RESTHeart Services Privacy Policy

This privacy policy governs all RESTHeart services provided by SoftInstigate Srl Società Benefit under Italian and EU law. Please contact us at info@softinstigate.com for any questions.

Last updated: May 14, 2026

Regulation (EU) 2016/679 (“General Data Protection Regulation”), hereinafter GDPR, provides for the protection of natural persons with regard to personal data.

SoftInstigate is committed to ensuring that the processing of data relating to a natural person (hereinafter “data subject”) is based on the principles of correctness, lawfulness and transparency, as well as protection of confidentiality and the rights of the data subject.

SoftInstigate will process your personal data in compliance with regulations, with the utmost care, implementing effective management procedures and processes to ensure the protection of processing, committing to protect the information communicated in such a way as to avoid unauthorized access or disclosure as well as to maintain data accuracy and to ensure appropriate use of the same.

We provide you pursuant to art. 13 of the GDPR (EU regulation 2016/679) and in consistency with the principle of transparency, the following information in order to make you aware of the characteristics and methods of data processing:

1. Identity and Contact Details

The Data Controller is SoftInstigate S.R.L. Società Benefit

Legal representative: Andrea Di Cesare
Registered office: Via del Beato Cesidio 49, 67100, L’Aquila, Italy
Email: info@softinstigate.com
Certified email (PEC): andrea.dicesare@ingpec.eu

2. Contact Details of the Data Protection Officer (DPO)

As SoftInstigate does not fall within the cases provided for in art. 37, paragraph 1, of the GDPR, a Data Protection Officer has not been appointed.

3. Types of Data Processed, Purpose of Processing, Legal Basis and Legitimate Interest

SoftInstigate collects and/or receives autonomously or through third parties the personal data indicated below which will be processed for the purposes described below.

3.1. Types of Data Processed

The information concerning you as a Data Subject includes:

Personal data (e.g., name, surname, physical address, nationality, province and municipality of residence, landline and/or mobile phone, tax code, email address/es);
Billing data necessary for invoicing products and services purchased directly from SoftInstigate;
Account data for RESTHeart service registration, including username, password hash, service tier selection, and region preferences;
Service usage data including API calls, database operations, resource consumption, and service performance metrics for billing, monitoring, and service optimization purposes;
Technical data such as IP addresses, user agent strings, and connection logs necessary for service provision and security;
Payment data necessary for billing and subscription management. Payment processing for cloud services purchased through our self-provisioning platform is handled using Stripe as our payment provider, and you are invited to review their privacy policy. For managed services, payment is typically handled through direct wire transfers;
Web traffic data processed in aggregated and automated form through privacy-focused analytics, collected only for statistical purposes and never used for user identification or profiling;
Communication data including emails, support tickets, and other communications with SoftInstigate for customer support and service delivery purposes;
Marketing data with explicit consent, including preferences for receiving information about RESTHeart services, updates, and promotional materials.
Knowledge base content (Sophia only): documents uploaded by the Customer to a Sophia Tenant for the purpose of building a private retrieval-augmented generation (RAG) knowledge base. May include text, structured data, embedded images. The Customer is responsible for the lawful basis of any personal data contained in such content (see §10.4 below).
Chat conversations (Sophia only): messages exchanged between Users and conversational AI agents through Sophia, including the messages sent by Users, the responses generated by AI agents, and metadata (timestamps, agent identifier, token usage).
Agent configurations (Sophia only): prompts, agent definitions, tags, knowledge-base scoping rules, and other configuration metadata managed by Tenant Administrators.
AI usage metrics (Sophia only): per-request metrics including model identifier, prompt and completion token counts, cost attribution, and latency, used for billing, monitoring, and service optimization.

3.2. Purpose of Processing and Legal Basis

Personal data is processed for the following purposes:

Service Delivery and Performance (Legal basis: Contract performance)

Provision of RESTHeart Cloud Services, Managed Services, and Sophia
Account management and authentication
Technical support and customer service
Service monitoring and optimization
Billing and payment processing
Knowledge base ingestion, segmentation, and embedding generation for the Sophia RAG pipeline
AI agent invocation against the Customer’s knowledge base
Chat history persistence and retrieval for User access
Multi-tenant isolation enforcement

Legal and Regulatory Compliance (Legal basis: Legal obligation)

Tax and accounting obligations
Compliance with Italian and EU regulations
Data retention as required by law

Legitimate Business Interests (Legal basis: Legitimate interest)

Service improvement and development
Security monitoring and fraud prevention
Statistical analysis and reporting
Business communications related to existing services

Promotional communications (with explicit consent)
Newsletter and service updates (with explicit consent)
Market research and surveys (with explicit consent)
Onboarding emails following RESTHeart Cloud registration

By creating an account, you agree to receive product updates and marketing communications. You can unsubscribe at any time.

