Privacy Policy

Data Protection Declaration

In the following, we provide you with information about the collection of personal data when using this website. The service provider as defined in Sec. 13 Telemediengesetz (TMG) [Telemedia Act] and thus the data controller under the EU General Data Protection Regulation (GDPR) is Hidden Italy (officially registered in Germany under the name Die Versteckte Toskana e.K.). More information on the contact details are set forth in our legal notice.

One note in advance: Data protection is a human right. We will never sell, lease out or otherwise disseminate or publish your personal data. 

The protection of your privacy and personal data is of great importance to us. We attach great care to such aspect in the course of our online activities. Therefore, our data protection practice is in accordance with the applicable data protection provisions, in particular the General Data Protection Regulation (GDPR) as well as further legal regulations.

In order to protect your data against accidental or deliberate manipulation, loss, destruction or access by unauthorised parties in the best possible way, we use technical and organisational security measures which we continuously optimise in accordance with technical and legal developments.

Access to personal data at Hidden Italy is granted only to individuals who need such data to perform their duties within the controller, have been informed of the statutory provisions on data protection and have undertaken to adhere to them in accordance with the applicable statutory provisions.
Below, we would like to explain to you which of your personal data we collect and for which purposes we use them. Therefore, we would like to ask you to read the below information carefully.

1. Definitions of Terms
The Data Protection Declaration of Hidden Italy is based upon the terminology which was used by the issuers of European guidelines and regulations upon adoption of the GDPR. Our Data Protection Declaration should be easy to read and understand, both for the public and for our customers and business partners. To guarantee this, we would like to explain the terms used beforehand.
a) Personal Data
Personal data as defined in Art. 4(1) of the GDPR means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b)    Data Subject
Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for processing.
c)    Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d)    Data Controller or Processing Controller
‘Controller’ or ‘processing controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
e)    Consent
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Collection and Storage of Personal Data

In particular, we collect and store your personal data for the following purposes:

For our own internal records
To improve the services which we offer
To contact you regarding a specific enquiry
To send you advertising e-mails on services, offers and other things which might be of interest to you
To send you information on a rental property
To keep you up to date with our news
To show you special offers
To ask you for feedback

In detail, the following personal data are processed:

a) When visiting the website
When accessing our website, information used by the browser on your device is automatically sent to the server hosting our website. This information is stored temporarily in a so-called log file. The following information is collected in this process without any manual input from you and will be stored until its automatic erasure:

  • IP address of the accessing computer,
  • date and time of access,
  • name and URL of the file accessed,
  • website from which the access originates (referrer URL),
  • browser used and, as the case may be, the operating system of your computer and the name of your access provider.

We will process the aforementioned data for the following purposes:

  • guaranteeing smooth establishment of connection to the website,
  • guaranteeing comfortable use of our website,
  • evaluating system security and stability as well as
  • for other administrative purposes.

The legal basis for data processing is Art. 6(1) sentence 1 point (f) of the GDPR. Our legitimate interest follows from the purposes of data processing that are listed above. Under no circumstances will we use collected data to draw conclusions regarding your person.

Furthermore, we use website cookies when you visit our website. You can find further explanations on this under No. 5 of this Data Protection Declaration.

b) When using our contact form
Should you have queries of any kind, we offer you the option to contact us using a contact form provided on our website. In this case, a valid email address must be entered so that we know who is sending the query and so that we are able to reply to it. You may provide further information if you wish.

Data processing for contacting us takes place based on Art. 6(1) sentence 1 point (a) of the GDPR and based on your consent provided voluntarily by you.

The personal data collected by us when you use the contact form will be erased automatically once the request submitted by you has been dealt with. You can find further information on this under No. 12 of this Data Protection Declaration.

c) When using our newsletter
Our website allows you to subscribe to our company newsletter. The nature of the personal data transmitted to the processing controller at the time the subscription to the newsletter is made can be seen in the input screen used to this end.

The personal data collected in connection with registration for the newsletter is used only for the delivery of our newsletter. Data processing for contacting us takes place based on Art. 6(1) sentence 1 point (a) of the GDPR and based on your consent provided voluntarily by you. You can find further information under No. 10 of this Data Protection Declaration.

d) When booking our holiday homes
The collection, processing, use and transfer of the personal data collected takes place in accordance with Art. 6 (1) sentence 1 point (b) of the GDPR and only to the extent required for the performance of the contractual relationship between us as data controller and you as customer.

