Privacy Policy

We are committed to protecting your privacy and the security of information that can, directly or indirectly, be used to identify a natural person (hereinafter “Personal Data”) throughout the entire process of the Earth Virtual Expert (EVE) website service (https://eve.philab.esa.int/) and EVE Chatbot service (https://eve.philab.esa.int/chat) (collectively, “Services”). We have created this Privacy  Policy to explain how we collect and use your Personal Data. 

For information about how we collect and use training data to develop our language models that power EVE, and your choices with respect to that data, please see the Technical Documentation.

Last updated: 29 January 2026.

1. DATA CONTROLLER

When this Privacy Policy mentions “the Company”, “we”, “us”, it is referring to the company that decides on the purposes and means of the processing of your Personal Data under this Privacy Policy.

Data Controllers Information:

Imperative Space
Elena Christodoulou
elena.christodoulou@imperativespace.com
Pi School S.R.L
Àlex R. Atrio
alex.atrio@picampus-school.com

Imperative Space and Pi School s.r.l. acts as joint data controllers for the purpose of the Services. The Data Controllers ​​determine the purposes and means of processing your personal data and under a shared agreement, we are jointly responsible for ensuring your data protection rights.

2. DOES THIS PRIVACY STATEMENT APPLY TO YOU?

This Privacy Statement applies to you if you visit https://eve.philab.esa.int/, including its sub-pages, or use our EVE project Chatbot Service, or if you receive emails from us.

Our Services are for a general audience and not aimed at children. In principle, we do not collect Personal Data from children under age 18. If you are under 14 years of age, you are requested not to provide any Personal Data. If you are under the age of 18 and you want to use our services, please rely on a parent or guardian to assist you. If a child under 18 may have disclosed Personal Data to us, the parent or guardian can contact us, and we will remove the Personal Data if required.

3. WHAT PERSONAL DATA DO WE COLLECT?

We collect Personal Data as follows:

A . When you access our Websites, our web server automatically collects certain technical information, including:
  • Your IP address
  • Browser type and version
  • Operating system
  • Date and time of access
  • Pages visited

These data elements are not unique to EVE — they are standard information that all web servers collect as part of the basic functioning of the internet. Access to these data elements is restricted to a limited number of authorised system administrators, for debugging purposes in the event of performance issues, and to security personnel in the event of security incidents.

Purpose of collection:
  • To ensure the technical delivery of the website
  • For security monitoring and abuse prevention
  • To diagnose and troubleshoot technical issues

Retention period:
These server logs are retained for no longer than 90 days after discontinuation of service, after which they are automatically deleted or anonymised, unless extended retention is required for security incident investigation.

Importantly, this data is never linked to your interactions with the AI chatbot.
B. EVE Chatbot Service
  • No personal data is requested, collected, or stored during your interactions with the AI chatbot.
  • No personal data is requested, collected, or stored during your interactions with the AI chatbot.

Retention period:
Anonymised chatbot data is retained for up to 3 years and then securely deleted unless required for legal compliance.
C. AI Model Training and Retraining
We process your data for two distinct purposes:

  1. Service Improvement (Anonymised Statistics): Your chatbot interactions (prompts and responses with all identifying elements removed) may be analysed to improve service functionality, identify errors, and understand usage patterns. This processing is not used for training or fine-tuning large language models. Legal basis: Article 6(1)(f) GDPR (Legitimate Interests)—our legitimate interest in maintaining and optimising our Services.
  2. LLM Model Development (Training and Fine-Tuning): If and only if you have provided separate, explicit, informed consent, we may use your raw prompts and responses (including potentially identifiable content) to train or fine-tune the LLMs that power EVE. This is a distinct processing purpose from operational service improvement. Legal basis: Article 6(1)(a) GDPR (Consent)—your freely given, specific, informed, and unambiguous consent to this processing.

Your Consent Rights: If you have consented to model training, you retain the absolute right to withdraw that consent at any time under Article 7(3) GDPR. Upon withdrawal, we will:
  • Cease all use of your data for future model training and fine-tuning
  • Not retroactively remove your data already incorporated into previously trained model versions (as this would be technically infeasible without retraining the entire model)


Personal Data You Provide: We collect Personal Data if you create an account to use our Services or communicate with us as follows:Without your Personal Data, we will not be able to provide you with the requested services. As a rule, the Personal Data that you provide directly or indirectly to the Company when using our services and visiting our Websites is:

  • Account Information: When you create an account with us, we will collect information associated with your account, including your name, contact information, account credentials, and date of birth (collectively, “Account Information”).
  • User Content: We collect Personal Data that you provide in the input to our Services (“Content”), including your prompts and uploads, depending on the features you use. 
  • Communication Information: If you communicate with us, such as via email or our pages on social media sites, we may collect Personal Data like your name, contact information, and the contents of the messages you send (“Communication Information”).
  • Other Information You Provide: We collect other information that you may provide to us, such as when you participate in our events or surveys or provide us with information to establish your identity or age (collectively, “Other Information You Provide”).

