Privacy Policy
Last Updated February 2026
1. PURPOSE OF THIS PRIVACY NOTICE
This Notice is drafted pursuant to Articles 13 and 14 of the GDPR and aims to provide information on how Envify processes your personal data, collected through use of the Website, including all data that the user provides in order to stay informed about updates (for example by subscribing to our newsletter, interacting with our customer support, or participating in a promotion or a survey).
It is the User’s responsibility to read this Notice, together with any other notice that we may provide to supplement, update, or further explain the information regarding the collection and processing of your personal data. We will endeavour to coordinate these notices so as to present at all times the conditions applied to the processing of personal data in the most transparent and easily accessible way.
2. DATA CONTROLLER (DATA CONTROLLER)
The Company acts as the data controller and is responsible for your personal data. You may contact the data controller to receive information about the processing of personal data and to exercise the rights that the GDPR grants to the data subject, at the following e-mail address: hello@envify.ai
This Notice also applies to processing related to the provision of the “Envify” Software in SaaS mode. In the aforementioned processing operations, privacy roles vary depending on the categories of data processed: (i) for account, billing, security and technical log data (e.g. access events, invitations, roles and permissions), Envify acts as Data Controller; (ii) for data and documents uploaded to the application by the Company or the Consultant (and their respective authorised users), such parties assume the status of independent Data Controllers pursuant to Art. 4, no. 7, GDPR.
Roles and responsibilities (Company/Consultant)
The Company or Consultant using the Software determines the purposes and means of processing carried out through the platform in relation to the relevant data subjects (employees, collaborators, suppliers, customers, etc.) and, as an independent Data Controller, is responsible for: (a) the legal basis for processing; (b) information obligations towards data subjects; (c) exercise of rights under Arts. 15–22 GDPR; (d) definition of retention periods; (e) accuracy/lawfulness of uploaded data.
For such data, Envify acts as Data Processor and processes the information on the legal basis of performance of the contract (Art. 6(1)(b)) within the limits of the Controller’s instructions; Envify does not determine the purposes and means of processing. Processing related to: account management and billing, service security, support, log and audit records (Art. 6(1)(b) and (f)), as well as legal obligations (Art. 6(1)(c)) remains under Envify as independent Data Controller.
3. WHAT PERSONAL DATA DO WE COLLECT?
This paragraph describes the categories of personal data that we process. In paragraph 4 we will explain the purposes for which we process those categories of personal data.
The personal data we collect is subject to the use of our Website and acceptance through the appropriate and specific web form or through the signing of the Envify software Licence Agreement.
If you visit our Website, your browser automatically transmits certain data, such as the date and time you visited our web pages, the type and settings of your browser, your operating system, and your IP address. For further details regarding the processing of personal data collected through our website, we invite you to also review the cookie policy available here: https://envify.ai/terms-and-privacy/cookie-policy
Through our Website, we process, as data controllers, the following personal data relating to the following categories of data subjects:
Personal data provided by the Customer/User
First name and surname
Date and place of birth
Email address
Residential/domicile and shipping address
Telephone number
Personal identifiers of natural persons acting on behalf of companies
Tax code and VAT number
Traffic and log data
Personal identifiers and details of the company’s suppliers (where provided by the User)
Envify does not request or process special categories of data pursuant to Article 9 GDPR, nor health, biometric, or otherwise sensitive data, within the scope of the processing governed by this Notice.
4. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?
Envify processes the personal data of data subjects exclusively for specific, explicit and legitimate purposes, strictly connected to the provision of its digital services and the management of the contractual relationship.
In particular, personal data are processed to enable contact management, the subscription and performance of the contractual relationship, the creation and management of the account, the identification of the Customer and Authorised Users, as well as access to the features of the Software platform.
Data are also processed for the performance of the technical and organisational activities necessary for the proper provision of the service in Software as a Service (SaaS) mode, including configuration, maintenance, technical support, security and operational continuity activities.
Personal data are also processed for the management of the contractual relationship, including administrative, accounting and tax activities, such as issuing invoices, managing payments and fulfilling the obligations provided for by the applicable legislation. Such processing is based on the need to perform the contract to which the data subject is party and on compliance with legal obligations to which the Data Controller is subject.
To facilitate understanding, the following table sets out the categories of data processed, the purposes, the legal basis and the retention periods:
The Company also informs you that, for the purposes set out above, your personal data will be processed using IT, electronic and manual tools, in compliance with the confidentiality and security rules established by law.
Personal and contact details may also be processed for the management of assistance requests, technical support and contact, as well as to respond to communications, reports or requests for information sent to Envify through the channels made available.
5. THIRD-PARTY LINKS
Our website or our app may include links to third-party websites. By clicking on or enabling such links, third parties may process your personal data; therefore, we invite you to also refer to the privacy policy of those sites.
6. WITH WHOM CAN WE SHARE YOUR PERSONAL DATA?
Personal data processed by Envify may be disclosed, within the limits strictly necessary for pursuing the purposes indicated in this Notice, to third parties acting on behalf of the Provider or providing services functional to the delivery of the service and the Software platform.
