Policy on the processing of personal data
Pursuant to Articles 13 and 14 of EU Regulation No. 679/2016 (GDPR)
In order to conduct correct and transparent processing, Aptus.AI S.r.l. provides the following privacy policy (“Privacy Policy”) – drafted pursuant to Articles 13 and 14 of Regulation (EU) No. 679/2016 on the “Protection of Individuals with regard to the Processing of Personal Data” (“GDPR”) and Legislative Decree No. 196/2003 (the “Privacy Code”), as amended by Legislative Decree No. 101/2018 – intended for all those who visit and interact with the “Aptus.AI” platform, accessible at the Internet address https://next.aptus.ai (“Platform”).
Aptus.AI: is Aptus.AI S.r.l., with registered office in Pisa (PI), Via dell’Argine No. 1, 56122, VAT No. 02288220508.
Client: is a legal entity or a natural person, who intends to use the Services, through its Users.
Contract: the contract from time to time entered into by Aptus.AI and the User for the use of the Services.
Cookies: cookies are text files (letters and/or numbers) that contain packets of information that are stored on Data Subjects’ computers or mobile devices every time they visit a website through a browser. On each subsequent visit, the browser sends the cookies back to the website that originated them or to another website. Cookies can be stored only for the time of use of a particular site (i.e., session cookies), or for a longer period of time and independent of the session (i.e., persistent cookies).
Data Controller: the natural or legal person, public authority, service or other body that, individually or jointly with others, determines the purposes and means of the processing of Personal Data within the meaning of Article 4 of the GDPR.
Data Processor: is the natural or legal person, public authority, service or other body that processes Personal Data on behalf of the Data Controller pursuant to Article 4 of the GDPR.
Data Subjects: the natural persons to whom the Personal Data refer, pursuant to Article 4 of the GDPR.
European Economic Area: indicates the EU countries, Norway, Iceland and Liechtenstein.
Fees: any fees charged by Aptus.AI to the Client for the use of the Services through the Platform.
Personal Data: any information relating to a natural person who is identified or identifiable, directly or indirectly, by reference to name, an identification number, location data, an online identifier, or characteristic elements of his or her physical, physiological, genetic, mental, economic, cultural, or social identity.
Plan: indicates one among the plans indicated on the Platform, to which predetermined Services correspond.
Processing: means any operation or set of operations involving Personal Data, such as, but not limited to, collection, organization, structuring, storage, modification, extraction, consultation, use, communication, interconnection, restriction, erasure and destruction.
Services: the services enjoyed by Users through the Platform, as described in the Contract.
SLA Services: the services, if any, provided by Aptus.AI for the benefit of Clients qualified as “enterprise clients” in accordance with the annex “Service Level Agreement” of the Contract.
Third Party Entities: means (i) official databases and publication channels of publicly accessible regulatory and normative bodies; and (ii) databases and publication channels to which Aptus.AI has access or, subject to Client’s request and authorization, databases and publication channels to which the Client has access.
Third Party Providers: means the third party providers that Aptus.AI uses, whether they are technical providers of services that are partially or entirely essential for the use of the Services (such as, but not limited to, cloud providers, AI providers, payment processor, etc.), or services that are not essential but bring added value to the use of the Services (such as, but not limited to, Platform integrations with Microsoft Teams, Google Workspace, etc.).
Users: all natural person users belonging to and/or related to the Client who, individually, use the Platform in the name and on behalf of the Client.
The Data Controller for the Processing of Personal Data is Aptus.AI S.r.l.
If you have any questions regarding the Processing of your Personal Data, the Data Controller can be contacted at the following addresses:
(a) Mail: Via dell’Argine No. 1, 56122, Pisa;
(b) E-mail: info@aptus.ai;
(c) PEC: aptus.ai@pec.it
Personal Data collected and processed by the Data Controller include:
(a) Personal Data directly provided by the User and/or the Client: this is the Personal Data of the Data Subject, which is identifying and non-sensitive (in particular, first name, last name, e-mail address, telephone number), spontaneously communicated by the User and/or the Client to Aptus.AI, through registration on the Platform and/or contact request;
(b) Personal Data automatically collected by the Platform: this is the identifying and non-sensitive Personal Data of the Data Subject automatically collected by the Platform (e.g., page accesses, amount of data transferred, session ID numbers, IP addresses, URL addresses, cookies, etc.);
(c) Personal Data collected during the provision of Services: this is the Personal Data of the Data Subject provided during the use of Services by the Data Subjects themselves;
(d) Personal Data collected from Third Party Entities and/or Third Party Providers with which the User interacts using the Services: this is the Personal Data of the Data Subject from Third Party Entities and/or Third Party Providers and collected during the User’s use of applications of such Third Party Entities and/or Third Party Providers (e.g., during registration, through the so-called “single sign-on” authentication system).
