How we process your personal data under EU Regulation 2016/679 (GDPR) and applicable law.
Last updated: April 18, 2026
⚠ Note: This document is a starter version based on GDPR and applicable EU law. For production launch, review by a qualified privacy and digital law practitioner is recommended for each target jurisdiction.
This Privacy Policy describes how {{COMPANY_LEGAL_NAME}} (hereinafter "Componi", "we") collects, uses, and protects personal data of users of the Componi platform available at www.componi.ai (hereinafter the "Service"). Processing is carried out in compliance with Regulation (EU) 2016/679 ("GDPR") and other applicable laws.
1. Data Controller
The Data Controller is {{COMPANY_LEGAL_NAME}}, with registered office at {{COMPANY_ADDRESS}}, VAT {{VAT_NUMBER}}, registered in the Company Register under REA {{REA}}. Contact: hello@componi.ai.
2. Data Protection Officer (DPO)
A Data Protection Officer has been appointed, reachable at {{DPO_EMAIL}} for any matter related to the processing of personal data or the exercise of data subject rights.
3. Categories of data processed
We process the following categories of personal data:
a) Registration data: first name, last name, email, hashed password, billing information for paid subscriptions.
b) LinkedIn integration data: via official OAuth we obtain access tokens, profile ID, public profile data (name, role, photo, headline), content of your posts and comments you have created, engagement metrics of your content.
c) User-generated content: drafts, corrections, content feedback, Voice Profile settings, configured RSS and news sources, editorial plans.
d) Service usage data: access logs, IP address, user-agent, visited pages, actions performed in the platform, date and time.
e) Payment data: processed directly by Stripe (external processor). We do not store full credit card numbers.
4. Purposes and legal basis of processing
Your data is processed for the following purposes:
Provision of the Service (Art. 6.1.b GDPR — contract performance): account creation and management, integration with LinkedIn via official APIs, AI-generated drafts, content publishing, subscription management.
Individual Voice Profile training (Art. 6.1.b GDPR): analysis of your posts and corrections to create and improve your personal Voice Profile. This data stays in your workspace and is not used to train public models or shared with other users.
Legal obligations (Art. 6.1.c GDPR): invoicing, tax and accounting compliance, responses to authority requests.
Legitimate interest (Art. 6.1.f GDPR): platform security, fraud and abuse prevention, Service improvement through aggregated and anonymized analysis, communications about features similar to those subscribed to.
Direct marketing (Art. 6.1.a GDPR — consent): newsletters, promotional and informational communications. Consent is revocable at any time via the unsubscribe link or by writing to hello@componi.ai.
5. Processing methods and security
Processing is performed using electronic tools, applying technical and organizational measures adequate to ensure confidentiality, integrity, availability, and resilience of systems. Specifically: encryption of data in transit (TLS 1.3) and at rest (AES-256), role-based access control, workspace segregation between users, access logs, encrypted backups with limited retention, periodic security testing.
6. Data recipients and external processors
Your data may be disclosed to the following parties, appointed as processors under Art. 28 GDPR:
• Cloud infrastructure providers: Amazon Web Services (AWS) — EU servers (Ireland and Frankfurt).
• Payment processor: Stripe Payments Europe, Ltd. (based in Ireland).
• AI model providers: Anthropic PBC and/or OpenAI, LLC for processing text generation requests. Prompts sent are not used to train public models (commercial agreements with zero or limited retention).
• LinkedIn API bridge: Zernio (in beta, official OAuth). Direct migration to LinkedIn Marketing Partner API is planned in Q3 2026.
• Operational tools: transactional email providers (e.g., Postmark/SendGrid), customer support tools (e.g., Intercom), aggregated analytics tools (e.g., PostHog, Plausible).
An updated list of sub-processors is available on request at {{DPO_EMAIL}}.
7. Transfers outside the EU
Some sub-processors (e.g., AI model providers) may process data outside the European Economic Area. In such cases, transfers are safeguarded by Standard Contractual Clauses approved by the European Commission (decision 2021/914), supplemented where necessary by additional technical measures (end-to-end encryption, pseudonymization). For US providers, where applicable, we rely on their certification under the EU-US Data Privacy Framework.
8. Retention period
Account data and generated content: retained for the duration of the contract and for 30 days after cancellation (restore and data export window), after which they are permanently deleted or anonymized.
Billing data: retained for 10 years, as required by Italian civil and tax law.
Security and audit logs: retained for 12 months.
Marketing data (newsletter): retained until consent is revoked.
9. Data subject rights
Under Articles 15–22 GDPR you have the right to:
• Access: obtain confirmation of processing and a copy of your personal data.
• Rectification: correct inaccurate or incomplete data.
• Erasure ("right to be forgotten"): obtain deletion of your data in the cases provided for.
• Restriction: request restriction of processing in specific circumstances.
• Portability: receive data in a structured, commonly used, machine-readable format. Componi offers direct export of generated content in account settings.
• Objection: object to processing based on legitimate interest or for marketing purposes.
• Withdraw consent: for consent-based processing, at any time.
• Complaint: lodge a complaint with the Italian Data Protection Authority (Garante Privacy — www.garanteprivacy.it) or the supervisory authority of your EU Member State.
To exercise your rights, write to {{DPO_EMAIL}}. We will respond within 30 days.
10. Automated decisions and AI
Componi uses AI systems to generate content drafts, suggest replies to comments, and provide analytics. These processes do NOT produce decisions with legal or significant effects on the user under Art. 22 GDPR: all outputs are editorial proposals that the user can accept, modify, or reject. The publication of AI-generated content always happens under user control (Human-in-the-Loop mode or Autopilot with safety guardrails configured by the user themselves).
11. Minors' data
The Service is not addressed to minors under 18. We do not knowingly collect minors' data. Should we become aware of having processed a minor's data, we will proceed with deletion.
12. Changes to the Privacy Policy
We reserve the right to modify this Privacy Policy to reflect regulatory updates or Service evolution. Substantial changes will be communicated via email and/or in-app notification at least 30 days in advance. The most up-to-date version is always available at www.componi.ai/privacy.html.