SoftInstigate may share personal data with:

Payment Processors: Stripe for cloud service payments
Cloud Infrastructure Providers: AWS and other cloud providers for service delivery
Technical Partners: Limited to service delivery requirements
Legal Authorities: When required by law or legal process
AWS Bedrock (Sophia only): Sophia accesses all large language model and embedding services exclusively through Amazon Web Services Bedrock. All AI model invocations (including any third-party foundation models made available through Bedrock) are governed by the AWS Service Terms and the AWS Data Processing Addendum. AWS Bedrock does not retain Customer Content beyond what is necessary for the operation, and does not use Customer Content to train or improve foundation models or any other AWS or third-party models.

All third-party processors are bound by appropriate data protection agreements and GDPR compliance requirements.

5. Data Retention

Personal data is retained for different periods based on the purpose:

Account data: Duration of service plus 3 years for legal compliance
Billing data: 10 years as required by Italian tax law
Service usage data: Up to 2 years for service optimization
Marketing data: Until consent is withdrawn
Communication data: 3 years for customer service purposes
Knowledge base content (Sophia): retained for the duration of the Tenant subscription. Upon termination of the Customer contract, the Customer has 60 days to export the content; after such period the content is permanently deleted.
Chat history (Sophia): retained for the duration of the Tenant subscription. The Customer (via Tenant Administrator) may configure chat retention period within the limits of the selected Service Tier.
AI usage metrics (Sophia): retained for 24 months for billing and analytics purposes.
Sophia API tokens: retained until explicit revocation by the Customer or expiration.

As a data subject, you have the following rights:

Access: Right to obtain confirmation about data processing and access to your data
Rectification: Right to correct inaccurate or incomplete data
Erasure: Right to deletion of personal data under certain conditions
Restriction: Right to restrict processing under certain conditions
Portability: Right to receive your data in a structured format
Objection: Right to object to processing based on legitimate interests
Consent withdrawal: Right to withdraw consent for marketing communications

To exercise these rights, please contact us at info@softinstigate.com.

7. Data Security

SoftInstigate implements appropriate technical and organizational measures to protect personal data, including:

Encryption of data in transit and at rest
Access controls and authentication systems
Regular security audits and monitoring
Staff training on data protection
Incident response procedures

8. International Data Transfers

Data may be transferred to countries outside the EU for service delivery purposes. All transfers are conducted with appropriate safeguards, including:

EU adequacy decisions
Standard contractual clauses
Certification mechanisms

9. Cookies and Tracking Technologies

9.1. Analytics

We use privacy-focused analytics to understand how our services are used:

No tracking cookies: We do not use tracking cookies that identify individual users
Aggregated data only: All analytics data is processed in aggregated form
Privacy-first approach: Our analytics solution is designed to respect user privacy
No personal identification: Analytics data cannot be used to identify individual users

9.2. Server-Side Tracking for Cloud Services

For RESTHeart Cloud services (cloud.restheart.com), we implement privacy-focused server-side tracking to measure service performance and marketing effectiveness.

Privacy-First Approach: We have deliberately designed our tracking system to maximize your privacy: - No tracking cookies: We built a cookie-free tracking system to avoid invasive browser tracking - No personal data sharing: We only send pseudonymized (hashed) identifiers to Google, never your actual email address or personal information - Server-side only: All tracking happens on our servers, not in your browser, giving you more control - Purpose-limited: We track only conversion events (signups, provisioning, purchases) to measure advertising campaign effectiveness, not your browsing behavior

Google Analytics 4 (GA4)

We use GA4 to track page views and user interactions within cloud.restheart.com:

