Privacy policy

By means of this privacy notice, drawn up pursuant to Articles 13-14 of Regulation (EU) 2016/679 (“GDPR”) and in compliance with the principles set out therein, Syllotips S.r.l. wishes to inform you about the methods of processing personal data collected and processed through the website www.syllotips.com (“Website”) and the Syllotips platform (“Platform”), an artificial intelligence-based knowledge management service that enables companies to capture, organise and make accessible their internal know-how through AI agents.

This privacy notice is addressed to visitors to the Website, to contacts of client companies and to end users of the Platform (i.e. the employees and collaborators of the companies that use the Syllotips services). With regard to end users of the Platform, it is specified that Syllotips acts as data processor pursuant to Art. 28 GDPR on behalf of the client company, which remains the data controller of the data of its own employees and collaborators.

Any third-party websites accessible via links remain subject to the privacy notice provided by the operator of the relevant third-party website. We invite you to read such documents before browsing third-party websites.

  1. Who decides why and how your personal data are processed?

The data controller is Syllotips S.r.l., VAT No. 17232791008, with registered office at Piazza Crati, 20, 00199 Rome, e-mail: info@syllotips.com (hereinafter the “Controller” or the “Company”).

With regard to the processing of data of end users of the Platform (employees and collaborators of client companies), Syllotips acts as data processor pursuant to Art. 28 GDPR, on the basis of a data processing agreement (DPA) entered into with each client company. In this context, the client company is the data controller and the data subject may exercise their rights by contacting their own company directly.

  2. How to contact the Data Protection Officer?

The Controller has appointed a Data Protection Officer (“DPO”) who can be contacted by sending an e-mail to the e-mail address dpo@syllotips.com or by writing to: Data Protection Officer c/o Syllotips S.r.l., Piazza Crati, 20, 00199 Rome.

  3. What types of data do we process?

From the moment you express interest in the services offered by the Controller and throughout the contractual relationship, we may process various pieces of information relating to you (“Data”).

During browsing and use of the Website and the Platform, we may collect and process the following categories of data:

personal identification data: first name, surname, job title, company name of the organisation to which you belong;

contact data: business e-mail address, telephone number;

access data: unique user identifiers and authentication tokens received through single sign-on (SSO) providers (Microsoft and Google). SylloTips does not have access to users' authentication credentials (such as passwords), which remain under the sole control of the identity provider selected by the user or the client company;

data relating to support requests: content of the technical support or information request;

Platform usage data: information generated in the context of using the Platform, such as log data, questions submitted to the AI agents, generated responses, knowledge base content uploaded, interactions and workflows;

browsing data: IP address, domain name, URL used, information regarding the operating system and the IT environment used;

data relating to surveys and polls: assessment of the quality and appreciation of the services.

It is specified that data entered into the Platform by end users of client companies (e.g. questions, documents, knowledge base content) may contain personal data whose type depends on the use made by the client company. For such data, Syllotips acts as data processor and processes them exclusively in accordance with the documented instructions of the client company.

  4. What do we use your data for, what legal basis authorises us to use them and for how long do we retain them?

The Company acquires and processes your Data for the purposes specified below. The processing is legitimised by the legal basis indicated for each purpose pursuant to Art. 6 of the GDPR.

Data will be retained in a form that allows the identification of data subjects for a period of time not exceeding the achievement of the purposes indicated, in compliance with the principle of data minimisation under Art. 5(1)(c) GDPR.

a)
Purpose: Website browsing and technical operation

Browsing data collected through the website www.syllotips.com will be processed to enable its use, ensure IT security and the technical improvement of the Website itself.

Legal basis
Legitimate interest
[Art. 6(1)(f) GDPR]
Attributable to the Controller’s need to enable the use of the Website and its improvement.

Retention period
Duration of the browsing session for technical data.

b)
Purpose: Management of contact and demo requests

Data provided by filling in contact forms, demo requests or pricing requests will be processed to manage and respond to the data subject’s requests.

Legal basis
Performance of pre-contractual measures
[Art. 6(1)(b) GDPR].

Retention period
12 months from the closure of the request, unless a contractual relationship is established.

c)
Purpose: Performance of the contract and provision of services

Data of company contacts (admin, billing contact, authorised users) will be processed for the management of the contractual relationship, the activation and configuration of the Platform, invoicing and technical support.

