Privacy Policy

Effective Date: October 26, 2025

1. Introduction and Scope

Nube Solutions S.r.l. ("Nube," "we," "us," or "our"), headquartered in Milano, Italy, is dedicated to upholding the highest standards of data protection. This Privacy Policy details the processes by which we collect, utilize, and manage personal data collected from individuals who use our AI Messenger Chatbot and related services.

This policy is fully compliant with the European Union's General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). By accessing or using our services, you acknowledge and agree to the terms described herein.

2. Data Controller and Contact Information

For the purposes of the GDPR, Nube Solutions S.r.l. is the Data Controller of your Personal Data.

Nube Solutions S.r.l.

Address: Via della Conciliazione, 10, 20123 Milano, Italy

DPO Email: privacy@nube.ai

3. Types of Data Collected and Purpose

• Interaction and Chat Data: This includes the text, links, sentiment data, and metadata from conversations with the Nube Chatbot.

  Purpose: To provide the requested service, execute API integrations (like order lookup), train and continuously improve the underlying AI models, and generate summarized conversational reports for our business clients. This data is processed based on contractual necessity and legitimate interest for service optimization.

• Usage and Technical Data: Information automatically collected regarding access, such as IP address, device IDs, browser type, operating system, pages visited, timestamps, and error logs.

  Purpose: Service maintenance, security monitoring (e.g., detecting denial-of-service attacks), performance analytics, and technical troubleshooting. Processed based on legitimate interest.

• Client and Billing Data: For our corporate customers, we collect business contact details (name, job title, company address, email, phone number) and billing information.

  Purpose: Account setup, contractual fulfillment, invoicing, and service notifications. Processed based on contractual necessity.

4. Legal Basis for Processing (GDPR Article 6)

We process your Personal Data only when we have a legal basis to do so:

• **Contractual Necessity:** Processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract (e.g., providing the Chatbot service).
• **Legitimate Interest:** Processing is necessary for the purposes of the legitimate interests pursued by Nube or by a third party (e.g., improving the AI model, security, fraud prevention), except where such interests are overridden by your interests or fundamental rights.
• **Legal Obligation:** Processing is necessary for compliance with a legal obligation to which Nube is subject.
• **Consent:** In limited cases, we may rely on your explicit consent for specific processing activities, which you can withdraw at any time.

5. Data Sharing and Disclosure

We may share your Personal Data with the following categories of recipients:

• **Service Providers:** Third-party companies that perform services on our behalf, such as hosting, data analysis, and payment processing. These providers are bound by strict contractual obligations to keep data confidential and secure.
• **Business Clients:** We share aggregated or anonymized conversation data with the Nube business client whose chatbot you interacted with for their own analytics and business operations.
• **Legal Compliance:** When required by law or in response to valid requests by public authorities (e.g., a court order or government agency).

6. International Data Transfers

As Nube is based in Italy (EEA), the collection, processing, and storage of data are primarily within the European Union. However, our Chatbot services rely on global cloud infrastructure and may involve transferring data to locations outside the EEA (e.g., the United States).

When transferring Personal Data outside the EEA, we ensure a similar degree of protection is afforded by implementing appropriate safeguards, such as reliance on adequacy decisions (e.g., EU-U.S. Data Privacy Framework) or implementing Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Security and Retention

We have implemented robust technical and organizational measures, including encryption, access controls, and regular security audits, to protect your Personal Data from accidental loss, unauthorized access, misuse, alteration, or disclosure.

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including for satisfying any legal, accounting, or reporting requirements. Generally, conversation logs are anonymized within 90 days and retained only in aggregated form for model improvement. Client Data is retained for the duration of the contractual relationship plus a period necessary to comply with legal record-keeping obligations.

8. Your Data Protection Rights (GDPR)

Under the GDPR, you have the right to:

• **Right of Access (Article 15):** Request a copy of the data we hold about you.
• **Right to Rectification (Article 16):** Request correction of inaccurate or incomplete data.
• **Right to Erasure (Article 17):** Request the deletion of your Personal Data (the 'right to be forgotten').
• **Right to Restriction of Processing (Article 18):** Request that we temporarily stop processing your data.
• **Right to Data Portability (Article 20):** Request your data be transferred to another controller in a structured, commonly used, and machine-readable format.
• **Right to Object (Article 21):** Object to processing based on legitimate interest or direct marketing.

To exercise any of these rights, please submit your request to our DPO using the contact information provided in Section 2. We will respond within one month of receiving your request.

9. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy periodically. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top of the policy.