This policy describes the processing of personal data carried out through the Kadeon service (hereinafter "Service"), operated by STS Lab SRL, pursuant to Regulation (EU) 2016/679 ("GDPR") and applicable Italian law.
1. Data controller
The data controller is STS Lab SRL ("Controller"), P.IVA 02009010477, Firenze (FI), Italia. To exercise your rights or for any enquiry you may write to privacy@stslab.it.
2. Categories of data processed
2.1 Account and identity data
- Account data: organisation name, email address, password (stored exclusively in hashed/encrypted form, never in clear text).
- Profile data: legal entity type, company name, VAT number, fiscal code, SDI code (Codice Destinatario) for electronic invoicing, registered address, telephone number — collected during onboarding and used to configure reception of electronic documents.
- Document identities: names, codes and routing configurations associated with document identities created by the customer (sender names, trusted sender addresses, SDI codes).
- User roles: the Service manages three roles (operator, tenant_admin, superadmin) whose assignment is recorded in the system. Information on the role determines the permissions accessible to each user.
2.2 Usage and technical data
- Consumption data: number of AI tokens processed, number of documents ingested, storage used, number of API calls — recorded for quota management and billing purposes.
- Technical logs: access log, IP address, user agent, date/time of operations, audit log of sensitive actions (plan changes, account creation/deletion, identity approvals).
- Onboarding and preference data: wizard progress, local storage keys (onboarding completion state, operator acknowledgements) used to personalise the interface.
2.3 Document and email content
- Emails and attachments: emails acquired from mailboxes connected via IMAP (address, subject, body, attachment files) and the structured data extracted from them (amounts, dates, VAT codes, invoice numbers, etc.) processed on behalf of the customer.
- Documents uploaded via API or upload: files uploaded directly through the upload interface or integration API.
- Extraction results: structured fields extracted by the AI engine from documents, review and validation annotations made by operators.
2.4 Mailbox connection data
- IMAP configuration parameters (host, port, username, encrypted password) stored at-rest in the database using application-level encryption. Connection credentials are never exposed in clear text via the API.
- Date and time of last polling, connection statistics, error logs.
2.5 WhatsApp Bridge data
- If the WhatsApp integration is enabled for the tenant: configuration of the WhatsApp Business channel (API token stored encrypted, phone number ID, account name). The Service does not record the content of WhatsApp conversations: the Bridge is used only for notification/transmission routing, not for storing messages.
2.6 Payment and billing data
- Subscription plan (Free, Pro, Enterprise, Pay-per-use), billing period, subscription status, renewal date.
- Stripe customer ID and subscription ID — references to Stripe, not actual card details.
- Invoice history, amounts billed, payment status. Full card details are managed exclusively by Stripe; the Controller has no access to complete card numbers.
- Data relating to refund requests and plan changes (upgrades/downgrades) with proration applied.
2.7 Support and communication data
- Support tickets: subject, body, messages exchanged in the in-app chat between the customer and the support team, ticket status, timestamps.
- Transactional emails: email address of recipients, subject, content of notifications sent by the platform (email verification, quota alerts, billing notifications, plan change confirmations, support ticket replies).
- SMTP configuration: outgoing SMTP parameters configured by the tenant (host, port, username, encrypted password). Also in this case, credentials are stored encrypted at rest.
3. Purposes and legal basis
- Provision of the Service and account management — performance of a contract (Art. 6.1.b GDPR).
- Document acquisition, AI extraction and operator review — performance of a contract with the customer.
- Security, abuse prevention and logging — legitimate interest of the Controller (Art. 6.1.f) in protecting the infrastructure.
- Invoicing, accounting, tax compliance — legal obligation (Art. 6.1.c), in particular pursuant to D.P.R. 633/1972 and civil code rules on accounting records.
- Service notifications (email verification, quota alerts, billing events, support replies) — performance of a contract.
- Audit log of sensitive operations — legitimate interest in protecting the security and integrity of the system.
- Statistical analytics on aggregated consumption (for internal use, without individual identification) — legitimate interest.
