Insieme.AI

    Privacy Policy

    Last updated: 23 aprile 2026 · v2.0.0

    1. Data controller

    The data controller for personal data is:

    • Company: Inloop Srl
    • Registered office: Via degli Oleandri 5, 85100, Potenza (PZ)
    • Email: inloop@legalmail.it
    • P.IVA: 02124480761

    2. Personal data collected

    We collect the following categories of personal data:

    Registration data

    • First and last name
    • Email address
    • Username (optional)
    • Password (encrypted)

    Conversation data

    • Messages sent to Companions via Telegram or WhatsApp
    • Responses generated by Companions
    • Transcribed voice commands
    • Documents uploaded by the user

    Integration data

    • OAuth tokens for Outlook (email access authorized by the user)
    • OAuth tokens for Google Calendar/Outlook Calendar
    • Telegram/WhatsApp identifiers (chat_id, phone number for WhatsApp)

    Technical and usage data

    • IP address (not permanently stored)
    • Device type and browser
    • Usage statistics (number of AI calls, audio duration)
    • Interface preferences (theme, language, text size)

    Memories (extracted memories)

    • Personal facts and information automatically extracted from conversations (e.g. name, interests, preferences)
    • Each memory is categorized (work, family, hobbies, etc.) with an importance level
    • Extraction is enabled by default and can be disabled from the Memories page
    • Memories are used to personalize Companion responses
    • Users can view, edit and delete their memories at any time

    3. Purposes and legal basis for processing

    Your personal data is processed for the following purposes, each with its own legal basis under Art. 6 of the GDPR:

    PurposeLegal basis
    Providing the Service (chat with Companions)Performance of contract (Art. 6.1.b)
    Account management and authenticationPerformance of contract (Art. 6.1.b)
    Email and calendar integrationExplicit consent (Art. 6.1.a)
    Personal document management (RAG)Performance of contract (Art. 6.1.b)
    Personalized news briefingPerformance of contract (Art. 6.1.b)
    Voice command transcriptionPerformance of contract (Art. 6.1.b)
    Security and abuse preventionLegitimate interest (Art. 6.1.f)
    Usage limits (AI budget, audio)Legitimate interest (Art. 6.1.f)
    Extraction and storage of memories from conversationsConsent (opt-out) (Art. 6.1.a)
    Smart Alerts: periodic analysis of emails and calendar for urgent notificationsExplicit consent (Art. 6.1.a) — requires active OAuth integration
    Proactive Companion messages based on user context and habitsPerformance of contract (Art. 6.1.b)
    AI usage and cost monitoring to enforce plan limitsLegitimate interest (Art. 6.1.f)
    Temporary aggregation of rapid messages to improve response qualityLegitimate interest (Art. 6.1.f)
    Service improvement (aggregated data)Legitimate interest (Art. 6.1.f)
    Website usage statistical analysis (Google Analytics)Explicit consent (Art. 6.1.a)
    Service communicationsPerformance of contract (Art. 6.1.b)
    Legal complianceLegal obligation (Art. 6.1.c)

    4. Processing of conversation data

    Messages exchanged with Companions are:

    • Sent to third-party AI models for response generation
    • Stored in our database to allow chat history viewing
    • Associated with your account to personalize the experience (custom prompt, context)
    • Used for calculating daily usage limits

    Your messages are NOT used to train artificial intelligence models. The Service's default models have been selected based on their providers' policies, which include not using user data for training.

    Custom AI Models. Users with a paid plan may select AI models different from the defaults. In such cases, Inloop Srl cannot guarantee that the chosen model's provider will not use the transmitted data to train their systems. Users who select a custom model accept this risk knowingly, subject to explicit consent collected through a dedicated disclaimer within the Service (Art. 6.1.a GDPR).

    5. Special categories of data (sensitive data)

    We do not intentionally request sensitive data (Art. 9 GDPR: health, sexual orientation, political opinions, religious beliefs, biometric data). However, conversations with Companions may occasionally contain such information by the user's free choice.

    In such cases, processing occurs on the basis of the user's explicit consent (Art. 9.2.a GDPR), manifested through the voluntary submission of such information. We encourage you not to share sensitive data unless strictly necessary for using the Service.

