
Privacy policy Aptus.AI website

Information on the processing of personal data pursuant to Articles 13 and 14 of EU Regulation No. 679/2016 (GDPR)

In order to conduct fair and transparent processing, Aptus.AI S.r.l. provides the following information (“Privacy Policy”) – drafted pursuant to Articles 13 and 14 of Regulation (EU) No. 679/2016 on the “Protection of natural persons with regard to the processing of personal data” (“GDPR”) and of Legislative Decree 196/2003 (“Privacy Code”), as amended by Legislative Decree 101/2018 – intended for all those who visit and interact with the “Aptus.AI” platform, accessible at the internet address https://next.aptus.ai (“Platform”).

1. Definitions

Aptus.AI: is Aptus.AI S.r.l., with registered office in Pisa (PI), Via dell’Argine n. 1, 56122, VAT No. 02288220508.

Client: is a legal entity or a natural person who intends to use the Services through its Users.

Contract: the contract signed from time to time by Aptus.AI with the User to use the Services.

Cookies: cookies are text files (letters and/or numbers) that contain packets of information that are stored on the computer or mobile device of the Data Subjects every time they visit a website through a browser. At each subsequent visit, the browser sends the cookies to the website that originated them or to another site. Cookies can be stored only for the time of use of a specific site (i.e., session cookies), or for a longer period of time independent of the session (i.e., persistent cookies).

Fees: any fee requested by Aptus.AI from the Client for the use of the Services through the Platform.

Personal Data: any information relating to an identified or identifiable natural person, directly and indirectly, by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Third-Party Entities: indicates (i) publicly accessible databases and official publication channels of regulatory and standard-setting bodies; and (ii) databases and publication channels to which Aptus.AI has access or, upon request and authorization of the Client, databases and publication channels to which the Client has access.

Third-Party Suppliers: indicates the third parties that Aptus.AI uses, whether they are technical suppliers of services that are partially or entirely essential for the use of the Services (such as, by way of example, cloud providers, AI providers, payment managers, etc.), or of non-essential services that add value to the use of the Services (such as, by way of example, integrations of the Platform with Microsoft Teams, Google Workspace, etc.).

Data Subjects: the natural persons to whom the Personal Data refer, pursuant to Art. 4 of the GDPR.

Plan: indicates one of the plans indicated on the Platform, to which predetermined Services correspond.

Processor: the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, pursuant to Art. 4 of the GDPR.

Services: the services used by Users through the Platform, as described in the Contract.

SLA Services: any services provided by Aptus.AI to the “enterprise” Client pursuant to the “Service Level Agreement” annex of the Contract.

European Economic Area: consists of the EU countries, Norway, Iceland and Liechtenstein.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data pursuant to Art. 4 of the GDPR.

Processing: any operation or set of operations performed on Personal Data, such as, by way of example, collection, organization, structuring, storage, modification, extraction, consultation, use, communication, interconnection, restriction, erasure and destruction.

Users: all natural person users belonging to and/or connected to the Client who, individually, use the Platform in the name and on behalf of the Client.

Webinar: training, informational or promotional events organized by Aptus.AI in telematic mode.

2. Data Controller and Data Protection Officer – Who processes the Personal Data?

The Controller of the Processing of Personal Data is Aptus.AI S.r.l.

For any questions regarding the Processing of your Personal Data, the Controller can be contacted at the following addresses:

  1. Mail: Via dell’Argine n. 1, 56122, Pisa;
  2. E-mail: info@aptus.ai;
  3. Certified E-mail (PEC): aptus.ai@pec.it

3. Subject of the Processing – What personal data do we process?

The Personal Data collected and processed by the Controller include:

(a) Personal Data directly provided by the User and/or the Client: are the Data Subject’s Personal Data, identifying and non-sensitive (in particular, name, surname, e-mail address, telephone number), spontaneously communicated by the User and/or the Client to Aptus.AI, through registration on the Platform and/or contact request;

(b) Personal Data collected automatically by the Platform: are the Data Subject’s Personal Data, identifying and non-sensitive, collected automatically by the Platform (such as, e.g., page accesses, the amount of data transferred, session ID numbers, IP addresses, URL addresses, cookies, etc.);

(c) Personal Data collected during the provision of Services: are the Personal Data of the Data Subject provided during the use of the Services by the Data Subjects themselves;

(d) Personal Data collected from Third-Party Entities and/or Third-Party Suppliers with whom the User interacts using the Services: are the Personal Data of the Data Subject from Third-Party Entities and/or Third-Party Suppliers and collected during the use by the User of applications of such Third-Party Entities and/or Third-Party Suppliers (for example, during registration, using the so-called “single sign-on” authentication scheme);

(e) Personal data collected during participation in Webinars: are the Personal Data of the Data Subject, both identifying and relating to image and voice, collected during participation in Webinars organized by Aptus.AI, including name, surname, email address used for registration, video and audio image acquired during the session.

