
Privacy policy

of the users visiting the websites of STRAF Hotel

Pursuant to Article 13 EU Regulation GDPR 2016/679

This page contains a description of the policies for managing the website with regard to the processing of the personal data of the users who visit the site and their privacy. This information is provided, pursuant to article 13 of the General Data Protection Regulation EU GDPR 679/2016 – Laws concerning the Protection of Personal Data, to the individuals who interact with the web services of STRAF Hotel, which are accessible by telematic means through the following web address:,

which corresponds to the home page of the official website of STRAF Hotel on Via San Raffaele, 3 - 20121 Milano.

The information provided does not concern other online websites, pages or services that can be accessed via hyperlinks on the above website but relate to resources outside the STRAF Hotel domain.


Following access to this website, data pertaining to persons that are identified or identifiable may be processed. The “Controller” of the personal data collected following a visit to our website or any other data used for providing our services is Lira Spa - Gestione Hotel Straf.


The Lira Spa Data Protection Officer (DPO) is Mr. Massimo Bruno who can be contacted at: .


Data processing pertaining to the web services of this website [physically hosted by SiteGround Spain S.L. on an intra-EU server located in Amsterdam (NL), sub-processor of RELACTIONS S.R.L., appointed as Data Processor] is carried out at our headquarters, and said data is processed only by the technical personnel of the data processing office in charge of processing, or by any persons in charge of processing who are entrusted with occasional maintenance operations.

The personal data obtained from the users who submit hotel booking requests or through informative material (informative notes, newsletters, registration, etc) is used only to carry out the services or assistance requested and is not transmitted to third parties, except in the following possible cases:

• Business partners of STRAF Hotel or Design Hotels (Marriott Group), Lira SPA Data Processor, through its service provider Sabre GLBL Inc – USA, Design Hotels Data Processor, to whom the Data Controller transmits data exclusively in order to process on-line Bookings via SynXis web platform, among which ATHENA Solutions S.R.L. ITA, Channel Manager Booking System Providers;
• Software suppliers: web check-in and PMS – SIGESGROUPS ITA;
• Persons, companies or professional offices who lend assistance and consulting services to Lira Spa;
• Subjects whose right to access data is recognized by legal provisions or by authorities' orders.


Personal Data can be shared within the hotels of “Design Hotels – MARRIOTT Group”, including companies located in a country that is not a member of the European Union and that may not guarantee the adequate safeguards provided by the Privacy Code, in accordance with Chapter V of the GDPR 679/2016, or of the so-called “Milan Hoteliers” Network to which Lira Spa belongs, with a view to supplying specific services requested. The credit card data used for booking will be automatically unavailable at the end of the stay.


Navigational data

The information systems and software procedures relied upon to operate this web site acquire personal data as part of their standard functioning; the transmission of such data is an inherent feature of Internet communication protocols. Such information is not collected in order to relate it to identified data subjects, however it might allow user identification per se after being processed and matched with data held by third parties. This data category includes IP addresses and/or the domain names of the computers used by any user connecting with this web site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of such requests, the method used for submitting a given request to the server, returned file size, a numerical code relating to server response status (successfully performed, error, etc.), and other parameters related to the user's operating system and computer environment. These data are only used to extract anonymous statistical information on website use as well as to check its functioning; they are erased immediately after being processed. The data might be used to establish liability in case computer crimes are committed against the website; except for this circumstance, any data on web contacts is currently retained for no longer than seven days.

Data voluntarily provided by the user

Sending e-mail messages to the addresses mentioned on this website, which is done on the basis of a freely chosen, explicit, and voluntary option, entails acquisition of the sender's address, which is necessary in order to reply to any request, as well as of such additional personal data as is contained in the message(s).

Data will be retained only for registration requests to receive the newsletters or special offers, and will not be disclosed to anyone.

The personal information regarding the individual who visited the website is not collected or used. The visitors remain anonymous. The only exception to this rule concerns the information for personal identification needed to fulfill the contractual obligations of bookings on behalf of the user.


In the event of bookings made through the website, the user must provide his name, address, telephone number and information regarding the payment method and credit card used. Lira Spa - Gestione Hotel Straf will use said information only to process the bookings and to send specific information relevant to the confirmation of said bookings, such as a receipt, the booking code and the conditions.

The information provided will not be used for marketing purposes and will not be sold, transmitted, given by contract or sent to third parties in any way, with the exception of our provider of on-line booking services, Design Hotels, and its sub data processor Sabre GLBL Inc. with its Bookings Central System SynXis, with server located in a country outside the EU (USA), to whom the processing of the bookings is entrusted, only for online booking purposes.

In any event, the administrator of the website guarantees the use of scrupulous procedures in order to protect the navigational data and the use of particular precautions to protect the data pertaining to the credit card, which is provided during on-line bookings.


Site visitors can register for our newsletter service. By registering, the user's e-mail address will automatically be included in a list of contacts to which e-mail messages will be sent. The newsletter will contain periodic updates with commercial and promotional information relating to initiatives, events or promotions of the data controller.

To subscribe to the newsletter, you can use the registration forms on the site by entering your name and e-mail address. The information supplied with the registration form will be used only to send our newsletter via e-mail and will not be disclosed to third parties. The newsletters will be sent through the SYS Dat Turismo platform acting as data processor.

