# Privacy Policy

Plain-language summary of what data we collect, why, how long we keep it, and your rights to access, export, or delete it.

Last updated: May 13, 2026

Welcome to the privacy policy for Sistava, operated by SISTA AI ("we," "us," or "our"). This document explains how and why we collect, store, use, and share ("process") your personal information when you use our services ("Services"), such as:

When we are the controller vs. the processor. This Privacy Policy explains how we collect and use personal data when Sistava acts as the data controller — for example, when you create an account directly with us, when you use our website, or when you sign up as an individual user of the platform. In those cases, Sistava decides the purposes and means of the processing, and this Privacy Policy applies in full.

When you use the Services as part of an organization — for example, when your employer or a customer provisions you a workspace, when you interact with an AI employee deployed by another business, or when your data is processed by Sistava on behalf of a paying customer for the purpose of operating their AI workforce — that organization is the data controller and Sistava acts as a data processor on their behalf. The organization's own privacy notice governs how your personal data is handled in that context, and you should review their policies for more information. Our processing in that role is governed by our Data Processing Agreement, and the sub-processors involved are listed on our Sub-processors page.

Accessibility: This policy is available in accessible formats upon request. If you need assistance accessing this document, please contact us at support@sista.ai.

Using our Services, including visiting our websites, accessing our applications, software, and other services under the sista.ai domain, including but not limited to:

- Using the Sistava platform to hire, onboard, and manage AI employees that execute real work autonomously, including team coordination, tool integrations, durable execution, and full observability across employees, teams, and organizations.
- Using the Sistava marketplace to discover, clone, and customize pre-built AI employee templates, team configurations, and individual skills published by Sistava or by other users.
- Connecting third-party tools and data sources (apps, documents, calendars, CRMs, databases, knowledge bases) to enable AI employees to execute work on your behalf.
- Accessing the Sistava workspace to manage your account, subscriptions, AI employee configurations, teams, and credit usage.
- Engaging with us in various ways, including sales, marketing, or events.

If you have any questions or concerns about this notice, your privacy rights, or our practices, please contact us at support@sista.ai. If you disagree with our policies and practices, please do not use our Services. For more information about our terms and conditions, please review our Terms of Service.

- workspace.sista.ai — The Sistava platform: web application for hiring, onboarding, and managing AI employees, teams, and organizations
- AI employee marketplace and templates — discovering, cloning, and publishing AI employee configurations, teams, and skills
- AI agent execution and orchestration services — autonomous task execution, delegation, and team coordination
- Tool integrations and connected applications — OAuth connections, API keys, and data source integrations
- Voice and text communication channels — chat, email, phone, and messaging integrations
- Personal Mailbox channel — each AI employee gets a platform-hosted email address (e.g. kamran+marketing@mail.sista.ai) so customers can email them directly. Mail received at and sent from these addresses passes through our backend and is stored for up to 12 months for service operation, debugging, and audit purposes (GDPR Art 6(1)(f) legitimate interest). These addresses are platform-internal AI-employee mailboxes and are distinct from your own personal or business email accounts.
- Connected user inboxes (Composio Gmail / Outlook OAuth tool) — if you explicitly grant the agent OAuth access to your own Gmail or Outlook so it can read or send mail on your behalf, the connection token is held by our integration partner Composio. The agent calls Gmail/Outlook through Composio at the moment a request runs — we do not bulk-copy your inbox, and raw email bodies you read or send through the tool are NOT persisted to our database in human-readable form. Anything the agent decides to remember from those reads ends up in the agent's memory (see below) as embeddings or structured facts, not as the original message text. Revoke access at any time by disconnecting the tool inside the Workspace, or directly in your Google / Microsoft account.
- How agent memory stores what it learns — conversations, training documents, and tool outputs that the agent decides to remember are NOT, in most cases, kept as plain readable text. They are stored as one or more of: (a) numeric vector embeddings in our knowledge stores, used for semantic search; (b) structured entities and relationships in a knowledge graph (e.g. "Kamran works on Marketing"); or (c) short free-text notes the agent itself chose to write into its persistent notebook. Raw input transcripts are kept only for the active conversation thread and the bounded retention windows listed in this policy (chat ~180 days, mailbox ~365 days, training entries ~30 days). Outside those windows, what survives is embeddings and graph facts, not the original text.
- How we treat data from apps you connect — when you authorize the AI employee to access a third-party tool, application, channel, data source, or service (examples include but are not limited to Slack, Telegram, WhatsApp, Microsoft Teams, Gmail, Outlook, Google Drive, Notion, HubSpot, Salesforce, calendars, databases, knowledge bases, MCP servers, custom webhooks, and any other integration we may add in the future), our default behavior is to leave your data where it is. We do not bulk-copy, mirror, or shadow-index the contents of those systems into our databases. Instead, the agent reads on demand: at the moment a task runs, it fetches only the specific records it needs for that turn (for example, the last fifty messages in a Slack channel you asked it to summarize, or a single Notion page you referenced), processes them in memory to produce its answer, decides what is worth remembering, and discards the rest. What it retains ends up in agent memory as embeddings, structured graph facts, or short notes — not as the original raw content. Inbound channel events that you deliberately send to the agent (a Slack mention, a DM, a Telegram message, a voice call, an email to a personal mailbox address, a webhook) are treated as chat input and retained under the chat-message and channel windows listed in this policy. We do not read, copy, or store other content from those channels unless a feature you turn on explicitly requires it, in which case the feature description and this policy will say so. Specific exceptions where raw third-party content is stored on purpose include: (a) training and knowledge ingestion, where you point the agent at a document or data source for training and the content is chunked, embedded as numeric vectors, and stored in our knowledge stores for the training-entry retention window; (b) platform-hosted channels we operate end-to-end (such as the Personal Mailbox channel and chat threads inside Sistava), which follow the retention windows in this policy; and (c) short-lived diagnostic, audit, and abuse-prevention logs that may capture fragments of requests and responses. You can revoke any integration at any time from the Workspace, or directly in the third-party provider's own account.
- Scheduling and task management features — recurring work, kanban boards, and automated triggers
- Credit-based usage metering — subscription plans and credit purchases
- Any other subdomains or software solutions provided by Sistava, including but not limited to consultancy portals, client-specific applications, and future product offerings