Server-side tracking: All tracking is performed server-side without client-side cookies
Data pseudonymization: Email addresses are hashed (SHA-256) creating pseudonymous identifiers that cannot be reversed
Data collected: Page views, pseudonymous user identifiers (hashed email addresses), referring pages, and Google Click IDs (gclid) when present
Purpose: Understanding service usage patterns, measuring marketing campaign effectiveness, and improving user experience
Legal basis: Consent obtained during account registration (Article 6(1)(a) GDPR)
Data sharing: Only pseudonymized data is shared with Google LLC under their data processing agreement and GDPR-compliant standard contractual clauses
Privacy protection: Users cannot be individually identified from GA4 data; all personal identifiers are hashed before transmission

Google Ads Conversion Tracking

We track conversions (signups, service provisioning, purchases) for advertising campaign measurement:

Enhanced Conversions: We use Google Ads Enhanced Conversions with hashed email addresses to measure conversion performance
Data collected: Hashed email addresses (SHA-256), conversion events (signup, provision_free, purchase), conversion values, and Google Click IDs (gclid) when available
Purpose: Measuring advertising campaign effectiveness and optimizing ad performance
Legal basis: Consent obtained during account registration (Article 6(1)(a) GDPR)
Data hashing: Email addresses are hashed using SHA-256 before transmission to Google for privacy protection
Data sharing: Hashed conversion data is processed by Google LLC for conversion attribution under their data processing agreement
No cookies required: Conversion tracking works even when ad blockers or privacy browsers block tracking cookies

By creating a RESTHeart Cloud account, you consent to this server-side tracking for service improvement and marketing measurement. You can: - Withdraw consent: Contact us at info@softinstigate.com to opt out - Request data deletion: Request deletion of your tracking data at any time - Continue using services: Opting out of tracking will not affect your ability to use RESTHeart Cloud services

Data Retention

GA4 data is retained according to Google’s data retention policies (configurable, typically 2-14 months)
Conversion event logs are retained in our systems for up to 90 days for audit purposes
Google Click IDs (gclid) are stored for up to 90 days to enable conversion attribution
Upon request, we will delete your tracking data within 30 days

9.3. Essential Cookies

We may use essential cookies necessary for:

Service authentication and session management
Security and fraud prevention
Service delivery and functionality

For non-essential cookies, we will obtain your explicit consent before placing them on your device.

10. Data Processing for Different Services

10.1. RESTHeart Cloud Services

For cloud services, data processing includes:

Account registration and management through cloud.restheart.com
Payment processing through Stripe
Service usage monitoring and billing
Self-service support and documentation access
Onboarding email series: After registration, users will receive up to 6 emails with tips and suggestions over a period of several days to help them get started with the service. Users can unsubscribe from these emails at any time using the unsubscribe link provided in each email

10.2. RESTHeart Managed Services

For managed services, data processing includes:

Commercial consultation and proposal development
Custom service configuration and deployment
Enterprise support and direct communication
Wire transfer payment processing and invoicing

10.3. RESTHeart On-Premises Licensing

For on-premises licensing, data processing includes:

License key generation and management
Technical support for licensed installations
Billing and payment processing for licenses
Compliance monitoring for license terms

10.4. RESTHeart Sophia (Conversational AI Knowledge Base)

For Sophia services, data processing includes:

10.4.1 Roles and responsibilities

The Customer (typically a legal entity that subscribes to Sophia) acts as data controller with respect to:

the personal data of its Users (employees, collaborators, end-customers who access the Sophia platform under the Customer’s Tenant);
the personal data potentially contained in the documents uploaded to the knowledge base;
the personal data potentially contained in the chat conversations.

SoftInstigate Srl Società Benefit acts as data processor pursuant to Article 28 GDPR with respect to the data processed on behalf of the Customer. A separate Data Processing Agreement (DPA) is available upon request.

10.4.2 Multi-tenant isolation

Sophia is a multi-tenant service. Each Customer accesses an isolated logical partition (the “Tenant”). SoftInstigate implements access control mechanisms (role-based ACLs scoped by tenant, plus dedicated server-side checks for backend-generated documents) to ensure that data belonging to one Tenant is not accessible from another Tenant, unless explicitly configured by the Customer (e.g. public agents).

10.4.3 AI sub-processor (AWS Bedrock)

Sophia performs language model inference and embedding generation exclusively through Amazon Web Services Bedrock. All AI-related processing — including invocations of any third-party foundation model made available through Bedrock — is governed by the AWS Service Terms and the AWS Data Processing Addendum applicable to Amazon Bedrock.

When a User submits a message to an AI agent:

the message and a contextual selection of knowledge base fragments are transmitted to AWS Bedrock over an encrypted channel (TLS);
Bedrock processes the request and returns a generated response;
Bedrock does not retain the request data beyond what is necessary for the operation, and does not use Customer Content to train or improve any foundation model.

