PRIVACY POLICY

Last updated: 09/03/2026

Who We Are

This Privacy Policy describes how Siesta AI s.r.o., with its registered office at:

Bruselská 266/14, Vinohrady, 120 00 Prague 2, Czech Republic

Company ID (IČO): 23855312

("Siesta AI", "we", "us", or "our")

processes personal data in connection with:

  • our website available at https://siesta.ai

  • our Software-as-a-Service platform ("Platform")

  • and related services.

Siesta AI s.r.o. is a company incorporated under the laws of the Czech Republic.

Contact Information

If you have any questions about this Privacy Policy or the processing of your personal data, you may contact us at:

Email: info@siesta.ai

Postal address:

Siesta AI s.r.o.

Bruselská 266/14

120 00 Prague 2

Czech Republic

GDPR Contact

For matters specifically related to data protection and the exercise of your rights under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), you may contact:

Jan Mudroch

Email: info@siesta.ai

Siesta AI has not appointed a Data Protection Officer (DPO), as it is not required under applicable law. However, we have designated a responsible person for data protection compliance.

Scope of This Policy

To ensure transparency and simplicity, Siesta AI maintains this single Privacy Policy covering all interactions with our services. We distinguish between data collected via our public website (where we act as a Data Controller), administrative data required for platform access and billing (where we act as a Data Controller), and the actual content processed within our AI platform (where we act solely as a Data Processor). This structure ensures that both casual website visitors and enterprise platform users understand exactly how their data is handled and who is responsible for its protection.

This Policy is therefore structured into three main categories:

Website Data

This includes personal data collected when:

  • you visit our website,

  • you use contact forms,

  • you subscribe to communications,

  • you interact with cookies or analytics tools.

In this context, Siesta AI acts as a Data Controller.

Platform Account Data

This includes personal data processed when:

  • an organization creates an account,

  • users are registered within a workspace,

  • billing and subscription management occurs,

  • system logs and technical metadata are generated.

In this context, Siesta AI acts as a Data Controller for account and administrative data.

Customer Content

This includes personal data contained in:

  • documents uploaded to the Platform,

  • chat prompts and AI interactions,

  • meeting recordings and transcripts,

  • indexed knowledge bases,

  • vector embeddings derived from such content.

In this context:

  • the Customer (organization) acts as the Data Controller,

  • Siesta AI acts solely as a Data Processor, processing such data exclusively on documented instructions from the Customer and in accordance with the applicable Data Processing Addendum (DPA).

We do not use Customer Content for model training or our own independent purposes.

When We Act as Data Processor

In connection with the use of the Platform by organizational customers, Siesta AI processes certain personal data solely on behalf of and under the instructions of the Customer.

In this context:

  • the Customer acts as the Data Controller, and

  • Siesta AI acts solely as a Data Processor within the meaning of Article 4(8) GDPR.

Our processing of such data is governed by the applicable Data Processing Addendum (DPA) concluded between Siesta AI and the Customer.

Categories of Data Processed as Data Processor

When providing the Platform, we may process personal data contained within:

Customer Content

This includes any data uploaded, transmitted, or otherwise made available to the Platform by or on behalf of the Customer, including:

  • documents (PDF, DOCX, XLSX, TXT, CSV),

  • knowledge base content,

  • wiki pages,

  • tickets,

  • database records,

  • internal business documentation.

Such content may contain personal data relating to employees, customers, contractors, or other individuals.

Prompts and AI Interactions

We process:

  • chat inputs submitted by users,

  • instructions to AI assistants,

  • contextual queries,

  • conversation history.

These prompts may include personal data entered by users.

Uploaded Files and Connected Data Sources

Where the Platform integrates with external systems (e.g., collaboration tools, document repositories, databases), we may process:

  • synchronized files,

  • meeting transcripts and recordings,

  • CRM data,

  • internal communications.

Processing occurs strictly for the purpose of enabling search, retrieval, and AI-assisted workflows.

Embeddings and Vectorized Data

As part of retrieval-augmented generation (RAG) and semantic search functionality, textual data may be transformed into:

  • vector embeddings,

  • indexed representations stored in a vector database.

Although embeddings are not directly human-readable, they represent derived forms of the original data and are therefore treated as personal data where applicable.

