Privacy Policy
Last updated: 25 April 2026
Version: 1.0
1. Data Controller
GiBSeS OÜ
Registered office: Tallinn, Estonia
Registration number: [INSERT ESTONIAN COMMERCIAL REGISTER CODE]
Privacy email: privacy@boardoflegends.com
Certified email / PEC: [INSERT IF APPLICABLE]
Pursuant to EU Regulation 2016/679 ("GDPR") and applicable national legislation, GiBSeS OÜ is the Data Controller of the personal data collected through the Board of Legends platform, accessible at boardoflegends.com (public portal) and app.boardoflegends.com (registered users application).
2. Categories of Data Collected
2.1 Data provided directly by the user
During registration:
- Email address
- Password (stored only as a salted bcrypt/scrypt hash, never in plain text)
- Display name — optional, editable
- Preferred locale (interface language)
During subscription:
- Billing data (name, address, VAT number if applicable)
- Payment data (managed exclusively by Stripe Inc., the Controller does not store card numbers)
- Country of tax residence
During use of the service:
- Content of messages written to the Legends (AI personas)
- Ideas, projects, business data voluntarily shared in sessions
- Documents uploaded as knowledge base (Advisor+, Strategist+, Board Room)
- Custom personas created by the user
- Avatar (profile picture) — optional
2.2 Automatically collected data
Technical data:
- IP address
- Browser user agent
- Browser language
- Request timestamps
- Error and diagnostic logs
Usage data:
- Sessions started, duration, phase reached
- Documents generated (type, size, timestamp)
- Sparks consumed
- Interface interactions
Cookies and similar technologies: see section 9 and our dedicated Cookie Policy.
2.3 Data NOT collected
The Controller expressly declares that it does not collect:
- Biometric data
- Health data
- Data relating to political or religious opinions, sexual orientation, trade union membership
- Data of minors under 16 years of age (the service is not directed at minors)
3. Purposes of Processing and Legal Bases
| Purpose | Legal basis (art. 6 GDPR) | Data processed |
|---|---|---|
| Service delivery (account, AI sessions, document generation) | Performance of a contract (art. 6.1.b) | All registration and usage data |
| Billing and payment management | Performance of a contract + legal obligations (art. 6.1.b + 6.1.c) | Billing data, tax data |
| Platform security (abuse and fraud prevention) | Legitimate interest (art. 6.1.f) | Technical logs, IP, timestamps |
| Service communications (email confirmation, subscription notifications) | Performance of a contract (art. 6.1.b) | Email, display name |
| Newsletter and marketing | Consent (art. 6.1.a) — explicit opt-in | Email, display name |
| Tax and accounting obligations | Legal obligations (art. 6.1.c) | Billing data |
| Aggregate platform usage analysis | Legitimate interest (art. 6.1.f) | Anonymised usage data |
Consent for the newsletter may be withdrawn at any time via the "Unsubscribe" link in each email or from the account settings.
4. Methods of Processing
Data is processed using electronic tools, protected by:
- TLS 1.3 encryption for all data in transit
- At-rest encryption on databases (PostgreSQL) and object storage (MinIO)
- Passwords stored using cryptographic hashes with a unique salt
- Role-based access control (RBAC) for administrative access
- Audit logs of sensitive operations
- Encrypted daily backups
- Two-factor authentication available for all accounts (recommended for administrative accounts)
The Controller adopts adequate technical and organisational measures pursuant to art. 32 GDPR, proportionate to the risk of the processing.
5. Data Retention
| Category | Retention period |
|---|---|
| Active account | For the entire duration of the contractual relationship |
| Account after deletion request | Grace period of 30 days (recovery possible), then deletion or anonymisation |
| Billing data | 10 years (Italian/EU tax obligation) |
| Technical and security logs | 12 months |
| Session content (messages, generated documents) | For the entire duration of the contract + 90 days after deactivation, unless an early deletion request is made |
| Documents uploaded as knowledge base | Until deletion by the user or account closure |
| Backups | Rolling 30-day retention |
After the periods indicated above, data is deleted or irreversibly anonymised, unless there are legal retention obligations.
6. Data Recipients (Data Processors)
Data may be transferred to the following parties, each appointed as a Data Processor pursuant to art. 28 GDPR:
6.1 Infrastructure providers
- Contabo GmbH (Germany): VPS server hosting
- Hetzner Online GmbH (Germany, if applicable): backup storage
- Transfer basis: intra-EU, extra-EU transfer not applicable
6.2 LLM (Artificial Intelligence) service providers
- Anthropic PBC (USA): Claude models (Haiku, Sonnet, Opus)
- OpenAI LLC (USA): possible GPT models for specific features
- Google LLC (USA): possible Gemini models for specific features
Extra-EU transfer: the providers listed above operate in the United States. The transfer takes place on the basis of:
- Standard Contractual Clauses (SCC) approved by the European Commission
- Adherence to the EU-US Data Privacy Framework (DPF) where applicable
- Supplementary measures: encryption in transit and at rest, data minimisation, controlled retention
Content transmitted to LLM providers is not used to train public models (contractual opt-out verified with Anthropic, OpenAI, Google).
