Privacy Policy

1. Data Controller

The Data Controller pursuant to art. 4, no. 7 of the GDPR is:

Antalia AI S.R.L. — Via dei Coronari 45, 00186 Rome (RM), Italy.

VAT and Tax ID 18487481006 — REA RM 1787996.

Email: amministrazione@antalia.ai — PEC: antaliaai@pec.it.

No Data Protection Officer (DPO) has been appointed, as the processing activities do not fall within the cases listed in art. 37 GDPR. Any privacy-related request may be sent directly to the Controller at the addresses above.

2. Categories of data collected

We collect the following categories of personal data:

Data voluntarily provided through the contact form: name, email address, company (optional), request type, message content.

Navigation data collected in aggregated form via Vercel Analytics in privacy-friendly mode: requested URLs, referrer, country (approximate geolocation), device and browser type. Full IP addresses are not collected, no tracking cookies are used, and no fingerprinting or profiling is performed.

Server technical logs: partial IP address, request timestamp, user agent. These are collected solely for security and diagnostic purposes.

Any data entered into the AI chatbot (when active): the conversation text is transmitted to Anthropic PBC to generate responses, is not used to train models and is not retained beyond what is necessary for the operation of the service.

3. Purposes of the processing

Data is processed for the following purposes:

a) responding to requests for information, demos, partnerships or collaborations received through the contact form or the chatbot;

b) implementing pre-contractual measures and, if established, managing the subsequent contractual relationship;

c) fulfilling obligations imposed by law, regulation or EU legislation (e.g. tax and accounting);

d) ensuring site security, preventing fraud and abuse, analysing service usage in aggregated form to improve it.

4. Legal basis for processing

Pursuant to art. 6 GDPR, the legal bases of the processing are:

— Consent of the data subject (art. 6(1)(a)) for submission of the contact form, expressed through an acceptance checkbox;

— Performance of pre-contractual measures requested by the data subject (art. 6(1)(b));

— Compliance with legal obligations to which the Controller is subject (art. 6(1)(c));

— Legitimate interest of the Controller in network security and aggregated usage analysis (art. 6(1)(f)), documented through an internal balancing test in favour of the data subject's rights.

5. Recipients and Data Processors

Data is not disclosed or sold to third parties for commercial purposes. It may be communicated to entities appointed as Data Processors pursuant to art. 28 GDPR, under a dedicated Data Processing Agreement (DPA):

— Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA): hosting, CDN and privacy-friendly analytics;

— Resend Inc. (2261 Market Street #5039, San Francisco, CA 94114, USA): transactional email delivery for the contact form;

— Anthropic PBC (548 Market Street PMB 90375, San Francisco, CA 94104, USA): provider of the language model service used by the chatbot (when active); conversations are handled in no-training mode.

Data may also be disclosed to public authorities, legal advisors, accountants and appointed auditors, exclusively for legal or contractual compliance purposes.

6. Data transfers outside the European Union

Some of the Processors listed above (Vercel, Resend, Anthropic) are based in the United States of America. Data transfers are performed on the basis of:

— Standard Contractual Clauses adopted by the European Commission under Decision 2021/914/EU;

— any adherence by the provider to the EU–U.S. Data Privacy Framework, where applicable;

— additional technical measures (TLS 1.2+ encryption in transit, encryption at rest), organisational measures (restricted access, logging) and contractual measures adopted in light of the Court of Justice of the EU ruling C-311/18 (Schrems II).

Data subjects may obtain a copy of the safeguards adopted by writing to amministrazione@antalia.ai.

7. Retention period

Data is retained for the time strictly necessary for the purposes for which it was collected:

— Data provided through the contact form: maximum 24 months from collection, unless a contractual relationship is established;

— Technical logs and security data: maximum 12 months;

— Data related to contractual relationships: for the entire duration of the contract and thereafter for 10 years in compliance with civil and tax obligations (art. 2220 Italian Civil Code, art. 22 Presidential Decree 600/1973);

— Chatbot conversations: not retained beyond the user session, except for documented security needs.

8. Rights of the data subject

In relation to the processing activities described, the data subject may at any time exercise the rights provided by arts. 15-22 GDPR:

— right of access to personal data (art. 15);

— right to rectification of inaccurate or incomplete data (art. 16);

— right to erasure, a.k.a. right to be forgotten (art. 17);

— right to restriction of processing (art. 18);

— right to data portability (art. 20);

— right to object to processing based on legitimate interest (art. 21);

— right not to be subject to automated decision-making, including profiling (art. 22);

— right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.

9. How to exercise your rights

The data subject may exercise their rights by sending a written request, together with a copy of a valid ID document, to one of the following addresses:

— Email: amministrazione@antalia.ai

— PEC: antaliaai@pec.it

— Postal mail: Antalia AI S.R.L., Via dei Coronari 45, 00186 Rome (RM), Italy.

The Controller will respond without undue delay and in any case within 30 days of receiving the request, pursuant to art. 12 GDPR.

10. Right to lodge a complaint

A data subject who considers that the processing of their personal data infringes the GDPR has the right to lodge a complaint with the competent supervisory authority, which in Italy is:

Garante per la protezione dei dati personali — Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it — Email: protocollo@gpdp.it — PEC: protocollo@pec.gpdp.it.

The right to bring proceedings before a judicial authority remains unaffected.

11. Data security

The Controller adopts technical and organisational measures appropriate to ensure a level of security commensurate with the risk, in accordance with art. 32 GDPR. Such measures include: encryption in transit (TLS 1.2+) and at rest, access management based on the principle of least privilege, access logging, backup and disaster recovery procedures.

12. Changes to this Privacy Policy

The Controller reserves the right to amend this Privacy Policy to reflect any regulatory or service evolution. Changes will be published on this page and the date at the bottom will be updated. Users are invited to review this Privacy Policy periodically.