The company SIPA S.p.A. (hereinafter the “Service Provider”), located in Vittorio Veneto (TV), Italy,via Caduti del Lavoro 3, the controller of the personal data, pays the utmost attention to the security and confidentiality of personal data in the performance of its business activities.

TYPES OF PERSONAL DATA RELATING TO YOU THAT CAN BE COLLECTED

The following categories of personal data relating to you may be collected (the term “personal data” is understood to refer jointly to all the categories outlined below):

• Biographical and contact data (e.g. information relating to name, telephone number, email address);
• Payment details: (e.g. IBAN code).
• IP Address and Geolocation Data: (e.g. information derived from your IP address, such as your approximate country and city).
• Technical usage data automatically collected during your authenticated session: (e.g. email address, IP address, browser type, and the URL of the page where an error occurred), processed solely for error monitoring and service reliability purposes.

HOW WE COLLECT YOUR PERSONAL DATA

The Service Provider collects and processes your personal data on the basis of the relationship existing with you. If you provide personal data on behalf of someone else you must make sure, in advance, that the interested have read this document. The Service Provider asks for your help to maintain your personal data up-to-date, informing us of any changes.

PURPOSES YOUR PERSONAL DATA CAN BE USED FOR

Service Provider may process your personal data for one or more of the following purposes, for the specified basis:

1. Establishment of the relationship: the Service Provider may process your personal and contact data in order to proceed with the establishment and management of the resulting relationship. Processing Assumption: the provision of data must be considered mandatory for the execution of contractual / pre-contractual measures. Failure to provide such data may result in the inability to carry out your request.
2. Compliance with legally binding requests to to meet legal obligations, rules and regulations as well as to defend a right in court: the Service Provider may process your personal data to fulfill a legal obligation and / or to defend its rights in court. Processing Assumption: legal obligations to which the Service Provider is obliged to comply.
3. Personalization of Content and Security: the Service Provider may process your IP address to determine your approximate geographical location (country and city) in order to provide a better user experience, such as displaying content in your local language or currency, and for security purposes, such as monitoring for suspicious activity. Processing Assumption: this processing is based on the legitimate interest of the Service Provider to provide a secure and functional service tailored to the user's location.
4. Error monitoring and service reliability: the Service Provider may automatically process your email address, IP address, browser type, and the URL of the page where an error occurred, in the event of an application error during your authenticated session. This data is used solely to diagnose technical issues and, where necessary, to contact the affected user. Processing Assumption: this processing is based on the legitimate interest of the Service Provider to maintain a secure and functioning service (Art. 6(1)(f) GDPR). Data is transmitted to PostHog (see "Use of Analytics and Monitoring Tools" below) and stored exclusively on servers located within the European Union.

HOW WE KEEP YOUR PERSONAL DATA SECURE

The Service Provider uses suitable security measures in order to guarantee protection, security, integrity and accessibility of your personal data. All of your personal data is stored on our protected servers (or on suitably stored paper copies) or on the servers of our suppliers, and are accessible and usable on the basis of our standards and security policies (or equivalent standards for our suppliers).

HOW LONG WE STORE YOUR DATA FOR

The Service Provider only stores your personal data for the period of time necessary for fulfilling the purposes the data was collected for or for fulfilling any other legitimate connected purpose. Your personal data which is no longer necessary, or for which there is no longer any legal basis for storage, will be irreversibly anonymised or destroyed in a secure manner.

PARTIES YOUR PERSONAL DATA MAY BE SHARED WITH

Your personal data may be accessed by duly authorised employees, as well as external suppliers, where necessary, appointed data processors. This includes the use of local databases from third-party service providers, such as MaxMind for geolocation services, to process data without it leaving our protected servers, and PostHog (PostHog Inc., operating its EU infrastructure at eu.i.posthog.com) for error monitoring, with all data stored exclusively on servers located within the European Union. Please contact the Service Provider by email sipaprivacy@zoppas.com if you wish to request a list of the data controllers and the other subjects to whom your data are communicated.

USE OF ANALYTICS AND MONITORING TOOLS

Umami Analytics

We use Umami Analytics to help us understand how visitors interact with our website. Umami Analytics is a privacy-focused tool that does not collect personal data, such as names, email addresses, or any other personally identifiable information. All data collected is anonymized and is used solely for the purpose of analyzing website performance and improving user experience.

Data Collection: Umami Analytics collects anonymized data such as:

• Anonymized IP addresses
• Browser type and version
• Pages visited and time spent on each page
• Referring site details

No Cookies: Umami Analytics does not use cookies, ensuring that no personal data is stored on your device and no cookie consent banner is required.

Compliance: The use of Umami Analytics is fully compliant with GDPR and CCPA, ensuring the highest standards of privacy and data protection.

PostHog Error Monitoring

We use PostHog for error monitoring to detect, diagnose, and resolve technical issues that occur while you use our service. PostHog operates its EU infrastructure at eu.i.posthog.com, and all data is stored exclusively on servers located within the European Union.

Data Collection: In the event of an application error during your authenticated session, PostHog automatically collects:

• Your email address (to identify and, where necessary, contact the affected user)
• Your IP address
• Browser type and version
• The URL and HTTP method of the request that caused the error
• The error stack trace (no user-generated content is included)

Purpose: This data is used solely to diagnose technical problems and maintain service reliability. It is not used for profiling or marketing.

Legal Basis: Processing is based on the legitimate interest of the Service Provider to maintain a secure and functional service (Art. 6(1)(f) GDPR). No consent is required as the processing is strictly limited to what is necessary for error resolution and does not override your privacy interests.

Data Retention: Error events are retained only for the period necessary to investigate and resolve the underlying technical issue, in accordance with our general data retention policy.

Langfuse

We use Langfuse to log users' questions to our chatbot in order to improve our chatbot's performance and provide better responses to user queries.

Data Collection: Langfuse logs the questions users ask our chatbot. This may include any information voluntarily provided by users during their interactions with the chatbot.

Purpose of Data Collection: The data collected by Langfuse is used to:

• Analyze and improve chatbot responses
• Understand common user queries and improve user experience

Data Anonymization: While Langfuse logs user questions, we ensure that any personal data included in these logs is anonymized to the extent possible.

Compliance: The use of Langfuse is designed to be compliant with GDPR and CCPA, ensuring that user privacy is maintained and that no personal data is collected without user consent.

CONTACTS

For any doubts or comments as well as to exercise your rights you can write to sipaprivacy@zoppas.com. For any complaints or recommendations regarding the processing procedures of your data the Service Provider will make every effort to address your concerns. However, if you wish, you may forward your complaints or recommendations to the data protection supervisory authority using the contact details on the website www.garanteprivacy.it.

YOUR DATA PROTECTION RIGHTS AND RIGHT TO MAKE CLAIMS TO THE SUPERVISORY AUTHORITY

Under certain conditions you have the right to ask to Service Provider:

• to access your personal data;
• for a copy of the personal data you supplied us with (so-called data portability);
• to correct data in our possession;
• to delete any data the Service Provider has no legal basis to process;
• to object to processing where provided by the applicable legislation;
• to revoke your consent, where processing is based on your consent;
• to limit the way in which the Service Provider processes your personal data, up to the limits provided by the applicable legislation.

The exercising of the above rights is subject to certain exceptions relating to the safeguarding of the public interest (e.g. the prevention or identification of crimes) and certain interests of the Service Provider. In the event of you exercising any of the above mentioned rights, the Service Provider will be required to verify that you are entitled to exercise the respective right and the Service Provider will generally respond to any requests within a month.