Privacy Policy

SirenDM

Last Updated: April 29, 2026  |  Effective Date: April 29, 2026

WHO THIS POLICY COVERS



This Privacy Policy applies to our Clients — agencies and creators who hold SirenDM accounts.

SirenDM is an infrastructure provider. Clients are the Data Controllers for their End User (Fan) data.

End Users of Client services should refer to the Client's own privacy notice for information about how their data is used in those conversations.

1. Who We Are and Our Role

SirenDM ("we," "us," "our") is a B2B SaaS automation and CRM platform based in the Czech Republic and subject to EU law including GDPR.

Our role differs depending on whose data is involved:

| Data subject | Our role | What this means |
| --- | --- | --- |
| Client (account holder) | Data Controller | We determine how we process your account data. This Policy governs. |
| End User / Fan | Data Processor (on Client's behalf) | We process Fan data only on Client instruction. The Client is responsible for their privacy notice. |

2. Information We Collect — About Clients

2.1  Account Information

  • Full name and organisation name

  • Email address

  • Country of operation

  • Account type (agency or creator)

  • Contact preferences (Telegram, WhatsApp, Instagram)

2.2  Content and Configuration

  • Photos, videos, and media files uploaded for Agent use

  • Text descriptions, metadata, and captions

  • Agent settings, persona configurations, and scripts selected from the Prompt Library

  • Telegram bot credentials (stored encrypted at rest)

2.3  Age Verification and Compliance Records

SirenDM does NOT collect or store: performer identity documents, government-issued ID copies, age verification records, or performer consent documentation.



What we DO record for compliance purposes:

  •  Timestamp of Client's certification that all performers are 18+ (age_18_plus_confirmed_at)

  •  Timestamp of Terms of Service acceptance

  •  Timestamp of Privacy Policy acceptance

  •  Timestamp and record of AI Disclosure Feature status changes (enabled/disabled + acknowledgment text)

  •  Per-campaign outreach certification timestamps and acceptance records

  •  Content legality confirmation timestamp



Clients are solely responsible for maintaining performer age verification records per applicable law.

Audit rights: We reserve the right to request compliance documentation from Clients at any time. Failure to provide documentation within 48 hours may result in account suspension.

2.4  Payment Information

  • Processed by Paddle.com (subscription billing) and Telegram Stars (fan micropayments)

  • We do not store full card details

  • Invoice history and transaction records

  • Telegram Stars balance and withdrawal history

  • TON wallet addresses provided by Clients for payouts

2.5  Usage and Platform Data

  • Agent performance analytics (messages sent, engagement rates, response times)

  • Session data (login timestamps, feature usage)

  • Device information (browser, OS, IP address) for security purposes

  • Prompt Library selection logs (which templates were selected and when)

  • Compliance feature activation/deactivation logs (AI Disclosure Feature, Age Gate Feature)

3. End User (Fan) Data — Processed on Client Instruction

SirenDM processes End User data as a Data Processor acting on Client instruction.

Clients are the Data Controllers for this data. End Users should refer to their Creator's privacy notice. The information below describes what data is technically processed through our infrastructure on Clients' behalf.

3.1  Fan Identifiers

  • Telegram numeric ID and first name (provided by Telegram's API on message receipt)

  • Telegram username (where provided by the user to Telegram)

3.2  Inferred Location Data

  • Country and city inferred from conversation content (not collected from Telegram directly)

  • Timezone (inferred from conversation context)

  • Country tier classification (used for session analytics by Clients)

Note: Location data is inferred from what Fans voluntarily share in conversation. SirenDM does not use GPS or device location tracking.

3.3  Conversation Data

  • Full message text — both Fan messages and AI-generated responses

  • Timestamps of each message

  • Message type (Fan message vs AI response)

  • Media delivery records (type of media sent, stars price if applicable)

  • Telegram message IDs (for delivery confirmation)

3.4  Behavioural and Session Metadata

  • Message count per session

  • Fan sentiment classification (curious / engaged / disappointed)

  • Fan type classification (used by Client for conversation strategy)

  • Session phase and AI conversation stage

  • Links shared counter, media sent counter

  • Last seen timestamp

  • Language detected

3.5  Payment Data (Fan-side)

  • Telegram Stars transactions (payment IDs, amounts, timestamps)

  • Total spend per session

  • Fan conversion status (subscribed to Client's paid platform)

3.6  What We Do NOT Store

  • Media files (photos, videos) — only Telegram's file_id reference pointer is stored; actual media remains on Telegram's servers

  • Fan phone numbers or email addresses

  • Fan government ID or identity documentation

4. Client Outreach Feature — Cold DM Data

Clients may use the Platform's outreach tools to send messages to Telegram users discovered via public groups. This feature processes the following data on Client instruction:

  • Telegram ID, username, first name, last name (from public Telegram profiles)

  • Profile information visible publicly (bio, activity status)

  • Group source (which public group the contact was discovered in)

  • Campaign parameters set by Client

  • Message template selected by Client

  • Send status and timestamp

Legal responsibility: Clients are the Data Controllers for all outreach data and must have a lawful basis under the ePrivacy Directive and applicable national law to contact each recipient.

