This Privacy Policy is issued pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and in accordance with Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (the "Italian Privacy Code"). It describes how Logikamente s.r.l. collects, uses, shares and protects personal data in connection with the donia® platform.
1. Data Controller
The Data Controller for personal data processed through the donia® platform and the website donia.cloud is:
- Company: Logikamente s.r.l.
- Registered office: Ferrara, Italy
- Email: privacy@donia.ai
Where you, as a Customer, upload or process personal data of your employees, operators, or other individuals through the Service, you act as the independent Data Controller of that data and Logikamente s.r.l. acts as the Data Processor on your behalf, pursuant to Article 28 GDPR. In that context, processing is governed by the Data Processing Agreement ("DPA") incorporated into our Terms of Service.
2. Scope of this Policy
This Policy applies to:
- Visitors to the donia.cloud website and any associated marketing pages;
- Individuals who register for or use the donia® Service (including free trial users);
- Contact persons of prospective or current Customer organizations;
- Individuals who contact us via email, form submissions, or other channels.
It does not govern the personal data that Customers upload into the Service as part of their operational use. That data is processed under the DPA and the Customer's own privacy policies.
3. Personal Data We Collect
3.1 Data you provide directly
- Account data: name, surname, email address, company name, job title, country, and password (stored as a hashed value);
- Billing data: billing address, VAT number, payment method details (processed by our payment provider; we do not store card numbers);
- Communication data: messages, requests, or other content you send us via contact forms, email, or chat;
- Profile preferences: language settings, notification preferences, and platform configuration choices.
3.2 Data collected automatically
- Usage data: features accessed, workflows created and executed, node types used, frequency and duration of sessions;
- Technical data: IP address, browser type and version, operating system, device type, screen resolution, referring URL;
- Log data: server-side access logs, error logs, API call metadata (endpoint, timestamp, response code — not request/response body content);
- Cookie data: as described in Section 8 below.
3.3 Data from third parties
- If you sign up using a third-party identity provider (e.g., Google Workspace or Microsoft Azure AD), we receive your name, email address, and profile picture from that provider, subject to your settings there;
- Publicly available professional information (e.g., LinkedIn) where you have contacted us in a B2B context and we are establishing a commercial relationship.
4. Purposes and Legal Basis of Processing
We process personal data only where we have a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR for special categories). The table below summarizes our processing activities:
| Purpose | Data categories | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Account creation and management | Account data | Art. 6(1)(b) — performance of a contract |
| Provision of the Service and customer support | Account data, usage data, technical data | Art. 6(1)(b) — performance of a contract |
| Billing and payment processing | Account data, billing data | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (tax/accounting) |
| Electronic invoicing (SDI / fatturazione elettronica) | Billing data, VAT number | Art. 6(1)(c) — legal obligation (Italian tax law, D.L. 119/2018) |
| Security monitoring, fraud prevention, and abuse detection | Technical data, log data, usage data | Art. 6(1)(f) — legitimate interest (securing our systems and users) |
| Product analytics and Service improvement | Usage data, technical data (aggregated / pseudonymized) | Art. 6(1)(f) — legitimate interest (improving our product) |
| Marketing communications (newsletter, product updates) | Account data, communication data | Art. 6(1)(a) — consent; or Art. 6(1)(f) for existing customers (soft opt-in, Art. 130(4) Italian Privacy Code) |
| Responding to inquiries and pre-sales communication | Communication data, account data | Art. 6(1)(b) — pre-contractual measures; or Art. 6(1)(f) — legitimate interest |
| Compliance with legal obligations and cooperation with authorities | All applicable categories | Art. 6(1)(c) — legal obligation |
Where we rely on legitimate interests (Art. 6(1)(f)), we have conducted a balancing test and determined that our interests are not overridden by your fundamental rights and freedoms. You may request the outcome of this assessment at privacy@donia.ai.
5. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, in compliance with applicable legal obligations. Our default retention periods are:
| Category | Retention period | Rationale |
|---|---|---|
| Account data (active users) | Duration of contract + 12 months | Support and contractual claims window |
| Account data (after termination) | 30 days for data export, then deleted | Customer data portability right |
| Billing records and invoices | 10 years | Italian tax law (Art. 22 D.P.R. 600/1973) |
| Server and access logs | 12 months | Security monitoring; Garante guidance |
| Marketing consent records | Until consent withdrawn + 2 years | Evidence of lawful processing |
| Support communications | 3 years from last interaction | Statute of limitations for contractual claims |
| Anonymized/aggregated analytics | Indefinite | No longer constitutes personal data |
At the end of the applicable retention period, data is securely deleted or irreversibly anonymized.
6. Data Sharing and Sub-processors
We do not sell, rent, or trade your personal data. We share personal data with third parties only in the following circumstances:
6.1 Sub-processors
We use a limited set of carefully selected sub-processors to operate the Service. All sub-processors are bound by data processing agreements that meet GDPR requirements. Our current sub-processors include categories such as:
- Cloud infrastructure (hosting, storage, compute) — EU-region servers where possible;
- Payment processing — PCI DSS-certified providers; card data is handled exclusively by the payment provider;
- Email and communication delivery — for transactional emails (account activation, invoices, alerts);
- Product analytics — privacy-first analytics tools; no behavioral profiling for advertising;
- Customer support tooling — ticketing systems used by our support team.
An up-to-date list of sub-processors is available upon request at privacy@donia.ai. We will notify you of any material changes to our sub-processor list with at least 10 days' advance notice.
