Personal data processing notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)‍

Last updated: 25/03/2026

1. Data Controller

The Data Controller of your personal data is:

Company name: Algor Lab S.r.l.

‍Registered office: Corso Castelfidardo 30/A, Turin, Italy

‍VAT number: IT12537010014

‍Email: info@algoreducation.com

‍PEC (certified email): algorlab@pec.it

2. Scope of application

This notice applies to the processing of personal data carried out through:

• the Algor Lab website (hereinafter "Website");
• the mobile application for iOS and Android (hereinafter "App");
• any other digital service provided by Algor Lab S.r.l. (hereinafter collectively, the "Platform").

3. Personal data collected

3.1 Data provided by the user

• Registration data: first name, last name, email address, password (encrypted), date of birth.
• Third-party authentication data: profile information from the Google account or Apple ID used for Single Sign-On (SSO).
• Uploaded content: documents (PDF, Word, TXT), images (JPG, PNG), audio and video files uploaded for processing through the Platform's artificial intelligence features.
• Communications: data contained in any messages sent to the support service.

3.2 Automatically collected data

• Usage data: pages visited, features used, frequency and duration of sessions, type of concept maps and summaries generated.
• Device data: model, operating system, App version, unique device identifiers, language, time zone.
• Log data: IP address, date and time of access, any errors and crash reports.
• Data from third-party SDKs: analytical data collected by Firebase Analytics/Google Analytics, Facebook SDK, and advertising platforms (Google Ads, TikTok Ads, Apple Search Ads) as described in Section 8.

3.3 Data NOT collected

The Platform does not collect geolocation data, biometric data, or data relating to health, sexual orientation, political opinions, religious beliefs, or other special categories of data under Article 9 GDPR. No judicial data is processed under Article 10 GDPR.

4. Purposes and legal bases of processing

4.1 Performance of a contract (Art. 6.1.b GDPR)

• Registration and management of the user account.
• Provision of Platform services: generation of concept maps, automatic summaries, AI-powered document analysis.
• Processing of content uploaded by the user through integrated AI services.
• Management of subscriptions and payments.
• Technical assistance and customer support.

4.2 Consent (Art. 6.1.a GDPR)

• Sending marketing communications, newsletters, and promotional material relating to the Controller's or third parties' products and services.
• Profiling: analysis of Platform usage habits for sending personalised commercial communications.
• Sending push notifications to the mobile device.
• Collection and use of device advertising identifiers (IDFA on iOS via App Tracking Transparency; GAID on Android via Consent Management Platform) for advertising campaign attribution and measurement purposes.

Consent is optional and may be withdrawn at any time without affecting the lawfulness of processing based on consent given before withdrawal.

4.3 Legitimate interest (Art. 6.1.f GDPR)

• Prevention of fraud and Platform abuse.
• Improvement and optimisation of the services offered.
• Aggregate and anonymous analysis of Platform usage.

4.4 Legal obligation (Art. 6.1.c GDPR)

Fulfilment of fiscal, accounting, and administrative obligations required by applicable law.

5. Processing of minors' data

The Platform is also intended for users under the age of 14, as an educational tool for students. Algor Lab pays the utmost attention to the protection of minors' data, in compliance with Article 8 GDPR and Article 2-quinquies of Legislative Decree 101/2018, which sets the digital consent threshold at 14 years of age in Italy.

5.1 Parental consent

For users under the age of 14, registration on the Platform requires verified consent from a parent or legal guardian. Consent is collected through an email verification process: at the time of registration, an email is sent to the address provided by the parent containing a confirmation link that must be activated within 48 hours. In the absence of confirmation, the account is not activated and the collected data is deleted.

5.2 Specific safeguards for minors

• Minors' data is not used for commercial profiling purposes.
• Minors' data is not used to send direct marketing communications.
• Minors' data is not tracked via advertising identifiers (IDFA/GAID). Advertising SDKs are disabled for accounts identified as belonging to minors.
• Privacy information is provided in clear and understandable language for a young audience.
• The parent or legal guardian may at any time exercise the data subject's rights on behalf of the minor, including account deletion.

