraged to consult this page periodically.