Privacy Policy
1. Introduction
Sirio Agency ("Sirio", "we", "us") is an AI + Digital agency based in Lviv, Ukraine, serving clients across Ukraine and the EU. We deliver services across nine categories (AI Chatbots, AI Automations, Web Development, AI Voice Agents, Reputation Management, AI Marketing, AI Customer Support, HR Automation, Creative AI). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have under Ukrainian data-protection law and the EU General Data Protection Regulation (GDPR) where applicable to users in the EU/EEA.
For any privacy-related question, contact privacy@sirio.agency.
2. Data Controller
The data controller responsible for processing your personal data is:
Sirio Agency
Lviv, Ukraine
Email: privacy@sirio.agency
3. Website Visitor Data
This section covers data collected from visitors to sirio.agency. We collect the minimum data needed to respond to your inquiry and to keep the site secure.
Contact form data that you submit voluntarily: your name, email address, company (optional), and message content.
Technical data collected automatically for security and service delivery: your IP address (anonymised in our application logs; Cloudflare retains raw logs for 30 days for abuse protection) and browser User-Agent string.
We do not use tracking cookies, advertising pixels, marketing analytics, session recorders, or any third-party behavioural tracking.
4. Client-Services Data & Data Processing Agreement
This section covers data processed in the course of delivering services to clients who have engaged us under a Statement of Work (SoW). Depending on the service, this may include:
- Chatbot / voice-agent conversations — end-user messages, transcripts, audio samples, session metadata, CRM identifiers;
- Automations — data routed through workflows (tickets, leads, documents, spreadsheets, invoices, etc.) depending on the integration;
- HR automation — candidate CVs, application forms, screening outputs (this qualifies as a high-risk AI system under the EU AI Act — see §9);
- Customer support — support tickets, chat logs, knowledge-base articles;
- Marketing — audience segments, email lists provided by the client, campaign content and performance data;
- Creative AI — briefs, reference materials, brand assets, generated outputs;
- Reputation management — public reviews, response drafts, sentiment data.
Mandatory DPA. Where we process personal data on behalf of a client, we act as a processor under GDPR Art. 28; the client acts as the controller. Before processing begins, we sign a Data Processing Agreement (DPA) that defines: subject matter and duration, nature and purpose, categories of data and data subjects, sub-processors used, security measures, and the client's audit and instruction rights. The DPA is a prerequisite — no personal data is processed without it. A template is available on request from privacy@sirio.agency.
Training data. We do not use client data to train our own models, and we configure our third-party AI providers (where the option is available) to opt out of training on client inputs and outputs. Specific opt-out settings are listed in the DPA.
5. How We Use Data
Your data is used only for the following purposes:
- Responding to your contact-form inquiries.
- Follow-up email correspondence where you have initiated a conversation or engaged our services.
- Site security: detecting and preventing spam, abuse, and automated attacks.
We do not use your data for automated marketing, profiling, or ad targeting.
6. Legal Basis for Processing (GDPR Art. 6)
- Consent — Art. 6(1)(a): when you submit the contact form, you consent to our processing the data you provided in order to respond.
- Legitimate interest — Art. 6(1)(f): keeping the site secure, preventing abuse, and maintaining reasonable business records.
7. Data Retention
- Contact-form submissions: kept for up to 12 months after the last interaction, then deleted or anonymised.
- Cloudflare server logs: retained for 30 days (Cloudflare's standard period).
- Business-related correspondence with clients: retained for up to 3 years as required by Ukrainian business-record rules.
8. Sub-Processors
For the website itself we use a single sub-processor. For the services we deliver to clients, the sub-processors in use are determined by the SoW and listed in the project-specific DPA. The categories below reflect the providers we typically use:
Infrastructure & hosting. Cloudflare, Inc. — hosting, CDN, WAF, and email routing for privacy@sirio.agency. See Cloudflare's Privacy Policy.