The Data Controller processes Personal Data, also with the help of computer, telematic and manual means, for the following purposes:
(a) Allow navigation on the Platform:
Some Personal Data may be automatically collected while browsing the Platform. For the processing of some of these data it is necessary to acquire the consent of the Data Subject (e.g., analytics cookies), for others consent is not necessary (e.g., technical cookies).
For more information on how the data is processed for this specific purpose, data retention times and other details, see our Cookie Policy.
If you are a mere navigator of the Platform, this is the only Processing we perform on your Personal Data.
(b) Manage contact requests.
Personal Data may be processed for the handling of contact requests, including those related to SLA Services. Such Processing is based on the legitimate interest (Art. 6, c. 1, lett. f) of the GDPR) of Aptus.AI in responding to contact requests, which Aptus.AI considers to be overriding with respect to the Data Subjects’ right to privacy. The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide it will result in the inability to complete the request.
(c) Registration on the Platform:
Personal Data of the Client and/or Users will be processed to enable registration to the Platform and use of the Services.
The legal basis for this Processing is the performance of the Contract (Art. 6, c. 1, letter b) of the GDPR). The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide it will result in the inability to properly provide the Services identified in the Contract.
(d) Enable the Client and/or Users to use the Services:
The Client and/or Users’ Personal Data will be processed to enable you to use the Services through the Platform in accordance with the terms of the Contract.
The legal basis for this Processing is the performance of the Contract (Art. 6, c. 1, letter b) of the GDPR). The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide it will result in the inability to properly provide the Services identified in the Contract.
(e) Sending informative and promotional communications (so-called soft spam) related to the Services by e-mail:
The Client and/or User’s Personal Data may be used for general marketing purposes, consisting of sending informative and promotional communications referring to the Services available on the Platform.
The legal basis for this processing is the legitimate interest (art. 6, c. 1, lett. f) of the GDPR) of Aptus.AI, consisting in the benefit that Aptus.AI may obtain from sending informative and promotional communications that promote the sale of the Services to its Users, involving them in the growth and development of Aptus.AI, which the latter considers to be prevailing over the Users’ right to privacy (who, moreover, may reasonably expect to receive such communications).
The User may object to this Processing at any time, without giving any reason, by following the directions set forth in Section 8(c) of this Privacy Policy or through the appropriate link to “unsubscribe” found in any promotional communication sent by the Data Controller.
(f) Enable Clients to make payments of the Fees under the Contract:
The Client’s Personal Data may be processed for the purpose of payment of the Fees specified in the Contract. The legal basis for this Processing is the performance of the Contract (Art. 6, c. 1, lett. b) of the GDPR). The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide it will result in the inability to properly provide the Platform Services identified in the Contract.
(g) Retain data on Client’s means of payment (e.g., credit cards) for the sole purpose of facilitating further purchases on the Platform:
The Client’s Personal Data may be processed for the purpose of facilitating subsequent purchases by the Client, without prejudice to the possibility for the Client to purchase and access the available Services even in the absence of previous storage of payment means data. Such processing is performed exclusively by the provider of the payment method selected by the Client.
The legal basis for this processing is the free, specific, informed and unambiguous consent of the Data Subject (Art. 6, c. 1, lett. a) of the GDPR), expressed by means of a statement or positive action (e.g., flag or click) and collected by the providers of the payment method. Withdrawal of consent may be exercised at any time by following the directions provided in the privacy policies of the providers of such service.
(h) Ensure computer security, access to and use of the Platform by Users:
The Client and/or User’s Personal Data may be used to ensure the cybersecurity of the Platform.
The legal basis for this Processing is legitimate interest (Art. 6, c. 1, lett. f) of the GDPR). The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide it will result in the inability to properly provide the Platform Services identified in the Contract.
(i) Fulfil current legal obligations and enable Aptus.AI to ascertain, exercise and defend its rights in court or before any other competent authority:
The Client and/or User’s Personal Data may be processed to protect Aptus.AI’s legal position, rights and interests with respect to the signing, interpretation and performance of the Contract. Such Processing is based on: i) the legitimate interest (Art. 6, c. 1, lett. f) of the GDPR) of Aptus.AI, consisting of the benefit that Aptus.AI may obtain in protecting its legal position, rights and interests, which Aptus.AI considers to be prevailing over the Users’ right to confidentiality; and ii) where the involvement of third party authorities is necessary or appropriate, based on the legal obligation (Art. 6, c.1, c) of the GDPR) of Aptus.AI to cooperate with the competent authorities in carrying out investigations related to the execution, interpretation and performance of the Contract. The provision of data for this purpose is necessary and in case of refusal the Data Controller will not be able to provide the requested services.
(j) Allow the Client and/or User to exercise their rights:
The Data Controller may process the Client and/or User’s Personal Data in order to:
(a) acknowledge requests to exercise rights in connection with the provision of the Services of the Platform;
(b) carry out activities that prove necessary as a consequence of the exercise of such rights;
(c) receive and acknowledge requests to exercise Personal Data protection rights under the GDPR and carry out all consequent activities.
