Privacy Policy
Last updated: April 9, 2026
DeepTree is committed to protecting the privacy and personal data of all individuals who interact with our services. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our websites, use our platform, or otherwise interact with us. Throughout this document, references to "DeepTree", "we", "us", or "our" refer to DEEPTREE S.R.L.
We encourage you to read this document carefully. If you have any questions, you can contact us at the addresses provided in Section 1.
1. Data Controller
The Data Controller responsible for the processing of your personal data is:
DEEPTREE S.R.L.
- Registered office: Via Sangallo 5, 20133 Milano (MI), Italy
- Tax Code / VAT Number: 13704570962
- Email: team@deeptreeai.com
- PEC (Certified email): deeptree@pec.it
- Legal representative: Lorenzo Ferretti
This Privacy Policy is issued pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR") and the Italian Legislative Decree 196/2003 (Privacy Code), as amended by Legislative Decree 101/2018.
It applies to all personal data processing carried out through:
- Our public website at www.deeptreeai.com
- Our application platform at app.deeptreeai.com
- Our social media pages on Facebook, Instagram, and LinkedIn
- Any contact or interaction with DeepTree, including demo requests, email communications, and contractual relationships
2. What personal data we collect
We collect and process only the minimum amount of personal data necessary for each specific purpose. Depending on how you interact with us, we may process the following categories of data:
2.1 Data you provide directly
When you request a demo, register for an account, enter into a contract with us, or otherwise contact us, you may provide:
- Identification and contact data: first name, last name, email address
- Account data: login credentials (email and password) when you register on our platform
- Communication content: the content of messages you send us via email or contact forms
- Billing and payment data: business address, VAT number, bank details, and invoicing information (for clients and contractual partners)
2.2 Data collected automatically
When you visit our websites, our systems automatically collect certain technical data:
- Navigation and log data: IP address, browser type and version, operating system, device type, language settings, referring/exit pages, pages viewed, timestamps, and duration of visits. These data are generated by the IT systems and communication protocols underlying our websites.
- Cookie and similar technology data: information collected through cookies and similar tracking technologies, as described in detail in Section 6.
2.3 Data from third-party sources
If you interact with our social media pages (Facebook, Instagram, LinkedIn), the respective platforms may share aggregated statistical data (Page Insights) with us. We do not receive personally identifiable information through these channels; we only access anonymized, aggregate analytics.
3. Purposes, legal bases, and nature of data provision
Below is a detailed description of each purpose for which we process your personal data, along with the applicable legal basis, whether providing data is mandatory or optional, and the consequences of not providing it.
3.1 Provision of services and contract execution
What we do: We process your personal data to respond to your inquiries and demo requests, manage your account registration and login, provide access to our AI-powered M&A research and analysis platform, execute and manage the contract between you and DeepTree, and handle all related communications (via email, phone, messaging, or post).
Data involved: Identification and contact data, account data, billing data.
Legal basis: Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR).
Nature of provision: Necessary. If you do not provide this data, we will be unable to deliver the requested services, respond to your inquiries, or enter into a contract with you.
3.2 Legal and regulatory compliance
What we do: We process your data to fulfil obligations imposed by applicable laws, regulations, EU directives, and orders from supervisory or regulatory authorities. This includes the retention of accounting and tax documents, electronic invoicing, and compliance with anti-money laundering regulations where applicable.
Data involved: Identification data, billing and payment data (including bank details and tax information).
Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR).
Nature of provision: Mandatory. Failure to provide the required data will make it impossible for us to comply with our legal obligations and, consequently, to maintain the contractual relationship.
3.3 Website operation, IT security, and maintenance
What we do: We collect navigation data and use technical cookies to ensure the proper functioning, security, and continuous improvement of our websites and IT infrastructure. This includes monitoring for potential cyber threats, investigating IT security incidents, producing anonymous usage statistics, and performing technical maintenance.
Data involved: Navigation and log data.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest lies in ensuring the security, availability, and integrity of our IT systems, and in protecting both the Data Controller and website users from potential harm.
Nature of provision: Necessary for the operation of the website. Navigation data is collected automatically by our IT systems.
