Privacy Policy

Last updated: April 5, 2026

Data Controller

SkyClouds SRLs
Sole Shareholder Company
Corso del Popolo 161
45100 Rovigo (RO), Italy
VAT / P.IVA: 01634740292

1. Introduction

Welcome to Cassandra ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website cassandra.it.com and use our AI-powered customer support platform (collectively, the "Services").

This policy is compliant with the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the Italian Privacy Code (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018), and all applicable data protection laws. By using our Services, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect personal information that you voluntarily provide to us, as well as information automatically collected when you use our Services.

2.1 Information You Provide

  • Account Information: Name, email address, profile image, and organization details when you register via Clerk authentication.
  • Payment Data: When you subscribe to a plan, payment data is processed directly by Stripe. We store your Stripe Customer ID and subscription status but never store credit card numbers on our servers.
  • Knowledge Base Files: Documents you upload (PDFs, CSVs, TXT files, images) to train your AI agent. These are processed by OpenAI for content extraction and indexed for retrieval-augmented generation (RAG).
  • AI Agent Configuration: Custom AI persona settings, conversation starters, greeting messages, and behavioral instructions you define for your agent.
  • Contact Requests: Name, email, subject, and message content submitted through the contact form.
  • Cookie Preferences: Your cookie consent choices as described in our Cookie Policy.

2.2 Information Collected Automatically

  • Session Data: Authentication tokens, session identifiers, and organization context managed by Clerk.
  • Widget Visitor Metadata: When end-users interact with the Cassandra chat widget on your website, we collect browser user agent, language, platform, screen resolution, viewport size, timezone, referrer URL, and current page URL for session management.
  • Usage Analytics: Page views and performance data collected via Vercel Analytics and Microsoft Clarity (only with your consent — see Cookie Policy).
  • Error Tracking: Error stack traces, browser metadata, and session replay data collected by Sentry for debugging purposes. The Sentry instance is hosted in the EU (de.sentry.io).

2.3 AI-Processed Data

  • Conversations: When end-users chat with your AI agent, messages are processed by OpenAI to generate contextual responses using your knowledge base documents.
  • Voice Calls: When the voice assistant is enabled via the Vapi integration, call audio is processed in real time to provide AI-powered voice responses. Call metadata is stored for session management.
  • Knowledge Base Processing: Uploaded documents are processed by OpenAI (GPT-4o) for content extraction, then indexed using vector embeddings for retrieval-augmented generation (RAG). This processing is automated and used solely to provide accurate AI responses.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To create and manage your account, power the AI chat widget, process conversations, and provide the core functionality of Cassandra.
  • AI Agent Operation: To process conversations using your knowledge base, generate AI-powered responses, handle escalations, and provide voice support through Vapi.
  • Payment Processing: To process subscriptions, manage billing, and handle plan upgrades/downgrades via Stripe.
  • Communication: To send transactional emails (escalation notifications, system alerts) via Resend, and to respond to contact form submissions.
  • Security: To authenticate users via Clerk, manage organization access, prevent unauthorized access, and maintain platform security.
  • Improvement: To understand how users interact with our platform (with consent) via analytics tools, and to improve our services and user experience.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. Legal Bases for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds:

Processing Activity | Legal Basis
Account creation & management | Contract performance (Art. 6(1)(b))
AI conversation processing | Contract performance (Art. 6(1)(b))
Knowledge base document processing | Contract performance (Art. 6(1)(b))
Voice assistant (Vapi) calls | Contract performance (Art. 6(1)(b))
Payment processing via Stripe | Contract performance (Art. 6(1)(b))
Transactional emails via Resend | Contract performance (Art. 6(1)(b))
Widget visitor metadata collection | Legitimate interest (Art. 6(1)(f))
Error monitoring (Sentry) | Legitimate interest (Art. 6(1)(f))
Analytics (Clarity, Vercel Analytics) | Consent (Art. 6(1)(a))
Cookie consent management | Legal obligation (Art. 6(1)(c))

5. Third-Party Data Processors

To provide our Services, we share data with the following third-party processors. Each acts as a data processor under Article 28 GDPR, and we have appropriate Data Processing Agreements (DPAs) in place.

Hosting & Infrastructure

Service | Purpose | Data Location
Vercel | Web application hosting, edge functions, serverless API | Global CDN (EU preferred)
Convex | Primary backend database — stores user accounts, organizations, conversations, knowledge base data, contact sessions, and all application data in real time | US (SCC)
Amazon Web Services | File storage (S3) for knowledge base documents and widget assets. Secrets Manager for encrypted API key storage | Configurable region

AI & Conversation Processing

Service | Purpose | Data Processed
OpenAI (GPT-4o) | AI-powered conversation responses, knowledge base document extraction, and retrieval-augmented generation (RAG) | Conversation messages, uploaded documents
Vapi | Real-time voice AI assistant — handles incoming and outgoing phone calls through the chat widget | Call audio, phone numbers, assistant configuration

Note: OpenAI processes conversation data under its API data usage policy — data sent via the API is not used for training. Vapi processes voice calls subject to Vapi's Privacy Policy.

