Legal

Datenschutzerklärung

Zuletzt aktualisiert: March 17, 2026

How we collect, use, and protect your personal data.

1. Data Controller

The data controller for personal data processed through the BlueKeys platform is:

  • Ferraro Filippo — BlueKeys
  • Ditta Individuale — ATECO 799004
  • Via Santa Maria dell'Orto 19 Sc. A
  • 80053 Castellammare di Stabia (NA), Italy
  • P.IVA: 10979511218 — CF: FRRFPP85D03G568N
  • Email: info@bluekeys.it
  • Phone: +39 320 369 6668

This Privacy Policy is provided in accordance with Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR") and the Italian Legislative Decree no. 196/2003 (as amended by Legislative Decree no. 101/2018).

For any privacy-related inquiries, data access requests, or to exercise your rights under GDPR, contact: privacy@bluekeys.it

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Data

When you create an account, we collect your full name, email address, password (stored in hashed form), phone number (optional), and profile photo (optional). For Host accounts, we additionally collect your tax identification number, bank account details (IBAN), and business registration information where applicable.

2.2 Booking Data

When you make or receive a booking, we collect booking dates, number of guests, special requests, communication between Host and Traveler, and booking status history.

2.3 Payment Data

Payment information (credit card numbers, bank account details) is collected and processed directly by our payment processor, Stripe. BlueKeys does not store full credit card numbers. We retain transaction records, amounts, dates, and payment status for accounting and legal purposes.

2.4 Property Data

For Hosts, we collect property details including address, descriptions, photographs, amenities, pricing, availability, and house rules.

2.5 Device and Usage Data

We automatically collect information about your device and how you interact with the Platform, including IP address, browser type and version, operating system, referring URLs, pages viewed, time spent on pages, click patterns, and device identifiers.

2.6 Communication Data

We collect the content of messages exchanged through the Platform's messaging system, as well as any emails or other communications you send to us directly.

3. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

  • Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary to provide our services, including account management, booking processing, payment handling, and Host-Traveler communication.
  • Legitimate interest (Art. 6(1)(f) GDPR): Processing necessary for fraud prevention, platform security, improving our services, and internal analytics. We balance our legitimate interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with legal obligations, including tax reporting, anti-money laundering requirements, and responding to lawful requests from authorities.
  • Consent (Art. 6(1)(a) GDPR): Processing based on your explicit consent, such as marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Creating and managing your account;
  • Processing bookings and facilitating payments between Hosts and Travelers;
  • Enabling communication between Hosts and Travelers;
  • Verifying Host identities and property information;
  • Sending booking confirmations, reminders, and transactional notifications;
  • Providing customer support and resolving disputes;
  • Improving and optimising the Platform through analytics;
  • Detecting and preventing fraud, abuse, and security incidents;
  • Complying with legal and regulatory requirements;
  • Sending marketing communications (only with your consent).

5. Third-Party Data Sharing

We share personal data with the following categories of third parties, only to the extent necessary for the purposes described:

Third PartyPurposeData Shared
StripePayment processingName, email, payment details
SupabaseDatabase hosting and authenticationAccount data, booking data
VercelWebsite hosting and CDNIP address, usage data
OTA PlatformsChannel distribution (if enabled by Host)Property data, availability
Hosts / TravelersFacilitating bookingsName, contact info, booking details

We do not sell your personal data to third parties. We require all third-party service providers to process personal data in accordance with the GDPR and to implement appropriate security measures.

6. International Data Transfers

Some of our third-party service providers (including Stripe, Supabase, and Vercel) may process data outside the European Economic Area (EEA). In such cases, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Adequacy decisions by the European Commission;
  • EU-US Data Privacy Framework certification (where applicable).

7. Data Retention

We retain personal data for the following periods:

  • Account data: For the duration of your account, plus 3 years after account closure;
  • Booking data: 10 years from the booking date (as required by Italian tax law);
  • Payment records: 10 years (as required by Italian tax and accounting regulations);
  • Communication data: 3 years from the date of the communication;
  • Device and usage data: 26 months from collection;
  • Marketing consent records: For the duration of consent, plus 3 years.

After the applicable retention period, data is securely deleted or anonymised.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and to receive a copy of that data.
  • Right to rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure (Art. 17): You have the right to request the deletion of your personal data, subject to legal retention obligations.
  • Right to restriction (Art. 18): You have the right to request the restriction of processing of your personal data in certain circumstances.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21): You have the right to object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it.

To exercise any of these rights, please contact us at privacy@bluekeys.it. We will respond to your request within 30 days.

You can also delete your account directly from your Account Settings page.

9. Cookies

We use cookies and similar tracking technologies on the Platform. For detailed information about the cookies we use, their purposes, and how to manage them, please refer to our Cookie-Richtlinie.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest;
  • Secure authentication mechanisms, including password hashing and optional two-factor authentication;
  • Regular security audits and vulnerability assessments;
  • Access controls limiting data access to authorised personnel only;
  • Secure hosting infrastructure with industry-standard certifications.

While we take all reasonable precautions, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data.

11. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly. If you believe that a child under 18 has provided us with personal data, please contact us at info@bluekeys.it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make material changes, we will notify you by email or by posting a prominent notice on the Platform at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically.

13. Contact Information

For any questions or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

FAQ

Wie verwendet BlueKeys meine persönlichen Daten?+
Wir verwenden Ihre Daten nur zur Abwicklung von Buchungen, zur Kommunikation mit Gastgebern und zur Verbesserung unserer Dienste. Wir verkaufen Ihre Daten niemals an Dritte.
Kann ich die Löschung meiner Daten beantragen?+
Ja. Gemäß der DSGVO können Sie jederzeit die Löschung Ihrer persönlichen Daten beantragen, indem Sie info@bluekeys.it kontaktieren.

Alles an einem Ort

Unterkünfte, Touren, Transfers und Bootscharter — eine Plattform, eine Buchung

Verifizierte Gastgeber

Jede Unterkunft persönlich von unserem Team geprüft

24/7 Concierge

Lokale Unterstützung von der Buchung bis zum Check-out

Lokale Expertise

Mit Sitz in Sorrent — wir kennen jeden Winkel