Privacy Policy
Last updated: 9 April 2026
1. Data Controller
The Data Controller is IKIweb Internet Media s.r.l., based in Italy — VAT IT02848390122 (hereinafter “the Company”, “we” or “our”).
For any request concerning the processing of personal data you can contact us at: info@ikiweb.it.
2. Scope
This Privacy Policy applies to the website ikibrain.ai, the application platform app.ikibrain.ai, the widget that can be embedded into Customers’ websites and any related service provided by IKIbrain.
IKIbrain is a service intended for professionals and businesses. By using the Service, the user declares that they are acting in the course of their professional or business activity.
By using the Service, the user consents to the collection and use of data as described in this notice. Data collected is used solely to provide and improve the Service.
3. Definitions
- Personal Data: any information relating to an identified or identifiable natural person.
- Usage Data: data automatically collected during the use of the Service (e.g. IP address, pages visited, session duration).
- Cookies: small text files stored on the user’s device.
- Data Controller: the natural or legal person who determines the purposes and means of processing Personal Data (the Company).
- Data Processor: a natural or legal person who processes Personal Data on behalf of the Controller.
- Data Subject: the natural person to whom the Personal Data relates.
- Customer: the professional or business that uses the IKIbrain Service.
- Visitor: the end user who interacts with the IKIbrain chatbot embedded in the Customer’s website.
4. Data collected
4.1 Data provided by the Customer
During activation and use of the Service, we collect:
- Contact person’s name and surname
- Email address
- Company name and VAT ID
- Billing details
- Content uploaded for chatbot training (web pages, documents, FAQs, texts)
4.2 Usage data
We automatically collect technical data while you use the Service:
- IP address
- Browser type and version
- Pages visited and time spent
- Date and time of access
- Unique device identifiers
- Diagnostic data
4.3 Conversation data (widget)
When a Visitor interacts with the IKIbrain chatbot embedded in the Customer’s site, we collect:
- Text of the messages exchanged in the conversation
- Date, time and duration of the conversation
- Visitor’s IP address (in anonymised form)
- Information about the Visitor’s device and browser
- Any personal data voluntarily provided by the Visitor in the chat (name, email, phone)
Important note: the Customer is responsible for informing their Visitors about the presence of the chatbot and the processing of data through their own privacy notice compliant with applicable regulations.
4.4 Cookies and tracking technologies
We use cookies and similar technologies for the operation of the Service, the storage of preferences and the analysis of usage.
Types of cookies used:
- Technical (necessary) cookies: essential for the operation of the Service, authentication and security.
- Preference cookies: store user settings and preferences.
- Analytics cookies: collect aggregated data on the use of the Service to improve its features.
The user can manage cookie preferences through their browser settings. Disabling some cookies may impair the functioning of the Service.
5. Purposes of processing
Personal Data is processed for the following purposes:
- Service delivery: account creation and management, chatbot configuration, processing of conversations through artificial intelligence.
- Contract management: billing, payments, subscription management, contract-related communications.
- Service improvement: usage analysis, identification of technical issues, development of new features.
- Service communications: technical notifications, updates, security alerts, operational communications.
- Marketing communications: information on new features, offers and related services (subject to consent or on the basis of legitimate interest for similar services).
- Legal obligations: compliance with tax, accounting and regulatory obligations.
- Protection of rights: prevention of fraud, abuse and breaches of the Terms of Service.
6. Legal basis for processing
Processing of Personal Data is based on the following legal grounds (art. 6 GDPR):
- Performance of the contract: data is necessary to deliver the Service the Customer has signed up for.
- Legal obligation: compliance with tax and regulatory obligations.
- Legitimate interest: Service improvement, fraud prevention, marketing communications about similar services.
- Consent: for specific marketing activities, where required by applicable law.
7. Data retention
Personal Data is retained only for as long as necessary to achieve the purposes for which it was collected:
- Account data: for the duration of the contractual relationship and for 60 days after account deletion, to allow possible export.
- Billing data: for 10 years from the date of the operation, as required by Italian tax law.
- Training content (knowledge base): for the duration of the subscription. Upon termination, content and related vector indexes are deleted within 60 days.
- Conversation data: for the duration of the subscription. Upon termination, data is deleted within 45 days, unless otherwise requested by the Customer.
- Usage and analytics data: in aggregated and anonymised form, with no time limit.