## Summary of Key Points

This summary highlights the essentials from our privacy notice. You can dig into details by following the "Learn more" link after each key point or by using the table of contents below.

What personal information do we process? Depending on how you use our Services, we may process account details (e.g., email), billing data (via Stripe), website/app usage data, device/network data (e.g., IP, browser), AI interaction data (chat messages, task instructions, voice recordings if using voice channels, and transcripts), and — if you manage AI employees — employee configurations, tool connections, and usage analytics. If you choose social logins, we may receive basic profile info from that provider. Learn more.

Do we process any sensitive personal information? If you use voice channels, we process voice recordings and transcripts which may contain sensitive information.
We do not use voice for biometric identification. Chat messages and task instructions may also contain sensitive information depending on user content. Learn more.

Do we collect any information from third parties? We don't buy personal data from brokers. If you use social logins, we may receive limited profile information from that provider. We also use analytics and other tools that collect data on our behalf to improve the Services.

How do we process your information? We use personal data to provide and improve the Services, authenticate users, deliver support, fulfill orders and billing, communicate important updates, enhance security/fraud prevention, and comply with law. For AI features, we process chat messages, task instructions, tool interaction data, and context data to operate AI employees. Learn more.

In what situations and with whom do we share personal information? We share data with service providers under contract, including cloud hosting (AWS, Hetzner, GCP), payments (Stripe), analytics (e.g., Google Analytics, PostHog for product analytics and session replay where enabled), and AI model providers (e.g., OpenAI, Anthropic, Moonshot AI, Google, xAI, OpenRouter) — and during business transactions if applicable. Learn more.

How do we keep your information safe? We implement organizational and technical measures (e.g., TLS 1.3 in transit, AES-256 at rest, access controls, audits, and security training). No system is 100% secure, but we work to protect your data. Learn more.

What are your rights? Depending on your location (e.g., EEA/UK/Switzerland/Canada and certain U.S. states), you may have rights to access, correct, delete, restrict, or object to processing, obtain portability, and opt out of certain uses. Learn more.

How do you exercise your rights? Submit a data subject request or contact us.
For all privacy-related requests (access, deletion, correction, portability), email support@sista.ai with the subject "Privacy Request" using the email tied to your account. For security-related issues, contact security@sista.ai.

International data transfers: We may process/store data in the U.S. and the Netherlands and use EU Standard Contractual Clauses and other safeguards for cross-border transfers. Learn more.

Do we collect information from minors? Our Services may be used by individuals under 18 with parental/guardian consent. Data is used to operate and improve the Services; we do not sell personal data. Learn more.

AI service providers: To power AI features, certain data (e.g., chat messages, task instructions, context, and interaction data) may be processed by AI providers under strict contracts and safeguards; you can request deletion. Note: Opt-out of AI model training applies only to Sistava-controlled models, not to third-party AI providers (e.g., OpenAI, Anthropic, Moonshot AI, Google, xAI, OpenRouter) whose processing is required for service delivery. Learn more.

Cookies and tracking: We use cookies/similar tech for functionality, analytics, and performance, not for targeted advertising, and we never sell your personal data. You can manage preferences via the cookie banner. Learn more.

Do-Not-Track: We currently don't respond to browser DNT signals due to the lack of an industry standard. Your cookie banner selections are honored instead.

Want to learn more about what we do with any information we collect? Review the privacy notice in full below.

## Table of Contents

- 1. What Information Do We Collect?
- 2. How Do We Process Your Information?
- 3. What Legal Bases Do We Rely On to Process Your Personal Information?
- 4. When and With Whom Do We Share Your Personal Information?
- 5. AI Employee Platform Data Processing
- 6. How Do We Handle Your Social Logins?
- 7. Is Your Information Transferred Internationally?
- 8. How Long Do We Keep Your Information?
- 9. How Do We Keep Your Information Safe?
- 10. Do We Collect Information from Minors?
- 11. What Are Your Privacy Rights?
- 12. Controls for Do-Not-Track Features
- 13. Do United States Residents Have Specific Privacy Rights?
- 14. Do Other Regions Have Specific Privacy Rights?
- 15. Do We Make Updates to This Notice?
- 16. How Can You Review, Update, or Delete the Data We Collect from You?
- 17. How Can You Contact Us About This Notice?
- 18. Client Services & Consultancy
- 19. AI Service Provider Data Sharing
- 20. Do We Use Cookies and Other Tracking Technologies?

