Privacy Policy
What we collect, where it goes, who accesses it, how you delete it. No unreadable legalese.
Last updated: May 13, 2026
Data controller: Labutech Srls — Milan, Italy — VAT no. 10522260966 — contact: info@profree.co
1. What data we collect
Registration data
- Name (required)
- Email (required, no disposable/throwaway email)
- Password (encrypted by Supabase Auth, never in plain text)
- Telegram username (optional, to link the bot)
- Telegram user ID (auto-populated on the first /start)
Usage data
- Messages sent to the bot (text, voice transcriptions, photo descriptions)
- Tasks, projects, goals and calendar items created in the GTD system
- Identity declared during onboarding (who you are, what you're building, what you can't stand)
- Conversation history (multi-turn memory, last 20 turns)
- 3-layer memory (short-term 48h, mid-term, long-term)
- Message count, plan, trial/subscription expiry
Technical data
- Server logs (errors, performance, anonymous)
- Essential technical cookies (user session) — always on, no opt-out (required for the service to work)
- Analytics cookies (Vercel Analytics, anonymous) — granular opt-in via the cookie banner
- Marketing cookies (Instagram/Meta pixel) — granular opt-in via the cookie banner
2. Where your data lives
- Database and authentication: Supabase (Frankfurt data center, EU). Postgres with encryption at rest.
- Frontend hosting: Vercel (USA, but the site accesses EU data; EU↔USA data transfer covered by Standard Contractual Clauses).
- Bot hosting: Railway (USA, also under SCCs).
- AI processing: Anthropic (Claude API, USA) for the bot's reasoning; OpenAI (Whisper API, USA) only to transcribe voice notes. Both under enterprise privacy terms: your data is NOT used to train the models.
3. Why we process your data (legal bases)
- Performance of a contract (art. 6.1.b GDPR): to provide you the Otto service.
- Legitimate interest (art. 6.1.f): technical logs for debugging and security, billing.
- Explicit consent (art. 6.1.a): only for analytics and marketing, collected via the cookie banner with granular opt-in, revocable at any time.
4. How long we keep data
- Short-term memory: 48 hours from the last capture (auto-expiry)
- Mid-term and long-term memory: as long as your account is active
- Conversation history: indefinite while the account is active (you can request partial deletion)
- Billing data: 10 years as required by Italian tax law
- Everything else, on account deletion: removed within 14 business days of the request
5. Who accesses your data
- Chris La Porta (Labutech Srls admin), for support and debugging, only if strictly necessary
- Automated systems (bot, cron, AI providers): programmatic access, never human
- No one outside these parties. No sale to third parties. No data brokers.
6. Your rights (GDPR)
You have the right to:
- Access: ask us for a copy of all your data (reply within 30 days)
- Rectification: correct inaccurate data from your dashboard or by email
- Erasure (right to be forgotten): dashboard → Delete account, or email info@profree.co
- Portability: export in JSON format within 7 days of the request
- Restriction of processing: suspend processing on request
- Objection: revoke consent for analytics/marketing (via the cookie banner → Customize)
- Complaint: to the Italian Data Protection Authority (garanteprivacy.it)
7. International transfers
Some of our providers (Vercel, Railway, Anthropic, OpenAI) are based in the USA. EU→USA transfers happen under the Standard Contractual Clauses approved by the European Commission, compliant with the GDPR and the Schrems II ruling.
8. Security
- HTTPS everywhere (TLS 1.3)
- Passwords stored only as hashes (Supabase Auth, bcrypt)
- Postgres Row Level Security (RLS) on every sensitive table
- API tokens never exposed to the client
- 2FA on the roadmap for Executive/Enterprise plans
9. Changes
We update this policy transparently. Significant changes are communicated by email at least 30 days before they take effect.
10. Contact us
For any privacy matter: info@profree.co. We reply within 3 business days.