Privacy Policy

Last updated: 24/02/26

This Privacy Policy explains how DUEBEE SRL (“DueBee”, “we”, “us”) processes personal data when you visit our websites, create an account, communicate with us, and use our services.

Controller

DUEBEE SRL, Via Vittorio Veneto 67, 39042 Bressanone (Italy), VAT: 03299600217, Company No.: BZ – 248492

Email: info@duebee.com

Data Protection Officer (DPO) (if applicable)

Contact: info@duebee.com

 

1) Roles: When we are Controller vs Processor

 

 

1.1 DueBee as Controller

 

We act as data controller for:

 

  • Website visitors (analytics, cookie choices, security logs)

  • Leads and contacts (sales, customer support)

  • Customer admins and billing contacts (account administration, invoicing)

  • Marketing recipients (where permitted)

 

 

1.2 DueBee as Processor (Customer Content)

 

When our customers use DueBee to process end-customer orders, contacts, messages, call recordings/transcripts, or similar operational data (“Customer Content”), our customer is the controller and DueBee acts as a processor on their behalf. In this case, processing is governed by our Data Processing Agreement (DPA) consistent with GDPR Art. 28.

If you are an end-customer of one of our business customers and want to exercise rights regarding Customer Content, please contact that business directly.

 

2) What Personal Data we collect (Controller context)

 

Depending on how you interact with us, we may collect:

A. Identity & contact data: name, business email, phone, company, role/title.

B. Account data: user ID, authentication data (hashed), admin settings, permissions.

C. Billing data: invoicing address, VAT ID, payment status, transaction references (payment card data is typically handled by the payment provider).

D. Communications: emails, chat messages, support tickets, call metadata.

E. Device & usage data: IP address, device identifiers, browser type, logs, approximate location from IP, events in the website/app.

F. Marketing preferences: opt-in/opt-out status, consent records.

G. Security data: audit logs, access logs, suspicious activity indicators.

 

3) Purposes and legal bases (Controller context)

 

We process personal data for the following purposes and legal bases under GDPR Art. 6:

 

  1. Provide and operate the Service (account creation, access, support)

    Legal basis: contract (Art. 6(1)(b)).

  2. Customer support and communications

    Legal basis: contract and/or legitimate interests (Art. 6(1)(b)/(f)).

  3. Billing, payments, accounting, and tax compliance

    Legal basis: contract and legal obligation (Art. 6(1)(b)/(c)).

  4. Security, fraud prevention, and service integrity

    Legal basis: legitimate interests (Art. 6(1)(f)).

  5. Product improvement and analytics (especially for the website/app)

    Legal basis: legitimate interests (Art. 6(1)(f)) and/or consent where required for cookies/trackers.

  6. Marketing (B2B) (newsletters, product updates, events)

    Legal basis: consent (where required) and/or legitimate interests for certain B2B communications, depending on local law; always with an easy opt-out.

 

We provide the information required by GDPR transparency rules (Articles 13/14) and aim for clarity per EDPB transparency guidance. 

 

4) Cookies and similar technologies

 

We use cookies and similar technologies for:

 

  • Strictly necessary website functions (security, load balancing, preferences)

  • Analytics and performance (if enabled)

  • Marketing (if enabled)

 

Where required under EU ePrivacy rules, we request consent for non-essential cookies/trackers and allow you to withdraw consent at any time via our cookie settings. 

(Optionally link) Cookie Notice: [URL]

Cookie Settings: [URL/button]

 

5) Sources of personal data

 

 

  • Directly from you (forms, onboarding, support)

  • Automatically (logs, cookies, device signals)

  • From our customers (only when you are a customer admin/user)

  • From third parties (e.g., enrichment/lead providers) where legally permitted; if so, we provide required Art. 14 disclosures. 

 

 

6) Sharing and recipients

 

We may share personal data with:

 

  • Service providers / processors (hosting, analytics, error monitoring, email delivery, CRM, customer support tools, payment providers)

  • Professional advisors (legal, accounting) where necessary

  • Authorities where required by law

  • Business transfers (merger/acquisition) subject to safeguards

 

We maintain appropriate contractual safeguards with processors, including data protection terms consistent with GDPR. 

 

7) International data transfers

 

If we transfer personal data outside the EEA/UK/Switzerland, we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and implement supplementary measures as needed. (Add your exact mechanism and vendor list.)

