Sistava

Privacy Policy

Plain-language summary of what data we collect, why, how long we keep it, and your rights to access, export, or delete it.

Last updated: May 13, 2026

Welcome to the privacy policy for Sistava, operated by SISTA AI ("we," "us," or "our"). This document explains how and why we collect, store, use, and share ("process") your personal information when you use our services ("Services"), such as:

- Using our Services, including visiting our websites, accessing our applications, software, and other services under the sista.ai domain, including but not limited to:
  - Using the Sistava platform to hire, onboard, and manage AI employees that execute real work autonomously, including team coordination, tool integrations, durable execution, and full observability across employees, teams, and organizations.
  - Using the Sistava marketplace to discover, clone, and customize pre-built AI employee templates, team configurations, and individual skills published by Sistava or by other users.
  - Connecting third-party tools and data sources (apps, documents, calendars, CRMs, databases, knowledge bases) to enable AI employees to execute work on your behalf.
  - Accessing the Sistava workspace to manage your account, subscriptions, AI employee configurations, teams, and credit usage.
- Engaging with us in various ways, including sales, marketing, or events.

When we are the controller vs. the processor. This Privacy Policy explains how we collect and use personal data when Sistava acts as the data controller — for example, when you create an account directly with us, when you use our website, or when you sign up as an individual user of the platform. In those cases, Sistava decides the purposes and means of the processing, and this Privacy Policy applies in full. When you use the Services as part of an organization — for example, when your employer or a customer provisions you a workspace, when you interact with an AI employee deployed by another business, or when your data is processed by Sistava on behalf of a paying customer for the purpose of operating their AI workforce — that organization is the data controller and Sistava acts as a data processor on their behalf. The organization's own privacy notice governs how your personal data is handled in that context, and you should review their policies for more information. Our processing in that role is governed by our Data Processing Agreement, and the sub-processors involved are listed on our Sub-processors page.

Accessibility: This policy is available in accessible formats upon request. If you need assistance accessing this document, please contact us at support@sista.ai.

If you have any questions or concerns about this notice, your privacy rights, or our practices, please contact us at support@sista.ai. If you disagree with our policies and practices, please do not use our Services. For more information about our terms and conditions, please review our Terms of Service.

Summary of Key Points

This summary highlights the essentials from our privacy notice. You can dig into details by following the "Learn more" link after each key point or by using the table of contents below.

What personal information do we process? Depending on how you use our Services, we may process account details (e.g., email), billing data (via Stripe), website/app usage data, device/network data (e.g., IP, browser), AI interaction data (chat messages, task instructions, voice recordings if using voice channels, and transcripts), and — if you manage AI employees — employee configurations, tool connections, and usage analytics. If you choose social logins, we may receive basic profile info from that provider. Learn more.

Do we process any sensitive personal information? If you use voice channels, we process voice recordings and transcripts which may contain sensitive information. We do not use voice for biometric identification. Chat messages and task instructions may also contain sensitive information depending on user content. Learn more.

Do we collect any information from third parties? We don't buy personal data from brokers. If you use social logins, we may receive limited profile information from that provider. We also use analytics and other tools that collect data on our behalf to improve the Services.

How do we process your information? We use personal data to provide and improve the Services, authenticate users, deliver support, fulfill orders and billing, communicate important updates, enhance security/fraud prevention, and comply with law. For AI features, we process chat messages, task instructions, tool interaction data, and context data to operate AI employees. Learn more.

In what situations and with whom do we share personal information? We share data with service providers under contract, including cloud hosting (AWS, Hetzner, GCP), payments (Stripe), analytics (e.g., Google Analytics, PostHog for product analytics and session replay where enabled), and AI model providers (e.g., OpenAI, Anthropic, Moonshot AI, Google, xAI, OpenRouter) — and during business transactions if applicable. Learn more.

How do we keep your information safe? We implement organizational and technical measures (e.g., TLS 1.3 in transit, AES-256 at rest, access controls, audits, and security training). No system is 100% secure, but we work to protect your data. Learn more.

What are your rights? Depending on your location (e.g., EEA/UK/Switzerland/Canada and certain U.S. states), you may have rights to access, correct, delete, restrict, or object to processing, obtain portability, and opt out of certain uses. Learn more.

