Privacy Policy App

Privacy policy for Zucchetti APPs
pursuant to Art. 13 European Data Protection Regulation 2016/679 (GDPR)


Zucchetti Hospitality renders this Privacy Policy solely and exclusively for the purpose of downloading the "Zucchetti" Vertical Booking application; furthermore, it does not cover the use of any other websites through which the User may access and/or use the application.
The App is dedicated to the managers of the accommodation facilities that have purchased the Vertical Booking application and not to the users of the aforementioned.

Data Controller
The data controller of the personal data, solely and exclusively for the purpose of downloading the application, pursuant to Article 4 point 7) of the GDPR is Zucchetti Hospitality S.r.l with registered office in Lodi, Via Solferino, n. 1, 26900 - e-mail ufficio.privacy@zucchetti.it

Data Protection Officer
The person responsible for data protection is Dr. Mario Brocca, whom you can contact by sending an e-mail to dpo@zucchetti.it.

Developer
The Developer of the application is Zucchetti Hospitality srl, with registered office in Lodi, Via Solferino n. 1, 26900 - ufficio.privacy@zucchetti.it

Personal data collected
The services provided by the App, as well as its features and functions, require the registration of users with the following data in the VerticalBooking management product in order to use the VerticalBooking APP:
Name
Surname
Email
Username
Password
We would like to point out, however, that the computer systems and software procedures used to operate the App (such as Apple Store, Google Play or App Gallery), acquire during their normal operation, some data in any case referable to the User whose transmission is implicit in the use of internet communication protocols, smartphones and devices used. This category of data includes, but is not limited to, geographical location, telephone identity, the User's contact details, e-mails. The User may consult the Privacy information available on the following sites:

- Apple Store - http://www.apple.com/legal/privacy/it/
- Google Play - https://www.google.it/intl/it/policies/privacy/
- App Gallery - https://consumer.huawei.com/it/legal/privacy-policy/

The VerticalBooking app and customised versions collect the following data:
• Username, password and connection token required to access the app's functionalities.
• personal data: username, password, device information (device, deviceid, osname, osversion).
The VerticalBooking app does not provide for the enablement and consent of features such as Geolocation, Camera and other personal data access features.

 

Compulsory or optional nature of providing data and consequences of refusal
The provision of data is optional, but they are necessary for the provision of the service. Refusal to provide them does not allow the provision of the service and use of the app.

Treatment modalities
Processing takes place electronically and while using the app, personal data are redirected via secure connections to the VerticalBooking management product installed by the centre that holds the ownership of the data of customers and users of the app. The above data are never permanently saved either on the app or on the device. The user can delete the above data on the app by using the logout function or by uninstalling the app.

Secure processing procedures for personal and sensitive user data
The developer has developed and implemented secure data processing procedures consisting of security measures at the technical organisational level and at the service level.
In particular, the security measures that can be configured at application level by the Data Controller Customer are:

Access Profiles
The application ensures that the customer only has visibility of the data he or she owns.


Managing access credentials
- Username: access to the system is through the unique identification of the person accessing it. During the system set-up phase, the holder is given a credential for the VerticalBooking management system and, on request, authorisation to use the data from the app.
- Password: A password associated with the username must be provided to access the platform. The complexity of the password must have the following characteristics:
o Length of 8 characters
o Must contain an uppercase character
o Must contain a lower case character
o Must contain a numeric character
o Must contain a special character taken from the following alphabet `[$%*:,£)(@#;+_\-]
o The password must be different from the previous 5

Managing access profiles
- The client may not create users who have a higher competence than its own.
- The customer has the option of creating other users who will have visibility of the data held by the customer according to an access profile chosen by the customer and who have equal or lesser competence than the customer.
- Disabling Credentials: the customer can disable created users, reset the expiry date of passwords and remove created users.
- Credit Card Data Visibility: At the creation stage, the user does not have permission to view credit cards, nor permission to grant visibility of card data to other users. The customer may request technical support to be granted permission for credit card visibility for users under their own jurisdiction.

Cryptography techniques
- Password encryption: the password is encrypted with a cryptographically secure hashing algorithm and stored with a 'salt'. The hash is calculated using a key stretching procedure to combat brute force attacks.
- Two factor authentication: in order to display credit card data, the customer must pass a two-factor authentication. The first factor authentication consists of providing the username + password pair described above.
The second authentication factor involves one of the following:
o Identification via a certified IP address
o OTP (one time password) through user registration and verification by the Authy platform (www.authy.com)

Log tools
The customer has the possibility of viewing the operations that users within his competence have performed on the platform via a section offering log extraction tools.

