Privacy Policy
This privacy policy explains how Mendelbot collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR).
1. Controller Identity
| Field | Value |
|---|---|
| Controller | [PLACEHOLDER: Legal name of the data controller] |
| Address | [PLACEHOLDER: Registered address] |
| Contact email | [PLACEHOLDER: [email protected]] |
| DPO | [PLACEHOLDER: DPO name and contact, or “Not appointed — processing does not meet Art. 37 thresholds”] |
2. What Data We Collect
2.1 Registered Users
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account authentication, communication | Art. 6(1)(b) — contract performance |
| Name | Display in conversations | Art. 6(1)(b) — contract performance |
| Password | Authentication (stored as bcrypt hash) | Art. 6(1)(b) — contract performance |
| Messages | AI-powered conversational responses | Art. 6(1)(b) — contract performance |
| Conversation history | Contextual AI responses | Art. 6(1)(b) — contract performance |
| Platform identities (Telegram/Discord/WhatsApp user IDs) | Multi-platform account linking | Art. 6(1)(b) — contract performance |
| Knowledge entries | User-created knowledge base content | Art. 6(1)(b) — contract performance |
2.2 Guest Users (Unregistered)
| Data | Purpose | Legal Basis |
|---|---|---|
| Platform user ID | Identify user across sessions | Art. 6(1)(f) — legitimate interest |
| Display name / username | Display in conversations | Art. 6(1)(f) — legitimate interest |
| Messages | AI-powered conversational responses | Art. 6(1)(f) — legitimate interest |
2.3 Automatically Collected
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address (in audit logs) | Security monitoring, incident investigation | Art. 6(1)(f) — legitimate interest |
| Authentication events | Security, abuse prevention | Art. 6(1)(f) — legitimate interest |
| Content filter detections | Compliance monitoring (hashed, not plaintext) | Art. 6(1)(f) — legitimate interest |
3. How We Use Your Data
Your messages are processed by AI models to generate conversational responses. This involves:
- Sending your message and recent conversation history to an AI language model
- Retrieving relevant knowledge base entries for context
- Generating and returning a response
We do not use your data for:
- Advertising or marketing profiling
- Selling to third parties
- Automated decision-making with legal effects (Art. 22)
- Biometric identification or surveillance
4. Recipients and Sub-Processors
Your data may be shared with the following processors, all operating under Data Processing Agreements (GDPR Art. 28):
| Processor | Purpose | Data Shared | Location | DPA |
|---|---|---|---|---|
| Regolo s.r.l. | AI model inference | Message content, conversation history | EU (Italy) | [PLACEHOLDER: DPA date/reference] |
| OVH SAS | Object storage | Uploaded files (when applicable) | EU (France) | [PLACEHOLDER: DPA date/reference] |
| Cloudflare Inc. | CDN, DDoS protection | HTTP requests in transit | Global edge (no persistent body storage) | Cloudflare Customer DPA |
Local processing (no external data transfer):
- Embedding generation (Ollama) — runs on the same server, no data leaves the machine
5. International Transfers
All primary data processing and storage occurs within the European Union (Italy and France).
Cloudflare operates a global CDN. HTTP traffic may transit through non-EU edge nodes for users accessing from outside the EU. Cloudflare does not persistently store request or response bodies. Cloudflare’s data processing is covered by its Customer DPA and Standard Contractual Clauses.
No data is sent to US-based AI providers. The platform uses EU-hosted open-source AI models exclusively.
6. Retention Periods
| Data | Retention | Mechanism |
|---|---|---|
| Messages and conversations | 365 days (default) | Planned TTL index; manual deletion available now |
| User accounts | Until deletion requested | GDPR deletion flow |
| Audit events | 730 days (24 months) | MongoDB TTL index (automatic) |
| Content filter audit | 365 days | MongoDB TTL index (automatic) |
| Pending deletion codes | 10 minutes | MongoDB TTL index (automatic) |
| Knowledge entries | Until deleted by user or account deletion | Manual or cascade deletion |
7. Your Rights
Under GDPR, you have the following rights:
| Right | How to Exercise |
|---|---|
| Access (Art. 15) | Request a copy of your data via the /takeout command or contact [PLACEHOLDER: email] |
| Rectification (Art. 16) | Update your profile via the platform settings or contact [PLACEHOLDER: email] |
| Erasure (Art. 17) | Request account deletion via the /delete account command. A confirmation code is sent (valid 10 minutes). |
| Data portability (Art. 20) | Export your data in machine-readable JSON format via /takeout |
| Restriction (Art. 18) | Contact [PLACEHOLDER: email] to request processing restriction |
| Objection (Art. 21) | Contact [PLACEHOLDER: email]. You may also stop using the service at any time. |
| Withdraw consent | Where processing is based on consent, withdraw at any time by contacting [PLACEHOLDER: email] |
We respond to data subject requests within 30 days (Art. 12(3)).
8. Security Measures
We implement appropriate technical and organizational measures to protect your data (Art. 32):
- Encryption at rest: All personal data fields encrypted with AES-256-GCM using team-scoped data encryption keys
- Encryption in transit: TLS 1.2+ on all external connections
- Password hashing: bcrypt with salting
- Access controls: JWT-based authentication, role-based access, scoped API keys
- Audit logging: Security events logged with 730-day retention
- PII detection: Automated content filter scans for EU-specific personal identifiers (IBAN, fiscal codes, etc.)
- Blind indexes: Email lookups use HMAC-SHA256 hashes, not plaintext
9. AI-Specific Disclosure
In compliance with the EU AI Act (Regulation (EU) 2024/1689, Article 50):
- Responses from Mendelbot-powered bots are generated by artificial intelligence, not written by a human
- AI models used are open-source models hosted within the EU
- AI responses may be inaccurate and should not be relied upon for medical, legal, or financial decisions
- For full AI transparency information, see our AI Transparency page
10. Cookies and Local Storage
Mendelbot uses browser localStorage for JWT session tokens. We do not use:
- Tracking cookies
- Third-party analytics cookies
- Advertising cookies
No cookie consent banner is required under the ePrivacy Directive as localStorage is used solely for authentication (a strictly necessary purpose).
11. Children
Mendelbot is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact [PLACEHOLDER: email].
12. Changes to This Policy
We may update this policy to reflect changes in our processing activities or legal requirements. Material changes will be communicated via [PLACEHOLDER: notification mechanism — email, in-app notice, etc.].
13. Complaints
You have the right to lodge a complaint with a supervisory authority if you believe your data is being processed unlawfully.
[PLACEHOLDER: Identify the relevant supervisory authority. For Italy: Garante per la protezione dei dati personali — https://www.garanteprivacy.it/]
14. Contact
For any questions about this privacy policy or to exercise your data rights:
- Email: [PLACEHOLDER: [email protected]]
- Address: [PLACEHOLDER: postal address]
Effective date: [PLACEHOLDER: date of publication] — Last updated: February 2026