3. Data Disclosure

Your personal data are not disclosed to third parties for any purposes other than the purposes listed below.

We will only pass on your personal data to third parties, if:

  • you have given your express consent in accordance with Art. 6(1) sentence 1 point (a) of the GDPR,
  • disclosure is necessary pursuant to Art. 6(1) sentence 1 point (f) of the GDPR in order to assert, exercise or defend legal claims and if there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
  • in the case of a legal obligation to disclosure according to Art. 6(1) sentence 1 point (c) GDPR, and
  • doing so is legally permissible and, pursuant to Art. 6(1) sentence 1 point (b) GDPR, necessary for the execution of contractual matters with you.

4. Erasure of Your Data

To the extent your data are no longer needed for the above purposes, they will be deleted. To the extent data need to be stored for legal grounds, they will be blocked. Then, the data are no longer available for further use.

5. Use of Cookies

When you visit our website, information is stored on your computer in form of a cookie within your browser software. The cookie contains information on your use of the website. The use of cookies facilitates your use of the functions as we recognise your computer when you visit us again; thus, repeated data entry is made easier for you.

The cookies used by us (small files with configuration information) assist in identifying the use frequency and the number of users of our website and to enable you to use the service to its full extent. This is a legitimate interest in the sense of Art. 6(1) point (f) of the GDPR.

Most browsers are set so that they accept cookies automatically. You can deactivate the storage of cookies, however, or set your browser so that you are notified as soon as the cookies are placed. Furthermore, you can delete the cookies stored from your hard disk at any time. Please note that your use of our website may be limited if you deactivate the storage of cookies.

6. Social Media Plug-Ins

Based upon Art. 6(1) sentence 1 point (f) of the GDPR, we use social plug-ins from social networks on our website for the purpose of raising the profile of our company this way. The underlying advertising purpose is to be considered a legitimate interest in terms of GDPR. For this, there are small symbols with buttons (social media plug-ins) on our websites which invite you to use the social media (such as Facebook and Twitter). The links/buttons of social networks and platforms used within our website generally establish a contact between social networks and the users only if users click the links/buttons and the respective networks and/or the websites thereof are accessed. This function has the same operating principle as a regular online link. The following list provides an overview of the social media providers linked, including links to their privacy notices which contain further information on the processing of data and options to object:

a) Facebook

Social media plug-ins from Facebook are used on our website in order to make the use more personal. For this, we use the Facebook button. This is a service provided by Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA.

If you access any of the pages on our website that contains such a plug-in, your browsers will establish a direct connection with the servers of Facebook. Facebook directly transfers the plug-in contents to your browser, which then includes them on the website.

Through the embedding of the plug-ins, Facebook receives the information that your browser has accessed the corresponding page of our website even if you do not have a Facebook account or are not currently logged in to Facebook. This information (including your IP address) will be transferred by your browser directly to a server of Facebook in the USA and stored there.

If you are logged in to Facebook at that time, Facebook can assign your visit to our website to your Facebook account. If you interact with the plug-ins and press the Facebook button, the corresponding information will also be transferred directly to a server of Facebook, where it will then be stored. The information will also be published on Facebook and shown to your Facebook friends.

Facebook can use this information for the purposes of advertising, market research and the needs-oriented design of the Facebook pages. For this purpose, use, interest and relationship profiles are created by Facebook, for the evaluation of your use of our website in terms of the advertisements that you are shown by Facebook, to inform other Facebook users about your activities on our website, and to provide further services associated with the use of Facebook, for example.

If you do not wish Facebook to assign the data collected via our website to your Facebook account, you must log out of Facebook before your visit to our website.

For further information on the purpose and the extent of the collection and processing of data by Facebook and on your associated rights and settings options for the protection of your private sphere, please refer to the data protection information of Facebook (

b) Twitter

Plug-ins from the short-message network Twitter Inc. (Twitter) are embedded on our web pages. You can recognize the Twitter plug-ins (tweet button) by the Twitter logo on our web page. An overview of the tweet buttons is available here (

If you access a page on our website that contains a plug-in of this kind, a direct link between your browser and the Twitter server will be established. In this way, Twitter receives the information that you have visited our website with your IP address. If you click on the Twitter “tweet button” while you are logged into your Twitter account, you can link the contents of our website to your Twitter profile. If you do so, Twitter can assign your visit to our website to your user account. Please note that as the provider of the websites, we have no knowledge of the contents of the transferred data or its use by Twitter.