Nature and Purpose of Processing

We process Customer Content solely for the purpose of:

  • providing the Platform and its functionalities,

  • enabling AI-assisted responses,

  • indexing and retrieving relevant content,

  • maintaining platform security and stability.

We do not:

  • determine the purposes of processing Customer Content,

  • use Customer Content for independent commercial purposes,

  • sell or license Customer Content,

  • use Customer Content to train foundational AI models.

Legal Basis for Processing (Processor Context)

When acting as a Data Processor, Siesta AI does not independently determine the legal basis for processing.

The applicable legal basis for the processing of personal data contained in Customer Content is determined by the Customer as Data Controller.

Depending on the Customer's specific use case, the legal basis may include:

  • Article 6(1)(b) GDPR - Performance of a contract

  • Article 6(1)(c) GDPR - Legal obligation

  • Article 6(1)(f) GDPR - Legitimate interest

  • Article 6(1)(a) GDPR - Consent

The Customer is solely responsible for:

  • identifying and documenting the appropriate legal basis,

  • ensuring transparency towards data subjects,

  • complying with all applicable data protection laws.

Processing on Documented Instructions

Siesta AI processes Customer Content exclusively:

  • in accordance with documented instructions from the Customer,

  • as set out in the applicable service agreement,

  • in accordance with the Data Processing Addendum (DPA).

We implement appropriate technical and organizational measures to ensure that processing meets the requirements of the GDPR.

Subprocessors

In order to provide the Platform, we may engage Subprocessors, including:

  • cloud infrastructure providers,

  • AI model providers,

  • storage and database services,

  • security monitoring providers.

We engage Subprocessors strictly under written agreements that require:

  • GDPR-compliant processing,

  • confidentiality obligations,

  • implementation of appropriate technical and organizational measures,

  • compliance with international transfer requirements.

All Subprocessors are bound by contractual obligations that provide data protection guarantees equivalent to those set out in our DPA.

A current list of Subprocessors is available at: https://siesta.ai/trust/subprocessors

International Data Transfers

Where Subprocessors are located outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs),

  • or other legally recognized transfer mechanisms.

Where Customers configure integrations with third-party AI providers independently, the Customer remains responsible for assessing the legality of such transfers as Data Controller.

When We Act as Data Controller

In the following cases, Siesta AI determines the purposes and means of processing personal data and therefore acts as a Data Controller under the GDPR.

Website Data

When you visit our website (https://siesta.ai), we may process certain personal data.

Categories of Data and Legal Basis

Server Logs and IP Addresses

When you access our website, our servers automatically process:

  • IP address

  • date and time of request

  • browser type and version

  • operating system

  • referrer URL

  • requested pages

Purpose:

  • ensuring website security

  • preventing abuse and fraud

  • maintaining system stability

  • diagnosing technical issues

Legal basis:

Article 6(1)(f) GDPR - Legitimate Interest (ensuring security, stability, and integrity of our website)

Log data is retained for a limited period necessary for security and operational purposes.

Contact Forms and Direct Communication

When you submit a contact form or contact us via email, we process:

  • first name

  • last name

  • email address

  • company name (if provided)

  • content of your message

Purpose:

  • responding to inquiries

  • pre-contractual communication

  • business communication

Legal basis:

  • Article 6(1)(b) GDPR - Performance of contract or steps prior to entering into a contract

  • Article 6(1)(f) GDPR - Legitimate Interest (responding to business inquiries)

We retain this data for the period necessary to handle your inquiry and for up to three (3) years thereafter unless a contractual relationship is established.

Cookies

Our website uses cookies and similar tracking technologies.

Cookies may be classified as:

  • strictly necessary (essential) cookies,

  • analytical cookies,

  • preference cookies.

Strictly necessary cookies are required for the functioning and security of the website and are processed based on legitimate interest.

Analytical cookies are used only where the required consent has been provided via our cookie banner. You may withdraw your consent to non-essential cookies at any time through the cookie settings interface.

Legal basis:

  • Essential cookies - Article 6(1)(f) GDPR - Legitimate Interest

  • Analytical cookies - Article 6(1)(a) GDPR - Consent

Detailed information regarding:

  • the types of cookies used and their purpose,

  • retention periods,

  • and how to manage consent

is available in our separate Cookie Policy, accessible at: https://siesta.ai/trust

Analytics Tools

Where analytical tools are used (e.g., website performance monitoring tools), we process:

  • pseudonymized identifiers

  • usage data

  • interaction data

Purpose:

  • improving website functionality

  • optimizing performance

  • understanding aggregate usage trends

Legal basis:

Article 6(1)(a) GDPR - Consent (where required under applicable law)

Analytics data is processed in pseudonymized form and is not used to identify individual visitors.

