This notice (hereinafter, the "Privacy Policy") describes the methods by which Humassistant – sole proprietorship of Francesco Sganga (hereinafter, also the "Controller"), processes the personal data of users who visit the website humassistant.com and its subdomains (hereinafter, the "Site"), as well as of individuals who use the Humassistant SaaS platform within business-to-business (B2B) contractual relationships, in compliance with Regulation (EU) 2016/679 ("GDPR") and applicable national legislation on personal data protection.
This Privacy Policy provides information regarding the categories of personal data processed, the purposes and legal bases of processing, the recipients of the data, retention periods, as well as the rights granted to data subjects pursuant to the GDPR and the methods for exercising them.
It is understood that, with reference to personal data uploaded, transmitted or otherwise processed within the Humassistant platform on behalf of customers, the Controller acts as a Data Processor, pursuant to Article 28 GDPR, as governed by the specific Data Processing Agreement (DPA).
Users are invited to carefully read this notice and to contact the Controller for any clarification or to exercise their rights pursuant to the GDPR.
The Data Controller is:
For any questions regarding the processing of personal data or to exercise your rights pursuant to the GDPR, please contact the Controller at the following email address:
The Controller has not appointed a Data Protection Officer (DPO), as the requirements pursuant to Article 37 GDPR are not met.
During navigation of the Site and use of the Humassistant platform, different categories of personal data may be processed, depending on the methods of interaction and services used. Data may be provided directly by the data subject, collected automatically during use of the Site or Platform, or processed on behalf of Customers as part of the provision of SaaS Services.
IP address, browser type and version, operating system, referring and exit URLs, access time, device identifiers (e.g. Device ID, UUID), technical site usage events, system logs, saved preferences.
Information on purchasing habits, browsing history, interactions with promotional content, wish lists, expressed or inferable preferences, including automated analyses (with consent).
Data on the geographical location of the device (e.g. city, approximate area), collected through browser or mobile network, with prior consent.
Content entered in contact, support, partnership or review forms; messages, comments or personalized requests sent to the Controller; attached documents or files.
Personal data is processed in compliance with the principles of lawfulness, fairness, transparency and minimization, exclusively for the purposes indicated below and in accordance with applicable legislation.
For each purpose, the legal basis of processing pursuant to Article 6 of the GDPR is indicated and, where relevant, the reference to the retention period.
Personal data provided during registration or subsequently is processed to allow the creation, management and administration of the Account of the Customer and authorized users, as well as to allow access to and use of the Humassistant SaaS Platform. This purpose includes authentication activities, credential management, password recovery, Account configuration, information updates, as well as Account suspension or closure. The legal basis of processing is performance of a contract or pre-contractual measures at the request of the data subject (Art. 6, par. 1, lett. b) GDPR).
Personal data is processed to allow the provision of SaaS Services, management of the Subscription, execution of the Order Form, operational management of the contractual relationship and fulfillment of the obligations assumed by the Controller towards the Customer. The legal basis of processing is performance of a contract to which the data subject is party (Art. 6, par. 1, lett. b) GDPR).
Personal data is processed for the issuance of invoices, payment management, bookkeeping and compliance with applicable tax and civil law obligations. The legal basis of processing is compliance with legal obligations to which the Controller is subject (Art. 6, par. 1, lett. c) GDPR).
Personal data provided by the Customer or authorized users through support channels (email, contact forms, tickets, chat or other support tools) is processed to provide technical or operational support, respond to information requests, manage reports, complaints or communications relating to the Services. The legal basis is performance of the contract (Art. 6, par. 1, lett. b) GDPR) and the legitimate interest of the Controller to ensure an efficient and continuous service (Art. 6, par. 1, lett. f) GDPR).
Personal data may be processed to ensure the security of the Platform, prevent unauthorized access, fraudulent or abusive use, detect technical anomalies, as well as to ascertain violations of contractual conditions or applicable regulations. Data may also be processed for the management of complaints, disputes, requests from competent authorities or for the protection of the Controller's rights in court or out of court. The legal basis of processing is the legitimate interest of the Controller in system security, abuse prevention and protection of its rights (Art. 6, par. 1, lett. f) GDPR); where applicable, compliance with legal obligations (Art. 6, par. 1, lett. c) GDPR).
The processing of personal data takes place in compliance with the principles of lawfulness, fairness, transparency and minimization, as provided by Articles 5 and 25 of Regulation (EU) 2016/679 ("GDPR").
Data is processed mainly with electronic and computer tools, through the adoption of adequate technical and organizational measures to ensure security, confidentiality, integrity and availability. In particular:
In some cases, for specific purposes (e.g. administrative or accounting management), data may also be processed in paper format, with controlled access and storage in protected environments.
Processing operations include, among others, collection, recording, organization, storage, consultation, use, communication, deletion and destruction of data. All activities are carried out in compliance with the principle of minimization, processing only the data necessary in relation to the purposes indicated in this notice.
Finally, the Controller periodically performs security tests, internal checks and system updates to ensure an adequate level of protection against risks arising from processing.
For the proper functioning of the Site and the platform, the Controller uses third-party suppliers who process personal data on behalf of the company, in compliance with the contractual and regulatory obligations provided by Regulation (EU) 2016/679 ("GDPR").
All listed suppliers operate as Data Processors pursuant to Article 28 GDPR, where applicable, or as independent Controllers in cases where they determine the purposes and means of processing.
Annex
The Controller is committed to carefully selecting its external suppliers, favoring partners that guarantee high standards of security, reliability and GDPR compliance.
The list of suppliers and integrated services may be updated periodically, also depending on the technical and organizational evolution of the platform. Any substantial changes will be promptly communicated through updates to this notice.
The provision of personal data may be mandatory or optional in relation to the specific purposes for which the data is collected and processed, as described in this Privacy Policy.
Failure to provide data marked as mandatory may result in the Controller's inability to establish or manage the contractual relationship, provide the requested SaaS Services or comply with legal obligations.
The provision of data for optional purposes is free and any refusal does not prejudice the use of the main Services, but may limit access to ancillary functions or receipt of specific communications.
Personal data is retained for a period of time not exceeding that necessary to achieve the purposes for which it is processed, in compliance with the principles of storage limitation and minimization referred to in Article 5, paragraph 1, lett. e) of the GDPR, as well as applicable legal obligations.
The Controller adopts differentiated retention criteria based on the nature of the data and the purposes of processing. In particular:
At the end of the retention periods indicated above, personal data is deleted, anonymized or made permanently non-attributable to data subjects, through adequate technical and organizational procedures. The Controller adopts suitable measures to ensure that data is not retained beyond the time necessary in relation to the purposes for which it was collected, except for legal obligations or the need to protect the Controller's rights.
Personal data may be communicated to third parties exclusively for the pursuit of the purposes indicated in this Privacy Policy and in compliance with the principles of lawfulness, fairness, minimization and proportionality.
The communication of data is limited to what is strictly necessary and takes place in compliance with the guarantees provided by the GDPR.
The Controller may communicate personal data to third parties who act as Data Processors pursuant to Article 28 GDPR, on the basis of specific contractual agreements that govern the methods and purposes of processing as well as the security measures adopted.
This category includes, by way of example:
Personal data may be processed by persons authorized by the Controller, who operate under its direct authority and in compliance with documented instructions, within the limits of their respective duties. This category includes, by way of example, administrative staff, technical support staff and persons in charge of Platform management and maintenance.
Personal data may be communicated to public authorities, entities or supervisory bodies, where this is required by legal or regulatory provisions or following legitimate requests from competent authorities.
The Controller selects data recipients based on criteria of reliability, technical competence and adequacy of the security measures adopted.
Cookies are small text files that websites visited by the User send to their device (computer, smartphone, tablet), where they are stored to be retransmitted to the same sites on subsequent visits. Cookies allow recognition of the User's device, collect information about their browsing and, in some cases, personalize the online experience.
Cookies can be:
This Site uses different types of cookies, which can be classified as follows:
At first access to the Site, the User will see a cookie banner through which they can:
Consent can be modified or revoked at any time.
Non-technical cookies will be installed only if the User has expressed free, specific, informed and documentable consent, in accordance with Art. 7 GDPR.
Some cookies are managed by external suppliers (e.g. Google, Meta, Hotjar), who may operate as independent Controllers. In these cases, reference is made to their respective notices for more details on processing methods and exercise of rights.
To learn in detail about the cookies used, their duration, third parties involved and methods to disable or manage them, the User can consult the extended Cookie Policy available at the following link: Insert link to complete Cookie Policy.
The processing of personal data takes place at the Controller's premises and through technical infrastructures and IT systems managed directly or through selected suppliers, involved in the provision of SaaS Services. Personal data may also be processed on servers or infrastructures located outside the territory of the European Union or the European Economic Area (EEA), exclusively in compliance with applicable legislation on personal data protection and, in particular, Articles 44 to 49 of Regulation (EU) 2016/679 ("GDPR").
Where, for technical or operational reasons connected to the provision of Services, personal data is transferred to countries located outside the EEA, such transfers occur only in the presence of one of the conditions provided by the GDPR and, in particular:
Transfers may concern, by way of example, providers of cloud infrastructure services, electronic communication services, technical support tools, payment systems or technological solutions functional to the provision of SaaS Services, as well as any sub-processors involved pursuant to the Data Processing Agreement (DPA). The Controller adopts suitable measures to ensure that such transfers take place in compliance with the principles of lawfulness, fairness, minimization and security of personal data, taking into account the recommendations of the European Data Protection Board (EDPB).
Data subjects can obtain information on the safeguards adopted for the transfer of data to third countries by contacting the Controller at the contact details indicated in this Privacy Policy.
Data subjects, i.e. the natural persons to whom the personal data refers, have the right to exercise specific rights provided by Regulation (EU) 2016/679 (GDPR). These rights can be exercised at any time, without additional costs, by contacting the Data Controller using the contact details provided in the dedicated section.
1. Right of access (art. 15 GDPR): Data subjects have the right to obtain confirmation of whether or not personal data concerning them is being processed and, if so, to access such data. This right allows them to receive a copy of the data and information relating to the purposes of processing, the categories of data processed, the recipients and the retention period.
2. Right to rectification (art. 16 GDPR): Data subjects have the right to obtain the rectification of inaccurate personal data concerning them and the completion of incomplete data, taking into account the purposes of processing.
3. Right to erasure (Right to be forgotten) (art. 17 GDPR): Data subjects have the right to obtain the erasure of their personal data in the cases provided by Art. 17 of the GDPR. Erasure may be requested, for example, if the data is no longer necessary in relation to the purposes for which it was collected or if the data subject withdraws consent and there are no other legal grounds for processing.
4. Right to restriction of processing (art. 18 GDPR): Data subjects may request the restriction of processing of their personal data in certain circumstances, for example if they contest the accuracy of the data or if they object to processing. During the verification period, data will be processed only for specific purposes.
5. Right to data portability (art. 20 GDPR): Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit it to another controller without hindrance. This right applies only to data processed by automated means and on the basis of consent or performance of a contract.
6. Right to object (art. 21 GDPR): Data subjects may object to the processing of personal data in certain situations, particularly if the processing is based on a legitimate interest of the Controller. If data is processed for direct marketing purposes, data subjects may object at any time, even without providing a reason.
7. Right to withdraw consent (art. 7 GDPR): When the processing of personal data is based on consent, data subjects have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of processing based on consent given before withdrawal.
8. Right to lodge a complaint (art. 77 GDPR): Data subjects have the right to lodge a complaint with the competent supervisory authority, particularly in the Member State where they habitually reside, work or where the alleged infringement occurred. In Italy, the supervisory authority is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
The Controller reserves the right to modify, supplement or update this Privacy Policy in order to adapt it to any regulatory changes, evolutions in the processing carried out or the introduction of new technical, organizational features or Services offered.
Changes will be communicated to data subjects in a clear and transparent manner through:
Changes will become effective from the date of publication of the updated version, unless otherwise indicated. Where required by applicable legislation, the Controller will collect the consent of data subjects again before carrying out the new processing.
Users are invited to periodically consult this Privacy Policy to be informed of any updates.
Last update of the Privacy Policy: 01/02/2026