PERSONAL DATA PROCESSING POLICY

pursuant to Articles 13–14 of EU Regulation 2016/679 (the GDPR)

This Policy clearly and transparently describes how we process the personal data of the users who browse the plushostels.com website or use the digital services available therein. It therefore applies to all data collection and management activities that occur when the user accesses our pages, consults the information sections or interacts with the tools made available on the website. This Policy does not concern any of the information collected through other methods and/or websites that can be accessed via the links on our portals, which are covered by specific policies. 

This Policy is amended, supplemented or updated periodically, including in consideration of any changes in the applicable legislation or provisions of the Data Protection Authority and/or the European Data Protection Board. Changes and updates to the Policy will be brought to the attention of data subjects by updating the link to the Privacy Policy in the footer and/or in other specific sections of the website. Data subjects are therefore invited to regularly consult this Policy to understand the latest updated version, ensuring that they are always informed about the methods of collection and processing of their personal data. 

  1. Data Controllers

The Data Controller is hu Openair S.r.l. (hereinafter, also referred to as the "Data Controller" or "the Company"), with its registered office at Via Generale C. A. dalla Chiesa, 13 – 50136 – Florence (Florence), Tax Code: 02098970482 and VAT ID: 00282740976, which can be contacted at the following email address: privacy@humancompany.com.  

The Data Protection Officer (DPO) can be contacted at the following email address: rpd.huopenair@humancompany.com.  

  2. Data Types

Below are the types of personal data processed within the limits of the purposes defined in this Policy:

  • Personal data provided by the user 

In the course of using the website, the user may voluntarily provide the following personal data, which is necessary to access the available services and functions:

  • Personal and contact data, including their first name, last name, email address and any other data provided by the user to make bookings via the website, for example.

  • Details of bookings made, such as the booking number, arrival and departure date, and booking confirmation code.  

  • Payment data, such as the credit/debit/bank card number (limited to the data necessary to identify/track the transaction, with the number partially obscured), including data relating to the means of payment (type of card) and the payment networks used. 

It should be noted that, within the scope of an online booking, the user may provide personal data relating to other people (for example, travelling companions and/or accompanying minors). In such cases, the user is required to inform the data subjects about the processing of their personal data, including the type of data collected, the purposes and retention times, and the parties who may access it, as well as the methods by which they can exercise the rights provided for by the GDPR, including by sharing this Privacy Policy.

In addition, the voluntary sending of email messages to the addresses indicated on the website entails the acquisition of the email address and any other personal data (for example, first and last name, telephone number, address, etc.) entered in the electronic communication, as well as the sender's data, as necessary to respond to requests. 

  • Browsing data 

By browsing the website, certain technical information relating to the hardware and software used by users may be collected automatically by the computer systems that allow the website to function. The transmission of this information is implicit in Internet communication protocols. It may include, for example, the user's IP address, the domain name of the device used, the identifier of the requested resources (URI), the browser type and version, the presence of plug-ins, the identifier of the mobile device (such as the IDFA or Android ID), and further parameters relating to the operating system and the computing environment.   

  • Data collected using cookies 

The website uses technical cookies necessary for its operation and, only with the user's consent, profiling cookies or third-party cookies. Information on the types of cookies used, their purposes, retention times, and how to revoke or modify consent can be found in the Cookie Policy, which can be consulted in full.  

  3. Purposes and Legal Bases of Processing

The personal data collected via the website is processed exclusively for the purposes described in this section, in compliance with the legal bases provided for by the GDPR. 

  • Website browsing 

During the simple consultation of the pages, some data is processed to ensure the proper functioning of the websites, monitor their traffic, identify any malfunctions and prevent abuse or illegal activities. These are essential activities to keep the platforms secure and to offer users a stable and reliable service.  

The legal basis for this processing is the legitimate interest of the Data Controller, as provided for by Article 6, paragraph 1, point f of the GDPR, consisting of the protection of data security, the proper functioning of the website, and the improvement of service standards.  

  • Statistical analysis on an aggregate basis 

The data of the data subject and the information collected using cookies or similar technologies may be processed in aggregate form, in such a way as to preclude personal identification, in order to analyse, review and improve the Company's services and/or for the conduct of surveys aimed at measuring the level of general customer satisfaction, as well as for the efficient management of resources and for further internal statistical analysis.

The legal basis is the legitimate interest of the Data Controller in improving its services and research for commercial purposes (Article 6, paragraph 1, point f of the GDPR).

