Privacy Policy
Effective Date: December 3, 2025
This policy is fully compliant with the EU General Data Protection Regulation (GDPR).
1. Data Controller
The Data Controller responsible for the processing of your personal data under this policy is:
Chat 71 S.r.l.
Address: Via Montenapoleone, 21, 20121 Milano, Italy
Email: privacy@chat71.com
DPO Contact: [Designated DPO Email/Contact Details]
2. Categories of Personal Data Processed
We process the following categories of data, primarily collected from visitors to our website and users of the Chat 71 platform (our clients' customers):
- Identification Data: Name, email address, phone number (collected during demo sign-ups or client account creation).
- Platform Usage Data: Chat transcripts, timestamp, device type, IP address, and technical metadata related to the interaction with the chatbot.
- E-commerce/CRM Sync Data: Customer ID, Order History, Cart contents, Lead Score (processed only as a Data Processor on behalf of our clients).
- Marketing Data: Preferences regarding receiving marketing communications.
3. Legal Basis for Data Processing (GDPR)
We rely on the following legal bases for processing your personal data, in accordance with Article 6 of the GDPR:
- Contractual Necessity (Art. 6(1)(b)): For processing required to fulfill our contract with our clients (e.g., providing the Chat 71 service functionality).
- Legitimate Interests (Art. 6(1)(f)): For improving our service, ensuring platform security, and conducting non-intrusive analytics, provided your fundamental rights do not override these interests.
- Consent (Art. 6(1)(a)): For sending marketing communications, where explicit consent is provided.
- Legal Obligation (Art. 6(1)(c)): For compliance with legal requirements, such as tax and accounting laws.
4. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): To obtain confirmation on whether your data is being processed and to access that data.
- Right to Rectification (Art. 16): To have inaccurate personal data corrected without undue delay.
- Right to Erasure ('Right to be Forgotten') (Art. 17): To have your data erased under specific conditions (e.g., data is no longer necessary for the purpose for which it was collected).
- Right to Restriction of Processing (Art. 18): To limit the way we use your data under specific circumstances.
- Right to Data Portability (Art. 20): To receive your data in a structured, commonly used, and machine-readable format.
- Right to Object (Art. 21): To object to processing based on legitimate interests or for direct marketing purposes.
To exercise any of these rights, please contact the Data Controller using the details provided in Section 1. We will respond within one month of receiving your request.
5. International Data Transfers
As a company based in Milan, Italy (EU), all data processing activities primarily occur within the European Economic Area (EEA). However, some of our sub-processors (e.g., cloud hosting providers) may be located outside the EEA.
In such cases, we ensure that an adequate level of data protection is maintained through the implementation of one of the following safeguards:
- Binding Corporate Rules (BCR).
- Adherence to an adequacy decision by the European Commission.
- Implementation of the **Standard Contractual Clauses (SCCs)** approved by the European Commission.
6. Data Security and Retention
Security Measures
We have implemented appropriate technical and organizational measures to protect personal data, including pseudonymisation, encryption (both in transit and at rest), access control, and regular security audits of the C71-Language Core and platform infrastructure.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for satisfying any legal, accounting, or reporting requirements. Retention periods are determined by applicable laws and the nature of the data.
7. Changes to this Privacy Policy
We may update this policy periodically to reflect changes in our data processing practices or legal requirements. We will notify you of any material changes by posting the new policy on this page and updating the 'Effective Date' at the top.