Privacy Policy
Last updated: 28 March 2026
1. Data Controller
The data controller for the processing of your personal data is Level Up, with registered office at Via [Indirizzo], [CAP] Milano (MI), Italy, VAT number IT00000000000, reachable at [email protected].
2. What data we collect and why
We collect only the personal data strictly necessary to provide the service. The legal bases for processing are indicated for each category in accordance with Article 6 of the GDPR.
| Category | Data collected | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | Group name, email address, hashed password | Account creation and authentication | Art. 6(1)(b), contract performance |
| Conversation data | Text messages and voice transcripts exchanged with AI personas | Service delivery, quality improvement | Art. 6(1)(b), contract performance |
| Payment data | Billing email, subscription tier (card details handled exclusively by Stripe) | Subscription management and invoicing | Art. 6(1)(b), contract performance |
| Technical data | IP address, browser type, session timestamps | Security, fraud prevention, service stability | Art. 6(1)(f), legitimate interests |
| Analytics data | Aggregated, anonymised usage statistics (page views, session duration) | Product improvement | Art. 6(1)(f), legitimate interests |
We do not collect special categories of personal data (Art. 9 GDPR), such as health, racial or ethnic origin, political opinions, or biometric data, and we do not conduct automated decision-making or profiling with legal effects.
3. Third-party processors
We share personal data only with third-party processors who provide contractual guarantees compliant with GDPR (Data Processing Agreements in place). The main processors are:
| Processor | Role | Data transferred | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Billing email, subscription metadata | USA (SCCs in place) |
| ElevenLabs, Inc. | AI voice synthesis | Voice audio streams (not stored by us) | USA (SCCs in place) |
| Resend, Inc. | Transactional email | Email address, message content | USA (SCCs in place) |
| Cloud database provider | Data storage | All structured data | EU region |
Transfers to the United States are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914/EU.
4. Retention periods
We retain personal data only for as long as necessary for the purposes described above, or as required by applicable law:
- Account data: for the duration of the account, plus 12 months after deletion to comply with legal obligations.
- Conversation data: for the duration of the subscription, deleted within 30 days of account termination upon request.
- Payment data: 10 years from the date of the transaction, as required by Italian and EU tax law.
- Technical/log data: maximum 90 days, then automatically deleted.
5. Your rights under the GDPR
As a data subject, you have the following rights under Articles 15–22 of the GDPR. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
- Right of access (Art. 15): obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Art. 18): request that we limit the processing of your data.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests.
- Right to lodge a complaint: you may file a complaint with your national supervisory authority. In Italy: Garante per la protezione dei dati personali.
6. Security measures
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include: TLS encryption in transit, bcrypt password hashing, JWT-signed session tokens, role-based access controls, and regular security reviews. In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify you without undue delay in accordance with Art. 34 GDPR.
7. Cookies
This website uses cookies and similar technologies. For detailed information on the cookies we use, their purpose, and how to manage your preferences, please read our Cookie Policy.
8. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify registered users of material changes by email at least 14 days before they take effect. The date of the most recent revision is shown at the top of this page.
9. Contact
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us at: [email protected]
Level Up · Via [Indirizzo], [CAP] Milano (MI), Italy