Personal Data Processing Collected from Curriculum Vitae

Lira Spa accepts the personal Curriculum Vitae of possible candidates in electronic format. The spontaneous and voluntary provision of Curriculum Vitae data will be considered as implicitly informed consent by the data subjects to the processing of the personal data contained therein, only for purposes related to the selection of potential candidates.

The data processed for the purpose of selecting candidates are personal data useful for searching for the particular profile. In general, the nature of the data is normal, except in some cases where you may indicate any sensitive data necessary to identify the specific requirements of the regulations, such as specifying a particular protected class, the suitability for certain jobs and / or start-ups required, within the limits set by the General Provision of June 5, 2019 which modified the General Authorisation of the Garante (Italian Supervisory Authority) no. 1 of December 15, 2016 on the processing of sensitive data in work relationships.

The provision of data relating to the selection of candidates is required. Any refusal to provide such data makes it impossible to perform an orderly selection and the possible recruitment. The data in question will not be disclosed to anyone.

General Rules for providing the CV

Any CV received spontaneously, uploaded through the appropriate form available on this website, or sent in reply to a job advertisement or to a request from us, will be stored directly by the person in charge of the processing in accordance with the safety guidelines for personal data adopted in compliance with the security measures according to Chapter IV Section 2 of GDPR 679/2016. CVs will be printed only on the occasion of a meeting and a conversation with the data subject. After the interview, if the candidate is not selected, the CV will be stored for three months and afterwards will be deleted and / or destroyed. In all other cases, after a short period of time and after the talks and after the trial period (90 days) CVs will be deleted from the PC and, if printed, they will be destroyed.

Data Subjects can send their CVs in the following ways:

 • form in this website available at the following LINK;

 • by ordinary mail to the address: Human Resources Dpt, Lira Spa - Gestione Hotel Straf, via San Raffaele 3, 20121 Milano

 • by e-mail at: 


According to the provisions set forth in art. 5 par. 1 lett. e) of the Regulation (EU) 2016/679, collected personal data shall be retained in a form which permits identification of data subjects for a period not exceeding the purposes for which the personal data were collected and subsequently processed.

Data retention periods depend on the purposes of the processing:

 • purposes related to technical navigation data for the correct functioning of the website: retention only for the related session, after which the data are deleted;

 • purpose of reply to info request/services supply request (up to 12 months for contact requests; 10 years for administrative / accounting / financial documentation relating to the provision of a service);

 • data collection for staff recruitment (up to 3 months);

 • newsletter, marketing or promotional communications in general (24 months - until withdrawal of consent);

 • purpose of administrative / accounting / financial management: 10 years as required by law for the conservation of administrative / accounting / financial documentation.


This website applies cookie technologies for different purposes, including computer authentication, session monitoring, and storing specific technical information regarding the users who access the web server provider, in compliance with the Guidelines on cookies and other tracking tools adopted on the websites (10 June 2021) of the Italian Data Protection Authority and the Guidelines of the European Data Protection Board (EDPB) of May 2020. More information on the cookies adopted is available in the Cookie Policy of this website.


Personal data is not transferred to non-EU third countries, except for any cases described above where, in any case, the adoption of appropriate safeguards is ensured, in compliance with Chapter V of the GDPR.

For transfers to the USA or other non-EU countries, in the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, the transfer takes place on the basis of:

• Google Advertising Cookie: by standard data protection clauses adopted by the EU Commission (pursuant to Article 46, 2c GDPR) according to commission implementing decision (EU) 2021/914(5) of 4 June 2021 for the transfer of personal data to third countries;

• Booking Data, Design Hotels - MARRIOTT: the transfer is necessary for the performance of a contract between the data subject and the controller, or the implementation of pre-contractual measures taken at the data subject's request, pursuant to art. 6 a) and 49 paragraph 1, b) of the GDPR.


Subject to the specifications made with regard to navigation data, users are free to provide the personal data listed in the request forms of Hotel Straf or referred to in contacting the hotel in order to provide CV, to make on-line bookings or to request delivery of information materials and other communications. Failure to provide such data may entail the failure to be provided with the items requested.


Personal data is processed with automated means for no longer than is necessary to achieve the purposes for which it has been collected. Specific security measures are implemented to prevent the data from being lost, used unlawfully and/or inappropriately, and accessed without authorisation. There is no provision for an automated decision-making process for the processing of personal data.


You may contact the Data Controller or the DPO at any time to exercise your rights as provided for in Chapter III GDPR 679/2016, in particular, the right to request access to and rectification or erasure of personal data or restriction of processing concerning you or to object to processing, the right to obtain a copy of the personal data being processed as well as the right to data portability, also by sending a written request to the following e-mail address:


If a data subject considers that the processing of personal data relating to him or her as performed via this website infringes the Regulation, he or she has the right to lodge a complaint with the Garante pursuant to Article 77 of the Regulation, or else to bring a judicial proceeding against the Garante pursuant to Article 79 of the Regulation.


Legislative Decree (D. Lgs.) no. 24 of 10 March 2023, implementing Directive (EU) 2019/1937, was issued concerning "the protection of persons who report breaches of Union law and containing provisions concerning the protection of persons who report breaches of national law".

The company has activated the reporting channels in compliance with Legislative Decree no. 24 /2023. The reporting portal is accessible at the following link: All the information and operating methods for activating the reporting channels can be found on this portal.