Privacy notice on the processing of personal data

This notice is issued pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter: GDPR) and of Italian Legislative Decree no. 196 of 30 June 2003 (Privacy Code), as amended by Legislative Decree no. 101 of 10 August 2018.

This notice describes the way SOUTH PIXEL S.R.L., trading as DEZIQ, collects, uses and protects the personal data of users who interact with the institutional website www.deziq.com and with the SaaS products provided by the same company (hereinafter, collectively, the Services).

The processing of personal data follows the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, pursuant to Article 5 GDPR.

The data controller is SOUTH PIXEL S.R.L. (trading as: DEZIQ), with registered office at Via Pascoli 13, 76015 Trinitapoli (BT), Italy. Tax code, VAT number and Companies Register number: 09018310723. REA: BT-335706. Sole Director: Quaranta Alessio.

Institutional contacts:

• Institutional PEC: southpixel@pec.it
• Privacy e-mail: privacy@deziq.com (dedicated contact for GDPR requests)
• Website: https://www.deziq.com/en

For any communication regarding the processing of personal data, the data subject may contact the controller via the privacy e-mail address or by registered mail with return receipt to the registered office.

Note: SOUTH PIXEL S.R.L. has not appointed a Data Protection Officer (DPO) pursuant to Article 37 GDPR, as the processing carried out does not fall within the mandatory cases. Should such an obligation arise, the controller will proceed with the appointment and the publication of the related contact details.

The controller processes personal data relating to the following categories of data subjects.

2.1 Visitors of the institutional website (www.deziq.com)

• Navigation data: IP address, browser type and version, operating system, pages visited, access times, referring URL. Generated automatically and stored temporarily in server log files.
• Data voluntarily provided: first name, last name, e-mail, company name and information entered in contact, demo request or newsletter forms.
• Data collected via cookies and similar technologies: please refer to the dedicated Cookie Policy.

2.2 Prospects and leads (DEZIQ CRM and sales intelligence activities)

• Personal and professional data: first name, last name, job title, company, sector, company size.
• Contact data: business e-mail, phone.
• Data enriched via Explorium API: data from public sources (LinkedIn, company websites, chamber of commerce registers), including role, technologies adopted, public financial indicators, purchase intent signals.
• Scoring data: commercial relevance scores generated by the DEZIQ CRM system.

Note: prospect data may be collected not directly from the data subject. In that case, the notice is provided at the first useful contact (Article 14 GDPR).

2.3 Customers and end users of SaaS products

• VEENDO (B2X e-commerce): personal and contact data of the account holder; data on products, catalogue and transactions; access logs.
• IMOOGE (AI photography): registration data; uploaded images (potentially containing special categories of data under Article 9 GDPR, if they allow identification); AI-generated outputs; usage logs.
• QUILL (RAG chatbot on documents): registration data; uploaded documents (which may contain third-party data); conversation logs.
• MATCHBOARD (sports display): registration data; configuration preferences; access logs.
• DEZIQ CRM: internal CRM users’ data; prospect data managed by the customer (in this case SOUTH PIXEL S.R.L. acts as data processor pursuant to Article 28 GDPR).

2.4 Business users of development and consulting services

Personal and contact data of corporate representatives; data necessary for the execution of contracts; data contained in the systems or documents shared within the service.

3.1 Handling contact and information requests. Purpose: responding to requests via form or e-mail. Legal basis: performance of pre-contractual measures (Article 6(1)(b) GDPR) or consent where not pre-contractual (Article 6(1)(a) GDPR).

3.2 Provision of SaaS Services. Purpose: account management, access to features, support, invoicing. Legal basis: performance of the contract (Article 6(1)(b) GDPR).

3.3 Compliance with legal obligations. Purpose: accounting and tax retention, response to authorities. Legal basis: legal obligation (Article 6(1)(c) GDPR).

3.4 Direct marketing. Purpose: sending commercial communications and newsletters. Legal basis: consent of the data subject, revocable at any time (Article 6(1)(a) GDPR).

3.5 Sales intelligence and B2B outbound (DEZIQ CRM). Purpose: identifying potential clients, enriching profiles, scoring, pipeline management, sending personalised communications to corporate contacts. Legal basis: legitimate interest of the controller in carrying out B2B commercial activity towards potentially interested parties (Article 6(1)(f) GDPR), subject to a balancing test and without prejudice to the right to object.

3.6 Image processing via IMOOGE. Purpose: AI-based photographic processing. Legal basis: explicit consent provided at upload for any processing of biometric data or identifying physical features (Article 9(2)(a) GDPR).

3.7 Statistical analysis and improvement of the Services. Purpose: aggregate analysis of the use of the Services. Legal basis: legitimate interest of the controller (Article 6(1)(f) GDPR).