How do you exercise your rights? Submit a data subject request or contact us. For all privacy-related requests (access, deletion, correction, portability), email support@sista.ai with the subject "Privacy Request" using the email tied to your account. For security-related issues, contact security@sista.ai.

International data transfers: We may process/store data in the U.S. and the Netherlands and use EU Standard Contractual Clauses and other safeguards for cross-border transfers. Learn more.

Do we collect information from minors? Our Services may be used by individuals under 18 with parental/guardian consent. Data is used to operate and improve the Services; we do not sell personal data. Learn more.

AI service providers: To power AI features, certain data (e.g., chat messages, task instructions, context, and interaction data) may be processed by AI providers under strict contracts and safeguards; you can request deletion. Note: Opt-out of AI model training applies only to Sistava-controlled models, not to third-party AI providers (e.g., OpenAI, Anthropic, Moonshot AI, Google, xAI, OpenRouter) whose processing is required for service delivery. Learn more.

Cookies and tracking: We use cookies/similar tech for functionality, analytics, and performance, not for targeted advertising, and we never sell your personal data. You can manage preferences via the cookie banner. Learn more.

Do-Not-Track: We currently don't respond to browser DNT signals due to the lack of an industry standard. Your cookie banner selections are honored instead.

Want to learn more about what we do with any information we collect? Review the privacy notice in full below.

Table of Contents

1. What Information Do We Collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

Our Data Collection Principle: We collect data you provide to us and data collected automatically when you use our Services, limited to what is necessary to provide, improve, and secure our Services. We do not collect, access, or manipulate your data beyond what is necessary for these purposes.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

Sensitive Information. If you use voice communication channels, we process voice recordings and transcripts which may contain sensitive information depending on user content. Chat messages and task instructions may also contain sensitive information depending on what you provide. While we do not process traditional sensitive categories (e.g., health, race, religion), voice recordings may be considered sensitive in some jurisdictions. We handle them with enhanced safeguards and do not use voice recordings for biometric identification. We process this data only as necessary to provide our Services and in accordance with applicable data protection laws.

Safeguards For Sensitive Inputs. We apply a range of technical and operational safeguards to reduce the risk that sensitive content — including credentials accidentally pasted into chat or similar inputs — is retained or exposed. These include automated redaction of detected credentials on ingestion, encryption of authentication material at rest, access controls, and additional measures we do not publicly enumerate. No safeguard is perfect, and the right way to grant an AI employee access to a service is the supported OAuth or connection flow rather than sharing a credential. You remain responsible for the content you submit. See our Acceptable Use Policy for details.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number and the security code associated with your payment instrument. All full card numbers and CVV codes are handled and stored exclusively by Stripe; we do not store full payment card numbers on our servers. We do, however, receive and store a limited set of payment metadata from Stripe to support billing, account records, fraud prevention, and customer support — including the last four digits of your card, the card brand, the card expiration month and year, the cardholder country, and Stripe customer and payment-method identifiers. You may find Stripe's privacy notice here: https://stripe.com/en-nl/privacy.

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Facebook, X (formerly Twitter), Google, GitHub, or other social media account. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section called "How Do We Handle Your Social Logins?" below.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you use our Services.

We automatically collect certain information when you visit, use, access, or interact with our Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Approximate Location. We infer your approximate geographic location (such as country, region, or city) from your IP address for purposes such as fraud prevention, regional service routing, regulatory compliance, language defaults, and aggregated analytics. We do not collect precise GPS location data, device-level coordinates, or any background location signals. Where you connect a tool that has its own location data (for example, a calendar event location), that location is governed by the third-party provider's privacy policy, not by this one.

Like many businesses, we also collect information through cookies and similar technologies. The information we collect includes:

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your personal information for a variety of reasons, depending on how you interact with our Services, including: AI Employee Interaction Data. When using the AI Employee Platform, we collect and process: Workspace and Configuration Data. For users who manage AI employees, we collect: Data Processing and Storage. We process and store your data as follows: Third-Party Integrations. Our service may integrate with:

3. What Legal Bases Do We Rely On to Process Your Personal Information?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you. The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

If you are located in Canada, this section applies to you. We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time. In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:

Legal bases by processing purpose. The table below maps each purpose for which we process your personal data to the specific legal basis we rely on under the GDPR. This satisfies our obligation under Article 13(1)(c) of the GDPR to inform you of the legal basis for each processing activity.

