Login Register

Privacy Notice

Version: 1.2 Effective: 27/01/2026

Privacy Notice
Version: 1.2
Last updated: 27 January 2026
Data Controller (for processing carried out under the Provider’s responsibility): Paolo Valter Caroli (VAT No. 03809550134)
Address: Via Malpensata, 21 – 23900 Lecco (LC), Italy
Trade name: AIsapiens
Privacy contact: privacy@aisapiens.ai
Legal contact: legal@aisapiens.ai
Support/Security contact: info@aisapiens.ai
DPO: info@aisapiens.ai

1. Purpose of this notice and scope of application

This Privacy Notice describes how AIsapiens processes personal data when you:

  • browse or use the AIsapiens web services and application (the “Platform”);
  • create and manage an account;
  • use document-processing, AI/LLM, and communications-management features (email/WhatsApp/audio/upload);
  • purchase credits or make payments via Stripe;
  • contact support or assistance.

This notice does not replace any specific agreements for Business Customers (e.g., the DPA — Data Processing Agreement) governing processing carried out on behalf of an Organization.

2. Privacy roles: when AIsapiens is Controller and when it is Processor

2.1 Processing where AIsapiens acts as Controller

AIsapiens acts as a Controller for data necessary to:

  • create and manage the account (e.g., email, credentials, access logs);
  • manage security, prevent abuse, and perform audit and monitoring of the Platform;
  • manage payments and invoicing, within the limits of data received from payment providers;
  • respond to support requests and send administrative/operational communications;
  • comply with legal obligations and defend rights.

In such cases, the contacts and rights set out in this Notice (Section 12) apply directly vis-à-vis AIsapiens.

2.2 Processing where AIsapiens acts as Processor (Business Customers / Organizations)

When an Organization uses the Platform to process documents and communications containing personal data (e.g., invoices containing names, customer/supplier emails, WhatsApp messages), the Organization is typically the Controller and AIsapiens acts as Processor, processing data on the Organization’s instructions and under the relevant DPA.

In such cases, to exercise privacy rights relating to content and processing “on behalf of” the Organization, the data subject should normally contact the Controller (the Organization).

3. Categories of personal data processed

Data categories vary depending on enabled features and configured integrations.

3.1 Account and identification data

  • email address (used for authentication);
  • optional name/role (if provided);
  • membership in Organizations and permissions/roles;
  • access and security logs (timestamps, relevant events, IP addresses, session identifiers).

3.2 Uploaded or imported content (“Customer Content”)

  • uploaded documents (PDFs, images, scans, attachments), including invoices and product sheets;
  • text and prompts entered into chat/AI agents;
  • audio files and related transcriptions (if the feature is enabled);
  • derived content: extracted text, structured fields, classifications, summaries, AI-generated outputs.

Such content may include personal data and, in some cases, special categories of data, depending on what the user uploads.

3.3 Data from communications integrations

  • Email (IMAP): headers, message bodies, attachments, and metadata, if the user/Organization connects an inbox using credentials provided by the Customer;
  • WhatsApp: messages and attachments handled through integration with Meta, if enabled;
  • conversation classification and routing data;
  • any suggested or automatically sent replies (depending on configuration).

3.4 Usage, log, and audit data

  • system and audit logs (user actions, application events, errors);
  • application and feature usage logs (including for measuring consumption/credits);
  • “run status”/process logs (e.g., extraction/OCR results);
  • API key usage logs (if any) and verification attempts.

3.5 Payment data (via Stripe)

Payments are processed by Stripe. AIsapiens may receive payment-related metadata (e.g., transaction outcome, identifiers, subscription/credit status). Full payment method details (e.g., card number) are processed by Stripe.

3.6 Cookies and similar technologies

Cookies and/or local storage may be used for Platform operation (see Section 11).

4. Purposes of processing

AIsapiens processes data for:

4.1 Provision of the Services

  • document processing (OCR, extraction, classification, analysis);
  • management and automation of communications (email/WhatsApp/audio/upload);
  • generation of AI outputs (e.g., extracted fields, summaries, replies).

