Privacy Rights Notice

1. Introduction and Scope

This Privacy Rights Notice explains how Vezpa di Paolo Vezzola (hereinafter "Vezpa" or "We") processes personal information in compliance with:

PIPEDA Personal Information Protection and Electronic Documents Act -- Canada's federal private-sector privacy law
Quebec Law 25 Act respecting the protection of personal information in the private sector, as modernized by Bill 25 (Loi 25) -- GDPR-like provisions for Quebec residents
PIPA (BC) Personal Information Protection Act -- British Columbia's provincial privacy law
PIPA (AB) Personal Information Protection Act -- Alberta's provincial privacy law
CASL Canada's Anti-Spam Legislation -- governing electronic commercial messages and marketing

1.1 Who This Applies To

This notice applies to:

Accommodation managers who use Vezpa (direct clients)
Guests staying at properties that use Vezpa
Business partners and suppliers
Visitors to the vezpa.it website

1.2 Dual Role of Vezpa

Vezpa operates in two distinct roles:

ORGANIZATION (CONTROLLER) For data of property managers (clients) - we determine the purposes and means of processing
SERVICE PROVIDER (PROCESSOR) For guest data - we process data on behalf of the property manager under their instructions

2. Business Identity and Contact Details

Organization:

Vezpa di Paolo Vezzola
Registered office: Desenzano del Garda (BS), 25015, via San Zeno 67, Italy
VAT: 04449070988
Email: [email protected]

3. Categories of Personal Information Collected

3.1 Manager Data (Clients)

Category	Type of Data	Mandatory
Identifiers	Name, surname, date of birth, email address, phone number	Required
Contact information	Email, phone, mailing address	Required
Commercial information	Company name, BN (Business Number)/tax ID, property details, subscription records	Required
Financial information	Payment card (via Stripe - PCI DSS compliant), billing address	Required for subscription
Internet or network activity	Access logs, IP address, platform activity, browsing history on our site	Automatic
Professional information	Business type, property type, role	Voluntary

3.2 Guest Data (as Service Provider)

Category	Type of Data	Business Purpose
Identifiers	Name, surname, date and place of birth, citizenship	Guest registration and legal compliance
Government-issued ID	ID type, number, issue date, issuing authority	Legal compliance (where required by provincial/municipal law)
Contact information	Email, phone, address	Booking management and communications
Commercial information	Stay dates, number of guests, room, rates	Booking management
Financial information	Transactions, receipts	Payment processing and tax compliance

Sensitive Personal Information:

Vezpa does NOT intentionally collect sensitive personal information such as:

Social Insurance Numbers (SIN)
Racial or ethnic origin
Religious beliefs
Health information
Biometric or genetic data
Sexual orientation
Precise geolocation

If such data is entered by mistake, it must be deleted immediately.

4. Purpose and Legal Basis for Processing

4.1 For Managers (Clients)

Business Purpose	Legal Basis (PIPEDA Principle)	Retention
Provision of PMS service	Consent / Contractual necessity	Duration of contract + 6 years
Invoicing and accounting	Legal obligation (Canada Revenue Agency requirements)	6 years (CRA tax record retention)
Customer support	Consent / Contractual necessity	Duration of contract + 2 years
Security and fraud prevention	Legitimate business interest / Legal obligation	5 years
Service improvement	Implied consent (anonymized/aggregated data)	2 years (anonymous aggregated data)
Direct marketing	Express consent (CASL compliance)	Until consent is withdrawn or opt-out received
Legal defence	Legitimate business interest	Applicable limitation period

4.2 For Guests (on behalf of the Manager)

Business Purpose	Legal Basis	Retention
Guest registration	Legal obligation (provincial/municipal lodging laws)	Per applicable provincial/municipal requirements
Lodging tax reporting	Legal obligation (provincial/municipal tax laws)	Per provincial/municipal regulations
Booking and stay management	Consent / Contractual necessity	6 years (tax purposes, CRA)
Online check-in and communications	Consent / Contractual necessity	Duration of stay + property retention period

Note on Sale of Personal Information:

Vezpa does NOT sell your personal information. We do not disclose personal information to third parties for monetary or other valuable consideration. We do not use personal information for cross-context behavioural advertising.