Automated decision-making. Sistava does not engage in solely-automated decision-making that produces legal effects or similarly significant effects on you within the meaning of Article 22 of the GDPR. AI employees execute tasks autonomously on your direction, but you remain the decision-maker: you instruct them, you can review their work, you can pause or stop them, and you can require human approval for sensitive actions.

No sale of personal data. We do not sell your personal data within the meaning of the California Consumer Privacy Act (CCPA), the GDPR, or any equivalent law. We do not engage in cross-context behavioral advertising and we do not share personal data with advertisers.

4. When and With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations described in this section and/or with the following third parties. Vendors, Consultants, and Other Third-Party Service Providers: We may share your data with third-party vendors, service providers, contractors, or agents ("third parties") who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will also not share your personal information with any organization apart from us. They also commit to protecting the data they hold on our behalf and to retaining it for the period we instruct. See Section 19 (AI Service Provider Data Sharing) for a comprehensive list of our third-party service providers and sub-processors. We also may need to share your personal information in the following situations:

5. AI Employee Platform Data Processing

AI Transparency Disclosure (EU AI Act, Article 50): The AI Employee Platform uses artificial intelligence to power AI employees. When you interact with an AI employee through chat, voice, or other channels, you are communicating with an AI system, not a human being. AI employees are powered by large language models (LLMs) from providers such as OpenAI, Anthropic, Moonshot AI, Google, xAI, OpenRouter, and others, and their responses are generated by AI. All AI employee interactions are clearly labeled as AI-generated within the platform interface.

Automated Decision-Making: AI employees may execute tasks, use tools, delegate work, and produce outputs autonomously based on your instructions. These automated actions are taken on your behalf and under your direction. You retain full control over what AI employees are authorized to do through skill, duty, tool, and approval configurations. The platform provides human-in-the-loop approval gates for sensitive operations, activity timeline transparency for all AI actions, and the ability to suspend or terminate AI employees at any time. AI employees do not make decisions that produce legal effects or similarly significant effects concerning you without human oversight.

The AI Employee Platform enables users to hire, onboard, and manage AI employees that execute real work autonomously. When you use the platform, we may collect and process:

This data is processed to operate AI employees, enable autonomous execution, improve the platform, and ensure security. No sensitive personal information is collected unless you explicitly provide it via chat, voice, or task input. Data is encrypted in transit and at rest, and is not sold to third parties. You may review, update, or delete your data at any time by contacting us at support@sista.ai.

6. How Do We Handle Your Social Logins?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you. Our Services offer you the ability to register and log in using your third-party social media account details (like your Facebook, X (formerly Twitter), Google, or GitHub logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, friends list, and profile picture, as well as other information you choose to make public on such a social media platform. We will use the information we receive only for the purposes that are described in this privacy notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

7. Is Your Information Transferred Internationally?

In Short: We may transfer, store, and process your information in countries other than your own. Our servers are located in the United States and the Netherlands. If you are accessing our Services from outside these countries, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information (see "When and With Whom Do We Share Your Personal Information?" above), in the United States, the Netherlands, and other countries. If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this privacy notice and applicable law. European Commission's Standard Contractual Clauses: We have implemented measures to protect your personal information, including by using the European Commission's Standard Contractual Clauses for transfers of personal information between us and our third-party providers. These clauses require all recipients to protect all personal information that they process originating from the EEA or UK in accordance with European data protection laws and regulations. Our Standard Contractual Clauses can be provided upon request. We have implemented similar appropriate safeguards with our third-party service providers and partners and further details can be provided upon request.

8. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law. We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). Voice recordings and transcripts are retained for up to 12 months from collection, and no longer than 12 months after account termination, unless required for legal or contractual obligations. Retention Summary: When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

9. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures. We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment. Data Breach Notification. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law (e.g., within 72 hours under GDPR for authorities, without undue delay for affected users). We will provide clear information about the nature of the breach, likely consequences, and measures taken or proposed to address it.

10. Do We Collect Information from Minors?

In Short: We may collect data from users under 18 years of age with appropriate consent. We do not knowingly collect personal data from children under 13 without verified parental consent. Our Services may be used by users under 18 years of age with parental or guardian consent. Data collected from users, including minors, is used for service delivery, functionality, and improvement of our Services. We do not use data from users under 13 for model training purposes. For service improvement, we may use anonymized and aggregated data that cannot identify individual users, including minors.

