The Italian-language text constitutes the official version of this disclosure. The English-language version is provided for informational purposes only.
Data Controller: Gitogi Srl, Piazza IV Novembre 4, 20124 Milano — VAT No. 14288420962
Last updated: April 12, 2026
In compliance with EU Regulation 2024/1689 (AI Act) and Italian Law 132/2025 on artificial intelligence, this page describes how Gitogi uses artificial intelligence systems on its website, platform, and in the delivery of consulting services.
1. AI Systems in Use
gitogi uses three artificial intelligence-based systems:
1.1 AI Assistant (Chatbot)
The chatbot on this website is a generative artificial intelligence system based on Large Language Models (LLMs). It is not a human.
- Purpose: to provide information about gitogi services, answer general questions about AI governance, and direct visitors to the most relevant resources.
- Technology: third-party language models with Anthropic as the primary provider and OpenAI as fallback, integrated via the Vercel AI SDK with retrieval-augmented generation (RAG) over the website's content.
- Data residency: conversations and extracted lead metadata are stored in Supabase Postgres for the deployment environment. Messages are sent to external AI providers (Anthropic/OpenAI) for response generation.
- Retention: conversations are scheduled for deletion after 90 days through the retention-cleanup job. The actual execution cadence depends on the configured external scheduler.
- Lead extraction: messages are automatically scanned using pattern matching (regex) to extract voluntarily provided contact data (email, phone number). This data is associated with the conversation for commercial follow-up purposes.
1.2 Automated Lead Scoring
We use an automated scoring system to classify contacts based on their level of interest and relevance. This system falls within the category of automated profiling under Article 22 of the GDPR.
- Purpose: to prioritise contacts that show greater interest in our services, in order to provide more timely and relevant follow-up.
- How it works: the score is based exclusively on behavioural signals: email type (professional vs. free), declared profession, firm size, assessment completion, guide downloads, and newsletter subscription.
- What we do NOT consider: age, gender, ethnicity, sexual orientation, political or religious opinions, health status, or any other sensitive data (Art. 9 GDPR).
- Algorithm: deterministic rule-based, not a machine learning model. Each signal has a fixed, documented, and verifiable weight.
- Versioning: each version of the algorithm is uniquely identified (currently v1.0.0) and every calculation is recorded in the AI audit log.
- Separation of systems: commercial lead scoring is tracked separately from the AI Readiness Assessment scoring flow. In the audit trail these appear as distinct systems (`lead_scoring` and `assessment_scoring`).
1.3 AI Tools Platform
The AI Tools platform provides generative AI-powered document creation for AI governance purposes (AI policies, tool inventories, compliance checklists, AI literacy plans, AI Act disclosure templates).
- Purpose: to help professionals create AI governance documentation as informational drafts, which must be reviewed and customised by the user.
- Technology: Claude Sonnet 4 (Anthropic) as primary provider, with OpenAI GPT-4o-mini as fallback via the centralized provider factory. Integrated via the Vercel AI SDK with streaming responses. Low-temperature generation (0.3–0.4) for factual, structured content.
- Data processed: user inputs (company data, questionnaire responses) and generated documents. Data is sent to the active AI provider selected by the centralized runtime configuration.
- Data residency: inputs and outputs are stored in Supabase Postgres for the deployment environment.
- Retention: data follows the product's account, document deletion, and GDPR deletion workflows. Third-party processor deletion outside the platform requires operational follow-up where applicable.
- Limitations: generated documents are informational drafts and do NOT constitute legal or professional advice. They may contain inaccuracies. The user is responsible for verifying, customising, and validating all generated content before use.
- Access: requires an AI Consultant subscription or higher, plus acceptance of a specific disclaimer.
- Rate limiting: 20 generations per hour per user.
1-bis. AI Act Classification (EU Reg. 2024/1689)
In accordance with the risk classification framework established by EU Regulation 2024/1689 (AI Act), the AI systems used by Gitogi are classified as follows:
| System | Risk Level | Legal Basis |
|---|---|---|
| AI Assistant (Chatbot) | Limited risk | Art. 50 — direct interaction with natural persons |
| Lead Scoring | Minimal risk | Not listed in Annex III; deterministic algorithm with human oversight |
| AI Tools Platform | Limited risk | Art. 50 — generates textual content via generative AI |
| Semantic Search (RAG) | Minimal risk | Infrastructure component; does not interact directly with the end user |
None of the systems used by Gitogi falls within the high-risk or unacceptable-risk categories under Articles 5 and 6 and Annex III of the Regulation.
2. Scoring Algorithm Transparency
In compliance with AI Act Art. 12 (record-keeping) and Art. 50 (transparency), we publicly document how the algorithm works:
| Signal | Points | Rationale |
|---|---|---|
| Professional email | +10 | Indicates a professional context |
| Target profession (accountant, lawyer, labour consultant) | +20 | Ideal customer profile for the service |
| Firm with more than 5 people | +15 | Greater AI impact potential |
| Assessment completed | +25 | Strong signal of interest |
| Guide downloaded | +10 (max 3) | Informational interest |
| Active newsletter subscription | +10 | Ongoing engagement |
3. Limitations and Potential Errors
3.1 Chatbot
- Responses are generated automatically and may contain inaccuracies or hallucinations. They do not replace professional advice.
- Anonymous and free-tier users: the chatbot responds based on the public content of the website and the regulatory knowledge base. It does not access personal data.
- Subscribed (authenticated) users: to provide personalised guidance, the chatbot also uses your learning progress, logged training hours, adaptive profile (strengths/weaknesses), and module content. This data is shared with the AI provider solely for response generation and is not retained by the provider.