Platform Account Data

When an organization registers for the Platform, we process certain personal data related to account administration and service delivery.

In this context, Siesta AI acts as a Data Controller for account and administrative data.

Categories of Data and Legal Basis

Account Registration Data

We process:

  • name

  • email address

  • organizational affiliation

  • role within the organization (e.g., Admin, User)

Purpose:

  • creating and managing user accounts

  • authenticating users

  • providing access to the Platform

  • administering subscriptions

Legal basis:

Article 6(1)(b) GDPR - Performance of a contract

Billing and Subscription Data

We process:

  • billing contact details

  • company identification data

  • invoicing information

  • payment status

Purpose:

  • invoicing and payment processing

  • compliance with accounting and tax obligations

Legal basis:

  • Article 6(1)(b) GDPR - Performance of a contract

  • Article 6(1)(c) GDPR - Legal obligation (accounting and tax laws)

Billing data is retained for the period required under applicable accounting regulations (typically ten (10) years).

Security and Audit Logs

We process technical and security-related data, including:

  • IP address used to access the Platform

  • login timestamps

  • activity logs

  • audit trails

Purpose:

  • ensuring platform security

  • detecting unauthorized access

  • complying with security and compliance requirements

Legal basis:

Article 6(1)(f) GDPR - Legitimate Interest (protecting the integrity and security of our Services)

Security logs are retained for a limited period (typically 6-12 months), unless a longer period is required for legal or security reasons.

Telemetry and Service Usage Metadata

We may process limited technical metadata related to platform usage, such as:

  • system performance metrics

  • error logs

  • token usage statistics

  • feature usage frequency

This data does not include Customer Content.

Purpose:

  • improving platform performance

  • ensuring service reliability

  • product development

  • capacity planning

Legal basis:

Article 6(1)(f) GDPR - Legitimate Interest (improving and maintaining the Services)

Telemetry data is processed in aggregated or pseudonymized form where possible.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements.

Retention periods vary depending on the type of data and our role (Controller or Processor).

Retention When We Act as Data Controller

Website Data

Server logs (including IP addresses)
Retained for security and operational purposes for a limited period, typically not exceeding 6 months, unless a longer period is required for security investigations.

Contact form submissions and business communications
Retained for the duration necessary to handle the inquiry and for up to 3 years thereafter, unless a contractual relationship is established.

Analytics data
Retained in pseudonymized or aggregated form for the period necessary to analyze and improve website performance, typically not exceeding 24 months, subject to tool configuration and consent settings.

Platform Account Data

Account registration data (name, email, role, organization affiliation)
Retained for the duration of the contractual relationship and for up to 3 years after termination, unless longer retention is required for legal or dispute resolution purposes.

Billing and invoicing data
Retained for 10 years in accordance with applicable accounting and tax regulations.

Security and audit logs
Retained for 6 to 12 months, unless extended retention is required for security investigations, legal proceedings, or compliance purposes.

Telemetry and service usage metadata
Retained for operational and product improvement purposes, typically not exceeding 12 months, and processed in aggregated or pseudonymized form where possible.

Retention When We Act as Data Processor

When processing Customer Content on behalf of the Customer, retention is governed primarily by the Customer's instructions and the applicable Data Processing Addendum (DPA).

Customer Content

Customer Content (including documents, prompts, transcripts, connected data, and embeddings) is:

  • retained for the duration of the Customer's active subscription, and

  • deleted following termination of the Agreement.

Unless otherwise agreed in writing, Customer Content is permanently deleted within 30 days after termination of the contractual relationship.

Backups

Customer Content may remain in encrypted system backups for a limited period following deletion.

Backups are retained for up to 30 additional days, after which they are automatically overwritten or permanently deleted.

Backup data is not actively processed and is accessible only for disaster recovery purposes.

Embeddings and Derived Data

Vector embeddings and indexed representations derived from Customer Content are deleted in alignment with the deletion of the underlying Customer Content. Deletion includes removal from active databases and associated indexes.

