Privacy Policy
Last updated: 2026-02-25
1. Data Controller
The data controller is [RAGIONE_SOCIALE], with registered office at [SEDE_LEGALE], VAT number [P_IVA] (hereinafter "Controller" or "we").
For any questions regarding the processing of your personal data, you can contact us at: [EMAIL_PRIVACY].
2. Personal Data Collected
We collect the following categories of personal data:
Registration data: email address and password (hashed with bcrypt).
Profile data: name provided during onboarding, preferences related to the virtual character (name, personality, chosen avatar).
Voluntarily provided data: age and country of residence, if spontaneously shared during conversations.
Conversation content: messages exchanged with the AI character, including automatically extracted memories to personalize the experience.
Payment data: processed directly by Stripe Inc. We do not store or access your credit card details. We only store the Stripe customer identifier to associate the subscription with your account.
Technical data: IP address (for security and rate limiting), browser language, interaction timestamps.
3. Purposes of Processing
Your personal data is processed for the following purposes:
Service delivery: managing your account, generating AI character responses, personalizing the experience through the memory system.
Service communications: sending transactional emails (welcome, email verification, account and subscription notifications).
Security: abuse prevention, rate limiting, protection against unauthorized access.
Service improvement: aggregate and anonymous usage analysis to improve the quality of responses and features.
We do not use your data for commercial profiling, targeted advertising, or resale to third parties.
4. Legal Basis
The processing of your data is based on:
Performance of a contract (Art. 6.1.b GDPR): processing is necessary to provide the service you registered for.
Consent (Art. 6.1.a GDPR): for sending communications not strictly necessary for the service. You can withdraw your consent at any time.
Legitimate interest (Art. 6.1.f GDPR): for service security, fraud prevention, and service improvement through aggregate analysis.
5. Data Retention
Active account: your data is retained for the duration of your account.
Account deletion: in case of voluntary deletion, all your data (messages, memories, profile) is permanently deleted within 30 days.
Unverified account: accounts that do not complete email verification are automatically suspended after 7 days and permanently deleted 16 days after registration.
Payment data: payment information is retained for the period required by applicable tax regulations.
6. Data Sharing
To provide the service, we share your data with the following third-party providers:
Anthropic PBC (USA) — chat messages are processed by the Claude artificial intelligence to generate virtual character responses.
Stripe Inc. (USA) — handles payments and subscriptions securely. Stripe is PCI DSS Level 1 certified.
Resend Inc. (USA) — used for sending transactional emails (account verification, notifications).
fal.ai (USA) — used for generating virtual character images.
Hetzner Online GmbH (Germany) — hosts the servers on which the service runs.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
7. International Data Transfers
Some of our providers (Anthropic, Stripe, Resend, fal.ai) are based in the United States. Data transfers to the USA are based on:
- European Commission adequacy decision (EU-US Data Privacy Framework), where applicable.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
We take all necessary supplementary measures to ensure an adequate level of protection for your data.
8. Your Rights
Under the GDPR, you have the right to:
Access: obtain confirmation of the existence of processing and access your personal data.
Rectification: obtain the correction of inaccurate data or the completion of incomplete data.
Erasure: obtain the deletion of your personal data ("right to be forgotten").
Restriction: obtain the restriction of processing in certain cases.
Portability: receive your data in a structured, commonly used, and machine-readable format.
Object: object to the processing of your data on legitimate grounds.
Withdraw consent: withdraw any previously given consent at any time.
To exercise your rights, contact us at [EMAIL_PRIVACY]. We will respond within 30 days.
You also have the right to lodge a complaint with the competent supervisory authority (Italian Data Protection Authority — www.garanteprivacy.it).
9. Cookies and Tracking Technologies
VirtualGF exclusively uses local storage technologies (browser localStorage) for:
- Maintaining the login session (JWT token)
- Saving language preferences
- Storing the current subscription plan
We do not use profiling cookies, third-party cookies, tracking pixels, or analytics tools. We do not perform cross-site tracking.
10. Security
We implement appropriate technical and organizational measures to protect your personal data:
- HTTPS/TLS encrypted connection across the entire site
- Passwords hashed with the bcrypt algorithm
- JWT token authentication with expiration
- Rate limiting to prevent abuse
- Server access restricted and protected by SSH key
- Regular data backups
11. Age Requirement
The VirtualGF service is exclusively reserved for individuals aged 18 or older. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will immediately delete the account and all associated data.
12. Changes to this Privacy Policy
We reserve the right to update this policy at any time. In case of substantial changes, we will inform you via email at the address associated with your account.
The date of the last update is always indicated at the top of this page. We encourage you to review it periodically.