Privacy Policy
Information notice on the processing of Personal Data for users and visitors of sirenusemare.com
pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR)
This notice is provided to inform users and visitors of the principles governing the use of personal data supplied when accessing our web services, with particular regard to privacy and confidentiality.
This page describes how the website sirenusemare.com operates with respect to the processing of personal data of users and visitors who browse it. It constitutes an information notice issued pursuant to Regulation (EU) 2016/679 (the “GDPR”) and in accordance with applicable data protection legislation, addressed to those who interact electronically with the services available on this website, accessible from the address www.sirenusemare.com.
This notice applies solely to the website sirenusemare.com and does not extend to any third-party websites accessible through links contained herein.
Data Controller and Place of Processing
The website sirenusemare.com is operated by:
- Le Sirenuse S.p.A., trading as Le Sirenuse Mare, VAT no. 02397010659, with registered office at Via San Sebastiano, 2, Positano (SA), Italy – Data Controller for all processing activities related to the management of services and requests submitted through this website. Le Sirenuse S.p.A. undertakes to ensure full compliance with applicable data protection legislation.
- The following third-party providers operate technical services in connection with this website:
- Positioner SA, Lugano, Centro Monda 3, 6528 Camorino, Switzerland, for the design, development and technical management of this website. Switzerland has been recognised by the European Commission as a country ensuring an adequate level of protection for personal data;
- iWay AG, headquartered in Zurich, Switzerland, for website hosting services; processing activities are limited exclusively to technical services. Switzerland has been recognised by the European Commission as a country ensuring an adequate level of protection for personal data;
- Klaviyo, Inc., 125 Summer Street, Boston, MA 02110, USA, provides the email delivery infrastructure used for the dispatch of newsletter communications and commercial messages. The management of subscriber lists, audience segmentation, and campaign contents is carried out by Positioner SA (Centro Monda 3, 6528 Camorino, Switzerland), acting as primary Data Processor on behalf of the Controller, which transmits to Klaviyo the data strictly necessary for message delivery. Klaviyo acts as sub-processor pursuant to Article 28(4) GDPR. Personal data processed by Klaviyo: email address, delivery metadata, open and click tracking data. Legal basis: explicit consent of the data subject (Article 6(1)(a) GDPR). Transfer to third country: guaranteed by Standard Contractual Clauses pursuant to Article 46 GDPR;
- Cloudflare, Inc., San Francisco (USA), for security and performance services (CDN/WAF) through which all site traffic transits – transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Article 46 GDPR;
- Meta Platforms Ireland Ltd, Dublin (Ireland) – the website incorporates content from the Instagram platform (@sirenusemare) for the display of the photographic gallery. This functionality results in the transmission of the user's IP address to Instagram's servers at the time the page loads, independently of any consent to advertising tracking. The legal basis for this processing is the legitimate interest of the Data Controller in presenting the site's content; users may object by disabling the loading of embedded content through their browser settings;
- Google LLC, Mountain View (USA), for web traffic analysis services (Google Analytics 4) and tag management (Google Tag Manager, deployed in server-side mode via Stape Inc.) – transfer to a third country is safeguarded by Standard Contractual Clauses pursuant to Article 46 GDPR. These services are activated exclusively upon the data subject's prior consent through the Cookiebot consent management mechanism. Stape Inc. acts as a sub-processor for the server-side tag management infrastructure.
Other parties that may require access to personal data held on this website may be appointed as Data Processors by the Controller. An up-to-date list of processors may be requested from the Data Controller.
Users and visitors are requested to read this notice carefully before submitting any personal information or completing any electronic form on the website. Browsing this website does not, in itself, constitute a legal basis for the processing of personal data pursuant to Article 6 GDPR. Processing activities that require the data subject's consent are carried out solely upon its prior collection in the manner prescribed by applicable legislation.