4.2 Account and access management

  • authentication, session management, roles and permissions;
  • administration of Organizations and users.

4.3 Security and abuse prevention

  • account protection, rate limiting, audit logging, investigation of anomalies;
  • safeguarding the integrity of the Platform and data.

4.4 Consumption measurement, credits, and reporting

  • counting and reporting of credit-based activities;
  • user/Organization data export (XLSX, JSON, ZIP) and export lifecycle management.

4.5 Support and operational communications

  • handling support requests and service-related communications.

4.6 Legal obligations and protection of rights

  • applicable compliance obligations, handling disputes, and legal defence.

5. Legal basis (GDPR, where applicable)

When AIsapiens acts as Controller, typical legal bases include:

  • Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR): account creation, provision of purchased services, credit/plan management.
  • Legitimate interests (Art. 6(1)(f) GDPR): security, fraud/abuse prevention, reliability improvements, defence of rights.
  • Legal obligation (Art. 6(1)(c) GDPR): applicable compliance requirements.
  • Consent (Art. 6(1)(a) GDPR): where required (typically for non-essential cookies or specific communications).

When AIsapiens acts as Processor for an Organization, the legal basis is determined by the Controller (the Organization).

6. Automated communications and automated processing

The Platform may:

  • classify communications;
  • suggest or send replies (e.g., ORA), depending on the Organization/User configuration.

These processes are operational support tools. The User/Organization is responsible for configuring any human review mechanisms and for verifying outputs before external use, especially where they may produce significant effects on third parties.

7. Data sharing and recipients

AIsapiens may share personal data with:

7.1 Suppliers and third-party services (based on enabled features)

  • OpenAI: AI/LLM processing (text, prompts, documents/extracted texts, audio transcriptions if enabled).
  • Google Cloud Vision: OCR/text extraction from files.
  • Docling: OCR/text extraction from files.
  • Mistral: OCR/text extraction from files.
  • Meta (WhatsApp): WhatsApp channel management and message delivery/receipt.
  • Stripe: payment processing and transaction management.
  • Inmotion: email delivery services (e.g., sending service communications).

7.2 Infrastructure and hosting (EU)

The Platform is hosted in the EU. In particular, the primary infrastructure (application, database, file storage, and Qdrant) is hosted in Germany with Contabo. Contabo may process data as an infrastructure provider (e.g., server storage, networking, and infrastructure-level system logging).

7.3 Advisors, legal obligations, and protection of rights

Data may be disclosed to advisors (e.g., legal/accounting) and competent authorities where required by law or to defend rights.

8. International transfers

AIsapiens hosts its primary infrastructure in the EU (Germany). However, use of certain third-party providers may involve processing and/or transfers of personal data to countries outside the EEA/UK/CH, depending on their architecture and enabled features.

8.1 AI/LLM processing in the United States (OpenAI)

For AI/LLM functionalities provided through OpenAI, queries to LLM models take place in the United States. Consequently, use of such functionalities may involve transfers of personal data to the USA (limited to the data sent for the specific requested processing, such as prompts/text and portions of content necessary for the function).

8.2 Safeguards for transfers (where required)

Where a transfer is made to a country outside the EEA/UK/CH not covered by an adequacy decision, AIsapiens adopts appropriate safeguards pursuant to Art. 46 GDPR, typically through:

  • Standard Contractual Clauses (SCCs) adopted by Decision (EU) 2021/914; and
  • reasonable and proportionate supplementary measures (e.g., minimization of transferred data, encryption in transit, access controls, multi-tenant segregation, logging/audit), where required by the context.

Where the transfer recipient effectively falls within the scope of an applicable adequacy decision (e.g., the EU–US Data Privacy Framework), the transfer may rely on such adequacy, within the applicable scope.

For processing carried out on behalf of Business Customers, transfer rules and safeguards are further specified in the relevant DPA.