If you do not want Twitter to be able to assign your visit to our website, please log out of your Twitter user account.

For more information, please refer to the Twitter privacy policy (

c) LinkedIn

Our website uses functions of the LinkedIn network. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.

Whenever you access one of our websites that contains functions of LinkedIn, a connection will be established to the LinkedIn servers. LinkedIn is informed that you visited our websites with your IP address. If you click on the “Recommend button” of LinkedIn and are logged on to your account with LinkedIn, LinkedIn is able to attribute your visit to our website to you and to your user account. Please note that we, the website provider, do not have access to the content of the data transferred or its use by LinkedIn.

For more information, please refer to the LinkedIn privacy policy at:

d) Google+

Our websites use Google+ functions. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Recording and forwarding of information: By means of the Google+ push button, you can publish information worldwide. Via the Google+ push button, you and other users receive personalised contents from Google and our partners. Google stores both, the information that you gave +1 for a content and information about the website that you watched when clicking +1. Your +1 can be shown as reference together with your profile name and your photo in Google services, e.g. in search results or in your Google profile, or at other places on websites and advertisements on the Internet.

Google records information about your +1 activities in order to improve the Google services for you and others. In order to be able to use the Google+ push button, you need a globally visible, public Google profile, which must at least contain the name selected for the profile. This name is used in all Google services. In some cases, this name may also replace another name that you used while sharing contents using your Google account. The identity of your Google profile may be shown to users who know your e-mail address or have other pieces of identifying information about you.

Use of the recorded information: In addition to the purposes of use explained above, the information provided by you will be used according to the applicable Google data protection regulations. Google may publish summarised statistics about the +1 activities of the users and/or will forward them to users and partners such as publishers, advertisers or connected websites.

e) YouTube

We use the provider YouTube on our website for the integration of videos. YouTube is operated by YouTube LLC with principal place of business at 901 Cherry Avenue, San Bruno, CA 94066, USA.

YouTube is represented by Google Inc. with registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. You can recognise the YouTube plug-ins (button) by the YouTube logo on our website.

When you access the pages of our website containing a YouTube plug-in, a connection is established to the YouTube servers and the plug-in is presented. This way, the YouTube server is informed which of our webpages you have visited. If you are logged on to YouTube as a member, YouTube will assign this information to your personal user account. When you use the plug-in, e.g. by clicking the start button of a video, this information will also be assigned to your user account. You can prevent such assignment by logging out from your YouTube user account as well as other user accounts of the companies YouTube LLC and Google Inc. and deleting the corresponding cookies of such companies before using our website.

Further information on data processing and information on data protection at YouTube (Google) is set forth at

f) Vimeo

For the integration of videos, we use the provider Vimeo. Vimeo is operated by Vimeo, LLC having its headquarters in 555 West 18th Street, New York, New York 10011.

We use Vimeo plug-ins on our website. When you access the pages containing such plug-in, a connection is established to the Vimeo servers and the plug-in is presented. In this context, the Vimeo server is informed about which of our pages you have visited. If you are logged in to Vimeo as a member, Vimeo will assign this information to your personal user account. When you use the plug-in, e.g. by clicking the start button of a video, this information will also be assigned to your user account. You can prevent this assignment by logging off from your Vimeo user account and deleting the corresponding Vimeo cookies before using our website.

For more information on the data processing and on the data privacy policy of Vimeo, please refer to

7. Information on Google Analytics

This website uses Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, text files stored on your computer which help to analyse how you use our website. The information about your use of this website (including your IP address) that is generated by the cookies is transferred to a Google server in the USA and stored there. Acting on our behalf, Google will use this information in order to evaluate your use of the website, to compile reports on the website activities for the website operators and to provide further services connected to the website use and internet use to us. If legally required, or if third parties process these data on behalf of Google, Google may forward these data to third parties. However, please note that Google Analytics was extended by the code “gat._anonymizeIp();” on this website. This means that IP addresses are only collected in a shortened, i.e. anonymised, form. Google will not associate your IP address with other data of Google. You can prevent cookies from being installed on your device by changing the settings on your browser software accordingly; however, we would like to point out that if you do so, you may not have full access to all functions of this website.

By using this website, you agree to the processing of the collected data by Google in the manner and for the purposes described above.