5. Processing Methods

5.1 PIPEDA Fair Information Principles

Vezpa processes personal information in accordance with the 10 fair information principles set out in Schedule 1 of PIPEDA:

Accountability: we are responsible for personal information under our control
Identifying Purposes: we identify the purposes for collection at or before the time of collection
Consent: we obtain meaningful consent for the collection, use, or disclosure of personal information
Limiting Collection: we collect only what is reasonably necessary for the identified purposes
Limiting Use, Disclosure, and Retention: we use data only for stated purposes and retain it only as long as necessary
Accuracy: we keep personal information accurate, complete, and up to date
Safeguards: we protect personal information with appropriate security measures
Openness: we make our policies and practices readily available
Individual Access: you can request access to your personal information
Challenging Compliance: you can challenge our compliance with these principles

5.2 Processing Means

Data is processed using:

Digital tools: servers, databases, web/mobile applications
Paper-based: only for necessary documents (contracts, invoices)

5.3 Access Controls

Data is accessible to:

Authorized Vezpa personnel (with personal credentials)
Access based on the "need to know" principle (least privilege)
Access logs tracked and monitored

6. Security Measures

6.1 Technical Measures

TLS/SSL Encryption: all data is transmitted encrypted (HTTPS)

Database encryption: sensitive data encrypted at-rest

Password hashing: secure algorithms (bcrypt/Argon2)

Firewall: advanced perimeter protection

Antivirus and Anti-malware: constantly updated

Daily backups: encrypted and geo-redundant

Disaster Recovery Plan: tested restoration procedures

Multi-factor authentication (MFA): for administrative access

24/7 Monitoring: anomaly and intrusion detection

Vulnerability Assessment: periodic security scans

6.2 Organizational Measures

Staff training: privacy and security training

NDA agreements: all employees sign confidentiality agreements

Security policies: documented procedures

Incident management: data breach response plan

Regular audits: periodic compliance reviews

Privacy by Design: privacy integrated into development

Access control: role-based authorizations (RBAC)

6.3 Compliance Standards

PCI-DSS Compliant: through certified payment providers (Stripe)
SOC 2 aligned practices: industry-standard security controls

7. Data Recipients and Disclosures

7.1 Categories of Recipients

Your data may be disclosed to the following categories of recipients:

Category	Recipients	Role	Purpose
Government authorities	CRA, provincial tax authorities, law enforcement (when required)	Independent controllers	Legal obligation
Hosting provider	DigitalOcean	Service provider	IT infrastructure
Payment gateway	Stripe (PCI DSS compliant)	Service provider	Payments
Email provider	IONOS	Service provider	Sending communications
OTA	Booking.com, Airbnb, Expedia, etc.	Independent controllers	Booking management
Professionals	Accountants, lawyers, consultants	Service providers	Professional advice

7.2 No Sale of Personal Information

Vezpa does not sell personal information and has not sold personal information in the preceding 12 months. We do not use personal information for cross-context behavioural advertising.

7.3 International Transfers

Data Transfers:

Vezpa is based in Italy (EU). Data may be transferred internationally as necessary to provide the service. Where personal information is transferred outside Canada, we ensure a comparable level of protection is maintained, in accordance with PIPEDA requirements and Quebec Law 25 provisions on cross-border transfers.

