How we handle your data.

The Data Controller is Exelab S.r.l., with registered office in Rome, Italy. Contact details for the Controller and its data protection point of contact are available at [email protected].

For any request related to the processing of personal data (exercising your rights, reporting incidents, questions about this policy), please write to [email protected] or send postal mail to the registered office of Exelab S.r.l. in Rome.

On polyant.ai we process three categories of personal data.

Navigation data: IP address (anonymised for statistical analysis), browser type, operating system, pages visited, date and time of requests. Collected automatically by hosting and analytics systems.

Data provided voluntarily by the user: first name, last name, email address, company, role, request description, and any other fields filled in the contact forms on the site. Provided by the user through HubSpot forms.

Data related to cookies and similar technologies: pseudonymous identifiers assigned to the browser for technical, statistical and marketing purposes (the latter two only when activated with consent). Details in the cookie policy.

Operation and security of the site (legal basis: legitimate interest of the Controller, art. 6.1.f GDPR). Navigation data is processed to enable browsing, prevent abuse and protect the site from unauthorised access.

Responding to contact requests (legal basis: pre-contractual measures taken at the data subject's request, art. 6.1.b GDPR). Data submitted through contact forms is processed to reply to the request, qualify the use case and, where appropriate, set up a meeting.

Statistical measurement of traffic (legal basis: consent of the data subject, art. 6.1.a GDPR). Only if the user accepts the "Statistics" category in the cookie banner. Measurement is aggregate and pseudonymous.

Marketing and profiling (legal basis: consent of the data subject, art. 6.1.a GDPR). Only if the user accepts the "Marketing" category in the cookie banner. Enables recognition of the user on return visits, attribution of conversions to campaigns, and personalised commercial communications.

Legal obligations (legal basis: legal obligation, art. 6.1.c GDPR). Data may be processed to comply with obligations imposed by law (tax, administrative) or with requests from competent authorities.

Personal data collected through polyant.ai may be disclosed to the following parties, appointed as Data Processors under art. 28 GDPR and bound to Exelab by a specific Data Processing Agreement (DPA).

HubSpot, Inc. (Cambridge, USA). Processing: CRM, lead management, form embed, behavioural tracking after consent. Transfers outside the EU are covered by the European Commission's Standard Contractual Clauses (SCCs) and, for flows to the United States, by certification under the EU-US Data Privacy Framework (DPF).

Google LLC (Mountain View, USA). Processing: statistical traffic measurement (Google Analytics 4 with IP anonymisation), Tag Manager, Search Console. Transfers covered by SCCs and DPF.

LinkedIn Corporation (Sunnyvale, USA). Processing: tracking pixel (LinkedIn Insight Tag) for B2B campaign attribution and retargeting. Transfers covered by SCCs and DPF.

Resend, Inc. (EU region). Processing: transactional email delivery (system notifications, form confirmations). Data processed within Resend's EU region.

Render Services, Inc. (EU region). Processing: static hosting of the site, content distribution via CDN. Render serves the site with security headers configured by Exelab.

Personnel and contractors of Exelab who manage the site, commercial requests and information security may also access personal data as persons authorised to process under art. 29 GDPR.

Data is not transferred to third parties for their own independent commercial purposes.

Some of the external processors (HubSpot, Google, LinkedIn) are based in the United States. Transfers of personal data to the USA are protected by two complementary instruments.

Standard Contractual Clauses (SCCs) adopted by the European Commission with Implementing Decision (EU) 2021/914, signed between Exelab and each external processor.

EU-US Data Privacy Framework (DPF): the US providers are certified under the DPF approved by the European Commission's Adequacy Decision (EU) 2023/1795.

You can obtain a copy of the SCCs and of any other safeguards in place by writing to [email protected].

Navigation data: retained for 26 months from collection, in aggregate and pseudonymous form. Beyond that period, data is deleted or further anonymised.

Data collected through contact forms: retained for the time needed to handle the request. If the contact does not turn into a contractual relationship, data is deleted within 24 months from the last meaningful contact.

Data of commercial contacts and customers: retained for the duration of the contractual relationship and for 10 years thereafter, for tax and administrative purposes, in accordance with the applicable national legislation of the Controller.

Cookies and pseudonymous identifiers: retained for the duration set out in the cookie policy, in any case no longer than 12 months from issuance unless the user provides a new consent.

As a data subject, you may exercise the rights granted by articles 15-22 of the GDPR at any time.

Right of access (art. 15): obtain confirmation of processing and a copy of the personal data concerning you.

Right to rectification (art. 16): correct inaccurate or incomplete data.

Right to erasure (art. 17, "right to be forgotten"): request deletion of data in the cases provided for by law.

Right to restriction (art. 18): request restriction of processing pending verification or decision.

Right to data portability (art. 20): receive your data in a structured, commonly used and machine-readable format.

Right to object (art. 21): object to processing on grounds related to your particular situation, in particular against direct marketing.

Right to withdraw consent (art. 7.3) at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise one or more of these rights, write to [email protected]. We will reply within 30 days of receiving the request, or within 60 days for complex requests, notifying you of the extension.

You also have the right to lodge a complaint with the competent supervisory authority. The lead supervisory authority for Exelab is the Italian Data Protection Authority (Garante per la protezione dei dati personali): piazza Venezia 11, 00187 Rome, garanteprivacy.it. If you reside in another EU Member State, you may file a complaint with the supervisory authority of your country of residence.

polyant.ai uses strictly necessary cookies for the operation of the site and, with the user's explicit consent, statistics and marketing cookies. The full list of cookies, with provider, purpose and duration, is available in the dedicated cookie policy.

You can change or withdraw your cookie preferences at any time through the banner accessible from the footer ("Manage cookies").

Exelab adopts technical and organisational security measures appropriate to the risk, in compliance with art. 32 GDPR. Exelab's information security management system is ISO 27001 certified. Communications between the user's browser and Exelab's systems are protected with HTTPS (TLS 1.2+). Access to collected data is limited to authorised personnel and tracked in logs kept for audit purposes.

In the event of a personal data breach posing a risk to the rights and freedoms of data subjects, Exelab notifies the competent supervisory authority within 72 hours of becoming aware of it, in accordance with articles 33 and 34 GDPR. If the breach presents a high risk, the affected data subjects are informed directly.

This policy may be updated over time to reflect regulatory developments, organisational changes within Exelab or changes among the external processors used. The current version is always available at polyant.ai/privacy-policy, with the date of the last update indicated.

In the event of substantive changes, users will be informed before the changes take effect, through a notice on the site or, where appropriate, by email.