Privacy Policy

Protecting your privacy


This privacy notice describes how Casa Nova SRL (“We”) collect and use the personal information of our customers and prospective customers in accordance with the General Data Protection Regulation (GDPR) and other relevant legislation.

To market and provide our services we need to gather data. We want to be transparent about why we need the personal details we request when you engage with us and how we will use them.

We will protect the privacy and security of your personal information and will always take commercially reasonable and appropriate security measures within our power to keep your information safe.

Please read this policy carefully, along with our Terms and Conditions and any other documents referred to within this notice to understand how we collect, why we use, and how we store your personal information.

By providing us with your personal information, you consent to the collection and use of any information you provide in accordance with this privacy policy.

We comply with the principles of data protection law. This says that the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way.

2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

3. Relevant to the purposes we have told you about and limited only to those purposes.

4. Accurate and kept up to date.

5. Kept only as long as necessary for the purposes we have told you about.

6. Kept securely.

For the purpose of the General Data Protection Regulations (GDPR) the data controller is Casa Nova SRL, whose registered address is Via A. Panerai, 55, 52037 Sansepolcro (AR), Italia. As we use online services (such as, for example, Facebook, Twitter, Google Mail, Google Apps and various holiday rental websites), the providers of those services may process data on our behalf in order to enable us to communicate with you or fulfil your orders or rental bookings.

What personal data we may collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are "special categories" of more sensitive personal data which require a higher level of protection.

We collect information every time you interact with us. The information we may collect from these interactions may include, but is not limited to:

How we collect information

Your possible interactions

Information we may collect

Information you give to us

By filling in forms on any of our websites

By filling in forms at shows, events or when visiting our garden or staying at our rental properties

By corresponding with us by phone, email, in person or otherwise

By subscribing to our email list

By placing orders on any of our websites

By booking any of our rental properties

By entering competitions, promotions or surveys

By responding to one of our mailings

By interacting with us on social media

Your name

Your address

Your email address

Your telephone number

Your payment information

Details of products or services you have received from us or inquired about

Details about our contact or correspondence with you

Information about any inquiries or complaints you make to us

Your login information, purchases and wishlist(iris website customers)

Your passport number and date of birth (required for compliance with Italian law requiring notification of those staying in our rental properties)

Information we collect when you interact with our websites or social media feeds

We are not technological adepts ourselves, but we use a number of services provided by those who are (as, for example, Google Analytics, Wordpress and Ecwid). These may involve collecting data:

When you visit any of our websites, social media sites or our blog

When you search for products or services

When you participate in social media functions (eg comment, share or review stories, products or blogs)

When you report a problem with our site or app

Your Internet Protocol (IP) address

Your browser type and version

Your time zone setting

Your browser plug-in types and version

Your operating system and platform

The pages you visit, for how long and the actions you perform

Page response times

Your browser cookies (these are used to collect information about how visitors use our website and WordPress blog. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited. Google’s own privacy policy can be reviewed here.)

Information we receive from other sources

ÂIf you consent to hear from us on other sites

If we require information to execute a contract

When you visit one of our properties we may collect CCTV footage which will be used for security purposes only

Other publicly available information, such as directory listings

Your name

Your address

Your email address

Your telephone number

Your payment information

Your login information (customers)

CCTV footage

Legal basis we rely on to collect information

The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:

1.To fulfil a service: We use your information to execute contracts or services that you have entered into. This includes communications relating to your order, deliveries and payments via phone, email and SMS (for example to let you know if a delivery is delayed or payment has failed). In order to process and fulfil your order, we may need to share your information with others (eg supplying delivery address to couriers and supplying payment information to payment processors in order to collect payment).

2.When you consent: We may use your personal information and order history to tell you about relevant products, events, competitions and news. For example, when you sign up to a newsletter or tell us you want to hear from us by completing your preferences. You can ask us to stop sending you marketing messages by contacting us at any time. If you change your mind you can update your choices at any time by contacting us.

3.If we have legitimate interest: The GDPR defines legitimate interest as a reasonable business or commercial interest for processing your personal information. For example, sending a direct mail if there is a change of booking such that a rental period you enquired about becomes available or when a plant you expressed an interest in becomes available.

How we use your information

If you wish to change how we use your data, you’ll find details in the “What are my rights?” section below. Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.

What we use your data for

Legal basis

To process your orders and services requested from us


To process your rental bookings


To respond to your queries, complaints or refund requests


To remind you of relevant deadlines (such as for rental payments that are due, or time by which the property needs to be vacated) or pass on information relevant to rental bookings (such as directions to the property)


To let you know when you have an unconfirmed order in your basket.


To let you know about changes to your order, availability or deliveries


To let you know about changes to our service (eg delisting products)


To keep a record of your relationship with us and your information up to date


To process payments


To comply with mandatory legal requirements (as for example registering the presence of rental guests with the Carabinieri)


To tell you about our news, events, offers, new products or services, changes in availability or other information about our services we believe may interest you


To keep you informed about the work you are supporting by doing business with us


To exclude you from online advertising and avoid unnecessary spend on marketing

Legitimate interest

To develop and improve our systems (eg pages you visit, to investigate any problems you encounter with our site)

Legitimate interest

To send you requests for feedback via surveys to help improve our service

Legitimate interest

To build a picture of who our current customers are and what they like, to inform our business decisions (eg to identify popular products, or help us locate potential new customers)

Legitimate interest

To protect our website and our customers (eg to investigate phishing or fraudulent activity)

Legitimate interest

To ensure the content on our site or app is presented effectively for your device and is secure

Legitimate interest

To measure and understand advertising effectiveness through research and analysis

Legitimate interest

To automatically customise the contents of our website, emails or other channels based on the data we hold about you

Legitimate interest

Note that if you purchase a gift for someone from us, we will need their personal details (for example name and address) in order to process the order and delivery. However, we will never contact them for any other purpose other than to process your gift.

