
· Privacy / GDPR · 2026-06-03

Privacy Policy

This is the privacy policy for stephenbellotto.com and the « Agência de IA » dashboard. ⚠ DRAFT: this text is a template pending validation by a data-protection lawyer. We follow the GDPR (Regulation (EU) 2016/679), the Meta Platform Terms and the EU AI Act.

1. Who we are

Controller: Stephen Bellotto (Sliema, Malta). Contact for data protection: designer@stephenbellotto.com.

Supervisory authority: Information and Data Protection Commissioner (IDPC) Malta — idpc.org.mt.

2. Data we process

Forms (briefing, contact, newsletter): name, email, company, phone, message, attachments, language.

Admin/team access: email + hashed password + session tokens.

Technical/security logs: IP, user-agent, pages visited, timestamps.

AI interactions: prompts you submit + AI-generated content (text, image, translation, analysis).

Meta integrations (if connected): Page ID, IG User ID, access tokens (encrypted), inbox messages, post metadata.

3. Purposes and legal basis (GDPR Art. 6)

A. Reply to your contact — pre-contractual steps (Art. 6(1)(b)).

B. Deliver our services — contract performance (Art. 6(1)(b)).

C. Newsletter — explicit opt-in consent (Art. 6(1)(a)).

D. Tax / accounting obligations — legal duty (Art. 6(1)(c)).

E. Operate the dashboard — legitimate interest (Art. 6(1)(f)).

F. Generate AI content on your behalf — contract performance (Art. 6(1)(b)).

G. Publish to social networks via Meta — your explicit authorization when you connect the account (consent, Art. 6(1)(a)).

H. Detect fraud, protect infrastructure — legitimate interest (Art. 6(1)(f)).

We DO NOT process special-category data (Art. 9) without explicit, specific consent.

4. Who we share data with (subprocessors)

Vercel Inc. (US) — hosting, blob storage, edge functions.

OpenAI Ireland Ltd. / Anthropic PBC (US) — AI generation (text/image). API mode: providers DO NOT train on your data.

Google LLC (Gmail API + Calendar API) — sending transactional email and reading calendar availability on your behalf.

Translated S.r.l. (Italy, MyMemory) — translation fallback.

Meta Platforms Ireland Ltd. — only when you connect a Meta account.

Stephen Bellotto's use of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Google data is used only to send email and read calendar availability on your behalf, never for advertising, and no human reads it except with your explicit consent or for security or legal reasons.

5. International transfers

Some providers process data in the US. Transfers rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where the provider is certified, on the EU-US Data Privacy Framework.

Email designer@stephenbellotto.com to request a copy of the safeguards.

6. Retention

Contact requests with no follow-up: 6 months. Client data after contract: 10 years (tax obligation, Malta). Newsletter: until unsubscribe. Technical logs: 12 months. AI prompts/output: up to 90 days. Encrypted backups: 30 days after main deletion.

7. Your rights (GDPR Arts. 15–22)

Access, rectify, erase, restrict, port, object, withdraw consent at any time, and not be subject to solely automated decisions.

How: email designer@stephenbellotto.com with proof of identity. We answer within one month (extendable by two further months in complex cases, Art. 12(3)); we will tell you if an extension applies.

Complaint: IDPC Malta or your national authority (edpb.europa.eu).

8. Cookies

We use a minimum set of essential cookies and ask for opt-in consent for analytics/marketing cookies via a banner. See /cookies for the full table and re-open the consent manager at any time.

9. Meta integrations (Instagram, Facebook, WhatsApp)

Data collected only when you connect your Meta account: identifiers, encrypted tokens, posts you publish, inbox messages (if enabled).

Purpose: only the actions you authorize. Never used for profiling, sale or third-party analytics.

Deletion: disconnect the app under Meta Settings, or email designer@stephenbellotto.com (subject: « User Data Deletion — Meta »). We act within 30 days. We also implement the Data Deletion Callback at /api/meta-deletion-callback (Meta sends us deletion requests automatically).
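As an added example (not the site's own code), below is a minimal handler for the Data Deletion Callback mentioned above, showing the check that matters for security: Meta POSTs a form field `signed_request` of the form `<base64url signature>.<base64url payload>`, the signature being HMAC-SHA256 over the encoded payload string with the app secret, and the endpoint must answer with JSON containing `url` and `confirmation_code`. If the signature is not verified before acting, anyone who can reach the URL could trigger deletion of any connected user's integration. The app secret, status URL and sample request in the block are constructed for the example and are not the real values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical values for this example; the real app secret and status URL are not on the page.
APP_SECRET = "example-app-secret-not-real"
STATUS_URL_BASE = "https://stephenbellotto.com/meta-deletion-status/"


def _b64url_decode(data: str) -> bytes:
    """Meta strips '=' padding from base64url; restore it before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def parse_signed_request(signed_request: str, app_secret: str):
    """Verify a Meta signed_request and return its payload dict, or None if invalid.

    The MAC covers the *encoded* payload string, and the comparison is constant-time.
    """
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(app_secret.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    try:
        given = _b64url_decode(encoded_sig)
    except Exception:  # binascii.Error on malformed base64
        return None
    if not hmac.compare_digest(given, expected):
        return None
    try:
        payload = json.loads(_b64url_decode(encoded_payload))
    except Exception:
        return None
    if not isinstance(payload, dict) or payload.get("algorithm", "").upper() != "HMAC-SHA256":
        return None
    if "user_id" not in payload:
        return None
    return payload


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a signed_request the way Meta does; used here only to construct sample input."""
    encoded_payload = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{encoded_payload}"


def handle_deletion_callback(form_signed_request: str, app_secret: str = APP_SECRET):
    """Return (http_status, json_body) for a POST to /api/meta-deletion-callback."""
    payload = parse_signed_request(form_signed_request, app_secret)
    if payload is None:
        return 400, {"error": "invalid signed_request"}
    user_id = str(payload["user_id"])
    confirmation_code = secrets.token_hex(8)
    # A real handler would enqueue deletion of the stored tokens, messages and
    # post metadata for user_id here and record confirmation_code for the status page.
    return 200, {"url": STATUS_URL_BASE + confirmation_code, "confirmation_code": confirmation_code}


if __name__ == "__main__":
    # Constructed sample request, as Meta would send it for a user who removed the app.
    sample = make_signed_request(
        {"algorithm": "HMAC-SHA256", "issued_at": 1700000000, "user_id": "1234567890"}, APP_SECRET
    )
    print(handle_deletion_callback(sample))
    print(handle_deletion_callback("not.signed"))
```

The status URL returned in `url` should show the deletion state for the given confirmation code, and the deletion itself should run asynchronously so the callback can respond quickly regardless of how much data is queued.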

10. Automated decisions and AI (GDPR Art. 22 + EU AI Act)

AI-generated content is identified as such (UI badge).

Models: OpenAI gpt-4o-mini (text), gpt-image-1 (image); or Anthropic Claude. Providers DO NOT use your data to train models.

We do not take decisions with legal or significant effect without human review. You can request human intervention and contest any automated outcome.

11. AI automation app for clients (B2B)

When you use our AI automation app for your business, we act as Processor (Art. 28). You are the Controller. We sign a Data Processing Agreement (DPA) before any data is processed. Tenants are isolated; other clients do not see your data.

12. Security

TLS 1.3 in transit, encryption at rest for sensitive data (including Meta access tokens), principle of least privilege, monitored access. Personal-data breaches are notified to the authority without undue delay and, where feasible, within 72 hours (Art. 33), and to affected data subjects when the breach is likely to result in a high risk to them (Art. 34).

13. Children

Service not directed to users under 16 (the GDPR Art. 8 default age of consent for information-society services; Member States may set a lower age). Contact us to delete any inadvertent collection.

14. Changes

Material changes are communicated to subscribers/clients 30 days in advance. Current version dated 2026-06-03.

15. Contact

designer@stephenbellotto.com · Stephen Bellotto, Sliema, Malta. Applicable law: Maltese law and EU law. Forum: Maltese courts, without prejudice to consumer-protection rights in your EU country of residence.