Clients certify this on a per-campaign basis before any messages are sent.

SirenDM processes this data only on documented Client instruction and certification.

SirenDM is not responsible for the lawfulness of Client outreach campaigns.

5. Legal Basis for Processing (GDPR)

For Client account data we control as Data Controller:

| Legal basis | Article | What we process |
| --- | --- | --- |
| Contract performance | Art. 6(1)(b) | Account management, service delivery, payment processing |
| Legal obligation | Art. 6(1)(c) | Tax compliance (7 years), CSAM detection and reporting, regulatory compliance |
| Consent | Art. 6(1)(a) | Marketing emails (opt-in only), optional analytics |
| Legitimate interest | Art. 6(1)(f) | Platform security, fraud prevention, abuse detection, service improvement |

For End User (Fan) data processed as Data Processor: we rely on the legal basis documented and warranted by the Client as Data Controller. Clients are responsible for establishing and maintaining a valid legal basis for all Fan data processing.

6. AI Processing

Conversation data is processed by the following AI providers to generate responses and embeddings:

| Provider | Purpose | Location | Safeguard |
| --- | --- | --- | --- |
| Qwen (Alibaba Cloud) | AI response generation, sentiment analysis | EU servers | DPA in place, EU data residency |
| OpenAI | Message embeddings, vector search | United States | Standard Contractual Clauses (SCCs) |

Fan message content is transmitted to these providers in real-time for response generation. Data may be retained by AI providers per their own policies. Clients who wish to opt out of AI processing should email support@sirendm.app — note that opting out disables core Agent functionality.

7. Sub-processors and Data Sharing

7.1  Infrastructure Sub-processors

| Provider | Location | DPA Status | Purpose |
| --- | --- | --- | --- |
| Supabase | EU (Germany/Ireland) | DPA in place — ISO 27001 | Database hosting, authentication |
| Cloudflare | Global | DPA — EU-US DPF certified | CDN, CSAM detection, DDoS protection |
| Telegram | Dubai, UAE | ⚠ No standard DPA available | Message delivery, Telegram Stars payments |
| Paddle.com | UK/US | DPA in place — PCI DSS Level 1 | Client subscription billing |
| OpenAI | United States | SCCs in place | Message embeddings and vector search |

Telegram note: By using SirenDM, Clients acknowledge that Telegram is headquartered in Dubai (UAE) and does not offer a standard GDPR-compliant Data Processing Agreement. This is an inherent risk of operating on the Telegram platform. SirenDM uses only Telegram's official documented APIs.

7.2  We Do Not Sell Data

  • No data sales to third parties

  • No advertising networks or data brokers

  • No marketing partnerships involving Client or Fan data

7.3  Law Enforcement Disclosure

  • CSAM is automatically reported to NCMEC via Cloudflare's hash-matching system

  • We fully cooperate with investigations involving child exploitation, terrorism, and serious crime

  • We respond to valid court orders, subpoenas, and lawful government requests

  • We will notify Clients of any request for their data unless legally prohibited from doing so

8. Data Retention

| Data Type | Retention Period | Legal Basis |
| --- | --- | --- |
| Client account information | Until deletion or 180 days inactivity | Contract — Art. 6(1)(b) |
| Compliance records (ToS, PP, certifications, acknowledgments) | Indefinitely — even after account deletion | Legal obligation — Art. 6(1)(c) |
| Fan conversation history (chat logs) | 90 days rolling — automated deletion | Legitimate interest — Art. 6(1)(f) |
| Fan session metadata (anonymised after deletion) | 90 days, then anonymised aggregate only | Legitimate interest — Art. 6(1)(f) |
| Payment and transaction data | 7 years | Legal obligation — tax law |
| CSAM detection logs | Indefinitely | Legal obligation — law enforcement |
| Client media (photos, videos) | Until deleted by Client | Contract — Art. 6(1)(b) |
| Agent configurations | Until deleted by Client | Contract — Art. 6(1)(b) |
| Prompt Library selection logs | Duration of account + 2 years | Legitimate interest — compliance record |
| AI Disclosure Feature logs | Indefinitely — compliance record | Legal obligation — Art. 6(1)(c) |
| Outreach campaign certifications | Indefinitely — compliance record | Legal obligation — Art. 6(1)(c) |
| Backups | 30 days rolling | Legitimate interest — Art. 6(1)(f) |

Automated deletion: Chat logs are automatically deleted after 90 days. Session data is anonymised after 90 days with personal identifiers removed and only aggregate statistics retained. The 90-day deletion job runs daily and is logged for audit purposes.

