Loading...
Loading...
Data Controller: Gitogi Srl, Piazza IV Novembre 4, 20124 Milano — VAT No. 14288420962
Data Controller Contact: privacy@gitogi.com | Certified Email (PEC): pec@pec.gitogi.com
Pursuant to Art. 37(1) GDPR, the designation of a Data Protection Officer (DPO) is not mandatory for Gitogi Srl, as the company does not carry out large-scale processing of special categories of data or systematic monitoring of data subjects. The controller is directly reachable at the contact details provided above for any privacy-related enquiry.
We collect personal data that you voluntarily provide through our contact forms, the AI Readiness assessment, newsletter subscription, resource downloads, and interactions with our AI chatbot. Data may include: first name, last name, email, company name, role, profession, firm size.
Your data is processed for the following purposes:
| Purpose | Legal Basis | Retention |
|---|---|---|
| Responding to contact requests | Art. 6(1)(b) (performance of contract) | 12 months if not converted |
| AI Readiness Assessment | Art. 6(1)(a) (consent) | 30 days if not converted |
| Newsletter delivery | Art. 6(1)(a) (consent, double opt-in) | Until unsubscription + 3 months |
| Free guide downloads | Art. 6(1)(b) (performance of contract) | 12 months |
| Marketing communications | Art. 6(1)(a) (separate consent) | Until withdrawal + 3 months |
| Automated lead scoring | Art. 6(1)(f) (legitimate interest) | 24 months of inactivity |
| AI Chatbot | Art. 6(1)(a) (consent) | 90 days |
| Consent registry (GDPR audit) | Art. 6(1)(c) (legal obligation) | 5 years |
| AI audit log (AI Act) | Art. 6(1)(c) (legal obligation) | 5 years |
| Service purchases and order processing | Art. 6(1)(b) (performance of contract) | 10 years (Italian fiscal obligation D.P.R. 633/72) |
| Quote requests for professional services | Art. 6(1)(b) (pre-contractual measures) | 5 years |
| AI Tools platform (policy generator, inventory, compliance checker) | Art. 6(1)(b) (performance of contract) | User-controlled (deleted with account) |
| AI Literacy certification and learning | Art. 6(1)(b) (performance of contract) | User-controlled (deleted with account) |
| Community forum and member profile | Art. 6(1)(b) (performance of contract) | User-controlled (deleted with account) |
| Content access logging (templates, tools) | Art. 6(1)(f) (legitimate interest) | 2 years |
We use an automated scoring system (lead scoring) to classify contacts based on their level of interest, pursuant to Art. 22 GDPR.
The system is rule-based (not machine learning) and relies exclusively on behavioural signals: email type, declared profession, firm size, completed assessment, downloaded guides, newsletter subscription.
We do not use sensitive data (Art. 9 GDPR) in score calculation.
You have the right to:
For more details, please see the AI Transparency.
The chatbot on this website is a generative artificial intelligence system based on third-party Large Language Models (LLMs) running on AWS Bedrock in the European Union (eu-south-1, Milan): Claude as the primary provider, with Mistral as fallback. Direct US providers (Anthropic, OpenAI) are disabled by default and may be enabled only by the administrator with supplementary safeguards.
Data is retained for the time strictly necessary to fulfil the purposes for which it was collected, as indicated in the table in section 2. Where configured, scheduled cleanup routes enforce the retention windows described below. For third-party processors and out-of-band systems, deletion may require operational follow-up under the applicable provider workflow.