Legal basis
Performance of a contract
[Art. 6(1)(b) GDPR].

Retention period
Duration of the contract, unless retention is required to comply with legal obligations.

d)
Purpose: Operation of the Platform and processing by means of artificial intelligence systems

Data entered by authorised users in the context of using the Platform (questions, knowledge base content, interactions with AI agents) are processed for the provision of the service, including processing by artificial intelligence models provided by sub-processors (Anthropic, PBC; Google LLC; OpenAI, LLC). Processing is carried out exclusively to generate contextual responses and not for the training of AI models by the sub-processors. For this purpose, Syllotips acts as data processor pursuant to Art. 28 GDPR on behalf of the client company, which is the data controller.

Legal basis
Performance of a contract
[Art. 6(1)(b) GDPR]

With reference to the contract between Syllotips and the client company.

Retention period
For the duration of the contract with the client company, in accordance with the documented instructions in the DPA.

e)
Purpose: Compliance with legal obligations

Data will be processed by the Controller in order to comply with obligations arising from applicable law, regulations or EU legislation (e.g. tax and accounting obligations) or to manage and respond to requests from the competent authorities.

Legal basis
Legal obligation
[Art. 6(1)(c) GDPR].

Retention period
In accordance with applicable legislation.

f)
Purpose: Customer satisfaction and service improvement

Data may be processed to carry out surveys and polls in order to assess the level of satisfaction with the services offered and to improve the features of the Platform.

Legal basis
Legitimate interest
[Art. 6(1)(f) GDPR]

Attributable to the need to improve the services offered.

Retention period
No more than 6 months from participation in the survey.

g)
Purpose: Direct marketing

Personal data will be processed for direct marketing activities, i.e. the sending (via e-mail, social media, push notifications, etc.) of communications with promotional and/or advertising content regarding the products or services offered by the Controller.

Legal basis
Consent
[Art. 6(1)(a) GDPR].

Retention period
Until withdrawal of consent or objection to processing and in any event no longer than 24 months from the date of last contact.

h)
Purpose: Newsletter

Personal data will be processed for the sending of the newsletter and for the sending of information on new features of the Controller’s Platform, updates and events.

Legal basis
Consent
[Art. 6(1)(a) GDPR].

Retention period
Until withdrawal of consent or objection to processing and in any event no longer than 24 months from the date of last contact.

i)
Purpose: Soft spam

Data will be processed for the sending, via e-mail, of communications with promotional, informational and/or advertising content, relating to products or services similar to those that are the subject of the sale pursuant to Art. 130(4) of Italian Legislative Decree 196/2003.

Legal basis
Legitimate interest
[Art. 6(1)(f) GDPR]

Attributable to the Controller’s intention to maintain the commercial relationship with the customer.

Retention period
For the time strictly necessary to achieve the legitimate interest and until any objection to processing by the data subject.

j)
Purpose: Management of complaints, protection of interests and exercise of the right of defence

The Controller may process data to exercise and protect its rights in out-of-court and judicial proceedings.

Legal basis
Legitimate interest
[Art. 6(1)(f) GDPR]

Attributable to the need to establish, exercise or defend a right.

Retention period
For the period necessary to defend or exercise the right.

k)
Purpose: Activities related to the completion of corporate transactions

Data will be processed in order to enable their communication in the event of corporate transactions (e.g. mergers, acquisitions, transfers of a business unit).

Legal basis
Legitimate interest
[Art. 6(1)(f) GDPR]

Attributable to the need to finalise corporate transactions.

Retention period
For the time necessary for such purpose.

The provision of Data for the purposes under b), c) and d) is necessary and mandatory; accordingly, in the event of refusal it will not be possible to proceed with the contractual relationship and the related provision of the requested services.

The processing activities under a), f), i), j) and k) do not require your specific consent, as they are based on the legitimate interest of the Controller pursuant to Art. 6(1)(f) of the GDPR. In any event, in accordance with the GDPR, we have carried out a thorough balancing of interests aimed at protecting and safeguarding the privacy and fundamental rights of data subjects.

The provision of Data for the purposes under g) and h) is not mandatory. Your prior consent is therefore required, which the Company will request from time to time in the most appropriate form. The consent given may always be withdrawn by you without any consequence with respect to the contractual relationships in place with the Company.

