Last updated: April 14, 2026  ·  Effective date: April 14, 2026

Privacy Policy

This Privacy Policy describes how Kommander.ai collects, uses, and protects your personal data. We are committed to protecting your privacy and complying with applicable data protection laws.

Issued in compliance with Regulation (EU) 2016/679 (GDPR) and the Italian Personal Data Protection Code (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018).

⚠ Legal Notice: This document was drafted with the assistance of AI and is currently under review by a qualified Italian lawyer. It does not constitute final legal advice. A revised version reviewed by legal counsel will be published before the platform's public launch.

1. Data Controller

The data controller for personal data processed through Kommander.ai is:

Kommander.ai
Milan, Italy
Email: privacy@kommander.ai

For all matters relating to your personal data, you may contact us at the email address above. We will respond to your request within 30 days as required by applicable law.

2. Data We Collect

We collect the following categories of personal data:

• Account data: name, email address, company name, and password (hashed) when you create an account.
• Contact data: information you provide when filling out our contact or demo request form, including phone number and any message content.
• Usage data: information about how you use the Service, including pages visited, features used, and interactions with AI assistants.
• Technical data: IP address, browser type and version, device type, operating system, and cookie identifiers.
• Payment data: billing address and transaction identifiers (we do not store full card details; these are handled by our payment processor).
• Communications: emails or messages you send us, including support requests.

We do not intentionally collect sensitive personal data (special categories under GDPR Art. 9) and ask that you refrain from submitting such data through our Service.

3. Purposes and Legal Basis for Processing

We process your personal data for the following purposes and on the following legal bases:

• Providing the Service (Art. 6(1)(b) GDPR, performance of a contract): creating and managing your account, delivering the features you request, and processing payments.
• Customer support (Art. 6(1)(b) GDPR): responding to your inquiries and resolving issues.
• Marketing communications (Art. 6(1)(a) GDPR, consent): sending newsletters and updates about our Service, where you have opted in. You may withdraw consent at any time.
• Analytics and service improvement (Art. 6(1)(f) GDPR, legitimate interest): understanding how the Service is used to improve functionality and user experience, using privacy-respecting analytics tools.
• Legal compliance (Art. 6(1)(c) GDPR): fulfilling obligations under applicable law, including tax and accounting requirements.
• Security and fraud prevention (Art. 6(1)(f) GDPR, legitimate interest): protecting our Service and users from malicious activity.

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

4. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by applicable law.

• Account data: retained for the duration of your account and for up to 5 years after account deletion for legal and accounting purposes.
• Contact form data: retained for up to 2 years from the date of submission.
• Usage and technical data: retained for up to 13 months in aggregated or anonymised form.
• Payment records: retained for 10 years as required by Italian tax law (D.P.R. 633/1972).

When personal data is no longer required, we securely delete or anonymise it in accordance with our data retention procedures.

5. Data Sharing and Transfers

We do not sell your personal data. We may share your data with the following categories of recipients:

• Service providers: third-party processors who help us operate the Service (e.g., cloud hosting, payment processors, email delivery, analytics). These processors are bound by data processing agreements and may only process your data on our instructions.
• Professional advisors: lawyers, accountants, and auditors where necessary for compliance.
• Authorities: law enforcement or regulatory bodies where required by law or to protect our legal rights.
• Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction, subject to equivalent privacy protections.

Some of our service providers may be located outside the European Economic Area (EEA). Where we transfer data to countries that do not provide an equivalent level of data protection, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

6. Cookies and Tracking

We use cookies and similar technologies on our website. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

We use Umami Analytics, a privacy-respecting analytics solution that does not use cookies, does not track users across websites, and does not collect personal data such as IP addresses or device fingerprints. Analytics data is aggregated and anonymous.

You may manage your cookie preferences at any time via the cookie settings on our website or through your browser settings.

7. Your Rights Under GDPR

Under the GDPR and applicable Italian data protection law, you have the following rights regarding your personal data:

• Right of access (Art. 15): obtain a copy of the personal data we hold about you.
• Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten") in certain circumstances.
• Right to restriction of processing (Art. 18): request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format and transmit it to another controller.
• Right to object (Art. 21): object to processing based on legitimate interests, including for direct marketing purposes.
• Rights related to automated decision-making (Art. 22): not be subject to solely automated decisions that produce significant effects on you.
• Right to withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@kommander.ai. We will respond within 30 days. You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it, or with the supervisory authority in your EU member state of residence.

8. EU Consumer Rights

If you are a consumer located in the European Union, you benefit from additional protections under EU consumer law.

Distance contracts: Under Directive 2011/83/EU (implemented in Italy by D.Lgs. 21/2014), consumers have a 14-day right of withdrawal from distance contracts. If you purchase a subscription to our Service, you may withdraw within 14 days of entering into the contract, unless the Service has been fully performed with your prior express consent and acknowledgement that you lose the right of withdrawal once performance begins.

Online dispute resolution: The European Commission provides an online dispute resolution (ODR) platform for resolving disputes between consumers and online traders at https://ec.europa.eu/consumers/odr. You may also contact us directly at legal@kommander.ai to resolve any dispute.

Mandatory local law: Nothing in these policies limits or excludes rights you may have as a consumer under the mandatory provisions of the law of the EU member state in which you reside. In cases of conflict, those mandatory provisions will prevail.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/HTTPS
• Encryption of data at rest
• Access controls and role-based permissions
• Regular security assessments
• Incident response procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours as required by Art. 33 GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

While we use all reasonable measures to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of Italy, including the GDPR and the Italian Personal Data Protection Code (D.Lgs. 196/2003 as amended). Any disputes arising from or related to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Milan, Italy.

If you are a consumer resident in another EU member state, you may also bring proceedings before the courts of your place of habitual residence, and you retain the benefit of any mandatory consumer protection provisions of your local law.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices or applicable law. When we make significant changes, we will update the "Last updated" date at the top of this page and, where required by law, provide you with notice via email or a prominent notice within the Service.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy, to the extent permitted by applicable law.

For questions about this Privacy Policy or our data practices, please contact us at privacy@kommander.ai.

Contact Our Privacy Team

For questions about this Privacy Policy or to exercise your rights:

privacy@kommander.ai
Kommander.ai – Milan, Italy