1. Scope
This Privacy Policy applies to aoagents.it, marketing.aoagents.it, api.aoagents.it, aoagents.ch, AO Marketing and related AO Agents services that link to this notice (the "Service"). It explains processing under the EU General Data Protection Regulation (GDPR), applicable Italian law and, where relevant, the Swiss Federal Act on Data Protection (FADP).
It covers account users, website visitors, people who contact us, customer representatives and individuals whose publicly available professional information may appear in research prepared through the Service.
2. Who is responsible
The controller for account administration, website operation, security, support and AO Agents' own business activities is Matteo Vitali, an Italian sole trader operating as AO Agents, VAT ID IT04834300404, Via Venere 14 B, 47042 Cesenatico (FC), Italy. Contact: info@aoagents.it.
A data protection officer has not been appointed because AO Agents does not currently meet the statutory conditions requiring one. Privacy requests may be sent directly to the contact above.
3. Our role and the customer's role
AO Agents is a controller when it decides why and how personal data is used for account management, security, support, legal compliance, product administration and its own public-source research activities.
When a customer uses the Service to process personal data in its workspace and determines the purpose of that processing, the customer is normally the controller and AO Agents acts as its processor. The customer is responsible for its instructions, lawful basis, notices, retention and responses to data subjects. Where required by GDPR Article 28, customers may request a data processing agreement at info@aoagents.it.
The exact role depends on the relevant processing activity and not only on the label used in this Policy.
4. Personal data we collect
| Category | Examples |
|---|---|
| Account data | Email address, username, account identifier, hashed password, account status and settings. |
| Customer Content | Prompts, instructions, form selections, research targets, drafts, reports, templates, scratchpad material and generated content. |
| Public professional data | Names, roles, employer or business affiliation, public business contact details, public profiles, website content and other business information available from public sources or licensed APIs. |
| Usage and technical data | Feature activity, timestamps, model and provider usage, token or cost metadata, IP address, device and browser information, security events and diagnostic logs. |
| Communications | Emails, access requests, support messages, feedback and other correspondence. |
We do not intentionally request special-category data, criminal-offence data, health data, payment-card details, government identifiers or data about minors. Users must not submit such information unless we have expressly agreed appropriate safeguards in writing.
5. Where data comes from
- directly from you when you register, use the Service, submit content or contact us;
- automatically from your browser, device and use of the Service;
- from the organisation through which you access the Service;
- from public websites, company pages, professional profiles, directories, search results and other publicly accessible online sources;
- from commercial search, SEO, crawling, performance and research APIs used to provide requested features; and
- from service providers that help us secure, deliver and operate the Service.
6. Purposes and legal bases
| Purpose | GDPR legal basis |
|---|---|
| Create and administer accounts; provide requested reports, research and features | Performance of a contract or steps requested before entering one (Art. 6(1)(b)). |
| Authenticate users, prevent abuse, maintain security, troubleshoot and monitor service performance | Legitimate interests in operating a secure and reliable service (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c)). |
| Send access, security, service and support communications | Contract performance and legitimate interests in administering the Service. |
| Generate customer-requested business and marketing research using public or licensed information | Contract performance; the customer's documented instructions where AO Agents is processor; and legitimate interests in providing proportionate business research (Art. 6(1)(f)). |
| Comply with law, maintain records and establish, exercise or defend legal claims | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)). |
| Measure and improve the Service using aggregated or irreversibly anonymised information | Legitimate interests while data remains personal; data that is truly anonymous is outside the GDPR. |
| Send an optional newsletter or promotional communication if introduced | Consent (Art. 6(1)(a)); no newsletter is currently sent and consent will not be bundled with Service access. |
Where we rely on legitimate interests, we consider the nature of the data, reasonable expectations, necessity, safeguards and impact on individuals. You may object as described in Section 13.
7. Public-source professional data
AO Marketing may locate and summarise publicly available business information to help users understand organisations, markets, websites and professional roles. Public data can still be personal data and is handled accordingly.
- We focus on professional and business context, not private-life information.
- Sources may include public company websites, professional pages, business directories, search results and licensed or paid APIs.
- Typical data includes a person's name, professional role, organisation, public business contact channel and public statements relevant to the requested research.
- We do not intentionally collect special-category data, information about minors or data from access-controlled private areas.
- We do not use this data to make solely automated decisions producing legal or similarly significant effects.
If you are named in a report and want to access, correct, object to or request deletion of your data, contact info@aoagents.it with enough detail to identify the relevant material. We will assess the request under the GDPR, FADP and any applicable exemptions or competing legal obligations.
8. AI processing
Customer Content and research material may be sent to third-party AI model providers to generate requested outputs. We configure and use commercial API services rather than consumer chatbot accounts. Provider handling varies by service and account configuration.
OpenAI states that API data is not used to train its models by default. Anthropic states that commercial API inputs and outputs are not used for model training by default. Their standard services may retain API content for a limited period, commonly up to 30 days, for abuse monitoring, security or legal requirements unless different controls apply.