## 1. What Information Do We Collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

Our Data Collection Principle: We collect data you provide to us and data collected automatically when you use our Services, limited to what is necessary to provide, improve, and secure our Services. We do not collect, access, or manipulate your data beyond what is necessary for these purposes.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

Sensitive Information. If you use voice communication channels, we process voice recordings and transcripts which may contain sensitive information depending on user content. Chat messages and task instructions may also contain sensitive information depending on what you provide.
While we do not process traditional sensitive categories (e.g., health, race, religion), voice recordings may be considered sensitive in some jurisdictions. We handle them with enhanced safeguards and do not use voice recordings for biometric identification. We process this data only as necessary to provide our Services and in accordance with applicable data protection laws.

Safeguards For Sensitive Inputs. We apply a range of technical and operational safeguards to reduce the risk that sensitive content — including credentials accidentally pasted into chat or similar inputs — is retained or exposed. These include automated redaction of detected credentials on ingestion, encryption of authentication material at rest, access controls, and additional measures we do not publicly enumerate. No safeguard is perfect, and the right way to grant an AI employee access to a service is the supported OAuth or connection flow rather than sharing a credential. You remain responsible for the content you submit. See our Acceptable Use Policy for details.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number and the security code associated with your payment instrument. All full card numbers and CVV codes are handled and stored exclusively by Stripe; we do not store full payment card numbers on our servers. We do, however, receive and store a limited set of payment metadata from Stripe to support billing, account records, fraud prevention, and customer support — including the last four digits of your card, the card brand, the card expiration month and year, the cardholder country, and Stripe customer and payment-method identifiers. You may find Stripe's privacy notice here: https://stripe.com/en-nl/privacy.

Social Media Login Data.
We may provide you with the option to register with us using your existing social media account details, like your Facebook, X (formerly Twitter), Google, GitHub, or other social media account. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section called "How Do We Handle Your Social Logins?" below.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you use our Services.

We automatically collect certain information when you visit, use, access, or interact with our Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Approximate Location. We infer your approximate geographic location (such as country, region, or city) from your IP address for purposes such as fraud prevention, regional service routing, regulatory compliance, language defaults, and aggregated analytics. We do not collect precise GPS location data, device-level coordinates, or any background location signals. Where you connect a tool that has its own location data (for example, a calendar event location), that location is governed by the third-party provider's privacy policy, not by this one.

Like many businesses, we also collect information through cookies and similar technologies. The information we collect includes:

- Email addresses
- Passwords
- Billing addresses
- Chat messages and task instructions sent to AI employees
- AI employee configurations (persona, skills, duties, tools)
- Connected tool and data source information
- Voice recordings and transcriptions (if using voice channels)
- Website/application usage data
- Task and schedule configurations
- Team and organization settings
- Marketplace contributions (published employee templates, skills)
- Professional information (if you apply for employment or engage in consultancy with us, including CVs, references, work history, and professional qualifications)
- Log and Usage Data: Service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. This log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called "crash dumps"), and hardware settings).
- Device Data: Information about your computer, phone, tablet, or other device you use to access the Services. This data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.
- Location Data: We collect approximate location information based on your IP address. We do not collect precise GPS location data. This IP-based location information helps us provide region-specific features and comply with applicable laws. IP-based location is automatically provided by your network connection and is approximate only, not precise geolocation data.

## 2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

AI Employee Interaction Data. When using the AI Employee Platform, we collect and process:

Workspace and Configuration Data. For users who manage AI employees, we collect:

Data Processing and Storage. We process and store your data as follows:

Third-Party Integrations. Our service may integrate with:

