Privacy Policy

SegreteriaZen Platform

Last updated: December 1, 2024

Premise

This Privacy Policy describes how personal data of users (hereinafter "Users" or "Professionals") who register and use the SegreteriaZen platform (hereinafter "Platform" or "Service") is processed.

The Platform provides professionals (accountants, labor consultants, and other professionals) with an AI-based virtual secretary service, accessible via WhatsApp Business API, integrated with calendar management systems and customizable knowledge base.

This notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR), Legislative Decree 196/2003 (Privacy Code) as amended by Legislative Decree 101/2018, Regulation (EU) 2024/1689 (AI Act) and Law 132/2025 on artificial intelligence.

1. Data Controller

The Data Controller for personal data of Platform Users is:

2. Roles in Data Processing

2.1 Role Structure

The Platform operates according to a B2B2C multi-tenant model that provides for the following role structure under GDPR:

• The Platform Provider (HPR DIGITAL MEDICINE S.R.L.) acts as Data Controller for the data of registered Users (Professionals) and as Data Processor (pursuant to Art. 28 GDPR) for the data of Professionals' end clients.
• The Professional (accountant or other professional) using the Platform acts as independent Data Controller for the personal data of their clients who interact via the WhatsApp service.

2.2 Data Processing Agreement

The relationship between the Provider and Professionals is governed by a Data Processing Agreement (DPA) compliant with Art. 28 GDPR, which defines: subject and duration of processing, types of data processed, categories of data subjects, confidentiality obligations, security measures, conditions for using sub-processors, procedures for exercising data subject rights, and data breach management.

3. Categories of Personal Data Processed

3.1 User Data (Professionals)

We process the following categories of data:

• Identification and contact data: name, surname, email address, phone number, professional office address, tax code, VAT number.
• Professional data: professional association membership, registration number, specializations.
• Access data: authentication credentials (encrypted password), access logs, IP addresses.
• Configuration data: virtual assistant preferences, customized knowledge base, calendar configuration.
• Payment data: billing and payment information for the service.
• OAuth tokens: access tokens for integrations with third-party services (Google Calendar) stored securely via Supabase Vault.

3.2 End Client Data (processed on behalf of the Professional)

As Data Processor on behalf of Professionals, we process:

• WhatsApp phone number and profile name
• Content of conversations with the AI virtual assistant
• Appointments and related information
• Communication metadata (timestamp, message delivery status)

4. Purposes and Legal Bases for Processing

4.1 For User Data (Professionals)

Contract performance (Art. 6.1.b GDPR)

Account registration and management, provision of AI virtual secretary service, management of integrations (WhatsApp, Google Calendar), technical assistance and support.

Legal obligations (Art. 6.1.c GDPR)

Tax and accounting compliance, mandatory document retention, response to requests from competent authorities.

Legitimate interest (Art. 6.1.f GDPR)

Fraud prevention and Platform security, service improvement through aggregate and anonymized analysis, protection of rights in legal proceedings.

Consent (Art. 6.1.a GDPR)

Sending commercial communications about new features or services (newsletter), participation in surveys or market research. Consent may be withdrawn at any time.

4.2 For End Client Data

Processing of end client data is carried out exclusively on behalf of and under documented instructions from the Professional (Controller), for the purposes determined by them in the provision of their professional services.

5. Use of Artificial Intelligence

5.1 AI Act Notice

The virtual assistant is based on Google Vertex AI / Gemini technology and is classified as a limited-risk AI system. End users interacting via WhatsApp are explicitly informed, at first contact, that they are communicating with an artificial intelligence system.

5.2 AI Functionality

The AI system performs the following functions:

• Automatic response to frequently asked questions based on the Professional's knowledge base
• Appointment management and interaction with Google Calendar
• Collection of preliminary information for client requests
• Routing of complex requests to the Professional

5.3 Human Oversight

Pursuant to Art. 16 of Law 132/2025, artificial intelligence is a support tool and does not replace the judgment and responsibility of the Professional. Escalation to a human operator is always guaranteed, and the Professional maintains full oversight of significant interactions.

