Privacy Policy
Ultima actualizare: July 16, 2026
This notice is provided by Nexys S.r.l., pursuant to Art. 13 and Art. 14 of EU Regulation 2016/679 ("GDPR"), to users who register, access, and use the online platform/application https://immobilixia.com, hereinafter also the "Platform" or "Application" or the Immobilixia application.
This notice concerns exclusively the processing of personal data carried out through the Platform, and not any processing carried out through other third-party websites, platforms, applications, or services accessible via links present on the Platform, for which the user is invited to consult the respective privacy notices.
This notice concerns, in particular, the processing connected to account registration, access via credentials or a Google account, management of the user account, the purchase of packages or subscriptions, payment management, use of rendering features, image uploads, and the entry of prompts or text instructions by the user.
1. Data Controller
The Data Controller is: Nexys S.r.l., Galleria Arrigo Protti no. 2, 34121 - Trieste (TS), Italy, VAT No.: 01447020320, info@nexys.it - PEC: amministrazione@pec.nexys.it, tel.: 3489446372
For any request relating to the processing of personal data and the exercise of the rights recognized by the GDPR, the user may contact the Data Controller at the address indicated above.
2. Type of Data Processed
Through the Site, the Data Controller may process the following categories of personal data:
i. Registration and account data
During registration on the Platform, the user may be asked to indicate whether they intend to register as an individual or as a company/professional.
Depending on the type of registration selected and the features used, the following may be processed, by way of example:
- Country of origin;
- e-mail address;
- first and last name;
- residence;
- tax code;
- username;
- password;
- any further data necessary for managing the account and the user profile.
The password chosen by the user is not accessible in clear text by the Data Controller and must be kept diligently by the user, avoiding sharing it with third parties.
ii. Data processed in case of access via a Google account
The Platform may allow registration or access via a Google account.
In that case, Nexys S.r.l. may receive from Google the data necessary for user authentication and for creating or managing the account on the Platform, such as, by way of example, account ID, first name, last name, e-mail address, and any further data made available by the user according to their Google account settings.
Processing carried out by Google remains governed by Google's own privacy notice and the terms of use applicable to Google services, which the user is invited to consult.
iii. Payment, billing, and purchase data
For the purchase of packages, credits, subscriptions, or services, payments will be managed through specialized third-party providers, such as payment providers, payment networks, checkout services, or other payment methods selected by the user, including, by way of example, payment card, Klarna, Bancontact, Amazon Pay, EPS, or other systems that may be available.
Nexys S.r.l. does not collect or store the user's full payment card data. Such data is processed directly by the payment providers and/or the parties involved in managing the transaction, in accordance with their respective privacy notices and terms of service.
iv. Data relating to use of the Platform
During use of the Platform, the Data Controller may process data relating to the activities carried out by the user, such as, by way of example:
- date and time of access;
- features used;
- number of renderings requested;
- packages, credits, or subscriptions available and used;
- history of operations carried out on the Platform, to the extent necessary for managing the account and the service;
- usage settings and preferences;
- technical logs and data necessary to ensure the security, continuity, and proper functioning of the Platform.
v. Browsing, log, and technical data
The IT systems and software procedures used to operate the Platform may acquire, during their normal operation, certain data whose transmission is implicit in the use of Internet communication protocols.
This category may include, by way of example, IP addresses, domain names of the devices used by users, URI/URL addresses of the requested resources, time of the request, method used to submit the request to the server, size of the file received in response, numeric code indicating the status of the server's response, as well as other parameters relating to the user's operating system, browser, and IT environment.
Such data is processed to enable the technical functioning of the Platform, ensure system security, prevent unauthorized access, fraud, or improper use of the service, and resolve any technical issues.
vi. Cookies and similar technologies
The Platform may use cookies and similar technologies to enable the proper functioning of the service, manage the user session, ensure security, remember technical preferences, measure use of the Platform, and, where applicable, enable features or services provided by third parties.
Technical cookies, necessary for the Platform to function, do not require user consent.
Any use of non-anonymized analytics cookies, profiling cookies, marketing tracking tools, or other cookies not strictly necessary will occur only with the prior consent of the user, in the manner indicated in the cookie banner and in the Cookie Policy.
