Privacy

Privacy Policy

Last updated: June 24, 2026 · GDPR-aligned

Short version: Senticly is built around a zero-knowledge encryption model. Your email content and credentials are encrypted with AES-256-GCM using a key derived from your password. We cannot read your emails — not because of policy, but because the decryption key never reaches our servers.

Table of Contents

Who We Are
What Data We Collect
What We Cannot Access
How We Use Your Data
Data Storage & Security
Retention & Deletion
Third Parties
Your Rights (GDPR)
Cookies & Sessions
Contact & DPO

Who We Are

Senticly is an AI-powered email intelligence service operated by Stagi Servizi Tecnici. For privacy matters, contact us at software@stagiservizitecnici.com.

What Data We Collect

Data	Purpose	Stored as
Username & email address	Account identity, password reset notifications	Plaintext in database
Password	Authentication	bcrypt hash only — never plaintext
PBKDF2 salt	Key derivation input (not the key itself)	Plaintext in database
Recovery key hash	Backup access verification	bcrypt hash only
Email credentials (IMAP/POP3)	Connecting to your mailbox	AES-256-GCM ciphertext
Cached email content	AI retrieval and search	AES-256-GCM ciphertext
Support ticket messages	Customer support	Plaintext (submitted by you)
Usage metrics	Plan limit enforcement (weekly AI message count)	Aggregate counts only

We do not collect analytics, tracking pixels, advertising identifiers, or any data beyond what is listed above.

What We Cannot Access

We are technically unable to read your email content or your email credentials. Both are encrypted with AES-256-GCM before being written to our database. The decryption key is derived from your password via PBKDF2 and lives only in your PHP session while you are logged in. It is never stored anywhere on our infrastructure.

This means:

Senticly staff cannot read your emails, even if they wanted to.
A database breach would expose only ciphertext — useless without your key.
We cannot comply with requests to produce your email content, because we do not have it in readable form.
If you lose your password and your Recovery Key, no one can recover your data — including us.

How We Use Your Data

Account management: username and email are used for login, session management, and transactional emails (welcome, support ticket notifications).
Service delivery: encrypted credentials are decrypted in-session to connect to your mailbox and sync emails.
AI processing: decrypted email content is passed to our AI provider (AIML API) within your active session to generate answers to your queries. We do not retain these requests or responses on our servers beyond the session.
Plan management: weekly AI usage counts are stored to enforce plan limits.

We do not sell your data. We do not use your data for advertising. We do not profile you.

Data Storage & Security

Your data is stored in an SQLite database on our server infrastructure. The following technical controls are in place:

Email credentials and cached email content: AES-256-GCM encryption at rest
Passwords: bcrypt with cost factor 11
Key derivation: PBKDF2-SHA256, 100,000 iterations, unique per-user salt
Recovery key: stored as a bcrypt hash only
Session: server-side PHP session with HttpOnly, SameSite=Lax cookies

The encryption key is held in memory only for the duration of your authenticated session and is never written to disk or database.

Retention & Deletion

Your data is retained for as long as your account is active. You may request account deletion at any time by:

Opening a support ticket from within the app
Emailing software@stagiservizitecnici.com from your registered address

Upon deletion, all associated data — including encrypted email cache, credentials, usage records, and support tickets — is permanently removed. There is no recovery after deletion.

Support ticket content is retained for 12 months after ticket closure for legal and quality purposes, then deleted.

Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights under GDPR:

Right of access: Request a copy of the data we hold about you.
Right to rectification: Correct inaccurate personal data (username, email) via Settings.
Right to erasure: Request deletion of your account and all associated data.
Right to data portability: We can provide your account data in a machine-readable format upon request.
Right to object: Object to processing of your personal data.
Right to restrict processing: Request restriction of processing under certain circumstances.

Note: Due to the zero-knowledge encryption model, we cannot provide the content of your encrypted emails in readable form — only the ciphertext, which is meaningless without your key.

To exercise any of these rights, contact software@stagiservizitecnici.com. We will respond within 30 days.

Cookies & Sessions

Senticly uses a single session cookie (aiescan_sess) to maintain your authenticated session. This cookie is:

HttpOnly — not accessible to JavaScript
SameSite=Lax — protected against cross-site request forgery
Session-scoped — deleted when you close your browser or log out

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

Contact & DPO

For any privacy-related requests, questions, or complaints:

Email: software@stagiservizitecnici.com

You also have the right to lodge a complaint with your national data protection authority (e.g., Garante Privacy in Italy).