3.4 Statistical analysis via Google Analytics 4 (GA4)
What we do: We use Google Analytics 4 to collect and process statistical data about how visitors use our websites. GA4 does not record or store IP addresses. IP addresses are used momentarily to determine approximate geographic location and are then discarded before data is logged on any Google server. We have disabled all user profiling features, personalized advertising functions, and cross-referencing between analytics data and registered users within our GA4 configuration.
Data involved: Navigation logs (anonymized).
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR), as statistical analysis is integral to the delivery and improvement of the web service.
Additional information: Google adopts the highest security standards and holds ISO 27001 certification. Google Analytics uses regional data centers within the EU to collect data from EU users, and all data is transmitted via encrypted HTTPS connections.
3.5 Marketing communications on similar products
What we do: If you are an existing client, we may send you email newsletters and commercial communications about products or services similar to those you have already purchased or requested from us. You can opt out at any time by clicking the unsubscribe link in any email or by contacting us directly.
Data involved: Email address and identification data provided during the contractual relationship.
Legal basis: Art. 130(4) of the Italian Privacy Code (D.Lgs. 196/2003).
Nature of provision: Optional. If you object or unsubscribe, you will simply stop receiving promotional emails. This will not affect the provision of our services.
3.6 Profiling and remarketing cookies
What we do: With your explicit consent, we may use third-party profiling and remarketing cookies to display advertising messages tailored to your interests on third-party websites and social media platforms (such as Google Display Network and Facebook). These cookies are entirely managed by the respective advertising providers. DeepTree does not have the ability to monitor your browsing behavior on third-party websites.
Data involved: Cookie data (third-party analytics cookies with non-anonymized IP, third-party profiling cookies).
Legal basis: Consent (Art. 6(1)(a) GDPR).
Nature of provision: Entirely optional. If you do not give consent, DeepTree will simply be unable to display targeted advertising on third-party websites. No other service or functionality will be affected.
3.7 Protection of rights in judicial and extrajudicial proceedings
What we do: Your personal data may be processed to establish, exercise, or defend our legal rights in the context of judicial proceedings, extrajudicial disputes, or debt recovery actions.
Data involved: Identification data, contract data, and any data relevant to the dispute.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
Nature of provision: Necessary. This processing may continue beyond the standard retention terms, until the conclusion of all proceedings.
3.8 IT systems management
What we do: Your personal data is processed as part of the management, maintenance, and security of our IT infrastructure, including cloud services, email systems, CRM platforms, databases, and backup systems. This ensures business continuity and the protection of data against unauthorized access, loss, or destruction.
Data involved: Identification data, contact data, any data stored in the systems.
Legal basis: Legitimate interest of the Data Controller and of the data subjects (Art. 6(1)(f) GDPR).
Nature of provision: Necessary as a consequence of using our services.
4. Data retention
We retain personal data only for the period strictly necessary to achieve the purpose for which it was collected, after which it is securely deleted or anonymized.
| Purpose | Retention period |
|---|---|
| Demo requests and contact forms | Until the request is fulfilled, then promptly deleted |
| Platform account and reserved area | Until the user requests account deletion |
| Contract execution (clients) | Duration of the contractual relationship. Pre-contractual data is deleted within 6 months if no contract is concluded |
| Legal and accounting compliance | 10 years from contract termination |
| Navigation logs | 30 days |
| Google Analytics 4 statistics | 14 months from the date of data collection |
| Remarketing cookies (Google Ads and Facebook) | 30 days |
| Marketing to existing clients (soft spam) | Until contract termination or until you object, whichever occurs first |
| Judicial and extrajudicial defence | Until conclusion of proceedings and expiration of all appeal periods |
| IT systems management | Duration of the contractual relationship, plus the period necessary for the defence of legal rights |
At the end of the applicable retention period, personal data is deleted through secure methods appropriate to the storage medium (logical deletion for digital systems, physical destruction for paper records).
5. Methods of processing
Your personal data is processed primarily through electronic and digital means, using IT systems and tools configured to ensure data security. Where necessary, data may also be processed on paper.
All processing operations are carried out in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality, as set out in Art. 5 GDPR.