For further information on the cookies used, their purposes, retention periods, and how to manage preferences, please refer to the Platform's Cookie Policy.
vii. Data collected from third-party services
The Platform may incorporate or use services provided by third parties, such as, by way of example, hosting services, cloud infrastructure, technical maintenance, IT security, authentication via external accounts, payment management, checkout management, generation or support for processing renderings, statistical analysis tools, customer support, or other services functional to the operation of the Platform.
Such parties may process the user's personal data to the extent necessary for the provision of their respective services and, depending on the case, may act as data processors appointed by the Data Controller pursuant to Art. 28 GDPR or as independent data controllers.
Where the user interacts with third-party services, links, embedded content, or features, the processing of personal data may also be governed by the privacy notices provided by the respective providers.
N.B.: The Platform allows the user to upload images of interior spaces or properties and to enter prompts, instructions, or text descriptions in order to obtain renderings, graphic processing, visualizations, or similar content generated through technological tools and/or artificial intelligence systems.
In this context, the following may be processed:
- images, photographs, or other files uploaded by the user;
- prompts, descriptions, text instructions, or preferences entered by the user;
- renderings, processed images, or output generated by the Platform;
- technical metadata of the uploaded files, where present;
- technical data relating to the processing request.
The user is advised not to upload images containing personal data or information relating to identifiable individuals, such as, by way of example, faces, photographs of people, minors, documents, license plates, addresses, clearly identifiable house numbers, identification data, health data, confidential information, or elements otherwise suitable for directly or indirectly identifying a person.
The Platform is not intended for the processing of special categories of data pursuant to Art. 9 GDPR, such as, by way of example, data concerning health, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data concerning a person's sex life or sexual orientation.
The user is therefore required to upload images free of such information, or previously anonymized, obscured, or modified so as not to allow the identification of individuals.
Images, prompts, and generated output are processed exclusively to enable the provision of the service requested by the user, unless the user gives specific consent for additional and different purposes, where applicable.
3. Sources of the Data Processed
Personal data processed through the Platform is collected:
- a) directly from the user, when the latter creates an account, fills out the registration form, accesses the Platform, purchases packages or subscriptions, uploads images, enters prompts, or uses the available features;
- b) automatically, during use of the Platform, through IT systems, logs, cookies, security tools, and similar technologies;
- c) through third-party providers, such as authentication providers, payment providers, technical suppliers, cloud services, image-processing services, or other services integrated into the Platform, to the extent necessary for managing the account, providing the service, and ensuring the security of the Platform.
4. Purposes of Processing and Legal Basis
The personal data provided by Data Subjects will be processed for the purposes and on the legal bases indicated below.
| Purpose | Legal basis |
|---|---|
| a) Creation, management, and administration of the user account, including registration via form, verification of credentials, management of the user profile, and access to the Platform. | Performance of pre-contractual and contractual measures taken at the user's request, pursuant to Art. 6(1)(b) GDPR. |
| b) Provision of the rendering, virtual staging, image processing, and output generation service requested by the user through the upload of images and the entry of prompts or text instructions. | Performance of the contract or of pre-contractual measures requested by the user, pursuant to Art. 6(1)(b) GDPR. |
| c) Management of packages, credits, subscriptions, orders, payments, checkout, issuance of tax documents, and administrative-accounting obligations. | Performance of the contract, pursuant to Art. 6(1)(b) GDPR, as well as compliance with legal obligations of a tax, accounting, and administrative nature, pursuant to Art. 6(1)(c) GDPR. |
| d) Security of the Platform, prevention of unauthorized access, fraud, harmful activities, improper use, breaches of the terms of use, and protection of the technological infrastructure. | Legitimate interest of the Data Controller in ensuring the security, integrity, and reliability of the Platform, pursuant to Art. 6(1)(f) GDPR. |
| e) Use of technical cookies and tools strictly necessary for the operation of the Platform. | Legitimate interest of the Data Controller in the technical operation of the Platform, pursuant to Art. 6(1)(f) GDPR. Any use of non-necessary cookies will occur with the user's prior consent, pursuant to Art. 6(1)(a) GDPR. |
| f) Management and documentation of consents, including privacy, cookie, marketing preferences, or any further consents given by the user. | The Data Controller's legitimate interest in protecting its own rights, pursuant to Art. 6(1)(f) GDPR. |
| g) Fulfillment of obligations imposed by law, by regulations, by European legislation, or by orders of the Authority, such as invoicing or similar matters. | Compliance with legal obligations to which the Data Controller is subject, pursuant to Art. 6(1)(c) GDPR. |
| h) Establishment, exercise, or defense of a right of the Data Controller in judicial or extrajudicial proceedings, as well as management of disputes, abuse, non-compliance, or improper use of the Platform. | The Data Controller's legitimate interest in protecting its own rights, pursuant to Art. 6(1)(f) GDPR. |
Processing of special categories of data: The Platform does not require and does not intend to process data belonging to special categories pursuant to Art. 9 GDPR.