Payments

  • Stripe: Processes all payments and subscriptions. We transmit your email and Stripe Customer ID. Stripe may collect billing address, payment method details, and tax information. We never store credit card numbers. See Stripe's Privacy Policy.

Authentication

  • Clerk: Handles user authentication, session management, organization management, and multi-factor authentication. See Clerk's Privacy Policy.

Communication

  • Resend: Sends transactional emails on our behalf (escalation notifications, system alerts). We share your email address with Resend solely for delivery purposes. See Resend's Privacy Policy.

Analytics & Monitoring (Consent-Based)

  • Microsoft Clarity: Heatmaps and session recordings to understand user behavior. Activated only with your consent. Data may be transferred to the US under the EU-US Data Privacy Framework. See Microsoft's Privacy Statement.
  • Vercel Analytics: Privacy-friendly, aggregated page view and performance analytics. Activated only with your consent. See Vercel's Analytics Privacy Policy.
  • Sentry: Error monitoring and performance tracking hosted in the EU (de.sentry.io). Collects error data under legitimate interest for platform stability. See Sentry's Privacy Policy.

6. International Data Transfers

Some of our third-party processors are located outside the European Economic Area (EEA). When transferring personal data outside the EEA, we ensure appropriate safeguards are in place pursuant to Chapter V of the GDPR:

  • EU-US Data Privacy Framework (DPF): For US-based providers certified under the DPF (e.g., Microsoft) — Art. 45 GDPR adequacy decision.
  • Standard Contractual Clauses (SCC): For other US-based providers (e.g., Convex, OpenAI, Vapi, Resend, Stripe, Clerk) — Art. 46(2)(c) GDPR.
  • EU-based services: Sentry is hosted in the EU (de.sentry.io). Vercel uses EU preferred regions where available.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

Data Type | Retention Period
Account data | Until account deletion or 3 years of inactivity
Conversations | Until manually deleted by organization admin or account deletion
Knowledge base documents | Until manually deleted by user or account deletion
Widget visitor sessions | Until organization deletion or 2 years of inactivity
Payment records | 10 years (Italian tax law — Art. 2220 c.c.)
Contact form submissions | Resolved + 2 years
Cookie consent preferences | 12 months
Analytics data | As per third-party retention policies

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption: All data is transmitted over HTTPS/TLS. Sensitive API keys (Vapi, OpenAI) are stored in AWS Secrets Manager and never exposed in the frontend.
  • Authentication: Secure session management via Clerk with JWT tokens. Support for email verification, password reset, and multi-factor authentication.
  • Access Control: Organization-based access control. Each organization's data (conversations, knowledge base, settings) is fully isolated. Convex queries enforce organization-scoped data access.
  • Infrastructure: Vercel's enterprise-grade hosting with DDoS protection. Convex provides real-time data sync with built-in access controls. AWS S3 with server-side encryption.
  • Webhook Security: All incoming webhooks (Clerk, Stripe) are verified using Svix signature verification to prevent tampering.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but we continuously review and improve our security practices.

9. Your Rights Under GDPR

Under the GDPR and Italian Privacy Code, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — Obtain confirmation of whether we process your data and receive a copy of it.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete personal data.
  • Right to erasure ("Right to be forgotten") (Art. 17) — Request deletion of your personal data when it is no longer necessary, or withdraw consent.
  • Right to restrict processing (Art. 18) — Request limitation of processing in certain circumstances.
  • Right to data portability (Art. 20) — Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — With the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it.

We will respond to your request within 30 days, as required by the GDPR. To exercise any of these rights, contact us at info@skyclouds.co or skyclouds@pec.it.

10. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe we may have collected data from a child, please contact us immediately.

11. Automated Decision-Making

Cassandra uses AI to automatically process conversations and generate responses based on your knowledge base. This processing is not used for profiling or making decisions that produce legal effects concerning users. The AI is used solely to provide the customer support service. Human operators can take over any conversation at any time, and end-users are informed they are interacting with an AI agent.

12. Cookies

For detailed information about how we use cookies, what cookies we set, and how to manage your preferences, please refer to our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Where required by law, we will seek your consent to material changes. We recommend reviewing this page periodically.

14. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us: