Controller identity and scope of this notice

BRG s.a.s., VAT ID IT02285080038, with registered office at Via Pedolazzi 161b, 28883 Gravellona Toce (VB), Italy, acts as the controller for personal data processed through we-gentic.com and the application features currently implemented in this repository. The controller's operational privacy contact is Brignoli Gabriele.

This notice covers the public website at AVB-Studio.com and the authenticated AVB-Studio workspace features currently implemented in this repository.

Categories of personal data processed

We process only the data categories that are reasonably necessary to operate the site, user accounts, internal workflows, and the related security and compliance functions.

• identity and account data, such as name, email address, email/password credentials, session identifiers, and authentication metadata
• authenticated workspace usage data, including workspace, task, profile, and operational settings records
• contact-request data submitted through the public form, such as name, email, phone, company, role, interest area, language needs, and message content
• client-onboarding and administrative data, such as company records, addresses, contacts, permissions, rate tables, and provisioning/email metadata
• technical and compliance data, such as user-agent strings, security logs, consent receipts, and delivery metadata

Purposes of processing and legal bases

Optional browser-side technologies are never activated merely because the user has read this notice. Where consent is required, it is collected separately and can be changed later from the privacy settings entry points.

• handling inbound commercial requests and contact messages: pre-contract steps requested by the data subject and legitimate interests in managing business inquiries
• account creation, authentication, password reset, and secure session continuity: contract performance or pre-contract steps plus service-security needs
• delivering application features, workspace/task operations, and client administration: contract performance and legitimate organisational interests
• sending operational email, including contact-form notifications and onboarding welcome email: pre-contract steps, contract performance, and legitimate interests in operating the service
• recording privacy choices and proving consent/refusal for optional technologies: privacy/ePrivacy compliance obligations and legitimate interests in evidencing compliance
• preventing abuse, defending the service, logging, and incident handling: legitimate interests and, where applicable, legal obligations

Processors and technical service providers

BRG s.a.s. uses selected technical providers for authentication, hosting, database services, operational email delivery, and address autocomplete. The list above reflects only the processing flows evidenced in the current repository.

• Firebase Authentication: email/password authentication, browser-session continuity, password reset, and account security; data categories involved: account credentials, session identifiers, workspace and task records, client-management data; location or access context: Google Firebase infrastructure, including possible EEA and non-EEA processing locations; safeguards: EU-U.S. Data Privacy Framework where applicable, plus contractual and technical safeguards selected for the deployed Firebase setup.
• Cloud Firestore: primary application database for product data, contact records, provisioning metadata, and consent-audit records; data categories involved: workspace records, client records, contact submissions, privacy consent receipts, operational metadata; location or access context: Google Cloud / Firebase hosting regions configured for the project; safeguards: Google contractual commitments, access controls, and project-level security configuration managed by BRG s.a.s..
• Firebase App Hosting: hosting the public website, authenticated workspace, and server-side route handlers; data categories involved: application traffic, server runtime metadata, operational logs; location or access context: Google Cloud regions used by Firebase App Hosting; safeguards: Google platform safeguards, role-based access controls, and region/service configuration managed by BRG s.a.s..
• Google Gmail API: delivery of internal notifications generated by the public contact form; data categories involved: contact form content, sender email address, reply metadata; location or access context: Google Workspace / Gmail processing locations, including possible non-EEA support access; safeguards: Google contractual safeguards and access controls tied to the dedicated workspace mailbox used for contact delivery.
• Google Maps Places API: address autocomplete and structured address resolution in the client-management interface; data categories involved: typed address queries, selected place identifiers; location or access context: Google Maps Platform processing locations, which may include non-EEA infrastructure; safeguards: Google Maps Platform contractual terms, API-key controls, and application-side minimisation of address lookups.
• Postmark: transactional welcome-email delivery when Postmark is configured as the active provider; data categories involved: recipient email address, welcome-email content, delivery metadata; location or access context: Postmark delivery infrastructure, potentially including processing outside the EEA; safeguards: provider contractual safeguards and restricted operational use only when this delivery provider is selected.
• MailerSend: transactional welcome-email delivery when MailerSend is configured as the active provider; data categories involved: recipient email address, welcome-email content, delivery metadata; location or access context: MailerSend delivery infrastructure, potentially including processing outside the EEA; safeguards: provider contractual safeguards and restricted operational use only when this delivery provider is selected.

International transfers and safeguards

Some providers may process data outside the European Economic Area, particularly through infrastructure or support access located in the United States or other third countries.

Where that occurs, BRG s.a.s. relies on the transfer mechanism available for the relevant provider, including the EU-U.S. adequacy framework where applicable, standard contractual clauses, and supplementary technical or organisational safeguards where reasonably required.

Retention criteria

Retention is described through operational criteria rather than artificial one-size-fits-all periods. The actual retention horizon depends on the function of the data, the lifecycle of the business relationship, security needs, and applicable legal or evidentiary duties.

• Contact requests and pre-sales correspondence: Contact inquiries are kept for the time needed to review the request, manage follow-up communications, document the commercial outcome, and handle any related legal or evidentiary needs.
• Accounts, workspaces, and service-delivery records: Account, workspace, and task data are retained while the account or commercial relationship remains active and afterwards only for the period reasonably needed to manage security incidents, disputes, tax/accounting duties, and continuity obligations.
• Client onboarding and administrative records: Client-management data, provisioning events, and welcome-email delivery metadata are retained for as long as required to administer the business relationship, trace operational changes, and evidence account-provisioning activity.
• Consent and privacy-choice evidence: Consent receipts are retained for the lifetime of the active policy version and for any additional period reasonably required to demonstrate GDPR and ePrivacy compliance.
• Security and operational logs: Security, abuse-prevention, and operational logs are retained only for the period necessary to investigate incidents, protect the service, and support legal or compliance obligations.

Data subject rights

You can exercise your rights by contacting info@we-gentic.com or +39 3929053362. You also have the right to lodge a complaint with Garante per la protezione dei dati personali.

• right of access
• right to rectification
• right to erasure
• right to restriction of processing
• right to data portability where applicable
• right to object in the cases provided by law
• right to withdraw consent at any time for consent-based processing

Whether data is required

Data marked as required in forms, or needed for authentication and security, is necessary to answer the request, create the account, protect the session, or make the requested feature available. Without that data, the relevant service may be unavailable.

Children

The service is intended for professional contexts and is not directed to children under 18. If you believe a minor provided personal data without an appropriate lawful basis, contact us so the case can be handled.