6.2 Legal obligations and authorities
We may disclose personal data to public authorities (including the Italian Guardia di Finanza, Agenzia delle Entrate, or judicial bodies) where required by law, court order, or official regulatory request, and only to the extent strictly necessary.
6.3 Corporate transactions
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections. Affected users will be notified in advance.
7. International Data Transfers
We process and store data primarily within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to a sub-processor headquartered in the United States), we ensure adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission under Decision 2021/914/EU;
- Transfer Impact Assessments (TIAs) where required to supplement SCCs;
- Adequacy decisions by the European Commission, where applicable (e.g., transfers to countries deemed adequate under Art. 45 GDPR).
You may request a copy of the applicable SCCs or information on the transfer mechanism in use by contacting privacy@donia.ai.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on donia.cloud in accordance with the Italian Garante's cookie guidelines (Provvedimento dell'8 ottobre 2020) and the ePrivacy Directive 2002/58/EC.
8.1 Cookie categories
| Category | Purpose | Consent required |
|---|---|---|
| Strictly necessary | Session management, authentication, CSRF protection, load balancing | No — essential for service operation |
| Functional / preference | Language preference, UI settings, timezone | Yes |
| Analytics | Aggregated usage statistics, page views, feature adoption (pseudonymized) | Yes |
| Marketing / profiling | We do not use cookies for behavioral advertising or cross-site tracking | N/A |
8.2 Cookie consent and management
When you first visit donia.cloud, a consent banner is displayed. Strictly necessary cookies are activated without consent. For all other categories, your explicit consent is required before the cookies are set. You may withdraw or modify your consent at any time by clicking the "Cookie settings" link in the footer, or by adjusting your browser settings. Note that disabling functional cookies may affect the usability of certain features.
8.3 Do Not Track
We respect browser-level "Do Not Track" (DNT) signals. When DNT is enabled, we limit data collection to strictly necessary and functional categories only.
9. Your Rights as a Data Subject
Under the GDPR (Articles 15–22) and the Italian Privacy Code, you have the following rights with respect to your personal data:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you and information on how it is processed.
- Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17): You may request deletion of your personal data where it is no longer necessary, where consent is withdrawn, or where processing is unlawful — subject to our retention obligations under law.
- Right to restriction of processing (Art. 18): You may request that we limit processing of your data in certain circumstances (e.g., while a dispute is being resolved).
- Right to data portability (Art. 20): Where processing is based on consent or contract, you may receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to object (Art. 21): You may object at any time to processing based on legitimate interests, including for direct marketing purposes. In the latter case, processing must stop immediately upon objection.
- Rights related to automated decision-making (Art. 22): You have the right not to be subject to solely automated decisions, including profiling, that produce legal or similarly significant effects. We do not engage in such automated decision-making in our Service.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of your rights, submit a written request to privacy@donia.ai. We will respond within 30 days of receipt, as required by Art. 12 GDPR. We may request identity verification before processing your request. There is no charge for exercising your rights, except for manifestly unfounded or repetitive requests.
9.1 Right to lodge a complaint
If you believe that processing of your personal data violates the GDPR or applicable Italian law, you have the right to lodge a complaint with the competent supervisory authority. In Italy, the supervisory authority is the Garante per la protezione dei dati personali:
- Website: www.garanteprivacy.it
- Email: garante@gpdp.it
- PEC: protocollo@pec.gpdp.it
You may also lodge a complaint with the supervisory authority of your EU Member State of habitual residence, place of work, or place of the alleged infringement.
10. Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Art. 32 GDPR and Italian Privacy Code provisions. Our security measures include:
- Encryption in transit: All communications between clients and the Service are encrypted using TLS 1.2 or higher;
- Encryption at rest: Data stored on our servers is encrypted at the storage level;
- Access control: Role-based access control (RBAC) limits data access to authorized personnel only; access is logged and audited;
- Password security: User passwords are hashed using industry-standard algorithms (bcrypt); we never store plaintext passwords;
- Multi-factor authentication (MFA): Available and strongly recommended for all user accounts;
- Vulnerability management: Regular security assessments, penetration testing, and dependency scanning;
- Incident response: In the event of a personal data breach, we will notify the Garante within 72 hours of becoming aware (Art. 33 GDPR) and inform affected data subjects without undue delay where the breach poses a high risk (Art. 34 GDPR).
No system is 100% secure. If you discover a security vulnerability, please contact security@donia.ai. We operate a responsible disclosure policy and will acknowledge your report within 48 hours.
11. Minors
The donia® Service is designed for business use by organizations and their authorized personnel. It is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact privacy@donia.ai and we will promptly delete such data.
12. Changes to this Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or regulatory guidance. When we make material changes, we will:
- Update the "Last updated" date at the top of this page;
- Notify registered users via email at least 15 days before the changes take effect;
- Display a prominent notice within the Service dashboard.
We encourage you to review this Policy periodically. Your continued use of the Service after the effective date constitutes acknowledgment of the updated Policy. Where changes require renewed consent (e.g., a new processing purpose based on consent), we will collect such consent before proceeding.
13. Contact and Data Protection Officer
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact:
- Data Controller: Logikamente s.r.l., Ferrara, Italy
- Privacy inquiries: privacy@donia.ai
- Data breach reporting: security@donia.ai
- General support: support@donia.ai
In accordance with Art. 37 GDPR and the guidelines of the Italian Garante, Logikamente s.r.l. has assessed the obligation to appoint a Data Protection Officer (DPO). Where required, the DPO can be contacted at privacy@donia.ai, marking the subject line "Attn: DPO".
This Privacy Policy was last updated on April 7, 2026. Previous versions are available upon request at privacy@donia.ai.