8. Your Privacy Rights

8.1 Rights Under PIPEDA (Federal)

Under PIPEDA, you have the following rights:

Right	Description
Right of Access	Request access to your personal information held by Vezpa, including information about how it has been used and to whom it has been disclosed
Right to Correction	Request correction of inaccurate or incomplete personal information
Right to Withdraw Consent	Withdraw consent for the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions and reasonable notice)
Right to Challenge Compliance	Challenge our compliance with PIPEDA by contacting our privacy contact or filing a complaint with the OPC

8.2 Additional Rights Under Quebec Law 25

If you are a Quebec resident, you have additional rights including:

Right to data portability: receive your personal information in a structured, commonly used technological format
Right to de-indexation: request that your personal information be de-indexed from search or dissemination mechanisms
Right to be informed of automated decisions: be informed when a decision is based exclusively on automated processing
Express consent: non-essential cookies and tracking require your express consent

8.3 Rights Under PIPA (British Columbia and Alberta)

Residents of British Columbia and Alberta have similar rights under their respective PIPA legislation, including the right to access, correct, and challenge the handling of their personal information.

8.4 How to Exercise Your Rights

You can exercise your rights through:

Email: [email protected] (subject: "Privacy Rights Request")
Mail: Vezpa di Paolo Vezzola, Desenzano del Garda, via San Zeno 67, Italy
User area: "Privacy and Data" section in the dashboard (for some rights)

8.5 Verification and Response Times

We will verify your identity before processing your request. Vezpa responds to access requests within 30 days of receipt (extendable in limited circumstances with notice to you), as required under PIPEDA.

8.6 Authorized Representatives

You may designate an authorized representative to submit a request on your behalf. We may require the representative to provide proof of authorization and may still verify your identity directly.

8.7 Limitations on Rights

Some rights may not be exercisable when:

Legal obligations require us to retain the data
Data is necessary for legal defence or to exercise legal claims
An applicable legal exception applies (e.g., solicitor-client privilege)

9. Data Breach Notification

9.1 Breach Procedure

In the event of a data breach, Vezpa:

Assesses the incident promptly upon discovery
Reports to the OPC where the breach creates a real risk of significant harm to individuals, as required by PIPEDA's mandatory breach reporting provisions
Notifies affected individuals as required by PIPEDA and applicable provincial law (including Quebec Law 25, which requires notification to the Commission d'acces a l'information du Quebec)
Documents the incident in the breach register and retains records for at least 24 months
Adopts corrective measures to prevent future breaches

9.2 Transparency

In the event of a data breach affecting you, you will receive a communication containing:

Nature of the breach
Types of information involved
Steps we have taken
Steps you can take to protect yourself
Contact information for questions

10. Children's Privacy

Vezpa's service is intended for users aged 18 and older. We do not knowingly collect personal information from children under the age of 13. Under PIPEDA, meaningful consent for the collection of children's personal information must be obtained from a parent or guardian. If we become aware that we have inadvertently collected personal information from a child under 13 without appropriate consent, we will promptly delete it.

If you believe a child under 13 has provided us with personal information, please contact us at [email protected].

11. Service Provider Agreements

11.1 Agreements with Clients (for guest data)

When the property manager uses Vezpa to process guest data:

The manager is the Organization (Controller)
Vezpa is the Service Provider (Processor)
A Data Processing Agreement (DPA) is concluded defining the terms of processing

11.2 DPA Contents

The Data Processing Agreement contains:

Subject and duration of processing
Nature and purpose of processing
Type of personal information and categories of individuals
Obligations and rights of the organization
Documented instructions on processing
Security measures implemented
Authorized sub-processors
Assistance with individual rights requests

The DPA is an integral part of the Terms of Service.

12. Privacy by Design

12.1 Built-In Privacy

Vezpa integrates data protection from the design stage:

Native encryption in all communications
Pseudonymization where possible
Data minimization in data collection
Granular access controls
Complete audit trail of all operations

12.2 Default Settings

Default settings maximize privacy:

Only strictly necessary data is mandatory
Automatic retention for the minimum legally required period
Marketing opt-in (not opt-out), as required by CASL
Data visibility limited to the minimum necessary

13. Changes to This Notice

This notice may be modified due to:

Changes in federal or provincial privacy laws
New service features
Organizational changes

Material changes will be communicated via email with at least 30 days' notice.

The last update date is always indicated at the top of the document.

PRIVACY RIGHTS NOTICE