Privacy Policy
Last updated: January 2025
This Privacy Policy describes how BlackTrails, operated by Francesco Pelosio, with registered office in Italy (P.IVA: 14037021086), processes personal data as Data Controller in accordance with EU Regulation 2016/679 (GDPR).
1. Data Controller
Data Controller: Francesco Pelosio
Address: Largo Pietro Mascagni 20, Roma, Italy
Email: privacy@blacktrails.it
Website: blacktrails.it
2. Types of Data Collected
2.1 Account Information
When you register, we collect:
- Full name
- Email address
- Password (encrypted using industry-standard hashing)
- Profile preferences
2.2 AI Chat Data
When you use our AI assistant, we collect:
- Chat messages: Content of your conversations with the AI
- Safety logs: Messages flagged by our content moderation system
- Error logs: Technical errors and violation attempts
- Timestamps: Date and time of interactions
Storage details:
- Chat messages are stored in our primary database
- Safety violations are logged in a dedicated ai_errors table
- Only the first 500 characters of flagged messages are stored to minimize data retention
2.3 Technical Data
- IP address
- Browser type and version
- Device information
- Access timestamps
- Pages visited
2.4 Cookies
We use the following types of cookies:
- Essential cookies: Required for platform functionality (authentication, session management)
- Analytics cookies (optional): To understand usage patterns and improve services
For detailed information, see our Cookie Policy.
3. Purpose of Processing
We process your data for the following purposes:
3.1 Service Provision (Legal basis: Contract execution)
- Create and manage your account
- Provide access to documentation and community features
- Enable AI chat functionality
- Technical support
3.2 Platform Safety (Legal basis: Legitimate interest)
- Detect and prevent content policy violations
- Monitor AI chat for prohibited content (hate speech, explicit material, spam)
- Log violation attempts for security analysis
- Prevent abuse and protect other users
3.3 Service Improvement (Legal basis: Legitimate interest)
- Analyze usage patterns to improve AI responses
- Identify bugs and technical issues
- Develop new features aligned with user needs
3.4 Legal Compliance (Legal basis: Legal obligation)
- Respond to legal requests from authorities
- Comply with Italian and EU regulations
- Maintain audit trails for security incidents
4. Third-Party Services and Data Sharing
We use the following external services that may process your data:
4.1 Infrastructure Providers
- Vercel (hosting): Deploys and hosts our platform (USA/EU data centers)
- Neon Database (PostgreSQL): Stores user accounts, chats, and safety logs (AWS infrastructure, EU region)
4.2 AI Services
- Google Gemini API: Processes chat messages to generate AI responses
  - Messages are sent to Google's servers for processing
  - Google's data processing terms: ai.google.dev/terms
  - We use Gemini 2.5 Flash model
  - Google does not use your data to train models without consent
4.3 Analytics
We currently do not use analytics services. If we implement analytics in the future, we will update this policy and request your consent.
4.4 No Data Sales
We never sell your personal data to third parties.
5. Data Retention
5.1 Account Data
- Retained while your account is active
- Deleted within 30 days of account deletion request
5.2 AI Chat History
- Regular chats: Retained indefinitely unless you delete them manually
- Deleted chats: Permanently removed within 7 days
5.3 Safety Logs (ai_errors table)
- Retention period: 90 days from creation
- Automatic deletion: Old logs are purged quarterly
- Purpose: Security analysis and trend detection
5.4 Technical Logs
- IP addresses and access logs: 30 days
- Error logs (server-side): 90 days
6. International Data Transfers
Some of our service providers operate servers outside the European Economic Area (EEA):
- Vercel: USA-based with EU data centers (Standard Contractual Clauses)
- Neon Database: AWS EU region (Frankfurt) - data stays in EU
- Google Gemini: USA-based (Standard Contractual Clauses per Google Cloud terms)
All transfers comply with GDPR requirements through adequacy decisions or appropriate safeguards.
7. Data Security
We implement the following security measures:
- Encryption: HTTPS for all connections, encrypted passwords (bcrypt)
- Access controls: Role-based permissions, admin-only access to safety logs
- Database security: Neon PostgreSQL with connection pooling and IP restrictions
- Monitoring: Real-time alerts for suspicious activity
- Backups: Automated daily backups with 7-day retention
Despite these measures, no system is 100% secure. We encourage users to choose strong passwords and enable two-factor authentication (if available).
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
8.1 Right of Access (Art. 15 GDPR)
Request a copy of all personal data we hold about you.
8.2 Right to Rectification (Art. 16 GDPR)
Correct inaccurate or incomplete data.
8.3 Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)
Request deletion of your data, except where retention is required by law.
8.4 Right to Restriction (Art. 18 GDPR)
Limit processing of your data in certain circumstances.
8.5 Right to Data Portability (Art. 20 GDPR)
Receive your data in a structured, machine-readable format (JSON export available).
8.6 Right to Object (Art. 21 GDPR)
Object to processing based on legitimate interest (e.g., analytics).
8.7 Right to Withdraw Consent (Art. 7 GDPR)
Where processing is based on consent, you can withdraw it at any time.
8.8 Right to Lodge a Complaint
If you believe we've violated GDPR, you can file a complaint with:
- Italian Data Protection Authority (Garante Privacy): garanteprivacy.it
9. How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: privacy@blacktrails.it
Subject line: "GDPR Request - [Your Right]"
Include: Your account email and specific request
We will respond within 30 days (as required by GDPR).
10. Children's Privacy
BlackTrails is not intended for users under 16 years old.
If we discover that a minor has created an account, we will delete it immediately and notify the email address provided.
Parents/guardians who believe their child has provided data without consent should contact us immediately.
11. AI-Specific Privacy Considerations
11.1 What We Log
- Normal usage: Chat messages, timestamps, user preferences
- Policy violations: Flagged messages (first 500 chars), error type, timestamp
- Purpose: Safety, abuse prevention, service improvement
11.2 What We Don't Log
- Passwords (only encrypted hashes)
- Payment information (if applicable in future)
- Private messages between users (unless reported)
11.3 AI Training
Your chat data is not used to train Google's models unless you explicitly opt in to a research program (currently not available).
12. Changes to This Policy
We may update this Privacy Policy to reflect:
- Changes in services or features
- New legal requirements
- Improvements to data protection practices
Notification method:
- Material changes: Email notification + banner on the platform
- Minor updates: Published on this page with updated date
Continued use after changes constitutes acceptance. If you disagree, you may delete your account.
13. Contact Us
For privacy-related questions or concerns:
Email: privacy@blacktrails.it
General inquiries: info@blacktrails.it
Data Protection Officer: Not required for this organization size
Effective Date: January 15, 2025
Version: 1.1