Data Protection Notice

Effective Date: [February 22, 2025]

1. Data Controller

The data controller processing personal data collected through this platform is ASC27 S.r.l. an Italian incorporated under the laws of the Republic of Italy whose registered address is Via Tirso, 14, Rome, Italy

2. Processing of Personal Data Within the EU or Legally Approved Countries

All personal data collected and processed through this platform are processed with the General Data Protection Regulation (GDPR) and other applicable data protection laws within the European Union or in countries for which an adequacy decision has been issued or for which standard clauses approved by the European Commission are in force.

3. Processing of Queries and Prompts

Queries and prompts entered by users for the purpose of improving the LLM are not associated with the identity of the user who submitted them. Consequently, no user data are injected into the model. However, to ensure the integrity and lawful use of the platform, the association between queries, prompts, and users is retained separately and securely. This last information may be used exclusively for the following purposes:

• Filing legal actions against attempts to poison the model or illegal uses of the platform.
• Reporting misconduct to supervisory authorities.
• Disclosing information to law enforcement agencies or courts as required by law.

4. Prohibition on Using Third-Party Personal Data Without Authorization

Users are strictly prohibited from entering any third-party personal data into the platform without obtaining the specific, informed, and documented authorisation of the data subjects concerned, including consent for the potential use of such data for model improvement purposes.

5. Processing of Personal Data for Service Use, Provision, and Billing

Personal data collected to enable the use of the platform and for billing purposes are processed in accordance with the relevant legal obligations, including tax and accounting regulations. Such data are retained for the periods prescribed by applicable laws.

Access to the platform is authenticated either through Google or, at the user’s choice, internally by the data controller.

When using Google authentication, users acknowledge that Google acts as an autonomous data controller and may collect additional information during the authentication process. The collection and processing of such data are subject to Google’s privacy policy and terms of service, and the data controller is not involved in or responsible for these processing activities.

The email confirming the registration through the local platform is sent by a smart SMTP service, which does not retain any personal information.

6. Retention of Personal Data

Personal data collected and processed for the protection of the company’s rights are retained for the duration of the applicable statute of limitations. Personal data used to improve the LLM are retained indefinitely to provide evidence of the data processing activities in case of regulatory investigations or legal proceedings.

7. Legal Basis for Processing

Processing of personal data is based on one or more of the following legal grounds:

• Performance of a contract for providing LLM services.
• Compliance with legal obligations applicable to the company.
• Legitimate interests pursued by the company, such as ensuring platform security and protecting company rights.
• The user’s consent, where required by law.

8. Consent to Processing

Consent is not required for the processing of personal data necessary to fulfill contractual or legal obligations or to initiate or defend against legal actions.

Additionally, the use of anonymised prompts and queries for improving the LLM does not require user consent, however the user can deny the authorization to this processing purpose.

9. Data Subjects’ Rights and How to Exercise Them

Users have the following rights under the GDPR:

• Right to access their personal data and obtain information about their processing;
• Right to rectify inaccurate or incomplete personal data;
• Right to erase personal data in certain circumstances;
• Right to restrict processing under specific conditions;
• Right to object to processing based on legitimate interests;
• Right to data portability, where applicable;
• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
• Right to lodge a complaint with a supervisory authority or a court if they believe their data protection rights have been violated.

The data subject may exercise his or her rights by sending a registered letter with return receipt to the registered office of the data controller.

If the request is formally correct, the Data Controller shall respond to the data subject within thirty working days of receiving the request, unless the decision requires more time to be taken. In this case, the Data Controller shall inform the data subject of the need for a longer period of time and, if possible, quantify it.

Within the aforementioned deadline, the Data Controller shall communicate the decision and the related motivation to the data subject, informing him/her of the ways in which it is possible to contact the ordinary Judge or the national Data Protection Authority.

10. Reliability of the Outputs

The LLM is not designed to provide exact or reliable information about individuals and should not be used for this purpose. In any case, the LLM is not intended to generate responses regarding specific individuals

11. Security Measures

Appropriate technical and organisational measures are implemented to ensure the confidentiality, integrity, and availability of personal data, as well as to prevent unauthorised access, disclosure, alteration, or destruction.

12. Usage of Cookies

This Cookie Policy explains how Vitruvian ("we," "our," or "us") uses cookies and similar technologies to recognize you when you visit our website [vitruvian.asc27.com] ("Website"). It explains what these technologies are, why we use them, and your rights to control their use.

12.1. What Are Cookies?

Cookies are small text files that are stored on your device (computer, tablet, or mobile) when you visit a website. They help websites function properly, improve user experience, and provide analytical data.

12.2. Types of Cookies We Use

We use the following types of cookies:

• Essential Cookies: Necessary for the website to function properly, such as those enabling security and authentication features.
• Performance Cookies: Help us understand how visitors interact with the website by collecting and reporting information anonymously.
• Functionality Cookies: Allow us to remember your preferences and settings to enhance your experience.

12.3. How We Use Cookies

We use cookies to:

• Ensure the Website operates efficiently.
• Analyze usage patterns and improve performance.
• Provide personalized content and advertising.
• Enhance security and prevent fraud.

12.4. Third-Party Cookies

Some cookies are placed by third-party services we use, such as analytics tools (e.g., Google Analytics) and advertising partners. These third parties may collect information about your online activities over time and across different websites.

12.5. How to Manage Cookies

You can manage or disable cookies through your browser settings. However, disabling essential cookies may impact the functionality of the Website.

For more information on managing cookies, visit:

• Google Chrome
• Mozilla Firefox
• Apple Safari
• Microsoft Edge

13. Legal Remedies

The data subject has the right to lodge a complaint with the Data Protection Authority in accordance with Legislative Decree no. 196/03 and the information provided on the website of the Data Protection Authority: www.garanteprivacy.it.

Alternatively, the data subject may lodge a complaint with the competent court.