PRIVACY POLICY - ACCESS TO THE FACILITY'S WI-FI NETWORK AND MARKETING - UPDATE DATE: 8 NOVEMBER 2023

A) DATA PROCESSING FOR THE PETRIOLO FACILITY WIFI SERVICE

DATA CONTROLLER Petriolo s.r.l. with registered seat in Milan (MI), Italy, Corso Porta Nuova, n. 15, 20121, VAT 06642280488 ("Petriolo" or the "Controller"), PEC petriolo@pec.net, Email privacy@vignamaggio.com

SOURCE OF DATA The data is collected from the data subject or automatically by the systems of the Controller at the time of access to the Wi-Fi network of the facility.

PROCESSED DATA IDENTIFICATION AND CONTACT DATA: name, surname, e-mail address OTHER INFORMATION: IP address, Mac Address, information related to logs of access and disconnection from the Service, other parameters regarding the operating system and computer environment used by the guest. The identification data will not be correlated with users' browsing data except for specific investigation or verification needs required by the competent Authorities. In addition, the Controller does not process any data related to users' devices for the purpose of location or movement tracking (using Wi-Fi location tracking techniques).

PURPOSES OF THE PROCESSING The data is processed to allow access to the Wi-Fi network of the Controller's facility. The identification data will also be used in order to allow the competent authorities to trace the author of any illegal conduct perpetrated through the use of the Wi-Fi service.

LEGAL BASIS The execution of contractual obligations of which the guest of the facility and the Controller are a party in order to allow access to the facility's Wi-Fi (Article 6, paragraph 1, lt. B) GDPR). The fulfillment of legal obligations regarding security to which the Controller may be subject as a result of the user's access to the facility's Wi-Fi (Article 6, paragraph 1, lt. C) GDPR).

PROVISION OF DATA The provision of data for access to the wi-fi network is necessary. In the event of failure to provide, or incomplete, the Controller may not be able to allow access to the Wi-Fi network.

DATA RETENTION PERIOD The identification data for access to the Wi-Fi network will be kept by the Controller for a period of 3 days from the first connection. The Controller may keep the data to exercise or defend any right or claim in legal proceedings. The retention of telematic traffic data generated by the user is, according to the relevant legislation, exclusively on the telecommunication operators.

B) DATA PROCESSING FOR MARKETING PURPOSES

JOINT DATA CONTROLLERS Petriolo s.r.l. with registered seat in Milan (MI), Italy, Corso Porta Nuova, n. 15, 20121, VAT 06642280488 and Villa Vignamaggio S.r.l. ("Vignamaggio"), VAT 04072370481, with registered seat in via Petriolo 5 -50022- Greve in Chianti (FI), Italy, which can be reached at the following addresses: PEC petriolo@pec.net and vignamaggio@pec.vignamaggio.com, Email privacy@vignamaggio.com (the "Joint Controllers").

SOURCE OF DATA The data is collected from the data subject.

PROCESSED DATA IDENTIFICATION AND CONTACT DATA: name, surname, e-mail address, country of origin

PURPOSES OF THE PROCESSING The data may be processed for direct marketing purposes, such as sending newsletters, information and commercial communications, updates on the latest launches, offers and promotions relating to the products and services of Petriolo and Vignamaggio and partners operating in the fields of: wellness, accommodation, leisure, wines, restaurants, tours and events. The data may also be processed to perform market research, statistical analysis or other research to improve the products and services of Petriolo and Vignamaggio and of the partners belonging to the following categories: wellness, accommodation, leisure, wines, restaurants, tours and events, as well as for customer satisfaction surveys. We may carry out these activities through our newsletter, via email, even by automated means (SMS, social media). The data subject can choose to receive such communications exclusively by non-automated means (for example, non-automated telephone calls or by post) by writing an e-mail to privacy@vignamaggio.com

LEGAL BASIS The consent of the data subject to the processing of data (Article 6, paragraph 1, lt. A) GDPR).

PROVISION OF DATA The provision is optional. In case of failure to provide the data, the user will not receive offers and promotions from Petriolo and Vignamaggio, and his data will not be used for market research and statistical analysis or customer satisfaction surveys.

DATA RETENTION PERIOD If the user has given their consent, they can withdraw it at any time by clicking on the "unsubscribe" link included in our marketing email received or by sending an email to privacy@vignamaggio.com. Petriolo and Vignamaggio will no longer use and delete the processed data (i) for marketing and other commercial purposes or (ii) in order to improve relations with their customers, after 24 months from the date of the last stay.