Access to personal data is restricted to authorized personnel who have received formal designation and specific training on data protection obligations.
6. Cookies and similar technologies
Our websites use cookies and similar technologies. Below is a summary of the types of cookies we use.
6.1 Technical and session cookies (no consent required)
These cookies are essential for the basic functioning of our websites and for delivering the services you request. They include:
- Session cookies that enable navigation and use of website features
- Functional cookies that remember your preferences (e.g., language settings)
- Anonymized analytics cookies (with IP anonymization) that produce aggregate, anonymous statistics about website usage
These cookies are installed automatically in accordance with Art. 122(1) of the Italian Privacy Code and the Italian Data Protection Authority's guidelines of June 10, 2021 (no. 231).
Blocking these cookies will prevent you from using our websites and their services.
6.2 Profiling and non-anonymized analytics cookies (consent required)
With your explicit consent, obtained through the cookie banner displayed on first visit, we may install:
- Third-party analytics cookies with non-anonymized IP address, used to produce detailed usage statistics
- Third-party profiling cookies, used to configure and manage advertising campaigns on Google Display Network and Facebook
These cookies are entirely managed by the respective third-party providers. DeepTree does not have the ability to track your browsing behavior on third-party websites.
You can modify or withdraw your cookie preferences at any time through the cookie banner, which can be re-accessed from the link in the footer of our website, or by adjusting your browser settings.
6.3 Google reCAPTCHA
We use the Google reCAPTCHA service, provided for the European area by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), to protect our websites from automated bot traffic and ensure the security of the site for both users and our organization.
reCAPTCHA may store a cookie in your browser and capture a snapshot of the browser window. This service is activated only with your consent.
Legal basis: Consent (Art. 6(1)(a) GDPR).
Transfer of data: Use of reCAPTCHA may involve a transfer of personal data to Google.
6.4 Google Fonts
We use Google Fonts to optimize the display and readability of text content on our websites. Google Fonts files (CSS and font files) are served through the domains fonts.googleapis.com and fonts.gstatic.com.
The use of Google Fonts does not require user registration or authentication on Google systems. No cookies are stored by Google Fonts. CSS and font files are completely separate from all other Google services. Google acts as an independent Data Controller for this service.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
7. Recipients and categories of recipients
Your personal data may be communicated to the following categories of recipients:
7.1 Internal recipients
Personnel of DEEPTREE S.R.L. who have been formally authorized and designated for data processing, and who have received appropriate training. Access is granted on a need-to-know basis, with individual credentials and role-based access privileges.
7.2 External data processors (Art. 28 GDPR)
Third parties that process personal data on our behalf, under written agreements that ensure adequate safeguards. These include:
- Cloud and hosting providers — for the hosting, maintenance, and operation of our websites, platform, and IT infrastructure
- CRM providers — for managing client relationships and commercial pipeline
- Email marketing providers — for sending newsletters and commercial communications to existing clients
- Administrative and accounting consultants — for tax, accounting, and fiscal compliance
- Electronic invoicing providers — for issuing and storing digital invoices
- Privacy and data protection consultants — for managing and monitoring our GDPR compliance system
7.3 Joint controllers (Art. 26 GDPR)
For the Facebook Page administered by DeepTree, we act as joint controllers with Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) under Art. 26 GDPR, for the processing of personal data registered through Page Insights events.
The joint controllership agreement covers the creation of Insights events and their aggregation into Page Insights statistics. The legal basis for this processing is the legitimate interest of the Data Controller (Art. 6(1)(f) GDPR).
7.4 Other recipients
Your data will not be sold, rented, or disclosed to third parties for their own independent marketing purposes. Data may be disclosed to judicial or regulatory authorities where required by law.
8. International data transfers
Your personal data is processed primarily within the European Union. However, certain third-party services we use may involve transfers of data outside the EU/EEA:
| Service | Transfer destination | Safeguard mechanism |
|---|---|---|
| Google Analytics 4 | Servers outside the EEA (with EU-based data collection points) | Standard Contractual Clauses and ad hoc contractual clauses (Art. 46 GDPR). IP addresses are discarded before logging. |
| Google Fonts | Servers outside the EEA | Standard Contractual Clauses and ad hoc contractual clauses (Art. 46 GDPR) |
| Google reCAPTCHA | Servers outside the EEA (activated only with your consent) | Standard Contractual Clauses (Art. 46 GDPR) |
All other processing activities take place exclusively within the European Union.