AI & LLM providers. OpenAI (GPT, DALL·E, Whisper), Anthropic (Claude), Google (Gemini, Vertex AI) — depending on the use case. Each provider has its own terms, DPA, and regional processing options (including zero data retention / no-training configurations where available).
Voice & speech. ElevenLabs (voice synthesis), Deepgram or OpenAI Whisper (speech-to-text), Twilio or similar (telephony) — used for voice-agent deployments.
Creative AI. Suno (music generation), Midjourney (image generation), Runway (video generation), and similar generative tools — used for Creative AI deliverables.
Automation & integration. n8n (self-hosted or cloud), Make, Zapier, Pinecone (vector database), Supabase, and client-side CRMs (HubSpot, Salesforce, Pipedrive, etc.) — depending on the automation scope.
Communication & email. Resend (transactional email for contact-form delivery), Google Workspace (business email).
The specific, up-to-date list of sub-processors that apply to a given client engagement is attached to the DPA signed for that engagement. We notify clients in advance of any material change to that list and give them a reasonable opportunity to object.
We do not use Google Analytics, Google Ads tracking, Meta Pixel, LinkedIn Insight Tag, or any other third-party tracking or advertising service on sirio.agency. No third-party cookies are set on this site.
9. EU AI Act Compliance
Where our services process personal data through AI systems, we act in line with the EU AI Act (Regulation (EU) 2024/1689), which entered into force on 1 August 2024 with staged obligations through 2026–2027.
- No prohibited practices (Art. 5). We do not build or operate systems for social scoring, manipulative behavioural techniques, emotion recognition in workplaces or education, untargeted scraping of facial images, or biometric categorisation based on sensitive attributes.
- High-risk systems (Annex III). Our HR-automation services (CV screening, candidate ranking) qualify as high-risk. For these engagements the client (as deployer) and we (as implementation provider) agree on: a risk-management system, data-governance practices, technical documentation, logging, human oversight, transparency to end-users, and accuracy and robustness testing. These obligations are documented in the SoW and DPA.
- GPAI transparency (Art. 50). End-users interacting with our chatbots, voice agents, or other direct-interaction AI systems are informed they are talking to an AI. For Creative AI deliverables (deepfakes, synthetic media), we apply metadata labelling or visible disclosure where required.
- Data subject rights. Rights under GDPR Art. 15–22 apply fully to data processed by AI systems we operate (see §10).
10. Your Rights (GDPR Art. 15–22)
You have the following rights regarding your personal data:
- Right of access (Art. 15) — ask what data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure / "right to be forgotten" (Art. 17) — have your data deleted.
- Right to restriction of processing (Art. 18) — limit how we use your data.
- Right to data portability (Art. 20) — receive your data in a machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to lodge a complaint with a supervisory authority:
  - Ukraine — Ukrainian Parliament Commissioner for Human Rights
  - Netherlands (for EU/EEA users) — Autoriteit Persoonsgegevens
To exercise any of these rights, email privacy@sirio.agency. We respond within 30 days as required by GDPR.
11. Data Transfers
Some of our service providers (notably Cloudflare) may process data outside the EU/EEA, including the United States. Such transfers are covered by Standard Contractual Clauses (SCCs) as provided in GDPR Art. 46.
See Cloudflare's GDPR commitments for details.
12. Security Measures
We take reasonable technical measures to protect your data:
- HTTPS with TLS 1.3 encryption for all traffic.
- HSTS (Strict-Transport-Security) to prevent protocol downgrade.
- Cloudflare Web Application Firewall (WAF) for abuse and bot protection.
- Access to personal data is limited to authorised personnel on a need-to-know basis.
- Periodic security review of our stack and dependencies.
13. Children's Privacy
Our services are aimed at businesses and are not directed at children under 16 (GDPR Art. 8). We do not knowingly collect personal data from children. If we become aware that we have received data from a child, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of the page reflects the latest revision. Material changes will be communicated via the site or, where you have an ongoing relationship with us, by email.
15. Contact Us
Privacy-related queries: privacy@sirio.agency.
For general inquiries, use our contact page.