In particular, personal data may be shared with providers of technological and infrastructure services, such as, by way of example, hosting providers, cloud services, workflow automation platforms, application monitoring tools, authentication systems and cybersecurity systems.
The Client declares that they are fully aware and accept that, for the provision of functionalities based on large language models (LLMs) and artificial intelligence services, the Envify service relies on specialised third-party providers that make available models, APIs and technological infrastructures. Such parties process personal data as independent data controllers or, where applicable, as external processors, in accordance with their respective privacy notices and data protection policies.
The customer user is clearly informed that they remain the sole and exclusive data controller of any personal data entered into the application or contained in uploaded documents, fully assuming all responsibility with regard to legal basis, information notice, consents where necessary, security measures, retention periods, exercise of data subjects’ rights, as well as any further compliance required by the GDPR and applicable legislation. Data entered by the user when using third-party LLMs is end-to-end encrypted.
With regard to automated product classification functionalities, Envify also makes use of services provided by OpenAI, L.L.C., through use of the GPT-4 model via the Chat Completions API in a commercial environment.
Within the scope of this integration, the data transmitted via API consists exclusively of textual product descriptions for classification purposes, without references to identified or identifiable natural persons. Therefore, no personal data is transmitted or processed within the meaning of Article 4(1) of Regulation (EU) 2016/679 (GDPR).
For completeness of information, please consult OpenAI’s privacy notice, available at the following link: https://openai.com/policies/privacy-policy.
With reference to automated document analysis functionalities and the processing of accounting and financial documents, Envify also uses the services of Anthropic Ireland Ltd., as the contractual entity for the European Union, under the commercial account “Envify S.r.l. — Commercial API Enterprise”.
Processing carried out through such services may involve the transmission of text extracted from invoices, utility bills and financial documents uploaded by the Client, potentially containing personal data, including indirectly identifying data (such as, by way of example, company names, supplier addresses, invoice numbers, amounts, consumption data, tax codes or company VAT numbers). Anthropic operates in compliance with its Commercial Terms, including the Data Processing Addendum (DPA) and Standard Contractual Clauses (SCC) pursuant to Articles 28 and 46 GDPR.
Data transmitted via API is subject to a retention period limited to 30 days, unless Zero Data Retention (ZDR) mode is activated, where requested. The data is not used for training artificial intelligence models, as participation in training programmes such as the Development Partner Program is excluded, and the commercial API policy applies, which precludes its use for training purposes.
Where processing involves transfers to third countries, including the United States (Google Cloud Platform infrastructures – us-central1/us-east4), such transfers take place on the basis of the Standard Contractual Clauses incorporated into the contractual terms and the additional safeguards provided by the DPA, in accordance with Articles 44 et seq. GDPR.
Anthropic may engage sub-processors, including major cloud infrastructure and technology service providers (e.g. Google Cloud Platform, AWS, Cloudflare, Stripe), in compliance with the safeguards provided by the GDPR. The updated list of sub-processors is available as set out in the provider’s contractual documentation.
For further information on how Anthropic processes personal data, please refer to the relevant privacy notice available at the following link: https://www.anthropic.com/legal/privacy.
The website, platform and technical environments used to deliver the Envify service may also contain links or connections to websites, applications or services of third parties. Access to such resources entails leaving the Provider’s sphere of control, and the Provider assumes no responsibility regarding the methods of collection, use and processing of personal data carried out by such third parties. You are therefore advised to review their respective privacy notices before providing any personal data.
Personal data may finally be disclosed to:
(a) legal, tax and accounting advisers, for purposes connected with compliance with regulatory obligations or the protection of the Provider’s rights;
(b) public authorities, bodies or supervisory organisations, where disclosure is required by legal provisions, regulations or lawful orders of the Authority.
The personal data referred to in § 3, with the exceptions provided for in this paragraph, is processed mainly within the European Economic Area (EEA). Should a transfer to third countries become necessary, Envify will ensure that such transfer takes place in compliance with the provisions of Chapter V of the GDPR, through the adoption of appropriate legal instruments, such as adequacy decisions or standard contractual clauses.
For processing operations in which Envify acts as Processor, the Company may rely on sub-processors (e.g. cloud providers, email/invitation sending services, application monitoring) appointed pursuant to Article 28 GDPR.
7. HOW LONG WILL WE USE YOUR DATA?
The Supplier retains data subjects’ personal data exclusively for the time necessary to pursue the purposes for which such data were collected and processed, in compliance with the principles of storage limitation and proportionality set out in Regulation (EU) 2016/679.
In determining retention periods, Envify takes into account the nature of the personal data, the purposes of processing, the duration of the contractual relationship, as well as the applicable legal and regulatory obligations. In particular:
account, contact and contractual relationship data – including data uploaded and generated by the user – are retained for the entire duration of the relationship and for a subsequent period not exceeding two years from termination, unless retention for a longer period is necessary to comply with legal obligations or for the establishment, exercise or defence of a right before a court;
billing and administrative data are retained for the period provided for by the applicable civil and tax legislation, and in any event for ten years from the accounting record entry;
technical and security data, including access logs, system events and information relating to the operation of technical environments and the platform, are retained for the time strictly necessary to ensure the security of the systems and the service and, in any case, for a period not exceeding twenty-four months from termination of the contractual relationship, without prejudice to any further retention obligations provided for by law.
