Privacy Policy

Last updated: March 15, 2026

This privacy notice describes how Romiltec S.r.l. processes personal data of users accessing the "Chatty" SaaS platform available at chatty.romiltec.it ("Platform"). This notice is provided in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 ("Privacy Code").

1. Data Controller

The Data Controller is:

Romiltec S.r.l. · Innovative Startup (Startup Innovativa)
Registered office: Via Luciano Lama 44, 56012 Calcinaia (PI), Italy
Operational office: Via Provinciale Francesca Nord 92, 56020 Santa Maria a Monte (PI), Italy
VAT / Tax ID: IT02476290503
Share Capital: €10,000 fully paid
ATECO: 62.01 - Software production
Email: [email protected]

Pursuant to Article 37 of the GDPR, Romiltec S.r.l. is not required to appoint a Data Protection Officer (DPO) as it does not carry out large-scale processing of special categories of data nor systematic monitoring of data subjects as a core activity. For any questions regarding the protection of personal data, you may contact the Data Controller at [email protected].

2. Categories of Data Processed

2.1 Browsing data

The computer systems and software procedures used to operate the Platform automatically collect certain personal data during normal operations. This data, inherent in the use of Internet communication protocols, includes: IP addresses, browser type, operating system, domain name, URI (Uniform Resource Identifier) of requested resources, request timestamps, method used to submit the request, response file size, and other parameters relating to the operating system and user's computing environment.

This data is used solely to obtain anonymous statistical information about Platform usage and to ensure its proper functioning, and is deleted after processing. The data may be used to ascertain liability in the event of hypothetical cybercrimes against the Platform.

2.2 Registration and account data

Registering on the Chatty Platform involves the collection of the following personal data:

  • Email address
  • First and last name
  • Company name (if provided)
  • Password (stored in cryptographically hashed form using irreversible hashing; never accessible in plaintext)

This data is necessary to create and manage the user account, grant access to the dashboard, and ensure the security of the service.

2.3 Data from chatbot service usage

Chatty is a SaaS platform enabling its Clients (individuals or legal entities holding an account) to create and manage AI-powered chatbots for integration into their own websites or applications. In this context, two distinct roles must be distinguished:

  • Platform Clients (account holders): Romiltec processes Clients' data as Data Controller, for the purpose of providing the SaaS service.
  • End users of the chatbots: Messages exchanged by end users with chatbots configured by Clients pass through Chatty's infrastructure. In this context, the Client is the Data Controller for their end users' data, and Romiltec acts as Data Processor pursuant to Article 28 GDPR, on the basis of a Data Processing Agreement (DPA) incorporated into the Terms of Service.

Chatbot conversation messages are not used to train artificial intelligence models.

3. Purposes and Legal Bases for Processing

Purpose | Legal basis | GDPR reference
Platform functioning and IT security | Legitimate interest of the Controller | Art. 6(1)(f)
Registration, account management and authentication | Performance of the contract / pre-contractual measures | Art. 6(1)(b)
Provision of the Chatty SaaS service | Performance of the contract | Art. 6(1)(b)
Tax, accounting and legal obligations | Legal obligation | Art. 6(1)(c)
Sending marketing communications and service updates (only with prior consent) | Consent of the data subject | Art. 6(1)(a)
Establishment, exercise or defence of legal claims | Legitimate interest of the Controller | Art. 6(1)(f)

4. Data Retention Periods

Data type | Retention period
Browsing data | 7 days from collection
Registration and account data | For the duration of the active account; 30 days from account deletion
Contractual and billing data | 10 years from termination of the contractual relationship (civil and tax obligations)
Marketing communications data (if activated) | Until withdrawal of consent
Chatbot conversations | 30 days from the conversation

Once the retention periods have expired, data is deleted or irreversibly anonymised.

5. Recipients and Categories of Recipients

Personal data may be disclosed to:

  • Data Processors: third parties that process data on behalf of the Controller pursuant to specific contractual agreements under Article 28 GDPR, including:
    • Hosting and cloud infrastructure providers
    • AI model providers (for generating chatbot responses)
    • Transactional email service providers
    • Payment service providers (for subscription management)
  • Professional advisors: accountants, labour consultants, legal counsel, in fulfilment of contractual, accounting, tax and legal obligations
  • Public authorities: when required by law or by order of a competent authority

Personal data will not be disseminated or communicated to third parties for their own purposes without the data subject's consent.

6. Transfer of Data to Third Countries

Some of the data processors referred to in Section 5, in particular AI model providers and cloud infrastructure providers, may be established in countries outside the European Economic Area (EEA). In such cases, data transfers are carried out in compliance with the safeguards set out in Chapter V of the GDPR, including:

  • Adequacy decisions: for transfers to countries that benefit from an adequacy decision by the European Commission (e.g. the EU-US Data Privacy Framework, decision of July 10, 2023)
  • Standard Contractual Clauses (SCCs): approved by the European Commission under Article 46(2)(c) GDPR, for transfers to countries without an adequacy decision

A copy of the safeguards adopted may be obtained by contacting the Data Controller at [email protected].

7. Rights of the Data Subject

As a data subject, pursuant to Articles 15-22 of the GDPR, you have the right to:

  • Access (Art. 15): obtain confirmation as to whether your personal data is being processed and, if so, to access it
  • Rectification (Art. 16): obtain the rectification of inaccurate personal data or the completion of incomplete data
  • Erasure (Art. 17): obtain the erasure of personal data where one of the grounds provided by the GDPR applies
  • Restriction (Art. 18): obtain the restriction of processing in the cases provided by the GDPR
  • Portability (Art. 20): receive personal data in a structured, commonly used and machine-readable format
  • Objection (Art. 21): object at any time to the processing of personal data based on legitimate interest
  • Withdrawal of consent (Art. 7(3)): withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
  • Automated decision-making (Art. 22): not be subject to decisions based solely on automated processing, including profiling, which produce legal effects. Romiltec does not carry out automated decision-making processes that produce legal effects on data subjects

To exercise your rights, simply send a request to [email protected]. The Data Controller will respond within one month of the request, extendable by a further two months in cases of particular complexity pursuant to Art. 12(3) GDPR.

8. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, a data subject who considers that the processing of their personal data infringes the GDPR has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali):

You may also lodge a complaint with the supervisory authority of your country of residence or habitual establishment within the EEA.

9. Nature of Data Provision and Consequences of Refusal

The provision of browsing data is necessary for the functioning of the Platform. The provision of registration data is necessary to create an account and access the Chatty service; failure to provide such data will make it impossible to register and use the Platform.

The provision of data for marketing purposes is optional, and withholding consent does not affect use of the service.

10. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies. For detailed information on the types of cookies used, their purposes, and how to manage your preferences, please refer to the Cookie Policy.

11. Changes to This Notice

The Data Controller reserves the right to amend this notice at any time by publishing the updated version on the Platform. In the event of material changes, appropriate notice will be given to data subjects at the email address associated with their account. We recommend checking this page periodically.