11. What Are Your Privacy Rights?

In Short: Depending on your state of residence in the US or in some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. The full set of rights available to you under the GDPR is listed below. In certain circumstances, you may also have the right to object to the processing of your personal information.

Your GDPR Data Subject Rights at a Glance. To exercise any of these rights, contact us at dpo@sista.ai or through the contact details in Section 17 below. We may need to verify your identity before processing your request. We will respond within the timeframe required by applicable law (within one month under GDPR Article 12(3), extendable by two further months for complex requests).

Accuracy of AI Output About You. AI employees on the Sistava platform generate responses by predicting the most likely next words based on the inputs they receive. The words an AI employee predicts may not always be the most factually accurate, and AI employees can produce outputs that contain inaccurate, outdated, or fabricated information about real people, including you. You should not rely on the factual accuracy of AI employee outputs about any individual without independent verification. If you notice that an output generated by an AI employee on our platform contains factually inaccurate information about you and you would like to request correction or removal of that information, you may submit a rectification request under Article 16 GDPR by emailing dpo@sista.ai. We will consider your request in good faith based on applicable law and the technical capabilities of the AI models involved. Because large language models do not contain a structured database of facts that we can directly edit, in some cases the most we can do is delete the specific output, prevent it from being regenerated where technically feasible, and add the corrected information to any context we control. We will not always be able to guarantee that the same or similar incorrect output will never be produced again by an AI model in response to a different prompt.

Opt-Out of AI Model Training. You can opt out of your data being used for AI model training purposes by contacting us at support@sista.ai. Opt-out applies only to training or fine-tuning models controlled by Sistava, not to real-time inference required to deliver the Service. Opt-out does not affect data sharing with third-party AI providers (such as OpenAI, Anthropic, Moonshot AI, Google, xAI, or OpenRouter) that is necessary for service functionality.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "How Can You Contact Us About This Notice?" below. However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in the section "How Can You Contact Us About This Notice?" below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services. Read our Cookie Policy for more information.

If you have questions or comments about your privacy rights, you may email us at support@sista.ai.

12. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice. California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.

13. Do United States Residents Have Specific Privacy Rights?

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. More information is provided below.

Categories of Personal Information We Collect: We have collected the following categories of personal information in the past twelve (12) months:

We may also collect other personal information outside of these categories through instances where you interact with us in person, online, or by phone or mail in the context of:

We will use and retain the collected personal information as needed to provide the Services or for:

Sources of Personal Information: Learn more about the sources of personal information we collect in "What Information Do We Collect?"

How We Use and Share Personal Information: Learn about how we use your personal information in the section, "How Do We Process Your Information?"

We collect and share your personal information through:

Will your information be shared with anyone else? We may disclose your personal information with our service providers pursuant to a written contract between us and each service provider. Learn more about how we disclose personal information in the section, "When and With Whom Do We Share Your Personal Information?" We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be "selling" of your personal information.

We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months.

Your Rights

You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:

Depending upon the state where you live, you may also have the following rights:

How to Exercise Your Rights

To exercise these rights, you can contact us by submitting a data subject access request, by emailing us at support@sista.ai, or by referring to the contact details at the bottom of this document. Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.

Request Verification

Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes. If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request and the agent will need to provide a written and signed permission from you to submit such request on your behalf.

Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at contact@sista.ai. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine The Light" Law

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section "How Can You Contact Us About This Notice?"

14. Do Other Regions Have Specific Privacy Rights?

In Short: You may have additional rights based on the country you reside in.

Australia and New Zealand

We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020 (Privacy Act). This privacy notice satisfies the notice requirements defined in both Privacy Acts, in particular: what personal information we collect from you, from which sources, for which purposes, and other recipients of your personal information.

If you do not wish to provide the personal information necessary to fulfill their applicable purpose, it may affect our ability to provide our services, in particular:

At any time, you have the right to request access to or correction of your personal information. You can make such a request by contacting us by using the contact details provided in the section "How Can You Review, Update, or Delete the Data We Collect from You?"

If you believe we are unlawfully processing your personal information, you have the right to submit a complaint about a breach of the Australian Privacy Principles to the Office of the Australian Information Commissioner and a breach of New Zealand's Privacy Principles to the Office of New Zealand Privacy Commissioner.

Republic of South Africa

At any time, you have the right to request access to or correction of your personal information. You can make such a request by contacting us by using the contact details provided in the section "How Can You Review, Update, or Delete the Data We Collect from You?"

