Privacy

1. Data Controller

The Data Controller of personal data is the organization that issues the account to the user for accessing the Divergen application (hereinafter “Controller”).

2. Data Processor

Edisonweb S.r.l. VAT 03235060872 (“Edisonweb”) acts as Data Processor (sub-processor) on behalf of the Controller, providing the technological services necessary for the operation of the Divergen app and connected platforms.

3. Purpose and Legal Basis of Processing

Users’ personal data are processed exclusively for:

  • allowing authenticated access to the Divergen app;
  • ensuring the correct technical functioning of the services;
  • ensuring the security and maintenance of the platform;
  • storing user conversations, in order to provide service continuity and improvement;
  • processing responses through generative artificial intelligence models (LLMs) provided by:
    • Microsoft Azure OpenAI Service, as a sub-technology provider;
    • infrastructures managed directly by the Controller (e.g., on-premise servers or the organization’s private cloud).

The legal basis of processing is the performance of the contract between the user and the Controller, pursuant to Art. 6, para. 1, letter b) GDPR.

4. Categories of Data Processed

The Divergen app may process the following categories of data:

  • identification and contact data (name, surname, email, username);
  • login/authentication credentials;
  • technical and log data relating to the use of the platform;
  • contents of conversations entered and received by the user through the app.

No special categories of data pursuant to Art. 9 GDPR are processed, unless specifically instructed by the Controller. Users are advised not to include unnecessary sensitive information in conversations.

5. Processing Methods

Processing is carried out using electronic and telematic tools, in compliance with the principles of fairness, lawfulness, transparency, and data minimization.

Conversations are stored to ensure service continuity and to allow improvement of interactions.

  • When responses are processed via Microsoft Azure OpenAI Service, Edisonweb remains responsible as sub-processor, and the data are not used by Microsoft or Edisonweb to train LLM models, in accordance with Azure API terms.
  • When processing is carried out through LLMs installed or managed directly by the Organization (Controller), responsibility for data management, related security measures, and any transfers lies entirely with the organization itself.

Appropriate technical and organizational measures are adopted to ensure the security and protection of personal data, including encryption in transit and at rest.

6. Data Communication and Transfers

Personal data will not be disclosed.

They may be communicated to third-party providers acting as sub-processors, appointed by the Processor and bound by agreements in compliance with Art. 28 GDPR.

The use of Microsoft Azure OpenAI Service may involve the transfer of data to third countries (e.g., the United States). In such cases, transfers take place exclusively on the basis of adequate safeguards pursuant to Arts. 44 et seq. GDPR, such as Standard Contractual Clauses (SCCs) and additional security measures.

Further information is available in Microsoft’s official documentation: Non-EU Data Transfers (Microsoft).

7. Data Retention and Deletion

Personal data, including conversations, are retained for the duration of the user account or according to the instructions received from the Controller.

General retention rule: conversations are retained for the duration of the contract between Edisonweb and the Organization, unless the Organization requests a more restrictive deletion policy or the user deletes them independently.

User deletion: through the app, the user can delete individual conversations or the entire history via the dedicated data management section.

Account deletion: the deletion of the user account and related data may be requested by the Organization (Controller) that created and assigned the account. To initiate the deletion procedure, it is necessary to open a ticket through the support center, also accessible within the app.

Specific retention period: if no explicit retention period is indicated, personal data will be deleted or blocked as soon as the purpose or legal basis for retention no longer applies. However, retention may continue beyond this period in the event of legal disputes (imminent or ongoing), the initiation of legal proceedings, or legal obligations requiring retention. In any case, at the end of the periods provided by law, the data will be blocked or deleted, unless a new legal basis justifies further retention.

8. Data Subject Rights

Users, as data subjects, may exercise the rights provided by Arts. 15–22 GDPR, including:

  • right of access, rectification, erasure, and restriction of processing;
  • right to data portability;
  • right to object to processing.

Requests must be addressed directly to the Data Controller. Edisonweb will provide technical support to the Controller to enable the exercise of rights.

9. Complaint to the Supervisory Authority

Data subjects have the right to lodge a complaint with the Italian Data Protection Authority or with the Supervisory Authority of their Member State.

10. Use of Artificial Intelligence and Limitations of Responses

It is clarified that the use of the Divergen App does not constitute any automated decision-making process pursuant to Art. 22 of Regulation (EU) 2016/679 (GDPR).

The application provides only informational suggestions generated by artificial intelligence models (LLMs). Such suggestions are not binding and must always be subject to verification and critical evaluation by the user or the organization using the platform.

11. Contacts

For further information on the processing of personal data relating to the use of Divergen, users should refer to the Controller that issued the account.