Cipriani Milano S.r.l. with registered office in Milano, via Gerolamo Morone n. 8, (the “Company” or “Cipriani”) is the data controller which determines the means and purposes of processing the personal data of all users of the website (the “Website”).

This privacy policy is provided in accordance with the national and European Regulation no. 679/2016 – General Data Protection Regulation, or any other regulation issued by any authority for the protection of personal data.


Data Controller
Cipriani Milano S.r.l. with registered office in Milano, via Gerolamo Morone n. 8, C.F. e P.IVA 04563270273.

Data Processor

The person or legal entity, public administration and or any other entity that processes personal data on behalf of the Data Controller, according to this privacy policy.


It means “Casa Cipriani” in Milan, via Palestro 24, or any other location of “Casa Cipriani” in Italy or abroad.

Interested Party

The Interested Party is the person to which refers the collected Personal Data.

Personal Data (or Data)

Personal Data means any and all information which, directly or indirectly or jointly to any other information, identify or make a person identifiable.

It means the services made available to the User through the Website or at the Facility.

Usage Data

It refers to all the information collected automatically through the Website including, by way of example and not limited to: the IP addresses or domain names of the computers used by the User who connects with the Website, the addresses in URI (Uniform Resource Identifier) notation, the time of the request, the method in forwarding the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc. ) the country of origin, the characteristics of the browser and the operating system used by the visitor, the various temporal connotations of the visit (for example the time spent on each page) and the details of the itinerary followed within the Website, with particular reference to the sequence of the pages consulted, to the parameters relating to the operating system and the IT environment of the User.


The person who uses the Website and / or access the Facility as a customer, member, or applicant for membership and who, unless otherwise specified, coincides with the Data Subject.


The website, through which Users’ Personal Data are collected.


The Data Controller is Cipriani Milano S.r.l. with registered office in Milano, via Gerolamo Morone n.8, tax code 04563270273.

Data Controller may appoint a Data Processors in order to process Personal Data for the purposes indicated below and a Data Protection Officer or DPO, who will assess the protection of the personal data. Users may contact the Data Controller at any time, sending a question or request regarding their Personal Data by sending an email to this email address:


The Personal Data collected through the Website, directly or through third parties, include but is not limited to:

Contact information, we collect this type of information:

  • From the User, for example through the newsletter subscription, by using the Website, by submitting requests, creating an account, making a reservation, checking in at the Facility, attending at events or by contacting the customer service;
  • Third party services, such as booking websites or travel rate aggregators, when making a reservation through a third party;
  • Other third-party partners, such as brands we collaborate with or host events with;
  • Our service providers who manage our customer database, provide data processing and storage services; or send communications on our behalf.

Information regarding the access to the Facility, we also collect information relating to visits to the Facility for capacity planning purposes and to comply with guidelines, regulations and government provisions.

Geo-location information, we may make use of technology to determine the User’s current location via Website. Some of our location-enabled services require Personal Data for the features to work. If the User wishes to use the particular feature, it will be asked to consent to Personal Data being used for this purpose. The User can enable or disable location services when using the Website.

Reservation information, information on the User and the guest such as name and surname, e-mail address, payment information and billing information.

Membership application, personal and / or corporate e-mail address, name, surname, date of birth, gender, domicile and residence address, mobile phone number, information on the payment method, personal photo, work information and other personal information necessary to support application, cookies, and usage data.

Personal Data may be provided directly by the User or, in the case of Usage Data, collected automatically when using the Website.

Unless otherwise specified, all the Data requested by the Website are mandatory. If the User refuses to provide them, it may be impossible for Cipriani to provide the Service. In cases where the Website indicates some Data as optional, Users are free to refrain from providing such Data, without this having any consequence on the availability of the Service or on its operation.

Users who may have doubts about which data are mandatory are invited to contact the owner.

The User declares and guarantees that the Personal Data belong and refer to the User himself, assuming all related responsibility for this declaration and releasing the Owner from any liability to third parties.


Data processing methods

Data Controller uses specific security methods in order to guarantee that data processing is compliant to the regulation on the protection of personal data and in order to avoid the access, the unauthorized disclosure, the manipulation, or destruction of the Personal Data. 

In any case, Data could be transferred to other companies of the Cipriani Group, to the entities appointed by the Data Controller to perform specific activities and/or, more in general, in their favour if they act as independent data controller and/or data processor, and the notification and/or disclosure of Personal Data required by the law, or authorities, courts, or other public entities for the aim of defence or State security or prevention, assessment or repression of crime.