9. Your GDPR Rights (Client Rights)

As a Client (Data Controller for your account), you have the following rights regarding data SirenDM holds about you:

  • Art. 15 — Access: Request a copy of your data. Format: JSON export. Timeline: 30 days. Free.

  • Art. 16 — Rectification: Correct inaccurate data via account settings or by emailing us.

  • Art. 17 — Erasure: Delete your account via Settings > Delete Account. All personal data deleted within 30 days except legally required records (tax: 7 years; CSAM logs: permanent; compliance certifications: permanent for legal defense).

  • Art. 18 — Restrict processing: Email support@sirendm.app with "Restrict Processing Request".

  • Art. 20 — Portability: Download your data in JSON format within 30 days of request.

  • Art. 21 — Object: Opt out of legitimate interest processing. Cannot opt out of contract-necessary processing.

  • Art. 22 — Automated decisions: Request human review of any automated account-level decisions.

  • Art. 77 — Complaint: Lodge a complaint with the Czech data protection authority — UOOU (www.uoou.cz), or with your local supervisory authority.

For End User (Fan) rights: Fans should direct rights requests to the Creator/Client whose Telegram account they interacted with. Clients are responsible for responding to Fan data subject rights requests. SirenDM will assist Clients in fulfilling such requests as required by the DPA.

10. International Data Transfers

Your data is primarily stored in the EU (Supabase EU servers — Germany and Ireland). Some processing occurs in the United States (OpenAI) and globally (Cloudflare CDN).

Transfer safeguards for non-EU processing:

  • Standard Contractual Clauses (SCCs) approved by the European Commission — OpenAI

  • EU-US Data Privacy Framework certification — Cloudflare

  • Encryption in transit (TLS 1.3) and at rest (AES-256) for all transfers

  • Contractual data protection obligations on all sub-processors

EU-only storage: If you require EU-only data storage, email support@sirendm.app with "EU Storage Request". Note: this may limit AI functionality as OpenAI processes data in the US.

11. Security

  • Encryption at rest: AES-256 for all stored data

  • Encryption in transit: TLS 1.3 for all data transfers

  • Access controls: Role-based access, principle of least privilege

  • Authentication: Multi-factor authentication available

  • Monitoring: 24/7 security monitoring and logging

  • Backups: Encrypted, geographically distributed, 30-day rolling cycle

  • Incident response: Documented breach response procedures

Data breach notification: In the event of a breach affecting Client personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33-34.

12. Platform Age Policy

SirenDM is an 18+ business-to-business platform. Clients must be 18 or older and must operate a lawful adult content business.

Regarding End Users (Fans): SirenDM provides automation tools to adult content creators. SirenDM does not independently verify the age of End Users who communicate with Client accounts via Telegram. End User age compliance is the Client's sole responsibility. Clients certify at account activation that they will not use the Platform to engage with individuals they know or suspect to be minors.

All media distributed through the Platform is subject to SirenDM's CSAM screening and human review process before distribution. Clients who upload content warrant that all performers are 18+ with documentation maintained per applicable law.

Optional Age Gate Feature: Clients may enable a pre-media confirmation prompt requesting End User 18+ confirmation. This is an optional compliance tool — its availability does not transfer age verification obligations from Client to SirenDM.

If we discover that a minor has been engaged via the Platform, we will immediately terminate the relevant account, delete associated data, and report to child protection authorities as required.

13. Cookies and Tracking

Essential cookies (required): session cookies, authentication tokens, security (CSRF protection).

Analytics cookies (optional): usage statistics, performance monitoring, feature usage tracking.

No third-party tracking: no Google Analytics, no Facebook Pixel, no advertising trackers, no cross-site tracking.

Your choices: accept or reject non-essential cookies in our cookie banner, or manage via browser settings.

14. California Residents (CCPA/CPRA)

California residents have rights mirroring GDPR including: right to know, right to delete, right to correct, right to limit use of sensitive data. We do not sell personal information. Exercise rights by emailing support@sirendm.app with "California Privacy Rights" in the subject line. Timeline: 45 days (extendable to 90).

15. Policy Changes

Major changes: 30 days email notice before effective date. Minor changes: posted on this page with updated date, effective immediately.

Version history: Current: April 29, 2026. Previous: November 10, 2025.

16. Contact

Privacy questions: support@sirendm.app — response within 7 business days

GDPR / CCPA data requests: support@sirendm.app — subject line "[GDPR] [Request Type]" — response within 30 days

Security issues: support@sirendm.app — response within 24 hours for critical issues

Data Protection Authority (Czech Republic): UOOU — www.uoou.cz — posta@uoou.cz — Pplk. Sochora 27, 170 00 Prague 7
