Privacy & Security

    Privacy Policy

    Notice on the processing of personal data pursuant to EU Regulation 2016/679 (GDPR).

    Last updated: v2.1 — 06/06/2026

    Document language

    This document informs the natural person (the "Data Subject") about the processing of their personal data (the "Personal Data") collected by the data controller, NT VENTURES S.R.L., with registered office at Via Lorenteggio 47, 20146 Milan (MI), Italy, Italian Tax Code / VAT 14718310965, REA MI-2802909, email [email protected], PEC [email protected] (the "Controller"), through the website and application ideaproof.io (the "Application").

    Data Protection Officer (DPO): not appointed. Appointment is not mandatory under Art. 37 GDPR given the Controller's scale and the nature of its processing activities. For any privacy-related request the Data Subject may contact the Controller at [email protected].

    Material changes to this notice are notified by email to registered Data Subjects at least 30 days before they take effect, and published on the Application. If the Data Subject does not accept the changes, they must stop using the Application and may request the Controller to delete their Personal Data.

    1. Categories of Personal Data processed

    The Controller processes the following types of Personal Data voluntarily provided by the Data Subject:

    • Contact data: name, surname, email address, phone number, profile image, authentication credentials and any further information sent by the Data Subject.
    • OAuth credentials: identifiers and profile data received from Google when the Data Subject signs in via OAuth.
    • Tax and payment data: tax code, VAT number, billing address; payment-card data is handled directly by Stripe and never reaches the Controller's systems.
    • User-generated content: business ideas, prompts, briefs, URLs and any other input sent to the AI features.
    • AI-generated outputs: validation reports, market analyses, business plans, brand strategies and similar artefacts derived from the inputs.

    The Controller also processes the following types of Personal Data collected automatically:

    • Technical logs: IP address, user agent, referer, request timestamps, HTTP error codes.
    • Usage data: pages visited, number of clicks, actions taken, session duration.

    Should the Data Subject decide not to provide Personal Data that is mandatory by law, by contract or necessary to enter into the contract with the Controller, it will be impossible for the Controller to establish or continue any relationship with the Data Subject. The Data Subject who shares third-party Personal Data with the Controller is directly and exclusively responsible for their origin, collection, processing, communication or disclosure.

    2. Cookies and similar technologies

    The Application uses cookies, web beacons, unique identifiers and other similar technologies. The full Cookie Policy is available at https://ideaproof.io/cookies.

    3. Purposes, legal bases and retention

    The Controller processes Personal Data for the purposes and on the legal bases set out in the table below. For purposes based on legitimate interest the Controller has performed a documented balancing test (LIA), available on request, concluding that the Data Subject's rights and freedoms are not overridden.

    Purpose Legal basis Retention
    Account creation, authentication and contract performance Performance of the contract (Art. 6.1.b) Duration of the contract + 10 years (tax limitation)
    AI output generation (idea validation, market analysis, business plan, etc.) Performance of the contract (Art. 6.1.b) Until account deletion
    Payment processing and invoicing Legal obligation (Art. 6.1.c) — tax law 10 years
    Email marketing of similar products to existing customers (soft opt-in) Legitimate interest (Art. 6.1.f GDPR) and Art. 130, par. 4, Legislative Decree 196/2003 (Italian Privacy Code) Until objection or 24 months of inactivity
    Direct marketing (newsletters, promotions) Consent (Art. 6.1.a) Until consent is withdrawn
    Security, fraud prevention, infrastructure monitoring Legitimate interest (Art. 6.1.f) Technical logs: 12 months
    Aggregated analytics and product improvement Consent for cookies (Art. 6.1.a) / legitimate interest for anonymous data Up to 13 months (analytics cookies)
    Legal defence and compliance with authority orders Legal obligation / legitimate interest For the duration of the proceedings

    Automated decision-making. No automated decision-making producing legal or similarly significant effects on the Data Subject (Art. 22 GDPR) is carried out. AI outputs are decision-support material reviewed and acted upon by the Data Subject.

    4. Processing methods and recipients of Personal Data

    Personal Data is processed using electronic tools, with organisational and logical methods strictly related to the stated purposes and through the adoption of adequate security measures.

    Personal Data is processed exclusively by:

    • persons authorised by the Controller to process Personal Data and bound by confidentiality;
    • parties acting autonomously as independent controllers or appointed by the Controller as data processors (e.g., business partners, consultants, IT companies, hosting providers);
    • parties or entities to whom Personal Data must be disclosed by law or by order of the authorities.