As an example, Data Controller may communicate the Interested Party’s Personal Data to:

  • other company of the Cipriani Group, for the purpose of providing the Services also in other location managed by Cipriani and/or for the purpose of attending events organized by other companies of the Cipriani Group;
  • Employees, staff, suppliers of the Company, for the purpose of their related mansion and/or contractual obligation concerning the relations with the Interested Party;
  • Legal counsel, administrative and tax counsel that advise the Company in the performance of its activity;
  • Bank institute for managing proceeds and payments arising from the agreement executed with the Interested Party; 
  • Sub-supplier and sub-contractors involved in activities connected to the execution of the agreement between Users and the Company, in their quality as external Data Processors; 
  • Public entities and/or judicial authorities and/or supervisory bodies, in case of their request, in their quality as independent data controllers; and
  • IT Service suppliers or cloud systems;

The complete list of data processors may be requested by the interested party, at any time, by sending a written request to the following address:

Storage and transfer

The Personal Data are processed at the Data Controller registered offices and are stored in United Kingdom on the server of the supplier of the data storage services.

We ensure processing is made according to this privacy policy and with a proper level of protection.

Personal Data might be transferred out of the UE or UK to be stored in server used by Cipriani or external Data Processors specifically appointed. The transfer is necessary in order to execute the Services and in particular, to allow the User the best experience at the Facility, as well as to access the facilities belonging or managed by the Cipriani Group. In any case, the transfer is carried out by Cipriani, subject to the execution with the suppliers of the servers and / or services of standard contractual clauses in compliance with the format issued by the European Commission.

Storage period

The Data are processed and stored for the time required by the specific purpose of the collection, always considering the minimization principle and for a period not longer than the time required for the purposes of the collection and processing.

In general, the Data shall be stored until the first date among:

  • the third anniversary from the last use of the Website by the User or from the last interaction of the User with Cipriani;
  • the third anniversary after the User’s account cancellation, if the User was registered on the Website.

The following categories of data may be stored for a longer time:

  • financial and accounting data (including invoices, payments, reimbursement etc.) are stored for the time indicated by any tax and accounting law; 
  • all the contents generated by the users (including purchased products, behaviours on the Website) are made anonymous, but are kept available for aggregated analysis.

At the end of the storage period the Personal Data shall be cancelled. Thus, at the end of that term, the right to access, delete, modify and the right of portability of the Data shall no longer be exercised.


Users’ Data are collected for the purpose of providing and optimize the Services and also for:

1.         the identification of the User required to access the Website and access to dedicated products and services, and also in order to properly assist the User;

2.         to confirm and manage the membership application;

3.         to confirm and manage the reservations and the stay at the Facility;

4.         provide the User with concierge services and assistance included in the Services, including sending of confirmations or pre-arrival messages, provide assistance in meetings, events or celebrations;

5.         to provide support to the User and manage the assistance requests;

6.         to inform the User about changes to the Services, and apply the terms, conditions and policies;

7.         the enforcement of rights, including the recovery of credits; (purposes from 1 to 7, “Contractual Purposes”);

8.         fulfilment of the obligation provided by the law, including notices to the competent authorities and supervision bodies and the compliance to the requirements coming from those entities (“Legal Purposes”); and

9.         in case the Interested Party expressed its consent, in order to improve the experience of the Interested Party and satisfy its needs, marketing analysis and commercial communications, development of the marketing activities and better understand users’ needs in order to improve the services (including the user interface) and the selection of products offered (“Legitimate Interest Purposes”).

For any further information related to the collected Personal Data and each purpose, User may contact the Data Controller to this address:


Collection of Personal Data is mandatory:

  • for the provision of Services and for the access at the Facility in relation to the Contractual Purposes,
  • for the legal compliance, with regard to the Law Purposes.

The Interested Party is free to provide its data and provide the consent. However, the refusal to provide the Personal Data and the related consent for the Contractual Purposes and the Law Purposes shall prevent Cipriani from executing the agreement or provide a Service.

Users may at any time request to the Data Controller for which purposes the Personal Data are collected and if it is legally grounded, provided by any agreement or necessary to execute the agreement with the User or to provide a Service.


