1. Data Controller

The data controller for personal data is Monolait S.r.l. (fictitious), with registered office at Via Roma 1, 20121 Milan (MI). For any privacy-related question, you can contact us at: privacy@vinare.it.

2. Types of Data Collected

Monolait collects several types of data to provide the Service:

  • Account Data: Name, email, encrypted password, user role, subscription plan, and billing information.
  • Configuration Data: Documents, FAQs, and texts uploaded by the Customer to train the virtual assistant.
  • Conversation Data: Texts entered by end users in chats handled by the Platform.
  • Technical Data and Metrics: IP addresses, access logs, browser type, operating system, virtual assistant response times, and portal usage statistics.

3. Purposes and Legal Basis

Data is processed exclusively for the following purposes:

  • Contract Performance (Art. 6.1.b GDPR): Providing Platform features, managing subscriptions, and technical support.
  • Legitimate Interest (Art. 6.1.f GDPR): Optimizing virtual assistant performance, analyzing the use of the management dashboard to improve usability, and preventing fraud or abuse.
  • Legal Obligations (Art. 6.1.c GDPR): Tax and accounting obligations required by Italian law.

4. AI and Sub-Processors

For providing the Artificial Intelligence service and platform usage analytics, Monolait relies on trusted sub-processors:

  • AI Providers (OpenAI Ireland Ltd and Google Cloud Gemini API): Data transmitted (chat input) for response generation is NOT used to train their base models.
  • Analytics and Events (PostHog Cloud EU): Used to analyze feature adoption and bot response speed. Data is hosted on servers within the European Union (Germany).
  • Web Performance (Vercel Analytics): Used to monitor portal loading performance in a fully anonymous form.

5. Security and Retention

We adopt advanced technical measures to protect your data, including SSL/TLS encryption and database segregation.

  • Account data is retained until account closure and for the time required by law (10 years for tax purposes).
  • Conversation logs are retained for a predefined period (e.g., 12 months), unless otherwise configured by the Customer, to allow performance analysis.
  • Assistant training documents are deleted immediately upon Customer request or account closure.

6. Rights of the Data Subject

Pursuant to articles 15-22 of the GDPR, you have the right to:

  • Access your personal data and request a copy.
  • Request correction of inaccurate data.
  • Request erasure (right to be forgotten) or restriction of processing.
  • Object to processing for legitimate reasons.
  • Request data portability in a structured format.

To exercise these rights, write to privacy@vinare.it. You also have the right to lodge a complaint with the Italian Data Protection Authority.

7. Cookies and Tracking Technologies

We use cookies and tracking technologies to ensure platform functionality and analysis:

  • Technical and Session Cookies: Necessary for authentication and basic portal functioning.
  • Portal Tracking (PostHog): For authenticated portal users, we monitor feature usage (e.g., agent creation, configuration) to optimize the UX. This activity is stored via localStorage or cookies.
  • Chat Widget (PostHog): For end users interacting with the chat widget on merchant websites, tracking is fully anonymous and in-memory (cookieless). No personal data or end user IP address is recorded, nor are cookies or files written to their browser localStorage.
  • Vercel Analytics: Collects aggregated and anonymous loading speed metrics without using cookies.