Privacy Policy
Last updated: 9 July 2026 · Version 1.0
This Policy describes how IVEMIND Società Cooperativa Sociale(“Ivemind” or the “Controller”) processes the personal data of users of the rivedi.ai website and of the rivedi service, pursuant to Regulation (EU) 2016/679 (“GDPR”) and Italian Legislative Decree 196/2003 (the “Privacy Code”). By using the site or the service, the user acknowledges the practices described here.
This English text is provided for convenience only. In case of any discrepancy, the Italian version of this Policy prevails.
1. Data Controller
The Data Controller is IVEMIND Società Cooperativa Sociale, with registered office at Via Werner von Siemens 23, 39100 Bolzano (BZ), Italy. Tax code and VAT number: IT03138990217. Registered with the Bolzano Company Register no. 03138990217, REA BZ-235349. Certified email (PEC): ivemindscs@pec.it. For requests regarding the processing of personal data you can contact the Controller at: privacy@ivemind.com (privacy), info@ivemind.com (support and information), sales@ivemind.com (commercial requests). The Controller has not appointed a Data Protection Officer (DPO), as the mandatory conditions under Art. 37 GDPR do not apply; a privacy contact remains available at the address indicated above.
2. Description of the service
rivedi is a B2B management software (SaaS) for optical stores and practices in Italy. It allows the optical store (“Customer” or “Tenant”) to run its business — customer records, appointments, optometric record, sales, inventory, invoicing — and to communicate with its own end customers, including notifications via WhatsApp Business.
3. Categories of data processed
The Controller processes the following categories of personal data: (a) navigation data of the rivedi.ai website, collected through cookies and similar technologies (see the Cookie Policy), including truncated IP address, pages visited, device and browser; (b) contact data provided voluntarily via form or email (name, email, any message); (c) service account data (name, email, role, Cognito identifier); (d) operational data entered by the Tenant for its business: end-customer records, appointments, work orders, sales and documents, and — for notifications — phone number, content of template messages sent via WhatsApp, timestamps, delivery receipts and consents; (e) special categories of data under Art. 9 GDPR (health data: refraction, prescriptions, optometric history), processed exclusively on behalf of the Tenant and protected with field-level encryption.
4. Roles: Controller and Processor
For account and website navigation data, Ivemind acts as Data Controller. For end-customer data and health data entered by the Tenant into the platform, Ivemind acts as a Data Processor under Art. 28 GDPR, while the Controller remains the optical store (Tenant), which has the duty to inform its own customers and to collect the necessary legal bases, including consent under Art. 9 for health data.
5. Purposes and legal basis
Data are processed for: (i) provision of the service and management of the contractual relationship with the Customer (Art. 6.1.b GDPR); (ii) compliance with legal, accounting and tax obligations (Art. 6.1.c GDPR); (iii) IT security, fraud prevention, audit and legal defence (Art. 6.1.f GDPR — legitimate interest); (iv) sending commercial communications, only with explicit and revocable consent (Art. 6.1.a GDPR); (v) aggregated usage statistics with consent (Art. 6.1.a GDPR). For health data, processing is carried out on behalf of the Tenant on the basis of Art. 9.2 GDPR and the Tenant’s obligations as an optical professional; Ivemind does not determine its purposes.
6. Data retention
Data are kept for the time strictly necessary for the purposes: (a) account and configuration data: duration of the contractual relationship; (b) operational, clinical and WhatsApp data: duration of the contract plus 24 months after termination, unless the Customer requests otherwise or a longer retention obligation applies; (c) technical and audit logs: 12 months; (d) analytics cookies: maximum 14 months; (e) tax and accounting data: 10 years as required by Italian law. At the end, data are deleted or irreversibly anonymised.
7. Processors and non-EU transfers
To provide the service the Controller relies on processors under Art. 28 GDPR, bound by specific agreements (DPA): (i) Amazon Web Services EMEA SARL, cloud infrastructure provider, with data hosted in the eu-central-1 region (Frankfurt, Germany); (ii) Meta Platforms Ireland Ltd, for integration with the WhatsApp Business platform, limited to the delivery of template notifications to the Tenant’s end customers. The up-to-date list of processors is available on request by writing to privacy@ivemind.com.
8. WhatsApp notifications to end customers
rivedi allows the Tenant to send, through Meta’s WhatsApp Business Platform, template-based notifications to its own end customers who have given the relevant consent (appointment reminders, “glasses ready” notices, recalls for eye checks). With respect to those end contacts, Ivemind acts as a Data Processor under Art. 28 GDPR, while the Controller remains the Tenant, which has the duty to inform its contacts and collect the necessary legal bases. The data processed (contact’s phone number, template message content, timestamp, delivery receipts) are hosted exclusively within the European Union (AWS Frankfurt) and shared with Meta solely to deliver the message. Any requests from end data subjects (access, deletion, rectification) must be addressed first to the Tenant Controller; Ivemind provides technical support to the Tenant to fulfil them. See also the Data deletion page.
9. Rights of the data subject
The data subject may exercise at any time the rights under Articles 15-22 GDPR: access, rectification, erasure (“right to be forgotten”), restriction, portability, objection to processing based on legitimate interest, and the right not to be subject to automated decisions. Requests should be sent to privacy@ivemind.com and receive a reply within 30 days. The right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or the competent supervisory authority remains unaffected.
10. Minors
The rivedi service is not intended for children under 16. The Controller does not knowingly collect personal data of minors through the site. The Tenant’s end-customer data, including any minors assisted, are processed under the Tenant Controller’s responsibility. Anyone who believes a minor has provided personal data through the site is invited to contact privacy@ivemind.com.
11. Changes to this Policy
The Controller reserves the right to update this Policy to reflect regulatory, organisational or technical changes. The most recent version is always published on rivedi.ai with the date of the last update and the version number. In the event of material changes, registered users will be informed with reasonable notice.
12. Contact
For privacy requests, exercise of rights or clarifications: privacy@ivemind.com. For commercial requests: sales@ivemind.com. For support and information: info@ivemind.com. Official communications via PEC: ivemindscs@pec.it. Registered office: IVEMIND Società Cooperativa Sociale, Via Werner von Siemens 23, 39100 Bolzano (BZ), Italy.