PRIVACY POLICY & GDPR

Last Updated: November 10, 2025

Effective Date: November 10, 2025

INTRODUCTION

SirenDM ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

By accessing or using SirenDM, you acknowledge that you have read and agree to be bound by this Privacy Policy.

1. INFORMATION WE COLLECT

Account Information

• Full name

• Email address

• Country

• Account type (agency or creator)

• Contact preferences (Telegram, WhatsApp, Instagram)

Content You Upload

• Photos, videos, media files

• Text descriptions and metadata

• Agent settings and configurations

• Telegram bot credentials (encrypted)

Age Verification & Content Compliance

Creator Responsibility:

SirenDM does NOT collect, store, or maintain:

• Performer identity documents

• Government-issued ID photos or copies

• Age verification records

• Performer consent documentation

What Creators Must Do:

You are legally required to:

• Verify all performer ages via government-issued identification

• Maintain age verification records per applicable law (such as 18 U.S.C. § 2257 in the United States)

• Keep records for the legally required retention period

• Provide records to SirenDM immediately upon request

What We Track:

For GDPR compliance purposes, we record:

• Your certification that you have verified all performer ages (timestamp: age_18_plus_confirmed_at)

• Your acceptance of legal responsibility for age verification

• Your agreement to provide records upon request

• Terms of Service acceptance timestamp

• Privacy Policy acceptance timestamp

• Content legality confirmation timestamp

Our Audit Rights:

We reserve the right to randomly audit creators for age verification compliance. If you cannot provide complete documentation within 48 hours of request, your account will be suspended and may be terminated.

Platform Role:

SirenDM operates as a hosting platform under the e-Commerce Directive (EU) and similar intermediary liability frameworks. We rely on creator certifications and do not independently verify performer ages or content legality.

Payment Information

• Processed by Telegram Stars and Paddle.com (we don't store full card details)

• Invoice history

• Transaction records

• Telegram Stars balance and withdrawal history

• TON wallet addresses (for payouts)

Usage Data

• Chat logs with fans (stored for 90 days)

• Analytics (clicks, views, engagement)

• Session data (duration, frequency, timestamps)

• Device information (browser, OS, IP address)

• Fan interaction patterns (response times, purchase behavior)

AI Processing Data

• Messages sent to and from your AI agents

• Sentiment analysis results

• Conversation context and history

• Fan behavioral insights

2. LEGAL BASIS FOR PROCESSING (GDPR)

We process your data under these legal bases:

GDPR Article 6(1)(b) - Contract Performance

• Account management

• Content delivery

• Payment processing

• Service provision

GDPR Article 6(1)(c) - Legal Obligation

• Age verification compliance (child protection)

• CSAM detection (federal law)

• Tax compliance (7-year retention)

• Law enforcement requests

• Regulatory compliance

GDPR Article 6(1)(a) - Your Consent

• GDPR consent checkbox during signup

• Marketing emails (if opted in)

• Optional analytics

• Non-essential cookies

GDPR Article 6(1)(f) - Legitimate Interest

We process certain data based on legitimate interest, including:

Platform Safety and Integrity:

• Monitoring for illegal content (CSAM, illegal activity)

• Fraud detection and prevention

• Account security and abuse prevention

• Compliance with legal obligations

• Service improvement and optimization

Balancing Test:

• Our interest: Preventing illegal content distribution, protecting users, legal compliance, service quality

• Your rights: Privacy, data protection, confidentiality

• Safeguards: Minimal data collection, limited retention (90 days for chat logs), encryption, access controls, anonymization where possible

Your Right to Object:

You may object to processing based on legitimate interest by emailing support@sirendm.app. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

GDPR Article 9(2)(g) - Special Category Data (Explicit Content)

We process sexually explicit content based on substantial public interest in preventing child exploitation:

• Automatic CSAM detection

• Manual content review when flagged

• Immediate removal and law enforcement reporting

• Platform safety and child protection

You gave explicit consent during signup by accepting our Terms of Service.

