Privacy Notice

Privacy Policy

Last updated: June 11, 2026 - pursuant to the GDPR (Reg. (EU) 2016/679) and Legislative Decree 196/2003 (Italian Privacy Code) as amended by Legislative Decree 101/2018

1. Data Controller

Vimage Srl

VAT / Tax Code: 03654120272

Registered office: Via Scortegara 173, 30035 Mirano (VE) - Italy

Privacy email: privacy@vimage.it

Vimage Srl has not appointed a Data Protection Officer (DPO) as the conditions set out in Article 37 of the GDPR do not apply. For any matter relating to data protection you may contact the Controller at the addresses indicated above.

2. Data Processed and Purposes

We process the following personal data for the purposes indicated:

Data provided through the contact form

Data: First name, last name, email, telephone, company name, message, answers to the multi-step form (type of space, objective), source of origin (UTM parameters of the advertising campaign, landing page, referrer)

Purpose: Respond to requests for information and consultation; attribute the contact to its source channel in order to measure campaign effectiveness

Legal basis: Explicit consent for the form data (Art. 6.1.a GDPR); legitimate interest for the source data (Art. 6.1.f GDPR, contact qualification)

Retention: 24 months from collection, subject to legal obligations

Data provided through the AI chatbot (AI assistant)

Data: Text messages sent by the user and responses generated by the virtual assistant

Purpose: Provide real-time informational assistance about Vimage services and solutions

Legal basis: Explicit consent by accepting the "AI Chatbot" category in the cookie preferences panel (Art. 6.1.a GDPR)

Retention: Conversations are stored in anonymised form on our servers for statistical analysis and service improvement purposes. Retention: 12 months

Browsing data

Data: IP address, browser type, pages visited, access times

Purpose: Site security, fraud prevention, aggregate analysis

Legal basis: Legitimate interest (Art. 6.1.f GDPR)

Retention: 30 days in system logs

Anonymous visit statistics (self-hosted)

Data: Pages visited, referrer, country, device, browser, visit duration (no cookies, no IP, no personal identifiers)

Purpose: Site improvement and measurement of content effectiveness

Legal basis: Legitimate interest (Art. 6.1.f GDPR) - no cookies installed, fully anonymous data, Vimage self-hosted server in the EU. Active by default (even with "Necessary only"), can be disabled by the user via the cookie preferences panel (opt-out)

Retention: Aggregated data, not attributable to natural persons. Retained for up to 24 months

Google Tag Manager + Google Analytics 4 (Consent Mode v2 Advanced)

Data: GTM loads on every page in cookieless mode (no cookies, no personal data without consent). With consent: _ga, _ga_* cookies for visit statistics (pages, sessions, acquisition, behaviour)

Purpose: Tag container (GTM) and advanced traffic analysis (GA4). Without consent: only aggregated anonymous signals for statistical modelling

Legal basis: Legitimate interest (Art. 6.1.f) for cookieless GTM loading. Explicit consent (Art. 6.1.a) for activating GA4 cookies

Retention: _ga cookie: 2 years. Aggregated data in GA4: 14 months. Cookieless pings: not retained

3. AI Chatbot and Message Processing

The site integrates a virtual assistant ("Vimage AI") that uses artificial intelligence models to provide information about Vimage services and solutions. When you use the chatbot, the messages you send are transmitted to our server and forwarded to a third-party AI service for generating the response. Under the contractual terms of the AI providers, the messages are not used to train the models.

AI providers used: Depending on the configuration, the service may use Anthropic (Claude), OpenAI, Google (Gemini) or self-hosted models (Ollama). The active provider is chosen by the Controller based on quality and security criteria.

Data transmitted: The text of the messages sent by the user in the chat. No additional identifying personal data (name, email, IP) is transmitted to the AI providers.

Retention: Conversations are stored in anonymised form on our servers for statistical analysis and service improvement purposes (retention: 12 months). AI providers may retain data according to their own data retention policies.

Recommendation: We ask that you do not enter sensitive personal data (health, financial or judicial data) in the chatbot messages.

4. Nature of Data Provision

Providing data through the contact form is optional. However, failure to provide the data marked as mandatory (name, email) will make it impossible for Vimage to respond to the request. Use of the chatbot is entirely optional and requires the user's explicit consent.

