INDIGO AI S.r.l., as “controller”, according to Article 13 Regulation (EU) 2016/679 (hereinafter “GDPR”), wishes to provide the following specific information as regards the processing of personal data of the chatbot service users.
1. Data controller
The Data Controller is INDIGO AI S.r.l. with registered office in via Torino n. 61, postcode 20123, Milan (MI), Italy, e-mail firstname.lastname@example.org. The appointed DPO, according to Art. 37, Regulation EU 2016/679, is Mr. Aldo Benato lawyer, e-mail: email@example.com.
2. Types of data processed
Indigo AI S.r.l. processes personal data provided voluntarily by users, through registration and use of the chatbot, or acquired by Indigo AI S.r.l. through the Facebook platform, in particular: name, surname, fiscal code, VAT number, e-mail, telephone number ("personal data"). Indigo AI S.r.l. can also handle particular data relating to health and sex life, racial and ethnic origin of an individual, his or her religious, political and philosophical beliefs and membership, voluntarily provided by users [eg in the context of the use of the service] to be able to satisfy users' requests ("particular data"). Indigo AI S.r.l. can process the data collected through the use of technical cookies.
3. Purpose of the processing
Personal data will be processed for the following purposes:
- Purposes related to the performance of the requested services, ie to answer the questions asked by users and to send them the requested information.
- Purposes related to the fulfillment of obligations established by law, by a regulation, by EU legislation or by an order of the Authority (such as in the field of anti-money laundering) to which the Data Controller is subject.
- Purposes related to the exercise of a legitimate interest of the Controller, including for example the right to defence in court.
- Specific and separate prior consent will be asked for the following marketing purposes:
- to send you by e-mail, postal service and /or text message and /or chat and /or phone contacts, newsletters, commercial communications and /or advertising material on products or services offered by the Data Controller and to detect the degree of satisfaction with the quality of the services;
- to send you via e-mail, postal service and /or text message and /or phone contacts, commercial and / or promotional communications of third parties (for example, business partners).
Particular data will be processed for the following purposes:
- Upon specific and separate consent, purposes related to the performance of the requested services, or to answer the questions asked by users.
- Allow consultation of the chatbot, as they permit the chatbot to work.
4. Nature of data provision
Without prejudice to what is indicated in relation to technical cookies, which are necessary for the chatbot to work properly, users are free to provide their personal data, but the provision of data is a necessary prerequisite for the execution of the service. Failure to provide such data may make it impossible for the Controller to receive questions by chatbot and to send the requested information. Users are free to provide their personal data and to give their consent for the sending of promotional communications. Failure to grant consent will not allow the Data Controller to send its promotional offers. Users are free to provide their own particular data and to give their consent, to receive answers to the questions posed in the chatbot on the subject of health and sexual life, of the individual's racial and ethnic origin, of his/ her religious, political and philosophical beliefs and membership.
5. Processing methods
Personal data will be processed using automated tools and in paper form. The Data Controller will process the personal data for the time necessary to fulfill the aforementioned purposes and, in any case, for not more than 10 (ten) years from the termination of the contract for the purposes related to the services offered and for no more than 2 years from the collection of data for the purposes regarding marketing activities. Specific security measures will be adopted to prevent the loss of personal data, illicit or incorrect use and unauthorized access. In particular, specific security measures are observed to prevent the loss of data, illicit or incorrect use and unauthorized access, including:
- planning periodic database backups;
- database access limitation through the use of credentials;
- database access limitation through policies based on belonging to the same network in the AWS cloud;
- the limitation of access to machine requests through the use of ssh keys;
- limited access to environment configurations by creating accounts with distinct roles.
6. Persons authorized to process data
The personal and particular data voluntarily provided by you through the registration and use of the chatbot or acquired by Indigo AI S.r.l. via Facebook Messenger, Telegram, Whatsapp, Google Hangouts, Skype, Viber, LINE, WeChat can be communicated:
- to the employees and the associates of the Data Controller in Italy and abroad, in their capacity as persons authorized to process data and/or internal data processors and/or system administrators;
- to third-party companies or other natural or legal persons (ie, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, etc.) that carry out activities in outsourcing on behalf of the Controller, acting as Data Processors external to Indigo AI S.r.l.
The updated list of these Data Processors is kept at the registered office of the Data Controller.
7. Data transfer
Personal data are stored on servers located in Ireland and Frankfurt, within the European Union. In any case, it is understood that the Controller, if necessary, will have the right to move the servers even outside the EU. In this case, the Data Controller ensures, from now on, that the extra-EU data transfer will be carried out in compliance with the applicable legal provisions, upon stipulation of the standard contractual clauses imposed by the European Commission.
8. Rights of the data subjects
The user, as data subject, has the right to exercise at any time the rights mentioned in Articles 12 ff of EU Regulation 2016/679, namely:
- the right to access your personal data and to obtain information about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, where possible, the retention period;
- the right to obtain your personal data to be erased (where no longer necessary), corrected (if it is found they are inaccurate);
- the right to restrict Indigo’s processing of your personal information;
- the right to object the processing;
- the right to data portability;
- the right to withdraw consent to processing;
- the right to oppose an automated decision-making process (based on profiling) which may affect the data subject;
- the right to complain to the national DPA (Data Protection Authority – the Italian DPA is the “Garante per la protezione dei dati personali”).
To exercise the aforementioned rights, to make a report or to receive information on the processing methods, requests can be made by writing to the Data Controller at via Torino 61, Milan (MI), 20123 or at the following email address: firstname.lastname@example.org.
Processing means any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, comparison or interconnection, limitation, cancellation or destruction of data.