This Privacy Policy describes how AT Jurisprudence Search collects, uses, and protects personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (Italian Privacy Code).
1. Data Controller
Individual data controller (persona fisica)
Resident in Italy
Email: privacy@at-search.app
For all privacy-related enquiries, requests to exercise your rights, or complaints, please contact the Data Controller at the email address above.
2. Personal Data Collected
2.1 Account data
- Email address — required for registration, login, and service communications.
- Full name — optional; provided voluntarily during registration.
- Password — stored exclusively as a bcrypt hash (one-way cryptographic function). The plain-text password is never stored, logged, or accessible to anyone, including the Data Controller.
- Subscription plan — the tier (Economy, Normal, Premium) associated with your account.
2.2 Usage data
- Query history — the legal queries you submit to the AI analysis function, together with the AI-generated responses and the list of judgments consulted.
- Saved judgments — the tribunal judgments you choose to bookmark within the application.
- Session data — authentication tokens stored as HttpOnly cookies, identifying your active session.
2.3 Billing data
Billing and payment processing is handled exclusively by Paddle (see Section 5). The Data Controller does not directly collect or store payment card details. Billing records (invoice data, subscription history) necessary for fiscal compliance are retained by Paddle as merchant of record and may be shared with the Data Controller in anonymised or aggregated form for accounting purposes.
2.4 Technical and log data
- Server access logs (IP address, HTTP method, endpoint, timestamp, HTTP status code).
- Error logs generated by the application.
2.5 Analytics data
This service uses Plausible Analytics (see Section 5), a privacy-first tool that does not use cookies, does not collect personal data, and does not track individual users across sessions or sites. No consent is required for this processing.
3. Legal Bases for Processing
| Data category | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account data (email, name, password hash) | Registration, authentication, account management | Art. 6(1)(b) — performance of contract |
| Query history and saved judgments | Providing the service; enabling the user to retrieve past analyses | Art. 6(1)(b) — performance of contract |
| Subscription plan and quota data | Access control; enforcement of service tier limitations | Art. 6(1)(b) — performance of contract |
| Billing records | Fiscal and accounting obligations under Italian law | Art. 6(1)(c) — legal obligation |
| Server logs | Security monitoring, error diagnosis, abuse prevention | Art. 6(1)(f) — legitimate interest |
| Email address (service communications) | Account verification, password reset, policy updates | Art. 6(1)(b) — performance of contract |
4. Retention Periods
| Data category | Retention period | Basis |
|---|---|---|
| Account data | Until account deletion, plus a 30-day grace period for recovery | Contractual necessity |
| Query history and saved judgments | Until the user deletes individual records or closes the account | Contractual necessity; user control |
| Billing and fiscal records | 10 years from the date of the underlying transaction | Art. 2220, Italian Civil Code (Codice Civile) — mandatory accounting record retention |
| Server access logs | 90 days, then automatically purged | Legitimate interest; proportionality |
| Authentication tokens (cookies) | Until logout or browser session end | Technical necessity |
5. Data Processors and Sub-processors
The Data Controller engages the following third-party processors, each bound by a data processing agreement (DPA) and subject to GDPR-equivalent safeguards:
| Processor | Role | Location | Data transferred |
|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure and hosting | Germany (EU) | All application data stored on servers within the European Economic Area. No transfers outside the EEA. |
| Paddle.com Market Ltd | Payment processing; merchant of record | United Kingdom | Billing data (name, email, payment details, transaction records). Paddle acts as merchant of record and is an independent data controller for payment data. Transfers to the UK are covered by the EU adequacy decision currently in force. Paddle's own Privacy Policy applies to payment data. |
| Anthropic, PBC | AI language model provider (Claude API) | United States | The text of your legal queries and the retrieved judgment excerpts are transmitted to the Anthropic API to generate AI responses. Anthropic processes this data under its API usage policy and does not use API inputs to train models by default. Transfers are covered by Standard Contractual Clauses (SCCs). Users should avoid including personal data of third parties or confidential client information in queries. |
| Plausible Analytics OÜ | Web analytics | Estonia (EU) | Aggregated, cookieless usage statistics. No personal data transmitted. No cross-site tracking. |
6. Cookies
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
auth_token |
Essential / HttpOnly | Maintains your authenticated session. Cannot be read by JavaScript. Required for the service to function. | Until logout |
cookies_accepted |
Functional | Records that you have acknowledged this cookie notice, so it is not shown again. | 1 year |
No advertising, profiling, or third-party tracking cookies are used.
7. Your Rights under the GDPR
As a data subject, you have the following rights, exercisable by contacting the Data Controller at privacy@at-search.app:
- Right of access (Art. 15) — obtain confirmation of whether your personal data is being processed and receive a copy.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data, subject to the limitations described in Section 4.
- Right to restriction of processing (Art. 18) — request that processing be limited in certain circumstances.
- Right to data portability (Art. 20) — receive your personal data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to lodge a complaint — you may lodge a complaint with the Italian supervisory authority, the Garante per la protezione dei dati personali (www.garanteprivacy.it), or with the supervisory authority of your EU member state of habitual residence.
Requests will be responded to within 30 days. The period may be extended by a further two months where necessary, with notification of the reason for the extension.
8. Security Measures
- Passwords stored exclusively as bcrypt hashes (cost factor 12); plain-text passwords are never retained.
- Authentication via signed JWT tokens transmitted in HttpOnly, SameSite cookies.
- All data at rest stored on Hetzner infrastructure within the EU.
- Application-level access controls with role-based permissions.
No security measure is infallible. In the event of a personal data breach likely to result in a risk to your rights and freedoms, you will be notified without undue delay in accordance with Art. 34 GDPR.
9. Minors
This service is intended exclusively for legal professionals and is not directed at persons under 18 years of age. The Data Controller does not knowingly collect personal data from minors.
10. Updates to This Policy
This Privacy Policy may be updated to reflect changes in the service, applicable law, or processing activities. Material changes will be communicated to registered users by email at least 14 days before taking effect. The current version and its effective date are always indicated at the top of this page.
Continued use of the service after the effective date of an updated policy constitutes acceptance of the changes.
11. Contact
Mariano Fernando Iguera
Email: privacy@at-search.app
Supervisory Authority (Italy)
Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma
www.garanteprivacy.it