RECIPIENTS/CATEGORIES OF DATA RECIPIENTS The data will be processed by employees of the Controller or of the Joint Controllers, depending on the processing, expressly authorized to processing on the basis of the instructions received and after the adoption of suitable measures to protect the data in relation to all the purposes indicated above. The following subjects may become aware of the data in relation to the processing purposes provided for in this policy and may process the data both as autonomous controllers and as processors duly appointed by the Controller or by the Joint Controllers, depending on the processing (the list of these processors and autonomous controllers is available upon request via e-mail to be sent to privacy@vignamaggio.com), including: - Service providers that operates as a data processor dealing with (i) the management of the servers located in the United Kingdom where the data necessary to access the Wi-Fi service will be temporarily stored; and (ii) the management of the centralized system for customer relations; - HubSpot, Inc. with registred seat in 25 First Street, 2nd Floor, Cambridge, MA 02141, USA, company that operates as a data processor dealing with the management service of the Petriolo and Vignamaggio customer database (see here for more details https://legal.hubspot.com/dpa); - Vignamaggio Servizi srl with registered seat in Via G. Pastore 3, Greve in Chianti, Florence, VAT 07016610482, company that operates as a data processor dealing with marketing services on behalf of Petriolo and Vignamaggio (sending newsletters, market research, customer satisfaction analysis); - Other subjects who carry out activities functional to the achievement of the aforementioned purposes, i.e. companies that provide IT infrastructure and IT support and consulting services; - Law firms, accountants and auditing firms; - Subjects who can access the data under EU legislation or the Member State's to which Petriolo and Vignamaggio are subject.

DATA TRANSFER TO AN NON-EU COUNTRY The data processing will be carried out at the facility of the Controller or of the Joint Controllers, depending on the processing, in Italy, as well as at the servers managed by the data processors indicated above, in the United Kingdom, South Africa and the United States. In case of transfer of personal data to third countries: - it will be ensured that the country to which the personal data will be sent guarantees an adequate level of protection, as required by Article 45 of the GDPR; or - the standard contractual clauses approved by the European Commission for the transfer of personal information outside the EEA will be adopted (these are clauses approved under Article 46 (2) of the GDPR).

DATA PROCESSING METHODS The data will be processed in compliance with the principles of correctness, lawfulness and transparency, through manual and automated methods and through the use of paper and electronic means, in any case within the limits of the purposes of the data processing(s) set out in this policy and, in any case, always guaranteeing the security and confidentiality of the data.

RIGHTS OF DATA SUBJECTS The data subject may at any time exercise the following rights under the conditions and within the limits provided for in Articles 12-22 of the GDPR by sending an email to privacy@vignamaggio.com: - Right of access (Article 15 GDPR); - Right to rectify inaccurate personal data and to obtain the integration of incomplete personal data (Article 16 GDPR); - Right to delete personal data (Article 17 GDPR); - Right to limit the processing (Article 18 GDPR); - Right to object to processing pursuant to Article 6 (1), letters (e) or (f), of the GDPR, including profiling (Article 21 GDPR); - Right to lodge a complaint with the supervisory authority (Article 77 GDPR). In the event that the data subject believes that the processing of personal data carried out by the Controller, or by the Joint Controllers, depending on the processing, occurs in violation of the provisions of Regulation (EU) 2016/679, they have the right to lodge a complaint with the Supervisory authority, in particular in the Member State in which they habitually reside or work or in the place where the alleged violation of the regulation has occurred (in Italy the Garante Privacy https://www.garanteprivacy.it/), or to refer to the appropriate judicial offices.

CONDITIONS OF USE OF THE WI-FI SERVICE

Access to the Wi-Fi network will be available free of charge, by registering on a specific captive portal, to all guests of the Controller's facility, who are of legal age. By entering the data in the registration form, the user confirms that they are at least 18 years old.

The user of the WiFi service will be responsible for the activities carried out while connecting to the internet and for any illegal or improper use of the device authorized for access. In particular, while using the WI-FI service it is prohibited to: - carry out any activity contrary to the law; - access websites that are contrary to the law or to the public purposes of the service (sites of pedophilia, which inspire violence and racism, etc.); - disturb other network users (spamming); - disseminate or use material that violates copyrights or other intellectual or industrial property rights through the network; - carry out any activity that may be aimed at circumventing or deceiving the access control and / or security systems.

The user undertakes to indemnify and hold harmless the Controller from any liability, damage or claim of third parties for any reason for the violation of the prohibitions indicated above or any other use that does not comply with the law.

The user is aware of the IT risks inherent in navigation and acknowledges that the Controller does not provide any guarantee with respect to the provision of the WiFi service with regard to quality and continuity, nor with respect to the content and information found by the user on the internet. The user also acknowledges that access to the WiFi network may not be subject to data encryption and it will therefore be the user's responsibility to take appropriate security measures to protect the data and content transmitted via their device. The Controller reserves the right to suspend the WiFi service at any time and in the event of illicit or improper use by the user, communicating the incident to the public security authorities in the event of violations that may hypothesize illegal behavior.