The following providers act as data processors pursuant to Art. 28 GDPR:
Locations and safeguards below reflect our configured deployment choices and the contractual terms in force with each provider. Where processing occurs outside the EU, the specific transfer mechanism is indicated in the table and detailed in section 8.
| Provider | Service | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication, storage | EU (eu-central-1, Frankfurt) | N/A (data in the EU) |
| Stripe | Payment and subscription processing | USA / EU | EU-US DPF + SCCs |
| Amazon Web Services (Bedrock) | Primary AI chat (Claude Opus/Sonnet/Haiku) and intra-Bedrock fallback (Mistral Large) via AWS Bedrock with cross-region EU inference profile; knowledge-base RAG embeddings (Cohere Embed v4, 1024 dim, eu-west-1 Ireland) | EU (eu-south-1 Milan primary; cross-region EU: eu-central-1 Frankfurt, eu-west-1 Ireland, eu-west-3 Paris) | N/A (data resident in the EU); AWS EMEA SARL is a European entity, AWS Inc. is the US parent (residual CLOUD Act exposure mitigated by EUDB + Bedrock regional guarantees) |
| Mistral AI (La Plateforme) | EU-sovereign cross-cloud AI fallback — Layer 3 of resilience stack. Active only when AWS Bedrock EU is fully unavailable. | EU (Paris, France — Mistral AI SAS own infrastructure) | N/A (French company, EU infrastructure, no extra-EU transfers, no US CLOUD Act exposure) |
| Resend | Transactional email delivery and notifications | USA | EU-US DPF |
| Upstash | Rate limiting (Redis) | EU | N/A (data in the EU) |
| PostHog | Product analytics and user behavior analysis | EU Cloud (eu.posthog.com) | N/A (EU Cloud) |
| Analytics (GA4), reCAPTCHA Enterprise, Google Workspace | USA / EU | EU-US DPF + SCCs | |
| Sentry | Error tracking and session replay (active by default; Session Replay only after analytics consent) | USA | EU-US DPF |
| Perplexity | Web search for Knowledge Base Brain + Multi-LLM Consensus cross-check (P5) | USA | EU-US DPF |
| Vercel | Web application hosting (Next.js SSR), edge functions, global CDN, cron scheduler | EU (fra1, Frankfurt) — region pinned via vercel.json | EU-US DPF + SCCs (Vercel Inc. is a US company with EU-resident data) |
| Aruba | Electronic invoicing and digital preservation | Italy | N/A (data in Italy) |
| Browserless | JS-rendered scraping for regulatory monitoring (optional, no personal data) | USA | N/A — no personal data transferred |
5 additional sub-processors are listed in the registry as conditional / not active in v1.0 — currently: Stripe (UK customers — GBP), Anthropic (API diretta), OpenAI (API diretta), Google AI (Gemini API), Odoo. No user data flows through these processors until they are activated. See /sub-processori/ for full details.
We do not sell or share your data with third parties for marketing purposes.
Some of our sub-processors are based in the USA. For each US-based provider, the applicable transfer mechanism is as follows:
Supabase, Upstash, and PostHog process data exclusively within the European Union (Frankfurt, DE) based on our configured deployment regions.
Should the EU-US Data Privacy Framework adequacy decision be invalidated, transfers will continue under the Standard Contractual Clauses already in place with each provider that has adopted them, supplemented by additional technical measures where necessary.
You have the right to:
You can exercise your rights:
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (www.garanteprivacy.it).
For our cookie policy, please refer to our Cookie Policy.
For detailed information on the use of artificial intelligence on this website, please see the AI Transparency page, designed to support the transparency obligations of EU Regulation 2024/1689 (AI Act).
When a client organisation («Controller») engages Gitogi for project services (Odoo implementations, AI integration, custom software development) or uses platform features while remaining Controller of the personal data processed, Gitogi acts as a Processor under Art. 28 GDPR.
In this capacity:
In the course of consulting and advisory engagements (AI governance, AI Act compliance, AIRA methodology), Gitogi Srl may process personal data communicated by the client. The legal basis depends on the engagement:
Use of AI tools in consulting activities. To deliver the engagement, Gitogi may use AI tools — including, but not limited to, Anthropic Claude, OpenAI ChatGPT, and Google Gemini — to analyse documents, generate drafts, or accelerate research. The following safeguards apply:
This Privacy Policy is available in Italian and English. In the event of any discrepancy between the Italian and English versions, the Italian version shall prevail.
Last updated: 10 July 2026