3. HOW WE USE YOUR DATA

Service Provision

• Creating and managing your account

• Delivering content to fans

• Processing payments via Telegram Stars

• Providing customer support

• Enabling AI-powered conversations

AI Processing

Your content and fan messages are processed by:

• xAI Grok - AI conversation generation, sentiment analysis, response personalization

• OpenAI - Message embeddings, vector search, content similarity matching

What this means:

• Fan messages are sent to these third-party AI providers (based in the United States)

• Messages are processed in real-time to generate responses

• AI analyzes sentiment, intent, and conversation context

• Data may be retained by AI providers per their own policies

Your choices:

• Continue using the service with AI processing enabled

• Object to AI processing (may limit functionality) - email support@sirendm.app

Child Protection

• Age verification tracking (certification acceptance)

• CSAM detection via automated scanning (Cloudflare)

• Abuse monitoring and reporting

• Content removal and account bans

• Law enforcement reporting when required

Legal & Compliance

• Tax compliance and record-keeping

• Fraud prevention and detection

• Platform security and integrity

• Investigating violations

• Responding to legal requests

Platform Improvement

• Analytics and performance monitoring

• Feature development

• User experience optimization

• Service quality improvement

4. WHO WE SHARE YOUR DATA WITH

Essential Service Providers

Supabase - Database hosting (EU/US)

• Data Processing Agreement: ✓ In place

• GDPR Compliance: ISO 27001 certified

• Purpose: Data storage, authentication, real-time subscriptions

Cloudflare - CDN, CSAM detection, security (Global)

• Data Processing Agreement: ✓ In place

• GDPR Compliance: EU-US Data Privacy Framework certified

• Purpose: Content delivery, CSAM detection via privacy-preserving hashing, DDoS protection

Telegram - Message delivery, payment processing (Dubai, UAE)

• Data Processing Agreement: ⚠️ Not publicly available

• GDPR Compliance: Limited - Telegram is headquartered in Dubai

• Purpose: Bot messaging, Telegram Stars payments, business connections

• Note: By using SirenDM, you acknowledge that Telegram may not meet full GDPR standards and is headquartered outside the EU.

Paddle.com - Payment processing (UK/US)

• Data Processing Agreement: ✓ In place

• GDPR Compliance: PCI DSS Level 1 certified

• Purpose: Subscription billing, invoicing (if applicable)

xAI (Grok) - AI conversation processing (United States)

• Data Processing Agreement: ⚠️ Standard commercial terms

• GDPR Compliance: Standard Contractual Clauses (SCCs)

• Purpose: AI-powered chat responses, sentiment analysis, conversation intelligence

• Data shared: Fan messages, conversation context, agent instructions

• Note: Message data is sent to U.S. servers for real-time processing.

OpenAI - Message embeddings and search (United States)

• Data Processing Agreement: ⚠️ Requires Enterprise plan for full DPA

• GDPR Compliance: Standard Contractual Clauses (SCCs)

• Purpose: Vector search, message similarity matching, content embeddings

• Data shared: Message content for embedding generation

• Note: Message data is sent to U.S. servers for processing.

Data Transfer Safeguards

For processors outside the EU:

• Standard Contractual Clauses (SCCs) where available

• EU-US Data Privacy Framework participation (where applicable)

• Encryption in transit (TLS/SSL) and at rest (AES-256)

• Minimal data sharing (only what's necessary for service operation)

• Contractual data protection obligations

Your Right to Object:

If you object to data processing by U.S.-based AI providers, email support@sirendm.app with "AI Processing Opt-Out". Note: Opting out of AI processing will disable agent functionality as AI is core to the service.

