Privacy Policy
This Privacy Policy is provided pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR) and applies to all personal data collected through the website www.strateego.ai, its subdomains, and the application Platform accessible at app.strateego.ai. This Privacy Policy is subject to updates that will be published on the Website and notified to registered Users by email with at least 10 days' notice.
§ Data controller
The Data Controller for personal data collected through this Website is:
Tax ID / VAT No.: 10707250014 — REA No. TO - 1155316
Email: info@strateego.ai · Certified email (PEC): archibuzz@legalmail.it
Data Protection Officer (DPO)
Pursuant to Article 37 GDPR, Archibuzz S.r.l. has appointed a Data Protection Officer (DPO):
01 Personal data processed
Personal data means any information relating to an identified or identifiable natural person (Data Subject), within the meaning of Article 4 GDPR. Strateego.ai processes the following categories of personal data:
a) Registration and authentication
First name, last name, and email address provided at registration. Strateego.ai uses a passwordless authentication system: each login sends a one-time link or OTP code. No password is collected or stored.
b) Technical browsing data
IP address, browser type, operating system, pages visited, and date and time of access. This data is collected automatically and is necessary for the technical operation of the Platform.
c) Platform usage data
Brands, URLs, and keywords entered by the User for competitive monitoring; plan configurations; logs of feature usage.
d) Data entered in the AI Advisor
Texts and questions that the User freely enters in the AI Advisor. Users are advised not to enter third-party personal data or confidential information.
e) Payment data
Billing data (company name, address, VAT number / tax ID). Credit card data is processed exclusively by payment providers (Stripe, PayPal) and is never stored by Archibuzz S.r.l.
f) Data via chatbot (/start)
The onboarding page includes a chatbot provided by Chatling Inc. Data entered (name, email, website URL, competitor URLs) is collected via Chatling and transmitted to Archibuzz S.r.l. for account creation and generation of the free preliminary report.
02 Processing methods
Personal data is processed in compliance with the principles of lawfulness, fairness, transparency, and data minimisation under Article 5 GDPR. Processing is carried out by electronic means with appropriate technical and organisational security measures to prevent unauthorised access, disclosure, alteration, or destruction of data.
03 Purposes of processing and legal bases
4.1 Responding to information requests
Data provided via the contact form or by email is processed to respond to the Data Subject's requests. Legal basis: consent of the Data Subject (Art. 6(1)(a) GDPR). Retention: until consent is withdrawn or the request is fulfilled, and in any case no longer than 12 months.
4.2 Registration and account management
Registration data is processed to enable access to the Platform and use of the Services. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Retention: for the entire duration of the contractual relationship and up to 30 days from the deletion request. Billing data: 10 years for tax obligations.
4.3 Provision of the free preliminary report
Data entered in the onboarding chatbot (name, email, URL) is processed to generate the free competitive report and activate the 15-day trial. Legal basis: steps prior to entering into a contract at the Data Subject's request (Art. 6(1)(b) GDPR).
4.4 Provision of subscription Services
Data is processed to perform the subscription contract, manage billing, renewals, and support. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and legal obligation for tax data (Art. 6(1)(c) GDPR). Retention: 10 years for tax and accounting data; usage data for 30 days after termination of the relationship.
4.5 Competitive monitoring and public data scraping
To provide the monitoring Service, Strateego.ai automatically collects publicly accessible data (social posts, ads, website content) relating to brands entered by the User, using web scraping technologies. Such data may occasionally relate to identifiable natural persons (e.g. the name of a director mentioned in a public post). In such cases, the Controller acts on the basis of legitimate interest in competitive monitoring, limiting processing to data that is strictly necessary and publicly accessible. Legal basis: legitimate interest of the Controller and the User in market monitoring (Art. 6(1)(f) GDPR). Retention: data history for up to 180 days depending on the subscribed plan.
4.6 Processing via Artificial Intelligence
Content entered in the AI Advisor and monitoring data is processed through artificial intelligence systems provided by third-party providers (OpenAI, LLC) to generate analyses, strategic recommendations, and AI Output. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Retention: AI Advisor conversations are retained for the duration of the subscription and may be deleted on request. AI processing does not produce automated decisions with legal effects within the meaning of Article 22 GDPR.
4.7 Newsletter and commercial communications
With the Data Subject's explicit consent, data is processed to send newsletters and promotional communications relating to Strateego.ai Services. Legal basis: consent (Art. 6(1)(a) GDPR). Retention: until consent is withdrawn, exercisable via the unsubscribe link in each email or by writing to info@strateego.ai.
4.8 Soft spam (communications to existing customers)
The Controller may send commercial communications by email relating to services similar to those purchased, without explicit consent, pursuant to Art. 130(4) of Legislative Decree 196/2003. Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR), with the right to object at any time.
4.9 Statistics and Platform improvement
Aggregated and anonymised usage data is analysed to improve Platform functionality. The Controller reserves the right to use data derived from Platform use in anonymised and aggregated form for analysis and development purposes. Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR) for anonymised and aggregated data; consent for data that is not fully anonymised.
4.10 Compliance with legal obligations
Data is processed to comply with obligations under laws, regulations, and tax legislation, including Legislative Decree 231/2007 on anti-money laundering. Legal basis: legal obligation (Art. 6(1)(c) GDPR). Retention: 10 years or the period required by applicable law.
04 Transfer of data to third countries
5.1 Payment providers
Payment data is processed by Stripe, Inc. (USA) and PayPal Holdings, Inc. (USA), acting as processors under Article 28 GDPR with appropriate contractual safeguards (Standard Contractual Clauses and/or EU-US Data Privacy Framework).
5.2 AI provider — OpenAI
Data entered in the AI Advisor and monitoring data processed with AI systems is transmitted to OpenAI, LLC, based in the United States. Transfer is based on Standard Contractual Clauses and/or EU-US Data Privacy Framework. Under business customer terms of use, data transmitted via API is not used to train AI models.
5.3 Onboarding chatbot — Chatling
Data entered on the /start page is processed by Chatling Inc. For details on processing and safeguards adopted, see the Chatling privacy policy.
5.4 Other processors
Strateego.ai uses other technical service providers (hosting, cloud infrastructure, analytics) appointed as Processors under Article 28 GDPR. An up-to-date list may be requested by writing to info@strateego.ai.
05 Disclosure of data
Personal data may be disclosed to:
- Internal personnel of Archibuzz S.r.l. authorised to process data (employees and collaborators designated as persons authorised to process data).
- Service providers and commercial partners appointed as Processors under Art. 28 GDPR.
- Public or private authorities when required by law.
Data is not sold or transferred to third parties for third-party marketing purposes.
07 Data security
Archibuzz S.r.l. adopts appropriate technical and organisational measures under Article 32 GDPR to protect personal data from unauthorised access, loss, destruction, or disclosure. Access to systems may be monitored through technical logs and security tools to prevent abusive access, fraud, and unauthorised use of the Platform. The Platform uses HTTPS with an SSL certificate for all communications.
08 Data subject rights
The Data Subject has the right to exercise the rights provided under Articles 15–22 GDPR:
Access
Access their personal data processed by the Controller (Art. 15).
Rectification
Obtain rectification of inaccurate or incomplete data (Art. 16).
Erasure
Obtain erasure of their data ("right to be forgotten") in the cases provided under Art. 17.
Restriction
Obtain restriction of processing in the cases provided under Art. 18.
Portability
Receive their data in a structured format and transmit it to another controller (Art. 20).
Objection
Object to processing on legitimate grounds (Art. 21), including processing for direct marketing purposes.
Withdrawal of consent
Withdraw consent at any time, without affecting the lawfulness of processing based on consent given before withdrawal.
Complaint
Lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
To exercise your rights
Archibuzz S.r.l.
Piazza Edmondo de Amicis 121 bis
10126 Torino (TO) — Italy
The Controller will respond within 30 days of receipt of the request, except where a justified extension of a further 60 days applies in particularly complex cases.
09 Specific tools used for processing
10.1 Contact form
Data entered in the contact form (name, email, message content) is processed to respond to the Data Subject's requests. Legal basis: steps prior to entering into a contract at the Data Subject's request (Art. 6(1)(b) GDPR).
10.2 Passwordless authentication system
To access the platform, a one-time link or OTP code is sent to the User's email address. The Controller processes the email address and authentication logs for access management and security purposes. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and legitimate interest in platform security (Art. 6(1)(f) GDPR).
10.3 Stripe — Online payments
Payments are managed through Stripe, Inc., which acts as a processor. Stripe processes data necessary to manage the transaction without the Controller storing full card details. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Place of processing: United States — Safeguards: Standard Contractual Clauses (SCC) and/or EU-US Data Privacy Framework. Stripe Privacy Policy »
10.4 Traffic analysis tools (Google Analytics)
The website may use Google Analytics to collect information on site use (pages visited, time on site, interactions). Data collected is generally pseudonymised and used to improve services offered. Legal basis: User consent (Art. 6(1)(a) GDPR), where required by applicable law. Consent may be managed or withdrawn via cookie settings.
10.5 Chatling — Onboarding chatbot
The /start page includes a chatbot provided by Chatling Inc. Data entered (name, email, URL) is processed to manage the conversation and support onboarding and account creation. Such data may be transmitted to Chatling, which acts as an external service provider. Legal basis: steps prior to and/or performance of a contract (Art. 6(1)(b) GDPR). Chatling Privacy Policy »
10.6 AI provider — OpenAI
Some platform features (AI Advisor and automated analysis modules) involve processing data through OpenAI. Data is not used to train models by the provider, under applicable contractual terms. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Place of processing: United States — Safeguards: Standard Contractual Clauses (SCC) and/or EU-US Data Privacy Framework. OpenAI Privacy Policy »
10.7 Spam protection and security
The website uses HTTPS/SSL to protect transmitted data. Security and abuse prevention tools (anti-spam systems and access monitoring) may also be used to analyse traffic to ensure the integrity and security of the platform. Legal basis: legitimate interest of the Controller in system security (Art. 6(1)(f) GDPR).
10 Updates to this Privacy Policy
This Privacy Policy is subject to periodic updates to reflect regulatory changes or developments in the Service. Changes will be notified to registered Users by email with at least 10 days' notice and published on the Website.
Last updated: 12 May 2026.