Legal

PRIVACY POLICY

pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)

Last updated: April 12, 2026

1. Data Controller

The Data Controller is:

  • Name: Michele Bogoni
  • VAT ID: 04555040239
  • Registered office: Via Novella, 5/E – 37032 Monteforte d'Alpone (VR), Italy
  • Email: info@truereply.it

For any request regarding the processing of personal data, the user may contact the Data Controller at the email address above.

2. Categories of data collected

2.1 Data of registered users (TrueReply customers)

Upon registration and during use of the service, we collect:

  • Identification data: first name, last name, email address
  • Authentication data: password (cryptographic hash via Firebase Authentication)
  • Billing data: processed and stored by Stripe Inc. TrueReply neither stores nor has access to credit card data
  • Usage data: number of conversations, messages, voice minutes consumed, chatbot configuration
  • Uploaded content: documents, URLs, and texts uploaded to the chatbot knowledge base

2.2 Data of visitors of customers' websites (chatbot end users)

When a visitor interacts with a TrueReply chatbot installed on a customer's website, we collect:

  • Chat messages: the content of the conversation with the chatbot
  • Anonymous visitor identifier: a random ID generated by the browser and stored locally (localStorage) to ensure session continuity
  • Session identifier: a random UUID generated for each chat session
  • Page URL: the web page the visitor is on at the time of the interaction
  • Device type: mobile or desktop
  • Contact data voluntarily provided: name, email, phone number, or other information the visitor chooses to share during the conversation (lead capture)
  • Voice call data (if active): caller number, call duration, conversation transcript

2.3 Data collected on truereply.it

When browsing truereply.it, we collect data via:

  • Google Analytics 4: anonymized browsing data (pages visited, session duration, traffic source, device type)
  • Meta Pixel (Facebook): browsing data for remarketing and advertising conversion analysis
  • Microsoft Clarity: anonymous session recordings, heatmaps, and page interaction data to improve user experience
  • Brevo (Sendinblue): email address, in case of voluntary subscription to the newsletter

3. Purpose and legal basis of processing

Purpose Data processed Legal basis
Provision of the SaaS service and account management Identification, authentication, usage data Performance of a contract (Art. 6.1.b GDPR)
Payment processing and invoicing Billing data (via Stripe) Performance of a contract (Art. 6.1.b GDPR)
Operation of the AI chatbot Chat messages, session data, page URL, device type Legitimate interest of the Controller and customers (Art. 6.1.f GDPR)
Lead capture on behalf of customers Contact data voluntarily provided by the visitor Consent of the data subject (Art. 6.1.a GDPR)
AI voice service Phone number, call duration, transcript Legitimate interest (Art. 6.1.f GDPR)
Website traffic analysis and site improvement Browsing data (GA4, Clarity) Consent (Art. 6.1.a GDPR)
Remarketing and advertising Browsing data (Meta Pixel) Consent (Art. 6.1.a GDPR)
Newsletter delivery Email address Consent of the data subject (Art. 6.1.a GDPR)
Development of custom commissioned solutions Identification data, project data Performance of a contract (Art. 6.1.b GDPR)
Compliance with legal and tax obligations Identification data, billing data Legal obligation (Art. 6.1.c GDPR)

4. Methods of processing

Personal data are processed using IT and electronic tools, with logic strictly related to the purposes stated above and, in any case, in such a way as to ensure the security and confidentiality of the data.

Processing via artificial intelligence: messages sent by end users to the chatbot are processed by third-party AI models (Anthropic Claude for text chat, Google Gemini for voice) to generate relevant answers. Messages are sent to AI providers exclusively for real-time processing and are not used to train models. Conversations are stored in a Firestore database to allow the customer to monitor interactions.

Processing via embeddings: documents uploaded to the knowledge base are transformed into numerical representations (embeddings) via OpenAI to enable semantic search. Original texts are not retained by OpenAI.

5. Data processors and recipients

To provide the service, the Controller relies on the following sub-processors:

Provider Service Location Privacy Policy
Google Cloud / Firebase Hosting, database, authentication, cloud functions EU (eur3) privacy.google.com
Stripe Inc. Payment processing, invoicing USA (SCC) stripe.com/privacy
Anthropic PBC AI chat processing (Claude) USA (SCC) anthropic.com/privacy
OpenAI Inc. Text embedding generation USA (SCC) openai.com/privacy
Telnyx LLC Telephony and voice calls USA (SCC) telnyx.com/privacy
Google (Gemini) AI voice processing USA (SCC) ai.google/privacy
Google (Calendar API) Google Calendar integration (availability read and event creation, after OAuth consent) USA (SCC) policies.google.com/privacy
SiteGround Hosting of truereply.it EU siteground.com/privacy
Brevo (Sendinblue) Email marketing and newsletter EU (France) brevo.com/privacy
Google (Analytics) Web traffic analysis USA (SCC) policies.google.com/privacy
Meta Platforms Remarketing and conversion analysis USA (SCC) facebook.com/privacy
Microsoft (Clarity) User behavior analysis USA (SCC) privacy.microsoft.com

6. Data transfers outside the EU

Some of the sub-processors listed above are based in the United States. Data transfers to such parties take place on the basis of the Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Art. 46.2.c GDPR, as well as the EU-US Data Privacy Framework where applicable.

The main database (Firestore) is hosted in the EU region (eur3 – europe-west) and data resides there permanently. Transmission to US-based AI providers occurs exclusively for the real-time processing of requests and does not entail the permanent retention of data by such providers.