Law Enforcement

We may disclose data if legally required:

• CSAM automatically reported to NCMEC (National Center for Missing & Exploited Children) via Cloudflare

• Full cooperation with investigations involving child exploitation, terrorism, or serious crimes

• Court orders, subpoenas, and lawful government requests

• Emergency situations involving imminent harm

We Do NOT Sell Your Data

• No data sales to third parties

• No marketing partnerships involving your data

• No data brokers

• No advertising networks

5. DATA RETENTION

Automated Deletion

• Chat logs: Automatically deleted after 90 days

• Session data: Anonymized after 90 days (identifiers removed, aggregated statistics retained)

• Account data: Deleted within 30 days of account closure (except legally required records like tax documents)

• Backups: Overwritten on 30-day cycle

Why 90 Days for Chat Logs?

• Industry standard for messaging platforms

• Allows reasonable dispute resolution window (most occur within 60 days)

• Balances operational needs with data minimization principle

• Complies with GDPR storage limitation requirement

6. YOUR GDPR RIGHTS

You have the right to:

Article 15 - Access

Request copy of your data:

• Available formats: JSON export, CSV (for analytics)

• Timeline: 30 days

• Cost: Free

• How: Email support@sirendm.app with "Data Access Request"

• Include: Your account email and verification information

Article 16 - Rectification

Correct inaccurate data:

• Update via account settings (self-service)

• Or email support@sirendm.app with corrections

• Timeline: Immediate via dashboard, 30 days via email

• Cost: Free

Article 17 - Erasure ("Right to be Forgotten")

Request account deletion:

• Method: Settings → Delete Account (self-service)

• Or email: support@sirendm.app with "Account Deletion Request"

• Timeline: All data deleted within 30 days

• Exception: Tax records kept 7 years (legal requirement per tax law)

• Exception: CSAM reports kept indefinitely (legal obligation)

What gets deleted:

• Account information

• Agents and content

• Chat logs and session data

• Analytics data

• Personal identifiers

What is retained:

• Financial records (7 years for tax compliance)

• CSAM detection logs (permanent for law enforcement)

• Anonymized aggregate statistics (no personal identifiers)

Article 18 - Restrict Processing

Limit how we use data:

• Turn off analytics tracking

• Disable certain data processing

• Email: support@sirendm.app with "Restrict Processing Request"

• Timeline: 30 days

• Note: May limit service functionality

Article 20 - Data Portability

Download your data:

• Format: JSON (machine-readable, portable to other services)

• Includes: Account info, agents, content metadata, analytics

• Timeline: 30 days

• Cost: Free

• How: Email support@sirendm.app with "Data Portability Request"

Article 21 - Object

Opt out of certain processing:

• Marketing emails (unsubscribe link in emails)

• Analytics tracking

• AI processing (note: may disable core functionality)

• Cannot object to contract-necessary processing (service delivery, payments)

• Email: support@sirendm.app with "Processing Objection"

Article 22 - Automated Decision-Making

We use AI for:

• Content recommendations

• Conversation responses

• Sentiment analysis

• Pricing suggestions

Your rights:

• Request human review of automated decisions

• Object to automated decision-making

• Email: support@sirendm.app

Article 77 - Lodge Complaint

File complaint with data protection authority:

Czech Republic (our location):

• Authority: ÚOOÚ (Office for Personal Data Protection)

• Website: www.uoou.cz

• Email: posta@uoou.cz

• Address: Pplk. Sochora 27, 170 00 Prague 7, Czech Republic

Your country:

You may also file with your local data protection authority.

7. INTERNATIONAL DATA TRANSFERS

Your data is stored and processed in:

• EU (Primary): Supabase EU servers (Germany, Ireland)

• United States: xAI, OpenAI, Cloudflare processing

• Global: Cloudflare CDN (content delivery)

Transfer Safeguards

• Standard Contractual Clauses (SCCs) approved by European Commission

• EU-US Data Privacy Framework (for certified companies)

• Encryption in transit and at rest

• Contractual data protection obligations

• Regular security audits

Request EU-Only Storage

If you prefer EU-only data storage (where technically feasible), email support@sirendm.app with "EU Storage Request". Note: This may limit AI functionality as xAI and OpenAI are U.S.-based.

