Privacy policy
Information about the Data Controller
Evolbot di M. V. is the data controller for personal data for the Evolbot service. The company has its registered office at via Carlo Ghega 3, Trieste, Italy, and manages a SAAS platform dedicated to creating and configuring chatbots and AI assistants. The service is accessible through the website https://www.evolbot.com and is available in Italian and English for a global user base.
For all matters relating to privacy and personal data protection, users can contact the data controller at the email address privacy@evolbot.com. Currently, the company has not appointed a Data Protection Officer (DPO), as it does not fall within the cases of mandatory appointment provided for by the GDPR.
The service is exclusively aimed at users over 18 years of age and requires direct registration through an online form to access the platform's functionalities. The nature of the service focuses on providing configurable AI tools that use OpenAI APIs to generate intelligent responses and manage automated conversations.
Types of Personal Data Collected
Registration and Identification Data
During the registration process for the Evolbot service, various types of personal data necessary for creating and managing the user account are collected. For private users, the required information includes first name, last name, email address, phone number, tax code, country of residence, complete address, city and postal code. These data represent the minimum set necessary for user identification and service provision.
For business users, the registration process requires additional information specific to legal entities. In addition to standard data, the company name and VAT number are collected, essential elements for managing tax obligations and correct billing of services. This additional data allows distinguishing between private and business users, applying appropriate tax and contractual procedures.
The registration system is designed to collect exclusively the information necessary for service operation, following the data minimization principle provided by the GDPR. No information exceeding the declared purposes is requested, and all fields are clearly identified as mandatory or optional during the registration process.
Payment and Transaction Data
Payment management for the Evolbot service is completely delegated to the Stripe platform, recognized as a worldwide leader in online payment services. Evolbot never receives, manages or stores sensitive credit card data from users, thus ensuring the maximum level of security for financial transactions. This architectural choice significantly reduces risks associated with payment data management and ensures compliance with PCI DSS standards.
The only payment-related information that Evolbot receives from Stripe is that strictly necessary for billing and service terms management. This data includes the payment order number, transaction outcome, type of plan purchased and information necessary to generate invoices, without ever including sensitive details such as credit card numbers or security codes.
The payment process is completely transparent for the user, who can monitor the status of their transactions through the service's reserved area. All payment-related communications occur through secure and encrypted channels, ensuring the protection of financial information throughout the entire transactional process.
Data Uploaded via Chatbots and APIs
A fundamental component of the Evolbot service concerns the management of documents and data that users upload to interact with chatbots and use OpenAI APIs. These contents often represent sensitive or proprietary user information, which is why processing occurs with particular attention to security and user control. Data is stored both on Evolbot servers and OpenAI servers, following their respective security policies.
It is important to emphasize that all data uploaded by users is never used to train artificial intelligence models. This guarantee represents a distinctive element of the service, ensuring users that their information remains confidential and does not contribute to improving AI systems used by others. Data is used exclusively for providing the service requested by the specific user.
Users maintain full control over their content and can independently delete documents, conversations and uploaded data at any time through the service interface. This self-management functionality ensures maximum flexibility and respect for data subjects' rights, allowing granular management of information present on the platform.
Purposes of Data Processing
Account Management and Service Provision
The main purposes of processing personal data collected during registration include creating and managing the user account, a fundamental element for personalized access to the Evolbot service. This data allows unique identification of each user, personalization of the usage experience and ensuring access security through secure authentication systems. Account management also includes updating profile information and personalizing usage preferences.
Service provision represents the central purpose of processing, as the collected data is essential to allow users to configure and use AI chatbots. This includes managing personalized configurations, saving user preferences, synchronization between devices and providing personalized technical support. Processing is necessary for executing the service contract stipulated with the user.
Tax and legal compliance constitute another important purpose, particularly for data such as tax code and VAT number. These processes are necessary to comply with legal obligations relating to billing, accounting document retention and communications with tax authorities. Customer assistance finally represents a complementary purpose that uses contact data to provide technical support and respond to user requests.
Communications and Marketing
Newsletter management constitutes a specific purpose of processing based on user consent. For newsletter registration, only name and email address are collected, information used for sending promotional communications, product updates, informative articles and materials of interest to service users. This marketing activity is always based on explicit and revocable consent from the data subject.
Users maintain full control over received communications and can unsubscribe from the newsletter at any time using the link present in each email or by directly contacting the service. Unsubscription results in immediate removal of the email address from distribution lists and, if requested, complete deletion of data associated with the newsletter service.
The communication management system is designed to respect individual user preferences, allowing granular personalization of received content. User data is never used for unauthorized communications or for transfer to third parties for commercial purposes.
Analysis and Service Improvement
The use of analysis tools such as Matomo and Google Analytics 4 is aimed exclusively at aggregated statistical analysis of traffic to improve the service. These tools are configured to collect data anonymously, in full respect of user privacy and current regulations. The implementation of Cookiebot ensures transparent management of user preferences regarding tracking.
Data collected through these tools is used exclusively for internal analysis aimed at understanding service usage, identifying areas for improvement and optimizing user experience. It is never transferred to third parties or used for commercial purposes other than improving the service itself. Aggregated analysis allows identifying trends and usage patterns without compromising individual user privacy.
Users can review and modify their consent regarding tracking at any time by accessing the Privacy Policy page of the website. This functionality ensures full control over privacy preferences and allows balancing usage experience with the desired level of privacy.
Data Retention
Retention Duration by Data Type
Registration data provided by users is retained indefinitely to ensure service continuity and the possibility of restoring the account when necessary. However, users maintain full control over their data and can request complete deletion of their account at any time, which automatically results in removal of all associated registered data. This retention method balances the operational necessity of the service with user rights.