Users may enforce certain rights on the Personal Data collected by the Data Controller, including:

  • the right to revoke any time the consent. Users may revoke the consent previously granted for the collection of their Personal Data at any time.
  • The right to object the processing. The user can oppose the processing of their data when it occurs on a legal basis other than consent. Further details on the right to object are indicated in the section below.
  • the right of access. Users have the right to access to information on their Personal Data processed by the Data Collector, on certain aspect of the processing and to obtain copy of the Data.
  • the right to be informed and to rectification. Users have the right to assess if incorrect data are processed and to revise or make changes to their Data.
  • the right to restrict processing. Upon certain conditions, Users may limit or restrict the processing of their Data. In such a case the Data Controller shall not process the collected Data but shall keep them for storage only.
  • the right to cancellation or deletion of Personal Data. Upon certain conditions, Users may request the cancellation or deletion of the Personal Data collected by the data Controller.
  • the right to data portability. Users have the right to receive their Data in a commonly used and readable format, ad if technically possible, obtain the portability to a different data controller. This provision applies when the Data are processed by means of automated system and the processing is based on the Users’ consent, on an agreement to which the User is a party, or according to related contractual provision.
  • the right to claim. Users may claim to the competent authority or start a judicial proceeding, whenever their privacy right are not being upheld.

If the Interested Person intend to exercise the right provided under this article 7, it shall contact the data Controller to the following mail address:

Details on the right to object

When Personal Data are processed for public interest, as execution of public powers of which the Data Controller is vested or for a legitimate interest of the Data Controller, Users have the right to object to the processing of their Data for reasons connected to their special status. Users may ask the Data Controller to stop sending newsletters at any time and with no need to provide any explanation, by following the instruction indicated in the newsletter. 

How to exercise Users’ right

In order to exercise their rights, Users may address a request to the Data Controller to the contact details indicated in this document. Requests are processed by the data Controller as soon as possible.


This Website uses Cookie.

Cookies are small text content that the Website sends to the Users’ device, where they are registered to be then sent back to the Website upon the following visit to the same Website.

IT Systems and software procedures of the Website register, during their normal operation, certain personal data whose transmission is implicit in the use of internet communication protocols. This kind of information is not collected to be associated with identified subjects, but for their nature could allow users to be identified. This type of data includes IP address or domain name of personal computers used by the Users to browse the Website, the URI address (Uniform Resource Identifier), timing of the request, the method used to send the request to the server, the file dimension of the reply, the code number indicating the status of the reply form the server (successful, error) and other parameters related to the operative system and to the informatics environment of the User.

This kind of data, collected in aggregated way by means of so called “analytic” cookies are used only to obtain statistics and anonymous information on the use of the Website and to control if it works correctly. Those data could be used also, if necessary, in order to assess any liability for IT crimes which damaged the Website.

The use of the so called “session cookies” (which are temporarily recorded on the Users’ personal computer and are cancelled upon closing) is strictly limited to data aimed to identify the session (casual numbers generated by the server) which are necessary to allow a secure and efficient use of the Website.

The Website also uses the so called “technical” cookies that can be used by the Data Controller without the Users’ consent, save for the need to provide this privacy policy, and cookies for the purpose of profiling and direct marketing, to make the User watch spots or to send newsletters regarding products and/or personalized services, closer to the Users’ needs and interest.

The Website contains third parties’ cookies for the same purposes indicated above, upon which the Data Controller has no control.

The User may accept or refuse the processing of data through cookies for profiling and marketing purposes, however, the refusal may limit certain features of the Website and make the use of the Website less effective.



Users’ Personal Data may be used by the Data Controller in a proceeding or in the preliminary phases of a proceeding regarding the abuse of the Website or of the Services provided to the User.

Users acknowledge of being aware that the Data Controller might be obliged to disclose the Data upon order of a public authority.

Other information not included in this privacy policy

For any further information related to the processing of Personal Data contact the Data Controller at this address:

Privacy policy changes

The Data Controller reserves the right to change this privacy policy at any time, by notifying the Users through this page. Please read this page regularly, referring to the date of last change, indicated below. In case the changes to this privacy policy are not accepted by the Users, they shall not use the Website and they shall ask to the Data Controller to delete their Data. Save as otherwise stated, the previous privacy policy shall apply to the Personal Data collected until then.

January 31, 2022

AmexSelect Hotels
Select HotelsSelect HotelsSelect HotelsSignature Travel NetworkSerandipians Hotel Partner