This privacy policy explains how AI KOSMO SRL collects and processes personal data that you provide, or that are otherwise transmitted through the website www.aikosmo.com (the "Site"). AI KOSMO SRL is committed to ensuring full transparency and to protecting your rights in accordance with Regulation (EU) 2016/679 ("GDPR") and Legislative Decree 196/2003 as subsequently integrated and amended by Legislative Decree 101/2018 ("Privacy Code"). Personal Data are processed by the Data Controller in compliance with the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, storage limitation, accuracy, integrity, and confidentiality.

1. DATA CONTROLLER. The Data Controller is AI KOSMO SRL, with registered office in via Monte Mulat, 38 – 38037 Predazzo (TN), VAT no. 02754510226 (hereinafter the "Controller").

2. PERSONAL DATA PROCESSED. The Controller processes the following categories of personal data:

Personal data voluntarily provided by the user:

• Demo booking form: first name, surname, hotel name, hotel website, telephone number, email address;
• Call booking form: first name, email address, and any other information requested in the booking form to schedule the meeting;
• Contact form: first name, surname, hotel name, hotel website, email address;
• Contact via WhatsApp: telephone number and any other information the user chooses to share during the conversation;
• Interaction with the Intelligent Chatbot "KOSMO": the content of conversations, questions submitted and any information voluntarily provided by the user while interacting with the virtual assistant. The Intelligent Chatbot enables users to submit information requests relating to the services offered on the Site and to receive responses generated based on the basis of the information available on the Site. Interactions are initially handled by a LLM artificial intelligence system; however, the involvement of the Controller's personnel may occur upon the user’s explicit request or where the Intelligent Chatbot is unable to provide complete or adequate responses. We kindly ask you not to include your own or third-party Personal Data during interactions with the Intelligent Chatbot, unless strictly necessary to handle the request.
• Communications sent to the contact details published on the Site.

Should you provide third-party Personal Data when using the Site, you confirm that such processing is based on an appropriate legal basis pursuant to Article 6 of the GDPR, which legitimizes the processing of the Personal Data in question.

Navigation Data: the computer systems and software procedures used to operate this Site acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. While this data is not collected to identify you directly, it may allow identification when combined with information held by third parties.. This category of data includes IP addresses, domain names of the devices used by users to access the Site, the addresses of requested pages (URIs), the date and time of requests, and other parameters relating to the operating system and the user's IT environment. This data is used solely to obtain anonymous statistical information on the use of the Site, to check its correct functioning, and to identify anomalies and/or abuses, and is deleted shortly after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against AI KOSMO SRL or third parties.

Cookies and other tracking technologies: the Site uses technical, analytical, and profiling cookies. For detailed information on the nature and purposes of the cookies used, please refer to the specific Cookie Policy, which forms an integral part of this privacy policy.

(Hereinafter, the "Personal Data")

3. PURPOSES OF PROCESSING, LEGAL BASES AND STORAGE PERIODS. Personal Data is processed for the purposes set out below, on the corresponding lawful bases, and are stored for the periods indicated:

a) Handling of contact requests, demo bookings, and call bookings

• Data processed: identification and contact details provided via forms, WhatsApp, or Calendly.
• Legal basis: execution of pre-contractual measures requested by the data subject.
• Retention period: for the time necessary to fulfill the purpose and, in the event of service request, for a period no longer than 24 months.

b) Provision of assistance and navigation support through the "KOSMO" chatbot

• Data processed: identification and contact details, content of conversations.
• Legal basis: execution of pre-contractual/contractual measures (as indicated in the document).
• Retention period: for the time necessary to fulfil the purpose and, in the event of service request, for a period no longer than 24 months.

c) Training of artificial intelligence systems

• Data processed: content of conversations, navigation data and other information collected during the use of the KOSMO chatbot.
• Legal basis: legitimate interest of the Controller in improving and developing its AI-based services.
• Retention period: for the time strictly necessary to improve the service; in any case, the user may exercise its rights as set out in section 6. Furthermore, as soon as technically feasible, the data will be processed in aggregated and anonymized form.

d) Soft spam

• Data processed: contact data (email, telephone).
• Legal basis: legitimate interest of the Controller and Art. 130, paragraph 4, Privacy Code.
• Retention period: until the opt-out is exercised by the data subject, or, in the absence of such opt-out, for a maximum period of 24 months.

e) Compliance with legal, accounting, and tax obligations

• Data processed: personal, contact, and tax related data.
• Legal basis: compliance with legal obligation to which the Controller is subject.
• Retention period: for the periods required by applicable law (e.g., 10 years for accounting purposes) and for and for the time necessary to exercise possible legal defense.

f) Security and proper functioning of the Site

• Data processed: navigation data (e.g., IP addresses).
• Legal basis: the Controller’s legitimate interest in ensuring the security of the Site and protecting company assets and users.
• Retention period: for the time necessary for the purpose and for and for the time necessary to exercise possible legal defense.

For further information regarding the retention periods of Personal Data and the criteria used to determine these periods, please contact: daniele@aikosmo.com.