8. SECURITY

We implement:

• Encryption at rest: AES-256 for stored data

• Encryption in transit: TLS 1.3 for all data transfers

• Access controls: Role-based access, principle of least privilege

• Authentication: Multi-factor authentication available

• Monitoring: 24/7 security monitoring and logging

• Regular audits: Security assessments and penetration testing

• Backups: Encrypted, geographically distributed

• Incident response: Documented procedures for data breaches

Third-Party Security Certifications

• Supabase: ISO 27001, SOC 2 Type II

• Cloudflare: ISO 27001, SOC 2

• Paddle: PCI DSS Level 1

Data Breach Notification

In the event of a data breach affecting personal data:

• We will notify you within 72 hours (GDPR requirement)

• We will notify relevant data protection authorities

• We will provide details of the breach, affected data, and remediation steps

• Contact: support@sirendm.app

Limitations

No security is 100% guaranteed. While we implement industry-standard protections, we cannot guarantee absolute security against all threats.

9. CHILDREN'S PRIVACY

Our Platform is 18+ ONLY:

• We don't knowingly collect data from minors (under 18)

• Age confirmation required during signup

• If we discover a minor, we immediately:

  • Terminate their account

  • Delete their data

  • Report to child protection authorities if necessary

  • Investigate how the minor bypassed age verification

If you believe a minor is using our platform:

Email: support@sirendm.app with evidence

10. CALIFORNIA RESIDENTS (CCPA/CPRA)

If you're in California, you have rights under CCPA/CPRA:

Your Rights

• Right to know: What personal information we collect and how we use it (same as GDPR access)

• Right to delete: Request deletion of your data (same as GDPR erasure)

• Right to opt-out of sale: We don't sell data, so this doesn't apply

• Right to correct: Update inaccurate information (same as GDPR rectification)

• Right to limit use of sensitive data: Restrict processing of sensitive information

How to Exercise

Email support@sirendm.app with "California Privacy Rights" in the subject line.

Include:

• Your name

• Account email

• Specific request (access, delete, correct, etc.)

• Verification information

Timeline: 45 days (may extend to 90 days with notice)
Cost: Free (first 2 requests per year)

Do Not Sell My Personal Information

We do NOT sell personal information to third parties. We never have and never will.

11. COOKIES & TRACKING

Cookies We Use

Essential Cookies (Required):

• Session cookies (necessary for login)

• Authentication tokens

• Security cookies (CSRF protection)

Analytics Cookies (Optional):

• Usage statistics

• Performance monitoring

• Feature usage tracking

Your Choices:

• Accept/reject in cookie banner

• Manage in browser settings

• Use private/incognito browsing (will disable functionality)

No Third-Party Tracking

• No Google Analytics

• No Facebook Pixel

• No advertising trackers

• No cross-site tracking

Do Not Track (DNT)

We respect Do Not Track browser signals for optional analytics. Essential cookies remain necessary for service operation.

12. POLICY CHANGES

We may update this policy anytime:

Major changes:

• Email notification 30 days in advance

• Continued use after notice = acceptance

Minor changes:

• Posted on this page with updated date

• Effective immediately

Version history:

• Current: November 10, 2025

• Previous: November 3, 2025

13. CONTACT US

For Privacy Questions:

Email: support@sirendm.app
Response: Within 7 business days

For Data Requests (GDPR/CCPA):

Email: support@sirendm.app
Subject: "[GDPR/CCPA] [Request Type]"
Response: Within 30 days

For Security Issues:

Email: support@sirendm.app
Response: Within 24 hours for critical issues

For Abuse Reports:

Email: support@sirendm.app
Response: Within 24-48 hours

By using SirenDM, you acknowledge that you have read, understood, and agree to this Privacy Policy.