Privacy Policy

Last updated: June 2026

1. Data Controller

The Data Controller is Flowvenue SRL, with registered office at Viale Giorgio Ribotta 11, 00144 Rome, Italy (VAT no. IT18366041004, REA RM-1780474). Contact: info@flowvenue.com, certified email (PEC) flowvenue@pecimprese.it.

2. Purpose of Processing

Personal data collected through the website and conversational CRM services are processed for the following purposes:

Provision of requested services (account management, CRM, customer support).
AI-assisted features (conversational assistant, process automation and design).
Service communications and improvement of user experience.
Direct marketing activities with prior consent.
Statistical analysis and profiling, if authorized
Compliance with legal obligations.

3. Legal Basis

Processing is based on:

Contract performance (Art. 6.1.b GDPR);
Legal obligations (Art. 6.1.c GDPR);
Data subject consent (Art. 6.1.a GDPR) for marketing and profiling activities;
Legitimate interest of the Controller (Art. 6.1.f GDPR), balanced with data subject rights, for security and service improvement purposes.

4. Types of Data

Identifying data (name, surname, email, phone, company).
Navigation data (IP addresses, logs, cookies).
Data related to conversations managed through the CRM platform.
Special categories of data (Art. 9 GDPR) only if voluntarily provided by the user during service use and processed with enhanced protection measures.
Identifying data (name, email, phone), navigation data (IP, cookies), CRM conversation data, special categories only if voluntarily provided.

5. Methods and Security

Data is processed using electronic tools and adequate technical-organizational measures (encryption, pseudonymization, access controls) in compliance with privacy by design and by default principles.

6. Retention

Data will be retained for a period not exceeding that necessary to achieve the purposes:

Contractual data: up to 10 years from relationship termination (civil and tax obligations).
Marketing data: until consent withdrawal and in any case not beyond 24 months.
Profiling data: maximum 12 months.

7. Communication and Transfers

Data may be communicated to:

IT service providers, hosting, cloud providers (e.g. AWS).
Identity and authentication providers (e.g. Auth0).
Large language model (LLM) providers, where used with Flowvenue-managed credentials (e.g. Anthropic, OpenAI) — see Sec. 7-bis and DPA Annex 2.
External consultants and professionals (legal, tax, technical).
Public authorities in cases provided by law.
Any transfers to non-EU countries will only be made to subjects with EU Commission adequacy decisions or through Standard Contractual Clauses (Arts. 44-49 GDPR).

7-bis. Artificial intelligence and language models (LLM)

Flowvenue uses large language models (LLMs) for conversational features, process design, translation assist, and similar use cases. Depending on the organization's configuration and subscribed plan, LLM inference may occur through one or more of the following paths:

Flowvenue-managed LLM — inference via approved providers (default Anthropic Claude Sonnet 4.6; alternative OpenAI or Anthropic models among supported options, where enabled). Content required for inference may be transmitted to such vendors as sub-processors, under their respective terms (including, where applicable, prohibition on using API/Enterprise content to train models). Sub-processor list: DPA Annex 2.
Bring Your Own Key (BYOK) — if the organization configures its own credentials (OpenAI, Anthropic, or a compatible endpoint, including dedicated cloud or private/on‑premise LLM infrastructure), inference runs with the organization's chosen provider, which is not a Flowvenue sub-processor for that inference path. Organization keys are stored encrypted (AES-256-GCM).
External LLM clients via MCP Server — the organization may connect external LLM clients (e.g. Claude, ChatGPT, Gemini, Copilot with MCP support) to Flowvenue's MCP Server. LLM inference runs on the organization's chosen environment; Flowvenue hosts MCP tools with authorization (OAuth 2.0 with PKCE), scopes, rate limiting, and audit of tool calls.

For business customers, further contractual detail is in the Data Processing Agreement (Section 5), Terms of Service (Section 10), and the Information Security compliance documentation.

LLM-generated responses may contain inaccuracies; for critical information (personal data, amounts, configurations), always verify status in the platform's deterministic backend (processes, data objects, instances).

8-bis. Use of Google APIs

Flowvenue uses Google APIs (such as Google Calendar, Gmail or other Google services authorised by the user) solely to provide the functionalities explicitly requested by the user within the conversational CRM platform.

Data obtained through Google APIs:

are used only to deliver the functionalities requested by the user;
are not used for advertising purposes;
are not shared with third parties other than those strictly necessary for the provision of the service;
are not sold or used for marketing or external profiling purposes.

Processing of data from Google APIs is carried out in compliance with the Google API Services User Data Policy, including the Limited Use provisions.

The user may revoke access to their Google data at any time directly from their Google account settings or by contacting the Data Controller.

8. Data Subject Rights

Users have the right to:

Access, rectify and delete their data (Arts. 15-17 GDPR).
Restrict or object to processing (Arts. 18-21 GDPR).
Request data portability (Art. 20 GDPR).
Withdraw consent at any time, without prejudice to the lawfulness of processing based on consent given before withdrawal.
Lodge a complaint with the Data Protection Authority (www.garanteprivacy.it)

9. Profiling

Flowvenue uses conversational CRM systems that may include profiling processes to improve interaction and provide personalized responses. Such processing occurs only with explicit consent and ensuring the user the possibility to request human intervention.

Marketing and profiling activities do not use in any way data from Google services.

10. DPO

Flowvenue has appointed a Data Protection Officer (DPO), contactable at: info@flowvenue.com

11. Updates

This Privacy Policy may be updated at any time to adapt to regulatory changes or services offered. Updated versions will be published on this page with revision date.

This privacy notice is compliant with the General Data Protection Regulation (GDPR) of the European Union and Italian regulations on personal data protection.