- Study mode: the chatbot accesses the specific module content and your quiz scores to provide contextualised tutoring.
- It does not retain context across different sessions (unless the user is authenticated).
3.2 Lead Scoring
- The score reflects only the observed digital signals and not the actual quality of the potential client.
- A low score does not result in the refusal of any service. All contacts receive a response regardless of their score.
- The system may overestimate or underestimate a user's actual level of interest.
3.3 AI Tools
- Generated documents are informational drafts, not certified legal documents. They require professional review before use.
- The AI model may produce content that is incomplete, outdated, or not fully aligned with the user's specific regulatory context.
- Gitogi Srl does not guarantee the regulatory compliance of any generated document.
4. Your Rights
In compliance with the GDPR (Art. 15-22) and the AI Act, you have the right to:
- Know whether you have been profiled and with what score (Art. 15 GDPR).
- Request an explanation of the assigned score and the criteria used (Art. 22 GDPR).
- Contest the score and request a human review by writing to privacy@gitogi.com. Human review is handled through manual follow-up and the available privacy / support channels.
- Object to automated profiling (Art. 21 GDPR).
- Request the deletion of all your data (Art. 17 GDPR).
To exercise these rights, write to privacy@gitogi.com or use the Your Data.
5. Human Oversight
All gitogi AI systems operate under human supervision:
- The chatbot is an informational tool. No commercial decisions are made automatically based on the chatbot's responses.
- Lead scoring is a prioritisation aid. Human follow-up remains required before any commercial action.
- Every calculated score is recorded in the AI audit log with anonymised inputs, outputs, and algorithm version, in compliance with Art. 12 of the AI Act.
6. AI Providers and Data Localisation
| Provider | Use | Data Sent | Legal Basis for Transfer |
|---|---|---|---|
| OpenAI (USA) | Chatbot — response generation; text embeddings for RAG vector search | Conversation messages; user queries for vectorisation | Provider agreement and transfer mechanism in force |
| Anthropic (USA) | Chatbot — alternative provider; AI Tools — document generation | Conversation messages; AI Tools user inputs | Provider agreement and transfer mechanism in force |
| Supabase (deployment-region configuration) | Database, RAG embeddings | All structured data | Deployment-region configuration |
7. Technical Documentation
In compliance with the AI Act, we maintain the following documentation:
- DPIA (Data Protection Impact Assessment) for the lead scoring system
- AI Model Card with a description of the algorithm, features used, performance metrics, and known limitations
- Audit log of every scoring calculation with anonymised inputs, outputs, model version, and separate namespaces for `lead_scoring` and `assessment_scoring`
To request a copy of this documentation, contact privacy@gitogi.com.
AI Tools Used Internally for Consulting Services
In compliance with Italian Law 132/2025, Gitogi informs its clients that the following artificial intelligence tools are used in the delivery of consulting services. All tools are used as professional support instruments and their outputs are always subject to review and validation by Gitogi professionals.
- Anthropic Claude Code / Claude Max — Software development, code analysis, technical review. The "Help improve Claude" option is disabled; data is not used for model training.
- OpenAI ChatGPT Business (2 seats) — Document analysis, draft writing, research. The "Improve the model for everyone" option is disabled; data is not used for model training.
- OpenAI Codex — AI-assisted software development. Training opt-out contractually active.
- Google Gemini (Workspace Business Standard) — Document management, data analysis, administrative support.
- Google Gemini API — Long-context document analysis for the platform Knowledge Base.
- Perplexity Enterprise Pro — In-depth web research, regulatory updates. AI data retention disabled.
- Mistral API — Natural language processing. EU-based provider with data residency within the European Union.
- Anthropic Claude API — AI integration for platform services. Data is not used for model training under the API contract.
For all tools listed above, model training and improvement options using user data are disabled.
All outputs generated via artificial intelligence are subject to human professional oversight. AI is a support tool: final responsibility for the quality and accuracy of results rests with Gitogi's professionals (Italian Law 132/2025).
In accordance with the data minimisation principle (Art. 5 GDPR), only the data strictly necessary for delivering the requested service is processed through AI tools.
Aegis AI Systems (aegis.gitogi.com)
Aegis is Gitogi's AI governance platform, currently under development, which integrates the following artificial intelligence systems:
- PII Detection Engine — A three-tier personal data detection engine: (1) pattern matching via regular expressions, (2) Named Entity Recognition via spaCy and Presidio, (3) zero-shot classifier for contextual detection. All tiers operate locally without transmitting data to third parties.
- LLM Gateway — An intelligent request routing system for AI models hosted in the EU or outside the EU, with a configurable policy engine to enforce corporate policies on data residency and information classification.
Aegis will be available soon. This section will be updated with detailed information upon release.
Compliance with Italian Law 132/2025
In compliance with Italian Law No. 132 of 26 September 2025, containing provisions on artificial intelligence, Gitogi Srl declares the following:
- The artificial intelligence systems described in this disclosure are used as support tools in the delivery of professional consulting services.
- Artificial intelligence does not replace human decision-making power. Every AI-generated output is verified, supplemented, and validated by Gitogi's professionals before being made available to the client.
- Gitogi's professionals maintain full responsibility for the quality, accuracy, and regulatory compliance of the services delivered, regardless of the use of artificial intelligence tools.
- This notice is provided in a clear, simple, and comprehensive manner, as required by law, in order to ensure maximum transparency towards clients and platform users.
8. Updates
This disclosure is updated whenever we modify the AI systems in use or their purposes. Significant changes are communicated via the newsletter and published on this page.
9. Contact
For any questions about the use of artificial intelligence on gitogi.com: