Facebook-f Linkedin Instagram
Facebook-f Linkedin Instagram

Privacy Policy - Chatbot "Sportellino"

This information is provided pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 (“GDPR”) and describes how the personal data of users of “Sportellino”, an information chatbot service operated by the Buonsenso Social Promotion Association, is processed. The service is restricted to users over 18 years of age residing in the European Union; use by children under 18 years of age or from outside the EU is prohibited. Personal data (including any data belonging to special categories under Art. 9 GDPR, e.g. ethnic origin, religious beliefs, health data, etc.) will be processed in compliance with current legislation and confidentiality obligations.

Data Controller and Contact Information
The Data Controller is Associazione di Promozione Sociale Buonsenso, with registered office in Via Casilina n. 3, 00182 Roma (Italy). For any request regarding privacy or the exercise of the rights listed below, you can contact the Data Controller at the email address: info@sportellino.it .

(As there is no provision for the appointment of a DPO, the above contacts should be used for any communication personal data). Purpose of Processing and Legal Basis Users’ personal data are collected and used exclusively for the following purposes, according to the relevant legal bases: • Chatbot service delivery: allowing the user to access Sportellino and take advantage of informational chatbot features (including managing conversations and support requests).

Legal basis: performance of a service requested by the user (Art. 6(1)(b) GDPR); for any processing of special categories of data (e.g., information about health, ethnicity, religious beliefs that the user should communicate) the further legal basis is the user’s explicit consent (Art. 9(2)(a) GDPR) given by acceptance of this policy. • Service improvement and AI training: analyzing in aggregate or pseudonymized form users’ conversations and interactions with the chatbot in order to improve the quality of responses, train artificial intelligence algorithms and develop new features. Legal basis: legitimate interest of the Data Controller in perfecting the service offered and its AI system (Art. 6(1)(f) GDPR); in any case, the processing of special data will rely on the explicit consent of the user, taking protective measures (e.g., pseudonymization) to minimize the impact on the rights of data subjects. 

Legal compliance and protection of rights:
to comply with obligations imposed by laws or regulations (e.g., retention of access records, verification of age or geographic origin of users of EU age) and, if necessary, to establish, exercise or defend a right in court. This includes the possible use/storage of data if it is necessary to handle disputes, prevent abuse of the service or fraud, or comply with legal requests from authorities. Legal basis: fulfillment of legal obligations (Art. 6(1)(c) GDPR) and legitimate interest of the Data Controller in the protection its rights in case of disputes or abuse (Art. 6(1)(f) GDPR); for special data, the exceptions in Art. 9(2)(f) GDPR (need to establish or defend a right in court) apply where applicable, otherwise such data will be processed only with explicit consent.

Note: Providing the data required to use the chatbot is necessary to provide the service. Any refusal to provide such data or to accept this policy will result in the inability to use Sportellino. In particular, you will be required to declare your age of majority and EU residency; the Owner may take verification measures (e.g., checks on declared age and geographic area of connection) to ensure compliance with these requirements.

Types of Personal Data Processed:
For the purposes described above, Sportellino processes different categories of personal data provided directly by the user or collected during the use of the service: • Identifying and contact information: information provided using the Sportellino service, such as first name, last name, email address, phone number (especially if access is via platforms such as WhatsApp), username or user ID, age/date of birth (to verify age of majority requirement), and proof of EU residency.

Data from conversations: the textual content of queries and messages exchanged with the chatbot. Such conversations may include common personal data (e.g., information about personal, work, study situations provided by the user in questions) and data belonging to special categories if the user voluntarily chooses to disclose them (e.g., data revealing racial or ethnic origin, religious views, health status, or information of a similar nature about the user). The system does not require the user to provide this sensitive information unless the user includes it in his or her applications; however, it may emerge from conversations based on the user’s needs, and will be processed with the additional safeguards provided by law.

Technical and Usage Data:
data collected automatically during chatbot use, such as activity logs (timestamps and duration of chat sessions), information about the device or application used (e.g., type of browser or messaging application), and the user’s IP address. In particular, IP address or other approximate geolocation data may be used only to restrict access to the service to users located in the European Union (as per the Terms of Use) and to ensure the security of the platform.

Data from external platforms:
if the user accesses Sportellino via third-party services (e.g., using WhatsApp or other messaging apps), some personal data inherent to those platforms may be processed. For example, using WhatsApp, the Data Controller may become aware of the user’s WhatsApp phone number and callsign, as well as messages sent on that channel. Such data will be used to the extent necessary to provide the service through that platform. It should be noted that WhatsApp (a messaging service provided by WhatsApp Inc./ WhatsApp Ireland Ltd.) acts as an autonomous data controller for personal data processed within its platform, according to its privacy policy. This means, for example, that WhatsApp may independently process data such as phone number, communication metadata, and, in some cases, encrypted chat content, according to its own terms. You are encouraged to review the privacy policies of the external platforms you use (e.g., WhatsApp’s Privacy Policy) to understand how these third parties process your data. In any case, the data that these platforms communicate to the Owner (e.g., the user’s messages necessary to deliver the chatbot response) will be processed by APS Buonsenso according to the purposes and methods described in this policy. Data Retention Personal data collected through Sportellino will be kept only as long as strictly necessary to achieve the purposes for which they are collected, according to criteria of minimization and limitation of storage. In particular, there are differentiated retention periods as follows:
Service delivery data: any account information (registration and profile data) and user conversations will be retained for as long as the user remains registered and/or uses the service. If the account is deleted by the user or the user revokes consent to processing, the associated personal data will be deleted or anonymized within a short period of time (normally within 30 days of the deletion/revocation request). In addition, in the event of prolonged account inactivity (e.g., lack of use for more than 12 months), the Data Controller may contact the user to verify interest in maintaining membership and, if no response is received, proceed to terminate the account and delete the associated data, unless additional legal requirements dictate longer retention.
Conversation data for improvement purposes: conversations and logs used to improve the service or train artificial intelligence will be retained in identifiable form only for as long as necessary for analysis and training. As a rule, this data is pseudonymized or aggregated shortly after collection, removing elements that could lead back to to the user’s identity, and raw versions of conversations are deleted within [e.g., 6 or 12 months] of their acquisition. Anonymized data (which no longer allow the user to be identified) may be retained longer for statistical analysis and algorithm improvement, as in that case it is no longer personal data.
Data for legal compliance and legal protection: information necessary to comply with regulatory obligations or to protect the rights of the Data Controller (e.g., consent logs, access logs, data useful to prove the provision of the service or to prevent abuse) will be retained for the period required by applicable laws or for the time strictly necessary to pursue any claims. In the absence of specific obligations, such data will generally not be retained beyond 10 years after the user’s last use of the service, similar to the legal limitation periods applicable to contractual claims. If litigation or assessments are pending, the data will be retained for the entire duration of the proceedings and until the terms of appeal have been exhausted, and deleted immediately after final settlement of the matter. Upon expiration of the above retention periods, personal data will be deleted, irreversibly anonymized, or otherwise processed in a form decoupled from the user’s identity. In any case, after the necessary period has elapsed, the Data Controller undertakes not to further store the user’s personally identifiable data. Method of Processing and Security Measures Personal data are processed using mainly electronic and automated tools. User interactions with Sportellino are processed by artificial intelligence systems to generate informational responses. This automated processing is limited to the provision of the responses requested by the user; no automated decisions are made that produce legal effects or similarly significantly affect the user (within the meaning of Article 22 GDPR). In any case, the Data Controller has implemented strict technical and organizational security measures to protect the processed data and prevent unauthorized access, disclosure, modification or loss of personal data. In particular, Sportellino adopts advanced security measures, including, for example:
Data encryption: communications between the user and the chatbot are protected using encryption protocols (e.g. HTTPS/TLS for the web interface, end-to-end encryption for possible use via WhatsApp) in order to ensure the confidentiality of messages in transit. Where technically feasible, the Owner also applies encryption to personal data stored on the servers so that they are unreadable to any unauthorized parties. This is in line with the measures recommended by Article 32 GDPR, which explicitly mentions encryption of personal data among the appropriate means of ensuring security.

Pseudonymization of sensitive data: for data collected through conversations, especially if they contain special categories of information, pseudonymization techniques are adopted before performing analysis or using them to train AI. In practice, direct user identifiers are replaced with codes or removed so that analysts or enhancement systems cannot immediately trace the information back to the user’s identity. This expedient reduces risks in the event of possible undue access and better protects privacy during the service development phases.

Controlled access and authorized personnel: personal data are accessible only by personnel expressly authorized by the Data Controller – for example, staff members or collaborators assigned to manage and maintain the service – and only for the intended purposes. Access control and authentication policies are in place, so any access to data is tracked and allowed only within the limits of the assigned tasks. Those authorized to process data are bound by confidentiality obligations and adequately trained in data protection. Thus, data can only be accessed or processed by authorized persons acting within the scope of the authority granted to them.
Additional measures: the Owner also takes other organizational and technical measures, such as firewall and anti-intrusion systems to protect the servers, regular backups of the data in order to be able to ensure that it integrity and availability, as well as internal procedures for periodically verifying and updating the implemented security measures. The level of security is reviewed and updated regularly taking into account technological developments and the principle of proportionality to risks (Art. 32 GDPR). Disclosure of Data to Third Parties Users’ personal data will not be disseminated or publicly disclosed in any way. However, it may be disclosed to third parties within the limits of the purposes described above, as specified below:
External Data Processors: the Data Controller may use external service providers for technical and organizational support of the Sportellino platform. These third parties (e.g., server hosting/housing companies, cloud service providers or software maintenance providers) will process personal data on behalf of the Data Controller and according to its instructions, as Data Processors under Article 28 GDPR. The Data Controller ensures that appropriate contractual agreements are signed with these providers to ensure data protection (Data Processing Agreement) and that security measures are taken by them that are no less than those described in this policy. The updated list of External Processors can be obtained by contacting the Controller.
External platforms and other autonomous controllers: as highlighted, if the user chooses to interact with Sportellino through third party platforms (e.g. WhatsApp, Facebook Messenger, Telegram etc.), some data will also be processed by these platforms as autonomous controllers. WhatsApp, particular, collects and processes user data for its own purposes according to independently decided terms. Similarly, if Sportellino is made available through other external channels (social networks, third-party applications, etc.) in the future, the use of these channels will result in the application of their respective privacy policies with regard to data collected directly from them (please consult them carefully). The Owner, for its part, will limit the communication of personal data to these platforms to what is strictly necessary (for example, the chatbot will receive from the messaging service only the texts sent by the user and will in turn send replies; any profile data will be used only to identify the user in the system). Under no circumstances will APS Buonsenso transfer lists of its users or additional data to external platforms without a legal basis and without informing the data subject.

Disclosures for legal obligations: data may be disclosed to public bodies or authorities, police organs or judicial authorities only in cases where this is required by law or by orders of the authority (e.g. investigation of offenses, formal requests within legal proceedings). In such circumstances, the Data Controller will only confer the information expressly requested and within the limits of what is permitted/obligatory under data protection regulations. Outside of the above cases, no other third parties will have access to users’ personal data. In particular, data will not be transferred to third parties for marketing, profiling or other purposes other than those stated. Data Transfers Abroad Data processing will take place mainly at the Controller’s premises and through cloud servers/infrastructures located entirely in the European Union. The Controller does not transfer and does not intend to transfer users’ personal data to third countries outside the European Economic Area or to international organizations. This ensures that data is always protected by strict EU privacy regulations. In the case of using external services such as WhatsApp or others, the data you send through these platforms may transit or be stored on the systems of these providers outside the EU as well, depending on their respective global infrastructures. However, such possible transfer is done under the responsibility of the third party platforms (autonomous owners) according to their policies. APS Buonsenso ensures that, to the extent of its responsibility, all data directly managed by it remains on servers located in Europe. Should it become necessary in the future to transfer some data to third countries (e.g., to use of specific cloud services), this will only be done in the presence of one of the appropriate safeguards provided by Chapter V GDPR (e.g., European Commission Adequacy Decisions, Standard Contractual Clauses, etc.), after informing the users involved. Rights of the Interested Party As a data subject, you have all the rights provided for in Articles 15-22 of the GDPR. In particular, the user has the right to:
Access: to obtain confirmation from the Data Controller that personal data concerning him or her is or is not being processed and, if so, to obtain access to such data and all information relating to the processing (including a copy of such data in a commonly used electronic format).
Rectification: to request that one’s data be changed or updated if they are inaccurate or incomplete, without undue delay.
Deletion: to obtain the deletion (right “oblivion”) of one’s personal data, e.g., if the data are no longer necessary in relation to the purposes for which they were collected, or if the user revokes consent (and there is no other legal basis for processing) or objects to processing carried out for legitimate interest (and no compelling legitimate reasons to continue prevail), or if processing is unlawful. The Controller will provide for deletion in cases provided by law, subject to statutory exceptions (e.g., if storage is necessary for legal obligation or defense of a right).
Limitation of processing: to obtain that one’s data be processed only for storage and with suspension of all other processing, if the conditions set forth in Article 18 GDPR are met (e.g., when the user disputes the accuracy of the data, for the period necessary for appropriate verifications; or if the processing is unlawful but the user opposes deletion by requesting limitation instead; or if the data is needed by the user to exercise or defend a right court and needs it beyond the normal storage period).
Data portability: receiving in a structured, commonly used, machine-readable format personal data provided to the Data Controller, and transmitting such data to another data controller without hindrance (right applicable only to data processed by automated means, on the basis of user consent or a contract, and which have been “provided” directly by the data subject – pursuant Article 20 GDPR.

Opposition: to object at any time, for reasons related to your particular situation, to the processing of personal data concerning you based on the legitimate interest of the Controller. In case of opposition, the Data Controller will refrain from further processing of personal data unless it demonstrates the existence of compelling legitimate reasons that override the user’s rights and freedoms, or for the establishment or defense of a legal claim (Art. 21 GDPR). It should be noted that, in the context of Sportellino, the user has the right to object in particular to the use of his or her data (conversations, etc.) for the purpose of service improvement based on legitimate interest: in the event of an objection, such analysis activities will cease for the user’s data (unless they have already been anonymized) and, if technically possible, an option may be offered to use the service in a mode that does not include analysis for the purpose of improvement.

Revocation of consent: when processing is based on consent, the user has the right to revoke the consent given at any time, without affecting the lawfulness of the processing carried out before the revocation. Withdrawal of consent will result in the interruption of the provision of the service (since the user’s data can no longer be processed for the main purposes); the Data Controller will notify the user and may request confirmation as to whether the user wishes to delete the account accordingly. Revocation can be exercised as easily as consent was provided (e.g., through the account settings if available, or by contacting the Controller at the contact details below).

Complaint: if you believe that the processing of your data takes place in violation of privacy regulations, you have the right to lodge a complaint with the Italian Data Protection Authority (Italian Privacy Guarantor) or with the supervisory authority of the EU Member State where you normally reside or work, in accordance with the procedures provided for. This is without prejudice to the possibility of going directly to the judicial authority to protect one’s rights. Methods of Exercising Rights The user may at any time exercise the rights listed above by contacting the Owner. You can send a request by email to info@sportellino.it , specifying which right you wish to exercise and providing the information necessary for identification (possibly attaching a copy of an identity document, if necessary, in accordance with the procedures provided by law). Alternatively, a written notice may be sent by traditional mail addressed to: APS Buonsenso – Via Casilina 3, 00182 Rome (RM), Italy. The Data Controller undertakes to provide feedback to requests from data subjects without undue delay and, in any case, within 30 days of receipt of the request, as provided for in Article 12 GDPR. This deadline may be extended, if necessary, by an additional 60 days in case of particular complexity or number of requests, but in that case the Data Controller will inform the user about the extension and the reasons for the delay within the first 30 days. The exercise of rights is free of charge to the user, unless requests are manifestly unfounded or excessive (in which case the Data Controller may charge a reasonable administrative fee, as allowed by the GDPR). Please note that in order to revoke any consent given for specific purposes (including consent to the processing of special categories of data), the user can also use the same contact channels indicated above. Revoking consent does not affect the lawfulness of the processing carried out before revocation, and does not require reasons: the Data Controller will follow up on the revocation request and confirm its execution. Use of External Platforms (e.g., WhatsApp) – Clarification. As mentioned above, Sportellino is also accessible via external messaging platforms. We would like to reiterate that when the user uses such channels, the privacy rules of said third-party services apply in parallel. WhatsApp, for example, independently processes data (including phone number, any profile pictures, device info, as well as encrypted chat content) for its own purposes: such processing is beyond the control of APS Buonsenso and sees WhatsApp operating as a separate owner. The same applies to any other external channels (such as social networks or different messaging apps) when integrated with the Sportellino service. APS Buonsenso, as the Owner of Sportellino, guarantees that data received from users via these platforms will be processed as described in this policy. However, the user is advised to check the privacy settings of the messaging service used and read the relevant disclosures in order to understand how their data is handled outside of Sportellino. For example, the user can consult WhatsApp’s Privacy Policy to learn how WhatsApp Inc. processes personal data (available on WhatsApp’s official website or in the appropriate section of the app). Changes to the Disclosure This policy may be subject to updates or revisions over time, including in compliance with any regulatory changes or updates to the Sportellino service. In the event of material changes, registered users will be notified through appropriate channels (e.g., email or notifications in the app/web) with reasonable notice. Therefore, users are encouraged to periodically check the Privacy section on the Sportellino website for the most up-to-date version of the policy. The date of last update will be indicated at the bottom of the policy.