The user is therefore invited not to enter into prompts, not to upload in images, and not to communicate through the Platform special categories of data, such as, by way of example, data concerning health, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data concerning sex life or sexual orientation.
Should the user, despite this warning, upload or communicate unrequested special categories of data, such data will be processed only to the extent technically necessary for the provision of the requested service, subject to deletion or obscuring where possible and compatible with the management of the service, the Data Controller's rights, and legal obligations.
5. Data Controller's Legitimate Interest
When processing is based on legitimate interest, the Data Controller carries out an assessment to verify that such interest does not override the rights and fundamental freedoms of the data subjects.
The Data Controller's legitimate interest may consist, in particular, of the need to ensure the security and proper functioning of the Site, prevent abuse or fraudulent activity, manage requests and communications received through the Site, improve the reliability of its online services, and protect its own rights in judicial or extrajudicial proceedings.
The user's right to object, at any time and for reasons connected to their particular situation, to processing based on legitimate interest remains unaffected, as indicated in this notice.
6. Mandatory or Optional Nature of Providing the Data
Providing the data necessary for account registration - e-mail address, country, username, and password - is necessary to enable the creation and management of the account and access to the Platform. Failure to provide such data prevents registration or use of the Platform.
Providing the data required for access via a Google account is necessary if the user chooses that authentication method. Otherwise, the user may use, where available, registration via the form.
Providing the data necessary for the purchase of packages, credits, subscriptions, or paid services, including payment data, phone number, and any tax data requested, is necessary to enable the management of the order, payment, invoicing, and provision of the purchased service. Failure to provide such data may prevent completion of the purchase.
Providing images and prompts is necessary to use the rendering and output generation features. Without this, the Platform will not be able to generate the requested content.
Providing data for marketing, newsletter, or promotional communication purposes is optional. Failure to consent does not affect registration or use of the Platform but prevents the Data Controller from sending such communications.
Consent to the installation of non-necessary cookies or tracking tools is optional. Failure to consent does not prevent use of the essential features of the Platform, but may prevent the use of certain non-essential features or the activation of specific third-party services.
7. Processing Methods
The processing of personal data is carried out using manual, IT, and telematic tools, with logic strictly related to the purposes indicated above and, in any case, in compliance with the principles of lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, and confidentiality.
The Data Controller adopts appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, disclosure, alteration, or unauthorized processing.
Personal data will be processed by persons authorized by the Data Controller and by any external providers appointed as data processors pursuant to Art. 28 GDPR, to the extent necessary for carrying out the activities entrusted to them.
8. Data Recipients
Users' personal data may be disclosed to third parties, to the extent and for the purposes strictly related to the operation of the Platform and the provision of the requested services.
Recipients may include:
- operators, employees, collaborators, and persons authorized by the Data Controller to process personal data;
- providers of hosting, cloud infrastructure, technical maintenance, IT security, and systems management;
- payment providers, payment networks, checkout services, anti-fraud services, and parties involved in managing transactions;
- legal, tax, accounting, administrative consultants, or other professionals;
- public authorities, judicial authorities, or other parties to whom disclosure is mandatory by law or necessary to protect the rights of the Data Controller.
Such parties may act, depending on the case, as data processors appointed pursuant to Art. 28 GDPR or as independent data controllers, in accordance with their respective privacy notices and applicable agreements.
Transfer of Data Outside the EU
In the event that personal data is transferred to countries outside the EU, such transfers will take place exclusively with parties:
- For which an adequacy decision of the European Commission applies;
- That adhere to compliance frameworks;
- With which Standard Contractual Clauses have been signed, or on the basis of further derogations provided for under Art. 49 GDPR.