5.4 Automated Decisions

The AI system does not make decisions based solely on automated processing that produce legal effects or significantly affect data subjects under Art. 22 GDPR. The activities performed (appointment management, informative responses) do not constitute automated decisions relevant for GDPR purposes.

6. Data Recipients

6.1 Categories of Recipients

Personal data may be disclosed to:

• Authorized personnel: employees and collaborators of the Controller, duly instructed and bound by confidentiality.
• IT service providers: entities providing technical services for Platform operation, appointed as Data Processors.
• Competent authorities: when required by law or to protect the Controller's rights.

6.2 Sub-processors

For the provision of the Service, we use the following sub-processors:

• Meta Platforms Ireland Ltd / WhatsApp Ireland Ltd (Ireland/USA) - WhatsApp Business API messaging service
• Google Ireland Ltd / Google LLC (Ireland/USA) - Vertex AI and Google Calendar services
• Supabase Inc (USA/EU) - Database and cloud infrastructure (configured on EU region)

The updated list of sub-processors is available on request. Any changes will be communicated with at least 30 days notice, with the right to object.

7. Data Transfers to Third Countries

Some of our sub-processors are based in the United States. Data transfers to the USA are made based on the following safeguards:

• EU-US Data Privacy Framework: Meta Platforms Inc, WhatsApp LLC, and Google LLC are certified under the DPF, as per the European Commission's adequacy decision of July 10, 2023.
• Standard Contractual Clauses: For sub-processors not DPF certified (e.g., Supabase), Standard Contractual Clauses approved by the European Commission with Decision 2021/915 are in place.

The Supabase database is configured on EU region to minimize data transfers to third countries.

8. Retention Period

Personal data is retained for the following periods:

• Account data: for the duration of the contractual relationship and for 10 years thereafter for tax and legal obligations.
• WhatsApp conversations: retained according to the policies defined by the Professional (Controller), with a maximum period of 24 months unless otherwise documented.
• Access and security logs: 12 months for IT security purposes.
• Billing data: 10 years from the date of the transaction.
• Marketing consents: until consent is withdrawn and for 2 years thereafter for evidentiary purposes.

9. Data Subject Rights

Under Articles 15-22 of the GDPR, data subjects have the right to:

• Access (Art. 15): obtain confirmation of processing and a copy of personal data.
• Rectification (Art. 16): correct inaccurate data or complete incomplete data.
• Erasure (Art. 17): obtain erasure of data, within legal limits.
• Restriction (Art. 18): restrict processing in certain circumstances.
• Portability (Art. 20): receive data in structured format and transfer to another controller.
• Objection (Art. 21): object to processing based on legitimate interest.
• Withdrawal of consent (Art. 7): withdraw consent at any time, without affecting the lawfulness of prior processing.

10. Right to Lodge a Complaint

Data subjects have the right to lodge a complaint with the Data Protection Authority:

11. Security Measures

The Controller implements appropriate technical and organizational measures pursuant to Art. 32 GDPR, including:

• Multi-tenant isolation: Row Level Security (RLS) in Supabase to ensure complete data separation between different Professionals.
• Encryption: data encryption at rest (AES-256) and in transit (TLS 1.2+).
• Access control: multi-factor authentication (MFA), Role-Based Access Control (RBAC), principle of least privilege.
• Secure secret management: storage of OAuth tokens via Supabase Vault with dedicated encryption.
• Audit logging: recording of all access to personal data with 12-month retention.
• Incident response procedures: structured plan for data breach management with notification within 72 hours.

12. Data Protection Impact Assessment (DPIA)

The Controller has conducted a Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR, considering the use of new technologies (AI), potentially large-scale processing, and transfers to third countries. The DPIA is available on request to supervisory authorities.

13. Cookies and Similar Technologies

The Platform website uses technical cookies necessary for operation and, subject to consent, analytical cookies to improve user experience. For detailed information, please refer to the Cookie Policy available on the website.

14. Changes to Privacy Policy

The Controller reserves the right to modify this Privacy Policy at any time. Changes will be communicated via email and/or publication on the Platform website. The date of the last update is indicated at the top of the document. Continued use of the Service after publication of changes constitutes acceptance thereof.

15. Contacts

For any questions regarding this Privacy Policy or personal data processing: