Privacy Policy
1. Data controller
MTM Srl
Piazzale Flaminio, 9 — 00196 Roma
VAT / Tax ID: 13676861001
SCIA No. QD/2016/76910 — Cat. 1
Email: 900piazzadelpopolo@gmail.com
Phone: +39 339 694 3467
2. Privacy contact and DPO
For any request regarding the processing of personal data or to exercise your rights, you can contact the controller's designated representative:
Luigi Rossetti
Email: 900piazzadelpopolo@gmail.com
Phone: +39 339 694 3467
As of the date of this document, the controller has not appointed a Data Protection Officer (DPO) pursuant to Art. 37 of the GDPR, as the mandatory requirements set out by the regulation do not apply.
3. Data collected, purposes and legal basis
The website 900roma.it, operated by MTM Srl for the accommodation 900 Piazza Del Popolo Guest House, processes personal data for the following purposes:
- Information requests and bookings (email, phone): data provided by the user via email or phone is processed to respond to enquiries and manage bookings. Legal basis: performance of pre-contractual and contractual measures (Art. 6(1)(b) GDPR).
- Legal obligations: guest registration and reporting to public security authorities are mandatory under Italian law (Art. 109 T.U.L.P.S.). Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
- Online bookings: the booking engine is managed by Blastness S.r.l., acting as data processor pursuant to Art. 28 GDPR. Blastness processes data for booking management and, with the user's consent, for marketing campaign tracking. Legal basis: contractual performance (Art. 6(1)(b) GDPR) and, for marketing, consent (Art. 6(1)(a) GDPR).
4. Types of data processed
- Identification data: name, surname, date and place of birth, identity document, for guest registration as required by law
- Contact data: email address, phone number, voluntarily provided for information requests or bookings
- Browsing data: IP address, browser type, operating system, pages visited, access time, automatically collected by the website's systems
5. Processing methods
Personal data is processed using electronic and paper-based tools, strictly as necessary to pursue the stated purposes, and in compliance with the security measures required by the GDPR. Processing is carried out by the controller and by any authorised persons, who are instructed and bound to confidentiality.
6. Recipients and data processors
Personal data may be disclosed to:
- Blastness S.r.l. — data processor for the booking engine, Universal Link tracking system (HTTP cookies for bookings and marketing) and the Quick Reserve widget for availability search (domains: blastqr.blastdemo.com, blastqr-api.blastdemo.com, cdn.blastness.biz). Details in the Cookie Policy.
- Aruba S.p.A. — hosting provider, for website hosting services (servers in Italy/EU)
- Public security authorities — for the mandatory reporting of guest data under T.U.L.P.S.
Data is not transferred outside the European Economic Area. The website does not use external services that involve data transfers to third countries: typefaces are hosted locally on the website's server.
7. Local storage technologies
The website uses browser localStorage to store the user's language preference (site-lang) and cookie consent preferences (cookie-consent). This is functional local storage, not HTTP cookies. Data remains in the user's browser and is not transmitted to the server. For full technical details, see the Cookie Policy.
8. Data retention
Personal data is retained for the periods indicated below, unless a different legal obligation applies:
- Guest registration data (accommodation forms): 5 years from the date of the stay, in accordance with T.U.L.P.S. and tax obligations
- Accounting and tax data related to bookings: 10 years, pursuant to Art. 2220 of the Italian Civil Code and applicable tax regulations
- Contact data for information requests: maximum 24 months from the last communication, unless the request results in a booking
- Server logs (browsing data): maximum 90 days, for IT security and diagnostic purposes
9. Data subject rights
Under Articles 15-22 of EU Regulation 2016/679 (GDPR), data subjects have the right to:
- access their personal data (Art. 15)
- obtain rectification of inaccurate data (Art. 16)
- obtain erasure of data, where applicable (Art. 17)
- restrict processing (Art. 18)
- object to processing (Art. 21)
- request data portability (Art. 20)
- lodge a complaint with the competent supervisory authority: Garante per la protezione dei dati personali (www.garanteprivacy.it)
To exercise your rights, please write to: 900piazzadelpopolo@gmail.com
10. Changes to this policy
MTM Srl reserves the right to modify this policy to comply with applicable legislation or changes in the services offered. The updated version will always be available on this page, with the date of the last update.
Last updated: 1 April 2026