Privacy Policy

Data Controller: Gitogi Srl, Piazza IV Novembre 4, 20124 Milano — VAT No. 14288420962

Data Controller Contact: privacy@gitogi.com | Certified Email (PEC): pec@pec.gitogi.com

Pursuant to Art. 37(1) GDPR, the designation of a Data Protection Officer (DPO) is not mandatory for Gitogi Srl, as the company does not carry out large-scale processing of special categories of data or systematic monitoring of data subjects. The controller is directly reachable at the contact details provided above for any privacy-related enquiry.

1. Data We Collect

We collect personal data that you voluntarily provide through our contact forms, the AI Readiness assessment, newsletter subscription, resource downloads, and interactions with our AI chatbot. Data may include: first name, last name, email, company name, role, profession, firm size.

2. Purposes of Processing

Your data is processed for the following purposes:

3. Automated Profiling and Lead Scoring

We use an automated scoring system (lead scoring) to classify contacts based on their level of interest, pursuant to Art. 22 GDPR.

The system is rule-based (not machine learning) and relies exclusively on behavioural signals: email type, declared profession, firm size, completed assessment, downloaded guides, newsletter subscription.

We do not use sensitive data (Art. 9 GDPR) in score calculation.

You have the right to:

• Know the score assigned to you
• Request an explanation of the criteria used
• Contest the score and obtain a human review
• Object to automated profiling (Art. 21 GDPR)

For more details, please see the AI Transparency.

4. AI Chatbot

The chatbot on this website is a generative artificial intelligence system based on third-party Large Language Models (LLMs), with Anthropic as the primary provider and OpenAI as fallback.

• Conversation messages are sent to AI providers to generate responses
• Conversations are stored in Supabase Postgres and scheduled for deletion after 90 days via the retention-cleanup job
• You are not required to provide personal data to use the chatbot
• If you voluntarily provide personal data in the conversation, it is processed as described above
• Messages are automatically scanned for voluntarily provided contact data (email, phone number) to associate the conversation with your lead profile for commercial follow-up purposes

5. Data Retention

Data is retained for the time strictly necessary to fulfil the purposes for which it was collected, as indicated in the table in section 2. Where configured, scheduled cleanup routes enforce the retention windows described below. For third-party processors and out-of-band systems, deletion may require operational follow-up under the applicable provider workflow.

6. Privacy by Design (Art. 25 GDPR)

• Data minimisation: we collect only the personal data strictly necessary for each purpose
• Pseudonymisation: AI audit logs record anonymised input summaries (no personal identifiers)
• Encryption in transit (TLS 1.3) and at rest (AES-256-GCM for stored API keys)
• Least-privilege access controls for all data stores
• Scheduled cleanup routes are implemented for several categories; their execution depends on the configured external scheduler and does not replace processor-side deletion workflows
• Granular consent management: separate opt-in for each processing purpose
• Consent Mode v2: analytics and marketing technologies activate only after explicit user consent

7. Sub-processors

The following providers act as data processors pursuant to Art. 28 GDPR:

Locations and safeguards below reflect our configured deployment choices and the contractual terms in force with each provider. Where processing occurs outside the EU, the specific transfer mechanism is indicated in the table and detailed in section 8.

We do not sell or share your data with third parties for marketing purposes.

8. Transfers Outside the EU

Some of our sub-processors are based in the USA. For each US-based provider, the applicable transfer mechanism is as follows:

• Anthropic PBC — EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) as supplementary safeguard
• OpenAI Inc. — EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) as supplementary safeguard
• Stripe Inc. — EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) as supplementary safeguard
• Google LLC — EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) as supplementary safeguard
• Resend Inc. — EU-US Data Privacy Framework (DPF)
• Sentry (Functional Software) — EU-US Data Privacy Framework (DPF)

Supabase, Upstash, and PostHog process data exclusively within the European Union (Frankfurt, DE) based on our configured deployment regions.

Should the EU-US Data Privacy Framework adequacy decision be invalidated, transfers will continue under the Standard Contractual Clauses already in place with each provider that has adopted them, supplemented by additional technical measures where necessary.

9. Your Rights (Art. 15–22 GDPR)

You have the right to:

• Access (Art. 15): obtain a copy of your personal data
• Rectification (Art. 16): correct inaccurate data
• Erasure (Art. 17): request the deletion of your data. Deletion requests are handled through the self-service flows available in the product and, where necessary, through operational follow-up with external processors under their applicable workflow.
• Restriction (Art. 18): restrict processing
• Portability (Art. 20): receive your data in a structured format (JSON/CSV)
• Objection (Art. 21): object to processing based on legitimate interest
• Withdrawal of consent (Art. 7(3)): withdraw consent at any time
• Human review (Art. 22): request a human review of automated decisions

You can exercise your rights:

• Through the Your Data page (self-service export and deletion)
• By writing to privacy@gitogi.com
• Via certified email (PEC) to pec@pec.gitogi.com

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (www.garanteprivacy.it).

10. Cookies

For our cookie policy, please refer to our Cookie Policy.

11. Artificial Intelligence

For detailed information on the use of artificial intelligence on this website, please see the AI Transparency page, designed to support the transparency obligations of EU Regulation 2024/1689 (AI Act).

12. Processing as Processor — Aegis Platform

When a client organisation ("Controller") uses the Aegis platform (aegis.gitogi.com), Gitogi Srl acts as Processor pursuant to Art. 28 GDPR with respect to the personal data that the Controller uploads to or generates within the platform.

In this capacity:

• The scope, purposes and means of processing are determined exclusively by the Controller
• Gitogi processes such data solely on the Controller's documented instructions
• A Data Processing Agreement (DPA) governs the relationship — available at /dpa/
• The up-to-date list of sub-processors engaged in Aegis operations is published at /sub-processori/
• Technical and organisational security measures applied to Aegis are described at /misure-sicurezza/

13. Processing in Consulting Engagements

In the course of consulting and advisory engagements (AI governance, AI Act compliance, AIRA methodology), Gitogi Srl may process personal data communicated by the client. The legal basis depends on the engagement:

• Art. 6(1)(b) GDPR — performance of the consulting contract
• Art. 28 GDPR — where Gitogi acts as Processor on the client's behalf, governed by a dedicated DPA (/dpa/)

Use of AI tools in consulting activities. To deliver the engagement, Gitogi may use AI tools — including, but not limited to, Anthropic Claude, OpenAI ChatGPT, and Google Gemini — to analyse documents, generate drafts, or accelerate research. The following safeguards apply:

• All AI tools are configured with training opt-out enabled: client data is not used to train third-party models
• Data minimisation: only the data strictly necessary for the specific analytical task is submitted to the AI tool
• Where possible, data is pseudonymised or anonymised before submission
• AI-generated outputs are always reviewed by a qualified professional before delivery to the client
• Specific AI tools and processing purposes are documented in the DPA annex for each engagement

14. Cross-References to Legal Documents

• Data Processing Agreement (DPA) — Art. 28 GDPR processor terms for Aegis and consulting clients
• Sub-processor List — up-to-date register of sub-processors and change notification procedure
• Security Measures — technical and organisational measures pursuant to Art. 32 GDPR
• Cookie Policy
• AI Transparency — AI Act (Reg. 2024/1689) disclosure
• Terms of Service

15. Language

This Privacy Policy is available in Italian and English. In the event of any discrepancy between the Italian and English versions, the Italian version shall prevail.

Last updated: April 12, 2026