Personal Data We Receive from Your Use of the Services: When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions (“Technical Information”):Log Data: We collect information that your browser or device automatically sends when you use our Services. Log data includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interact with our Services.

  • Log Data: We collect information that your browser or device automatically sends when you use our Services. Log data includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interact with our Services.
  • Usage Data: We collect information about your use of the Services, such as the types of content that you view or engage with, the features you use and the actions you take, as well as your time zone, country, the dates and times of access, type of computer or mobile device, and your computer connection.
  • Device Information: We collect information about the device you use to access the Services, such as the name of the device, operating system, device identifiers, and browser you are using. Information collected may depend on the type of device you use and its settings.
  • Location Information: We may determine the general area from which your device accesses our Services based on information like its IP address for security reasons and to make your product experience better, for example, to protect your account by detecting unusual login activity or to provide more accurate responses. In addition, some of our Services allow you to choose to provide more precise location information from your device, such as location information from your device’s GPS.
  • Cookies and Similar Technologies: We use cookies and similar technologies to operate and administer our Services, and improve your experience. Use our Services without creating an account. We may store some of the information described in this policy with cookies, for example, to help maintain your preferences across browsing sessions. Please refer to our Cookie Policy here.

The Company does not intentionally collect or process special categories of personal data as defined in Article 9 GDPR (e.g., health data, political opinions, biometric data, etc.).

4. HOW WILL WE USE YOUR DATA?

We may use Personal Data for the following purposes:

  • To provide analysis, and maintain our Services, for example, to respond to your questions for EVE;
  • To improve and develop our Services and conduct research, for example, to develop new product features;
  • To communicate with you, including sending you information about our Project and events, for example, about changes or improvements to the Services;
  • To prevent fraud, illegal activity, or misuse of our Services, and to protect the security of our systems and Services;
  • To comply with legal obligations and to protect the rights, privacy, safety, or property of our users, or third parties.

We may also aggregate or de-identify Personal Data so that it no longer identifies you and use this information for the purposes described above, such as to analyze the way our Services are being used, to improve and to conduct research and share the outcome. We will maintain and use de-identified information in de-identified form and not attempt to reidentify the information unless required by law.

As noted above, we may use the Content you provide us to improve our Services, for example, to train the models that power EVE. 

5. HOW DO WE STORE YOUR DATA?

We’ll retain your Personal Data for only as long as we need in order to provide our Services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Data will depend on a number of factors, such as:

  • Our purpose for processing the data (such as whether we need to retain the data to provide our Services);
  • The amount, nature, and sensitivity of the information;
  • The potential risk of harm from unauthorised use or disclosure;
  • Any legal requirements that we are subject to.

We implement reasonable technical, administrative, and organisational measures designed to protect Personal Data from loss, misuse, and unauthorised access, disclosure, alteration, or destruction. However, no Internet or email transmission is ever fully secure or error-free. Therefore, you should take special care in deciding what information you provide to the Services. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third-party websites.

6. YOUR RIGHTS

You have the following statutory rights in relation to your Personal Data:

  • Access your Personal Data and information relating to how it is processed.
  • Delete your Personal Data from our records.
  • Rectify or update your Personal Data.
  • Transfer your Personal Data to a third party (right to data portability).
  • Restrict how we process your Personal Data.
  • Withdraw your consent—where we rely on consent as the legal basis for processing at any time.
  • Opt out of our use of your Content to train our models.
  • Lodge a complaint with your local data protection authority (see below).
  • Learn about the legal basis for data transfers abroad. 
  • Details about the right to object to processing.

You may exercise your rights against Imperative Space or Pi School s.r.l.; however, you can exercise some of these rights by sending your request to eve@picampus-school.com⁠. If you have any unresolved complaints with us, you can reach out to your local supervisory authority⁠

7. DATA TRANSFER OUTSIDE OF THE EUROPEAN UNION 

Data transfer to countries that guarantee European standards 

If this is the condition for Data transfer, the transfer of Personal Data from the EU to third countries is carried out according to an adequacy decision of the European Commission. The European Commission adopts adequacy decisions for specific countries whenever it considers that country to possess and provide Personal Data protection standards comparable to those set forth by EU data protection legislation. Users can find an updated list of all adequacy decisions issued on the European Commission's website. 

Data transfer abroad based on standard contractual clauses

If this is the condition for Data transfer, the transfer of Personal Data from the EU to third countries is carried out according to “standard contractual clauses” provided by the European Commission. This means that Data recipients have committed to process Personal Data in compliance with the data protection standards set forth by EU data protection legislation.  