Purposes and Legal Basis of Processing
Personal data provided by users and visitors in connection with requests submitted or services used through this website are processed solely for the purpose of responding to such requests or delivering the requested service, and are shared with third parties only where strictly necessary. The legal basis for such processing is the need to fulfil a request made by the data subject or to provide a service specifically requested by the data subject (performance of pre-contractual or contractual measures taken at the request of the data subject – Article 6(1)(b) GDPR).
Where the user or visitor additionally provides their consent, data may also be used for commercial communication activities relating to services offered by the Controller and its affiliates. In such cases, the legal basis for processing is the freely given consent of the data subject (Article 6(1)(a) GDPR).
In all other cases, browsing data are processed to ensure the correct functioning of the website, on the basis of the legitimate interest of the Controller (Article 6(1)(f) GDPR). Any processing carried out using non-anonymised traffic analysis tools is performed exclusively on the basis of the data subject's prior consent.
Categories of Data Processed and Purposes of Processing
Data derived from browsing
The computer systems and software procedures underlying the operation of this website may, in the course of their normal functioning, collect certain personal data whose transmission is implicit in the use of internet communication protocols. This information is not gathered with the intent of associating it with identified individuals; however, by its very nature and through processing and cross-referencing with third-party data, it may enable the indirect identification of users (IP addresses, domain names of computers used to connect, operating system and browser details, timestamps, etc.). Such data may be used solely for statistical purposes in anonymous, aggregated form, and to monitor the proper functioning of the website. It is retained for a limited period, is not disclosed to third parties, and is shared only to the extent strictly necessary for the technical management of the service.
Data voluntarily provided by users and visitors
Where users and visitors voluntarily, explicitly and freely provide their personal data in order to submit requests, subscribe to the newsletter, or access services, such data will be collected and processed exclusively to fulfil the relevant request or deliver the requested service. Personal data provided by users and visitors may be communicated to third parties only where this is strictly necessary to respond to the relevant request.
With specific regard to the newsletter subscription form, the data collected (first name, last name, email address) will be used to send commercial and informational communications relating to Le Sirenuse Mare, Emporio Sirenuse and other services of the Le Sirenuse group, exclusively on the basis of the data subject's prior explicit consent. The data subject may withdraw consent at any time by using the unsubscribe link included in every communication.
Data relating to cookies and similar technologies
Cookies are small text strings that visited websites deposit on users' devices to enhance the browsing experience and, where applicable, to monitor usage patterns. Some cookies may be retransmitted to the same website on a subsequent visit by the same user, enabling recognition and improving site functionality. In the course of browsing a website, users may also receive on their device cookies sent by different websites or web servers (so-called “third-party” cookies).
sirenusemare.com uses session cookies to enable safe and efficient navigation of the website and to retain the user's language preference during the session. These cookies are not permanently stored on the device and are deleted when the session is closed.
Upon first accessing the website, users and visitors may express their consent to the installation of non-technical cookies, which are used exclusively upon receipt of such consent, and/or may view the Cookie Policy. Non-technical cookies – including profiling cookies and non-anonymised traffic analysis cookies – are installed and activated exclusively following the expression of the user's consent through the dedicated preference management mechanism provided by Cookiebot; in the absence of such consent, these tools remain disabled.
The full and up-to-date Cookie Policy, including the list of all cookies in use, their purposes, duration, and the identity of third-party providers, is managed through the Cookiebot consent management platform, accessible via the cookie preference centre available on the website.
Links to Third-Party Websites and Joint Controllership
The Controller reserves the right to use and/or present on its website services provided by third parties. With regard to the processing of personal data, such third-party websites may apply different and independent criteria. The Controller therefore disclaims any responsibility for the activities and content of any linked third-party websites.
The website links to the e-commerce section Emporio Sirenuse (emporiosirenuse.com), operated by Emporio Le Sirenuse S.r.l., a separate legal entity. The privacy policy of Emporio Sirenuse, available at www.emporiosirenuse.com, applies to all processing activities relating to browsing and purchases carried out on that platform. Solely with respect to commercial communication and marketing activities directed at users who have subscribed to the joint newsletter, Le Sirenuse S.p.A. and Emporio Le Sirenuse S.r.l. act as joint controllers pursuant to Article 26 GDPR, having entered into a joint controllership agreement. The legal basis for such processing is the data subject's explicit consent. Data subjects may exercise their rights against either joint controller; the primary point of contact is Le Sirenuse S.p.A., reachable at [email protected].
