Privacy Policy

Last updated: 2026-03-01

1. Data Controller

Giovanni Montanaro — B2B Ecosystems (ATECO 70.20.09)
VAT: IT03470280730
Registered Office: Marina di Ginosa (TA), 74025
Email: ops@giovannimontanaro.me

2. Data Collected & Information Flows

The Controller collects the following data to provide digital infrastructures and initial Assessments (Triage):

  • Contact and Booking Forms: Name, corporate email, VAT number (for B2B validation via VIES API) and role.
  • Sandbox Infrastructure (Upload Area): Files uploaded by the user (e.g., test PDFs or mock statements used to probe the Audit Triage). Please note: documents are processed in memory (RAM) via OCR, transcribed, compiled by the AI, and instantly destroyed at the end of the session. They are not saved on any persistent database to protect your industrial security.
  • Tracking and Analytics: Online identifiers (Anonymized IP, User Agent), technical session cookies, aggregate statistics tags (Google Tag Manager, PostHog), and Retargeting Audience Pixels (LinkedIn/Meta B2B).

3. Purposes and Legal Basis

We process data based on the following legal grounds (Arts. 6 & 9 GDPR):

  • Execution of Pre-contractual Measures (Lit. B): Technical analysis of PDFs uploaded in the Sandboxes initiated explicitly by the user to demonstrate the architecture's capabilities. Scheduling diagnostic video calls.
  • Legitimate Interest (Lit. F): Anti-spam protection of the APIs, rate-limiting against DDoS attacks, and banning for prompt injection. Delivery of technical cookies (e.g., NEXT_LOCALE for languages).
  • Consent (Lit. A): Proactive responses in the AI Chatbot, execution of tracking or analytical marketing scripts (GTM/Meta/PostHog) accepted via banner.

4. Data Processors and Extra-EU Transfer (DPF)

To scale automations, data is routed through the infrastructures of the following Sub-Processors (Data Processors pursuant to Art. 28 GDPR). As these are companies with servers across the EU and USA, every transfer is covered by the EU-US Data Privacy Framework (DPF) or ironclad Standard Contractual Clauses (SCCs):

  • Vercel & Cloudflare: Edge caching, WAF, and hosting of the Next.js application.
  • OpenAI: Engine for the Virtual Assistant and collator for the Audit Triage. In accordance with OpenAI's Enterprise Data Policies, your data and uploaded PDFs are NOT and will NEVER be used to train public language models (Zero Data Retention for training).
  • Meta Platforms (WhatsApp Cloud API): Delivery of transactional messaging and operational notifications to the provided number.
  • Google LLC (Tag Manager): Injection of traffic analysis scripts.

5. Retention and Security

Navigation data and temporary logs are cyclically purged. Data collected from the Contact Form and machine computation logs are retained for a maximum of 24 months. To protect Trade Secrets, a PDF uploaded into the "Sandbox" undergoes OCR data extraction and is deleted from temporary storage the exact moment the screen displays the diagnostic outcome.

6. Data Subject Rights (Arts. 15-22 GDPR)

As an EU user, you have the absolute right to: access your data, request erasure (the right to be forgotten), restrict processing, export your data in a machine-readable format, and object to automated decision-making. To exercise these rights, send an email to ops@giovannimontanaro.me. You also always have the right to lodge a formal complaint with the Italian Privacy Guarantor.