Regarding payment data received from Stripe, only data necessary for billing and service terms management is retained. This includes information such as payment order number and transaction details, without including additional data beyond what was already entered during the registration phase. Retention is limited to information essential for accounting and tax compliance.
Documents and data uploaded via chatbots and APIs are retained until the user decides to delete them. This user-controlled retention policy ensures that content remains available for service operation as long as necessary, but can be removed immediately upon request from the data subject. There is no predefined retention period, leaving management completely in the hands of the user.
Newsletter and Analytics Data Management
Data from users subscribed to the newsletter is retained exclusively until the user requests unsubscription from the service. This management method ensures that no longer necessary information is not maintained and fully respects the user's will to no longer receive communications. Unsubscription results in immediate and definitive removal of data from distribution lists.
For data collected through Matomo and Google Analytics 4, no specific retention expiration is provided. However, considering that this data is collected in anonymized form and used exclusively for internal statistical analysis, its retention does not present risks for user privacy. Aggregated and anonymized data does not allow individual identification and is used for long-term trend analysis.
The retention policy is regularly reviewed to ensure compliance with current regulations and industry best practices. In case of changes to processing purposes or operational needs, users are promptly informed and have the possibility to express their consent again or request data deletion.
Data Subject Rights
Methods for Exercising Rights
Users of the Evolbot service can exercise all rights provided by the GDPR by contacting the data controller at the email address privacy@evolbot.com. This dedicated channel ensures specialized management of privacy-related requests and ensures that each instance is treated with due attention and competence. The request management process is designed to be simple and accessible to all users.
The privacy request management system is optimized to ensure fast response times and efficient service. Evolbot commits to responding to all requests relating to data subject rights within a maximum period of 7 working days from receipt of the communication. This term, shorter than that provided by the GDPR, demonstrates the company's commitment to providing high-quality service even in privacy matter management.
It is important to emphasize that exercising data subject rights is completely free and involves no cost for users. Furthermore, the process does not require particular identity verification of the user, further simplifying the procedure for accessing one's rights. This choice reflects a user-friendly approach to privacy management, facilitating the exercise of fundamental rights.
Types of Exercisable Rights
Users can exercise the right of access to obtain complete information on personal data held by Evolbot, including processing purposes, categories of recipients and planned retention periods. This right allows having a complete view of the use of one's personal data and verifying the correctness of stored information.
The right of rectification allows users to request correction of inaccurate or incomplete data, ensuring that stored information is always updated and accurate. The right of erasure (right to be forgotten) allows obtaining removal of one's personal data when it is no longer necessary for original purposes or when consent to processing is revoked.
Users can also exercise the right to restriction of processing to obtain temporary suspension of data processing activities in specific circumstances, the right to object to oppose specific processing based on legitimate interests, and the right to data portability to receive their data in a structured format readable by automatic device, facilitating transfer to other service providers.
International Transfers and Data Localization
Server Management and Localization
Evolbot adopts a strict data localization policy within the European Union to ensure the maximum level of protection for user information. All personal data managed directly by Evolbot is maintained on servers located exclusively in the EU area, eliminating risks associated with international transfers to third countries with protection levels lower than European ones.
This strategic localization choice ensures that all data remains under the jurisdiction of European data protection regulations, offering users maximum guarantees of security and regulatory compliance. Internal server management also allows direct control over implemented security measures and greater speed in managing user requests related to their data.
The internal monitoring system includes periodic checks on data localization and compliance of used service providers. This proactive approach ensures that unauthorized transfers do not occur and that all data always remains under Evolbot's direct control according to European regulations.
Third-Party Services and Compliance
Regarding analysis services, Matomo is managed directly on Evolbot's proprietary servers, ensuring full control over collected data and their localization within the EU. This internal management of Matomo represents a conscious choice to maintain complete control over analytics data without having to resort to external services that could involve international transfers.
Google Analytics 4 is configured to save user data exclusively on servers located in the European Union. This specific configuration ensures that even the use of Google services remains compliant with European data protection regulations, avoiding transfers to the United States or other third countries. Compliance is ensured through data localization settings available in the Google Analytics platform.
Data Security
Technical Protection Measures
Evolbot implements various technical measures to ensure the security of users' personal data. User password protection occurs through advanced encryption algorithms that make it impossible to read access data even in case of unauthorized access to databases. This fundamental measure ensures that access credentials always remain protected and cannot be compromised by external attacks.
The access control system is based on an RBAC (Role-Based Access Control) model that limits access to personal data exclusively to authorized personnel. Each employee has access only to information necessary to perform their specific duties, minimizing the risk of unauthorized access and ensuring traceability of every operation on data. This granular approach to access management represents a best practice in personal data protection.
Infrastructure protection is ensured through monitoring and cyber attack prevention systems implemented on Evolbot servers. These systems operate 24/7 to identify and neutralize potential threats promptly, ensuring service continuity and data protection. Additionally, daily backups are performed to ensure the possibility of rapid data restoration in case of malfunctions or incidents.
Organizational Measures and Procedures
From an organizational standpoint, Evolbot personnel receive periodic training on personal data conservation and protection policies. This continuous training ensures that all employees are always updated on security best practices and current regulations, reducing the risk of human errors that could compromise data security.
The company has implemented specific procedures for managing cyber incidents, ensuring a rapid and effective response in case of security breaches. These procedures include notification protocols, risk assessment, incident containment and communication to data subjects when necessary. Preventive preparation for incident management represents a crucial element to minimize the impact of potential breaches.
Infrastructure security is verified through periodic tests on servers to check for vulnerabilities and ensure the effectiveness of implemented protection measures. These penetration tests and vulnerability assessments are conducted regularly to proactively identify potential weak points and promptly implement necessary corrections, always maintaining a high level of system security.