3.8 IT security and fraud prevention. Purpose: system monitoring, detection of unauthorised access. Legal basis: legitimate interest of the controller (Article 6(1)(f) GDPR).

Data is processed by electronic and paper-based tools by authorised personnel or designated processors, bound by confidentiality obligations. The infrastructure is based on Next.js, AWS, Vercel, OpenAI API and Explorium API.

Security measures include: encryption in transit (TLS/HTTPS) and at rest, access control (least privilege), multi-factor authentication (MFA) for administrators, log monitoring, periodic backups and staff training. In case of a data breach, the controller will notify the supervisory authority within 72 hours and inform the data subjects where required (Articles 33-34 GDPR).

Data is retained for the time strictly necessary for the stated purposes. The retention criteria are as follows:

• Navigation data and server logs: 30 days.
• Contact form data (without contract): 24 months from the first contact.
• SaaS account data (active user): for the entire duration of the contract.
• SaaS account data (after cancellation): 10 years from termination for legal obligations and litigation.
• Tax and accounting data: 10 years (tax compliance).
• Prospect data (DEZIQ CRM): 24 months from the last profile update, unless an objection is raised.
• Marketing campaign data: until consent is withdrawn, plus 12 months for legal documentation.
• IMOOGE images: duration of the session; outputs stored according to preferences; sources deleted within 30 days unless otherwise configured.
• QUILL session logs: 12 months.
• Business contractual data: 10 years from the conclusion of the contract.

Once these terms expire, data is securely deleted or irreversibly anonymised.

Some providers are based outside the EU. Transfers take place in compliance with Chapter V of the GDPR, using Adequacy Decisions or Standard Contractual Clauses (SCC).

Main transfers:

• Amazon Web Services (United States): user data, logs. Safeguard: SCC and AWS DPA. Data is mostly processed within the EU, with limited extra-EU operations.
• OpenAI, L.L.C. (United States): API content (no model training on API data). Safeguard: SCC and OpenAI DPA.
• Explorium (Israel / United States): prospect data. Safeguard: Adequacy Decision for Israel; SCC for the US.
• Vercel, Inc. (United States): navigation data and logs. Safeguard: SCC and Vercel DPA.

A copy of the safeguards may be requested at privacy@deziq.com.

The controller relies on the following data processors (Article 28 GDPR):

• Amazon Web Services EMEA S.à r.l. (Luxembourg/USA): cloud infrastructure, storage and computing.
• OpenAI, L.L.C. (USA): AI language models for the products.
• Explorium AI Ltd. / Vibe Prospecting (Israel/USA): prospect data enrichment.
• Vercel, Inc. (USA): hosting, CDN and distribution.
• Stripe, Inc. (USA, where applicable): payment processing.
• Transactional e-mail providers (e.g. Resend, SendGrid): sending notifications.

Where DEZIQ provides SaaS services and the customer acts as data controller, SOUTH PIXEL S.R.L. takes on the role of data processor. The conditions are governed by the Data Processing Agreement (DPA) attached to the contracts.

Each data subject may exercise the rights provided for in Chapter III of the GDPR:

• Access (Article 15): obtain confirmation of the processing and access to the data.
• Rectification (Article 16): correct inaccurate or incomplete data.
• Erasure or “right to be forgotten” (Article 17): erase data in specific cases (e.g. withdrawal of consent).
• Restriction (Article 18): temporarily block the processing in case of disputes.
• Portability (Article 20): receive the data in a structured format and transfer it to another controller.
• Objection (Article 21): object to processing based on legitimate interest, including B2B profiling. In that case the controller will refrain from processing unless there are compelling legitimate grounds.
• Withdrawal of consent (Article 7): revocable at any time without prejudice to previous processing.
• Complaint (Article 77): contact the Italian Data Protection Authority (www.garanteprivacy.it).

How to exercise these rights: requests must be sent to privacy@deziq.com, by PEC to southpixel@pec.it, or by registered mail with return receipt to the registered office, with the subject line “Exercise of GDPR rights”. The reply will be provided free of charge within one month (extendable to three months for complex cases).

DEZIQ CRM integrates sales intelligence and marketing automation features. The system uses APIs for the automatic enrichment of profiles from public sources, algorithms to assign relevance scores (lead score) and segmentation to personalise outbound communications.

This profiling does not produce legal effects on the data subject or similarly significant impacts (Article 22 GDPR). The lead score is an internal prioritisation tool. High-impact decisions always involve human intervention.

The processing is based on B2B legitimate interest (Article 6(1)(f)). The data subject may object at any time by writing to privacy@deziq.com with the subject line “Objection to DEZIQ CRM profiling”.

The controller reserves the right to amend this notice for regulatory or operational developments. Updates will be published on this page with a change to the header date. If the changes concern processing based on consent, new consent will be requested. We invite users to consult this document periodically.