Skip to main content

Privacy Policy

This page describes how the website is managed with regard to the processing of personal data of users who consult it. This information is also provided pursuant to Article 13 of the EU Regulation 2016/679 – General Regulations for the Protection of Personal Data (hereinafter referred to as GDPR) to those who interact with the web services of the Hotel Capitolo Riviera, accessible electronically from the address The information is provided only for this website and not also for other websites that may be consulted by the user through links for which the Owner is not responsible.


The data controller is the company Agras Investment Srl, in the person of the legal representative p.t., with registered office in via Uberto Visconti di Modrone n. 11 – 20129 Milan, VAT No. 11484350969.


Within the scope of the processing activities of your personal data, external subjects formally designated as Data Processors pursuant to Article 28 of EU Reg. 2016/679 may be involved. Please note, in particular, that the Data Controller has identified the company we-go srl based in Galleria Spagna, 27 – 35126 Padova (PD) as the Data Processor for the management of the website. The full list may be requested from the Data Controller.


Processing related to the web services of this site takes place at the headquarters of the Company, as well as at the Managers identified pursuant to Article 28 of the GDPR. In any case, data processing will be performed only by adequately qualified technical personnel in charge of processing. No data resulting from the web service is communicated or disseminated. Where Users interact with the site services through their social profiles, their personal data may be processed by companies based outside the European Union. Users are therefore invited to check their respective privacy policies.


– Navigation data.
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct operation and are deleted immediately after processing. The data could be used to ascertain liability in case of hypothetical computer crimes against the site: except for this eventuality, at present the data on web contacts do not persist for more than thirty days.
– Data voluntarily provided by the user .
The personal data communicated directly and optionally by the web user, for example by filling in the forms in the “contact” and “write us” sections, including name, e-mail address, telephone number, are acquired directly by the Data Controller in order to respond to the requests made by the user.
The user is advised not to enter in the free text fields special categories of personal data such as, for example, those related to health status.


Personal data are processed by duly trained personnel in charge of the processing and are preserved by appropriate security measures adopted by the Data Controller and designed to prevent any form of unauthorized, unlawful and incorrect access, disclosure, modification and destruction.
The processing is carried out mainly in a computerized manner and with computerized tools.


Personal Data provided by the user through the website in question will be processed by the Data Controller solely for the following purposes:
a) Execution of a contract to which the user is a party or for the adoption of pre-contractual measures at the user’s request, such as, for example, the management and/or modification of reservations, contact management, inquiries regarding the activities and services provided by the hotel, also through the completion of specific forms. The legal basis for the processing is found in Article 6(1)(b) of the GDPR 2016/679. Consent Not Required;
b) Sending email communications to the provided address as part of the activities mentioned in the previous point a), for the promotion and sale of products or services similar to those described. The legal basis is represented by Article 130, paragraph 4 of Legislative Decree 196/2003 (so-called soft-spam). In this case, the data subject may initially or in subsequent communications refuse such use and processing by communicating through the specific link provided in the communications or by sending a request to the Data Controller to object to the processing free of charge.
c) Sending periodic email communications to the address provided when you subscribe to our newsletter for marketing and advertising purposes. Consent Required
d) Purposes of research and statistical analysis on aggregated anonymous data, aimed at measuring the functioning of the Site, measuring traffic, and evaluating usability and interest to make it more functional and efficient; Consent not required as it does not involve the processing of personal data;
e) For accounting, tax, and administrative purposes. The legal basis is represented by Article 6(1)(c) of GDPR 2016/679, or the processing is necessary to comply with a legal obligation to which the data controller is subject. Consent not required;
f) Purposes related to compliance with laws and regulations. The legal basis is represented by Article 6(1)(c) of GDPR 2016/679, or the processing is necessary to comply with a legal obligation to which the data controller is subject. Consent not required
g) Purposes necessary to establish, exercise, or defend a right in legal proceedings or whenever judicial authorities exercise their judicial functions. The legal basis is represented by Article 6(1)(f) of GDPR 2016/679, or the processing is necessary for the legitimate interests pursued by the data controller. Consent not required


The Data Controller undertakes to circumscribe the areas of circulation and processing of personal data (e.g., storage, archiving, retention of data on its servers) to countries that are part of the European Union, with an express prohibition to transfer them to non-EU countries that do not guarantee (or in the absence of) an adequate level of protection, i.e., in the absence of protection tools provided by the EU Regulation 2016/679 – CHAPTER V (Accession to the Data Privacy Framework, adequacy decision, Standard Contractual Clauses or explicit consent from the data subject).


