Sirma AI Platform — Privacy & Cookie Policy
Privacy and Data Protection Policy for the Sirma AI Platform (sirma.ai) Publishing date: 07.05.2026
SIRMA GROUP HOLDING JSC is a public company registered in the Commercial Register at the Registry Agency with UIC 20010236, with registered office and address: 135 Tsarigradsko Shosse Blvd., Sofia 1784, tel: +359 2 9768310, email: office@sirma.com, website: sirma.com
Scope: This Privacy and Data Protection Policy applies exclusively to the Sirma AI platform (available at https://sirma.ai) (the “Platform”), an enterprise-grade Agentic AI platform for building, deploying, and managing AI agents, developed and operated by SIRMA GROUP HOLDING JSC (referred to as “the Company”, “we”, or “us”). This policy does not cover other websites, products, or services of Sirma Group Holding JSC or its subsidiaries, which are governed by their own respective privacy policies.
With this Privacy and Data Protection Policy, SIRMA GROUP HOLDING JSC respects the privacy of users of the Sirma AI Platform and commits to protecting their personal data against unauthorized processing.
This document describes how we process personal data, which categories of personal data are collected, the purposes for which they are used, which third parties may access them, the security measures applied to their collection and storage, and the choices available to you regarding the personal data you provide. All personal data is collected and processed in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws, including the laws in force in Bulgaria regulating personal data protection.
Terms Used
- “Personal data” means any information by which an individual is identified or can be identified.
- “Data subject” is a natural person who is identified or identifiable on the basis of certain information.
- “Processing” means any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination or other means by which data become available, arranged or combined, restricted, deleted or destroyed.
- “Administrator” (also referred to as “Data Controller”) means a natural or legal person, a public authority, an agency or other entity which, alone or jointly with others, defines the purposes and means of processing personal data. In this case, the data controller is SIRMA GROUP HOLDING JSC, with its registered office at 135 Tsarigradsko Shosse Blvd., Sofia, processing data for the purposes of providing the AI services via the Sirma AI Platform at sirma.ai.
- “Personal data processor” means a natural or legal person, a public authority, an agency or other entity that processes personal data on behalf of the controller. In the context of this policy, personal data is handled by employees of SIRMA GROUP HOLDING JSC acting under its authority, and by third-party service providers (processors) engaged to support the operation of the Platform (see Section “Third-Party Service Providers” below).
SIRMA GROUP HOLDING JSC handles personal data when you use the services provided through the Sirma AI Platform at sirma.ai. Personal data processed by SIRMA GROUP HOLDING JSC is provided directly by you, generated through your use of the Platform, or collected automatically.
The legal bases on which SIRMA GROUP HOLDING JSC handles personal data are:
- Performance of a contract (Article 6(1)(b) GDPR): Processing necessary to provide you with the Platform’s services upon your voluntary registration, including account creation, authentication, AI services, and service delivery.
- Legitimate interest (Article 6(1)(f) GDPR): Processing necessary for the security and integrity of the Platform, including fraud prevention, abuse detection, and service improvement.
- Voluntary consent (Article 6(1)(a) GDPR): Where applicable, for purposes such as receiving marketing communications. Where consent is the legal basis, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Legal obligation (Article 6(1)(c) GDPR): Where processing is required to comply with applicable law.
When you sign in using Google Sign-In, consent for the sharing of your Google account data is obtained through Google’s OAuth consent screen. For other processing activities, the applicable legal basis is indicated alongside the description of the processing purpose.
Personal Data You Provide
Personal data you provide directly is processed and used for the purposes set out in this Policy. To use the Platform, you must create an account using Google Sign-In or password-based registration. The personal data we collect upon your registration is: your name (first name and last name), email address, and (if using Google Sign-In) Google account identifier. This is the minimum information required to create and identify your account on the Platform.
When you provide or generate content on the Platform (for example, by naming AI agents or knowledge bases), please be aware that certain content may be visible to other members of your organization or team within the Platform. We recommend not including sensitive personal data in agent names, descriptions, or other shared content.
The purposes of collecting the specified personal data are described below in this privacy and data protection policy.
Account Creation and Google Sign-In
The Platform offers account creation and sign-in using your Google account through the Google Sign-In service. The Platform also supports password-based authentication. Details about the data received, used, and stored through Google Sign-In are described in the “Sign in with Google” section below.
Sign in with Google
Our application offers you the option to create an account and sign in using your Google account through the Google Sign-In service (“Google Sign-In”). This section describes what data we receive from Google when you use this feature, how we use it, how we store it, and your rights in connection with it.
What Data We Receive from Google
When you choose to sign in with your Google account, Google shares with us only the information you authorize on the OAuth consent screen. For the standard Sign in with Google feature, this includes:
- Your Google account name (first name and last name)
- Your Google account email address
- Your Google account unique identifier (a numeric user ID assigned by Google)
- Your Google account profile picture URL (if publicly available on your account)
We do not receive your Google password, payment information, contacts, calendar data, Gmail messages, Google Drive files, or any other Google product data. We request only the minimum information needed to create and identify your account.
How We Use This Data
We use the data received from Google exclusively for the following purposes:
- To create and uniquely identify your account in our application
- To display your name within the application interface
- To send you account-related communications to your email address
- To authenticate you on subsequent sign-ins without requiring you to re-enter credentials
We do not use your Google account data for advertising, profiling, or any purpose other than account management and authentication as described above.
Legal Basis for Processing Your Google Account Data
The legal basis for processing your Google account data for account creation, identification, communication, and authentication is the performance of a contract to which you are a party, namely the provision of our application services upon your voluntary registration (Article 6(1)(b) of the GDPR). The retention of a pseudonymized technical record (one-way salted hash of your Google user identifier) for the purpose of preventing re-registration abuse is based on the legitimate interest of SIRMA GROUP HOLDING JSC in maintaining the security and integrity of its services (Article 6(1)(f) of the GDPR). You have the right to object to processing based on legitimate interest at any time by contacting us at gdpr@sirma.ai.
How We Store This Data
Your name, email address, and Google user identifier are stored in our application database and are protected by encryption at rest. Your Google profile picture is not stored by us; it is loaded directly from Google’s servers when displayed in the application. This may involve the transfer of data to servers located outside the European Economic Area (EEA). Such transfers are subject to appropriate safeguards, including Google’s compliance with Standard Contractual Clauses (SCCs) approved by the European Commission or other applicable transfer mechanisms under Articles 44–49 of the GDPR.
We do not store Google OAuth access tokens or ID tokens beyond the duration of the authentication session. Once your identity is confirmed and your session is established, raw Google tokens are discarded.
How Long We Retain This Data
The retention periods for your Google account data are the same as for all personal data on the Platform. Please see the standalone “How Long We Retain Your Data” section below for full details, including the 30-day grace period for account deletion and the 90-day anti-abuse record retention.
How We Share This Data
We do not sell, rent, or share your Google account data with third parties, advertising platforms, data brokers, or information resellers. We do not use your Google account data to serve you personalized or interest-based advertising.
Your Google account data may be accessed by our employees or authorized processors solely for the purposes of operating and maintaining the application, investigating security issues, or complying with applicable law. All such persons are bound by confidentiality obligations and must comply with Google API Services User Data Policy.
Categories of recipients who may access your Google account data include:
- (a) Cloud infrastructure and hosting providers that store and process data on our behalf
- (b) Technical service providers engaged in application maintenance and support
- (c) Competent authorities where disclosure is required by applicable law
A current list of sub-processors is available upon request by contacting gdpr@sirma.ai.
Compliance with Google API Services User Data Policy
Our use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Data obtained from Google APIs is used only to provide or improve user-facing features that are clearly visible within our application.
- We do not transfer or sell Google user data to third parties except as necessary to provide our services to you, for security purposes, or as required by law.
- We do not use Google user data to serve advertisements, including retargeted, personalized, or interest-based advertising.
- We do not allow humans to read your Google user data unless you have expressly consented to a specific review, it is necessary for security purposes, or it is required by applicable law.
- Employees, contractors, and service providers who have access to Google user data are bound by the same obligations described in this policy.
Disconnecting Your Google Account
You can disconnect your Google account from our application at any time by accessing your account settings and selecting the option to unlink or remove your Google Sign-In connection. After disconnecting, you may continue to access your account using password-based authentication, if you have set a password. If you have not set a password, you will need to set one or reconnect a Google account to regain access.
You can also revoke our application’s access to your Google account at any time through your Google Account security settings at https://myaccount.google.com/permissions.
Revoking access in your Google Account settings does not automatically delete your account or data in our application. To request full deletion of your account and all associated personal data, please use the account deletion feature available in the application settings. The deletion option is accessible within two clicks from your account settings. Upon initiating deletion, you will see a confirmation dialog explaining what data will be deleted and the 30-day grace period before permanent purge. You may also contact us at gdpr@sirma.ai to request deletion or for any questions regarding your data.
Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) has been conducted for the Google Sign-In feature in accordance with Article 35 of the GDPR. The assessment evaluates the risks associated with the processing of Google account data and confirms that appropriate technical and organizational measures are in place to mitigate identified risks. A summary of the DPIA is available upon request by contacting gdpr@sirma.ai.
AI Services and Conversation Data
The Sirma AI Platform enables you to create, configure, and interact with AI agents. When you use these services, the following additional categories of personal data may be processed:
Conversation history. Your text-based interactions (prompts and responses) with AI agents on the Platform are stored in our application database. Conversation history is retained for as long as your account is active to enable you to review and continue prior interactions. Upon account deletion, all conversation history is permanently purged in accordance with the timelines described in the “How Long We Retain Your Data” section.
Uploaded content. Files, documents, and other content you upload to the Platform for use in knowledge bases or AI agent interactions are stored on our infrastructure. You are responsible for ensuring that any content you upload does not contain third-party personal data unless you have the legal basis to share it with us for processing. Content uploaded to knowledge bases may be transformed into vector embeddings (mathematical representations) for the purpose of enabling AI search and retrieval functionality. These embeddings are stored alongside the original content and are permanently deleted when you delete the knowledge base or upon account deletion.
AI agent configuration data. Information you provide when creating and configuring AI agents, including agent names, descriptions, system prompts, and configuration parameters.
Voice and video interactions. If you use the Platform’s voice or video AI features, audio and video recordings are processed and stored as artifacts associated with your account. The resulting text transcriptions are also stored as part of your conversation history. Voice and video artifacts are retained for as long as your account is active and are permanently deleted upon account deletion.
Data sent to third-party AI providers. To provide AI services, your prompts and relevant context may be transmitted to third-party large language model (LLM) providers (such as OpenAI, Google, or Anthropic) for processing. These providers process data solely to generate responses to your requests. We do not send your account credentials, payment information, or Google account data to LLM providers. For information on how each provider handles data, please refer to their respective privacy policies. We are committed to establishing appropriate contractual safeguards with all third-party AI providers in accordance with applicable data protection law.
Legal basis: The processing of AI conversation data, voice and video recordings, and related content is based on the performance of our contract with you (Article 6(1)(b) GDPR) — specifically, the provision of the Platform’s AI services that you have registered to use or otherwise access.
Payment and Licensing Data
When you purchase a license for the Platform, payment processing is handled by our third-party payment processor, Stripe, Inc. (“Stripe”). We do not collect, store, or have access to your full credit card number or bank account details. Stripe processes your payment information in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).
We receive from Stripe only the information necessary to manage your license, which may include: transaction identifiers, license plan details, payment status, the last four digits of your payment method, and billing country. This data is used solely for license management, invoicing, and fraud prevention.
For information on how Stripe handles your payment data, please refer to Stripe’s Privacy Policy at https://stripe.com/privacy.
Legal basis: Processing of payment-related data is based on the performance of our contract with you (Article 6(1)(b) GDPR) and compliance with applicable tax and accounting obligations (Article 6(1)(c) GDPR).
Third-Party Service Providers (Sub-Processors)
To operate the Platform, we engage third-party service providers who may process personal data on our behalf. We are committed to ensuring that all sub-processors implement appropriate technical and organizational security measures in accordance with applicable data protection law.
| Category | Purpose |
|---|---|
| Cloud infrastructure and hosting providers | Platform hosting, database storage, file storage |
| AI / LLM providers | Processing of user prompts to generate AI responses |
| Payment processing | License billing and payment handling |
| Speech-to-text and text-to-speech providers | Voice AI features |
Data storage locations. Depending on the deployment configuration, your data may be stored in data centers located in the European Union, the United States, the United Kingdom, or other regions. Where the Platform is deployed on client infrastructure, data storage locations are determined by the client’s own infrastructure choices.
International data transfers. Where personal data is transferred to countries outside the European Economic Area (EEA) that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards as required by GDPR Articles 44–49, including Standard Contractual Clauses (SCCs) approved by the European Commission or other applicable transfer mechanisms. Information about the specific safeguards applied to your data is available upon request by contacting gdpr@sirma.ai.
Personal Data Collected Automatically
When you visit the Platform, our web server automatically records the IP address assigned to you by your Internet Service Provider (ISP). On its own, an IP address does not directly identify you by name, but it is treated as personal data under the GDPR and is retained and protected as described in the “How Long We Retain Your Data” section below.
Log files. Like many other platforms, we collect information from server log files: your IP address; your ISP; the browser you use when visiting the Platform (such as Google Chrome, Internet Explorer, or Mozilla Firefox); the time spent on the Platform; and which pages you have visited.
Cookies. A cookie is a small piece of data that the web server sends to your web browser, which the browser returns on subsequent requests so that the server can recognize it. You can delete our cookies or third-party cookies using the options of your browser. Doing so may affect your interaction with the Platform or other sites.
You can find more information about cookies at: http://www.allaboutcookies.org/faqs/cookies.html
We use the following types of cookies:
- Statistics cookies, which recognize your computer or mobile device anonymously on return visits and record how you navigate the Platform. They help us understand how users interact with the Platform in order to improve our services.
- Service cookies, which help us make the Platform work as effectively as possible. They keep you signed in during your login session and remember your preferred settings.
Where third-party analytics cookies are used, third-party organizations do not have access to our cookies, and we do not have access to theirs. Third-party cookies are subject to those organizations’ own privacy policies.
We do not use any advertising cookies, and the Platform does not display advertisements.
Purposes of Processing Your Personal Data
SIRMA GROUP HOLDING JSC processes your personal data only for the purposes described below:
- For creating, authenticating, and managing your account on the Platform
- For providing the Platform’s AI services, including processing your interactions with AI agents, maintaining conversation history, and managing your AI agent configurations and knowledge bases
- For processing and storing voice and video interactions through the Platform’s voice AI features
- For processing payments and managing your license for the Platform
- To measure and analyze usage patterns on the Platform in order to improve our services
- To send you service-related communications (e.g., account notifications, security alerts, service updates)
- To ensure the security, integrity, and proper functioning of the Platform, including fraud and abuse prevention
- To comply with applicable legal obligations
Collection of your IP address and related log data enables:
- Disclosure of users’ identity when required by law or legal procedures
- Analyzing traffic to the Platform and preventing malicious attacks
- Detecting and preventing unauthorized access or abuse of the Platform
Processing of Personal Data of Persons Under the Age of 16
We understand the importance of taking additional precautions to protect children’s safety. In accordance with Article 8 of the GDPR and the Bulgarian Personal Data Protection Act, children under the age of 16 are not allowed to create accounts on the Sirma AI Platform without the explicit consent of their parent or guardian. We will delete each account on the Platform that is created by a child under the age of 16 without the permission of a parent or guardian, as soon as we are informed about it.
If you are under the age of 16, please do not send any information about yourself, including, but not limited to, name, address, telephone number, email address, and more. If we learn that we have collected personal information from a child under the age of 16 without the consent of a parent or guardian, we will delete this information as quickly as possible. If you believe we may have information from or about a child under 16, please contact us at office@sirma.com.
What We Do to Protect Your Personal Information
We take substantial measures to ensure the security of the Platform. The data you send to us is protected in transit by TLS (Transport Layer Security) encryption, the industry-standard protocol for protecting data transmitted over the Internet.
Access to the Platform is secured through Google Sign-In authentication or password-based authentication. Your Google credentials are never transmitted to or stored by us. Session management is handled through secure, encrypted tokens. API keys you provide for accessing the Platform’s services are stored securely using industry-standard encryption.
All data at rest, including your account information, conversation history, voice and video artifacts, and uploaded content, is protected by encryption at rest. Sensitive credentials (such as API keys you may configure for AI agents) are stored in a dedicated secrets management system with additional encryption.
Protecting the privacy and security of your personal information is our highest priority, and we restrict access to it to those employees of SIRMA GROUP HOLDING JSC who need it to perform their role and to provide our services to you. We will keep your information confidential unless disclosure is required by law or for technical purposes.
How Long We Retain Your Data
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy. The specific retention periods are as follows:
| Data Category | Retention Period |
|---|---|
| Account data (name, email, Google user identifier) | Retained while account is active; permanently purged within 30 days of deletion |
| Conversation history (text interactions with AI agents) | Retained while account is active; permanently deleted upon account purge |
| Voice and video artifacts | Retained while account is active; permanently deleted upon account purge |
| Uploaded content (files, documents, knowledge bases, vector embeddings) | Retained while account is active or until deleted; permanently deleted upon account purge |
| AI agent configurations | Retained while account is active; permanently deleted upon account purge |
| Payment and licensing data (license and transaction records) | Retained as required by applicable tax and accounting laws |
| Technical logs (IP addresses, browser data) | Retained for up to 12 months for security and troubleshooting |
| Anti-abuse record (one-way salted hash of Google user identifier) | Retained for 90 days after account purge, then permanently deleted |
If you request deletion of your account (either through the in-app account deletion feature or by contacting us at gdpr@sirma.ai), your account will be marked as pending deletion and you will receive a confirmation email with the effective deletion date. A 30-day grace period begins from the date of your request, during which you may cancel the deletion by logging back in. After the 30-day grace period expires, all personally identifiable information is automatically and permanently purged.
Retention beyond these periods applies only where required by applicable law.
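The policy refers in several places (the “Legal Basis for Processing Your Google Account Data” section and the retention table above) to a pseudonymized anti-abuse record: a one-way salted hash of the Google user identifier kept for 90 days after the account purge. The following is an added illustration of how such a record and the 30-day / 90-day schedule can be implemented; it is not the Platform’s own code. It assumes HMAC-SHA256 with a server-side secret key as the “salt” (a keyed one-way function, so the record can be matched on re-registration without storing the identifier itself), an in-memory dictionary standing in for the database, and an injectable clock so the expiry can be exercised. The Google identifier used in the demo is a constructed sample value, not a real account.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

GRACE_PERIOD = timedelta(days=30)          # account marked pending deletion, then purged
ANTI_ABUSE_RETENTION = timedelta(days=90)  # pseudonymized record kept after the purge


def deletion_schedule(requested_at: datetime) -> tuple[datetime, datetime]:
    """Return (purge_at, anti_abuse_expiry) for a deletion requested at `requested_at`."""
    purge_at = requested_at + GRACE_PERIOD
    return purge_at, purge_at + ANTI_ABUSE_RETENTION


class FixedClock:
    """Injectable clock (assumption for the example) so expiry can be tested offline."""

    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


class AntiAbuseRegistry:
    """Holds HMAC-SHA256(secret, google_sub) -> expiry; never the raw identifier.

    A keyed hash is used instead of a per-record random salt: with random salts
    the re-registration check would have to hash the incoming id against every
    stored salt. The secret must be kept server-side, because Google `sub`
    values are short numeric strings and an unkeyed hash of them could be
    brute-forced back to the identifier.
    """

    def __init__(self, secret: bytes, now=lambda: datetime.now(timezone.utc)):
        if len(secret) < 32:
            raise ValueError("secret must be at least 256 bits")
        self._secret = secret
        self._now = now
        self._records: dict[str, datetime] = {}  # pseudonym -> expiry (stand-in for a DB table)

    def pseudonymize(self, google_sub: str) -> str:
        return hmac.new(self._secret, google_sub.encode(), hashlib.sha256).hexdigest()

    def record_purge(self, google_sub: str) -> None:
        """Called when an account is permanently purged after the grace period."""
        self._records[self.pseudonymize(google_sub)] = self._now() + ANTI_ABUSE_RETENTION

    def purge_expired(self) -> int:
        """Delete records past their 90-day expiry; returns how many were removed."""
        now = self._now()
        expired = [k for k, exp in self._records.items() if exp <= now]
        for k in expired:
            del self._records[k]
        return len(expired)

    def recently_purged(self, google_sub: str) -> bool:
        """Re-registration check: True if this Google identity was purged within 90 days."""
        self.purge_expired()
        return self.pseudonymize(google_sub) in self._records

    def stores_raw_identifier(self, google_sub: str) -> bool:
        """Sanity check that only the pseudonym, never the raw `sub`, is persisted."""
        return google_sub in self._records


if __name__ == "__main__":
    clock = FixedClock(datetime(2026, 5, 7, tzinfo=timezone.utc))
    registry = AntiAbuseRegistry(secret=b"\x01" * 32, now=clock)  # demo key only
    sample_sub = "103456789012345678901"  # constructed sample, not a real Google id
    registry.record_purge(sample_sub)
    print("blocked right after purge:", registry.recently_purged(sample_sub))
    clock.advance(timedelta(days=91))
    print("blocked after 91 days:", registry.recently_purged(sample_sub))
    print("schedule:", deletion_schedule(datetime(2026, 5, 7, tzinfo=timezone.utc)))
```

The secret key should be managed like any other credential (rotating it invalidates the lookup for existing records, so rotation has to be planned around the 90-day window), and `purge_expired` would normally run as a scheduled job rather than on every lookup.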
We store your personal information for as long as necessary to provide the Platform’s services, as detailed above. The information you provide and that we collect will not be sold or made available to any person without your consent, other than to the sub-processors described in this Policy or where required by law.
Information may be disclosed to the competent government bodies and institutions upon request, in the manner and cases determined by applicable legislation. We make every reasonable effort to protect your personal information; nevertheless, no transmission of information over the Internet can be completely secure, and absolute security cannot be guaranteed.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, SIRMA GROUP HOLDING JSC will notify the Bulgarian Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the General Data Protection Regulation (GDPR).
Where a breach is likely to result in a high risk to your rights and freedoms (for example, a breach involving unauthorized access to your Google account email address or user identifier), we will notify you directly without undue delay. The notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it, including steps you can take to protect yourself.
To report a suspected data security issue or to receive more information about a breach that may have affected your data, please contact us at: gdpr@sirma.ai
Your Rights with Respect to Your Personal Data
You have certain rights under the applicable law with regard to the personal data we hold for you, namely:
1. You have the right to request access to and receive the personal data stored about you, as well as information regarding the purposes of the processing, the categories of personal data, the recipients to which your personal data may be disclosed, and other details.
2. You have the right at any time to request correction of inaccurate data relating to you, and to have incomplete data supplemented where appropriate and/or necessary for the purpose for which the data are processed.
3. You may at any time withdraw consent that you previously gave to the use of your personal data. Withdrawing your consent may result in the inability to use certain features or services of the Platform.
4. If you do not wish us to process your personal data, you have the right to be “forgotten”: you may at any time ask for your personal information to be deleted for one of the following reasons:
   - 4.1. Your data is no longer necessary for the purposes for which it was collected or otherwise processed.
   - 4.2. You have withdrawn your consent to the processing of your personal data.
   - 4.3. Your personal data is being processed unlawfully.
   - 4.4. You have objected to the processing of your personal data.
   - 4.5. Other cases provided for in the legislation governing the protection of personal data.
   You can exercise your right to erasure directly through the account deletion feature in the application settings. The in-app deletion process allows you to request deletion of your account and all associated personal data within two clicks. Upon requesting deletion, your account enters a 30-day grace period before permanent purge, during which you may cancel the request by logging back in. You may also exercise this right by submitting a written application to gdpr@sirma.ai as described below.
5. In many cases, you have the right to request restriction of the processing of your personal data instead of its deletion.
6. You have the right to object to SIRMA GROUP HOLDING JSC processing your personal data where the conditions of Article 21 GDPR are met (in particular, for processing based on legitimate interest).
7. You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit this data to another controller (right to data portability), where the processing is based on consent or contract performance and is carried out by automated means (Article 20 GDPR).
All listed rights can be exercised by submitting a written application to the following email address: gdpr@sirma.ai, sent from your registered email address and containing at least the following:
- Username, email, and other identification data of the individual concerned
- A description of the request
- Reference to the Sirma AI Platform (sirma.ai)
- The preferred form for providing information
The submission of the application is completely free of charge. The time limit for processing the application shall be one month from the date of receipt.
In addition to the above rights, SIRMA GROUP HOLDING JSC gives you the right to make some of the following changes in relation to the processing of your personal data yourself: in your profile, you can edit and delete personal data that is not mandatory for using the Platform and that you do not want to be publicly available.
More information about personal data protection can be found on the Commission for Personal Data Protection website: https://www.cpdp.bg/?p=element&aid=1115