9. Information security

AIsapiens applies reasonable technical and organizational measures, including (in summary):

9.1 Encryption in transit

  • encryption of traffic between client and Platform via TLS (at least TLS 1.2+);
  • session cookies and CSRF set as “secure” in production.

9.2 Encryption at rest and data protection

  • Database: protection measures are adopted at the infrastructure level and, for certain sensitive data, application-level encryption is available (e.g., credentials/keys via symmetric encryption).
  • Files: uploaded files are stored on a file system (paths segregated by organization/user). Application-level file encryption is not currently applied; at-rest protection depends on operating system and infrastructure provider measures.

9.3 Access controls and logging

  • logical segregation by Organization and authorization controls;
  • logging and audit of events and user actions;
  • protections against abuse (e.g., login attempt limiting).

No measure can guarantee absolute security; security also depends on proper credential management by users and/or the Organization.

10. Data retention

AIsapiens retains data for as long as necessary for the stated purposes and according to settings and technical limits. Main principles and periods:

10.1 Documents

  • temporary raw uploads (processing files): approx. 24 hours (processing purpose);
  • derived data and processed content: according to the Organization’s configurations and application logic (in particular for active modules).

10.2 Communications

  • default communications retention: 365 days, with organization-level configurability (if enabled).

10.3 Logs and audit

  • system/audit logs: 90 days (configurable at organization level);
  • usage logs: typically 365 days (with possible extended retention for reporting needs);
  • run status logs: 7 days;
  • verification attempts: 30 days.

10.4 Data exports

  • export files (XLSX/JSON/ZIP) generated upon request: retained for 10 days, then automatically deleted.

10.5 Service termination / account closure

  • upon termination of the relationship or account deactivation, AIsapiens deletes or renders inaccessible operational data within 90 days, except for legal obligations or technical necessities;
  • backups: may persist for up to 90 days before being overwritten/deleted.

11. Cookies and similar technologies

The Platform may use:

  • essential cookies/technologies: necessary for authentication, session, security, and minimal preferences;
  • any third-party cookies related to payments or integrated services (e.g., checkout/payment management components).

AIsapiens does not currently use external analytics/monitoring providers such as Sentry/Datadog. If non-essential cookies (e.g., analytics/marketing) are introduced in the future, consent will be requested where required by applicable law.

12. Data subject rights

If the GDPR or equivalent legislation applies, you may exercise the rights provided (within the limits and conditions of the law), including:

  • access to data;
  • rectification;
  • erasure;
  • restriction;
  • portability;
  • objection (where applicable);
  • lodging a complaint with the competent supervisory authority (in Italy: the Italian Data Protection Authority — Garante per la protezione dei dati personali).

12.1 How to exercise your rights

  • Users of an Organization (Business Customer): requests should normally be addressed to the Controller (the Organization); AIsapiens will assist the Organization within the limits of its Processor role.
  • Users for whom AIsapiens is the Controller: you may write to privacy@aisapiens.ai.

AIsapiens may request reasonable information to verify the requester’s identity and prevent unauthorized access.

13. Minors

The Services are not intended for minors. Purchases are permitted only for individuals aged 18 or older.

14. Communications, email, and WhatsApp: Customer responsibilities and lawful bases

For features that process communications (IMAP/WhatsApp/audio), the User/Organization represents that it has authority and a legal basis to:

  • access and process contents of email inboxes connected via credentials provided by the Customer;
  • process and automate WhatsApp messages via Meta;
  • process audio and transcriptions (including use of third-party AI services for transcription, where enabled);
  • configure any automatic sending/replies in compliance with applicable laws and channel policies.

15. Changes to this notice

AIsapiens may update this Privacy Notice for legal or technical reasons or to reflect evolution of the Services. In the event of material changes, AIsapiens will provide notice by email with reasonable advance notice where applicable.

16. Contacts

For privacy questions or requests: privacy@aisapiens.ai
For security reports: info@aisapiens.ai
For legal communications: legal@aisapiens.ai