This notice describes how the personal data of Users of the website dallamaga.com ("the Service") is processed, pursuant to Articles 13 and 14 of the GDPR (Regulation (EU) 2016/679) and Italian Legislative Decree 196/2003 (the Italian Privacy Code), as amended by Legislative Decree 101/2018. The Service is offered on an anonymous basis: there is no user account, no registration and no profiling.
To protect the privacy of the business owner, the owner's full name and surname and the full address of the registered office are always available upon request by writing to the email address [email protected]. Requests are answered promptly.
The Service is designed to minimise the collection of personal data (the principle of data minimisation under Article 5(1)(c) GDPR). Only the following categories are processed:
IP address, browser user-agent, operating system type and version, language setting, access timestamps, pages visited, HTTP referer. This data is collected automatically by the IT systems for the proper operation of the Service, for aggregate statistical purposes and for security purposes (abuse detection, anti-fraud, anti-bot).
Technical session identifier (an ephemeral token stored client-side), Sibyl selected, interaction mode (voice/text), session start and end timestamps, remaining duration of purchased credit.
Text typed by the User, voice transcription (in voice mode), responses generated by the artificial intelligence, symbolic cards drawn. Such content is processed in real time and handled exclusively for the time strictly necessary to generate the response. For details on retention periods, see Section 03.
In voice mode, starting the session requires the browser's authorisation to access the microphone. The captured audio stream is transmitted in real time, in encrypted form, to the artificial intelligence providers for the sole purposes of speech-to-text (real-time automatic transcription) and text-to-speech (synthesis of the voice response).
The User's voice is processed exclusively for the purposes indicated above and is not used to uniquely identify the User: consequently, pursuant to Article 4(14) GDPR and EDPB Guidelines 3/2019, it does not constitute biometric data and does not fall within the special categories of data under Article 9 GDPR. The audio stream is not recorded, retained, archived or used to train voice models, nor for profiling purposes.
Due to the inherent way microphones work, the stream may capture background noise, voices of third parties present, ringtones or audio content from other devices. Such content, where unintentionally captured, is processed under the same ephemeral logic applied to the User's voice. Responsibility for its lawfulness (consent of any third parties present) rests exclusively with the User, in accordance with the Terms of Service.
Billing email (optional, provided when purchasing a package), package purchased, amount, Stripe transaction identifier, payment outcome. Payment card data does not pass through the Data Controller's servers: it is collected, stored and processed directly by Stripe Payments Europe Limited acting as an independent data controller.
In the event of a request for an electronic invoice: business name or full name, tax code and/or VAT number, recipient code or certified email (PEC), billing address.
Emails sent by the User to [email protected]: content of the message, any attachments, sender's email address.
Data that the Data Controller does NOT collect and does NOT wish to receive. The Service does not request and does not wish to receive special categories of data within the meaning of Article 9 GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation), nor data relating to criminal convictions or offences (Article 10 GDPR). The User is urged not to share such information during the sessions; in any event, the ephemeral nature of the processing (see Section 03) ensures that any contact of the Data Controller with such data ceases rapidly.
The data collected is processed for the following purposes, each based on a specific legal basis under Article 6 GDPR:
The provision of the data strictly necessary for the delivery of the Service is mandatory: refusal makes it impossible to use the Service. The provision of data relating to electronic invoicing is optional, unless expressly requested by the User.
Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected, subject to the following maximum periods:
Once these periods have expired, the data is deleted or irreversibly anonymised.
The Service is designed in accordance with the principle of privacy by design (Article 25 GDPR), so as to structurally minimise the retention of conversation content:
This architecture has an important consequence for the User: it is not possible to retrieve the content of a past session. Users who wish to keep a record of their session are invited to save a copy themselves during the session (screenshot or manual transcription), in compliance with the provisions of Section 9 of the Terms of Service on the intellectual property of the generated content.
This design choice is motivated by the fact that conversations with the Sibyls may touch on personal and intimate topics: structural non-retention guarantees the User the greatest possible confidentiality, well beyond what the law strictly requires.
To deliver the Service, the Data Controller relies on qualified third parties acting as data processors (Article 28 GDPR) or as independent data controllers, each governed by a specific agreement (Data Processing Agreement or equivalent). The sub-processors used as at the date of this version are:
Role: electronic payment processing.
Location: Ireland (European Union).
Status: independent data controller for payment data under its own privacy policy.
Role: generation of text and voice responses from the User's inputs.
Location: United States of America (outside the European Union).
Status: data processors under Article 28 GDPR for data transmitted via commercial API.
The Data Controller selects providers which, as at the date of this version, state in their terms applicable to the commercial API channel: (a) that they do not use the inputs and outputs transmitted to train their models; (b) that they apply limited technical data retention policies aimed exclusively at service security; (c) that they ensure GDPR compliance through Standard Contractual Clauses approved by the European Commission.
The up-to-date list of AI providers currently used is available upon request by writing to [email protected]. The Data Controller periodically verifies that the conditions referred to above continue to be met.
Role: CDN, DDoS protection, network optimisation, DNS.
Location: United States of America.
Transfer outside the EU: Standard Contractual Clauses pursuant to Article 46 GDPR; Cloudflare's Data Processing Addendum applies automatically.
Role: hosting of the Service's application servers.