6. Use of artificial intelligence

The Platform uses artificial intelligence technologies to provide the following features:

• Automatic generation of study content from texts and documents.
• Responses to requests related to uploaded study content, upon user request.

6.1 Data processing via AI provider

To provide these features, content uploaded by the user is transmitted to Google Gemini (Google LLC). Processing takes place on servers located within the European Union. It is noted that:

• Data is transmitted exclusively for the processing requested by the user and is not used by the AI provider to train its own models.
• Data is processed on infrastructure located in the European Union, in compliance with the GDPR.
• The user may at any time delete content uploaded from their account.

6.2 Limitations of artificial intelligence and disclaimer

Content generated by the Platform's artificial intelligence (concept maps, summaries, analyses) is produced automatically and may contain errors, inaccuracies, omissions, or outdated information (so-called "hallucinations"). The user is therefore invited to always verify the accuracy and completeness of generated results before relying on them.

Algor Lab does not guarantee the correctness, completeness, or suitability of AI-generated content for any specific purpose. The use of AI-generated results is entirely at the user's own risk. The Controller cannot be held liable for any damages arising from the use of or reliance on automatically generated content.

6.3 Automated decisions

The Platform's AI features are support tools and do not produce decisions with legal or significant effects on the user under Article 22 GDPR. The user always retains full control over the generated results and may freely modify or delete them.

7. Payments

The Platform offers subscription-based paid services. Payments are managed exclusively through external payment platforms (Stripe and PayPal), which act as independent data controllers for payment data. Algor Lab does not collect, store, or have access to your credit card details or PayPal account information.

For information on how these providers process data, please refer to their respective privacy policies:

• Stripe: https://stripe.com/privacy
• PayPal: https://www.paypal.com/privacy

8. SDKs and third-party services

The Platform integrates the following third-party SDKs and services, each with its own purposes:

8.1 Analytics

Firebase Analytics / Google Analytics (Google LLC) – collection of anonymous and aggregated data on Platform usage for statistical analysis and service improvement purposes. Privacy policy: https://policies.google.com/privacy

8.2 Advertising and measurement

Facebook SDK (Meta Platforms, Inc.) – measurement of advertising campaign effectiveness and conversion attribution. Privacy policy: https://www.facebook.com/privacy/policy

Google Ads (Google LLC) – conversion measurement and advertising campaign optimisation. Privacy policy: https://policies.google.com/privacy

TikTok Ads (ByteDance Ltd.) – conversion measurement and advertising campaign attribution. Privacy policy: https://www.tiktok.com/legal/privacy-policy

Apple Search Ads (Apple Inc.) – installation attribution and measurement of campaign effectiveness on the App Store. Privacy policy: https://www.apple.com/legal/privacy

8.3 Authentication

Google Sign-In (Google LLC) – user authentication via Google account.

Apple Sign-In (Apple Inc.) – user authentication via Apple ID.

8.4 Artificial intelligence

Google Gemini API (Google LLC) – processing of content uploaded by the user for the generation of concept maps, summaries, and document analysis. Processing takes place on servers located in the EU. Privacy policy: https://policies.google.com/privacy

8.5 Consent Management

On iOS, the App implements Apple's App Tracking Transparency (ATT) framework to request consent for tracking via IDFA. On Android, the App uses a Consent Management Platform (CMP) compliant with IAB Europe's TCF 2.2 for collecting consent for tracking via GAID and managing cookie and similar technology preferences.

Advertising SDKs may collect device identifiers (e.g. IDFA on iOS, GAID on Android) for attribution and measurement purposes. Such collection occurs exclusively with the user's prior consent. The user may withdraw consent or limit advertising tracking at any time from their device settings or through the CMP.

9. Device permissions

The App may request access to the following device permissions:

• Camera: to enable image capture and document scanning for processing through AI features.
• Photo/file gallery: to enable the upload of documents, images, audio, and video files for processing through AI features.
• Push notifications: to send notifications relating to service updates, reminders, and, with prior consent, promotional communications.

The App does not request access to the microphone or device geolocation. Each permission may be revoked at any time from the device settings, with the consequence that some features may not be available.

