Privacy Policy - Mila SRL
Last Updated: January 27, 2026
Introduction
Welcome. Your privacy is of paramount importance to us. This Privacy Policy describes how Mila SRL ("we," "us," or "our") collects, uses, shares, and protects personal information of users ("user" or "you") who use our website www.milapartments.com (the "Site") and our short-term rental accommodation booking services (the "Services").
This document has been drafted in compliance with Regulation (EU) 2016/679 (known as the "GDPR") and applicable data protection regulations. We invite you to read it carefully to understand our privacy practices.
For any questions related to this policy, you can contact us at direzione@milapartments.com.
1. Data Controller
The Data Controller of your personal data is:
Mila SRL
- Registered Office: Corso Indipendenza, 5 - 20129 Milan (Italy)
- VAT Number: IT08846990961
- Contact Email: direzione@milapartments.com
- Phone: +39 02 4003 1125
2. Types of Data Collected
We collect various categories of personal data to provide and improve our Services. Below are the main types of data collected, either independently or through third parties:
A. Data Provided Voluntarily by the User
- Personal and Contact Data: Name, surname, email address, phone number, residential address, date and place of birth, nationality.
- Booking Data: Dates of stay, number of guests, accommodation preferences, special requests.
- Payment Data: Information related to credit/debit cards or other payment methods. This data is securely managed by our payment service providers compliant with the PCI-DSS standard and is not stored on our servers.
- Guest Registration Data: Identity document (ID card, passport) in compliance with public security laws (e.g., obligation to report to the Police in Italy).
- Communications: Content of messages exchanged with our customer service or through the Site's contact forms.
B. Data Collected Automatically
- Usage Data: Information about how you interact with our Site, including pages visited, searches performed, links clicked, IP address, browser type and device, operating system, and access dates/times. This data is also collected through cookies and similar technologies.
- Geolocation Data: We may collect approximate information about your location (at city or country level) from your IP address to personalize your experience.
C. Data Collected from Third Parties
- Online Booking Platforms (OTA): If you book our accommodation through platforms such as Booking.com, Airbnb, etc., we receive from them the necessary data to manage your booking (e.g., name, stay dates, contacts).
- Social Media: If you interact with our social profiles or use social login features, we may receive data from the social network provider based on your privacy settings on that platform.
The provision of certain data is mandatory for the execution of the booking contract and to comply with legal obligations. Refusal to provide such data may result in the inability to provide the requested Services.
3. Purpose and Legal Basis for Processing
We process your personal data for specific purposes and only in the presence of an adequate legal basis. The purposes and their respective legal bases are as follows:
| Processing Purpose | Data Processed | Legal Basis |
|---|---|---|
| A. Service Provision | Personal, contact, booking, payment data | Contract Execution with the user (e.g., managing the booking, providing accommodation, assisting the customer). |
| B. Legal Compliance | Personal data, identity document data | Legal Obligation (e.g., reporting guest presence to public security authorities, tax and accounting obligations). |
| C. Communications and Marketing | Name, email address, booking history | User Consent (to send newsletters, promotional offers, discounts) or Legitimate Interest (for service communications or marketing of services similar to those already purchased). |
| D. Service Improvement and Statistics | Usage data, aggregated geolocation data | Legitimate Interest (to analyze Site usage, improve user experience, and develop new services). |
| E. Security and Fraud Prevention | Usage data, payment data, personal data | Legitimate Interest (to protect our Site, prevent fraudulent activities, and ensure transaction security). |
| F. Rights Protection | All relevant data categories | Legitimate Interest (to exercise or defend a right in court). |
The user has the right to withdraw their consent for marketing purposes at any time, without prejudicing the lawfulness of processing based on consent given before withdrawal.
4. Processing Methods and Security Measures
Personal data processing is carried out through computer and/or telematic tools, with organizational methods and logic strictly correlated to the stated purposes. We adopt appropriate technical and organizational security measures to prevent unauthorized access, disclosure, modification, or destruction of personal data, in compliance with Art. 32 of the GDPR.