Once the applicable retention period has expired, personal data are deleted or irreversibly anonymised, unless their further retention is required by law or is necessary for the protection of the rights of the Data Controller.
8. AUTOMATED DECISION-MAKING PROCESS
The Supplier informs that, as part of the provision of its digital services, Envify may make use of automated IT tools, including systems based on artificial intelligence technologies, in order to support the operation of the Software and improve the user experience.
These tools are used exclusively for technical and operational purposes, such as, by way of example, the processing of text inputs, the organisation of information, the optimisation of the Platform’s functionalities, and support for activities carried out by the user through the Software.
In any case, the Developer does not subject data subjects to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or similarly significantly affect them, pursuant to Art. 22 of Regulation (EU) 2016/679.
The automated processing carried out by the Platform does not involve assessments, classifications, or decisions of a binding nature with regard to users and does not determine automatic legal consequences for them. Any use of outputs generated by automated systems always remains subject to the user’s assessment and responsibility.
9. HOW DO WE PROTECT YOUR PERSONAL DATA?
Envify adopts appropriate technical and organisational measures to ensure that personal data are processed in compliance with the principles of integrity, confidentiality and availability, preventing risks of unauthorised access, loss, destruction or unlawful disclosure of data.
In particular, Envify implements security measures consistent with the nature of the data processed and with the risks associated with processing, including, by way of example:
(a) authentication systems and access control for the platform and the technical environments used for service delivery;
(b) protection of IT infrastructures, cloud services and technical accounts used for the operation of the AI Agent;
(c) tracking and monitoring of access, security-relevant events and operational anomalies;
(d) internal procedures aimed at ensuring the confidentiality of staff and collaborators authorised to process personal data.
Envify limits access to personal data solely to authorised persons and within the limits strictly necessary for carrying out the relevant activities, ensuring that such persons are adequately trained and bound by confidentiality obligations of a contractual or legal nature.
The Supplier periodically verifies the adequacy of the security measures adopted and provides for their updating in line with technological developments, internal organisation and identified risks, in order to ensure a level of personal data protection compliant with the applicable legislation.
10. YOUR RIGHTS
Pursuant to Regulation (EU) 2016/679, data subjects whose personal data are processed by Envify may exercise, in the cases and within the limits provided for by the applicable legislation, the rights set out below.
a) Right to be informed
Data subjects have the right to be informed about the collection and use of their personal data. This right is an expression of the transparency principle enshrined in the GDPR and is fulfilled through this Privacy Notice and any further communication provided pursuant to Articles 13 and 14 of the Regulation.
b) Right of access to personal data
Data subjects have the right to obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, to obtain access to the personal data and the information provided for in Article 15 GDPR, as well as a copy of the data processed.
c) Right to rectification
Data subjects have the right to obtain the rectification of inaccurate personal data concerning them and, taking into account the purposes of the processing, the completion of incomplete personal data, pursuant to Article 16 GDPR.
d) Right to erasure (“right to be forgotten”)
Data subjects have the right to obtain the erasure of personal data concerning them in the cases provided for in Article 17 GDPR, where there are no legitimate grounds for continuing the processing. It is understood that the request for erasure may not be granted where the processing is necessary to comply with a legal obligation or for the establishment, exercise or defence of a legal claim.
e) Right to object to processing
In the cases provided for in Article 21 GDPR, data subjects have the right to object to the processing of personal data concerning them where the processing is based on the legitimate interest of the Controller or third parties and there are grounds relating to their particular situation. The right to object at any time to processing carried out for marketing purposes remains unaffected.
f) Right to restriction of processing
Data subjects have the right to obtain restriction of processing in the cases provided for in Article 18 GDPR, such as, by way of example, contesting the accuracy of the data or the unlawfulness of the processing.
g) Right to data portability
Data subjects have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format and to transmit those data to another controller, under the conditions and within the limits provided for in Article 20 GDPR. This right applies exclusively to processing carried out by automated means and based on the performance of a contract or on the data subject’s consent.
h) Right to withdraw consent
Where the processing of personal data is based on consent, the data subject has the right to withdraw it at any time, without affecting the lawfulness of processing based on consent given before withdrawal.
i) Right to lodge a complaint with the Supervisory Authority
Data subjects have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), headquartered at Piazza Venezia no. 11, Rome, or to bring proceedings before the competent courts, where they consider that the processing of personal data concerning them infringes the applicable legislation.
10. CONTACTS
To exercise your rights or to request information on how we process your personal data, you can contact us by e-mail at hello@envify.ai and we will do our best to help you.
This Notice may be subject to updates or changes over time, including due to any regulatory changes, technological developments, or changes to the services offered. In such cases, the updated version of the Notice will be made available through the channels used to provide the service and/or on the platform, indicating the date of the latest update. The need to obtain the data subject’s consent remains unchanged where the changes concern the type of data processed, the purposes, or the processing methods for which consent is required by the applicable legislation.