10.4.4 International transfers

AWS Bedrock may operate infrastructure in the United States and other jurisdictions outside the European Economic Area. Transfers are conducted with the following safeguards:

EU Standard Contractual Clauses (SCCs) approved by the European Commission, as included in the AWS Data Processing Addendum;
Supplementary technical measures (TLS encryption in transit, no persistent storage of request data on Bedrock side, pseudonymization where applicable);
AWS participation in the EU-U.S. Data Privacy Framework.

Where supported by AWS Bedrock and required by the Customer, model invocations can be scoped to specific AWS Regions (including EU Regions) to minimize cross-border transfers.

Sophia operates on an invitation-only model: no User can self-register. A Tenant Administrator or SoftInstigate administrator issues an invitation via email. The invited User, upon activation, must:

set a personal password;
explicitly accept the Sophia Terms of Service (https://restheart.com/legal/terms/sophia/);
explicitly accept this Privacy Policy;
explicitly approve the unfair clauses listed in the Terms of Service pursuant to art. 1341 c.c.

The acceptance is recorded in the User’s account with: version of the accepted documents, timestamp, IP address of acceptance. This record constitutes evidence of consent and contract conclusion.

10.4.6 User rights specific to Sophia

In addition to the general rights listed in §6 of this Privacy Policy, Sophia Users have the following Service-specific capabilities (accessible via the Sophia web interface or by request to the Customer’s Tenant Administrator):

Access to own chat history: Users may view and export their own conversations.
Deletion of own chat history: Users may delete individual conversations.
Account closure: Users may request the Tenant Administrator to disable or delete their account.

Where the Customer (as data controller) is unable or unwilling to satisfy a User’s request, the User may contact the Supplier directly at info@softinstigate.com.

10.4.7 Restrictions on uploaded content

The Customer undertakes not to upload to the Sophia knowledge base any data classified as “special categories of personal data” pursuant to Article 9 GDPR, unless a specific Data Processing Agreement addressing such categories has been signed with the Supplier.

The Customer also undertakes to ensure that the upload of any third-party content into the knowledge base is performed under appropriate intellectual property and data protection legal bases (consent, contract, legitimate interest as applicable).

10.4.8 AI-generated content and accuracy disclaimer

The Customer and its Users acknowledge that responses generated by AI agents are produced by stochastic statistical models and may contain inaccuracies, hallucinations, or fabricated references. Such responses do not constitute personal data of the User in a strict sense, but may include references to information present in the knowledge base or generated by the model. Users have the right to flag inaccurate AI-generated responses through the Sophia interface; however, the Supplier does not guarantee the correction of such responses, as they are generated dynamically at each request.

11. Children’s Privacy

Our services are not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.

12. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. We will notify users of material changes by:

Posting the updated policy on our website with a new “Last updated” date
Sending email notifications to registered users for significant changes
Providing notice through our service interfaces where applicable

Continued use of our services after changes become effective constitutes acceptance of the updated privacy policy.

For Sophia, a major version bump of this Privacy Policy will trigger a blocking re-acceptance flow at the next User login: the User cannot continue to use the Service until they explicitly accept the new version. This mechanism is in addition to the email notification described above.

13. Contact Information

For any questions about this privacy policy or your personal data:

Email: info@softinstigate.com
Mail: SoftInstigate Srl Società Benefit, Via del Beato Cesidio 49, 67100, L’Aquila, Italy
Subject: Please reference “Privacy Policy” or “GDPR Request” in your communication

14. Complaints

You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) if you believe your data protection rights have been violated:

Website: https://www.gpdp.it
Address: Piazza di Monte Citorio, 121, 00186 Roma RM, Italy

15. Legal Framework

This privacy policy is governed by:

EU General Data Protection Regulation (GDPR) 2016/679
Italian Legislative Decree 196/2003 as amended
Italian Civil Code provisions on privacy and data protection
EU Digital Services Act and related regulations

Questions About This Policy?

If you have questions about this privacy policy or how we handle your personal data, please contact us at info@softinstigate.com. We’re committed to protecting your privacy and will respond to your inquiry promptly.

View Terms and Conditions | Contact Us

Information on Personal Data Processing pursuant to Articles 12 and following of the General Data Protection Regulation (GDPR)