    6. Data sharing and recipients

    Your personal data may be shared with the following recipients, all bound by confidentiality obligations and data processing agreements (Art. 28 GDPR):

    • AI Providers: Artificial intelligence model providers for generating Companion responses. For default models, messages are transmitted for processing and not retained by the providers for training. For custom models chosen by the user (Premium feature), data processing policies depend on the individual provider and Inloop Srl cannot guarantee that data will not be used for training.
    • Telegram/WhatsApp: Messaging platforms used as communication channels. Messages transit through their infrastructure.
    • Google/Microsoft: Only if the user authorizes email or calendar integration via OAuth.
    • Google Analytics: Web analytics service (Google Ireland Limited). Collects anonymous data about site usage, activated only with the user's explicit consent.
    • Microsoft Clarity: Behavioral analytics service (Microsoft Corporation). Collects anonymous heatmaps and session recordings to improve user experience. Activated only with the user's explicit consent.
    • Sentry: Error tracking service (Functional Software Inc). Receives JavaScript error stack traces to help us fix bugs. No user personal data is sent. Activated only with the user's explicit consent.

    We do not sell, rent, or transfer your personal data to third parties for marketing purposes. We do not perform profiling for commercial purposes.

    Insieme AI's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

    Specifically, data obtained through Google Calendar APIs (scope calendar.events) and Microsoft Graph APIs (Outlook email and calendar) is used exclusively for user-requested features (managing events, reading emails, creating drafts). Email and event content is not permanently stored on our servers but processed in real-time and discarded after the operation. OAuth tokens are stored securely to enable user-authorized access.

    7. International data transfers

    Some of our sub-processors may process data outside the European Economic Area (EEA). In such cases, transfers are based on: Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other appropriate safeguards pursuant to Articles 44-49 of the GDPR.

    You may request information about the specific safeguards adopted by contacting us at inloop@legalmail.it.

    8. Data retention periods

    We retain your data for the time strictly necessary for the purposes for which it was collected:

    Data categoryRetention period
    Account data (email, name)Until account deletion
    Conversation historyUntil account deletion or deletion request
    Uploaded documentsUntil deleted by the user or account deletion
    OAuth tokens (email/calendar)Until service disconnection
    Usage data (statistics)Daily reset; aggregates retained for 12 months
    Notes and remindersUntil deleted by the user or account deletion
    MemoriesUntil deleted by the user or account deletion
    Transcribed audioNot retained after transcription
    AI usage logs (costs and calls)12 months
    Proactive message logs12 months
    Security logs6 months
    Data after account deletionDeletion within 30 days of request

    9. Data subject rights

    Under Articles 15-22 of the GDPR, you have the following rights:

    • Access (Art. 15): Obtain confirmation of the existence of your data and receive a copy.
    • Rectification (Art. 16): Correct inaccurate or incomplete data.
    • Erasure (Art. 17): Obtain the deletion of your data ("right to be forgotten").
    • Restriction (Art. 18): Restrict processing in certain circumstances.
    • Portability (Art. 20): Receive your data in a structured, machine-readable format.
    • Objection (Art. 21): Object to processing based on legitimate interest.
    • Withdrawal of consent: Withdraw consent at any time, without prejudice to prior processing.

    The Service allows you to exercise some rights directly: you can delete your account, clear chat history, remove documents, and disconnect OAuth services from the Settings.

    To exercise the right to data portability (export data in JSON format), use the "Export my data" function in Settings > Your Data.

    10. How to exercise your rights

    You can exercise your rights through the following channels:

    • Email: inloop@legalmail.it
    • Self-service features in the Service Settings
    • Registered mail to the registered office address

    We will respond to your request within 30 days of receipt (extendable to 60 days in complex cases, with reasoned communication). In case of no or unsatisfactory response, you may file a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali - www.garanteprivacy.it).

    11. Automated decision-making and profiling

    The Service uses artificial intelligence to generate conversational responses. This processing does not produce legal effects nor significantly affect the user within the meaning of Art. 22 GDPR, as responses are purely informational and for entertainment purposes.

    We do not perform automated profiling that produces legal or significant effects. Usage limits (AI budget, audio duration) are applied uniformly to all users and do not constitute individualized decisions.

    12. Protection of minors

    The Service is not intended for persons under 16 years of age. We do not knowingly collect data from persons under 16. If we become aware that we have collected data from a person under 16 without parental or guardian consent, we will promptly delete it.

    If you are a parent or guardian and believe that your child under 16 has provided personal data to Inloop Srl, please contact us at inloop@legalmail.it.

