Record of Processing Activities
A summary of how personal data flows through Noemie, as required by Art. 30 GDPR.
Controller information
[Company name], [Address], [Data contact email]. Data Protection Officer (if applicable): [DPO name or 'Not appointed — organisation below Art. 37 threshold'].
Processing activity: Account management
Purpose: creating and maintaining user accounts, authentication.
Categories of data: email address, authentication tokens.
Legal basis: Art. 6(1)(b) — performance of a contract.
Recipients: [hosting provider].
Retention: duration of account + [X months] after deletion request.
Transfers outside EU: none.
Processing activity: Service delivery
Purpose: providing the AI assistant — processing inputs, generating responses, learning user habits.
Categories of data: text inputs, preferences, habits, task history, calendar and email metadata (where connected).
Legal basis: Art. 6(1)(b) — performance of a contract.
Recipients: [list of sub-processors — e.g. LLM provider, database provider]. [Specify whether the AI model is internal or external, e.g. Anthropic API, OpenAI, etc.]
Retention: duration of account.
Transfers outside EU: [specify whether you use providers outside the EU — e.g. US-based AI APIs — and the legal basis, e.g. standard contractual clauses].
Processing activity: Security and logging
Purpose: detecting abuse, preventing unauthorised access, debugging.
Categories of data: IP addresses, session IDs, error logs.
Legal basis: Art. 6(1)(f) — legitimate interest.
Retention: [X days].
Transfers outside EU: none.
Processing activity: Communications
Purpose: sending transactional emails (magic link, notifications).
Categories of data: email address.
Legal basis: Art. 6(1)(b) — performance of a contract.
Recipients: [email provider — e.g. Resend, Postmark, Mailgun].
Transfers outside EU: [specify].