5. Data Recipients and Sub-processors

Personal data is neither sold nor disclosed to third parties for commercial purposes. For the purposes described above, the data may be processed by the following sub-processors (Art. 28 GDPR), appointed under specific agreements (DPAs) and selected to ensure an adequate level of security:

Sub-processor	Service	Location	Transfer outside the EU
Aruba S.p.A.	SMTP service for sending email	Italy (EU)	None: servers in the European Union
Serverplan S.r.l.	Website and email hosting	Italy (EU)	None: servers in the European Union
Cloudflare, Inc.	Anti-bot protection (Turnstile)	USA	SCC + EU-US Data Privacy Framework
Calendly LLC	Appointment booking	USA	SCC + EU-US Data Privacy Framework
Anthropic, PBC	AI assistant	USA	Standard Contractual Clauses (SCC)
OpenAI, LLC	AI assistant	USA	SCC + EU-US Data Privacy Framework
Self-hosted analytics	Anonymous browsing statistics. No cookies, no IP, no personal data. Can be disabled from "Manage cookies"	Italy (Vimage VPS)	No transfer outside the EU
Google Ireland Limited	Tag Manager + Analytics 4. Without consent: only anonymous signals. With consent: analytics cookies	Ireland (EU) / USA	SCC + EU-US Data Privacy Framework. IP anonymised

In addition, the data may be disclosed to the competent authorities, where required by legal obligation, court order or for the exercise of rights in judicial proceedings.

6. Transfer of Data Outside the EU (Arts. 44-49 GDPR)

When personal data is processed by sub-processors based outside the European Union (see the table in section 5), the transfer takes place in compliance with the safeguards provided for by the GDPR:

Standard Contractual Clauses (SCC) approved by the European Commission (Decision (EU) 2021/914), contractually binding the sub-processor to levels of protection equivalent to those of the EU.
EU-US Data Privacy Framework (for US sub-processors that adhere to it), an official certification following Adequacy Decision (EU) 2023/1795.
Transfer Impact Assessment (TIA) for US providers, with verification of any supplementary safeguards in accordance with EDPB guidelines 01/2020.

You have the right to request a copy of the safeguards applicable to a specific transfer by writing to the Controller's email address indicated at the bottom of this document.

7. Automated Decision-Making and Profiling

The AI chatbot generates responses in an automated manner based on the messages sent by the user. However, this processing does not produce legal effects nor does it significantly affect the user within the meaning of Article 22 of the GDPR. The chatbot's responses are purely informational and in no way constitute binding advice, a contractual offer or an automated decision with legal effects.

Vimage does not carry out any profiling of site visitors.

8. Your Rights (Arts. 15-22 GDPR)

You have the right to:

Access

Know which data we process about you

Rectification

Correct inaccurate or incomplete data

Erasure

Request the deletion of your data ("right to be forgotten")

Restriction

Restrict processing in certain cases

Portability

Receive your data in a structured format

Objection

Object to processing based on legitimate interest

Withdraw consent

Withdraw consent at any time

Complaint

Lodge a complaint with the Italian Data Protection Authority

To exercise your rights, write to privacy@vimage.it. We will respond within 30 days. You may also lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).

9. Data Security

We adopt appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or disclosure. These measures include: HTTPS connections, anti-spam and anti-bot protection (Cloudflare Turnstile), data access limited to authorised personnel, regular backups and encryption of sensitive data.

10. Cookies and Tracking Technologies

The site uses cookies and similar technologies (localStorage). For detailed information on the categories of cookies used, the purposes and how consent is managed, please see our Cookie Policy.

11. Minors

Our services are intended exclusively for adults (18+ years) and for business owners or representatives. We do not knowingly collect data from minors. If you believe that a minor has provided personal data, please contact us immediately.

12. Changes to the Privacy Policy

This Privacy Policy may be updated to reflect regulatory or operational changes. Substantial changes will be communicated via a notice on the site or by email to registered users. The date of the last update is shown at the top of this page.

13. Privacy Contacts

For any matter relating to privacy:

Email: privacy@vimage.it

Post: Vimage Srl - Via Scortegara 173, 30035 Mirano (VE)

Italian Data Protection Authority: www.garanteprivacy.it