The Data Controller will process the personal data of the data subject for the time strictly necessary to achieve the purposes set forth in this notice.
Notwithstanding the above, the Data Controller will process the Personal Data of the data subject until the term allowed by the applicable legislation to protect its interests (Art. 2947(1)(3) c.c.) as well as within the terms established by the applicable legislation.
More information regarding the retention period of Personal Data and the criteria used to determine this period may be requested by writing to the contact details of the Controller.


The Data Controller does not perform automated processing, including profiling on personal data acquired through forms on this website.
Regarding any profiling activities carried out through cookies, please refer to the relevant Cookie Policy.


Individuals to whom the personal data refers have the right at any time to obtain confirmation of the existence or absence of such data and to know their content and origin, verify their accuracy, or request their integration, updating, or correction (Chapter III of GDPR 2016/679). According to the same article, you have the right to request the erasure, transformation into anonymous form, or blocking of data processed in violation of the law, as well as to object, for legitimate reasons, to their processing. Requests should be addressed to the Data Controller at the above-mentioned contact details.

The user can freely exercise the rights as specified in Articles 15 and following of GDPR 2016/679, which we list in full below:

  • Withdraw consent at any time.
  • Object to the processing of your Data.
  • Access your Data or obtain information about the Data processed by the Data Controller, on certain aspects of the processing, and receive a copy of the same.
  • Verify and request the rectification of personal data processed.
  • Obtain, under certain conditions, the limitation of processing.
  • Obtain, under certain conditions, the erasure or removal of your Personal Data.
  • Receive your Data or request transfer to another controller.
  • Object to profiling and decisions based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects your person.

Requests should be addressed to the Data Controller.


Data subjects who believe that the processing of personal data relating to them carried out through this site is in violation of the provisions of the Regulation have the right to lodge a complaint with the Personal Data Protection Guarantor, as provided for in Article 77 of the Regulation itself, or to take appropriate legal action (Article 79 of the Regulation).


This information notice, prepared in accordance with Article 13 of GDPR 2016/679, can also be used by the Data Controller for any job postings published on websites and/or portals not directly managed by the company itself.
The Company will process the resumes received via email or through third-party companies operating in the field of personnel selection (publications on portals, etc.) to assess potential candidates for positions within the Company or those that may arise in the near future.
The processing takes place electronically, with the exception of resumes received by regular mail.
Resumes considered suitable by the Company will be kept at its headquarters for a period of 12 months and will be treated in full compliance with the security measures provided for in Article 32 of GDPR 2016/679.
Resumes that are not relevant, as well as those whose retention period has exceeded 12 months, will be deleted.
Resumes will be kept in the Human Resources office of the Data Controller and will not be disclosed to unauthorized third parties. They may be evaluated by personnel duly authorized for processing (as per Article 29 and 32, paragraph 4 of GDPR 2016/679 and Article 2-quaterdecies of Legislative Decree 196/2003), within the operational unit where the candidate is expected to perform their duties/collaboration.
For resume submission, candidates are kindly requested to adhere to the following rules:

  • Use the European format for their resume.
  • Submit the resume in PDF format.
  • Avoid including in their resume special categories of personal data as defined by Article 9 of GDPR 2016/679 (relating, in particular, to health status, religious, philosophical, or political beliefs) that are not relevant to the job offer.

The company reserves the right to delete resumes that do not comply with the above requirements.
The purpose of processing related to resume management will involve activities strictly related to the assessment, recruitment, or selection of personnel, with goals of collaboration, fixed-term or permanent employment, or internships.
In accordance with Article 111-bis of Legislative Decree 196/2003, the information provided in Article 13 of GDPR, in cases of receiving resumes voluntarily submitted by individuals for the purpose of establishing an employment relationship, will be provided at the time of the first relevant contact following the submission of the resume itself.
In compliance with the specified purposes, and in accordance with Article 6, paragraph 1, letter b) of GDPR, the consent of the data subject for the processing of personal data in resumes is not required.


Please refer to the website’s cookie policy.


The privacy policy was updated on October 5, 2023 and may be subject to future revisions.