Privacy Policy
Last updated: March 28, 2026
This Privacy Policy (“Privacy Policy”) describes how CrewBitz Srl collects, uses, stores, and protects personal data pursuant to Regulation (EU) 2016/679 (“GDPR”) and applicable Italian legislation.
1. Data Controller
CrewBitz Srl (“CrewBitz”, “we”, “our”) is the Data Controller of personal data collected through the website crewbitz.com and related services.
2. Data Protection Officer (DPO)
As of the date of publication of this policy, no Data Protection Officer (DPO) has been appointed pursuant to Art. 37 of the GDPR, as the mandatory conditions set forth by the regulation are not met.
The Data Controller reserves the right to periodically reassess the need to appoint a DPO in relation to the evolution of data processing activities.
For any request concerning the processing of personal data, the Data Controller can be contacted at: [email protected]
3. Data collected and purposes
3.1 Website visitors
For visitors to the crewbitz.com website, we collect exclusively:
- Technical session cookies: necessary for the functioning of the website, without profiling purposes.
We do not use tracking cookies or third-party analytics tools. No profiling activity is carried out on website visitors.
3.2 Clients (companies)
For Clients who subscribe to the CrewBitz service, we collect and process:
- Registration data: contact person’s first and last name, business email address, company name, industry sector, company size.
- Service usage data: actions performed by Ployers, system logs, performance data and usage metrics.
- Billing data: data necessary for invoicing and payment, managed through Stripe when active as a payment processor.
3.3 B2B prospects
For business prospects, we may collect and process:
- Public business data: company name, industry, size, publicly available information.
- Business email: business email address used for B2B commercial communications.
4. Legal basis (Art. 6 GDPR)
The processing of personal data is based on the following legal grounds:
| Category | Legal basis | Reference |
|---|---|---|
| Clients — service delivery | Performance of a contract | Art. 6(1)(b) GDPR |
| Clients — tax and accounting obligations | Legal obligation | Art. 6(1)(c) GDPR |
| B2B prospects — commercial communications | Legitimate interest | Art. 6(1)(f) GDPR |
| Newsletter | Explicit consent | Art. 6(1)(a) GDPR |
| HR Ployer — health data and special categories | Obligation under employment law | Art. 9(2)(b) GDPR |
For processing based on consent (Art. 6(1)(a)), the Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.
For processing based on legitimate interest (Art. 6(1)(f)), the Data Controller’s legitimate interest consists in promoting its B2B services to potentially interested companies. The Data Subject always has the right to object to such processing.
5. Recipients and sub-processors
Personal data may be disclosed to the following recipients, each acting as a sub-processor pursuant to Art. 28 GDPR:
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| Contabo | Server hosting (VPS) | Germany (EU) | Native GDPR — intra-EU processing |
| DeepInfra | LLM inference (AI) | USA | Standard Contractual Clauses (SCC) |
| Anthropic | LLM inference (AI) | USA | Standard Contractual Clauses (SCC) |
| Cloudflare | CDN, SSL, DDoS protection | USA | Standard Contractual Clauses (SCC) |
| Zoho | Transactional email | India/EU (EU servers) | Servers in EU |
Personal data is not sold, transferred, or disclosed to third parties for third-party marketing purposes.
6. Extra-EU transfers
Some sub-processors are based in the United States of America. Transfers of personal data to such entities are carried out in compliance with the following safeguards:
- Standard Contractual Clauses (SCC): standard contractual clauses adopted by the European Commission (Implementing Decision 2021/914), entered into with each extra-EU sub-processor.
- EU-US Data Privacy Framework: where applicable, US-based sub-processors adhere to the EU-US Data Privacy Framework programme, which provides an adequate level of protection recognised by the European Commission.
The Data Controller carries out a Transfer Impact Assessment for each extra-EU sub-processor and adopts the supplementary measures necessary to ensure a level of protection substantially equivalent to that guaranteed by the GDPR.
7. Data retention
Personal data is retained for the time strictly necessary to fulfil the purposes for which it was collected, in accordance with the following criteria:
| Data category | Retention period |
|---|---|
| Active clients | For the duration of the service agreement |
| Former clients | 10 years from termination (tax obligations) |
| B2B prospects (inactive) | 180 days of inactivity, then anonymisation |
| B2B prospects (never contacted) | 90 days, then deletion |
| Ployer logs | 6 months, then anonymisation |
| Support tickets | 1 year, then anonymisation |
| Candidate data (HR Ployer) | 24 months |
| Do Not Contact list | Retained indefinitely |
Upon expiry of the retention periods, data is permanently deleted or irreversibly anonymised, as indicated in the table above.
8. Data Subject rights (Art. 15-22 GDPR)
As a Data Subject, you have the right to:
- Access (Art. 15): obtain confirmation as to whether your personal data is being processed and access your personal data.
- Rectification (Art. 16): obtain the correction of inaccurate personal data or the completion of incomplete data.
- Right to erasure (Art. 17): obtain the deletion of your personal data in the cases provided for by law.
- Restriction of processing (Art. 18): obtain the restriction of processing in the cases provided for by law.
- Data portability (Art. 20): receive your personal data in a structured, commonly used and machine-readable format, and transmit it to another controller.
- Right to object (Art. 21): object to the processing of your personal data, in particular to processing for direct marketing purposes.
- Automated decision-making (Art. 22): not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
How to exercise your rights
To exercise your rights, you may send a written request to the email address: [email protected]
The Data Controller will respond to the request within 30 days of receipt. This period may be extended by a further 60 days in the case of particularly complex or numerous requests, subject to prior notification to the Data Subject.
Complaint to the supervisory authority
The Data Subject has the right to lodge a complaint with the competent supervisory authority. In Italy, the supervisory authority is the Data Protection Authority (Garante per la protezione dei dati personali): www.garanteprivacy.it
9. Artificial Intelligence
CrewBitz uses artificial intelligence (AI) technologies as a core component of its service. Ployers are AI agents designed to automate business tasks under the Client’s supervision.
With regard to the use of AI, the Data Controller informs that:
- Human oversight: each Ployer operates under the Client’s supervision. Significant actions require human approval before execution.
- HR Ployer and AI Act: the Ployer dedicated to human resources management (HR Ployer) is classified as a high-risk AI system under the Regulation (EU) on Artificial Intelligence (AI Act). CrewBitz adopts the measures required by law, including mandatory human oversight for decisions affecting natural persons.
- No automated decision-making: significant decisions producing legal effects or similarly affecting natural persons always require human approval by the Client.
- Transparency: CrewBitz is committed to informing Clients and Data Subjects about the use of AI technologies in the processing of personal data, in compliance with the transparency obligations set forth by the GDPR and the AI Act.
10. Security
The Data Controller adopts appropriate technical and organisational measures to ensure the security of personal data, including:
- Encryption in transit: all communications take place over TLS 1.2 or higher.
- EU-based servers: data is hosted on Contabo servers located in Germany (European Union).
- Data isolation: Row-Level Security (RLS) on PostgreSQL to ensure data isolation between different tenants.
- Encrypted backups: automatic daily backups with GPG AES-256 encryption.
- Principle of least privilege: access to data is limited to strictly necessary personnel with the minimum permissions required.
- Continuous monitoring: active system monitoring to detect anomalies and potential breaches.
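The tenant-isolation measure listed above (Row-Level Security on PostgreSQL) can be illustrated with a small schema. The following is an added example and not CrewBitz's own schema or code: the table name ployer_logs, the role app_user and the session setting app.tenant_id are assumed names chosen for the illustration.

```sql
-- Added illustration of PostgreSQL Row-Level Security for multi-tenant isolation.
-- Table, role and setting names below are hypothetical, not the project's own.
CREATE TABLE ployer_logs (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    action     text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and FORCE it so the table owner is also subject to the policy.
-- (Superusers and roles with BYPASSRLS still bypass RLS; the application
-- must therefore connect as an ordinary role such as app_user.)
ALTER TABLE ployer_logs ENABLE ROW LEVEL SECURITY;
ALTER TABLE ployer_logs FORCE ROW LEVEL SECURITY;

-- Least-privilege application role: no login of its own, only the grants it needs.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON ployer_logs TO app_user;
GRANT USAGE, SELECT ON SEQUENCE ployer_logs_id_seq TO app_user;

-- Policy: a row is visible (USING) or insertable (WITH CHECK) only when its
-- tenant_id equals the tenant set for the current transaction. NULLIF turns an
-- unset or empty setting into NULL, so a request that forgot to set the tenant
-- sees zero rows instead of every tenant's rows.
CREATE POLICY tenant_isolation ON ployer_logs
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request usage. SET LOCAL is transaction-scoped, so the tenant value cannot
-- leak into the next request that reuses a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
INSERT INTO ployer_logs (tenant_id, action)
    VALUES ('11111111-1111-1111-1111-111111111111', 'email.draft');
SELECT id, action, created_at FROM ployer_logs;  -- returns only this tenant's rows
COMMIT;
```

The policy does the filtering inside the database, so an application bug that omits a WHERE tenant_id = ... clause still cannot read another tenant's rows. Two checks worth keeping in a deployment review: confirm the application role is neither a superuser nor marked BYPASSRLS, and confirm the tenant setting is applied with SET LOCAL inside each transaction rather than with a session-level SET on a pooled connection.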
11. Changes to this Policy
The Data Controller reserves the right to amend this Privacy Policy at any time. Changes shall be effective from the date of publication of the updated version on the website.
In the event of material changes that significantly affect the processing of personal data, the Data Controller shall notify Clients via email with reasonable advance notice.
Previous versions of this Policy are archived and available upon request.
Contact for privacy-related matters: [email protected]