7. Data retention period

  • Account data: retained for the entire duration of the contractual relationship and for 10 years thereafter, for tax and legal compliance
  • Chatbot conversations: retained for the duration of the customer's subscription. Upon account deletion, they are removed within 30 days
  • Lead capture data: retained for the duration of the customer's subscription and accessible through the dashboard or Google Sheets
  • Voice recordings and transcripts: retained for the duration of the customer's subscription
  • Browsing data (GA4, Clarity, Meta Pixel): according to the retention policies of the respective providers (typically 14–26 months)
  • Newsletter data (Brevo): until consent is revoked by the data subject
  • Widget session data (localStorage): 30 minutes of inactivity (session); the visitor ID persists until the user manually clears browser data

8. Rights of the data subject

Pursuant to Articles 15–22 of the GDPR, the data subject has the right to:

  • Access: obtain confirmation of the existence of personal data concerning them and to receive it in an intelligible form
  • Rectification: obtain the correction of inaccurate data or the integration of incomplete data
  • Erasure: obtain the erasure of their personal data in the cases provided for by the GDPR
  • Restriction: obtain the restriction of processing in the cases provided for by the GDPR
  • Portability: receive their data in a structured, commonly used, and machine-readable format
  • Objection: object to the processing of their data for reasons related to their particular situation
  • Withdrawal of consent: withdraw at any time any consent given, without affecting the lawfulness of processing based on consent prior to withdrawal

To exercise their rights, the data subject may send a request to info@truereply.it. The Controller will respond within 30 days of receipt of the request.

The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

9. TrueReply's role in the processing of end users' data

TrueReply acts as a Data Processor on behalf of its customers (Data Controllers) with respect to the data of end users interacting with the chatbots. The customer who installs the TrueReply chatbot on their website is responsible for informing their visitors about the processing of personal data via the chatbot, in compliance with the GDPR.

10. Google User Data (Google API Services)

TrueReply integrates with Google Calendar via the Google API Services, after the user's explicit consent through an OAuth 2.0 flow. This section describes which data we receive, how we use it, how we protect it, and how the user can revoke access at any time.

10.1 Scopes requested

Google scope Why we request it
openid Uniquely identify the Google account that authorized the connection.
https://www.googleapis.com/auth/userinfo.email Display the connected Google account's email in the TrueReply dashboard, so the user always knows which account is in use.
https://www.googleapis.com/auth/calendar.readonly List the user's calendars so the customer can pick which calendar to enable for bookings. We do not read events with this scope.
https://www.googleapis.com/auth/calendar.events Read free/busy availability of the selected calendar to propose open slots to end users via the chatbot, and create new events when a booking is confirmed. We only read event details when the chatbot needs to confirm a previously booked appointment.

We only request the minimum scope strictly necessary for the functionality. We do not request the full calendar scope nor calendar.settings.

10.2 How we use Google data

  • Availability lookup: when a website visitor chats with the customer's bot and asks for an appointment, TrueReply queries the selected calendar's freeBusy endpoint in real time to compute open slots consistent with the customer's configured working hours. We do not persist free/busy data.
  • Event creation: upon appointment confirmation, TrueReply creates an event on the customer's calendar via events.insert. The event's content (title, description, attendees) is derived exclusively from the visitor's input and from the customer's configured template.
  • Event read-back: if the chatbot needs to confirm a previously booked appointment, we call events.get with the event ID.

We do not use Google data for advertising purposes, we do not sell it, we do not share it with third parties, and we do not use it to train machine-learning models.

10.3 Google data retention and protection

  • OAuth refresh tokens are encrypted at rest via envelope encryption: AES-256-GCM with a random Data Encryption Key per token, itself wrapped with Google Cloud KMS (keyring truereply-secrets, key oauth-tokens, 90-day rotation). Only our backend Cloud Function holds the IAM permission to decrypt the DEK.
  • Access tokens are cached only for their validity window (typically one hour) and never persisted longer than necessary.
  • All Google data in transit travels over TLS 1.2+ (HTTPS) only.
  • Events we create and slots we read are not persisted in our database: they live only in the user's Google Calendar.
  • Access to Google data is restricted to TrueReply's backend Cloud Function (europe-west1). The voice service (Cloud Run) never holds tokens nor decrypts them: it calls authenticated internal endpoints that return only the aggregated operation result.

10.4 Limited Use disclosure

TrueReply's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

10.5 Revocation and deletion

The user can revoke access to their Google data at any time:

  • from the TrueReply dashboard: Integrations → Google Calendar → Disconnect (revokes the refresh token on Google's side and deletes the calendarConnector record from Firestore).
  • directly from Google: myaccount.google.com/permissions.

Upon disconnection, the encrypted refresh token is removed from our Firestore within seconds. Residual access tokens expire automatically within one hour.

10.6 Contact for Google data

Questions about Google data handling: info@truereply.it.

11. Security measures

The Controller adopts technical and organizational measures appropriate to ensure a level of security commensurate with the risk, including:

  • Encryption of data in transit (HTTPS/TLS) and at rest (Firebase/Google Cloud encryption)
  • Authentication via Firebase Authentication with cryptographic hashing of passwords
  • Payment processing via Stripe (PCI DSS Level 1 certified), with no transit or storage of card data on TrueReply servers
  • Tenant data isolation: each customer accesses only their own data through Firestore security rules
  • Rate limiting on public endpoints to protect against abuse
  • Widget in Shadow DOM for isolation from the hosting page context

12. Changes to this policy

The Controller reserves the right to make changes to this policy at any time. Changes will be published on this page with an indication of the last update date. Users are encouraged to consult this page periodically.

13. Contact

For any questions regarding this policy or the processing of personal data, you can contact the Controller by writing to: info@truereply.it