Privacy Policy
How we process your personal data and the data of people who appear in the memories you upload.
Last updated: 29 May 2026
This document covers particularly sensitive processing (data of deceased people and of third parties): please read it carefully.
1. Data controller
The data controller is STARS SRL (P.IVA 18548941006). For any request regarding your data, write to hello@berightback.digital.
Where the purposes and means of processing are determined by you (for example the content you choose to upload to build an avatar), we act as a processor or, as the case may be, as an independent controller for the technical aspects of providing the service.
2. What data we process
We process very different categories of data:
- Account data: name, email, password (encrypted), language preferences, technical access data.
- Content you upload ("memories"): text, photos, audio, video, documents, chat exports (e.g. WhatsApp), and the descriptive data of the avatar (biography, traits, typical phrases).
- Data of deceased people: memories often relate to a loved one who has passed away.
- Data of living third parties: photos and chats may contain faces, voices and messages of people other than you (the other party in a chat, relatives, friends).
- Derived data: text fragments and numerical representations (embeddings) generated to enable semantic search across your memories.
- Usage data: technical logs, security events, content processing status.
Your memories may contain special categories of data under Art. 9 GDPR (e.g. religious or political beliefs, health, sex life, biometric data such as voice and face). We process them solely to provide the service and on the basis of your explicit consent.
3. Purposes and legal bases
- Providing the service (creating and running the avatar, conversations, processing memories) — legal basis: performance of the contract (Art. 6.1.b GDPR).
- Processing special categories of data contained in memories — legal basis: your explicit consent (Art. 9.2.a GDPR), revocable at any time.
- Ensuring security, abuse prevention and technical continuity — legal basis: legitimate interest (Art. 6.1.f GDPR).
- Complying with legal obligations (tax, responses to authorities) — legal basis: legal obligation (Art. 6.1.c GDPR).
- Sending you service communications and, if enabled, notifications — legal basis: contract and/or consent.
4. Data of deceased people and third parties
This is the most sensitive aspect of the service. In Italy the data of deceased people remains protected: under Art. 2-terdecies of the Italian Privacy Code, rights may be exercised by those who have an interest of their own, who act to protect the data subject, or who act for family reasons worthy of protection.
The data of living third parties contained in the content you upload (for example in a chat or a group photo) belongs to those people, who retain all the rights granted by the GDPR.
For this reason, at the time of upload we ask you to declare that you are entitled to use those materials. Relatives of the deceased and interested third parties may at any time object to the processing or request its erasure through the dedicated page or by writing to hello@berightback.digital.
5. Who we share data with (providers)
To run the service we rely on providers acting as processors. Relevant content is transmitted to these providers only to the extent necessary:
- Supabase — authentication, database and content storage.
- OpenAI — generating embeddings for semantic search and, as a fallback, generating responses and text-to-speech.
- DeepSeek — generating the avatar's conversational responses.
- Push notification provider (web-push) for spontaneous messages, if enabled.
Important: the service is NOT end-to-end encrypted and content is shared with the providers listed above to the extent necessary to provide the AI features.
6. Transfers outside the European Union
Some providers may process data outside the European Economic Area. In particular, DeepSeek operates outside the EU. In such cases we adopt appropriate safeguards (e.g. standard contractual clauses) to protect your data even where it is transferred outside the EU.
7. How long we keep data
We keep data for as long as you keep your account and avatar active. You can delete individual memories, an avatar, or your entire account at any time; upon deletion the associated data is removed within a technically reasonable time, unless legal obligations require longer retention (e.g. administrative/tax data).
8. Your rights
At any time you can exercise the rights under Arts. 15-22 GDPR:
- Access to your data and a copy of it.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten").
- Restriction of and objection to processing.
- Portability of the data you provided to us.
- Withdrawal of consent, without affecting processing already carried out.
To exercise them, write to hello@berightback.digital. You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante, www.garanteprivacy.it).
9. Minors
The service is reserved for people over 18. We do not knowingly collect account data of minors. If a memory concerns a minor, we ask that you exercise particular caution and that you are entitled to process their data.
10. Security
We adopt appropriate technical and organisational measures (row-level access control on the database, encryption in transit, account segregation). No system is 100% secure: please use a strong password and do not share your account.
11. Changes to this policy
We may update this policy. In case of material changes we will notify you. The date at the top indicates the last update.