The legal basis for this processing is the fulfilment of a legal obligation to which the Data Controller is subject (Art. 6, c. 1, lett. c) of the GDPR). The provision of data for this purpose is necessary and in case of refusal the Data Controller will not be able to provide the requested services.
The Client and/or User’s Personal Data will be processed exclusively by the staff and collaborators of the Data Controller, specifically authorized under Articles 29 of the GDPR and 2-quaterdecies of the Privacy Code, or by the companies expressly appointed as Data Processors, under Article 28 of the GDPR.
The Data Subject may request from the Data Controller, at any time, an updated list of the Data Processors carrying out Processing operations on his or her Personal Data.
Personal Data will not be disseminated under any circumstances, i.e., it will not be disclosed to unspecified individuals, in any form, including by simply making it available or consulting it.
In general, the Data Controller does not transfer Data Subjects’ Personal Data to countries outside the European Economic Area or to international organizations.
Should this occur, the Data Controller guarantees that all transfers will be subject to the appropriate protections described in Article 46 of the GDPR.
Personal Data is kept for the period of time strictly necessary to achieve the purposes for which it was collected. We provide below a comprehensive breakdown of the retention periods, with respect to the purposes represented in the above Section 3 of this Privacy Policy.
| Purpose | Storage time |
| --- | --- |
| (a) – Navigation on the Platform | We recommend reading the cookies policy, available on the banner on the Platform |
| (b) – Manage contact requests | 6 months from the receipt of the contact request sent by the Data Subject. Notwithstanding this time limit, if a complaint or grievance is sent, the Personal Data will be retained for the period referred to in (i) below |
| (c) – Registration to the Platform | Term of the Contract and for an additional period of 12 months after the termination of the Contract |
| (d) – Allow the provision of the Services. | Term of the Contract and for an additional period of 12 months after the termination of the Contract |
| (e) – Informational and promotional communications | 24 months following the last purchase by the Client, eligible to demonstrate an interest in the Aptus.AI Services |
| (f) – Allow the execution of payments. | Term of the Contract |
| (g) – Retention of data on means of payment | Term of the Contract |
| (h) – Ensure IT security, access to and use of the Platform. | Term of the Contract and for a period of 6 months after the termination of the Contract |
| (i) – Legal or judicial obligations and assessments. | 10 years (or for the longer period necessary for the conclusion of the court case, if any) |
| (j) – Exercise of Data Subject’s Rights. | Term of the Contract |
The GDPR guarantees each Data Subject some important rights that you can exercise against the Data Controller. These recognized rights include the right to:
(a) request from the Data Controller access to the Personal Data and information relating to the same (pursuant to Article 15 of the GDPR), the rectification and/or integration of inaccurate Personal Data or the integration of incomplete Personal Data (pursuant to Article 16 of the GDPR), the deletion of the Personal Data that concerns the Client and/or the User personally (upon the occurrence of one of the conditions indicated in Article 17, paragraph 1 of the GDPR and in compliance with the exceptions provided for in paragraph 3 of the same article), or the limitation of the Processing of Personal Data (upon the occurrence of one of the cases indicated in Article 18, paragraph 1 of the GDPR).
(b) request and obtain from the Data Controller – in cases where the legal basis of the Processing is contract or consent, and the same is carried out by automated means – Personal Data in a structured, machine-readable format, including for the purpose of communicating such Personal Data to another data controller (so-called right to personal data portability, pursuant to Article 20 of the GDPR).
(c) object at any time to the Processing of Personal Data that has as its legal basis the legitimate interest of the Data Controller (pursuant to Article 21 of the GDPR), by sending an email to Aptus.AI. In the case of exercising the right to object, the Data Controller shall refrain from further processing of Personal Data, unless it demonstrates the existence of compelling legitimate grounds for proceeding with the Processing that override the interests, fundamental rights and freedoms of the Data Subject or for the establishment, exercise or defense of a right in a court of law.
(d) withdraw consent at any time, limited to cases where the Processing is based on your consent for one or more specific purposes and involves common Personal Data (e.g., date and place of birth or place of residence) without affecting the lawfulness of the Processing based on the consent given prior to the withdrawal (pursuant to Article 13(2)(c) GDPR).
(e) file complaints to a supervisory authority (Data Protection Authority – garanteprivacy.it) (pursuant to Article 13(2)(d) GDPR).
Pursuant to Article 12 of the GDPR, the Data Controller will provide the Data Subject with information about the actions taken in relation to a request for the exercise of rights without undue delay and, in any case, within one month of receipt of the request. This period may be extended up to 3 (three) months in cases of particular complexity. The Data Controller, in the latter case, will inform the Data Subject of the extension and the reasons for the delay within one month of receipt of the request. If you have submitted a request by electronic means, the information will be provided to you, where possible, by electronic means, unless you indicate otherwise.
Last Update: 10 June 2025