  • Request management 

The personal data acquired when the user uses the addresses indicated on the websites to send requests is processed by the Data Controller for the sole purpose of providing the requested information by way of an effective and comprehensive response.  The optional, explicit and voluntary sending of such communications involves the subsequent acquisition of the sender's address and any other personal data included in the message, which, unless otherwise duly communicated, will be stored for the time necessary to meet the requests. 

This processing is necessary to follow up on requests of a pre-contractual nature, pursuant to Article 6, paragraph 1, point b of the GDPR, as well as to satisfy the Data Controller’s legitimate interest in correctly managing the communications received, as provided for by Article 6, paragraph 1, point f of the GDPR. 

  • Online booking service

The data subject’s personal data collected at the time of booking will be processed by the Data Controller to allow the user to book at the sites, pay, and follow up on booking requests, as well as to enable the communication of service notices relating to the booking.

Within the scope of the booking, the user can, optionally, explicitly and voluntarily, enter any special requests relating to their stay in the "notes" field. The Data Controller invites the user not to provide special data pursuant to Article 9 of the GDPR (for example: health information, such as the indication of diseases, allergies or food intolerances; requests related to reduced mobility or disability; membership of protected categories; data capable of revealing racial or ethnic origin; religious beliefs associated with food preferences or service needs, etc.); however, if the user decides to enter said data, such data will be processed exclusively to process the request and only if strictly necessary for the management of the booking.

The legal basis of the processing is the execution of pre-contractual/contractual measures (Article 6, paragraph 1, point b of the GDPR) and, with regard to any special categories of data referred to above, the consent of the data subject (Article 9, paragraph 2, point a of the GDPR). The provision of data is mandatory, as it is necessary to follow up on booking requests, and failure to provide data may make it impossible to meet these requests.

  • Marketing activities

Subject to the specific and express consent of the data subject, the data concerning them may be processed by the Data Controller for the purpose of sending advertising, promotional and/or direct sales material, or for carrying out market research or other forms of commercial communication, as well as to submit satisfaction questionnaires via email. 

The legal basis for this processing is the consent of the data subject (Article 6, paragraph 1, point a of the GDPR). Any consent given may be freely withdrawn at any time, without prejudice to the lawfulness of the processing carried out before the withdrawal. The withdrawal of consent may be communicated in the manner described in Section 9, "Rights of data subjects", of this Policy.

  • Purposes related to the protection of rights, including those of the data subject.

Personal data will be processed by the Company to protect its rights, including with respect to any requests, or to take legal action, including with regard to claims made against it or third parties, as well as to prove that it has provided a response to any requests for the exercise of one or more of the data subject's rights. 

The legal basis of the processing is the Company’s legitimate interest in the protection of its rights (Article 6, paragraph 1, point f of the GDPR).

  • Compliance with legally binding requests to comply with legal obligations, regulations or provisions/requests from the competent authorities, including supervisory authorities.

The personal data of the data subject may be processed to comply with a legal obligation and/or provisions/requests from the competent authorities, including supervisory authorities.

In this case, the legal basis is the fulfilment of legal obligations to which the Company is subject (Article 6, paragraph 1, point c of the GDPR).

  4. Data retention period

Personal data is stored for different periods of time depending on the specific purpose for which it was collected. The retention periods are established in compliance with the principles of limitation and minimisation provided for by the GDPR, and the data is deleted or anonymised once the period associated with its processing purpose has expired.  

Below are the retention periods for the different purposes listed above:

  • Website browsing: browsing data is stored for a maximum period of 30 days, unless longer times are necessary for system security needs or for the detection of any cybercrime.  

  • Aggregate analysis and improvement of products/services: the data processed for the pursuit of this purpose is processed in aggregate and anonymous form.

  • Request management: The data collected when the user uses the various channels is stored for the time strictly necessary to manage and respond to the user’s request, after which it is deleted or anonymised. 

  • Booking services: the data processed for the pursuit of these purposes will be stored for a period of time not exceeding 10 years from the booking date.

  • Marketing activities: the data processed for the pursuit of these purposes will be stored for a period of time not exceeding 24 months from their registration, without prejudice to the possibility of withdrawing consent and the right to object.

  • Purposes related to the protection of rights, including those of the data subject: the data processed for the pursuit of this purpose will be stored for the entire duration of the related proceedings, and, in any case, for the time deemed reasonably necessary by the Company for the protection of its rights, including in relation to the related limitation periods. 

  • Fulfilment of legally binding requests to comply with legal obligations, regulations or provisions/requests from the competent authorities, including supervisory authorities: the data processed for the pursuit of this purpose will be stored for the entire duration of the proceedings before the competent authorities, in addition to the relevant limitation periods.

