Data Controller: Gitogi Srl, Piazza IV Novembre 4, 20124 Milano — VAT No. 14288420962
Data Controller Contact: privacy@gitogi.com | Certified Email (PEC): pec@pec.gitogi.com
Pursuant to Art. 37(1) GDPR, the designation of a Data Protection Officer (DPO) is not mandatory for Gitogi Srl, as the company does not carry out large-scale processing of special categories of data or systematic monitoring of data subjects. The controller is directly reachable at the contact details provided above for any privacy-related enquiry.
We collect personal data that you voluntarily provide through our contact forms, the AI Readiness assessment, newsletter subscription, resource downloads, and interactions with our AI chatbot. Data may include: first name, last name, email, company name, role, profession, firm size.
Your data is processed for the following purposes:
| Purpose | Legal Basis | Retention |
|---|---|---|
| Responding to contact requests | Art. 6(1)(b) (performance of contract) | 12 months if not converted |
| AI Readiness Assessment | Art. 6(1)(a) (consent) | 30 days if not converted |
| Newsletter delivery | Art. 6(1)(a) (consent, double opt-in) | Until unsubscription + 3 months |
| Free guide downloads | Art. 6(1)(b) (performance of contract) | 12 months |
| Marketing communications | Art. 6(1)(a) (separate consent) | Until withdrawal + 3 months |
| Automated lead scoring | Art. 6(1)(f) (legitimate interest) | 24 months of inactivity |
| AI Chatbot | Art. 6(1)(a) (consent) | 90 days |
| Consent registry (GDPR audit) | Art. 6(1)(c) (legal obligation) | 5 years |
| AI audit log (AI Act) | Art. 6(1)(c) (legal obligation) | 5 years |
| Service purchases and order processing | Art. 6(1)(b) (performance of contract) | 10 years (Italian fiscal obligation D.P.R. 633/72) |
| Quote requests for professional services | Art. 6(1)(b) (pre-contractual measures) | 5 years |
| AI Tools platform (policy generator, inventory, compliance checker) | Art. 6(1)(b) (performance of contract) | User-controlled (deleted with account) |
| AI Literacy certification and learning | Art. 6(1)(b) (performance of contract) | User-controlled (deleted with account) |
| Community forum and member profile | Art. 6(1)(b) (performance of contract) | User-controlled (deleted with account) |
| Content access logging (templates, tools) | Art. 6(1)(f) (legitimate interest) | 2 years |
We use an automated scoring system (lead scoring) to classify contacts based on their level of interest, pursuant to Art. 22 GDPR.
The system is rule-based (not machine learning) and relies exclusively on behavioural signals: email type, declared profession, firm size, completed assessment, downloaded guides, newsletter subscription.
We do not use sensitive data (Art. 9 GDPR) in score calculation.
You have the right to:
For more details, please see the AI Transparency.
The chatbot on this website is a generative artificial intelligence system based on third-party Large Language Models (LLMs), with Anthropic as the primary provider and OpenAI as fallback.
Data is retained for the time strictly necessary to fulfil the purposes for which it was collected, as indicated in the table in section 2. Where configured, scheduled cleanup routes enforce the retention windows described below. For third-party processors and out-of-band systems, deletion may require operational follow-up under the applicable provider workflow.
The following providers act as data processors pursuant to Art. 28 GDPR:
Locations and safeguards below reflect our configured deployment choices and the contractual terms in force with each provider. Where processing occurs outside the EU, the specific transfer mechanism is indicated in the table and detailed in section 8.
| Provider | Service | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication, storage | EU (eu-central-1, Frankfurt) | N/A (data in EU) |
| Stripe | Payment and subscription processing | USA / EU | EU-US DPF + SCCs |
| Amazon Web Services (Bedrock) | Primary AI chat (Claude Opus/Sonnet/Haiku) and intra-Bedrock fallback (Mistral Large) via AWS Bedrock with cross-region EU inference profile | EU (eu-south-1 Milan primary; cross-region EU: eu-central-1 Frankfurt, eu-west-1 Ireland, eu-west-3 Paris) | N/A (data resident in the EU); AWS EMEA SARL is a European entity, AWS Inc. is the US parent (residual CLOUD Act exposure mitigated by EUDB and Bedrock regional guarantees) |
| Mistral AI (La Plateforme) | EU-sovereign cross-cloud AI fallback, Layer 3 of the resilience stack. Active only when AWS Bedrock EU is fully unavailable. | EU (Paris, France, on Mistral AI SAS's own infrastructure) | N/A (French company, infrastructure in the EU, no extra-EU transfer, no exposure to the US CLOUD Act) |
| Resend | Transactional email delivery and notifications | USA | EU-US DPF |
| Upstash | Rate limiting (Redis) | EU | N/A (data in EU) |
| PostHog | Product analytics and user behavior analysis | EU Cloud (eu.posthog.com) | N/A (EU Cloud) |
| Google | Analytics (GA4), reCAPTCHA Enterprise, Google Workspace | USA / EU | EU-US DPF + SCCs |
| Sentry | Error tracking and session replay | USA | EU-US DPF |
| Perplexity | Web search for Knowledge Base Brain (optional) | USA | EU-US DPF |
| Vercel | Web application hosting (Next.js SSR), edge functions, global CDN, cron scheduler | EU (fra1, Frankfurt), region pinned via vercel.json | EU-US DPF + SCCs (Vercel Inc. is a US company with data resident in the EU) |
| Aruba | Cloud hosting (Aegis), electronic invoicing and digital preservation | Italy | N/A (data in Italy) |
| Microsoft / Azure | Cloud infrastructure (Aegis) | EU (Ireland) | N/A (data in EU) |
| Browserless | JS-rendered scraping for regulatory monitoring (optional, no personal data) | USA | EU-US DPF |
4 additional sub-processors are listed in the registry as conditional / not active in v1.0 — currently: Stripe (UK customers — GBP), Anthropic (direct API), OpenAI (direct API), Google AI (Gemini API). No user data flows through these processors until they are activated. See /sub-processori/ for full details.
We do not sell or share your data with third parties for marketing purposes.
Some of our sub-processors are based in the USA. For each US-based provider, the applicable transfer mechanism is as follows:
Supabase, Upstash, and PostHog process data exclusively within the European Union (Frankfurt, DE) based on our configured deployment regions.
Should the EU-US Data Privacy Framework adequacy decision be invalidated, transfers will continue under the Standard Contractual Clauses already in place with each provider that has adopted them, supplemented by additional technical measures where necessary.
You have the right to:
You can exercise your rights:
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (www.garanteprivacy.it).
For our cookie policy, please refer to our Cookie Policy.
For detailed information on the use of artificial intelligence on this website, please see the AI Transparency page, designed to support the transparency obligations of EU Regulation 2024/1689 (AI Act).
When a client organisation ("Controller") uses the Aegis platform (aegis.gitogi.com), Gitogi Srl acts as Processor pursuant to Art. 28 GDPR with respect to the personal data that the Controller uploads to or generates within the platform.
In this capacity:
In the course of consulting and advisory engagements (AI governance, AI Act compliance, AIRA methodology), Gitogi Srl may process personal data communicated by the client. The legal basis depends on the engagement:
Use of AI tools in consulting activities. To deliver the engagement, Gitogi may use AI tools — including, but not limited to, Anthropic Claude, OpenAI ChatGPT, and Google Gemini — to analyse documents, generate drafts, or accelerate research. The following safeguards apply:
This Privacy Policy is available in Italian and English. In the event of any discrepancy between the Italian and English versions, the Italian version shall prevail.
Last updated: April 12, 2026