Privacy Policy

Last updated: September 23, 2025

This Privacy Policy describes how McFrancis (hereinafter "we", "our" or the "Company") collects, uses and protects the personal information that the user ("you" or "the user") provides when using our website [www.mcfrancis.com] (the "Site").

1. Data Controller

The Data Controller is Steven Di Francesca (DFRSVN00H05L219A), with registered office at Via Sandro Botticelli, 58 Turin, VAT number: 12272120010.

Data Controller email address: steven@mcfrancis.com

2. Types of Data Collected

Among the Personal Data collected by this Site, either independently or through third parties, there are: Cookies, Usage Data, name, surname, email address, phone number, uploaded files and documents, images, company data (company name, VAT number, IBAN, address, contacts), security test data and various types of Data.

Personal Data may be freely provided by the User or, in the case of Usage Data, collected automatically during the use of this Site. For security improvement purposes, we may also collect technical data related to the website or infrastructure indicated by the user for security testing.

Data voluntarily provided by the user

The optional, explicit and voluntary sending of email to the addresses indicated on this site, or the completion of contact forms, involves the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data included in the message. Access to the restricted area of the platform (Dashboard) involves the insertion and processing of additional data such as profile images, documents (PDF, DOC, etc.), company signature, commercial and financial data. Data entered in support tickets, including any attachments, are stored to manage assistance requests. For security improvement purposes, users may provide information about their website or infrastructure for security testing.

Navigation Data

The computer systems and software procedures responsible for the operation of this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by their very nature could, through processing and associations with data held by third parties, allow users to be identified.

3. Purpose of Processing

User Data is collected to allow the Data Controller to provide its Services, as well as for the following purposes:

• Contacting the User: Responding to requests for information, quotes, or of any other nature indicated by the form header.
• Statistics: Monitoring and analyzing traffic data and tracking User behavior (e.g. through Google Analytics with anonymized IP).
• Interaction with AI Human (Sami): Conversations with the virtual assistant are processed to provide relevant responses and improve service quality. Conversation data may be analyzed in aggregate and anonymous form for training and optimization purposes.
• Legal compliance: Complying with legal obligations and requests from authorities.

3.1 Security Improvement

With the explicit consent of the user, we may perform proactive security tests (penetration tests) on the website or infrastructure indicated by the user. This activity is carried out to:

• Identify potential security vulnerabilities
• Improve the overall security of digital systems
• Provide security recommendations and reports
• Prevent cyber attacks and data breaches

During security tests, we may collect technical data such as: system configurations, network responses, security logs, vulnerability information. This data is processed exclusively for security improvement purposes and is not shared with third parties except as required by law.

Data collected during security tests is retained for the time necessary to complete the analysis and provide security reports, and in any case for no more than 12 months from the completion of the test, unless longer retention is required by law.

Exclusive Purpose: The purpose of such tests is solely preventive and improvement-oriented. Information about any vulnerabilities discovered will be treated with the utmost confidentiality, communicated exclusively to the User and used only to advise and implement necessary security measures. Under no circumstances will such activities be conducted with malicious intent or to damage the User's systems.

Voluntary Nature of Consent: Giving consent for this specific purpose is entirely voluntary and does not in any way affect the use of other services offered by the Site.

4. Legal basis for processing

The Data Controller processes Personal Data relating to the User if one of the following conditions exists:

• the User has given consent for one or more specific purposes (including security testing as per point 3.1);
• processing is necessary for the performance of a contract with the User and/or for the implementation of pre-contractual measures;
• processing is necessary to comply with a legal obligation to which the Data Controller is subject;
• processing is necessary for the pursuit of the legitimate interest of the Data Controller or third parties.

5. Retention period

Data is processed and stored for the time required by the purposes for which it was collected. Therefore, Personal Data collected for purposes related to the performance of a contract between the Data Controller and the User will be retained until the performance of such contract is completed. Personal Data collected for purposes attributable to the legitimate interest of the Data Controller will be retained until such interest is satisfied. Data collected for security testing purposes (point 3.1) will be retained for no more than 12 months from the completion of the test, unless longer retention is required by law.

6. User Rights

Users may exercise certain rights with reference to Data processed by the Data Controller. In particular, the User has the right to:

• withdraw consent at any time (including consent for security testing).
• object to the processing of their Data.
• access their Data.
• verify and request rectification.
• obtain restriction of processing.
• obtain deletion or removal of their Personal Data.
• receive their Data or have it transferred to another controller (portability).
• file a complaint with the competent data protection supervisory authority.

To exercise User rights, Users can address a request to the Data Controller's contact details indicated in this document.

7. Cookie Policy

This Site uses Cookies. To learn more and to view the detailed information, the User can consult the Cookie Policy.

8. Changes to this privacy policy

The Data Controller reserves the right to make changes to this privacy policy at any time by informing Users on this page. Please therefore consult this page regularly, referring to the date of last modification indicated at the bottom. This policy was last updated on January 15, 2025, to include information about security testing activities.