Privacy Policy
Published on 07/05/2026
Anett Hotel, with registered office in Jaufenstraße 24, Ratschings (BZ) - 39040, Tax ID IT02731040214, (hereinafter "Data Controller" or "Controller") is constantly committed to protecting the online privacy of natural persons during the browsing and enjoyment of services on the website https://www.anett-hotel.com (hereinafter "Portal" or "Website").
This document describes all aspects related to the processing of Personal Data of users (hereinafter "Data Subjects") carried out through the Website, in compliance with the provisions of Art. 13 of Regulation (EU) no. 2016/679 (hereinafter "Regulation"). According to the rules of the Regulation, the processing carried out by the Controller through the Website shall be based on the principles of lawfulness, fairness, transparency, purpose limitation and storage limitation, data minimization, accuracy, integrity and confidentiality.
1. Data Controller
The Data Controller for the processing carried out through the Portal is Anett Hotel as defined above and can be contacted through the methods indicated in the "Contacts" section (see Art. 10).
2. Categories of Personal Data Processed
3. Processing Purposes
The Controller uses Personal Data collected through this Website for the following purposes:
4. Legal Basis of Processing
The processing of Personal Data is lawful by virtue of the following legal bases, as provided for in Art. 6 of the Regulation:
Performance of tasks in the public interest:
Art. 6(1)(e) of the Regulation – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
Consent:
Art. 6(1)(a) of the Regulation – The data subject has given consent to the processing of their personal data;
5. Processing Methods
Processing is carried out through manual and/or automatic methods, including through the use of information and computer technologies (e.g., CRM, management software and mailing list services), subject to the application of appropriate technical and organizational security measures to ensure the security, integrity and confidentiality of Personal Data, so as to minimize the risks of destruction, loss, unauthorized access, modification and unauthorized disclosure, in accordance with Articles 6 and 32 of the GDPR.
6. Transfer of Personal Data outside the EU/EEA
The Controller does not intend to transfer Personal Data outside the European Economic Area. However, should it become necessary to meet organizational/production needs (by way of non-exhaustive example, by using providers and/or cloud services that require the transfer of data abroad), adequate safeguards will be identified for the transfer of Personal Data to a Third Country, which depending on the circumstances may include: verification of the existence of adequacy decisions of the European Commission, execution of standard contractual clauses and/or binding corporate rules, verification of the adoption of any supplementary measures in implementation of Recommendation 01/2020 EDPB.
| Vendor Name | Description | Vendor Privacy Policy |
|---|---|---|
| https://www.facebook.com/policy/cookies | ||
| Google Advertising Products | https://business.safety.google/privacy/ | |
| Consisto | https://www.consisto.it/it/privacy-policy.html | |
| YouTube | https://policies.google.com/privacy | |
| Avacy CMP | https://jumpgroup.it/privacy-policy/ | |
| Google Adsense | https://policies.google.com/privacy | |
| Bing Ads | ||
| Microsoft Advertising | https://privacy.microsoft.com/privacystatement | |
| Crazy Egg | https://www.crazyegg.com/privacy | |
| Casale Media | https://casalemedia.com/ | |
| Microsoft Enhanced Conversions | https://privacy.microsoft.com/privacystatement | |
| Microsoft | https://privacy.microsoft.com/en-us/privacystatement |
7. Data Retention Periods
The Controller retains Personal Data only for the periods of time necessary to pursue the purposes indicated in this document, or for the timeframes provided for by specific regulations.
- Personal Data processed for the purpose of "Provision of the service" will be retained for a period not exceeding 10 years;
- Personal data processed for the purpose of "Payments and Billing" will be retained for a period not exceeding 10 years (art. 2220 c.c.)
- Personal Data processed for Direct Marketing purposes will be retained for a period not exceeding 2 years, or until the data subject revokes consent to processing.
- The duration of persistence of individual cookies is reported within the "Cookie Policy";
- Without prejudice to the possibility for the Controller to retain Personal Data for the period of time provided for and allowed by Italian law for the purposes of "Legal protection" of its interests (art. 2946 and 2947 c1, c.3 c.c.).
After the expiration of such retention periods, Personal Data will be deleted or made anonymous, if not retained for further purposes based on appropriate legal grounds.
8. Recipients
Personal Data collected by the Data Controller may be communicated or made accessible, for the execution of the purposes indicated above, to the following categories of subjects:
- Employees and collaborators who assist the Controller in processing operations, subject to express authorization for processing and possibly to the execution of confidentiality agreements;
- Subjects providing outsourcing services on behalf of the Controller, as Data Processors: cloud computing service providers, freelancers, companies or professional firms providing assistance and consulting activities to the Data Controller, or subjects delegated to carry out hosting and technical maintenance activities, including software maintenance, network equipment and electronic communication networks;
- Independent data controllers to whom the communication of data is necessary for the purposes of providing the service requested by the data subject.
- Independent data controllers in the pursuit of their own purposes (subject to consent from the data subject);
- Public authorities, in the event that such communication is required by law.
After the expiration of such retention periods, Personal Data will be deleted or made anonymous, if not retained for further purposes based on appropriate legal grounds.
9. Rights of the Data Subject
At any time, the Data Subject may access the information concerning them and request its rectification, deletion, restriction of processing, and portability. They may also object, in whole or in part, to the processing and have the right not to be subject to automated decision-making concerning natural persons, including profiling.
