Moonlight Venice
ES
Reservar
Reservar →

Privacy

How Moonlight Venice collects, uses, and protects your personal data.

Last updated: 4 June 2026

At a glance

We collect the bare minimum needed to answer your enquiries and let you book a stay. We do not profile visitors, we do not run advertising trackers, and we do not sell or share your data with third parties for marketing. The sections below set out the detail required by Article 13 of the EU General Data Protection Regulation (GDPR) and the Italian Codice Privacy (Legislative Decree 196/2003 as amended).

Who we are

Moonlight Venice is the data controller for personal data processed through this website, reachable at https://moonlightvenice.it. For any privacy matter, or to obtain our full registered business details (legal name, VAT number, and postal address), write to info@moonlightvenice.it.

We have not appointed a Data Protection Officer. Article 37 GDPR does not require one for a private accommodation operator of our size, since our processing is not large-scale, systematic monitoring and does not involve special categories of data.

What we collect, and why

When you send an enquiry

Our contact and apartment enquiry forms collect the name, email address, travel dates, party size, and any free-text message you choose to write. We use this only to reply to you and to manage a possible booking. The legal basis is the steps taken at your request before entering a contract (Article 6(1)(b) GDPR). Providing this data is not a legal obligation, but if you choose not to provide it we cannot answer your enquiry.

Technical and security data

To protect the forms against abuse we generate a one-way salted hash of your IP address and the user-agent string sent by your browser. These hashes cannot be reversed into the original values and we never use them to identify you personally. The legal basis is our legitimate interest in keeping the service secure and free from spam (Article 6(1)(f) GDPR). You can object to this processing at any time using the contact above; the balancing test for this interest is available on request.

Audience measurement

We measure aggregate traffic with a privacy-first, cookieless analytics service that does not profile visitors, does not set storage on your device, and does not collect personal identifiers. Because no information is stored or read on your terminal equipment, Article 5(3) of the ePrivacy Directive does not require prior consent for this measurement. See the cookie policy for detail.

Cookie-consent records

If a cookie consent banner is active on the site, we keep an accountability record of each consent decision (date, the categories you accepted, the site language, and a salted hash of your IP and user-agent). This is required by Article 7(1) GDPR so we can demonstrate that consent was given. Today the banner is inactive because no non-essential cookies are set, so no consent records are created.

Who processes your data

We rely on a small number of vetted service providers acting as data processors on our behalf under written agreements that satisfy Article 28 GDPR:

  • Vercel Inc. (United States) for website hosting and form delivery.
  • Neon Inc. (United States, EU region) for the database that stores enquiries.
  • Cloudflare Inc. (United States) for cookieless, aggregate traffic analytics and edge security.
  • CARTO (Spain and United States) for basemap tiles displayed on apartment maps. Loading a map sends your IP to CARTO so the tiles can be served; no cookie is set.

Where a provider processes data outside the European Economic Area, the transfer is governed by the European Commission Standard Contractual Clauses (Decision 2021/914) supplemented by the technical and organisational safeguards described in our records of processing.

We do not sell personal data, and we do not share it with third parties for their own marketing.

How long we keep it

  • Enquiry messages: up to 24 months from your last interaction with us, unless a booking is made, in which case the contract retention period applies.
  • Booking and tax records: 10 years from the end of the relevant fiscal year, as required by Italian tax law (Article 2220 Civil Code, Article 22 DPR 600/1973).
  • Security hashes (anti-abuse): up to 12 months.
  • Administrator session cookie: 7 days, refreshed on activity, deleted at logout.
  • Consent records (when the banner is active): 24 months, as recommended by the Garante.

Your rights

Under Articles 15 to 22 GDPR you have the right to:

  • access your data and obtain a copy of it;
  • have inaccurate data corrected and incomplete data completed;
  • have your data deleted, where one of the grounds in Article 17 applies;
  • restrict the processing of your data;
  • receive your data in a portable, machine-readable format and transmit it to another controller;
  • object to processing based on our legitimate interest, including profiling (we do not profile);
  • withdraw any consent you have given, at any time, without affecting the lawfulness of processing carried out before the withdrawal (Article 7(3) GDPR).

To exercise any right write to info@moonlightvenice.it. We answer within one month at the latest, as required by Article 12(3) GDPR.

You also have the right to lodge a complaint with your supervisory authority. In Italy this is the Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma, web garanteprivacy.it.

Automated decisions and profiling

We do not take decisions about you by purely automated means within the meaning of Article 22 GDPR. Replies to enquiries and booking decisions are made by people.

Children

This website is not directed at children under 16. We do not knowingly collect data from minors. If you believe a child has provided us with data, write to us at the contact above and we will delete it.

Security

All traffic to and from this site is encrypted with TLS. Database access is restricted to authenticated administrators using individual credentials, and administrator sessions are protected by signed, HTTP-only, same-site cookies. We log access to support audit and incident response. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you in accordance with Article 34 GDPR.

Changes to this notice

We may update this notice as the site evolves, the law changes, or we add new services. Material changes will be highlighted at the top of this page and, where appropriate, communicated by email to people we are in contact with. The "Last updated" date above always reflects the current revision.