- To facilitate account creation and authentication and otherwise manage user accounts: We may process your information so you can create and log in to your account, as well as keep your account in working order.
- To deliver and facilitate delivery of services to the user: We may process your information to provide you with the requested service.
- To respond to user inquiries/offer support to users: We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
- To send administrative information to you: We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
- To fulfill and manage your orders: We may process your information to fulfill and manage your orders, payments, returns, and exchanges made through the Services.
- To save or protect an individual's vital interest: We may process your information when necessary to save or protect an individual's vital interest, such as to prevent harm.
- Chat messages and task instructions sent to AI employees
- AI employee responses, outputs, and execution results
- Voice recordings and transcriptions (if using voice communication channels, processed via Deepgram)
- Tool interaction data (actions taken by AI employees through connected tools via Composio and direct integrations)
- Task and schedule configurations
- Delegation and team coordination data
- Activity timeline and execution traces
- AI employee configurations (persona, skills, duties, tools)
- Team configurations and organization settings
- Connected tool and data source information and access credentials
- Usage analytics and performance metrics
- Payment and billing information
- Credit usage and metering data
- Chat messages and task instructions are processed in real-time and stored for service delivery and continuity
- Voice recordings (if applicable) are processed in real-time and stored for up to 12 months for service delivery and improvement, unless a longer retention period is required by law or for legitimate business purposes (e.g., dispute resolution)
- Transcriptions are stored for up to 12 months to improve AI understanding and response accuracy, after which they are deleted unless required for legal or contractual obligations
- AI employee memory and context data is stored to maintain continuity across conversations
- Workspace configurations and settings are stored securely
- Analytics data is anonymized where possible
- AI model providers (e.g., OpenAI, Anthropic, Moonshot AI, Google, xAI, OpenRouter) for language model processing
- Deepgram for speech-to-text and text-to-speech processing (voice channels)
- Stripe for payment processing and subscription management
- PostHog for product analytics and session replay (where enabled)
- Google Analytics for website analytics
- Sentry for error tracking and performance monitoring
- Datadog for Real User Monitoring, Application Performance Monitoring, and log aggregation (EU data residency)
- Composio for third-party tool integrations (OAuth connections to hundreds of SaaS applications)
- AWS, Hetzner, and Google Cloud Platform (GCP) for cloud infrastructure, hosting, and storage
- Cloudflare for WAF, CDN, and DDoS protection
- Connected tools and applications authorized by you (e.g., Gmail, Slack, Notion, CRMs, calendars) via OAuth
- Data sources and knowledge bases specified by users

## 3. What Legal Bases Do We Rely On to Process Your Personal Information?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

If you are located in Canada, this section applies to you.

We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:

Legal bases by processing purpose. The table below maps each purpose for which we process your personal data to the specific legal basis we rely on under the GDPR. This satisfies our obligation under Article 13(1)(c) of the GDPR to inform you of the legal basis for each processing activity.

Automated decision-making.
Sistava does not engage in solely-automated decision-making that produces legal effects or similarly significant effects on you within the meaning of Article 22 of the GDPR. AI employees execute tasks autonomously on your direction, but you remain the decision-maker: you instruct them, you can review their work, you can pause or stop them, and you can require human approval for sensitive actions.

No sale of personal data. We do not sell your personal data within the meaning of the California Consumer Privacy Act (CCPA), the GDPR, or any equivalent law. We do not engage in cross-context behavioral advertising and we do not share personal data with advertisers.

- Consent: We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
- Performance of a Contract: We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
- Legal Obligations: We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
- Vital Interests: We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.
- If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way
- For investigations and fraud detection and prevention
- For business transactions provided certain conditions are met
- If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
- For identifying injured, ill, or deceased persons and communicating with next of kin
- If we have reasonable grounds to believe an individual has been, is, or may be a victim of financial abuse
- If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
- If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
- If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced
- If the collection is solely for journalistic, artistic, or literary purposes
- If the information is publicly available and is specified by the regulations

| Purpose | Data type | Legal basis |
| --- | --- | --- |
| To create and administer your Sistava account, sign you in, and provide the Services governed by our Terms of Service | Identity & contact data; account credentials; payment information; inputs and outputs you generate; technical/usage information | Performance of a contract (Art. 6(1)(b) GDPR) |
| To process payments, manage subscriptions, issue invoices, and prevent payment fraud | Identity & contact data; payment information; billing history | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax, accounting, and anti-fraud requirements |
| To operate AI employees, run agentic workflows, store memory, ingest training data, and execute connected-tool actions on your behalf | Inputs and outputs; training data; tool credentials (encrypted); chat messages; files; voice transcripts; agent memory and knowledge graphs | Performance of a contract (Art. 6(1)(b)). Where you submit special-category data, your explicit consent under Art. 9(2)(a) |
| To communicate with you about the Services, send transactional emails, account notifications, security alerts, and respond to support requests | Identity & contact data; communication content | Performance of a contract (Art. 6(1)(b)) for transactional messages; legitimate interests (Art. 6(1)(f)) for security and operational notices |
| To send marketing communications, newsletters, product updates, and promotional content about Sistava | Identity & contact data; marketing preferences | Your consent (Art. 6(1)(a)) where required by law; otherwise legitimate interests (Art. 6(1)(f)) in promoting our Services. You can opt out at any time. |
| To prevent fraud, abuse, and violations of our Terms of Service or Acceptable Use Policy; to investigate suspected misuse; to protect our rights and the rights of others | Identity & contact data; technical/usage information; inputs and outputs (where flagged for safety review) | Legitimate interests (Art. 6(1)(f)) in protecting our business and users; legal obligation (Art. 6(1)(c)) to cooperate with authorities |
| To investigate and resolve security incidents and personal data breaches | Identity & contact data; technical/usage information; logs; affected inputs and outputs | Legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) to protect personal data and notify regulators |
| To debug, monitor, and improve the operational stability of the Services | Technical/usage information; error logs; performance traces | Legitimate interests (Art. 6(1)(f)) in maintaining a reliable platform |
| To analyze aggregated, anonymized usage data and improve features (excluding model training) | Anonymized/aggregated technical and usage information | Legitimate interests (Art. 6(1)(f)) |
| To investigate and resolve disputes, complaints, and chargebacks | Identity & contact data; account history; relevant inputs and outputs; communication history | Legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| To enforce our Terms of Service, Acceptable Use Policy, and other agreements | Identity & contact data; technical/usage information; inputs and outputs | Performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) |
| To comply with legal, tax, accounting, regulatory, audit, and law-enforcement requirements | Identity & contact data; payment information; transaction records; relevant communications | Legal obligation (Art. 6(1)(c)) |

## 4. When and With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations described in this section and/or with the following third parties.

