NinjaiBot Privacy Policy (AI Chatbot)
This Privacy Policy explains how NinjaiBot (“Chatbot”, “we”, “us”, or “our”) collects, uses, and protects the personal data of users (“Users”) in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
By using the Chatbot, you agree to this Policy.
1. Who We Are and Scope
This Privacy Policy applies to the AI chatbot service provided by NinjaiBot, developed and operated by:
Data Controller (for demo and direct use):
AlgeniaLab Srl – Via Cavour 2, 22074 Lomazzo (CO), Italy – info@algenialab.com
When NinjaiBot is embedded on a client’s website or app, the Client acts as the Data Controller, and AlgeniaLab Srl (NinjaiBot) acts as Data Processor under Article 28 GDPR.
This policy covers all chatbot interactions, APIs, and connected channels (such as websites, WhatsApp, or other integrated messaging tools).
2. Categories of Personal Data
NinjaiBot may process the following categories of data:
Conversation Data: Messages and inputs sent by users through the Chatbot interface.
Technical and Usage Data: IP address, device type, browser information, timestamps, and session logs (used for diagnostics, security, and performance).
Cookies and Tracking Technologies: Only essential cookies required for the operation of the Chatbot. Non-essential cookies are used only with user consent.
Contact Information (optional): Name, email, or phone number — collected only when voluntarily provided (e.g. via forms or follow-up requests).
Sensitive Data: The Chatbot does not request or intentionally process special categories of personal data (Article 9 GDPR). Users are advised not to share such data.
3. Purpose and Legal Basis for Processing
We process the collected data for the following purposes, on the following legal bases:
| Purpose | Data Categories | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Providing the chatbot service and responding to messages | Conversation, technical data | Contract performance (6.1.b) |
| Service maintenance, quality assurance, security | Logs, technical data | Legitimate interest (6.1.f) |
| Handling contact or support requests | Contact data, conversation data | Contract performance or pre-contractual measures (6.1.b) |
| Sending newsletters or marketing communications | Contact data | Consent (6.1.a) |
| Compliance with legal obligations | Relevant data | Legal obligation (6.1.c) |
AI Training and Fine-tuning:
NinjaiBot does not use customer or user conversation data to train public AI models. Any optional model fine-tuning is opt-in only, based on a written agreement or explicit consent.
4. Data Retention
Personal data are kept only for the time strictly necessary to fulfill the purposes outlined above:
- Chat conversations: 30 days by default (configurable upon client request), then deleted or anonymized.
- Technical and security logs: 90 days (up to 180 days if required for investigations).
- Support or contact data: Up to 24 months after the case is closed.
- Marketing data: Until consent withdrawal or after 24 months of inactivity.
- Billing and contractual data: 10 years (in accordance with tax and civil law).
5. Data Sharing and Sub-Processors
We share personal data only where necessary, under data processing agreements ensuring confidentiality and security.
Recipients may include:
- Hosting and infrastructure providers located in the EU.
- AI model providers (LLMs) such as OpenAI or others, limited strictly to the processing required to generate responses.
- Security and monitoring tools, processing anonymized or pseudonymized data.
- Legal or regulatory authorities, when required by law.
All sub-processors are bound by Data Processing Agreements (DPAs) compliant with Article 28 GDPR and, where applicable, Standard Contractual Clauses (SCCs) for international data transfers.
6. International Data Transfers
When data are transferred outside the European Economic Area (EEA), appropriate safeguards are applied:
- Standard Contractual Clauses (SCCs) approved by the European Commission,
- Additional technical and organizational measures, such as encryption and minimization,
- Transfer Impact Assessments (TIAs) in compliance with EU standards.
Whenever possible, data are stored and processed within the EU.
7. Security Measures
NinjaiBot implements state-of-the-art security measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 where applicable),
- Access control based on the “need-to-know” principle,
- Secure development practices, and
- Regular monitoring, vulnerability testing, and staff confidentiality obligations.
No online system can be guaranteed fully secure; we review and improve these measures on an ongoing basis.
8. Cookies and Similar Technologies
The Chatbot uses only strictly necessary cookies to operate.
Any non-essential cookies (analytics, marketing) are disabled by default and activated only with explicit user consent, which can be withdrawn at any time through cookie settings.
9. Children’s Privacy
Our services are not intended for children under 14 (Italy’s minimum age for digital consent).
If we become aware that personal data have been collected from a minor without parental consent, those data will be erased immediately.
10. Automated Decision-Making
NinjaiBot does not perform automated decision-making that produces legal or similarly significant effects.
AI responses are intended solely to assist or inform users and do not constitute profiling or automated decision-making within the meaning of Article 22 GDPR.
11. Your GDPR Rights
Under the GDPR, you may:
- Access your data
- Rectify inaccuracies
- Request deletion (“right to be forgotten”)
- Restrict processing
- Object to processing
- Request data portability
- Withdraw consent at any time
To exercise these rights, email privacy@ninjaibot.com or info@algenialab.com.
You can also contact your local Data Protection Authority — in Italy, the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
12. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Your rights include:
- Right to Know: You may request details about the personal information we collect, use, or disclose.
- Right to Access: You can obtain a copy of the personal data we hold about you.
- Right to Delete: You may request deletion of your personal information, subject to legal exceptions.
- Right to Correct: You may request correction of inaccurate personal data.
- Right to Opt-Out of Sale or Sharing: NinjaiBot does not sell personal information, nor share it for cross-context behavioral advertising.
- Right to Non-Discrimination: You will not receive different prices or services for exercising your rights.
You can submit a verified consumer request by emailing privacy@ninjaibot.com.
If necessary, we will verify your identity before acting on your request.
We may collect the following categories of information under the CCPA definitions:
- Identifiers (e.g., name, email address, IP address)
- Internet or network activity (e.g., chatbot interactions, logs)
- Inference data (e.g., preferences or context for better service responses)
We retain data only as long as necessary for the purposes described above and in accordance with applicable law.
13. Data Controller and Contact
AlgeniaLab Srl
Via Cavour 2, 22074 Lomazzo (CO), Italy
Email: info@algenialab.com
Privacy inquiries: privacy@ninjaibot.com
If a Data Protection Officer (DPO) is appointed, contact details will be published here.
14. Policy Updates
We may modify this Privacy Policy from time to time.
Updates will be posted on this page with a revised “Last updated” date.
For significant changes, we will notify users via the Chatbot or email (where applicable).
15. For Business Clients (B2B Integration)
When a client embeds NinjaiBot on their own website or app:
- The Client is the Data Controller.
- NinjaiBot / AlgeniaLab Srl acts as Data Processor under Article 28 GDPR.
- A Data Processing Agreement (DPA) and list of sub-processors are available upon request.
- Clients must inform their users about the chatbot integration and include a reference to this policy for transparency.
✅ Compliance Standards:
- EU GDPR (Reg. 2016/679)
- UK GDPR
- CCPA / CPRA (California)
- ISO 27001 / 27701 alignment
- EU Standard Contractual Clauses (2021/914)
Last Updated: 2025-10-10
