Privacy notice

Andrea AI Privacy Policy

This notice explains how personal data collected through the multilingual public website, the contact form, and the internal portal used by authorized users is processed.

Last updated: 7 April 2026

Data controller

Available contact and company details are shown below. Any empty field can be completed in production configuration with the official Nil-Tech S.r.l. corporate details.

Contact
info@nil-tech.net
Company
Nil-Tech S.r.l.
VAT no.
05614380268

Scope

This notice applies to the public Andrea AI pages available in Italian, English, French, and German, to the public contact form, and to the internal reserved area used by authorized employees and administrators.

Categories of personal data

Depending on the area used, the following data may be processed:

  • browsing data and technical logs generated by the systems, including IP address, user agent, session data, and security logs;
  • identification and contact data entered in the public form: first name, last name, company, email, phone number, and message content;
  • cookie and technical preference choices stored in the browser;
  • reserved-area account data such as name, business email, role, account status, last login, password-change history, and application sessions;
  • prospect data entered or viewed by authorized users in the internal portal.

Purposes and legal bases

  • website operation, application security, abuse prevention, spam prevention, and protection against unauthorized access: controller’s legitimate interest under Article 6(1)(f) GDPR;
  • handling contact, demo, pilot, or commercial/technical requests submitted by the data subject: pre-contractual measures taken at the data subject’s request under Article 6(1)(b) GDPR;
  • management of internal reserved-area accounts and related operations performed by authorized users: organizational legitimate interest and, where applicable, contractual or pre-contractual obligations;
  • compliance with legal, tax, administrative, or rights-protection obligations: Article 6(1)(c) GDPR;
  • optional non-technical cookies or tools, where activated in the future: user consent under Article 6(1)(a) GDPR.

Mandatory or optional provision of data

Providing data marked as necessary in the forms is required to submit a contact request or access the reserved area. Without the mandatory data, the request cannot be handled or access cannot be granted.

Processing methods and security measures

  • Processing is carried out with electronic tools and organizational measures proportionate to the risk.
  • Access to data is limited to authorized personnel and technical providers acting as processors or authorized persons.
  • The website adopts measures such as authentication, protected sessions, anti-spam and anti-bot controls, rate limiting, and application security headers.
  • No solely automated decision producing legal or similarly significant effects on the data subject is made through the website forms.

Recipients of data

Data may be disclosed, to the extent strictly necessary, to hosting and infrastructure providers, parties supporting maintenance and security of the website, appointed advisors or professionals, and competent authorities where required by law.

Transfers outside the EEA

Some technical services or infrastructure providers may involve access to or processing in countries outside the EEA. In those cases, the controller adopts the safeguards provided by Articles 44 et seq. GDPR, including adequacy decisions or standard contractual clauses where applicable.

Retention periods

  • browsing data and security logs: up to 30 days, unless longer retention is needed to investigate abuse or security incidents;
  • cookie preferences: up to 6 months;
  • public contact requests and related prospects: up to 24 months from the last meaningful contact, unless longer retention is required by legal or contractual needs;
  • reserved-area data: for the duration of the access authorization and, as a rule, up to 24 months after deactivation, unless different legal obligations or rights-protection needs apply;
  • data required to defend legal claims or comply with mandatory obligations: for the period required by applicable law or dispute management.

Data subject rights

Data subjects may exercise the rights provided by Articles 15-22 GDPR, where applicable: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent for processing based on consent.

Data subjects also have the right to lodge a complaint with the competent supervisory authority or seek judicial remedy.

Cookies and similar tracking tools

The website uses technical cookies required for operation, session security, and storing cookie choices. Optional categories displayed in the preference panel are currently inactive and will remain disabled until a future activation based on user consent.

Minors

The website and portal are not designed for use by minors under 18. We do not knowingly collect minors’ data through the website forms.

Policy updates

This notice may be updated for legal, organizational, or technical reasons. The version published on the website is the one currently in force.