You may request a copy of the applicable transfer safeguards by writing to us at team@deeptreeai.com.
9. Your rights
Under Articles 15 through 22 of the GDPR, you have the following rights:
- Right of access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access the data and receive information about the processing.
- Right to rectification (Art. 16): You have the right to obtain the rectification of inaccurate personal data and the completion of incomplete data.
- Right to erasure (Art. 17): You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, when you object to processing, or when the data has been unlawfully processed.
- Right to restriction of processing (Art. 18): You have the right to request that the processing of your data be restricted in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful but you oppose deletion.
- Right to data portability (Art. 20): You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
- Right to object (Art. 21): You have the right to object at any time to the processing of your personal data carried out on the basis of our legitimate interest. Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to withdraw consent (Art. 7): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. DeepTree does not currently carry out solely automated decision-making of this nature.
How to exercise your rights
You may exercise any of these rights by contacting us at:
- Email: team@deeptreeai.com
- PEC: deeptree@pec.it
- Post: DEEPTREE S.R.L., Via Sangallo 5, 20133 Milano (MI), Italy
We will respond to your request without undue delay and in any event within 30 days of receipt. This period may be extended by a further 60 days where necessary, taking into account the complexity and number of requests, in which case we will inform you of the extension within the initial 30-day period.
Right to lodge a complaint
If you believe that your rights under the GDPR have been violated, you have the right to lodge a complaint with the competent supervisory authority:
Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma, Italy
Website: www.garanteprivacy.it
Email: protocollo@gpdp.it
PEC: protocollo@pec.gpdp.it
10. Security measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. These measures include:
- Access controls: Role-based access privileges with individual credentials, ensuring that personal data is accessible only to authorized personnel on a need-to-know basis
- Encryption: All data transmitted between your browser and our servers is protected via HTTPS encryption. Wireless access to IT systems is protected by cryptographic mechanisms.
- Network security: Firewalls and intrusion detection systems monitor and control inbound and outbound network traffic
- Anti-malware protection: Antivirus applications and detection signatures are updated on a weekly basis
- Backup: Regular, complete backups of databases and systems are performed to ensure data availability and integrity
- Staff training: All personnel receive mandatory training on data protection and privacy obligations
- Supplier security: Formal agreements with all data processors ensure they apply the same level of data security as required by our own policies
11. Social media pages
We maintain official pages on Facebook, Instagram, and LinkedIn for communication, marketing, and engagement purposes.
When you interact with our social media pages (by viewing content, liking, commenting, sharing, or following), the respective social media platform collects information about you in accordance with its own privacy policy. We encourage you to review the privacy policies of each platform.
For Facebook Page Insights, we are joint controllers with Facebook Ireland Limited, as described in Section 7.3 above.
12. Children's privacy
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor without appropriate parental consent, we will take steps to delete such data promptly. If you believe that a minor has provided us with personal data, please contact us immediately at team@deeptreeai.com.
13. Changes to this Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our data processing practices, applicable legislation, or regulatory guidance. The "Last updated" date at the top of this page indicates when the latest revision was made.
We encourage you to review this Privacy Policy periodically. For significant changes that materially affect how we process your personal data, we will provide a prominent notice on our website.
14. Applicable law and jurisdiction
This Privacy Policy is governed by Italian law and by Regulation (EU) 2016/679 (GDPR). Any disputes arising from this Privacy Policy or the processing of your personal data shall be subject to the exclusive jurisdiction of the Court of Milan, Italy, unless otherwise provided by mandatory law.
15. Contact us
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact:
DEEPTREE S.R.L.
Via Sangallo 5, 20133 Milano (MI), Italy
Email: team@deeptreeai.com
PEC: deeptree@pec.it
Phone: +39 329 455 0083
We are committed to addressing your requests promptly and transparently.