You can object to the collection and use of your IP address by Google Analytics with effect for the future at any time. For further information, please visit

You can find further information on the general terms and conditions of use of Google Analytics at:

The privacy provisions on Google Analytics can be found at:

8. Google Maps

Google Maps (third-party service) is embedded within the website. Google Maps serves the purpose of presenting maps. Google-Maps is operated by Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (hereinafter referred to as: third-party provider).

The third-party provider has to collect the IP address of the users of the website as the contents (maps) cannot be sent to the browser of the respective user without such address. This is a legitimate interest in the sense of Art. 6(1) point (f) of the GDPR. Thus, the IP address is required for the presentation of the maps in the browser of the respective user. By using Google Maps, information on the use of the service, in particular the IP address, is therefore transferred to a Google server in the USA and stored there, where applicable. If you do not agree to such processing of your data, you have the option to deactivate the “Google Maps” service and this way preventing transfer of data to Google. For this, you have to deactivate the JavaScript function in your browser. Please note, however, that you may not be able to use or to use all functions of “Google Maps” in such case. Further information on data processing by Google is set forth in the Google privacy policy at:

9. Google Web Fonts
For the uniform representation of fonts, this website uses “web fonts”, which are provided by Google. When accessing a website, your browser will load the necessary web fonts into your browser cache in order to display texts and fonts correctly.

For this purpose, the browser you use must establish a connection to the Google servers. In this way, Google finds out that our website was accessed by your IP address. Google web fonts are used to ensure uniform and appealing representation of our online offers. This is a legitimate interest in the sense of Art. 6(1) point (f) of the GDPR.

If your browser does not support web fonts, one of your computer's standard fonts will be used.
For more information regarding Google web fonts, please refer to and the Google data privacy policy:

10. Subscription to our Newsletter

Our website allows users to subscribe to our company newsletter. The nature of the personal data transmitted to the processing controller at the time the subscription to the newsletter is made can be seen in the input screen used to this end.

E-mails with marketing-related information about us, our services and offers are sent to you only subject to your express consent. Before we send any newsletters, you will receive a confirmation e-mail in which we ask you for your consent to receive our newsletter. In this confirmation e-mail, you have to confirm your newsletter subscription. Any subscriptions not confirmed will be automatically deleted. If you decide to subscribe to our newsletter, we do not ask you for your consent to receive our newsletter. For the purpose of distribution information by newsletters, the e-mail address you provide to us will be forwarded to Mailchimp which provides e-mail marketing services for us. We regard Mailchimp as data processor of third-party providers. Your e-mail address will remain in the database of Mailchimp as long as we use the services of Mailchimp for e-mail marketing or until you expressly request removal from such list.

If you are under the age of 16, you have to obtain the consent of your parents before you subscribe to our e-mail newsletter.

The personal data collected in connection with a registration for the newsletter is used only for the distribution of our newsletter and is based upon your consent under Art. 6(1) sentence 1 point (a) of the GDPR. Furthermore, newsletter subscribers can be informed by e-mail, where this is necessary to operate the newsletter service or if a related registration is required, as this might be the case if any modifications are made to the newsletter offering or in the event that the technical conditions change. No personal data collected in connection with the newsletter service will be disclosed to third parties. The data subject can terminate his or her subscription to our newsletter at any time. The consent given by the data subject to us to the retention of personal data for the delivery of the newsletter can be withdrawn at any time. Each newsletter contains a link for the purpose of withdrawing your consent; alternatively, you can send your withdrawal of consent to us by e-mail to Furthermore, the data subject also has the possibility to unsubscribe from the newsletter directly on the website of the processing controller or to communicate this to the processing controller in any other manner whatsoever.

11. Liability for Links

Our offer contains links to external third-party websites, on the contents of which we do not have any influence. We therefore cannot accept any liability for such third-party content. The person bearing ultimate responsibility for the contents of the linked websites is always the respective provider or operator of the websites. The linked websites were reviewed for potential legal violations at the time of linking. No unlawful content was identifiable at the time of linking. However, we cannot reasonably be expected to permanently monitor the content of linked websites without concrete indications of an infringement. If we become aware of infringements, we will remove such links immediately.

