1. Data Controller
Exito S.r.l.
Via Preare 52, 37124 Verona, Italy
VAT: IT04872260239
Email: info@taholding.it
Exito S.r.l. is the data controller for the personal data collected and processed in connection with the DealCoach service. For any privacy-related enquiry or to exercise your rights, please contact us at the email address above.
2. Data We Collect
We collect and process the following categories of personal data:
- Account data: name, email address, password (hashed), subscription status;
- Usage data: session content, messages sent to and received from the AI, interaction logs, session timestamps;
- Technical data: IP address, browser type, device information, referral URL;
- Payment data: transaction records processed by our payment provider (Stripe); we do not store full card details;
- Communication data: any correspondence you send us via email or support channels.
3. AI Processing of Your Data
Your data may be processed using AI systems to provide and improve the Service. Specifically:
- The content of your negotiation sessions is processed by AI models to generate responses and coaching outputs;
- Session logs and inputs may be analyzed to improve the quality and accuracy of the Service;
- Anonymized and aggregated data may be used for Service improvement, research, and development purposes.
We apply data minimization principles: we collect and process only the data necessary for the stated purposes.
4. Purposes and Legal Bases
- Contract performance: to provide you with the Service you subscribed to (Art. 6(1)(b) GDPR);
- Legitimate interest: to improve the Service, prevent fraud, ensure security, and send direct marketing to existing customers (Art. 6(1)(f) GDPR);
- Legal obligation: to comply with applicable tax, accounting, and regulatory requirements (Art. 6(1)(c) GDPR);
- Consent: for non-essential cookies, marketing communications to non-customers, and any processing not covered by the above bases (Art. 6(1)(a) GDPR).
5. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this Policy, or as required by law. The following specific rules apply:
- Free / unauthenticated sessions: no session data is stored on our servers — conversations are processed in real-time only and not persisted;
- Pro / Premium sessions: session content and messages are stored for as long as your account remains active;
- After subscription cancellation (without account deletion): session history becomes read-only and is retained for 90 days, after which it is automatically and permanently deleted;
- After account deletion: all data (profile, sessions, billing details, invoices, consent logs) is immediately and permanently deleted;
- Billing and invoice records: retained for up to 5 years after account closure for legal and accounting obligations (Art. 6(1)(c) GDPR).
You may request deletion of your data at any time via your account settings or by contacting us at info@taholding.it.
6. Security Measures
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, accidental loss, destruction, or disclosure. These measures include:
- Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS (HTTPS);
- Encryption at rest: sensitive fields (billing details, VAT numbers, session content) are encrypted at the application layer using AES-256-GCM before being stored in the database;
- Password security: passwords are never stored in plaintext — only bcrypt-hashed values are stored;
- Access controls: session data is accessible only to the authenticated account owner — API endpoints enforce strict ownership checks;
- Regular reviews: security practices are reviewed periodically.
No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
7. Your Rights
Under applicable data protection law (including the GDPR), you have the following rights:
- Right of access: to obtain a copy of the personal data we hold about you;
- Right to rectification: to request correction of inaccurate or incomplete data;
- Right to erasure: to request deletion of your personal data — you may do this instantly from your account settings, or by contacting us;
- Right to data portability: to download all your personal data in JSON format from your account settings;
- Right to object: to object to processing based on legitimate interest or for direct marketing purposes;
- Right to restrict processing: to request restriction of processing in certain circumstances;
- Right to lodge a complaint: to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it or with your local supervisory authority.
To exercise any of these rights, contact us at: info@taholding.it
8. Third-Party Processors
We may share your data with trusted third-party service providers who process it on our behalf under data processing agreements, including: cloud hosting providers, payment processors (Stripe), AI model providers, and analytics services. We do not sell your personal data to third parties.
9. International Data Transfers
Some of our service providers may process your data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your personal data in accordance with GDPR requirements.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or by posting a prominent notice on the Service. Your continued use of the Service after a change constitutes acceptance of the revised Policy.