    13. Security measures

    We adopt appropriate technical and organizational measures to protect your personal data (Art. 32 GDPR), including:

    • Encryption of data in transit (TLS/HTTPS)
    • Password encryption with secure algorithms (bcrypt)
    • Secure authentication via JWT tokens
    • Data access limited to authorized personnel
    • Regular backups and disaster recovery procedures
    • Access monitoring and security logs
    • Regular updates of systems and dependencies
    • OAuth tokens stored securely with automatic refresh

    14. Cookies and tracking technologies

    The Service uses technical and functionality cookies strictly necessary for operation, and analytics cookies activated only with consent:

    • Interface preferences: Theme (light/dark), language, text size. Stored in localStorage, not sent to external servers.
    • Authentication session: Session token to maintain access.
    • Language preference: Language choice (IT/EN). Stored in localStorage.
    • Analytics cookies (Google Analytics): Anonymous browsing data for aggregate statistics. Activated ONLY with the user's explicit consent via the cookie banner. Revocable at any time.

    15. Changes to the Privacy Policy

    We reserve the right to update this Privacy Policy to reflect changes to the Service or applicable regulations. Substantial changes will be communicated via email or notification within the Service at least 30 days in advance. The date of the last update is indicated at the top of this document.

    Marketing and data sharing with partners

    Pursuant to Art. 130 of the Italian Privacy Code (Legislative Decree 196/2003) and the Italian Data Protection Authority Guidelines 2013/2024/2025 (including Decision no. 10114967 of 27/02/2025), we collect three distinct and granular consents. None is a condition for using the Service, and each is independently revocable anytime from Settings → Privacy & Communications.

    a) Marketing emails

    If you consent, we'll send you newsletters, announcements of new features, and commercial offers from Insieme.AI via email. We use double opt-in confirmation: after ticking the consent you'll receive an email with a confirmation link; consent only becomes active after clicking the link.

    Retention: until revocation. Immediate revocation via the 'Unsubscribe' link at the bottom of every email or from Settings. Legal basis: Art. 6(1)(a) GDPR, explicit consent.

    b) Promotional messages via Companion (Telegram/WhatsApp)

    If you consent, you'll receive offers and Insieme.AI news via messages sent by your companion on Telegram or WhatsApp. This consent is separate from the companion's empathetic proactive messaging (configured in Settings → Assistants).

    Instant messaging is not covered by the soft opt-in exception (Art. 130 c.4 Italian Privacy Code): explicit opt-in consent is required. Revocable anytime from Settings.

    c) Data sharing with commercial partners

    If you consent, your identifying, account and preference data — with explicit exclusion of companion conversation contents, uploaded documents and extracted memories — may be shared with commercial partners selected by Inloop Srl, operating in the following product categories:

    • Financial services and insurtech
    • Wellbeing, mindfulness and digital mental health
    • Productivity and B2B SaaS

    No partner is currently active. Before activating any individual partner, we will notify you with a specific notice in the Privacy & Communications section, and you will have the option to revoke before any transmission. Note also that partners, once they receive the data, must obtain their own specific consent for their purposes (Italian DPA — provisions on third-party data transfers).

    Legal basis: Art. 6(1)(a) GDPR, explicit and separate consent for the purpose of communication to third parties. Retention: until revocation. Shared data is tracked in a register available upon request.

    Consent revocation

    Under Art. 7.3 GDPR, you can revoke any of these consents anytime, without prejudice to the lawfulness of prior processing. Revocation is recorded with timestamp and IP address in the consent log (append-only user_consents table), accessible directly via 'View consent history' in Settings → Privacy & Communications.

    17. Roleplay Mode Data

    Conversations made in Roleplay mode are stored in a separate database table from normal conversations. The two histories never mix.

    No AI memories or summaries are extracted from Roleplay conversations. Standard memories (from normal conversations) may be used as read-only context.

    Roleplay data is included in data exports (GDPR right to data portability) and is deleted upon request per companion or entirely upon account deletion.

    The Roleplay consent acceptance timestamp is retained for legal compliance.

    16. Contact and complaints

    For any questions regarding the processing of your personal data or to exercise your rights, contact:

    Email: inloop@legalmail.it

    You also have the right to file a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali): Piazza Venezia 11, 00187 Rome - www.garanteprivacy.it - protocollo@pec.gpdp.it

    We use cookies to improve your experience. You can choose which ones to accept. Learn more