Privacy Policy
Last updated: 25 July 2025
1. Who We Are
This Privacy Policy explains how GenComply S.r.l. ("we", "our", "us") collects, uses, and protects your personal data when you interact with our website and services.
- Company Name: GenComply S.r.l.
- Registered Office: Via Privata Beltrame Cristiani 5, 20162 Milan (MI), Italy
- Contact Email: [email protected]
- VAT number: IT14312740963
We act as the data controller under the EU GDPR and UK GDPR, and as a business under the California Consumer Privacy Act (CCPA).
2. What Data We Collect
We collect and process the following categories of data:
a. Data You Provide
- Contact Form Data: Name, email address, company name, job title, phone (optional), and message content.
- Assessment Inputs: Any information you submit to receive a personalized AI-driven assessment (e.g. compliance information, organizational details, internal practices).
b. Automatically Collected Data
- Device and Usage Information: IP address, browser type, operating system, referral URLs, interaction data (via cookies and analytics tools).
- Logs and diagnostic data from usage of the assessment engine.
3. How and Why We Use Your Data
Purpose | Legal Basis (EU/UK GDPR) | Justification (CCPA) |
---|---|---|
Responding to contact form queries | Legitimate interest / Pre-contractual measures | Business purpose |
Providing AI-driven assessments | Performance of a contract / Legitimate interest | Business purpose |
Improving our services | Legitimate interest | Business purpose |
Ensuring security and compliance | Legal obligation / Legitimate interest | Business purpose |
Marketing communications (opt-in) | Consent | With explicit consent |
4. Third-Party Service Providers
We use trusted third-party processors to operate our services:
Provider | Purpose | Location | Safeguards |
---|---|---|---|
AWS | Cloud infrastructure | EU/US | Standard Contractual Clauses (SCCs) |
OpenAI | LLM-based assessment generation | US | SCCs + AI Act compliance monitoring |
Anthropic | AI processing | US | SCCs + Data Processing Addendum (DPA) |
Google LLC | Analytics and reCAPTCHA | EU/US | IP anonymization, SCCs |
Google Tag Manager | Tag management system | EU/US | IP anonymization, SCCs |
Hotjar | User behavior analytics | EU | SCCs, DPA |
Cookiebot | Cookie consent management | EU | SCCs, DPA |
5. Data Sharing and Transfers
Your data may be transferred outside the EU/UK, including to the US, only with adequate safeguards such as:
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements (DPAs)
- Privacy Shield (for legacy references only)
We do not sell or rent your personal data.
6. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy, unless a longer retention period is required by law.
- Contact data: up to 12 months after last interaction.
- Assessment data: up to 24 months unless deletion is requested earlier.
7. Your Rights
Under the GDPR (EU/UK)
- Access your data
- Rectify inaccurate data
- Request deletion (right to be forgotten)
- Restrict or object to processing
- Data portability
- Withdraw consent at any time
To exercise your rights, contact: [email protected]
Under the CCPA (California)
- Right to know what personal information we collect
- Right to request deletion
- Right to opt out of sale (we do not sell your data)
- Right to non-discrimination
To exercise your rights, email: [email protected]
You may also authorize an agent to submit requests on your behalf.
8. Cookies and Tracking
We use essential, performance, and analytics cookies. Our website uses services including Google Analytics, Google Tag Manager, Hotjar, and Cookiebot to enhance user experience and analyze website performance. You can manage your preferences through the cookie banner or your browser settings.
For detailed information about the cookies we use, please visit our Cookie Declaration page.
9. Data Security
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit and at rest
- Access control and audit logging
- Periodic security reviews
10. Children’s Privacy
Our services are not directed to individuals under 16 years of age. We do not knowingly collect data from minors. If we become aware of such data, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy to reflect legal or operational changes. Any updates will be published on this page with a revised “Last updated” date.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices:
Email: [email protected]
Address: GenComply S.r.l., Via Privata Beltrame Cristiani 5, 20162 Milano, Italy