Privacy Policy
Effective date: 28 May 2026 · Last updated: 28 May 2026
This Privacy Policy explains how Sirius IDE (the “Provider”, “we”) collects, uses, stores and discloses personal data when you use the Service. It applies worldwide and is designed to be compatible with the EU GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA), Brazil’s LGPD and similar frameworks. It is incorporated by reference into our Public Offer and Terms of Service.
1. Controller & contact
The controller of your personal data is the operator of Sirius IDE. Contact: privacy@sirius-ide.com.
2. What we collect & why
| Category | Examples | Lawful basis | Retention |
|---|---|---|---|
| Account | email, bcrypt-hashed password, verification status | contract (Art. 6(1)(b) GDPR) | until Account deletion + 30 days backup |
| Billing | Plan, invoice id, status, timestamps, payment-processor transaction reference | contract; legal obligation (tax/accounting) | up to 7 years where required by tax law |
| AI usage | token count per request, model id, timestamp, latency — not prompt content | contract; legitimate interest (quota enforcement, COGS) | 24 months, then anonymised |
| Security logs | IP address, user-agent, request id, anomaly flags — for fraud, abuse and DDoS detection | legitimate interest; legal obligation | 90 days, then aggregated |
| Support | messages you send to support@ | contract; legitimate interest | 24 months |
| Optional analytics | page views via privacy-friendly Umami / Plausible | legitimate interest; consent where required | 13 months, aggregated |
3. What we do not collect
- Project source code — unless you explicitly attach it to an AI request, we do not read your files.
- Prompt content at rest — prompts are forwarded to the chosen AI provider; we do not persist prompt bodies. Counts and metadata only.
- Payment card details or wallet seed phrases — handled by the payment processor only.
- Government identifiers — we do not request passports, addresses or phone numbers for ordinary use; KYC may apply only where law requires it.
- Cross-site trackers, click heatmaps, session recordings, third-party advertising cookies.
4. AI prompts & outputs
The Sirius AI Agent transmits your prompt to the selected third-party model provider. We do not store prompts or outputs at rest on our servers beyond the duration of the request, except for short-lived logs needed for abuse detection (max 24 hours) and aggregated counts. Third-party providers (e.g. OpenAI, Anthropic, Google, OpenRouter) process prompts under their own privacy terms; see their policies for details on their retention and training opt-outs.
5. Sub-processors
- OpenRouter / OpenAI / Anthropic / Google — AI inference (United States / European Union).
- BTCPay Server (self-hosted or third-party host) — crypto invoicing.
- Resend — transactional email (EU region, Ireland).
- Cloudflare — CDN, DNS, DDoS protection.
- Hosting provider (Njalla / VPS) — primary infrastructure (European Union).
Where personal data is transferred outside the EEA / UK, we rely on Standard Contractual Clauses (SCCs) and the UK addendum, or on the recipient’s own adequacy basis.
6. Your rights
Depending on your jurisdiction, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion (“right to be forgotten”);
- request restriction of, or object to, processing;
- request data portability (machine-readable export);
- withdraw consent at any time, where processing is based on consent;
- lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, your national DPA in the EU, the CNIL in France).
To exercise any right, write to privacy@sirius-ide.com. We respond within 30 days. We may verify your identity before acting.
7. Security
- Passwords hashed with bcrypt; never stored or logged in plain text.
- Authentication tokens delivered in HttpOnly, Secure, SameSite cookies.
- All traffic encrypted in transit via TLS 1.2+ with automatic certificate renewal.
- Database access restricted to the application service account.
- Backups encrypted at rest; access logged and audited.
- Coordinated vulnerability disclosure: security@sirius-ide.com.
No system is perfectly secure. In the event of a personal-data breach likely to result in high risk to your rights, we will notify you without undue delay and notify the competent supervisory authority within 72 hours where required by law.
8. Children
The Service is not directed to children under 16 and we do not knowingly collect data from them. If you believe a child has provided us with personal data, contact privacy@sirius-ide.com and we will delete it.
9. Cookies
We use only the cookies strictly necessary to operate the Service (session, authentication, theme preference) and, optionally, a privacy-friendly analytics script which can be disabled by your browser’s “Do Not Track” signal. We do not use advertising cookies or third-party trackers.
10. International transfers
Personal data may be processed in countries other than the one where you live. Where this happens, we rely on appropriate safeguards (Standard Contractual Clauses, UK IDTA, recipient adequacy). You may request a copy of the relevant safeguards by emailing privacy@.
11. Changes
We may update this Policy. The current version is always at this URL with the “Last updated” date. Material changes are announced by email to active Account holders at least 14 days before taking effect, except where the change is required by law.
12. Contact
Privacy: privacy@sirius-ide.com · Security: security@sirius-ide.com · Legal: legal@sirius-ide.com.