Legal Retention Obligations

We may retain certain data beyond the above periods where required:

  • to comply with legal obligations,

  • to establish, exercise, or defend legal claims,

  • to meet regulatory or compliance requirements.

Where retention is required by law, processing will be restricted to those purposes.

International Data Transfers

Siesta AI processes personal data primarily within the European Economic Area (EEA).

We are committed to ensuring that any transfer of personal data outside the EEA is carried out in compliance with Chapter V of the GDPR.

Primary Hosting Location - Azure EU

By default, the Platform is hosted on Microsoft Azure infrastructure located within the European Union.

This means that:

  • Customer Content is stored in EU-based data centers,

  • databases and storage services are located within the EU,

  • encryption is applied both in transit (TLS 1.2+) and at rest (AES-256).

For SaaS deployments, the EU region is the standard configuration.

For Private or Customer-hosted deployments, data may remain entirely within infrastructure controlled by the Customer.

Transfers Outside the EEA

In limited circumstances, personal data may be transferred outside the EEA, including where:

  • Subprocessors operate from non-EEA jurisdictions,

  • AI model providers are located outside the EU,

  • Customers configure integrations with third-party services outside the EU.

Where such transfers occur, Siesta AI ensures that appropriate safeguards are implemented in accordance with Article 46 GDPR.

These safeguards may include:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission,

  • reliance on an adequacy decision issued by the European Commission,

  • supplementary technical and organizational measures where required.

AI Model Providers

The Platform may integrate with third-party AI model providers.

Where such providers process personal data outside the EEA:

  • processing is subject to contractual safeguards, including Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.

Siesta AI ensures that, when acting as Data Processor, transfers are governed by our Data Processing Addendum (DPA) and associated safeguards.

If a Customer independently configures or enables integrations with external AI providers, the Customer remains responsible, as Data Controller, for assessing the legality of such transfers.

Transfer Risk Assessments

Where required under applicable law, Siesta AI conducts transfer impact assessments to evaluate:

  • the legal framework of the destination country,

  • the risk of government access,

  • the adequacy of contractual safeguards.

Where necessary, additional safeguards are implemented to mitigate identified risks.

Data Subject Rights

Individuals whose personal data we process have the following rights under the GDPR, subject to applicable legal limitations.

Requests may be submitted to: info@siesta.ai

We will respond without undue delay and, in any event, within one (1) month of receipt of the request, unless an extension is permitted under applicable law.

Right of Access

You have the right to obtain confirmation as to whether we process your personal data and, where that is the case, to request access to such data, including information about:

  • the purposes of processing,

  • categories of personal data concerned,

  • recipients or categories of recipients,

  • retention periods,

  • your rights under GDPR.

Right to Rectification

You have the right to request correction of inaccurate personal data and completion of incomplete personal data.

Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data where:

  • the data is no longer necessary for the purposes for which it was collected,

  • you withdraw consent (where processing is based on consent),

  • the data has been unlawfully processed,

  • deletion is required to comply with a legal obligation.

This right is subject to legal retention obligations and other lawful exceptions.

Right to Restriction of Processing

You may request restriction of processing where:

  • you contest the accuracy of the data,

  • the processing is unlawful but you oppose deletion,

  • we no longer need the data but you require it for legal claims.

Right to Data Portability

Where processing is based on a contract or consent and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object

Where processing is based on legitimate interest, you have the right to object to such processing on grounds relating to your particular situation.

We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority.

In the Czech Republic, the competent supervisory authority is:

Office for Personal Data Protection (Úřad pro ochranu osobních údajů)

Pplk. Sochora 27

170 00 Prague 7

https://www.uoou.cz

Processor Context Clarification

Where Siesta AI acts solely as a Data Processor (e.g., in relation to Customer Content), data subjects should contact the relevant Customer (the Data Controller) directly.

We will assist Customers in responding to data subject requests in accordance with the applicable Data Processing Addendum (DPA).

Automated Decision-Making

The Platform does not perform automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR. AI-generated outputs are assistive in nature and do not independently produce legally binding decisions.

Processing of Minors' Data

The Platform and website are intended for business use.

Our Services are not directed to individuals under the age of 18.

We do not knowingly collect personal data from minors.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • changes in legal requirements,

  • changes in our services,

  • technological developments.

The updated version will be published on our website with a revised "Last updated" date.

Where required by law, we will provide appropriate notice of material changes.