Privacy Policy
EMSy S.r.l. - Version of September 15, 2025
1. Scope
This privacy notice describes the processing of personal data related to the use of the "EMSy" digital services.
2. Principles
We process data according to lawfulness, fairness, transparency, minimization, integrity and confidentiality (art. 5 GDPR).
3. Data Categories Processed
- Account data: name, email, profession, organization/company, preferences.
- Usage data and technical logs: IP address, device identifiers, timestamps, application events, errors.
- User-Generated Content: texts and information entered in forms/input areas excluding any data that directly or indirectly identifies patients.
- Billing/payment data: company name, VAT ID/Tax ID, address, transaction amounts and metadata (card data is managed by payment service providers).
4. Purposes and Legal Bases
- Service Delivery (art. 6.1.b GDPR – contract).
- Support and operational communications (art. 6.1.b).
- Security, fraud prevention, legal defense (art. 6.1.f – legitimate interest).
- Analytics, product improvement and scientific research on aggregated or anonymized data (art. 6.1.a – consent via CMP, when requiring non-technical cookies/identifiers).
- Direct marketing (newsletter/updates) only with consent (art. 6.1.a) and revocable at any time.
- Billing and accounting/tax obligations (art. 6.1.c – legal obligation).
5. Minors
The Services are prohibited for minors under 18 years of age. We may implement reasonable age and professional qualification verification measures.
6. Provision
Failure to provide the data necessary for contractual performance prevents use of the Services. Consent for analytics/marketing is optional.
7. Cookies and Similar Technologies
We use technical cookies/SDKs to deliver the Services. Analytics/marketing tools are activated only with prior consent through a cookie banner/CMP with "Accept all", "Reject all" and granular choice options. Consent can be withdrawn at any time from the "Cookie Preferences" link.
8. Recipients and Categories of Suppliers
We process data with vendors who act as Data Processors (art. 28 GDPR) or independent Controllers for specific purposes.
Complete list of sub-processors: for detailed information on all vendors, data categories processed, legal bases and links to Data Processing Agreements, please consult our dedicated Sub-Processors List.
The main providers include:
- Vercel, Inc. - hosting/app delivery (USA/EU, EU–US DPF)
- Stripe, Inc. - PSP payments (USA/EU, EU–US DPF)
- Google LLC - analytics (USA/EU, EU–US DPF, consent only)
- OpenAI - language models (USA/EU, SCC + TIA, no training)
- Anthropic - language models (USA, SCC + TIA, no training)
- Pinecone - vector database (USA/EU, SCC + TIA)
Important note: Where available, we prioritize EU regions and pseudonymization/minimization measures. We do not use your content to train third-party models. Patient data is never shared with external providers.
9. Transfers outside the EEA
For certified EU-US Data Privacy Framework (DPF) providers (e.g., Vercel, Stripe, Google), transfers occur on the basis of an adequacy decision. For other providers (e.g., OpenAI, Anthropic, Pinecone), we use Standard Contractual Clauses (SCC) accompanied by Transfer Impact Assessment (TIA) and supplementary technical measures (encryption, minimization, pseudonymization).
10. Retention Periods
- Account data: for the duration of the relationship and up to 24 months from last access, unless required by law.
- Submitted content (no patient data): up to 90 days, then pseudonymization/anonymization where possible.
- Technical/security logs: 6 months (unless further retention is necessary for security or defense purposes).
- Billing: according to legal requirements (up to 10 years).
- Marketing: until consent is withdrawn and, in any case, 24 months of inactivity.
11. Security
We implement appropriate technical and organizational measures: encryption in transit and at rest where applicable, access controls, logging, hardening, backups, data minimization, environment segregation, periodic vendor review.
12. Your Rights
You can exercise the rights referred to in articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection; withdrawal of consent) by writing to info@emsy.io. We respond within 30 days. You can always file a complaint with the Data Protection Authority (www.gpdp.it).
13. Data Breach
In case of personal data breach:
- Notification to the Data Protection Authority (art. 33 GDPR) within 72 hours if the breach is likely to result in a risk to the rights and freedoms of natural persons.
- Communication to data subjects (art. 34 GDPR) without undue delay if the breach is likely to result in a high risk.
14. Profiling and Automated Decision-Making
We may employ light profiling logic for gamification/leaderboard and non-invasive personalization of the experience. Profiling does not produce legal effects concerning the User, nor does it similarly significantly affect the User. You can object at any time by contacting us.
15. Updates
We may update this privacy notice; in case of substantial modifications, we will provide adequate notice.
Current Version: September 15, 2025
Last substantial update: First official version (replaces the Beta version)