6.3 Payment providers
- Stripe Payments Europe Ltd (Ireland): payment processing
- Stripe Inc. (USA): support services, on the basis of SCC + DPF
6.4 Communication providers
- Resend / [INSERT EMAIL PROVIDER] — transactional email sending
- Google LLC (USA) for possible use of Google Workspace by the Controller
6.5 Other recipients
- Legal, tax and accounting advisors of the Controller, bound by professional confidentiality
- Public authorities, upon legally compliant request
Data is not sold, transferred or exchanged with third parties for their own marketing purposes.
7. Data Subject Rights
Pursuant to arts. 15–22 GDPR, you have the right to:
| Right | Description | How to exercise it |
|---|---|---|
| Access (art. 15) | Obtain confirmation of processing and a copy of your data | Account settings → "Export my data" or email to privacy@boardoflegends.com |
| Rectification (art. 16) | Correct inaccurate data | Account settings, editable fields |
| Erasure / right to be forgotten (art. 17) | Obtain deletion of your data | Account settings → "Delete account" (30-day grace period) |
| Restriction (art. 18) | Restrict processing in specific cases | Email to privacy@boardoflegends.com |
| Portability (art. 20) | Receive your data in a structured and interoperable format | Account settings → "Export my data" (JSON format) |
| Objection (art. 21) | Object to processing based on legitimate interest | Email to privacy@boardoflegends.com |
| Withdrawal of consent | Withdraw consents given (e.g. newsletter) | "Unsubscribe" link in emails or account settings |
| Complaint (art. 77) | Lodge a complaint with the supervisory authority | Estonian supervisory authority (AKI - Andmekaitse Inspektsioon) or the authority in the country of your habitual residence (in Italy: Garante Privacy www.gpdp.it) |
Response times: maximum 30 days from receipt of the request, extendable by a further 60 days for complex requests (with a reasoned communication to the data subject).
Identity of the requester: the Controller may request additional information to verify identity before acting on the request, in order to protect data from unauthorised access.
8. Automated Decision-Making and Profiling
The Board of Legends service does not carry out automated decisions with legal effects on the user pursuant to art. 22 GDPR.
The responses of the Legends (AI personas) and generated documents are content created with artificial intelligence, provided for the purpose of supporting the user's decision-making. The user always remains the final decision-maker. AI content may contain inaccuracies and does not replace professional legal, financial, medical or other specialist advice.
9. Cookies and Similar Technologies
The service uses strictly necessary technical cookies for its operation (session management, authentication, language preferences) that do not require consent pursuant to art. 122 of the Privacy Code.
For analytical, functional, targeting or profiling cookies, consent is requested via a cookie banner compliant with EDPB Guidelines 03/2022 and Italian legislation (Garante Provision 2021).
Full details in the dedicated Cookie Policy.
10. Data Security and Data Breaches
In the event of a personal data breach ("data breach") that may present a risk to the rights and freedoms of data subjects, the Controller:
- Notifies the competent supervisory authority within 72 hours of becoming aware (art. 33 GDPR)
- Communicates the breach to data subjects without undue delay where the risk is high (art. 34 GDPR)
- Maintains an internal register of all breaches
11. Minors
The Board of Legends service is directed exclusively at adults (18+) or at minors authorised by a parent/guardian under the laws applicable in their country of residence, with an absolute minimum age of 16 years (GDPR threshold).
The Controller does not knowingly collect data of minors under 16 years of age. Should it become aware of such an event, it will proceed with the immediate deletion of the data.
12. International Transfers
As indicated in section 6, some processing involves the transfer of data to third countries (mainly the USA) for LLM services and Stripe.
Applied safeguards:
- Standard Contractual Clauses (SCC) pursuant to Implementing Decision (EU) 2021/914
- EU-US Data Privacy Framework (where the provider is certified)
- Technical supplementary measures (encryption) and organisational measures (minimisation, retention)
The user may request a copy of the safeguards applied by writing to privacy@boardoflegends.com.
13. Changes to This Policy
The Controller reserves the right to update this Policy. Substantial changes will be communicated via:
- A prominent notice on the platform
- Email to registered users (for changes that impact ongoing processing)
- Public versioning with the date of last update
Continued use of the service after notification constitutes acceptance of the updated version, without prejudice to the user's right to withdraw consent or close their account.
14. Contact
For any questions regarding the processing of personal data:
Email: privacy@boardoflegends.com
Postal address: GiBSeS OÜ, [INSERT FULL TALLINN ADDRESS]
Data Protection Officer (DPO): [INSERT IF DESIGNATED: a DPO is mandatory if the Controller falls within the cases of art. 37 GDPR, e.g. systematic large-scale processing. Assess with legal counsel.]
Estonian supervisory authority: Andmekaitse Inspektsioon (AKI), Tatari 39, Tallinn 10134, www.aki.ee
For Italian users: Garante per la protezione dei dati personali www.gpdp.it
This Policy is drafted in Italian. The Italian version prevails in the event of discrepancies with other languages.