Last updated: 17 July 2026
This policy describes how personal data of users who visit the website mabellguesthouse.com, request information, or make a booking with Mabell Guest House are collected and processed.
1. Data controller
The Data Controller is:
Mabell Viola
Località Pantano
Strada Aurelia Bagni Sant’Agostino 7A
00053 Civitavecchia (RM)
VAT no. 13397901003
Phone: +39 339 448 7494
Email: mabellviola2018@gmail.com
2. Categories of personal data processed
Through the website, the following categories of data may be collected:
- first name and last name;
- email address;
- phone number;
- residential or billing address, when necessary;
- information related to the guests included in the booking;
- date of arrival and departure;
- number of guests and preferences related to the stay;
- information voluntarily provided in the website forms;
- data necessary for issuing receipts or invoices;
- information related to the booking and payment;
- IP address, browser type, device used, and technical browsing data;
- any communications sent via email or WhatsApp.
The full payment card details are not stored directly by Mabell Guest House. Online payments are handled via Stripe, which processes payment data according to its own terms and privacy notices.
3. Purposes and legal bases for processing
Requests for information
Data sent through the contact form, via email, phone, or WhatsApp are used to respond to the user’s requests.
The legal basis is the performance of pre-contractual measures requested by the data subject.
Bookings and management of the stay
The data provided during booking are processed for:
- checking room availability;
- recording and confirming the booking;
- processing payment;
- communicating with the customer;
- organising check-in and check-out;
- providing the requested services;
- handling any changes, cancellations, or refunds.
The legal basis is the performance of the accommodation contract and the pre-contractual measures requested by the user.
Administrative, tax, and public-safety obligations
The data may be processed to comply with obligations set out under tax, accounting, administrative, and public-safety regulations, including the communication of guest data to the competent authorities.
The legal basis is compliance with legal obligations to which the Data Controller is subject.
Online payments
The data necessary for payment are transmitted to Stripe to authorise and manage the transaction, prevent fraud, process any refunds, and comply with the regulatory obligations applicable to payment services.
The legal basis is the performance of the contract and, for some activities carried out by the payment service provider, compliance with legal obligations or the pursuit of a legitimate interest in the security of transactions.
Site security and operation
Technical browsing data are processed to ensure the proper functioning of the website, prevent unauthorised access, fraud, cyberattacks, and malfunctions.
The legal basis is the Data Controller’s legitimate interest in ensuring the security of the website and its systems.
Google Maps
The website may display an interactive map provided by Google Maps. The service is activated only after the user’s consent, when requested.
Google may collect technical data, IP address, device information, and data related to interaction with the map.
The legal basis is the user’s consent, which may be withdrawn at any time through the cookie management panel.
The website may include a link or a button to contact the property via WhatsApp.
When the user uses WhatsApp, the data are also processed by the service provider according to its own privacy policy. Mabell Guest House uses the information received exclusively to respond to the request, manage the booking, or provide assistance related to the stay.
4. Nature of data provision
Providing the data marked as mandatory in the booking forms is necessary to complete and manage the booking.
Failure to provide such data may make it impossible to confirm the stay or provide the requested service.
Providing data in the contact forms is optional; however, without the necessary information it may not be possible to respond to the request.
5. How processing is carried out
Personal data are processed using IT tools and, when necessary, in paper form.
The Data Controller adopts appropriate technical and organisational measures to protect data against loss, unlawful use, unauthorised access, alteration, or disclosure.
Access to data is permitted only to persons who need it in order to carry out their duties.
6. Data recipients
Within the limits strictly necessary, data may be disclosed to:
- hosting and website maintenance providers;
- developers and technicians appointed to manage the platform;
- Stripe and other parties involved in payment management;
- tax, accounting, or legal consultants;
- IT and communication service providers;
- email service providers;
- Google, in case the map is used;
- WhatsApp and the companies of its group, when the user chooses to use this channel;
- public authorities, law enforcement agencies, and other entities to which disclosure is mandatory by law.
Providers that process data on behalf of the Data Controller are appointed as data processors when required by law.
7. Transfers of data outside the European Economic Area
Some providers, including Google, Stripe, and WhatsApp, may process personal data also outside the European Economic Area.
In such cases, the transfer takes place based on the tools provided for by the GDPR, such as adequacy decisions, standard contractual clauses, or other guarantees recognised by the applicable regulations.
8. Retention period
Data are kept for the time necessary to achieve the purposes for which they were collected.
In particular:
- requests for information are kept for the time necessary to respond and, as a rule, no longer than 12 months from the end of the communication;
- booking data are kept for the duration of the contractual relationship and afterwards for the period required by tax, accounting, and administrative regulations;
- tax documents are kept for the terms set by law, normally for at least 10 years;
- data necessary to handle complaints or disputes may be kept until the end of the relevant limitation periods;
- technical data and security logs are kept for the strictly necessary period to protect the website;
- cookie preferences are kept for the period indicated in the Cookie Policy.
9. Data subject rights
Where applicable, the data subject may exercise the following rights:
- obtain confirmation as to whether or not personal data concerning them are being processed;
- access their data;
- request the rectification or update of them;
- request erasure of them;
- obtain restriction of processing;
- object to processing based on legitimate interest;
- receive the data in a structured, commonly used, machine-readable format;
- withdraw consent previously given, without affecting the lawfulness of processing carried out before withdrawal;
- lodge a complaint with the Data Protection Authority (Garante) for the protection of personal data.
Requests may be sent to:
The Data Controller may request the information necessary to verify the applicant’s identity.
10. Third-party data provided by the user
Anyone making a booking for other people declares that they are authorised to share the relevant personal data and undertakes to inform the other guests about the contents of this Privacy Policy.
11. Minors
The website services are not intended for the independent collection of data by minors.
Bookings must be made by adults. The data of minors staying at the property may be collected by the parent, guardian, or another responsible adult, exclusively for booking management and for fulfilment of requirements set out by law.
12. Links to external services
The website may include links to websites or services managed by third parties.
Mabell Guest House does not control how such parties process personal data. The user is invited to consult the respective privacy notices before using these services.
13. Changes to the Privacy Policy
This notice may be updated following changes in laws, technology, or organisational measures.
The updated version will be published on this page with the date of last update indicated.