Vendors, Consultants, and Other Third-Party Service Providers: We may share your data with third-party vendors, service providers, contractors, or agents ("third parties") who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will also not share your personal information with any organization apart from us. They also commit to protecting the data they hold on our behalf and to retaining it for the period we instruct. See Section 19 (AI Service Provider Data Sharing) for a comprehensive list of our third-party service providers and sub-processors.

We also may need to share your personal information in the following situations:

- Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

## 5. AI Employee Platform Data Processing

AI Transparency Disclosure (EU AI Act, Article 50): The AI Employee Platform uses artificial intelligence to power AI employees. When you interact with an AI employee through chat, voice, or other channels, you are communicating with an AI system, not a human being. AI employees are powered by large language models (LLMs) from providers such as OpenAI, Anthropic, Moonshot AI, Google, xAI, OpenRouter, and others, and their responses are generated by AI. All AI employee interactions are clearly labeled as AI-generated within the platform interface.

Automated Decision-Making: AI employees may execute tasks, use tools, delegate work, and produce outputs autonomously based on your instructions. These automated actions are taken on your behalf and under your direction. You retain full control over what AI employees are authorized to do through skill, duty, tool, and approval configurations. The platform provides human-in-the-loop approval gates for sensitive operations, activity timeline transparency for all AI actions, and the ability to suspend or terminate AI employees at any time. AI employees do not make decisions that produce legal effects or similarly significant effects concerning you without human oversight.

The AI Employee Platform enables users to hire, onboard, and manage AI employees that execute real work autonomously. When you use the platform, we may collect and process:

- Chat messages and task instructions for AI employee interaction
- AI employee execution data (tool calls, delegation actions, task outputs)
- Voice recordings and transcriptions (if using voice communication channels, processed via Deepgram for speech-to-text and text-to-speech) — collected only when you actively use voice features, not passively
- AI employee configurations (persona, skills, duties, tools)
- Connected tool credentials and data source access
- Team coordination and delegation data
- Activity timeline and execution traces (for transparency and observability)
- Memory and context data (to maintain continuity across conversations)
- Credit usage and metering data
- Marketplace contributions (published templates and skills)
- Anonymous analytics and error logs

This data is processed to operate AI employees, enable autonomous execution, improve the platform, and ensure security. No sensitive personal information is collected unless you explicitly provide it via chat, voice, or task input. Data is encrypted in transit and at rest, and is not sold to third parties. You may review, update, or delete your data at any time by contacting us at support@sista.ai.

## 6. How Do We Handle Your Social Logins?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (like your Facebook, X (formerly Twitter), Google, or GitHub logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, friends list, and profile picture, as well as other information you choose to make public on such a social media platform.

We will use the information we receive only for the purposes that are described in this privacy notice or that are otherwise made clear to you on the relevant Services.
Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

## 7. Is Your Information Transferred Internationally?

In Short: We may transfer, store, and process your information in countries other than your own.

Our servers are located in the United States and the Netherlands. If you are accessing our Services from outside these countries, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information (see "When and With Whom Do We Share Your Personal Information?" above), in the United States, the Netherlands, and other countries.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this privacy notice and applicable law.

European Commission's Standard Contractual Clauses: We have implemented measures to protect your personal information, including by using the European Commission's Standard Contractual Clauses for transfers of personal information between us and our third-party providers. These clauses require all recipients to protect all personal information that they process originating from the EEA or UK in accordance with European data protection laws and regulations. Our Standard Contractual Clauses can be provided upon request. We have implemented similar appropriate safeguards with our third-party service providers and partners and further details can be provided upon request.

## 8. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). Voice recordings and transcripts are retained for up to 12 months from collection, and no longer than 12 months after account termination, unless required for legal or contractual obligations.

Retention Summary:

- Voice recordings: Up to 12 months from collection, and no longer than 12 months after account termination — Service delivery and improvement
- Transcriptions: Up to 12 months — AI understanding and response accuracy
- Chat messages and task data: Duration of account plus 12 months post-termination — Service delivery and continuity
- AI employee memory: Duration of account — Operational continuity
- Account data: 12 months post-termination — Legal and contractual obligations
- Consultancy/client data: As specified in service agreement or required by law — Contractual and legal requirements

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

## 9. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process.
However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

Data Breach Notification. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law (e.g., within 72 hours under GDPR for authorities, without undue delay for affected users). We will provide clear information about the nature of the breach, likely consequences, and measures taken or proposed to address it.

## 10. Do We Collect Information from Minors?

In Short: We may collect data from users under 18 years of age with appropriate consent. We do not knowingly collect personal data from children under 13 without verified parental consent.

