Information on the Processing of Personal Data
Pursuant to articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR"), FEVEN S.R.L. provides the following information regarding the processing of personal data.
Last update: January 30, 2026
1. Data Controller
The Data Controller is FEVEN S.R.L., with registered office in Via Carlo Sigonio 16, 41043 Formigine (MO), Italy, VAT and C.F. 04071030367, REA MO-440537, in the person of the legal representative pro tempore (hereinafter "FEVEN" or the "Controller").
To exercise the rights provided for by the GDPR or for any request related to the processing of personal data, you can contact the Controller at the following addresses:
- PEC: feven.srl@pec.it
- Email: privacy@rentevoai.com
- Address: Via Carlo Sigonio 16, 41043 Formigine (MO)
2. Scope of Application
This information applies to the processing of personal data carried out through the rentevoai.com website and the Rentevo platform (hereinafter the "Service").
This information is intended for:
- Registered users (property managers and property managers) who use the Service;
- Guests of the facilities managed through Rentevo, whose messages are processed by the platform;
- Visitors of the website.
3. Personal Data Processed
3.1 Data of Registered Users (Property Manager)
- Registration data: name, email address, profile picture (optional);
- Authentication data: access credentials, session tokens, OAuth data (Google);
- Billing data: payment information managed through Stripe (the Controller does not store credit card data);
- Integration data: API keys of channel managers (encrypted with Fernet algorithm), WhatsApp Business credentials (encrypted), Telegram ID;
- Usage data: access logs, IP address, user agent, notification preferences, history of corrections to AI responses.
3.2 Guest Data
Rentevo processes guest data as Data Processor on behalf of the property manager (Data Controller of guest data). The processed data may include:
- First name and last name;
- Email address;
- Phone number (E.164 format, for WhatsApp);
- Booking codes (Airbnb, Booking.com, other channels);
- Stay dates (arrival and departure);
- Language of communication (automatically detected);
- Content of messages exchanged with the property manager.
3.3 Website Visitors Data
- Navigation data (IP address, browser type, operating system, visited pages) collected through technical cookies;
- Data voluntarily provided through contact forms (email, phone number).
4. Purpose and Legal Basis of Processing
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| User account registration and management | Execution of the contract (Art. 6.1.b) |
| Provision of the Service (automatic AI response, message synchronization, knowledge base) | Execution of the contract (Art. 6.1.b) |
| Processing of guest messages through artificial intelligence | Legitimate interest of the Controller and the user (Art. 6.1.f) |
| Payment and billing management | Execution of the contract (Art. 6.1.b) and legal obligations (Art. 6.1.c) |
| Sending operational notifications (Telegram, Web Push, email) | Execution of the contract (Art. 6.1.b) |
| Communications via WhatsApp Business API | Consent of the data subject (Art. 6.1.a) |
| Service improvement and aggregate analysis | Legitimate interest (Art. 6.1.f) |
| Compliance with legal and tax obligations | Legal obligation (Art. 6.1.c) |
| Fraud prevention and IT security | Legitimate interest (Art. 6.1.f) |
5. Use of Artificial Intelligence
The Service uses artificial intelligence models provided by third parties for the following features:
- Generation of automatic responses to guest messages (model: OpenAI GPT-4.1-mini);
- Automatic translation of messages (model: Google Gemini 2.5 Flash);
- Knowledge extraction from conversations for the knowledge base (model: Google Gemini 2.5 Flash);
- Assessment of the need for human intervention (model: Google Gemini 2.5 Flash);
- Generation of embeddings for semantic search in the knowledge base (model: Google Gemini Embedding 001).
Message contents are sent to AI providers (OpenAI and Google) for processing. These providers act as sub-processors and do not use the data to train their models when using API access. Responses generated by AI are subject to human supervision through the system.
No automated decisions are made pursuant to Art. 22 of the GDPR that produce legal effects or significantly affect data subjects. The AI generates response proposals that can be reviewed and modified by the manager.
Pursuant to Art. 50 of Regulation (EU) 2024/1689 (AI Act), you are informed that communications generated by the Service may be produced or assisted by artificial intelligence systems. The property manager is required to inform their guests of the use of AI systems in message management.
6. Recipients and Categories of Recipients
Personal data may be communicated to the following categories of recipients, all bound by confidentiality obligations and, where applicable, by data processing agreements (DPA):
| Recipient | Purpose | Country |
|---|---|---|
| OpenAI, L.L.C. | AI processing (response generation) | USA |
| Google LLC (Gemini / Vertex AI) | AI processing (translation, knowledge extraction, embeddings) | USA / EU |
| Meta Platforms, Inc. (WhatsApp) | WhatsApp Business communications | USA / EU |
| Stripe, Inc. | Payment and subscription management | USA / EU |
| Telegram FZ-LLC | Operational notifications to managers | UAE |
| Resend, Inc. | Sending transactional emails | USA |
| Google LLC (Serper) | Web search to answer guest questions | USA |
| Comet ML, Inc. (Opik) | AI performance and cost monitoring | USA |
The channel managers connected by the user (e.g. Lodgify) receive response messages generated through the Service according to the user's instructions.