4. Purpose and legal basis of the Processing – Why do we process your Personal Data?

The Controller processes Personal Data, also with the aid of IT, telematic and manual means, for the following purposes:

(a) To allow navigation on the Platform [consent/legitimate interest]

Some Personal Data may be automatically collected during navigation on the Platform. For the processing of some of this data, it is necessary to obtain the consent of the Data Subject (e.g. analytics cookies), for others, consent is not necessary (e.g. technical cookies).

For more information on the processing methods for this specific purpose, data retention times and other details, please consult our Cookie Policy.

If you are a simple navigator of the Platform, this is the only Processing we carry out on your Personal Data.

(b) To manage contact requests [legitimate interest]

Personal Data may be processed for the management of contact requests, including those related to SLA Services. This Processing is based on the legitimate interest (Art. 6, c. 1, lett. f) of the GDPR) of Aptus.AI to respond to contact requests, which Aptus.AI considers to be prevalent over the right to privacy of the Data Subjects. The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide them will make it impossible to complete the request.

(c) To allow registration on the Platform [performance of the Contract]

The Personal Data of the Client and/or Users will be processed to allow registration on the Platform and the use of the Services.

The legal basis for this Processing is the performance of the Contract (Art. 6, c. 1, lett. b) of the GDPR). The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide them will make it impossible to correctly provide the Platform Services identified in the Contract.

(d) To allow the Client and/or Users to use the Services [performance of the Contract]

The Personal Data of the Client and/or Users will be processed to allow you to use the Services through the Platform, as provided for in the Contract.

The legal basis for this Processing is the performance of the Contract (Art. 6, c. 1, lett. b) of the GDPR). The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide them will make it impossible to correctly provide the Platform Services identified in the Contract.

(e) Sending of informational and promotional communications (so-called soft spam) relating to the Services by e-mail [legitimate interest]

The Personal Data of the Client and/or User may be used for generic marketing purposes, consisting of sending informational and promotional communications referring to the Platform’s Services.

The legal basis for this processing is the legitimate interest (Art. 6, c. 1, lett. f) of the GDPR) of Aptus.AI, consisting of the benefit that Aptus.AI can obtain from sending informational and promotional communications that promote the sale of the Services to its Users, involving the latter in the growth and development path of Aptus.AI, which the latter considers to prevail over the right to privacy of the Users (who, moreover, can reasonably expect to receive such communications).

The User may object to this Processing at any time, and without any reason, by following the instructions in point 8(c) of this Privacy Policy or through the appropriate “unsubscribe” link present in every promotional communication sent by the Controller.

(f) To allow Clients to make payments for the Fees provided for in the Contract [performance of the contract]

The Client’s Personal Data may be processed for the purpose of paying the Fees indicated in the Contract. The legal basis for this Processing is the performance of the Contract (Art. 6, c. 1, lett. b) of the GDPR). The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide them will make it impossible to correctly provide the Platform Services identified in the Contract.

(g) To store the data of the Clients’ means of payment (e.g. credit cards) for the sole purpose of facilitating further purchases on the Platform [consent]

The Client’s Personal Data may be processed in order to facilitate subsequent purchases by the Client, without prejudice to the possibility of purchasing and accessing the available Services even in the absence of the previous storage of the payment method data. This processing is carried out exclusively by the provider of the payment method selected by the Client.

The legal basis for this processing is the free, specific, informed and unequivocal consent of the Data Subject (Art. 6, c. 1, lett. a) of the GDPR), expressed by a declaration or positive action (e.g., flag or click) and collected by the payment method providers. The withdrawal of consent can be exercised at any time, by following the instructions provided in the privacy policies of the providers of this service.