AO Agents does not use identifiable Customer Content to train general-purpose models unless the relevant customer gives a separate, explicit opt-in. We may use aggregated or irreversibly anonymised signals to evaluate and improve the Service.
9. Service providers and recipients
We disclose personal data only where needed to provide, secure and support the Service, follow customer instructions, complete a business transfer or comply with law. Current provider categories include:
| Provider | Purpose and relevant location |
|---|---|
| Vercel | Website and frontend hosting, delivery and essential operational logs. Processing may involve the United States and other provider locations. |
| Railway | Application hosting and PostgreSQL infrastructure. The production database is intended to use an EU region; Railway states that primary operations also involve the United States. |
| Resend | Transactional email delivery. Resend states that customer data is stored in the United States. |
| OpenAI | AI model API processing. For EEA and Swiss customers, relevant services may be contracted through OpenAI Ireland, with authorised international transfers. |
| Anthropic | AI model API processing, including processing in the United States and other authorised locations. |
| Tavily | Web search and research API. Tavily identifies AlphaAI Technologies Inc. in the United States as its provider. |
| DataForSEO | SEO, search and market data APIs. DataForSEO identifies an Estonian operating entity and may use international subprocessors. |
| Apify | Web automation and public-source data collection. Apify Technologies s.r.o. is based in the Czech Republic and uses documented subprocessors. |
| Google PageSpeed Insights | Website performance, accessibility and SEO analysis for URLs submitted to the feature. |
Sentry monitoring and Vercel Web Analytics are not currently active. This Policy and the Cookie Policy will be updated before either service is enabled, and an appropriate consent mechanism will be used where required by law.
10. International transfers
Some providers process data outside Italy, the EEA or Switzerland. Where required, we rely on an adequacy decision, the European Commission's Standard Contractual Clauses, the relevant Swiss adaptations, contractual safeguards and provider security measures. Data location options do not necessarily prevent all remote support, security or subprocessor access from other countries.
You may contact info@aoagents.it for information about the safeguards relevant to a particular transfer.
11. Retention
| Data | Typical retention |
|---|---|
| Account data and workspace content | For the active account, then scheduled for deletion within 30 days after closure or a valid deletion request. |
| Backups | Residual encrypted copies may remain for up to 90 days before rotation or deletion. |
| Authentication, security and diagnostic logs | Normally up to 12 months, or longer where needed to investigate a specific incident. |
| Access requests, support and general correspondence | Normally up to 24 months after the matter is closed. |
| Legal acceptance and claim records | For the applicable limitation period, potentially up to 10 years after the relationship ends where necessary to demonstrate compliance or defend claims. |
| Third-party API copies | According to the relevant provider's retention terms; standard AI API abuse-monitoring retention may be up to 30 days. |
We may retain data for a longer period where required by law, a legal hold, security investigation or the establishment, exercise or defence of legal claims. We may retain information that has been irreversibly anonymised.
12. Security
We use measures appropriate to the current nature and scale of the Service, including encrypted transport, access controls, hashed passwords, secure authentication cookies, CSRF protection, provider access restrictions, backups and environment separation where applicable.
No system can guarantee absolute security. Users must protect their credentials, limit submitted data to what is necessary and avoid uploading sensitive information that the Service is not designed to process.
13. Your data protection rights
Depending on the applicable law and our role, you may have rights to access, rectify, erase, restrict or object to processing, receive portable data, withdraw consent and obtain information about international-transfer safeguards. You also have the right not to be subject to qualifying solely automated decisions.
Send requests to info@aoagents.it. We may verify identity and ask for information needed to locate the data. If AO Agents is processing data solely for a customer, we may direct the request to that customer or assist it in responding.
GDPR requests are normally answered within one month, subject to lawful extensions. Under the Swiss FADP, access requests are generally answered within 30 days. Rights are not absolute and lawful exemptions may apply.
14. Complaints
We encourage you to contact us first so we can address the issue. In Italy, you may lodge a complaint with the Garante per la protezione dei dati personali at garanteprivacy.it. In Switzerland, you may contact the Federal Data Protection and Information Commissioner at edoeb.admin.ch. You may also contact another competent supervisory authority where applicable.
15. Automated decision-making
The Service automates research and content generation, but AO Agents does not use personal data to make solely automated decisions that produce legal or similarly significant effects on account users or people appearing in research. Customers must not use the Service for prohibited high-impact automated decisions.
16. Minors
The Service is not intended for anyone under 18. We do not knowingly create accounts for minors or intentionally research minors. If you believe a minor's data has been submitted, contact us so we can investigate and delete it where appropriate.
17. Changes to this Policy
We may update this Policy as the Service, providers or law change. The current version and effective date will be published here. Material changes will be communicated through the Service or by email where reasonably practicable.
18. Contact
Privacy contact and controller: AO Agents - Matteo Vitali, sole trader. Via Venere 14 B, 47042 Cesenatico (FC), Italy. VAT ID: IT04834300404. Email: info@aoagents.it.