Credit Cards
Credit card access is managed at every level according to the PCI-DSS guidelines.

With regard to service procedures, security of treatment is ensured for each mode of delivery as follows:

TELEPHONE ASSISTANCE
It presents no problems from a personal data processing point of view. No data or files are transmitted and communication remains verbal.
EMAIL ASSISTANCE
When providing assistance by email, Zucchetti Hospitality technicians will always include the disclaimer in the text of the message to make the Holder aware of the summary information and the contact details he or she can use to exercise his or her rights or the rights of those concerned.
Credit card data is never transmitted by Zucchetti Hospitality staff by email or communicated by telephone.
Credit card details are not accessible to Zucchetti Hospitality staff.
In the event that Zucchetti Hospitality personnel receive communications (e-mails) containing credit card data, they are obliged to
1. report the event to security control personnel
2. inform the customer that card data must not be transmitted over unsecured channels.

ASSISTANCE THROUGH HTTPS CONNECTION
In order to access the platform with supervisor competence, technical support must log in from one of the office IPs or via VPN (Virtual Private Network).
SUPPORT THROUGH SSH CONNECTION VIA VPN
For system maintenance and administration, Zucchetti Hospitality technicians access systems via the SSH protocol with two-factor authentication.

Categories of recipients to whom the data may be disclosed
Personal data collected by the VerticalBooking App may be disclosed to:


DATA CENTRE
EQUINIX DATACENTER in Milan (ML2)
Datacenter where the servers and necessary equipment physically reside

DATACENTER STACK Infrastructure in Siziano, Pavia (MIL01)
Datacentre where the servers and necessary equipment physically reside

Google Cloud Platform - Cloud Service


BUSINESS PARTNERS
Booking platforms, such as Expedia and Booking.com, can communicate booking data to Zucchetti Hospitality.
Zucchetti Hospitality communicates all the necessary data to PCI Booking Systems (a tokenization platform) for credit card tokenization.

OUTSOURCED SERVICES
Zucchetti Hospitality uses Google's GSuite and Microsoft Azure for the domain verticalbooking.com and Zucchetti.it and Zucchetti.com as incoming and outgoing mail servers for communications related to the domain. Mails sent by customers to technical support may contain identification data and are stored on Google and Microsoft servers.
Zucchetti Hospitality uses an external supplier to handle two-factor authentication via OTP (one time password), the company Authy - a Twilio company, 375 Beale St, Suite 300, San Francisco, CA 94105.
Zucchetti Hospitality, in order to transmit system communications relating to bookings (notifications, confirmations, updates, etc.) uses the services provided by MAIL UP.


Personal data retention period
The user can delete personal data stored on the app by using the logout function or by uninstalling the app.
The personal data of hotel bookers expire 5 years after they have been entered into the VerticalBooking management system. The customer can request the deletion of personal data by means of a written request to the technical support department, which will implement the deletion procedure and reduce the retention period.
Credit card data is not stored in the Vertical Booking platform. Financial and credit card information is stored on the PCI Booking systems (a tokenization platform). Vertical Booking instructs, via a secure API, PCI Booking to delete credit card data that is in the system for more than 60 days from the date of the reservation (date of booking).

Purposes of the processing for which personal data are intended
The app is used for
1 - consultation of reservations
2 - tariff management: modification of day-by-day prices, modification of tariff grids, modification of derivation grids
3 - availability management
4 - management of restrictions: stop-sale and minimum stay
5 - sales report by room, channel and rate plan
Downloading the app is voluntary and at any time the user can uninstall it or change the permissions and authorisations so that no more personal data is recorded.

Scope of knowledge of your data
The app's processed data are transmitted to the VerticalBooking management product, online booking software for hotels and hotel chains. The App complements the entire Suite consisting of Booking Engine, Synchro Channel Manager, Metasearch Manager, CRO (Central Reservation Office), GDS Connectivity and Representation, Marketing and Intelligence Tools and Mobile App (iOS/Android).
The Vertical Booking platform collects and stores the personal data of the booking parties that make a reservation from the different distribution channels with which Vertical Booking is connected.

 

Territorial scope of treatment
The data provided will be processed in Italy and Belgium.

Rights of data subjects
Limited to the processing of data in the context of downloading the App, you may exercise your rights by sending an email to ufficio.privacy@zucchetti.it. In particular, you may request access to the personal data concerning you, you may request that it be corrected or deleted, or you may request that the processing be restricted and you may object to the processing. In addition, you will have the right to data portability and, should you wish to lodge a complaint, you may also lodge it with the Data Protection Authority. For all matters concerning the processing of data in connection with the use of the management system, the user must contact the Data Controller.