Location: European Union (Italy — Milan datacenter).
Status: data processor under Article 28 GDPR.
The Data Controller reserves the right to change, replace or add sub-processors, giving prior notice through an update to this policy with at least 30 days' notice in the event of substantial changes. Users who object on reasonable grounds to a new sub-processor may request the termination of the Service and a refund of the unused remaining credit.
Some sub-processors (Cloudflare, artificial intelligence providers) are based in the United States of America, a country outside the European Economic Area. The transfer of personal data to such parties takes place on the basis of the following safeguards under Chapter V GDPR:
Particular attention is paid to the artificial intelligence providers, whose terms applicable to the commercial API channel as at the date of this version expressly provide that the data transmitted (inputs and outputs, both text and voice) is not used to train their models, unless the customer expressly opts in. The Data Controller has not given and will not give such opt-in for the Service. Technical retention of prompts by the AI providers is limited to short periods aimed exclusively at service security and abuse detection.
Voice-mode sessions involve the real-time transmission of audio streams to the artificial intelligence providers based in the United States. This transfer takes place in encrypted form (TLS 1.2 or higher), with the same legal safeguards provided for text data (Standard Contractual Clauses under Article 46 GDPR and, where applicable, the Data Privacy Framework). The audio stream is processed in streaming: neither the incoming nor the outgoing audio file is retained by the providers beyond the time strictly necessary for the speech-to-text and text-to-speech service, as stated in their applicable policies.
The User may obtain a copy of the safeguards applied (Standard Contractual Clauses, attestations of participation in the Data Privacy Framework) by writing to [email protected].
The Service uses exclusively technical cookies and equivalent technologies (sessionStorage, localStorage) strictly necessary for the operation of the website and the delivery of the Service requested by the User. For such cookies, pursuant to Article 122 of Italian Legislative Decree 196/2003 and the guidelines of the Italian Data Protection Authority (Garante) of 10 June 2021, the User's prior consent is not required.
The Service does not use profiling cookies, advertising cookies, third-party tracking cookies or marketing pixels. There is no third-party analytics tracker requiring consent.
Using voice mode requires the browser's authorisation to access the microphone. This authorisation is managed directly by the User's operating system and browser, which display a native prompt on first use. The Data Controller has no access to the microphone outside a voice session expressly started by the User. The permission can be revoked at any time from the browser's privacy settings ("Site permissions" section or equivalent).
The User may manage or delete cookies at any time through their browser settings. Disabling technical cookies may impair the operation of the Service.
The Data Controller adopts appropriate technical and organisational measures pursuant to Article 32 GDPR to ensure a level of security proportionate to the risk, including:
Despite the measures adopted, no IT system can be considered absolutely secure: in the event of a breach likely to result in a high risk to the rights and freedoms of data subjects, the Data Controller will make the notifications and communications required by Articles 33 and 34 GDPR.
The User, as a data subject under the GDPR, may exercise the following rights at any time and free of charge:
To exercise their rights, the User may write to [email protected] specifying: (a) the nature of the right being exercised; (b) the elements enabling their position as data subject to be identified (for example, the email address used for the purchase, the Stripe transaction identifier, the approximate date and time of the session). The Data Controller will respond within 30 days of receipt, extendable by a further 60 days in cases of particular complexity, informing the data subject of the extension.
Technical limit on the exercise of rights over conversations. Since the content of the readings is not retained (see Section 04), the Data Controller will be materially unable to provide a copy or erasure of such content after the end of the session, as it is no longer present in its systems. For the data that is retained (transactions, technical logs, email communications), the rights are fully exercisable within the statutory time limits.
The Service is reserved exclusively for individuals who have reached the age of majority under the applicable Italian law. The Data Controller does not knowingly collect personal data of minors.
Should the Data Controller become aware that an underage individual has used the Service by making untruthful declarations when accepting the Terms, it will promptly delete all data referable to that individual, without prejudice to the retention of the data strictly necessary to comply with legal obligations and for legal defence.
Parents or holders of parental responsibility who believe that their minor child has used the Service are invited to report this promptly to [email protected].
Users who believe that the processing of their personal data infringes the GDPR have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), in the manner and within the time limits set out in Article 77 GDPR and Italian Legislative Decree 196/2003.
Address: Piazza Venezia 11, 00187 Roma
Switchboard: +39 06 696771
Email: [email protected] — Certified email (PEC): [email protected]
Website: www.garanteprivacy.it
Users residing in another Member State of the European Union may lodge a complaint with the supervisory authority of their country of residence, of their place of work or of the place where the alleged infringement occurred. In particular: for France, the CNIL — Commission Nationale de l'Informatique et des Libertés (cnil.fr); for Germany, the data protection authority of the Land of residence or the BfDI (bfdi.bund.de). For the United Kingdom, users may contact the ICO — Information Commissioner's Office (ico.org.uk).
This Privacy Policy may be amended at any time to bring it into line with new regulatory requirements, the evolution of the Service or the introduction of new sub-processors. Amendments will be published on this page, indicating the date of entry into force and the new version.
In the event of substantial changes that significantly affect the rights of data subjects, the Data Controller will give notice by means of a prominent notice on the website at least 30 days before the changes take effect.
Users are invited to review this policy periodically in order to stay informed about how their data is processed.