LEGAL

Privacy Policy

Last updated: May 1, 2026

1. Data Controller

The data controller for personal data collected through visualturf.ai is Davide Bollati (P.IVA 02821210024) (hereinafter "VisualTurf"), with registered office in Italy.

Contact email: info@visualturf.ai

For any inquiry related to data protection, you can contact us at the email indicated above.

2. Data We Collect

We collect personal data you provide directly when registering, using our services, or contacting us:

• Registration data: name, surname, email address, encrypted password.

• Billing data: information necessary for invoicing and payment processing through Stripe.

• Usage data: images uploaded for render generation, renders created, commercial proposals generated, and platform usage metadata.

• Technical data: IP address, browser type, operating system, pages visited, session duration.

• Communication data: content of messages sent through contact or support forms.

3. Legal Basis

We process your data under the following legal bases pursuant to Regulation (EU) 2016/679 (GDPR):

• Contract performance (Art. 6.1.b): to provide the contracted service, manage your account, and process payments.

• Consent (Art. 6.1.a): for sending commercial communications and newsletters.

• Legitimate interest (Art. 6.1.f): to improve our services, prevent fraud, and ensure platform security.

• Legal obligation (Art. 6.1.c): to comply with fiscal and accounting obligations.

4. Purpose of Processing

• Service delivery: managing your account, generating renders, creating and sending commercial proposals.

• Payment management: processing subscriptions and purchases through Stripe.

• Communications: sending transactional notifications (confirmations, account alerts), and with your consent, commercial communications.

• Service improvement: anonymized usage analysis to optimize user experience.

• Support: answering your inquiries and resolving incidents.

5. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected:

• Account data: while your account remains active, and up to 12 months after deletion.

• Billing data: 10 years in accordance with Italian tax legislation.

• Images and renders: while your account remains active. Upon account deletion, they are removed within 30 days.

• Usage and analytics data: maximum 26 months in anonymized form.

6. Data Recipients

We do not sell your data to third parties. We share your data only with:

• Stripe: payment processing (Stripe Inc., USA, subject to EU standard contractual clauses).

• Supabase: database hosting (Supabase Inc., with servers in the EU).

• Vercel: web platform hosting (Vercel Inc., with points of presence in the EU).

• AI providers: for render generation, we use third-party services. Images are processed and not stored on their servers beyond the time necessary for generation.

7. International Transfers

Some of our providers are based outside the European Economic Area (EEA). In these cases, we ensure an adequate level of protection through standard contractual clauses approved by the European Commission or the EU-US Data Privacy Framework.

8. Your Rights

Under the GDPR, you have the right to:

• Access: obtain confirmation of whether we process your data and access it.

• Rectification: correct inaccurate or incomplete data.

• Erasure: request the deletion of your data ("right to be forgotten").

• Restriction: restrict processing in certain circumstances.

• Portability: receive your data in a structured, commonly used format.

• Objection: object to processing based on legitimate interest.

• Withdrawal of consent: withdraw your consent at any time.

To exercise these rights, write to us at info@visualturf.ai. We will respond within 30 days.

You also have the right to file a complaint with the competent supervisory authority: Garante per la protezione dei dati personali (Italy) — www.garanteprivacy.it.

9. Security

We implement appropriate technical and organizational measures to protect your data: encryption in transit (TLS) and at rest, access controls, periodic audits, and incident management policies. Passwords are stored with bcrypt hash and never in plain text.

10. Modifications

We reserve the right to update this policy. In case of substantial changes, we will notify you by email or through the platform. The last update date appears at the beginning of this document.