    External data processors

    The Controller relies on the following providers as Data Processors pursuant to Art. 28 GDPR:

    Provider Country Purpose Privacy
    Stripe Payments Europe Ltd Ireland (EEA) Electronic payment processing and fraud prevention. Link
    Supabase Inc. EU region (Ireland) Database hosting and authentication management. Link
    SendGrid (Twilio Inc.) United States Delivery of transactional and marketing email. Link
    Google LLC United States Aggregated analytics (Google Analytics) and campaign measurement (Google Ads), subject to cookie consent. Link
    OpenAI L.L.C. United States Processing of submitted content for AI output generation (text). Link
    Anthropic, PBC United States Processing of submitted content for AI output generation (text). Link
    OpenRouter, Inc. United States AI provider routing and request orchestration. Link
    Contentsquare SAS France (EEA) Aggregated user-behaviour analysis, subject to consent. Link

    AI providers and training. Inputs and outputs handled by AI providers (OpenAI, Anthropic, OpenRouter) are processed under their API/Enterprise agreements, which prohibit the use of customer content to train the underlying foundation models. The Controller does not authorise any other use of such content.

    5. Place of processing and international transfers

    Personal Data is processed primarily within the European Economic Area (EEA). Transfers to non-EEA providers (notably US-based AI vendors, Google and SendGrid) take place on the basis of: (i) the EU Commission Standard Contractual Clauses (Implementing Decision 2021/914), (ii) where applicable, certification under the EU-US Data Privacy Framework, and (iii) a Transfer Impact Assessment performed by the Controller pursuant to the Schrems II ruling. A copy of the safeguards in place is available on request.

    6. Retention periods

    Retention periods per category are summarised in the table at §3. At the end of the retention period, all Personal Data will be deleted or kept in anonymous form that no longer allows the identification of the Data Subject.

    7. Security measures

    The Controller adopts technical and organisational measures appropriate to the risk, including: TLS 1.2+ encryption in transit, encryption at rest provided by Supabase, multi-factor authentication on the administration console, role-based access on the least-privilege principle, daily backups, logging and monitoring of administrative actions, and regular review of sub-processors.

    8. Data breach

    In the event of a personal data breach the Controller notifies the Italian Data Protection Authority (Garante) without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk to the rights and freedoms of the Data Subject, the Controller also notifies the Data Subject without undue delay (Art. 34 GDPR).

    9. Minors

    The Application is not directed to minors under 16. In Italy, pursuant to Art. 2-quinquies of D.Lgs. 196/2003 as amended by D.Lgs. 101/2018, minors aged 14 and over may consent autonomously to the processing of their data in connection with information society services. If the Controller becomes aware that it is processing data of a minor below these thresholds without verified parental consent, the data will be deleted promptly.

    10. Special categories of data

    The Controller does not request and does not intend to process special categories of data within the meaning of Art. 9 GDPR (health, religious or political opinions, biometric or genetic data, etc.). Data Subjects must not include such information in their prompts or other content submitted to the AI features.

    11. AI Act transparency

    The Application uses generative AI systems. Pursuant to Art. 50 of Regulation (EU) 2024/1689 (AI Act), the Data Subject is informed that they are interacting with an AI system and that generated outputs (text, images) are machine-generated and labelled as such within the Application.

    12. Rights of the Data Subject

    The Data Subject may exercise the following rights at any time:

    • be informed about the processing of their Personal Data;
    • withdraw consent at any time, without affecting the lawfulness of processing already carried out;
    • restrict the processing of their Personal Data;
    • object to the processing of their Personal Data;
    • access their Personal Data and obtain a copy;
    • verify and request rectification of their Personal Data;
    • obtain the deletion of their Personal Data (right to be forgotten);
    • transfer their Personal Data to another data controller (portability);
    • not be subject to automated decisions producing legal or similarly significant effects (Art. 22 GDPR);
    • lodge a complaint with the supervisory authority — Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Rome, www.garanteprivacy.it — and/or take legal action.

    To exercise these rights, the Data Subject may send a request to [email protected]. Requests are handled without undue delay and in any case within 30 days, extendable by up to a further 60 days where the request is complex (Art. 12.3 GDPR), with prior notice to the Data Subject.

    Last updated: v2.1 — 06/06/2026 — NT VENTURES S.R.L.