5. Communication of Data to Third Parties
Your personal data may be communicated to third parties for the purposes described above. Such parties will operate as Data Processors (appointed by us) or as independent Data Controllers. Categories of recipients include:
- Technical Service Providers: Hosting providers, IT companies, email platform providers.
- Payment Service Providers: Banks and companies managing online payments.
- Booking Platforms (OTA): To synchronize availability and manage bookings.
- Consultants and Professionals: Law firms, accountants, labor consultants.
- Public Authorities: Public security authorities (e.g., Police), tax agencies, and other authorities to which communication is legally mandatory.
- Authorized Personnel: Our employees and collaborators duly instructed and authorized to process data.
We do not disclose your personal data to unspecified recipients. The updated list of Data Processors can be requested at any time from the Data Controller.
6. Data Transfer Abroad
Personal data is processed at the Data Controller's operational offices and in any other location where the parties involved in processing are located. Your data may be transferred to countries outside the European Union (EU) or European Economic Area (EEA).
In such cases, we ensure that the transfer complies with GDPR provisions, for example:
- To countries that the European Commission has deemed to offer an adequate level of protection.
- Based on Standard Contractual Clauses (SCC) approved by the European Commission.
- In the presence of other adequate safeguards provided by the GDPR.
For more information on data transfers, you can contact the Data Controller.
7. Data Retention Period
We retain your personal data for the time strictly necessary to achieve the purposes for which it was collected and to comply with legal obligations.
- Data for Contract Execution: Retained for the entire duration of the contractual relationship and, after termination, for the legal limitation period (typically 10 years for civil and tax purposes).
- Data for Legal Obligations: Retained for the period required by applicable law (e.g., data for reporting to the Police).
- Data for Marketing Purposes (based on consent): Retained until withdrawal of consent by the user.
- Data for Legitimate Interest: Retained until satisfaction of such interest, unless the user objects to processing.
Upon expiration of the retention period, personal data will be deleted or irreversibly anonymized.
8. Rights of the Data Subject
As a data subject, you have the right to exercise the following rights at any time, pursuant to Articles 15-22 of the GDPR:
- Right of Access (Art. 15): Obtain confirmation of whether or not processing of data concerning you is taking place and, if so, access to the data and information about processing.
- Right to Rectification (Art. 16): Obtain correction of inaccurate personal data concerning you.
- Right to Erasure ("Right to be Forgotten," Art. 17): Obtain erasure of your personal data in certain circumstances.
- Right to Restrict Processing (Art. 18): Obtain restriction of processing in certain cases.
- Right to Data Portability (Art. 20): Receive in a structured, commonly used, and machine-readable format the personal data concerning you and transmit it to another controller.
- Right to Object (Art. 21): Object at any time to processing of your data for direct marketing purposes or when processing is based on legitimate interest.
- Right Not to Be Subject to Automated Decision-Making (Art. 22): Not be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.
To exercise your rights, you can send a request to the Data Controller's email address: direzione@milapartments.com.
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you habitually reside, work, or where the alleged violation occurred (for Italy, the Data Protection Authority - Garante per la Protezione dei Dati Personali, www.gpdp.it).
9. Cookie Policy
Our Site uses cookies and other tracking technologies. For detailed information, we invite you to consult our Cookie Policy available on the Site.
10. Changes to This Privacy Policy
We reserve the right to modify this privacy policy at any time, giving appropriate notice to users on this page. Please consult this page regularly, referring to the last update date indicated at the top.
If changes affect processing whose legal basis is consent, we will collect your consent again if necessary.
Privacy Contacts: Mila SRL - direzione@milapartments.com - +39 02 4003 1125
This Privacy Policy complies with Regulation (EU) 2016/679 (GDPR).