4. PROCESSING METHODS AND SECURITY MEASURES. The processing of Personal Data is carried out using manual, computer, and electronic tools, with logic strictly related to the indicated purposes and, in any case, in such a way as to guarantee the security and confidentiality of the data itself. In accordance with the principles of data protection by design and by default (Art. 25 GDPR) and security obligations (Art. 32 GDPR), the Controller adopts adequate technical and organizational measures to ensure a level of security appropriate to the risk. Such measures include, where appropriate, the pseudonymization and encryption of Personal Data.

5. RECIPIENTS AND TRANSFERS OF PERSONAL DATA. Your Personal Data may be transmitted to the following recipients:

• Authorized persons pursuant to Art. 29 GDPR, acting within the scope of their duties, and subject to confidentiality obligations or appropriate statutory duties of confidentiality (e.g., employees, collaborators);

• Data Processors pursuant to Art. 28 GDPR, who process Personal Data on behalf of the Controller under a specific contractual arrangement, such as (i) providers of hosting services, IT maintenance, appointment scheduling platforms (e.g., Calendly), communication platforms (e.g., WhatsApp), and providers of artificial intelligence platforms;

• Independent Data Controllers, such as companies and professionals involved in accounting and legal services;

• Public authorities or other entities, to whom disclosure of Personal Data is mandatory under applicable law or due to an order of a competent authority.

Some of your Personal Data is shared with recipients located outside the European Economic Area, particularly to the United States. In such a case, the Controller ensures that the transfer will take place in compliance with the applicable legal provisions (Arts. 44 et seq. GDPR), by stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission or verifying the provider's adherence to certification mechanisms such as the Data Privacy Framework. To receive further information regarding the processing by third parties and the transfer of your Personal Data, you may contact: daniele@aikosmo.com.

6. YOUR RIGHTS. As a data subject, you may exercise the rights provided for in Articles 15-22 of the GDPR at any time, and in particular:

• Right of access (Art. 15): the right to obtain confirmation as to whether your Personal Data is being processed, and, where this is the case, to access such data and receive information about the processing;

• Right to rectification (Art. 16): the right to obtain the correction of inaccurate Personal Data. With specific reference to AI systems, the Controller provides tools to request and obtain the correction of Data Processed inaccurately in content generation;

• Right to erasure ("right to be forgotten" Art. 17): the right to obtain have Personal Data erased, where technically feasible and one of the conditions set out in applicable law is met;
• Right to restriction of processing (Art. 18): the right to obtain a limitation on the processing of Personal Data in certain hypotheses;
• Right to data portability (Art. 20): the right to receive your Personal Data in a structured, commonly used, and machine-readable format;
• Right to object (Art. 21): the right to object at any time to the processing of Personal Data for direct marketing purposes and for processing based on the Controller's legitimate interest, such as AI-system training;
• Right not to be subject to automated decision-making (Article 22): to obtain human intervention, to express one’s point of view, and to contest decisions based solely on automated processing.

Requests can be addressed to the Controller at: daniele@aikosmo.com.

In any case, you always have the right to lodge a complaint with the competent Supervisory Authority (in Italy: Garante per la Protezione dei Dati Personali), pursuant to Art. 77 of the GDPR, if you consider that the processing of your Personal Data infringes applicable data protection legislation. When processing is based on your consent, you may withdraw such consent at any time for any processing activity that is not strictly necessary for the provision of the services. In particular, you may opt-out of receiving promotional communications at any time by clicking on the unsubscribe link included in each of our emails or by contacting us at: daniele@aikosmo.com. Please note that the withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal, in accordance with Art. 7(3) of the GDPR.

7. USE OF ARTIFICIAL INTELLIGENCE SYSTEMS. The KOSMO Intelligent Chatbot service uses artificial intelligence technologies, specifically LLM. In accordance with the transparency principles set out in the European AI ACT, GDPR, and national legislation L. 132/2025, we provide you with the following information:

• Transparency obligation: We inform you that you are interacting with a system that uses AI components. This system is designed to support AIKOSMO personnel in receiving, interpreting and routing your requests.

• System operation and logic: The AI system analyses the text of your requests to understand their content and purpose and to direct them to the appropriate internal function or department.

• Human oversight and absence of automated decision-making: We guarantee that the AI system operates as a support tool for our personnel. No decisions producing legal effects or otherwise significantly affecting you, within the purpose of Art. 22 of the GDPR are made exclusively by automated means. All complex requests, financial matters, or relevant decisions are subject to review and validation by a human operator.

• Accuracy and non-discrimination: The AI systems are developed and are periodically monitored to minimize the risk of errors and discriminatory effects, in line with best practices and regulatory requirements.

8. MODIFICATIONS. AI KOSMO SRL reserves the right to amend or update the this privacy policy at any time, including because of changes in applicable law. You will be informed of such changes through their publication on the Site. AI KOSMO SRL therefore invites you to visit this section periodically to stay informed of the most current version of the privacy policy.

Last update: Dicember 2025