Privacy Policy
Last updated: May 19, 2026
This Privacy Policy explains how AiPricingLab (the “Service”) collects, uses, and protects personal data. It is issued in accordance with Regulation (EU) 2016/679 (the “GDPR”) and Italian Legislative Decree 196/2003 (the “Italian Privacy Code”), as amended by D.Lgs. 101/2018.
0. The short version
Privacy policies are long because law makes them long. If you only read one section, read this one. It is a plain-language summary — not a substitute for the binding text that follows.
- We are a B2B service. The people who sign up are developers; we are the controller of their account data.
- Their applications send us metering events about their end-users. For that data we act as a processor under article 28 GDPR — the developer decides what to send and why; we process on their instructions.
- By default we only see an opaque end_user_id, event types and counts, timestamps, and the custom metadata fields the developer chose to attach. We do not see actual user prompts, AI responses, chat history or media unless the developer turns on the Optional Content Features per app.
- If the developer uses our behavioral analytics features, we also receive product-usage events (e.g. screens viewed, onboarding steps) tied to a developer-chosen identifier, together with any person-profile properties the developer attaches. See Section 4c.
- We never train AI models on Customer data or on end-user content. We do not sell, rent or share data for advertising. We do not use third-party trackers.
- Some of our infrastructure providers (Vercel, Turso, Cloudflare) are based outside the EU/EEA. Transfers rely on adequacy decisions and/or Standard Contractual Clauses.
- If you are an end-user of a third-party app that uses our SDK, please contact that app first — see Section 10a.
- To exercise any GDPR right, write to s.castellitti.dev@gmail.com.
- Developers building on top of us: the formal art. 28 GDPR contract is the standalone DPA at aipricinglab.space/dpa. The Service is not HIPAA-compliant and we do not sign BAAs.
1. Data Controller
The data controller is Salvatore Castellitti, an individual sole trader established in Italy, operating under the trade name AiPricingLab (“we”, “us”, the “Controller”).
Contact for any privacy matter: s.castellitti.dev@gmail.com.
We are not currently required to appoint a Data Protection Officer (DPO) under article 37 GDPR. You may still raise any GDPR-related question through the contact above.
2. Two distinct roles
Throughout this policy we distinguish two situations:
- You as our Customer - a developer or business who signs up and uses our dashboard, API and SDK. For this data we act as data controller.
- Your end-users - the people who use your application that has our SDK embedded. When you push events to us referencing an end_user_id, we act as data processor on your behalf, under your instructions, in accordance with article 28 GDPR and the data-processing terms below (Section 11).
3. What we collect about you (Customer)
When you sign up and use the Service we process:
- Identity & account data: email address, name (optional), password hash or one-time-code login state, workspace name, time zone.
- Authentication data: session tokens, login timestamps, IP address used to log in, browser/user-agent.
- API key metadata: prefix of each key (e.g. sk_live_a8f3****), creation date, last-used timestamp, revocation status. Full keys are stored only as one-way SHA-256 hashes and cannot be retrieved.
- Configuration data: apps, plans, limit groups, match rules, model catalog selections, dashboard preferences.
- Billing data (for paid tiers, when activated): name on card, last-four digits, billing country, VAT number, invoice history. Payment-card numbers are processed directly by our payment provider (Stripe) and never reach our servers.
- Operational telemetry: dashboard usage, error logs, request logs (including IP and user-agent) needed for security and debugging.
- Support communications: any email or message you send us.
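The API key item above says that only a display prefix and a one-way SHA-256 hash of each key are kept. The following is an added illustration of that storage scheme, not the service's own code: the key format, the number of visible prefix characters, the in-memory store and the revocation helper are all constructed assumptions. It shows why a persisted record can show `sk_live_a8f3****` in the dashboard and still be useless for recovering the key.

```python
import hashlib
import secrets

# Added illustration of the API-key storage scheme described in Section 3.
# KEY_PREFIX, VISIBLE_CHARS and the dict "store" are constructed assumptions,
# not the service's real implementation.

KEY_PREFIX = "sk_live_"
VISIBLE_CHARS = 4  # characters of the random part shown in the dashboard (assumption)


def generate_api_key() -> str:
    """Mint a new key with 128 bits of CSPRNG entropy after the prefix."""
    return KEY_PREFIX + secrets.token_hex(16)


def key_digest(full_key: str) -> str:
    """One-way SHA-256 of the full key; this is the only form ever persisted."""
    return hashlib.sha256(full_key.encode("utf-8")).hexdigest()


def key_display_prefix(full_key: str) -> str:
    """What the dashboard shows, e.g. sk_live_a8f3****."""
    random_part = full_key[len(KEY_PREFIX):]
    return KEY_PREFIX + random_part[:VISIBLE_CHARS] + "****"


def store_api_key(store: dict, full_key: str) -> dict:
    """Persist metadata only. The returned record never contains the full key."""
    record = {
        "prefix": key_display_prefix(full_key),
        "sha256": key_digest(full_key),
        "revoked": False,
    }
    store[record["sha256"]] = record
    return record


def lookup_api_key(store: dict, presented_key: str):
    """Authenticate a presented key by hashing it and looking the digest up.

    Because the key carries 128 bits of entropy, an unsalted fast hash is
    adequate here (unlike for user-chosen passwords): a leaked table of
    digests cannot be brute-forced back to keys. Revoked keys are rejected.
    """
    record = store.get(key_digest(presented_key))
    if record is None or record["revoked"]:
        return None
    return record


def revoke_api_key(store: dict, prefix: str) -> int:
    """Revoke every active key whose display prefix matches; returns the count."""
    revoked = 0
    for record in store.values():
        if record["prefix"] == prefix and not record["revoked"]:
            record["revoked"] = True
            revoked += 1
    return revoked


if __name__ == "__main__":
    keys = {}
    new_key = generate_api_key()          # shown to the developer exactly once
    rec = store_api_key(keys, new_key)    # only prefix + digest are kept
    print(rec["prefix"], lookup_api_key(keys, new_key) is not None)
```

A stolen copy of the `keys` table reveals prefixes and digests only; the developer-facing prefix is enough to tell keys apart in the dashboard and to target a revocation, while authentication always goes through the digest.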
4. What we process about your end-users (as processor)
When your application calls our API, you transmit metering events to us. By design we only require:
- End-user identifier (end_user_id) - an opaque string of your choosing. We strongly recommend a stable, non-identifying ID (e.g. a UUID) rather than email or full name.
- Event records: event type, quantity, timestamp, optional metadata fields you choose to send.
- Subscription state: which plan an end-user is on, period boundaries, counters.
- Behavioral analytics events - where the Customer uses the behavioral analytics features, product-usage events and person-profile properties as described in Section 4c.
We do not require, expect or want any special-category data (article 9 GDPR) about your end-users. The Customer is responsible for ensuring that the end_user_id and metadata fields it transmits do not contain unnecessary personal data, and that it has an appropriate legal basis to share them with us as its processor.
What we observe in chat, agent and multi-turn flows. Where the Customer's application is a chatbot, copilot or autonomous agent, each turn the Customer chooses to instrument is sent to us as a separate metering event. Without the Optional Content Features we still only see end_user_id, event type, quantity, timestamp and custom metadata for each turn — not the underlying text. If the Customer has enabled Prompt Logging, the full conversation history that the Customer chooses to attach to the prompt field (including system prompts, retrieved context, prior assistant turns and tool-call payloads, if the Customer serialises them there) is received and stored by us. If the Customer has enabled Media Uploads, AI-generated images, audio and video produced in the same flow are received and stored by us. We never intercept traffic between the Customer's application and its AI provider; data only reaches us because the Customer's code chose to send it.
4a. Optional Content Features (prompts, responses, media)
Two features of the Service are off by default and opt-in per app by an authorised member of the Customer's workspace:
- Prompt Logging - when the Customer enables it, the SDK may transmit and we store free-form prompt and response text strings associated with each metering event.
- Media Uploads - when the Customer enables it, the SDK may transmit and we store binary artefacts (images, video clips, audio files) produced by the Customer's AI generation flow, associated with each metering event.
We process this content strictly as a processor on the Customer's documented instructions, under article 28 GDPR and the DPA terms below (Section 11). The Customer is the controller. We do not select, generate, prompt, review, sample or otherwise determine the content; we host it because the Customer asked us to.
Because this content is supplied by the Customer's application, it may foreseeably contain personal data, special-category data within the meaning of article 9 GDPR (e.g. health, sexual orientation, religious belief, biometric data), data relating to criminal convictions under article 10 GDPR, intellectual property of third parties, or other sensitive content. The Customer is exclusively responsible for: (i) selecting an appropriate legal basis under articles 6 and (where applicable) 9 GDPR for capturing such content; (ii) providing end-user information and notice under articles 13–14 GDPR; (iii) obtaining any required consents (including under art. 7 of the Italian Privacy Code, the AI Act, and any sectoral rules); (iv) conducting a DPIA under article 35 GDPR where required; (v) honouring end-user data-subject requests under articles 12–23 GDPR; and (vi) ensuring that the content does not breach the Acceptable Use rules of the Terms of Service. We act on the Customer's instructions for retention, deletion and export of this content.
Object-storage layout and pseudonymisation. Media files are stored in a Cloudflare R2 bucket under an object-key path of the form {mode}/ws_{workspaceId}/app_{appId}/eu_{endUserIdHash}/{YYYY}/{MM}/{eventId}/{mediaId}.{ext}, where endUserIdHash is an HMAC-SHA-256 of the Customer's end-user identifier computed with a workspace-scoped secret. This pseudonymises the end-user identifier inside the object-key path so that requests targeted at a single end-user's folder can be served without exposing the raw identifier to the storage layer.
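The path layout and HMAC pseudonymisation just described, as an added worked example that is not the service's own code. The mode values ("live"/"test"), the secret bytes, the workspace/app/event/media identifiers and the parser are constructed assumptions; the page does not describe how the real workspace secret is derived. The example shows three properties a practitioner should check: the raw end_user_id never appears in the key, the same end-user hashes differently under a different workspace secret (so keys cannot be correlated across workspaces), and one end-user's objects all share a single listable prefix.

```python
import hashlib
import hmac
import re

# Added illustration of the Section 4a object-key layout. All identifiers,
# the secret and the allowed mode values are constructed assumptions.

ALLOWED_MODES = ("live", "test")  # assumption, mirroring the live/test split elsewhere in the policy

KEY_PATTERN = re.compile(
    r"^(?P<mode>live|test)/ws_(?P<workspace_id>[^/]+)/app_(?P<app_id>[^/]+)/"
    r"eu_(?P<end_user_id_hash>[0-9a-f]{64})/(?P<year>\d{4})/(?P<month>\d{2})/"
    r"(?P<event_id>[^/]+)/(?P<media_id>[^/.]+)\.(?P<ext>[^/]+)$"
)


def end_user_id_hash(workspace_secret: bytes, end_user_id: str) -> str:
    """HMAC-SHA-256 of the Customer's end_user_id under a workspace-scoped secret.

    A keyed MAC rather than a plain hash means the storage layer (or anyone
    holding only the bucket listing) cannot recover or confirm a guessed
    end_user_id without the secret.
    """
    return hmac.new(workspace_secret, end_user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def end_user_prefix(mode: str, workspace_id: str, app_id: str,
                    end_user_id: str, workspace_secret: bytes) -> str:
    """Prefix under which every object of one end-user lives (per-user listing/deletion)."""
    if mode not in ALLOWED_MODES:
        raise ValueError(f"mode must be one of {ALLOWED_MODES}")
    return f"{mode}/ws_{workspace_id}/app_{app_id}/eu_{end_user_id_hash(workspace_secret, end_user_id)}/"


def media_object_key(mode: str, workspace_id: str, app_id: str, end_user_id: str,
                     year: int, month: int, event_id: str, media_id: str, ext: str,
                     workspace_secret: bytes) -> str:
    """Build the full {mode}/ws_/app_/eu_/YYYY/MM/eventId/mediaId.ext object key."""
    prefix = end_user_prefix(mode, workspace_id, app_id, end_user_id, workspace_secret)
    return f"{prefix}{year:04d}/{month:02d}/{event_id}/{media_id}.{ext}"


def parse_media_object_key(key: str) -> dict:
    """Split a key back into its components; the end-user part is only the HMAC."""
    match = KEY_PATTERN.match(key)
    if match is None:
        raise ValueError("not a valid media object key")
    return match.groupdict()


if __name__ == "__main__":
    secret = b"constructed-workspace-secret"
    key = media_object_key("live", "w1", "a1", "alice@example.com",
                           2026, 5, "ev1", "m1", "png", secret)
    print(key)
    print(parse_media_object_key(key)["end_user_id_hash"])
```

Deleting or exporting a single end-user's media then reduces to listing `end_user_prefix(...)`, which requires the workspace secret; a party with bucket access but no secret sees only opaque `eu_` folders.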
Optional bring-your-own bucket. Customers may, where the feature is available, route Media Uploads to a Cloudflare R2 (or comparable) bucket they own and manage. In that case we remain a processor with respect to the upload flow, but the Customer is the data controller of the destination bucket and the sole party responsible for its security, retention, deletion, breach notification and legal-hold obligations.
4b. No AI model training, no advertising, no resale
We do not use any of the following for training, fine-tuning, retrieval-augmenting, evaluating, distilling, or otherwise improving any AI model (whether ours, our processors', or any third party's):
- your account data, configuration, dashboard activity or support communications;
- metering events, end_user_id values and custom metadata fields submitted by your application;
- prompts, AI responses and conversation history captured through Prompt Logging;
- images, audio, video and other binary artefacts captured through Media Uploads;
- tool-call payloads, retrieved context and any agent traces serialised into the payloads above.
We do not sell, rent, license or otherwise share this data for advertising or for any independent commercial purpose. We do not embed third-party advertising scripts, behavioural-advertising cookies, ad-network identifiers or cross-site fingerprinting tools in the Service.
We may, however, use aggregated and irreversibly de-identified statistics for the purposes set out in Section 5 (e.g. to publish benchmarks, monitor platform reliability, or improve the Service's capacity planning). Aggregated statistics, by definition, do not identify any individual.
4c. Behavioral analytics (capture, identify, alias)
Separately from metering, the Service offers an optional behavioral analytics capability that a Customer may choose to use through our SDK. The Service is not a transparent proxy; data reaches us only when the Customer's application calls the analytics methods.
capture records a product-usage event — for example a screen or page view, an onboarding step, a paywall impression or a feature-engagement event — against a behavioral identifier (distinctId) the Customer chooses. Properties the Customer attaches are stored with the event; reserved $set/$set_once properties update a person profile held for that identifier. identify links an anonymous behavioral identifier to an identified one and merges the associated event history and person profile into a single person record. alias records that two identifiers belong to the same person, without merging their histories.
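The capture / identify / alias semantics above, as an added in-memory model that is not the service's SDK or server code. The class, its method names and the rule that the identified profile wins on conflicting properties during identify are constructed assumptions; the page only states that identify merges history and profile while alias does not. The model makes the difference visible: $set overwrites, $set_once only fills a gap, identify re-points the anonymous history onto the identified person, and alias links two identifiers while leaving both histories where they are.

```python
# Added in-memory model of the Section 4c behavioral analytics semantics.
# Constructed illustration; not the service's SDK or backend.


class AnalyticsStore:
    def __init__(self):
        self.events = []        # (distinct_id, event_name, properties)
        self.persons = {}       # canonical person id -> profile dict
        self.id_to_person = {}  # distinct_id -> canonical person id
        self.aliases = set()    # frozenset({person_a, person_b}) links from alias()

    def _person_for(self, distinct_id):
        """Return (creating if needed) the canonical person behind an identifier."""
        if distinct_id not in self.id_to_person:
            self.id_to_person[distinct_id] = distinct_id
            self.persons[distinct_id] = {}
        return self.id_to_person[distinct_id]

    def capture(self, distinct_id, event_name, properties=None):
        """Record an event; reserved $set / $set_once keys update the person profile."""
        properties = dict(properties or {})
        profile = self.persons[self._person_for(distinct_id)]
        for key, value in properties.pop("$set", {}).items():
            profile[key] = value                 # $set always overwrites
        for key, value in properties.pop("$set_once", {}).items():
            profile.setdefault(key, value)       # $set_once only fills a missing value
        self.events.append((distinct_id, event_name, properties))

    def identify(self, anonymous_id, identified_id):
        """Merge the anonymous identifier's history and profile into the identified person."""
        anon_person = self._person_for(anonymous_id)
        ident_person = self._person_for(identified_id)
        if anon_person == ident_person:
            return ident_person
        anon_profile = self.persons.pop(anon_person)
        # assumption: on conflicting keys the identified profile wins
        self.persons[ident_person] = {**anon_profile, **self.persons[ident_person]}
        for did, person in list(self.id_to_person.items()):
            if person == anon_person:
                self.id_to_person[did] = ident_person
        return ident_person

    def alias(self, distinct_id, alias_id):
        """Record that two identifiers belong to the same person without merging histories."""
        pair = frozenset({self._person_for(distinct_id), self._person_for(alias_id)})
        if len(pair) == 2:
            self.aliases.add(pair)

    def profile(self, distinct_id):
        return self.persons[self._person_for(distinct_id)]

    def events_for(self, distinct_id):
        """Events captured under exactly this identifier."""
        return [e for e in self.events if e[0] == distinct_id]

    def person_events(self, distinct_id):
        """Events of every identifier merged (via identify) into this person."""
        person = self._person_for(distinct_id)
        return [e for e in self.events if self.id_to_person.get(e[0]) == person]

    def same_person(self, id_a, id_b):
        pa, pb = self._person_for(id_a), self._person_for(id_b)
        return pa == pb or frozenset({pa, pb}) in self.aliases


if __name__ == "__main__":
    store = AnalyticsStore()
    store.capture("anon-1", "screen_view", {"screen": "home", "$set_once": {"first_seen": "2026-05-01"}})
    store.capture("user-42", "paywall_impression", {"$set": {"plan": "pro"}})
    store.identify("anon-1", "user-42")
    print(store.profile("user-42"), len(store.person_events("user-42")))
```

From a data-protection angle the model also shows why the policy treats this as profiling: once identify has run, every anonymous event captured before sign-in becomes attributable to the identified person.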
For this data the Customer is the controller and the Provider is a processor under article 28 GDPR, exactly as for metering events (Section 2). The Customer decides which behavioral events to capture, what properties to attach, and which identifier to use; we process on its documented instructions. We again recommend a stable, non-identifying distinctId rather than an email address or full name.
Behavioral analytics builds a record of how an end-user moves through the Customer's application and can therefore amount to profiling within the meaning of article 4(4) GDPR. The Customer is exclusively responsible for: (i) selecting an appropriate legal basis under article 6 GDPR; (ii) providing end-user information and notice under articles 13–14 GDPR; (iii) obtaining any consent required by law, including consent under the ePrivacy rules and art. 122 of the Italian Privacy Code where its integration stores or reads identifiers on the end-user's device; (iv) honouring end-user data-subject requests under articles 12–23 GDPR; and (v) not using behavioral analytics to track, profile or re-identify a person the Customer knows or ought reasonably to know is a minor without a valid legal basis and any parental consent required by article 8 GDPR (see Section 13). We do not use behavioral analytics data to train AI models and we do not sell it (see Section 4b).
5. Why we process this data, and on what legal basis
| Purpose | Legal basis (art. 6 GDPR) |
|---|---|
| Creating and operating your account; providing the Service. | Performance of a contract - art. 6(1)(b). |
| Sending login OTP codes and transactional emails. | Performance of a contract - art. 6(1)(b). |
| Billing, invoicing, anti-fraud and accounting record-keeping. | Performance of a contract - art. 6(1)(b); legal obligation under Italian and EU tax law - art. 6(1)(c). |
| Security, abuse detection, audit logs, debugging. | Legitimate interest in operating a secure service - art. 6(1)(f). |
| Limited product analytics (which features you use) to improve the Service. | Legitimate interest - art. 6(1)(f). You may object at any time. |
| Sending product updates and onboarding information by email. | Legitimate interest - art. 6(1)(f). Each email contains an unsubscribe link. |
| Marketing communications unrelated to your existing relationship. | Consent - art. 6(1)(a). Only if you opt in. |
| Storing prompts, responses and media submitted through the Optional Content Features on the Customer's opt-in instructions. | Performance of a contract with the Customer - art. 6(1)(b). With respect to the underlying personal data of end-users, we act as a processor (art. 28 GDPR) and rely on the Customer's legal basis under articles 6 and (where applicable) 9 GDPR. |
| Recording behavioral analytics events and person profiles on the Customer's instructions (Section 4c). | Performance of a contract with the Customer - art. 6(1)(b). With respect to the end-users' personal data, we act as a processor (art. 28 GDPR) and rely on the Customer's legal basis under article 6 GDPR. |
| Detecting, removing or blocking illegal, infringing or abusive content uploaded through the Service (including notice-and-action under the Digital Services Act). | Legal obligation - art. 6(1)(c); legitimate interest in operating a lawful and safe service - art. 6(1)(f). |
| Responding to subpoenas, regulatory requests, legal claims. | Legal obligation - art. 6(1)(c); legitimate interest - art. 6(1)(f). |
6. Cookies and similar technologies
We use only the cookies and local-storage entries that are strictly necessary to operate the Service: a session cookie set by Better Auth to keep you signed in, a small apl-theme entry in localStorage to remember your dark/light preference, and an apl_mode cookie that remembers whether your dashboard is in live or test mode. These are exempt from prior consent under art. 122 of the Italian Privacy Code and the EDPB Guidelines 2/2023.
We do not currently use third-party advertising cookies, cross-site trackers, or fingerprinting tools. If we add non-essential analytics in the future, we will request your consent through a cookie banner before activating them.
7. How we share data
We share personal data only with carefully selected service providers acting as our data processors under article 28 GDPR. As of the date of this policy:
- Vercel Inc. (United States / EU regions) - application hosting and CDN.
- Turso / ChiselStrike Inc. - managed libSQL/SQLite database.
- Cloudflare, Inc. - object storage for Media Uploads (Cloudflare R2) and edge networking. Where a Customer connects its own Cloudflare R2 (or comparable) bucket, that bucket is operated under the Customer's own contract with Cloudflare and the Customer is the controller of its contents.
- Resend (Resend Inc.) - transactional email delivery (login codes, notifications).
- Better Auth - authentication library (executed inside our own infrastructure; no separate processor flow).
- Stripe Payments Europe Ltd. - payment processing (only when paid tiers are activated; Stripe acts as an independent controller for card data).
We do not sell, rent, or trade personal data — see Section 4b for the full commitment. We may disclose information to law-enforcement bodies or regulators only where required by a binding legal instrument or to defend a legal claim, on the terms described in Section 12a.
8. Transfers outside the EU/EEA
Some of our processors are based in or operate from the United States. When personal data is transferred outside the EU/EEA we rely on appropriate safeguards under Chapter V GDPR, including:
- adequacy decisions of the European Commission (e.g. the EU–US Data Privacy Framework, where the recipient is certified); and/or
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with additional technical and organisational measures where necessary.
You may request a copy of the relevant safeguards by writing to s.castellitti.dev@gmail.com.
9. How long we keep data
- Account & profile data: for as long as your account exists, plus up to 90 days after deletion to allow account recovery and security checks.
- Metering events & counters: kept for as long as the corresponding workspace and app exist. They are not currently subject to automatic time-based deletion or anonymisation. A Customer may, at any time, request deletion of a specific end-user's metering data by writing to s.castellitti.dev@gmail.com, and all such data is removed when the workspace or app is deleted.
- Behavioral analytics events & person profiles: kept for as long as the corresponding workspace and app exist, on the same basis as metering events; test-mode analytics data is hard-deleted after 30 days.
- Prompt and response logs (Optional Content Feature, when enabled by the Customer): retained for 7 days on the Free tier and 30 days on paid tiers, after which they are deleted by an admin cleanup job. The Customer may request earlier deletion at any time. Per-field cap: 32 KB, server-side truncated above the cap.
- Uploaded media (Optional Content Feature, when enabled by the Customer): retained for the duration agreed with the Customer, subject to a default maximum of 30 days for sandbox/test-mode content and to the Customer's deletion and account-termination instructions for live content. Rows that never complete the upload step are marked “orphaned” by a background sweep and removed on a best-effort basis. Where a Customer routes uploads to its own bucket, retention is controlled exclusively by the Customer.
- Billing & invoice records: 10 years from issuance, as required by Italian tax legislation (D.P.R. 633/1972 and D.P.R. 600/1973).
- Server logs: typically 30–90 days, longer if needed for an ongoing security investigation.
- Support emails: up to 24 months after the conversation ends.
After the applicable retention period, data is either deleted or irreversibly anonymised.
10. Your rights under the GDPR
As a data subject you have the right to:
- Access the personal data we hold about you (art. 15);
- Rectify inaccurate or incomplete data (art. 16);
- Have your data erased (“right to be forgotten”), subject to legal-retention obligations (art. 17);
- Request restriction of processing while a dispute is being resolved (art. 18);
- Data portability - receive a structured, machine-readable copy of data you provided (art. 20);
- Object to processing based on legitimate interest, including for direct marketing (art. 21);
- Withdraw consent at any time, where processing is based on consent (art. 7);
- Lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma - www.garanteprivacy.it) or another competent supervisory authority.
To exercise any of these rights, write to s.castellitti.dev@gmail.com. We will respond within 30 days, extendable by up to two further months for complex requests (art. 12 GDPR).
10a. If you are an end-user of an application that uses our SDK
If you reached this page because a third-party application you use has integrated the AiPricingLab SDK, please note the following:
- We are a processor with respect to the data that application transmits to us about you. We act on its documented instructions; we do not decide why your data is collected, what is collected, or for how long it is kept beyond the defaults documented in Section 9.
- The operator of the application you use is the data controller. They are required, under articles 13–14 GDPR (and, where applicable, our Terms of Service §4a), to inform you of our role and to receive your data-subject requests on our behalf as a sub-processor.
- You should, in the first instance, contact the operator of that application — not us — to exercise your access, rectification, erasure, restriction, portability, objection or withdrawal-of-consent rights under articles 15–22 GDPR. They have the keys, identifiers and account context required to recognise you and to instruct us to act on your data.
- If you cannot identify the operator, or if you have already contacted them and they have not actioned your request within a reasonable time, you may write to us at s.castellitti.dev@gmail.com. We will, where lawfully possible, forward your request to the relevant Customer, ask them to act on it, and notify you of the outcome. We may need to verify your identity before doing so. We may be unable to identify you in our systems without the operator's assistance, because we typically only hold an opaque identifier they chose for you.
- You may also lodge a complaint with the Italian Data Protection Authority or another competent supervisory authority (see Section 10).
11. Data Processing Agreement (DPA)
For data we process on your behalf about your end-users (i.e. Customer Personal Data within the meaning of art. 28 GDPR), our processing is governed by the standalone Data Processing Agreement available at aipricinglab.space/dpa (the “DPA”). The DPA is incorporated by reference into our Terms of Service and forms part of the agreement between us. It sets out, in particular:
- the subject-matter, duration, nature, purpose, types of personal data and categories of data subjects of the processing (Schedule 1);
- our obligations as your processor under articles 28, 32–36 GDPR (including confidentiality of personnel, assistance with data-subject rights, security incident notification within 72 hours, and deletion or return at the end of the services);
- the technical and organisational measures we apply to Customer Personal Data (Schedule 2);
- the current list of sub-processors and the prior-notice and objection mechanism for changes (Schedule 3 and DPA §7);
- the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 3) for transfers of Customer Personal Data to sub-processors outside the EU/EEA, with the selections and annex content set out in DPA §12.
On request to s.castellitti.dev@gmail.com, we will provide a countersigned PDF copy of the DPA for your records.
HIPAA and Business Associate Agreements. The Service is not HIPAA-compliant and is not designed for the handling of Protected Health Information (PHI). We do not currently sign Business Associate Agreements (BAAs). Customers operating in scope of HIPAA, or transmitting healthcare data subject to equivalent regimes, must not transmit PHI to the Service (see Terms §4).
12. Security
We implement appropriate technical and organisational measures to protect personal data, including: TLS for data in transit, encryption at rest where supported by our database and object-storage providers, access control and least-privilege roles for staff, hashed storage of credentials and API keys, HMAC-based pseudonymisation of end-user identifiers in media object-key paths (Section 4a), workspace-scoped secret material for that pseudonymisation, audit logging, isolation of test-mode and live-mode storage, and regular software updates.
No system is perfectly secure. If we become aware of a personal-data breach likely to result in a risk to data subjects, we will notify the competent supervisory authority within 72 hours and, where required by article 34 GDPR, the affected users without undue delay.
We do not guarantee disaster-recovery backups of content stored through the Optional Content Features. Customers who require such guarantees must keep their own copy of any prompt, response or media file that has legal, evidentiary, medical, financial or business-continuity value.
12a. Law-enforcement, regulatory and government requests
We may receive requests for personal data from law-enforcement bodies, regulatory authorities, courts or other government entities. Our approach is:
- We will only disclose personal data where we are compelled to do so by a binding legal instrument (e.g. a court order, judicial warrant, or other enforceable demand) that is valid under Italian and EU law, or where disclosure is necessary to protect life, prevent serious harm, or respond to a credible security incident.
- We do not build, operate, or knowingly cooperate with the operation of any general-purpose surveillance or bulk-data-collection programme. There is no back-door access to Customer Data or end-user data, and no contractual obligation on us to provide such access.
- Where we receive a request that targets Customer Data or end-user data we process on a Customer's behalf, we will, where legally permitted, give the affected Customer reasonable notice so that they can challenge the request or seek a protective order. Where we are legally prohibited from notifying the Customer (e.g. a gag order), we will challenge the prohibition through the channels available to us and will notify the Customer as soon as the prohibition lapses.
- We will, where lawfully possible, narrow the scope of any request to the minimum personal data strictly required to comply with the lawful instrument, and refuse requests that are overbroad, fishing-expedition in nature, or that target categories of data not described in the instrument.
- We may, in the future, publish a transparency report describing the number and type of government requests received and the proportion challenged or refused. We do not currently publish one because volumes are not yet sufficient to be meaningful.
13. Children
The Service is intended for businesses and developers. It is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact s.castellitti.dev@gmail.com and we will delete it.
Minors among a Customer's end-users. A Customer's application may itself be used by minors. We act only as a processor, we receive an opaque identifier, and we cannot determine an end-user's age. The Customer, as controller, is solely responsible for: identifying whether its end-users include children; determining the applicable digital-consent age (16 by default under article 8 GDPR; 14 in Italy under art. 2-quinquies of the Italian Privacy Code); obtaining any parental or guardian consent that threshold requires; applying age-appropriate design and the heightened protections children's data demands; and carrying out a DPIA under article 35 GDPR where required. The Customer must not use the behavioral analytics features (Section 4c) or the Optional Content Features to track, profile or re-identify a person it knows, or ought reasonably to know, is a minor without those safeguards in place — see Terms of Service §4.
14. Automated decision-making
We do not use the personal data we hold about you to make decisions producing legal effects concerning you, or similarly significantly affecting you, by solely automated means within the meaning of article 22 GDPR.
15. Changes to this Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent version. Material changes will be notified by email or through the dashboard before they take effect.
16. Contact
Any privacy-related question or request can be sent to s.castellitti.dev@gmail.com.