This document explains what personal data we collect, why we collect it, and how we use it. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR).

1. Data Controller

Victoria ai
Addr.: Via St. Andrea 5, Piano di Sorrento, 80063 (NA) ITALY
Email: milano@usevictoria.ai

2. Data Processors

We use trusted third-party providers to deliver our service. They process your data on our behalf and are bound by strict data protection agreements.

• Hetzner Cloud GmbH: Hosts our application servers in their data center in Frankfurt, Germany.
• Google Cloud Platform (GCP): Provides speech-to-text, generative AI, and text-to-speech services. All processing is restricted to GCP's EU regions.

3. Legal Basis and Consent

Our legal basis for processing your data is your explicit consent. We obtain this consent BEFORE any data processing begins. The service will not start until you click the "Accept Policy" button.

4. What Data We Collect and Why

We collect the minimum data necessary to provide and secure our service:

• To provide relevant answers, we capture your voice and immediately transmit it to our sub-processor, Google, to be transcribed into text. This transcription happens in real-time within their EU data centers. The resulting text is then used to generate a response. The original voice data is processed ephemerally and is not stored or saved in any permanent file by us or our sub-processors.
• Cookies: To manage your session and consent, we use the following cookies:
  • victoria_consent_given: Remembers your consent choice for 180 days so you don't have to consent on every visit. It stores no personal data.
  • rate_limit_token: An anonymous token used to prevent service abuse from a single browser. It allows us to manage connection rates without using your IP address, ensuring fair use for everyone, especially on shared networks (like hotel Wi-Fi). It is stored for one year.
  • io: A temporary, technically necessary cookie set by our connection framework (Socket.IO) to maintain a stable session. It is deleted when you close your browser tab and does not track you.

5. Data Storage, Retention, and Security

Conversation Data is ephemeral and is not stored after your session ends.
Security Audit Logs, which contain a session identifier and the initial IP address, are automatically deleted after 90 days. These logs are encrypted at rest and are subject to integrity controls (hashing) to ensure they are tamper-evident.

6. Your Rights Under GDPR

You have the right to:

• Request access to your personal data.
• Request correction of incorrect data.
• Request erasure of your personal data ("right to be forgotten").
• Object to the processing of your data.
• Request portability of your data.

To exercise these rights, please contact us at the email address listed in Section 1.

7. Right to Withdraw Consent

You can withdraw your consent at any time by clicking the "Change Consent" button. This action will immediately terminate the current session and revoke your consent for future sessions.

Accept Policy Deny