(h) To organize and manage Webinars [performance of the contract/pre-contractual measures]

The Personal Data of the Data Subjects who register for the Webinars (name, surname, email address and other data provided during registration) will be processed to allow the organization and technical management of the event, including sending access credentials, service communications relating to the event and post-Webinar information material. The legal basis for this Processing is the performance of a contract to which the data subject is a party or the execution of pre-contractual measures taken at their request (Art. 6, par. 1, lett. b) GDPR). During participation in the Webinar, the platform may automatically collect technical connection data (IP address, session duration, interactions with the platform) necessary for the technical operation of the service.

The provision of Personal Data for this purpose is necessary to participate in the Webinar and, therefore, any refusal to provide them will make it impossible to access the event.

(i) To record and use Webinar recordings [consent]

The Personal Data of the Data Subjects, including image and voice, may be recorded during the Webinars and subsequently used by Aptus.AI for the purposes of dissemination, sharing on its communication channels (including social media), archiving and further use by interested third parties. The legal basis for this Processing is the free, specific, informed and unequivocal consent of the Data Subject. This consent is collected, alternatively, (i) during the registration phase for the Webinar, by means of a specific check on a non-pre-selected box, or (ii) at the beginning of each Webinar, before the start of the recording, through a specific request from the moderator. Data Subjects who do not intend to give their consent to the recording can still participate in the Webinar by keeping their webcam and microphone off and refraining from speaking. The withdrawal of consent can be exercised at any time by following the instructions in point 8 of this Privacy Policy. The withdrawal of consent will result in the termination of the processing of the Data Subject’s Personal Data and the removal of the recording from the channels owned by Aptus.AI, it being understood that there may be technical limitations in the removal of content already disseminated on third-party platforms or already shared by other users, over which Aptus.AI has no direct control.

(j) To ensure the IT security, access and use of the Platform by Users [legitimate interest]

The Personal Data of the Client and/or User may be used to ensure the IT security of the Platform.

The legal basis for this Processing is the legitimate interest (Art. 6, c. 1, lett. f) of the GDPR). The provision of Personal Data for this purpose is necessary and, therefore, any refusal to provide them will make it impossible to correctly provide the Platform Services identified in the Contract.

(k) To comply with current legal obligations and to allow Aptus.AI to ascertain, exercise and defend its rights in court or before any other competent authority [legitimate interest/legal obligation]

The Personal Data of the Client and/or User may be processed to protect the legal position, rights and interests of Aptus.AI with regard to the subscription, interpretation and fulfillment of the Contract. This Processing is based on: i) the legitimate interest (Art. 6, c. 1, lett. f) of the GDPR) of Aptus.AI, consisting of the benefit that Aptus.AI can obtain in protecting its legal position, its rights and its interests, which Aptus.AI considers to be prevalent over the right to privacy of the Users; and ii) where the involvement of third-party authorities is necessary or appropriate, on the basis of the legal obligation (Art. 6, c.1, lett. c) of the GDPR) of Aptus.AI to cooperate with the competent authorities in carrying out investigations relating to the execution, interpretation and fulfillment of the Contract. The provision of data for this purpose is necessary and in case of refusal the Controller will not be able to provide the requested services.

(l) To allow you to exercise the rights of the Client and/or User [legal obligation]

The Controller may process the Personal Data of the Client and/or User in order to: (i) respond to requests to exercise rights in relation to the provision of the Platform’s Services; (ii) carry out the activities that prove necessary as a consequence of the exercise of these rights; (iii) receive and respond to requests to exercise the rights regarding the protection of Personal Data provided for by the GDPR and carry out all consequent activities.

The legal basis for this processing is the fulfillment of a legal obligation to which the Data Controller is subject (Art. 6, c. 1, lett. c) of the GDPR). The provision of data for this purpose is necessary and in case of refusal the Controller will not be able to provide the requested services.

5. Communication of data – To whom is Personal Data communicated?

The Personal Data of the Client and/or User will be processed exclusively by the staff and collaborators of the Controller, specifically authorized pursuant to Art. 29 of the GDPR and 2-quaterdecies of the Privacy Code, or by companies expressly appointed as Processors, pursuant to Art. 28 of the GDPR.

The Data Subject may request from the Controller, at any time, an updated list of the Processors who carry out Processing operations on their Personal Data.

6. Transfer of data – To whom is Personal Data transferred?

In general, the Controller does not transfer the Personal Data of Data Subjects to countries outside the European Economic Area or to international organizations.

Should this occur, the Controller guarantees that all transfers will be subject to the appropriate safeguards described in Article 46 of the GDPR.

7. Personal data retention period – How long do we keep Personal Data?

Personal Data is kept for the period of time strictly necessary to achieve the purposes for which it was collected. Below is an exhaustive analysis of the retention periods, in relation to the purposes represented in point 3 of this Privacy Policy.

| Purpose | Retention time |
| --- | --- |
| (a) – Navigation on the Platform | We recommend reading the cookie policy, available on the banner on the Platform |
| (b) – Manage contact requests | 6 months from receipt of the contact request sent by the Data Subject. Notwithstanding this term, in the event of a complaint or grievance being sent, the Personal Data will be kept for the period referred to in the following letter (i) |
| (c) – Registration on the Platform | Duration of the Contract and for a further period of 12 months after the termination of the Contract |
| (d) – To allow the provision of the Services | Duration of the Contract and for a further period of 12 months after the termination of the Contract |
| (e) – Informational and promotional communications | 24 months following the last purchase by the Client, suitable to demonstrate an interest in the Services of Aptus.AI |
| (f) – To allow the execution of payments | Duration of the Contract |
| (g) – Storage of payment method data | Duration of the Contract |
| (h) – To organize and manage Webinars | 12 months from the conclusion of the Webinar |
| (i) – To record and use Webinar recordings | 5 years from the date of the Webinar recording, unless consent is withdrawn |
| (j) – To ensure IT security, access and use of the Platform | Duration of the Contract and for a period of 6 months after the termination of the Contract |
| (k) – Legal or judicial obligations and assessments | 10 years (or for the longer period necessary for the conclusion of any legal case) |
| (l) – Exercise of the rights of the Data Subject | Duration of the Contract |

8. The rights of the data subject – What are the rights of the Client and/or the User?

The GDPR guarantees each Data Subject some important rights that you can exercise against the Controller. Among the recognized rights are those of:

(a) To ask the Controller for access to Personal Data and information relating thereto (pursuant to Art. 15 of the GDPR), the rectification and/or integration of inaccurate Personal Data or the integration of incomplete ones (pursuant to Art. 16 of the GDPR), the erasure of Personal Data concerning the Client and/or the User (upon the occurrence of one of the conditions indicated in Art. 17, paragraph 1 of the GDPR and in compliance with the exceptions provided for in paragraph 3 of the same article), or the restriction of the Processing of Personal Data (upon the occurrence of one of the hypotheses indicated in Art. 18, paragraph 1 of the GDPR).

(b) To request and obtain from the Controller – in cases where the legal basis for the Processing is the contract or consent, and the same is carried out by automated means – the Personal Data in a structured and machine-readable format, also for the purpose of communicating such Personal Data to another data controller (so-called right to data portability, pursuant to Art. 20 of the GDPR).

(c) To object at any time to the Processing of Personal Data whose legal basis is the legitimate interest of the Controller (pursuant to Art. 21 of the GDPR), by sending an e-mail to Aptus.AI. In the case of exercising the right to object, the Controller shall refrain from further processing the Personal Data, unless it demonstrates the existence of compelling legitimate grounds for proceeding with the Processing that prevail over the interests, rights and fundamental freedoms of the Data Subject or for the establishment, exercise or defense of a right in court.

(d) To withdraw consent at any time, limited to cases in which the Processing is based on your consent for one or more specific purposes and concerns common Personal Data (for example, date and place of birth or place of residence) without prejudice to the lawfulness of the Processing based on the consent given before the withdrawal (pursuant to Art. 13, par. 2, lett. c) of the GDPR).

(e) To lodge a complaint with a supervisory authority (Data Protection Authority – garanteprivacy.it) (pursuant to Art. 13, par. 2, lett. d) of the GDPR).

Pursuant to Art. 12 of the GDPR, the Controller will provide the Data Subject with information about the actions taken in relation to a request to exercise their rights without undue delay and, in any case, within one month of receipt of the request itself. This period may be extended up to 3 (three) months in cases of particular complexity. The Controller, in the latter case, will inform the Data Subject of the extension and the reasons for the delay within one month of receipt of the request. If you have submitted a request by electronic means, the information will be provided, where possible, by electronic means, unless you indicate otherwise.

Last updated: July 4, 2025