4. Role of the customer (Processor / Co-Controller)
For the content of emails, attachments and extracted structured data, the customer using the Service acts as autonomous Controller of the data of its own data subjects (e.g. suppliers, customers whose invoices are processed), while STS Lab SRL acts as Data Processor pursuant to Art. 28 GDPR. Processing takes place in accordance with the customer's documented instructions and within the limits of the Data Processing Agreement (DPA) agreed at the time of activating the paid Service.
The customer remains solely responsible for: the legality of the acquisition of the emails and documents processed; the completeness and accuracy of the profile data entered; the management of permissions of users (operators) added to the account.
5. Retention
- Account data: for the duration of the contractual relationship and for the time required by accounting and tax obligations (generally 10 years from the end of the tax year).
- Documents and extracted data: according to the retention settings chosen by the customer (the Service provides configuration of automatic deletion after a specified number of days). In the absence of specific settings, data is retained for the duration of the subscription.
- Technical logs: maximum 12 months from recording, unless longer retention is required for security investigations or legal obligations.
- Support tickets: for 24 months from closing of the ticket, unless otherwise requested by the customer.
- Payment data: for the mandatory periods under fiscal and civil law (10 years).
- After termination: data are deleted or anonymised within 30 days of termination of the contractual relationship, unless legal obligations require otherwise or the customer requests export before deletion.
6. Recipients and transfers outside the EU
Data may be processed by providers acting as sub-processors:
- Hosting and infrastructure: cloud/dedicated servers located in Italy (EU). The main database, application and document storage are hosted on Italian servers.
- Email delivery (SMTP): the platform SMTP and per-tenant SMTP configurations may use third-party SMTP providers (e.g. Amazon SES) for sending transactional notifications.
- Payments: Stripe Inc. (USA) — data transfer regulated by Standard Contractual Clauses (SCC). Stripe processes only data necessary for payment processing; the Controller has no access to complete card details.
- External AI cloud provider (fallback): when the local AI engine is unavailable or for load balancing/failover, the text of emails and content of attachments may be transmitted to AI providers on external cloud servers (currently Anthropic PBC, USA — Claude API). This feature can be disabled at any time from the AI configuration panel; if disabled, no content is sent to external providers and all processing takes place exclusively on the Controller's servers in Italy. Activation requires the customer to own a personal Anthropic API key. Data transfers to the USA take place under Standard Contractual Clauses.
- WhatsApp Business Platform (Meta Platforms Inc., USA): if the WhatsApp Bridge is enabled, messages are transmitted through Meta's platform. Data transfer regulated by SCC.
7. Rights of the data subject
You may exercise at any time the following rights pursuant to Articles 15–22 GDPR:
- Access (Art. 15): right to obtain confirmation of processing and a copy of the data.
- Rectification (Art. 16): right to obtain correction of inaccurate data.
- Erasure (Art. 17): right to deletion ("right to be forgotten"), subject to legal obligations.
- Restriction of processing (Art. 18): right to limit processing in the cases specified.
- Data portability (Art. 20): right to receive data in a structured, machine-readable format.
- Objection (Art. 21): right to object to processing based on legitimate interest.
- Complaint: right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali — www.garanteprivacy.it).
Requests must be sent to privacy@stslab.it. The Controller will respond within 30 days.
8. Security
We adopt appropriate technical and organisational measures, including:
- Encryption of sensitive credentials and secrets at rest (IMAP passwords, SMTP passwords, API tokens, payment configurations) using application-level symmetric encryption.
- Role-based access control (operator / tenant_admin / superadmin) with strict multi-tenant isolation: each tenant can access only its own data.
- Transport encryption (HTTPS/TLS) for all communications between browser, application and external services.
- Audit log of sensitive operations (access, data changes, plan changes, user creation/deletion).
- Automatic suspension in case of repeated payment failures, to protect account integrity.
- Separation between internal SMTP (platform notifications) and per-tenant SMTP (customer outgoing email).
No system is 100% secure; in the event of a personal data breach we will comply with the notification obligations under Art. 33–34 GDPR.
9. Changes
This policy may be updated following changes to the Service, new features or regulatory developments. Changes will be published on this page with the new update date. For material changes, notification will be provided via email or in-app notification. Continued use of the Service after the effective date of the changes constitutes acceptance.