10. Disclosure of personal data

Your personal data may be disclosed to the following categories of recipients:

• IT and cloud hosting service providers acting as Data Processors (Art. 28 GDPR).
• AI service providers (Google Gemini) as described in Section 6.
• Payment service providers (Stripe, PayPal) as described in Section 7.
• Analytics and advertising service providers as described in Section 8.
• CRM platforms for sending communications (subject to user consent).
• Public authorities, judicial or administrative bodies, where required by law.
• The Controller's legal, tax, and accounting advisors, for compliance with regulatory obligations.

Your personal data is not sold to third parties. Disclosure takes place exclusively for the purposes indicated above and on the basis of appropriate legal grounds.

11. Transfer of data outside the EU

The Controller is based in the European Union and data is stored on servers located in the EU. AI processing via Google Gemini also takes place on European servers. However, the use of certain third-party services (in particular Google, Meta, Apple, TikTok/ByteDance, Stripe, PayPal) may involve the transfer of personal data to countries outside the European Economic Area, in particular the United States of America, for analytics, advertising, authentication, and payment purposes.

In such cases, the transfer takes place on the basis of:

• Adequacy decisions by the European Commission (where available), including the EU-U.S. Data Privacy Framework.
• Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46.2.c GDPR.
• Additional technical and organisational supplementary measures, where necessary.

The user may request a copy of the safeguards adopted by contacting the Controller at the details provided in Section 1.

12. Retention of personal data

Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected:

• Account data: for the duration of the contractual relationship and, following account deletion, data is anonymised within 30 days of the deletion request.
• Uploaded content: for the duration of the contractual relationship. Upon account deletion, content is anonymised within 30 days.
• Marketing data: until consent is withdrawn. For inactive users, data is deleted after 12 months from the last interaction.
• Accounting and tax data: for the period required by applicable law (10 years pursuant to Art. 2220 of the Italian Civil Code).
• Log and analytics data: maximum 26 months, in aggregated and anonymised form where possible.

12.1 Account deletion

The user may request deletion of their account at any time through the Platform settings or by contacting the Controller. Following deletion, personal data and uploaded content are irreversibly anonymised within 30 days, except for data whose retention is required by law.

13. Data subject rights

Pursuant to Articles 15–22 GDPR, you have the right to:

• Access (Art. 15): obtain confirmation of whether your data is being processed and access the related information.
• Rectification (Art. 16): obtain correction of inaccurate personal data or completion of incomplete data.
• Erasure (Art. 17): obtain deletion of your personal data in the cases provided for by law.
• Restriction (Art. 18): obtain restriction of processing in the cases provided for by law.
• Portability (Art. 20): receive your data in a structured, commonly used, and machine-readable format.
• Objection (Art. 21): object to the processing of your personal data based on legitimate interest.
• Withdrawal of consent: withdraw consent given at any time, without affecting the lawfulness of processing based on consent given before withdrawal.

To exercise your rights, you may contact the Controller at the details provided in Section 1, without any particular formality. The Controller will respond to your request within 30 days of receipt, extendable by a further 60 days in cases of particular complexity.

You also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) if you believe that the processing of your data violates the GDPR.

14. Cookies and tracking technologies

The Website uses cookies and similar technologies. For detailed information on the cookies used, their purposes, and how to manage preferences, please consult the Cookie Policy available on the Website at: https://www.algoreducation.com/en/legal/cookie-policy

The App does not use cookies but employs similar technologies (e.g. device identifiers) for the purposes described in this notice, always subject to user consent where required.

15. Security measures

The Controller adopts appropriate technical and organisational measures to ensure a level of security appropriate to the risk, pursuant to Art. 32 GDPR, including:

• Encryption of data in transit (TLS/SSL) and at rest.
• Secure authentication systems and encrypted passwords (hashing).
• Data access limited to authorised personnel on a need-to-know basis.
• Regular backups and disaster recovery procedures.
• Periodic system monitoring and auditing.

16. Changes to this notice

The Controller reserves the right to amend this notice at any time. Changes will be published on the Platform and, in the case of material changes, users will be notified by email and/or push notification. The date of the last update is always indicated at the top of the document. Users are invited to periodically review this notice for any updates.

‍