๐ GDPR Register of Processing Activities
Pursuant to Article 30 of Regulation (EU) 2016/679 ยท Updated July 2026
1. Controller
| Name | Antonio Di Cecco |
| Project | AmicoAI |
| Contact | @antoniodicecco (Telegram) ยท privacy@amico-ai.com |
| Role | Sole proprietor, independent developer |
2. Processing Activities
| Activity | Description |
|---|---|
| Chat service provision | The user sends text messages to an LLM API endpoint. The API processes each request independently and returns a response. No messages are stored server-side. |
| Local storage | Conversation history, personality profile, and preferences are stored exclusively in the browser's localStorage. No server has access to this data. |
| Image search | The agent may send keyword queries to Pixabay API to retrieve profile images. No personal data is included in API calls. |
3. Categories of Data Subjects
- Users aged 13 or older (age verified at access)
- Users under 13 with parental consent (self-declared)
4. Categories of Personal Data
Server-side: none. The LLM API provider receives only the text message content and returns a response. The API provider complies with GDPR and does not log conversations.
Client-side (localStorage): conversation history, MBTI personality type, chosen name, age, gender, profile photo URL, inferred user preferences. All data remains on the user's device.
5. Legal Basis (Art. 6 GDPR)
| Performance of a service (Art. 6.1b) | The chat functionality is provided at the user's request. Processing is necessary to deliver the conversational AI service. |
| Consent (Art. 6.1a) | Minor users (under 13) require parental consent, self-declared at service access. |
6. Data Retention
Server-side: No data is retained. Each API request is independent (stateless).
Client-side: Data persists in localStorage until the user clears browser cache. No automatic expiration.
7. Technical and Organizational Measures
- AI provider connection uses TLS encryption (HTTPS)
- No accounts, no passwords, no user registration
- No tracking cookies, no analytics, no telemetry
- AI provider is stateless โ no conversation logs retained
- All user data stored client-side in browser localStorage
- No third-party data sharing or sales
8. Data Transfers (Third Countries)
Messages sent to the LLM API provider may be processed on servers located in the United States or other countries. The provider certified under the EU-US Data Privacy Framework and complies with Standard Contractual Clauses (SCCs) adopted by the European Commission.
9. Data Subject Rights
Since all data is stored exclusively on the user's device, data subjects may exercise their rights (access, rectification, erasure, restriction, portability, objection) by:
- Managing or deleting data: Clear the browser cache / localStorage
- Exporting data: Use browser developer tools to inspect localStorage contents
- Contacting the controller: @antoniodicecco (Telegram)
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): the Italian Data Protection Authority (Garante per la protezione dei dati personali).
10. Data Breach Management (Art. 33-34)
Given that AmicoAI stores no personal data server-side, the risk of a personal data breach is negligible. However, in the event that the AI provider experiences a security incident that could affect user data in transit:
- The provider maintains contractual obligations to notify the controller of any data breaches
- Users will be notified via the service itself (in-app message) and/or via Telegram channel
- A breach notification will be filed with the Garante per la protezione dei dati personali within 72 hours if required
- No sensitive data categories are ever transmitted, reducing breach severity
This register is maintained in compliance with Art. 30 GDPR. Last updated: July 2026.