With reference to the purpose under d), it is specified that the processing of data by means of artificial intelligence systems is carried out in compliance with the following safeguards: data are transmitted to AI providers (Anthropic, Google, OpenAI) exclusively via API for the processing of requests; the providers do not use the data received to train or improve their models; data are processed in real time and are not retained by the providers beyond the time strictly necessary for processing the request, without prejudice to the provisions of the respective security policies for abuse monitoring purposes.

  5. To whom do we disclose your data?

The Company may disclose some of your Data to the entities it engages for the performance of activities necessary to achieve the purposes indicated in paragraph 4 above, including, by way of example:

providers of hosting and cloud infrastructure services (Microsoft Azure);

providers of artificial intelligence services acting as sub-processors: Anthropic Ireland, Limited; Google LLC; OpenAI, LLC. Data are transmitted to such entities exclusively via API for the processing of user requests and are not used for the training of AI models;

providers of identity and authentication services (Microsoft and Google), acting as independent data controllers, for the sole purpose of enabling user authentication via single sign-on (SSO);

providers of technical support and customer success services;

consultants and other service providers carrying out activities on behalf of the Controller (e.g. tax adviser, legal adviser);

public entities to which such data must be mandatorily disclosed by virtue of provisions of law or orders of the Authorities.

Such entities act as independent data controllers or as data processors. In the latter case, the Controller has entered into a specific agreement pursuant to Art. 28 GDPR. The list of data processors may be requested by contacting the Controller and/or the DPO at the contact details indicated in paragraph 2 above.

Your Data will be processed by the Controller’s internal personnel specifically authorised pursuant to Art. 29 of the GDPR.

  6. Are your data transferred to a country outside the European Union and how are they protected?

In the context of providing its services, Syllotips engages suppliers that are based in or process data outside the European Economic Area. In particular, the artificial intelligence providers Anthropic, Google and OpenAI are based in the United States of America.

For such transfers, the Controller ensures that the processing of personal data is carried out in compliance with applicable law, adopting the following safeguards:

adequacy decisions of the European Commission, where available (including the EU-US Data Privacy Framework for certified providers);

standard contractual clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR;

additional supplementary technical, organisational and contractual measures aimed at ensuring a level of protection substantially equivalent to that provided by the GDPR.

The Controller periodically reviews the validity of the legal bases and safeguards adopted for international transfers. Further information on transfers and the safeguards adopted may be requested by writing to us at the contact details indicated in paragraph 2 above.

6.1 Security measures

Syllotips adopts appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. The Platform is built on Microsoft Azure infrastructure with enterprise-grade architecture. The Company is undergoing certification for SOC 2 Type II, ISO 27001 (information security management), ISO 27017 and ISO 27018, and is ISO 9001 (quality management) certified, confirming its commitment to the protection of the data processed.

  7. What are your rights and how can you exercise them?

As a data subject, you have the right to:

receive confirmation of the processing of your Data, request access to and a copy of the same;

request the rectification or updating of your Data, where inaccurate or incomplete;

request, where certain circumstances arise, the erasure of the Data relating to you or the restriction of processing concerning your Data;

object to processing (right to object), without prejudice to the existence of an overriding legitimate ground of the Company for the continuation of the processing;

withdraw consent, where given, to marketing activities;

request data portability, where applicable;

lodge a complaint with the Supervisory Authority or bring an action before the Judicial Authority. In Italy, the supervisory authority is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali – www.garanteprivacy.it).

Pursuant to Article 2-terdecies of the Italian Privacy Code, in the event of death the rights relating to the personal data of the data subject may be exercised by those who have an interest of their own, or who act on behalf of the data subject as their agent, or for family reasons deserving of protection.

With regard to data processed by Syllotips as data processor on behalf of the client company, the data subject may exercise their rights by contacting their own company (data controller) directly. Syllotips will cooperate with the client company to respond to the requests received.

The above rights may be exercised by writing to the e-mail address info@syllotips.com or by contacting the DPO at the contact details indicated in paragraph 2 above.

We let AI agents learn from your top employees. SylloTips is the only AI solution that captures and leverages your company's undocumented knowledge.

info@syllotips.com

Rome

Via Ostiense, 92, 00154

+39 334 18 85 594

London

1 Richmond Mews, W1D 3DA

+44 (0) 20 34752667

New York

447 Broadway 2nd Floor, #4000

(+1) 231-525-7669

© 2026 Syllotips. All rights reserved.