If you are unsatisfied with the manner in which we address any complaint with regard to our processing of personal information, you can contact the office of the regulator, the details of which are:

The Information Regulator (South Africa)
General enquiries: enquiries@inforegulator.org.za
Complaints (complete POPIA/PAIA form 5): PAIAComplaints@inforegulator.org.za & POPIAComplaints@inforegulator.org.za

15. Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this privacy notice. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.

Review Frequency: We review this privacy policy at least annually, or more frequently as required by changes in applicable laws, regulations, or our services. We will notify users of any material changes through our Services or via email.

16. How Can You Review, Update, or Delete the Data We Collect from You?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

To request to review, update, or delete your personal information, please send us an email at support@sista.ai with the subject "Privacy Request" and make sure you send us the email address you used to sign up for our service.

Data Portability: If you request a copy of your personal data, we will provide it in a structured, commonly used, and machine-readable format (e.g., JSON or CSV) within 30 days of your verified request, subject to applicable legal requirements.

17. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at support@sista.ai for privacy-related inquiries, or contact@sista.ai for general inquiries. For security-related issues, contact security@sista.ai.

Data Protection Officer (DPO). For all data protection inquiries, data subject access requests (DSARs), rectification requests, erasure requests, and any other matter relating to your personal data under GDPR, contact our Data Protection Officer at dpo@sista.ai. While Sistava is not currently required by Article 37 GDPR to appoint a formal DPO, we maintain a dedicated privacy contact at this address to ensure data subject requests are routed and handled consistently.

Lead Supervisory Authority. Sistava is incorporated in the Netherlands. Our lead supervisory authority for the purposes of GDPR Article 56 is the Dutch Autoriteit Persoonsgegevens (Dutch Data Protection Authority). If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens or with the supervisory authority of your EU member state of residence. The full list of EU supervisory authorities is maintained by the European Data Protection Board. For UK residents, you may also contact the UK Information Commissioner's Office (ICO). For Swiss residents, you may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC).

18. Client Services & Consultancy

In addition to our SaaS products, Sistava provides consultancy, debugging, and managed services for client companies. When we act as a service provider or consultant for business clients, our role and data handling differ from our standard SaaS services.

Our Role as Data Processor: When providing consultancy, debugging, cloud management, or custom development services to business clients, we typically act as a Data Processor (or sub-processor) on behalf of our client, who remains the Data Controller. For healthcare clients, we offer HIPAA-compliant processing governed by a separate Business Associate Agreement (BAA). In these scenarios:

Types of Client Data We May Process:

Data Retention for Consultancy: Client data retention follows the terms specified in the applicable service agreement. Upon termination of the engagement, we will return or delete client data as instructed, subject to any legal retention requirements.

Sub-Processors: We may engage sub-processors (e.g., cloud providers, specialized tools) to deliver consultancy services. Sub-processors are subject to equivalent data protection obligations and are disclosed to clients upon request or as required by the DPA.

19. AI Service Provider Data Sharing

To power the AI features of our Services, including AI employee execution, autonomous task processing, and intelligent responses, certain data may be shared with and processed by third-party AI service providers. This section describes how we handle data sharing with these providers.

Data Shared with AI Providers:

Our AI Service Providers: Our complete and current list of sub-processors is maintained on our Sub-processors page. The list below is rendered from the same source of truth (routes/legal/_data/subprocessors.ts) so it cannot drift out of sync. Each provider name links to the provider's official privacy policy so you can verify their data-handling practices directly.

Safeguards:

Your Rights Regarding AI Data Processing:

20. Do We Use Cookies and Other Tracking Technologies?

In Short: We may use cookies and similar tracking technologies to collect and store your information.

We use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

We also permit third parties and service providers to use online tracking technologies on our Services for analytics and reporting purposes. These third parties may use their technology to collect information about your use of our Services to help compile usage statistics for our platform.

We use cookies and similar technologies for functionality, analytics, and performance purposes only — not for targeted advertising. We never sell your personal data. You can manage your preferences via the cookie banner displayed when you first visit our Services.

Types of cookies we use:

How to manage cookies: Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or to alert you when cookies are being sent. Please note that if you disable cookies, some features of our Services may not function properly.

For more information about the cookies we use and your choices regarding cookies, please see our Cookie Policy or contact us.