  5. Processing methods and security measures

The processing is carried out using IT and/or telematic tools, with organisational methods and logic strictly related to the purposes indicated, always in full compliance with the principles of lawfulness, fairness, transparency, minimisation, integrity, confidentiality and security provided for by the GDPR. 

The processing is carried out in a suitable manner in order to guarantee data protection at every stage, from collection to storage, through to any deletion. The Data Controller adopts the appropriate security measures in order to prevent unauthorised access, disclosure, modification or destruction of personal data. 

  6. Data communication

Only parties duly authorised and instructed by the Company may have access to the data. In particular, for the performance of certain processing activities, the Data Controller may communicate the data to the following categories of external parties, who will process such data, depending on the role they play in relation to the processing, as independent data controllers or as data processors pursuant to Article 28 of the GDPR, if and within the limits of what is strictly necessary for the pursuit of the purposes described in this Policy:  

  • other companies in the Human Company Group; 

  • other consultants and external suppliers who carry out activities auxiliary to the purposes stated above, such as cloud service providers, IT providers or hosting providers, postal couriers;

  • professional firms, especially where necessary for the protection of the Company's rights; 

  • banks and credit institutions, insurance companies; 

  • third-party companies, including those working to promote products and/or offer services. With particular reference to booking services, the Company makes use of the supplier Zucchetti Hospitality S.r.l. (Piazza Mino Zucchetti, 1 26900 – Lodi (Lombardy), VAT ID 02894171202); 

  • companies responsible for sending commercial and/or promotional communications in the context of marketing campaigns;

  • parties who may access the data by virtue of a provision of law, regulation or EU legislation, within the limits established by these rules. 

The updated list of data recipients is available by request to the Data Controller’s email address.   

In any case, the data will never be transferred to third parties for the pursuit of marketing purposes unrelated to those described in this Policy. 

  7. Data transfers

The Data Controller does not transfer personal data to countries outside the European Economic Area (EEA). If necessary, the data subjects will be informed in advance, and guarantee measures will be adopted for the transfer to the recipients, which, depending on the case, may entail: verification of the existence of adequacy decisions for the recipient country by the European Commission, signing of standard contractual clauses, and verification of the adoption of any additional measures in implementation of the EDPB Recommendations 01/2020.   

  8. Disclosure of data

Personal data collected via the website is not publicly disclosed.   

  9. Rights of data subjects

Regulation (EU) 2016/679 (GDPR) grants data subjects specific rights. In particular, in relation to the processing of their personal data covered by this Policy, the data subject may exercise the following rights with respect to the Data Controller: 

  • the right of access: the data subject may request confirmation that data concerning them is being processed, as well as further clarification about the information referred to in this Policy (Article 15 of the GDPR); 

  • the right to rectification: the data subject may request to rectify or supplement the data provided, if it is inaccurate or incomplete (Article 16 of the GDPR); 

  • the right to erasure: the data subject may request that their data be erased if it is no longer necessary for the aforementioned purposes, in the event of withdrawal of consent or objection to processing, in the event of unlawful processing, or in case of a legal obligation to erase (Article 17 of the GDPR); 

  • the right to restriction: the data subject may request that the processing of their personal data be restricted in the event that they dispute its accuracy, for the time necessary to verify it; in the event of unlawful processing for which they oppose the deletion of their personal data; in the event that their personal data is necessary for the ascertainment, exercise or defence of a right in court; and finally, in the event of objection to the processing pending verification that the legitimate reasons of the Data Controller Company take precedence over their own (Article 18 of the GDPR); 

  • the right to portability: the data subject may request to receive their data, or to have it transmitted to another Data Controller indicated by the former, in a structured, commonly used and machine-readable format (Article 20 of the GDPR); 

  • the right to object: the data subject may object at any time to the processing of their data, unless there are legitimate reasons to proceed with the processing that take precedence over their own, for example, the defence in court or exercise of rights of the Data Controller Company (Article 21 of the GDPR). 

To exercise these rights, data subjects may contact the Data Controller Company at any time by sending a request to the following email address: rpd.huopenair@humancompany.com

To ensure the correct handling of the request and data protection, the Company will verify the identity of the applicant before proceeding. Once the identity has been verified, the Data Controller will respond within 30 days of receipt of the request, except in complex cases that may require an extension, within the time limits provided for by law.  

Users also have the right to lodge a complaint with the Data Protection Authority if they believe that the processing of their data violates current legislation. The Italian Data Protection Authority can be contacted via the telephone switchboard at +39 (0)6 696771, via email at protocollo@gpdp.it or via certified email at protocollo@pec.gpdp.it.  

Last updated: 12/03/2026