Such transfers will in any case take place in compliance with the security measures indicated in the Schrems II Ruling of the Court of Justice of 16 July 2020.
In any case, the data will be processed by authorized persons and data processors, always for the purposes indicated by the Site or for related purposes. No generalized disclosures will be made for further purposes, and no personal information of the Data Subject will be disseminated.
9. Retention Period
Personal data will be retained for the time necessary to achieve the purposes for which it was collected and, subsequently, for the period that may be necessary to comply with legal obligations or to protect the rights of the Data Controller.
In particular:
- a) account and registration data will be retained for the entire duration of the active account and, following account closure, for a period not exceeding 24 months, subject to further retention necessary for legal obligations, dispute management, or protection of the rights of the Data Controller;
- b) data relating to purchases, payments, subscriptions, orders, invoicing, and accounting records will be retained for the period provided for by applicable civil, tax, and accounting law, generally 10 years;
- c) data relating to payment transactions processed directly by payment providers will be retained in accordance with the terms indicated in the privacy notices of the respective providers;
- d) browsing data, technical logs, and security data will be retained for the time strictly necessary for the operation and security of the Platform and, absent needs related to the investigation of offenses or protection of rights, for a period not exceeding 12 months;
- e) data relating to cookies will be retained in accordance with the terms indicated in the Cookie Policy and the preferences expressed via the cookie banner;
- f) data processed for the establishment, exercise, or defense of rights will be retained for the entire duration of any dispute and until the expiry of the applicable limitation or appeal periods.
At the end of the respective retention periods, personal data will be deleted, anonymized, or aggregated in a form that can no longer be traced back to the user.
10. Rights of the Data Subject
The user, as a data subject, may exercise at any time the rights recognized under Articles 15 et seq. GDPR and, in particular, has the right to:
- obtain confirmation as to whether or not personal data concerning them is being processed and, if so, obtain access to the personal data and information relating to the processing;
- obtain rectification of inaccurate personal data and the completion of incomplete data;
- obtain erasure of personal data, in the cases provided for by Art. 17 GDPR;
- obtain restriction of processing, in the cases provided for by Art. 18 GDPR;
- receive personal data in a structured, commonly used, and machine-readable format and, where technically feasible, obtain the direct transmission of the data to another controller, in the cases provided for by Art. 20 GDPR;
- object to the processing of personal data based on the Data Controller's legitimate interest, in the cases provided for by Art. 21 GDPR;
- withdraw at any time any consent given, without affecting the lawfulness of processing carried out prior to withdrawal;
- object at any time to the processing of data for direct marketing purposes, including the newsletter.
To exercise their rights, the user may send a request to the Data Controller at info@nexys.it.
The Data Controller will respond to requests from the data subject within the timeframes provided for by applicable law.
11. Right to Lodge a Complaint
Should the user believe that the processing of their personal data occurs in violation of the GDPR or of applicable data protection law, the user has the right to lodge a complaint with the Data Protection Authority, in accordance with the procedures indicated on the website www.garanteprivacy.it.
The user retains the right to contact the supervisory authority of the different EU Member State in which they reside, work, or where they believe the violation occurred.
12. Profiling
Except as may be indicated in the Cookie Policy with reference to non-necessary cookies or tracking tools activated with prior user consent, the Site does not use users' personal data for automated profiling activities for marketing purposes.
Any newsletter sent will be based on the consent given by the user and will not, in itself, involve profiling of the user, except as otherwise and specifically notified and subject to obtaining any consents required by applicable law.
13. Automated Decision-Making
In processing the personal data of Data Subjects, no automated decision-making processes are used, including profiling, that could produce legal effects or significantly affect the Data Subject in an automated manner.
14. Changes to These Terms
The Data Controller reserves the right to make changes to this notice at any time, giving notice to Data Subjects on this page. Data Subjects are therefore invited to periodically review this notice to stay informed of any changes. Should the changes be significant or concern processing that requires the consent of the Data Subject, the Data Controller will communicate them clearly through a specific notice on the Site (for example, a pop-up or banner) or through other appropriate means, and will request the Data Subject's consent again, if necessary.