 

8) Data retention

 

We keep personal data only as long as necessary:

 

  • Account data: for the duration of the contract and a limited period thereafter

  • Billing data: as required by tax/accounting laws

  • Logs/security data: typically [30–180] days unless needed for investigations

  • Marketing data: until you opt out or we stop communications

 

For Customer Content processed as processor, retention is governed by the customer contract/DPA and customer instructions. 

 

9) Security

 

We implement appropriate technical and organizational measures designed to protect personal data (e.g., access controls, encryption in transit, least-privilege, logging, backups). No method of transmission/storage is 100% secure.

 

10) Your rights (Controller context)

 

Depending on your jurisdiction, you may have rights to:

 

  • Access, rectification, erasure, restriction, portability, objection

  • Withdraw consent (where processing is based on consent)

  • Lodge a complaint with a supervisory authority

 

To exercise rights, contact: info@duebee.com.

If you are an end-customer of a DueBee customer, your request should be directed to that customer (the controller).

 

 

11) Automated decision-making and profiling (Option B — GDPR Art. 13/14-ready text)

 

DueBee uses certain automated systems (including AI capabilities) to help operate the Service efficiently. In some cases, this may involve profiling and/or automated decision-making.

 

11.1 Where we use automation

 

Depending on your configuration and plan, automation may be used for:

A. Security and abuse prevention (Controller context)

 

  • Detecting suspicious logins, unusual API usage, credential stuffing, spam, or other abuse patterns.

  • Automatically applying protective actions (e.g., additional verification, rate limiting, temporary session blocks).

 

B. Account/service integrity actions (Controller context)

 

  • Automatically flagging or temporarily restricting activity that violates Acceptable Use or creates a material security risk.

 

C. Service performance and routing (Processor or Controller depending on data)

 

  • Automatically prioritizing, categorizing, or routing operational requests (e.g., support triage, message routing, call routing) based on signals such as urgency keywords, historical context, or operational rules.

 

D. Business insights and recommendations (typically Processor context)

 

  • Generating recommendations (e.g., suggested next actions, likely missing fields in an order, anomaly detection, reminders).

  • Producing summaries or suggested replies.

 

Important: When we process your operational content (orders, end-customer messages, transcripts, etc.) on behalf of our Customer, the Customer is the controller and DueBee is the processor. In that case, the Customer determines whether such automation is enabled and the purpose of the processing.

 

11.2 Logic involved (high-level explanation)

 

Our automated systems generally operate using combinations of:

 

  • Rule-based logic (e.g., thresholds, allow/deny lists, validation rules, compliance checks)

  • Statistical models / machine learning (e.g., classification of intents, anomaly detection, prioritization, probability scores)

  • Contextual signals (e.g., recent activity, device/browser patterns, rate of requests, operational metadata, historic interactions)

 

We do not use “special category” data (e.g., health, religion, political opinions) for automated decisions unless explicitly provided by you and legally permitted.

 

11.3 Significance and potential consequences

 

Depending on the context, automated processing may result in:

 

  • Security controls being applied (e.g., challenge prompts, temporary lockouts, throttling).

  • Temporary restrictions on account features where we detect high risk or apparent policy violations.

  • Prioritization/routing outcomes (e.g., certain items being placed in a queue, flagged for review, or categorized differently).

  • Recommendations that influence workflow efficiency (e.g., suggested corrections to an order before it is submitted).

 

Unless explicitly stated otherwise, these actions are designed to protect the Service and improve efficiency and are not intended to produce legal effects.

 

11.4 Human intervention, contesting decisions, and your rights

 

Where required by applicable law, you have the right to:

 

  • request human review of an automated decision,

  • express your point of view,

  • contest the decision, and

  • obtain an explanation of the decision outcome to the extent legally permissible and consistent with security needs.

 

To request review, contact [privacy@duebee.com] or your account administrator. If the relevant data is processed on behalf of a DueBee customer (processor context), please contact that customer (the controller) first; we will support them as required under our DPA.

 

11.5 How to disable or limit automation

 

Certain automation features may be configurable by Customer administrators (e.g., AI recommendations, routing rules, transcription/summarization). If you are a user, please contact your organization’s admin.

 

 

 

12) Children

 

The Service is intended for business users and not directed to children.

 

13) Contact and complaints

 

Questions: [privacy@duebee.com]

Supervisory authority: You may contact your local DPA.

 

14) Changes to this Privacy Policy

 

We may update this Policy from time to time. We will post the updated version and update the “Last updated” date. Material changes may be notified via email or within the Service.