8. Sharing and transfer of data
8.1 Recipients of data
Personal Data may be disclosed to:
- Authorised personnel of the Company, within the scope of their duties
- Third-party service providers (sub-processors) acting on behalf of the Company, bound by data processing agreements (DPA)
- Competent authorities, where required by law
8.2 Sub-processors
The Service relies on the following third-party providers to deliver its features:
| Provider | Purpose | Location |
|---|---|---|
| OpenAI | AI processing (language models) | USA |
| Mistral AI | AI processing (document OCR) | EU / France |
| Cloudflare | CDN, security and DNS | USA |
| Qdrant | Vector database (semantic search) | EU |
The updated list of sub-processors is available on request by contacting info@ikiweb.it.
AI providers’ data handling: content uploaded to the knowledge base and conversation data processed through the OpenAI and Mistral AI APIs is not used by these providers to train their artificial intelligence models, in accordance with their respective commercial API policies. Data may be retained by the providers for a limited period solely for anti-abuse monitoring, according to applicable contractual terms.
8.3 Transfer of data outside the EU
Some of our providers are based in the United States or in other countries outside the European Economic Area (EEA). In such cases, data transfer takes place on the basis of:
- European Commission adequacy decisions (e.g. EU-US Data Privacy Framework)
- Standard Contractual Clauses (SCC) approved by the European Commission
- Other appropriate safeguards provided for by the GDPR (art. 46)
9. Roles in data processing
9.1 IKIweb as Controller
For Customer data (activation, billing, use of the IKIbrain platform), the Company acts as Data Controller.
9.2 IKIweb as Processor
For Visitor data interacting with the IKIbrain chatbot embedded in the Customer’s site, the Company acts as Data Processor on behalf of the Customer, who remains Data Controller.
The relationship between IKIweb (Processor) and the Customer (Controller) is governed by a Data Processing Agreement (DPA), available on request.
The Customer is responsible for:
- Informing their Visitors about the processing of data through the chatbot
- Collecting any necessary consents
- Updating their privacy notice to include reference to IKIweb as sub-processor
10. Data subject rights (GDPR)
Pursuant to Regulation (EU) 2016/679 (GDPR), the data subject has the right to:
- Access (art. 15): obtain confirmation of the existence of processing and access their Personal Data.
- Rectification (art. 16): obtain the correction of inaccurate data or completion of incomplete data.
- Erasure (art. 17): obtain the erasure of their data, in the cases provided for by law.
- Restriction (art. 18): obtain restriction of processing in certain cases.
- Portability (art. 20): receive their data in a structured, commonly used and machine-readable format.
- Objection (art. 21): object to processing for legitimate reasons, including processing for direct marketing purposes.
- Withdrawal of consent: withdraw consent at any time, without affecting the lawfulness of processing based on consent given before withdrawal.
To exercise their rights, the data subject can contact us at info@ikiweb.it. We will respond within 30 days of receiving the request.
The data subject also has the right to lodge a complaint with the competent supervisory authority: the Italian Data Protection Authority (www.garanteprivacy.it).
11. Data security
We adopt appropriate technical and organisational measures to protect Personal Data from unauthorised access, loss, destruction or alteration, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Role-based access control
- Secure authentication, with the option to enable two-factor authentication (2FA)
- Protection against unauthorised access attempts (automatic account lockout after repeated failed login attempts)
- Regular and redundant backups
- Continuous infrastructure monitoring
No electronic transmission or storage system can guarantee absolute security. Nevertheless, we are committed to adopting industry best practices to protect our Customers’ data.
12. Payment data
The Service does not support online payments. Activation of the Service follows direct contact with the Customer and issuance of a dedicated quote.
Payments are made by bank transfer based on the invoice issued by the Company. The Customer’s bank details and billing data are used solely for accounting, tax and contractual management purposes.
We do not collect or store credit card numbers or payment credentials on our systems.
13. Links to third-party sites
The Service may contain links to websites or services not operated by us. We have no control over the content, privacy policies or practices of such sites. We recommend reviewing the privacy notice of each site visited.
14. Minors
The Service is intended for professionals and businesses and is not directed to minors under the age of 18. We do not knowingly collect Personal Data from minors. Should we become aware of having collected data from a minor, we will promptly delete it.
15. Changes to the Privacy Policy
We reserve the right to update this Privacy Policy from time to time. Changes will be published on this page with an updated “Last updated” date.
For substantial changes, we will inform Customers via email or platform notification.
Continued use of the Service after the changes are published constitutes acceptance of the updated Privacy Policy.
16. Contacts
For any questions regarding this Privacy Policy or the processing of personal data:
- Data Controller: IKIweb Internet Media s.r.l. — VAT IT02848390122
- Email: info@ikiweb.it
- Web: www.ikiweb.it