Who we share your information with

Sometimes we may share your data with third parties where we are required by law, where it is necessary to administer the relationship between us or where we have another legitimate interest in doing so. We do so on one of the legal bases defined above (service, legitimate interest and consent). We only provide third parties with the information they need to perform the exact services we receive from them and we do not sell your data to third parties. Where the third party is providing a service to us, we check their policies to ensure that your privacy is respected and protected at all times. If at any time we stop using third party services, any information held by them will either be deleted or rendered anonymous.

An additional basis of “legal compliance” applies here. For example, we may come under a duty to pass on information to law enforcement agencies, if we become aware of people involved in fraud, non-payment or other criminal activity.

We may also be legally bound to share your data in the future with a third party if Casa Nova SRL is subject to sale or asset transfer.

Who we share your data with

How we protect your data

Your rights

We use external email platforms (such as Google Apps and Google Mail) to fulfil our service and marketing communication needs

Google’s privacy policy provides the protections required by the GDPR when processing data for customers operating within the EU.

Use of a third party email provider is necessary and legitimate for us to execute the service you sign up for with us.

Google’s own privacy policy can be reviewed here

Online advertisers and platforms such as (Google, Twitter, LinkedIn, Wordpress and Facebook) to show you relevant information about our products

The processing is completed using pseudonymised (subjected to a technical process which replaces your data with codes, so it is unidentifiable to anyone without additional information) email addresses to protect your privacy. This transfer is a bulk process so neither we, nor the third party, has sight of any individual’s data.

As a customer you can consent or opt out from online marketing by updating your communication preferences in your account (this may take up to 30 days to process).

Read more about how ads are displayed on each platform and how to control your data: FacebookGoogleLinkedInTwitterWordpress

Online advertisers and platforms to exclude current customers from seeing advertising (to save money)

The processing is completed using pseudonymised (subjected to a technical process which replaces your data with codes, so it is unidentifiable to anyone without additional information) email addresses to protect your privacy. This transfer is a bulk process so neither we, nor the third party, has sight of any individual’s data.

It is our legitimate interest to take all reasonable steps to avoid unnecessary cost.

We use Facebook’s services to identify people similar to our current customers. This is the most cost-effective way for us to show Facebook users matching that profile messages about us and gain new customers.

The processing is completed using pseudonymised (subjected to a technical process which replaces your data with codes, so it is unidentifiable to anyone without additional information) email addresses to protect your privacy. This transfer is a bulk process so neither we, nor the third party, has sight of any individual’s data.

It is our legitimate interest to take all reasonable steps to acquire new customers whilst avoiding unnecessary cost.

Where we keep your information

We take reasonable steps necessary to ensure that your data is treated securely and in accordance with this privacy policy. We take commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach if we are legally required to do so.

The data that we collect from you is stored either within the European Economic Area ("EEA") or on servers that we rent from Rackspace US Inc, who have mechanisms in place for compliance with the GDPR pursuant to the EU-U.S. Privacy Shield ( Where we share your data with third parties, as described above, that information may be held by the third party outside of the EU. You should refer to the privacy policy of the relevant third parties for more information as to the safeguards they provide (for example by following the links in this document).

All information you provide to us is stored on secure servers, except payment card information. To maintain the highest level of security, we never store or have visibility of your card details.

Where we have given you (or where you have chosen) a password which enables you to access your account with us, you are responsible for keeping this password confidential. Do not share your password with anyone and change it regularly. We recommend changing your password at least every three months.

From time to time, our website may contain links to third party websites. If you follow a link to any of these websites, please note that they will have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

How long we store your data for

We will hold your personal information on our systems for as long as is necessary for the processing of our contractual obligations with you or as long as you give us consent to do so.

Since customers book or order with us at varied intervals, sometimes returning after a number of years, it is in our legitimate interest to store your data for a period of no longer than 5 years after your last booking or order or communication from you to us. During this time, we will continue communicating with you as outlined by this policy unless you actively close your account or change your preferences. At 5 years after your last order, we may email you to check if you’d like to leave your account open and continue hearing from us and we will otherwise close your account, remove you from our mailing list, any personal identifiable information held by us will be deleted, and your purchase history rendered anonymous.

Your rights

Your rights

How to activate your rights

To ask us not to process your data for marketing purposes


Or call 0039-3389974107 and send a confirmatory letter to Casa Nova SRL, Via A.Panerai, 55, 52037 Sansepolcro (AR), Italia

To ask us to erase all of the personal information we hold about you (Right to Erasure also known as the right to be forgotten)


Or call 0039-3389974107 and send a confirmatory letter to Casa Nova SRL, Via A.Panerai, 55, 52037 Sansepolcro (AR), Italia

To request access to all of the information we hold about you


Or call 0039-3389974107 and send a confirmatory letter to Casa Nova SRL, Via A.Panerai, 55, 52037 Sansepolcro (AR), Italia

To ask us not to process your data for the purpose of our legitimate interest. We will action your request unless we believe the legitimate interest overrides your circumstances


Or call 0039-3389974107 and send a confirmatory letter to Casa Nova SRL, Via A.Panerai, 55, 52037 Sansepolcro (AR), Italia

Changes to this policy

This policy applies with effect from 25 May 2018.

Any changes we may make to our privacy policy in the future will be posted on this page. Please check back if you wish to see any subsequent updates or changes to our privacy policy.

Questions or complaints

If you have any questions that haven’t been covered, please contact us (person responsible for data compliance: Patricia Robertson):


Call 0039-3389974107

Casa Nova SRL, via A Panerai, 55, 52037 Sansepolcro (AR), Italia

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (IDPA):