Reservation and Payment Data
Reservations at Le Sirenuse Mare are made by direct contact via email or telephone. In connection with its cancellation policy, Le Sirenuse Mare retains credit card details provided at the time of booking for the sole purpose of applying the cancellation fee set out in the booking confirmation (Euro 100.00 per person in the event of late cancellation or no-show). The legal basis for this processing is the performance of a contract (Article 6(1)(b) GDPR). Credit card data is processed exclusively through the payment provider and is not stored directly by the Controller beyond what is strictly necessary for the above purpose. The data subject will be informed of the specific terms at the time of booking.
Optional Nature of Data Provision
With the exception of browsing data as specified above, users and visitors are free to choose whether or not to provide their personal data. Failure to do so will result solely in the inability to obtain the requested service or to receive the newsletter communications.
Processing Methods and Retention
All processing is carried out by automated means (e.g. using electronic procedures and equipment) and/or manually (e.g. on paper) for the period strictly necessary to achieve the purposes for which the data were collected, and in any event in accordance with applicable legislative provisions.
In particular: browsing data are retained for a period not exceeding 7 days, save where retention is required in connection with the investigation of criminal offences; data voluntarily provided through the newsletter subscription form are retained until the data subject withdraws consent or, in any event, for no longer than 24 months from the last interaction, after which they are deleted or permanently anonymised; data relating to reservation requests and the associated cancellation policy are retained for 10 years in accordance with civil and fiscal obligations.
For processing carried out by third-party service providers acting as Data Processors (including Positioner SA, iWay AG, Klaviyo Inc. (acting as sub-processor), Cloudflare and Google LLC), retention periods are governed by the respective contractual arrangements and the privacy policies of the individual providers, to which reference is made.
Specific security measures are implemented to prevent the loss, unlawful or improper use of data, as well as any unauthorised access.
Rights of Data Subjects
Pursuant to Articles 15–22 of the GDPR, the data subject has the right, at any time and within the limits and conditions established by law, to obtain confirmation as to whether or not personal data relating to them are being processed and, if so, to obtain access to their data and to the following information:
- the purposes of the processing;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular where located in third countries or international organisations;
- the envisaged retention period for the personal data or, where this is not possible, the criteria used to determine that period;
- all available information as to the source of the data, where personal data have not been collected directly from the data subject;
- the existence of any automated decision-making process, including profiling.
The data subject also has the right to obtain, without undue delay, from the Data Controller:
- the rectification of inaccurate personal data;
- the completion of incomplete personal data, including by means of a supplementary statement;
- the erasure of their personal data (within the limits and cases provided for by applicable legislation);
- the restriction of processing;
- the right to object at any time to the processing of their personal data (Article 21 GDPR), where processing is based on the legitimate interest of the Controller or is carried out for direct marketing purposes;
- the right to withdraw consent at any time, without prejudice to the lawfulness of processing carried out prior to such withdrawal (Article 7 GDPR);
- the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11, 00187 Rome – www.garanteprivacy.it – PEC: [email protected].
The data subject further has the right to receive from the Data Controller the personal data concerning them in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance (portability, Article 20 GDPR), where technically feasible.
Relevant requests should be addressed directly to the Data Controller at the e-mail address [email protected]. Data subjects may also contact the Data Protection Officer directly at [email protected].
This document, published at www.sirenusemare.com, constitutes the Privacy Policy of this website and may be updated periodically. The use of information collected is subject to the policy in effect at the time of use.
Last updated: April 2026
© Le Sirenuse Mare 2026
Le Sirenuse S.P.A. Sede Legale: Via San Sebastiano 2, 84017 Positano (SA) Partita IVA: 02397010659 Numero REA: 221079