To exercise the rights referred to in Articles 15-22 of the GDPR, the Data Subject may contact the Data Controller in the manner indicated in the "Contacts" section (see art. 10). The Data Controller must respond to the request within 1 month, or communicate any delay in response in the case of numerous and/or complex requests (the extension cannot exceed 2 months in any case). In any case, the Data Subject always has the right to lodge a complaint with the competent Supervisory Authority (Data Protection Authority), pursuant to Article 77 of the Regulation, if they believe that the processing of their Personal Data is contrary to the applicable regulations.
Contacts
For further information about the processing of Personal Data carried out in execution of the contract, or to submit a request to exercise rights, it is possible to contact the Controller at the email address: info@anett-hotel.com
AI Kosmo
Privacy Information Clause
[X]. Processing of personal data through the KOSMO virtual assistant
An interactive virtual assistant chatbot is active on our website to assist you during navigation, provide information about our services, and answer your questions. This service is developed by AI KOSMO S.r.l., which acts as Data Processor pursuant to Article 28 of the GDPR, on the basis of a specific agreement governing its tasks and responsibilities. The Data Controller of the data you provide through the Chatbot remains anett-hotel.com
The Chatbot uses Large Language Model (LLM) artificial intelligence systems to understand your requests and provide relevant responses.
a. Categories of data processed
The processing concerns the following personal data:
· Data actively provided by the user: any information that you voluntarily type into the chat window, such as questions, requests for information, first name, last name, contact details, or stay preferences;
· Session-related technical data: IP address, browser type, operating system, and other technical data necessary to ensure the proper technical functioning of the chat;
· Conversation content: the full text of your interactions with the Chatbot.
b. Purposes and legal basis of the processing
Your personal data are processed for the following purposes:
· Provision of chat-based assistance and support services: to respond to your requests, assist you during navigation, and provide you with the necessary information about our services. The legal basis for this processing is the legitimate interest of the Data Controller in providing efficient and immediate customer support. In the case of pre-contractual requests (e.g. quotations, booking availability), the legal basis is the performance of pre-contractual measures.
· Service improvement and training of artificial intelligence algorithms: to analyse conversations (in aggregated and anonymised form where possible) in order to improve the accuracy of the Chatbot’s responses and the effectiveness of the service. The legal basis for this processing is the legitimate interest of the Data Controller and the Data Processor in improving the technology and the quality of the service offered, provided that your interests or fundamental rights and freedoms do not prevail.
The provision of data for purpose no. 1 is optional but necessary in order to use the Chatbot service. For purpose no. 2, you may object at any time, without prejudice to your ability to continue using the chat service.
c. Processing methods and security measures
The processing is carried out using IT and telematic tools. In accordance with the principles of data protection by design and by default (Article 25 GDPR), appropriate technical and organisational measures are adopted to ensure a level of security appropriate to the risk, including pseudonymisation or anonymisation of data where possible, especially for the purposes of training the algorithms.
d. Data retention period
Your personal data will be retained in accordance with the principle of storage limitation:
· For assistance purposes, conversation logs will be retained for the time strictly necessary to manage your request and, in any case, for a period not exceeding 6 months from the closure of the chat session, unless the emergence of a dispute justifies further retention.
· For algorithm training purposes, personal data will be retained in a form that allows your identification only for the time strictly necessary for analysis and extraction of information useful for improving the model, after which they will be irreversibly anonymised or deleted. In any case, this period will not exceed 90 days.
e. Data disclosure and transfers
The data collected through the Chatbot are processed by our provider AI KOSMO, appointed as Data Processor. AI KOSMO may use sub-processors (e.g. cloud service providers) for the provision of the service, in compliance with the obligations set out in Article 28 of the GDPR. The use of such services may involve the transfer of your personal data outside the European Economic Area (EEA). Such transfers will take place only where appropriate safeguards are in place, such as adequacy decisions of the European Commission or the execution of Standard Contractual Clauses.
f. Use of artificial intelligence systems
The Chatbot service makes use of artificial intelligence technologies, in particular LLMs. In line with the transparency principles set out in the European AI Act, the GDPR, and national Law No. 132/2025, we wish to provide you with the following information:
· Transparency obligation: we inform you that you are interacting with a system that uses AI components. This system has been designed to assist Hotel staff in interpreting and routing your requests.
· Operation and system logic: the AI system analyses the text of your requests in order to understand their content and purpose and to route them to the competent department.
· Human oversight and absence of automated decision-making: we guarantee that the AI system operates as a support tool for our staff. No decision producing legal effects or similarly significantly affecting you (pursuant to Article 22 GDPR) is taken in a solely automated manner. Any complex request, charge, or relevant decision is subject to review and validation by a human operator.
· Fairness and non-discrimination: AI systems have been developed and are periodically monitored to minimise the risk of errors and discriminatory effects, in line with best practices and regulatory requirements.
g. Data Subject rights in relation to the use of AI
In addition to the general rights provided for by the GDPR (access, erasure, restriction, portability, objection), we remind you that, in relation to the use of artificial intelligence systems, you are guaranteed specific rights, in line with the guidance of supervisory authorities:
· Right to rectification: if you find that the information generated by the Chatbot concerning you is inaccurate, you have the right to request its correction;
· Right to erasure: if the correction of inaccurate data is not technically possible, you have the right to obtain their erasure;
· Right to object: you may object at any time to the processing of your data for the purpose of algorithm training based on legitimate interest.
To exercise your rights, you may contact anett-hotel.com using the contact details provided in this privacy notice.