Our Services may be used by users under 18 years of age with parental or guardian consent. Data collected from users, including minors, is used for service delivery, functionality, and improvement of our Services. We do not use data from users under 13 for model training purposes. For service improvement, we may use anonymized and aggregated data that cannot identify individual users, including minors.

## 11. What Are Your Privacy Rights?

In Short: Depending on your state of residence in the US or in some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information.
You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. The full set of rights available to you under the GDPR is listed below. In certain circumstances, you may also have the right to object to the processing of your personal information.

Your GDPR Data Subject Rights at a Glance.

- Right of access (Art. 15): request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification (Art. 16): ask us to correct or complete personal data that is inaccurate or incomplete. See also "Accuracy of AI Output About You" below for the special case of AI-generated content.
- Right to erasure / right to be forgotten (Art. 17): ask us to delete your personal data, subject to lawful exceptions (legal obligations, fraud prevention, defense of legal claims).
- Right to restriction of processing (Art. 18): ask us to limit how we use your personal data while we resolve a dispute or correction request.
- Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller. The export and switching process in Section 18.A of our Terms of Service implements this right at the platform level.
- Right to object (Art. 21): object to our processing of your personal data on legitimate-interest grounds, including profiling. Where you object, we will stop processing unless we have compelling legitimate grounds that override your rights.
- Right to object to direct marketing (Art. 21(2)): opt out of all direct marketing at any time. We honor opt-outs immediately.
- Right not to be subject to automated decision-making (Art. 22): not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects. We do not engage in such automated decision-making.
- Right to withdraw consent (Art. 7(3)): where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint (Art. 77): file a complaint with your local supervisory authority if you believe we have violated data protection law. As an EU-incorporated company, our lead supervisory authority is the Dutch Autoriteit Persoonsgegevens (AP); you may also contact your local DPA; the full list is at the European Data Protection Board.

To exercise any of these rights, contact us at dpo@sista.ai or through the contact details in Section 17 below. We may need to verify your identity before processing your request. We will respond within the timeframe required by applicable law (within one month under GDPR Article 12(3), extendable by two further months for complex requests).

Accuracy of AI Output About You. AI employees on the Sistava platform generate responses by predicting the most likely next words based on the inputs they receive. The words an AI employee predicts may not always be the most factually accurate, and AI employees can produce outputs that contain inaccurate, outdated, or fabricated information about real people, including you. You should not rely on the factual accuracy of AI employee outputs about any individual without independent verification.

If you notice that an output generated by an AI employee on our platform contains factually inaccurate information about you and you would like to request correction or removal of that information, you may submit a rectification request under Article 16 GDPR by emailing dpo@sista.ai. We will consider your request in good faith based on applicable law and the technical capabilities of the AI models involved. Because large language models do not contain a structured database of facts that we can directly edit, in some cases the most we can do is delete the specific output, prevent it from being regenerated where technically feasible, and add the corrected information to any context we control. We will not always be able to guarantee that the same or similar incorrect output will never be produced again by an AI model in response to a different prompt.

Opt-Out of AI Model Training. You can opt out of your data being used for AI model training purposes by contacting us at support@sista.ai. Opt-out applies only to training or fine-tuning models controlled by Sistava, not to real-time inference required to deliver the Service. Opt-out does not affect data sharing with third-party AI providers (such as OpenAI, Anthropic, Moonshot AI, Google, xAI, or OpenRouter) that is necessary for service functionality.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "How Can You Contact Us About This Notice?" below. However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in the section "How Can You Contact Us About This Notice?" below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

- Log in to your account settings and update your user account.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services. Read our Cookie Policy for more information.

If you have questions or comments about your privacy rights, you may email us at support@sista.ai.

## 12. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.

## 13. Do United States Residents Have Specific Privacy Rights?

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. More information is provided below.
Categories of Personal Information We Collect: We have collected the following categories of personal information in the past twelve (12) months:

- A. Identifiers — Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name — YES
- B. Personal information (California Customer Records) — Name, contact information, education, employment, employment history, and financial information — NO
- C. Protected classification characteristics — Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data — NO
- D. Commercial information — Transaction information, purchase history, financial details, and payment information — NO
- E. Biometric information — Voice recordings (not used for biometric identification or voiceprints) — YES (limited, voice channels only)
- F. Internet or similar network activity — Browsing history, online behavior, interest data, and interactions with our Services — YES
- G. Geolocation data — Device location (IP-based, approximate location) — YES
- H. Audio, electronic, sensory, or similar information — Voice recordings and transcripts created when using voice features of our Services — YES
- I. Professional or employment-related information — Business contact details, job title, work history, and professional qualifications if you apply for a job with us — YES
- J. Education Information — Student records and directory information (may be included in CVs or professional qualifications if you apply for employment or consultancy) — YES
- K. Inferences drawn from collected personal information — Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual's preferences and characteristics — YES
- L. Sensitive personal information — Voice recordings may constitute sensitive personal data under certain state laws depending on user content; we do not use voice recordings for biometric identification — YES

We may also collect other personal information outside of these categories through instances where you interact with us in person, online, or by phone or mail in the context of:

- Receiving help through our customer support channels
- Participation in customer surveys or contests
- Facilitation in the delivery of our Services and to respond to your inquiries

We will use and retain the collected personal information as needed to provide the Services or for:

- Category A — As long as the user has an account with us
- Category K — As long as the user has an account with us

Sources of Personal Information: Learn more about the sources of personal information we collect in "What Information Do We Collect?"