12. Contact Form

You have the option to make requests and bookings, inter alia, on our website; in the course thereof, you need to state personal data. The respective input mask shows which personal data is transferred and processed. If you decide to contact us via a contact form on our contact pages or by e-mail, the data will be collected in an e-mail and sent to us via the Simple Mail Transfer Protocol (SMTP). Our SMTP servers are protected by TLS (sometimes also referred to as SSL) which means that the e-mail content is encrypted before it is sent via the internet. Then, the e-mail contents will be decrypted by our local computers and devices. If you contact us (by contact form or e-mail), your information will be stored internally for the purpose of processing of the query as well as if follow-up questions arise. The personal data provided for the purpose of requesting information (such as name, address, e-mail) will be used by us only for the fulfilment and settlement of the order.

This data will be treated in a confidential manner and not disclosed to third parties which are not involved in the booking and payment process. Art. 6 I point (b) of the GDPR is the legal basis of processing.

We transfer your data to third parties only if this is required for accounting purposes (e.g. performance of bank transactions) or otherwise in order to fulfil our contractual obligations towards you. For the exercise of your rights as data subject to access, rectification, erasure, restriction of the processing and data portability, please send a brief notice to us; the contact details are set forth below. 

13. Protection of Your Personal Data

In order to process your personal data in a manner which is as secure as possible, we generally use the SSL (secure socket layer) security software for data transfer between your computer and our server. This way, each data transfer is encrypted. In addition, we maintain current technical measures in order to ensure data security, in particular for the protection of your personal data during data transfers as well as from access by third parties. These measures are adjusted in accordance with the state of the art. In principle, your personal data is stored in compliance with the legal provisions within the Federal Republic of Germany.

14. Right to access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection and withdrawal of consent

You have the right to request from us at any time information on your data stored by us in accordance with the provisions of Art. 15 of the General Data Protection Regulation. Furthermore, you can request access to them at any time free of charge and without stating reasons, where applicable, request their rectification under Art. 16 of the GDPR and/or erasure under Art. 17 of the GDPR and/or the restriction of processing of your personal data under Art. 18 of the GDPR and/or exercise your right to data portability under Art. 20 of the GDPR and/or to objection under Art. 21 of the GDPR and/or withdraw any consent to data collection and use provided to us without stating reasons. If you have granted us your consent to the use of data, you can withdraw it at any time without stating reasons and free of charge.

To this end and/or in order to receive further detailed information on data protection, please contact us at the address set forth in the legal notice or by e-mail to

15. Complaint with the Supervisory Authority Regarding Data Protection Breaches

Anyone who assumes that their rights were violated in the course of collecting, processing or using of their personal data may contact the competent data protection supervisory authority in accordance with Art. 77(1) of the GDPR. The competent supervisory authority for complaints regarding data processing performed by us is Landesbeauftragte für den Datenschutz (LDI NRW) [State Officer for Data Protection], Kavalleriestraße 2-4, 40213 Düsseldorf. The latter will take charge of the complaint and inform the data subject about the result.

The Service Provider and Controller for this Website is:

Hidden Italy (Die Versteckte Toskana, Feriendomizile Bettina Röhrig e. K.)
Logebachstraße 5
D - 53639 Königswinter

Register court Amtsgericht [Local Court] of Siegburg, HRA 3779
Owner: Bettina Röhrig
Phone: +49 (0) 2223 - 908019

For further information on the data controller, please refer to the legal notice within our website.

16. Our Relationships to Affiliates

Our partnerships: At present, we have affiliate relationships to the following companies in order to offer additional services in connection with your visit to Italy:
Auto Europe (car rental)
Weekend in Italy (museum ticket booking)

Your interaction with our affiliate partners: If you use services of one of our affiliates, please note that you become the customer of such affiliate partner and that their data protection declaration will apply. If you purchase from them, you enter into a transaction which is beyond our control; the affiliate partner will fulfil duties connected to payment, contract performance and customer service.

Auto Europe (Data Protection Declaration
Weekend in Italy (Data Protection Declaration

17. Data Protection Breaches

We will report to all relevant persons and authorities any unlawful data protection breach within the database of this website or the database(s) of one of our data processors if it is obvious that personal data stored in an identifiable manner were stolen.

18. Changes to our Data Protection Declaration

This Data Protection Declaration may change from time to time, in accordance with legislation or developments in our industry. We will not expressly inform our customers or website users about such changes. Instead, we recommend that you occasionally check this website for policy changes. Certain changes and updates to policies will be mentioned in the change log below.