7. Transfer of Data to Third Countries
Some of the recipients indicated in the previous section are based in the United States of America. The transfer of data to the USA takes place on the basis of:
- EU-US Data Privacy Framework (DPF), for certified recipients;
- Standard Contractual Clauses (SCC) adopted by the European Commission, integrated by supplementary technical measures (encryption in transit and at rest);
- Contractual guarantees provided for in the DPA stipulated with each supplier.
8. Retention Period
| Data category | Retention period |
|---|---|
| User account data | For the duration of the contractual relationship and up to 12 months from cancellation |
| Guest messages | For the duration of the user account managing them |
| Billing data | 10 years from the transaction date (tax obligation) |
| Access and security logs | 6 months from collection |
| Contact form data | 12 months from request |
| Knowledge base and uploaded documents | For the duration of the user's account |
| WhatsApp messages (at Meta) | 30 days (Meta policy) |
Upon account deletion, all associated personal data is permanently deleted, except for those whose storage is required by law.
9. Rights of the Data Subjects
As a data subject, you have the right to:
- Access (Art. 15 GDPR): obtain confirmation of processing and a copy of personal data;
- Rectification (Art. 16 GDPR): correct inaccurate or incomplete data;
- Erasure (Art. 17 GDPR): request data deletion;
- Restriction (Art. 18 GDPR): restrict processing in certain circumstances;
- Portability (Art. 20 GDPR): receive data in a structured and machine-readable format. Registered users can independently export their data from the platform;
- Objection (Art. 21 GDPR): object to processing based on legitimate interest;
- Withdrawal of consent (Art. 7 GDPR): withdraw consent given at any time, without prejudice to the lawfulness of the processing carried out before the withdrawal.
Requests can be sent to privacy@rentevoai.com or via PEC to feven.srl@pec.it. The Controller will respond within 30 days of receiving the request.
Rights of Guests
Guests whose communications are processed through Rentevo can exercise their rights by contacting the property manager (Data Controller of their data). Alternatively, they can contact Rentevo at the address indicated above, which will forward the request to the competent property manager.
10. Right of Complaint
The data subject has the right to lodge a complaint with the Guarantor for the Protection of Personal Data:
- Website: www.garanteprivacy.it
- Email: garante@gpdp.it
- PEC: protocollo@pec.gpdp.it
- Switchboard: (+39) 06.69677.1
11. WhatsApp Business Communications
Rentevo uses the WhatsApp Business API provided by Meta Platforms, Inc. to allow property managers to communicate with their guests via WhatsApp. In relation to this service:
- WhatsApp messages are sent only after activation by the property manager and with the guest's consent (opt-in);
- Messages are processed by Meta as sub-processor, with maximum storage of 30 days on Meta servers;
- Phone numbers are stored in E.164 format and used exclusively for message delivery;
- Meta does not use messages sent via API for advertising purposes;
- The transfer of data to the USA is covered by the EU-US Data Privacy Framework and Meta's Standard Contractual Clauses.
The guest can withdraw consent to communication via WhatsApp at any time by communicating it to the property manager or by contacting Rentevo.
12. Cookies
For detailed information on the use of cookies and similar technologies, please refer to the Cookie Policy.
13. Analysis Tools
The site uses the following analysis tools to improve user experience and optimize the Service:
- Umami Analytics: a privacy-friendly web analysis tool that collects anonymous browsing data (pages visited, referrer, device) without using profiling cookies;
- Microsoft Clarity: a behavioral analysis tool that records anonymous user interactions (heatmaps, session recordings, clicks) to identify usability issues. The data collected is anonymous and is not shared with third parties for advertising purposes;
- Meta Pixel and Conversions API: Meta Platforms tools used to measure the effectiveness of advertising campaigns. They collect conversion data (visits, registrations) via first-party cookies and server-side submission. Legal basis: legitimate interest (Art. 6.1.f GDPR).
14. Security Measures
The Controller adopts appropriate technical and organizational measures pursuant to Art. 32 of the GDPR, including:
- Encryption of sensitive data at rest (Fernet algorithm for API keys and credentials);
- Encrypted communications via HTTPS/TLS protocol;
- Authentication based on JWT with verification via JWKS;
- Verification of HMAC-SHA256 signatures for webhooks;
- Role-based access control;
- Cascade deletion of data upon account removal;
- Data Protection Impact Assessment (DPIA) pursuant to Art. 35 of the GDPR for processing involving the use of AI technologies.
15. Changes to this Policy
The Controller reserves the right to modify this information at any time. Changes will be published on this page with an indication of the date of last update. In case of substantial changes, registered users will be informed via email or notification on the platform.