8. LEGAL BASES FOR PROCESSING

Our data processing activities serve multiple purposes and handle various types of personal data under specific legal bases.

  • To provide, analyze, and maintain our Services, we process Account Information, User Content, Communication Information, Other Information You Provide, Log Data, Usage Data, Device Information, and Location Information. This processing is necessary to fulfil our contractual obligations with users, particularly in handling user prompts and providing responses.
  • For service improvement and research purposes, we utilize Account Information, User Content, Communication Information, Other Information You Provide, Data We Receive From Other Sources, Log Data, Usage Data, Device Information, and Cookies and Similar Technologies. This processing is based on our legitimate interests and those of third parties, particularly in developing and enhancing our services and training our models.
  • To facilitate communication about our Services and events, we process Account Information, Communication Information, Social Media Information, Other Information You Provide, Log Data, Usage Data, Device Information, and Cookies and Similar Technologies. This processing is based either on contractual necessity (for technical announcements) or user consent (for marketing communications).
  • For fraud prevention, security maintenance, and illegal activity prevention, we process all categories of personal data, including Account Information, User Content, Communication Information, Social Media Information, Other Information You Provide, Data We Receive From Other Sources, Log Data, Usage Data, Device Information, and Cookies and Similar Technologies. This processing is based on legal obligations or legitimate interests in protecting our Services from abuse and security risks.
  • Finally, to ensure legal compliance and protect rights, privacy, safety, and property, we process the same comprehensive set of personal data. This processing is either based on legal obligations (such as record-keeping requirements) or legitimate interests in protecting our users, affiliates, and third parties' rights and property, including analyzing log data to identify and prevent fraudulent activities.
  • Model Development and Fine-Tuning: Where users have provided separate, express consent under Article 6(1)(a) GDPR, we process raw User Content (including prompts and potentially identifiable information) for the purposes of training and fine-tuning the LLMs that power the EVE service. This processing is based on affirmative opt-in consent, which data subjects may withdraw at any time without affecting the lawfulness of prior processing.

9. HOW IS YOUR PERSONAL DATA SECURED?

We have taken adequate safeguards to ensure the confidentiality and security of your personal data. We have implemented appropriate technical, physical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access as well as all other forms of unlawful processing (including, but not limited to, unnecessary collection) or further processing, including protecting your Personal Data against unauthorized access, maintaining the confidentiality, integrity and availability of your Personal data, and training personnel on information security requirements.

However, no security measure can guarantee against compromise. You also have an important role in protecting your Personal Data. You should not share your username and password with anyone, and you should not reuse passwords across more than one website. If you have a reason to believe that your Personal Data has been compromised, please contact us.

10. HOW LONG IS YOUR PERSONAL DATA RETAINED?

Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, as needed to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. To determine the appropriate retention period for personal data, we consider applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means. 

Under some circumstances, we may anonymise your personal data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent. 

DETAILED DATA RETENTION SCHEDULE

Data retention is determined by the lawful basis for processing and the purpose:

Data Category Lawful Basis Retention Period Reason for Deletion
Server logs (IP, browser, OS, access logs) Article 6(1)(f) Legitimate Interests (security, debugging) 90 days after discontinuation of service Technical necessity ceases; extended retention only if security incident investigation active (max 90 days)
Anonymized chatbot usage data (no identifiers) Article 6(1)(f) Legitimate Interests (service improvement) 3 years Sufficient time to identify patterns; older data less relevant for optimization
Account Information (name, email, credentials) Article 6(1)(b) Contract (account maintenance) Duration of account + 3 years Fulfillment of contractual obligations and legal record-keeping
Raw chatbot interaction data (with consent for training) Article 6(1)(a) Consent (LLM training) Until consent withdrawn or 5 years, whichever is earlier Retained only as long as necessary for stated model training purpose; data subject can force deletion via Article 17
Communication data (emails, support inquiries) Article 6(1)(b) or (f) 2 years after last interaction Sufficient for dispute resolution and legitimate interests in record-keeping
Device/location data (non-precise) Article 6(1)(f) Legitimate Interests (security) 90 days after discontinuation of service Outdated location/device data provides no security value
Logs for security incident investigation Article 6(1)(f) or legal obligation 1 year from incident closure Compliance with legal obligations and investigation completion


Early Deletion: Data subjects may request deletion under Article 17 of the GDPR (Right to Erasure) at any time, subject to legal hold periods and legitimate-interest balancing.

11. LOCAL DPA

You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) if you believe that your data is processed in violation of the GDPR.

Garante per la protezione dei dati personali
Address: Piazza Venezia 11 - 00187 Roma (Italia)
Tel: +39 06.696771

Email: protocollo@gpdp.it

Links
Follow us
Contact Us
 © EVE 2026
PRIVACY Policy
 AND
Cookie NOTICE