Privacy Policy

1. Data Controller

The data controller is ANTALIA AI S.R.L., an innovative startup, with registered office at Via dei Coronari 45 — 00186 Rome (RM), Italy. VAT / Tax Code: IT18487481006 — REA: RM-1787996 — Share capital: EUR 20,000.00. Contact: info@innovativework.it — Certified email (PEC): antaliaai@pec.it

2. Data We Collect

We collect the following categories of personal data:

• Registration data: name, business email address, company name
• Usage data: interactions with AI agents, uploaded documents, conversation history
• Technical data: IP address, browser type, device information, access logs
• Billing data: processed directly by Stripe (we do not store credit card details)

3. Purpose of Processing

• Provision of the AI virtual office service
• Account management and billing
• Service improvement and aggregate usage analytics
• Service-related communications (no marketing without consent)
• Compliance with legal and tax obligations

4. Legal Basis

Processing is based on: performance of a contract (Art. 6(1)(b) GDPR), consent (Art. 6(1)(a) GDPR), legitimate interest (Art. 6(1)(f) GDPR), and legal obligation (Art. 6(1)(c) GDPR). For users in California, we also comply with the California Consumer Privacy Act (CCPA). For users in the United Kingdom, processing is conducted in accordance with the UK GDPR.

5. Data Retention

• Account data: for the duration of the contractual relationship + 10 years (tax obligations under Italian law)
• AI conversations: until deletion by the user or account closure
• Uploaded documents: until deletion by the user or account closure
• Technical logs: maximum 12 months

6. Data Transfers and Processing Location

Your data is primarily stored on EU servers (Supabase — Frankfurt, Germany; Vercel — EU region). The AI service uses Anthropic (Claude) with servers in the United States. All transfers to non-EU countries are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Chapter V of the GDPR. For UK users, transfers comply with the UK International Data Transfer Agreement (IDTA).

7. Your Rights

Under the GDPR, UK GDPR, and applicable privacy laws, you have the right to:

• Access your personal data
• Rectification of inaccurate data
• Erasure ("right to be forgotten")
• Restriction of processing
• Data portability
• Object to processing
• Withdraw consent at any time
• For California residents: the right to know, delete, and opt-out of the sale of personal information under CCPA (we do not sell personal data)

To exercise your rights, contact: info@innovativework.it

8. Cookies and Similar Technologies

In compliance with the ePrivacy Directive (Directive 2002/58/EC), we use the following categories of cookies and local storage technologies:

• Strictly Necessary (always active): Supabase authentication, session management, CSRF protection
• Functional (with consent): interface preferences, widget state, theme, default agent (localStorage)
• Internal Analytics (with consent): aggregate usage metrics, not shared with third parties

We do not use profiling, marketing, or third-party tracking cookies. You can manage cookie preferences via the banner displayed on the site or from your account settings.

9. Sub-Processors

• Supabase Inc. — Database and authentication (EU)
• Vercel Inc. — Application hosting (EU)
• Anthropic PBC — AI service (USA, with SCCs)
• Microsoft Azure — Text-to-speech (EU)
• OpenAI Inc. — Document indexing/embeddings (USA, with SCCs)
• Resend Inc. — Transactional email delivery (USA, with SCCs)
• Stripe Inc. — Payment processing (PCI-DSS certified)

10. Supervisory Authority

You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali — www.garanteprivacy.it). UK users may also contact the Information Commissioner's Office (ICO — www.ico.org.uk). California residents may contact the California Attorney General's Office.