How We Use and Share Personal Information: Learn about how we use your personal information in the section, "How Do We Process Your Information?"

We collect and share your personal information through:

- Beacons/Pixels/Tags
- Social media plugins: We might use social media features, such as a "Like" button, and widgets, such as a "Share" button, in our Services. Such features may process your Internet Protocol (IP) address and track which page you are visiting on our website. We may place a cookie to enable the feature to work correctly. If you are logged in on a certain social media platform and you interact with a widget or button belonging to that social media platform, this information may be recorded to your profile of such social media platform. To avoid this, you should log out from that social media platform before accessing or using the Services. Social media features and widgets may be hosted by a third party or hosted directly on our Services. Your interactions with these features are governed by the privacy notices of the companies that provide them. By clicking on one of these buttons, you agree to the use of this plugin and consequently the transfer of personal information to the corresponding social media service. We have no control over the essence and extent of these transmitted data or their additional processing.

Will your information be shared with anyone else?

We may disclose your personal information with our service providers pursuant to a written contract between us and each service provider. Learn more about how we disclose personal information in the section, "When and With Whom Do We Share Your Personal Information?"

We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be "selling" of your personal information.

We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months.

Your Rights

You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:

- Right to know whether or not we are processing your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to request the deletion of your personal data
- Right to obtain a copy of the personal data you previously shared with us
- Right to non-discrimination for exercising your rights
- Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

Depending upon the state where you live, you may also have the following rights:

- Right to obtain a list of the categories of third parties to which we have disclosed personal data (as permitted by applicable law, including California's and Delaware's privacy law)
- Right to obtain a list of specific third parties to which we have disclosed personal data (as permitted by applicable law, including Oregon's privacy law)
- Right to limit use and disclosure of sensitive personal data (as permitted by applicable law, including California's privacy law)
- Right to opt out of the collection of sensitive data and personal data collected through the operation of a voice or facial recognition feature (as permitted by applicable law, including Florida's privacy law)

How to Exercise Your Rights

To exercise these rights, you can contact us by submitting a data subject access request, by emailing us at support@sista.ai, or by referring to the contact details at the bottom of this document.

Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.

Request Verification

Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes.

If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request and the agent will need to provide a written and signed permission from you to submit such request on your behalf.

Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at contact@sista.ai. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine The Light" Law

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section "How Can You Contact Us About This Notice?"

## 14. Do Other Regions Have Specific Privacy Rights?

In Short: You may have additional rights based on the country you reside in.

Australia and New Zealand

We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020 (Privacy Act).

This privacy notice satisfies the notice requirements defined in both Privacy Acts, in particular: what personal information we collect from you, from which sources, for which purposes, and other recipients of your personal information.
If you do not wish to provide the personal information necessary to fulfill their applicable purpose, it may affect our ability to provide our services, in particular:

- Offer you the products or services that you want
- Respond to or help with your requests
- Manage your account with us
- Confirm your identity and protect your account

At any time, you have the right to request access to or correction of your personal information. You can make such a request by contacting us by using the contact details provided in the section "How Can You Review, Update, or Delete the Data We Collect from You?"

If you believe we are unlawfully processing your personal information, you have the right to submit a complaint about a breach of the Australian Privacy Principles to the Office of the Australian Information Commissioner and a breach of New Zealand's Privacy Principles to the Office of New Zealand Privacy Commissioner.

Republic of South Africa

At any time, you have the right to request access to or correction of your personal information. You can make such a request by contacting us by using the contact details provided in the section "How Can You Review, Update, or Delete the Data We Collect from You?"

If you are unsatisfied with the manner in which we address any complaint with regard to our processing of personal information, you can contact the office of the regulator, the details of which are:

The Information Regulator (South Africa)
General enquiries: enquiries@inforegulator.org.za
Complaints (complete POPIA/PAIA form 5): PAIAComplaints@inforegulator.org.za & POPIAComplaints@inforegulator.org.za

## 15. Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this privacy notice.
If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.

Review Frequency: We review this privacy policy at least annually, or more frequently as required by changes in applicable laws, regulations, or our services. We will notify users of any material changes through our Services or via email.

## 16. How Can You Review, Update, or Delete the Data We Collect from You?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please send us an email at support@sista.ai with the subject "Privacy Request" and make sure you send us the email address you used to sign up for our service.

Data Portability: If you request a copy of your personal data, we will provide it in a structured, commonly used, and machine-readable format (e.g., JSON or CSV) within 30 days of your verified request, subject to applicable legal requirements.

## 17. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at support@sista.ai for privacy-related inquiries, or contact@sista.ai for general inquiries. For security-related issues, contact security@sista.ai.

Data Protection Officer (DPO). For all data protection inquiries, data subject access requests (DSARs), rectification requests, erasure requests, and any other matter relating to your personal data under GDPR, contact our Data Protection Officer at dpo@sista.ai. While Sistava is not currently required by Article 37 GDPR to appoint a formal DPO, we maintain a dedicated privacy contact at this address to ensure data subject requests are routed and handled consistently.

Lead Supervisory Authority. Sistava is incorporated in the Netherlands. Our lead supervisory authority for the purposes of GDPR Article 56 is the Dutch Autoriteit Persoonsgegevens (Dutch Data Protection Authority). If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens or with the supervisory authority of your EU member state of residence. The full list of EU supervisory authorities is maintained by the European Data Protection Board. For UK residents, you may also contact the UK Information Commissioner's Office (ICO). For Swiss residents, you may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC).

## 18. Client Services & Consultancy

In addition to our SaaS products, Sistava provides consultancy, debugging, and managed services for client companies. When we act as a service provider or consultant for business clients, our role and data handling differ from our standard SaaS services.

Our Role as Data Processor: When providing consultancy, debugging, cloud management, or custom development services to business clients, we typically act as a Data Processor (or sub-processor) on behalf of our client, who remains the Data Controller. For healthcare clients, we offer HIPAA-compliant processing governed by a separate Business Associate Agreement (BAA).
In these scenarios:

- Data processing is governed by the Master Services Agreement (MSA) or Data Processing Agreement (DPA) signed with the business client, which supersedes this general privacy policy
- We process client data only as instructed by the client and for the purposes specified in the service agreement
- We implement appropriate technical and organizational measures to protect client data, consistent with our security standards
- Client data is logically or physically segregated from our SaaS platform data
- Access to client data is restricted to authorized personnel on a need-to-know basis
- We do not use client data for AI model training or improvement unless explicitly authorized by the client in writing

Types of Client Data We May Process:

- Source code and technical documentation
- System logs, error reports, and diagnostic data
- Cloud infrastructure configurations and credentials (handled with strict security protocols)
- Business data as required by the service engagement
- Employee or customer data of our clients (processed solely as instructed)

Data Retention for Consultancy: Client data retention follows the terms specified in the applicable service agreement. Upon termination of the engagement, we will return or delete client data as instructed, subject to any legal retention requirements.

Sub-Processors: We may engage sub-processors (e.g., cloud providers, specialized tools) to deliver consultancy services. Sub-processors are subject to equivalent data protection obligations and are disclosed to clients upon request or as required by the DPA.

## 19. AI Service Provider Data Sharing

To power the AI features of our Services, including AI employee execution, autonomous task processing, and intelligent responses, certain data may be shared with and processed by third-party AI service providers. This section describes how we handle data sharing with these providers.
Data Shared with AI Providers:

- Chat messages and task instructions (to generate AI employee responses and execute tasks)
- Contextual information (to provide relevant and accurate assistance)
- Voice recordings/transcripts (if using voice channels, processed by Deepgram for speech-to-text and text-to-speech)
- Tool interaction data (to enable AI employees to use connected tools)
- AI employee memory and context (to maintain conversation continuity)

Our AI Service Providers: Our complete and current list of sub-processors is maintained on our Sub-processors page. The list below is rendered from the same source of truth (routes/legal/_data/subprocessors.ts) so it cannot drift out of sync. Each provider name links to the provider's official privacy policy so you can verify their data-handling practices directly.

Safeguards:

- All AI providers are contractually bound to protect your data and process it only as instructed
- Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- We use API-level access with enterprise agreements that typically include data processing addenda
- AI providers are prohibited from using your data for their own model training under our enterprise agreements where available
- We regularly review and audit our AI providers' data practices

Your Rights Regarding AI Data Processing:

- You can request deletion of your data from our systems and we will propagate deletion requests to AI providers where technically feasible
- You can opt out of AI model training for Sistava-controlled models by contacting us
- Note: Opt-out of AI model training applies only to Sistava-controlled models, not to third-party AI providers (e.g., OpenAI, Anthropic) whose processing is required for service delivery
- You can request information about which AI providers processed your data

## 20. Do We Use Cookies and Other Tracking Technologies?
In Short: We may use cookies and similar tracking technologies to collect and store your information.

We use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

We also permit third parties and service providers to use online tracking technologies on our Services for analytics and reporting purposes. These third parties may use their technology to collect information about your use of our Services to help compile usage statistics for our platform. We use cookies and similar technologies for functionality, analytics, and performance purposes only — not for targeted advertising. We never sell your personal data. You can manage your preferences via the cookie banner displayed when you first visit our Services.

Types of cookies we use:

- Essential cookies: Required for the operation of our Services. They include cookies that enable you to log into secure areas and use core features.
- Analytics cookies: Allow us to recognize and count users, and see how they move around our Services. This helps us improve how our Services work.
- Functional cookies: Used to recognize you when you return to our Services. This enables us to personalize our content for you and remember your preferences.

How to manage cookies: Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or to alert you when cookies are being sent. Please note that if you disable cookies, some features of our Services may not function properly. For more information about the cookies we use and your choices regarding cookies, please see our Cookie Policy or contact us.