Company Information
SETOR AI Spółka z ograniczoną odpowiedzialnością
- KRS: 0001202220
- NIP: 7123502599
- REGON: 543088690
- Address: Tomasza Zana 1, 20-601 Lublin, Poland
- Email: [email protected]
- Website: https://setor.ai
- Application: https://app.setor.ai
Introduction and Scope
This Privacy Policy explains how SETOR AI collects, uses, discloses, and protects personal data when you visit our website, use our application, or otherwise interact with our services. The policy reflects our actual data processing practices across product analytics, ad attribution, and cross-device identity linking for marketing purposes.
Affected Categories
This policy applies to:
- Customers – businesses and individuals subscribing to our service
- Authorized Users – persons authorized by customers to access the service
- Website Visitors – individuals visiting setor.ai or related sites
- End Users – individuals interacting with a customer’s Instagram account through our service
Administrator vs. Processor Distinction
When processing data on behalf of customers (such as Instagram direct messages), SETOR AI acts as a data processor under a Data Processing Agreement (Attachment A to Terms). This policy primarily addresses SETOR AI’s activities as a data controller for our own purposes (account management, billing, analytics, marketing, ad attribution, communications).
1. Data Controller Identity
1.1 Controller Details
SETOR AI Spółka z ograniczoną odpowiedzialnością
- Registered: District Court Lublin-Wschód, Commercial Register #0001202220
- VAT ID: PL7123502599
- Address: ul. Tomasza Zana 1, 20-601 Lublin, Poland
1.2 Privacy Contact
All privacy inquiries, requests, and concerns: [email protected]
We aim to respond within five (5) business days and resolve substantive requests within thirty (30) calendar days, subject to applicable legal extensions.
1.3 Privacy Contact Point and Data Protection Officer
SETOR AI has designated a Privacy Contact Point available at [email protected]. If required by applicable law, a formal Data Protection Officer will be appointed, with contact details published here and communicated to the supervisory authority (Polish Data Protection Office – UODO President).
2. Scope and Application
2.1 Territorial Scope
This policy applies to personal data processing by SETOR AI from its seat in the European Union (Poland), regardless of data subjects’ location, and to processing involving individuals in the EU when connected to offering goods/services or monitoring behavior within the EU.
2.2 Related Documents
Read this policy alongside:
- Terms of Service (setor.ai/terms) – governing customer relationships
- Data Processing Agreement (Attachment A to Terms) – governing processor activities
- Cookie Policy (setor.ai/cookies) – detailing cookie and tracking technologies
- List of Sub-processors – available upon customer request
In case of conflict between this policy and the Data Processing Agreement regarding processor activities, the agreement takes precedence.
2.3 Legal Basis – No Implied Consent
Using our website or service does not constitute consent for purposes requiring it (analytics, ad-tech, electronic marketing). Such processing occurs only after separate, prior, granular consent or another valid legal basis stated herein.
3. Categories of Personal Data Collected
3.1 Account Data
- Identification: name, job title, business role
- Contact details: work email, phone number
- Company information: company name, size, website, industry sector
- Authentication: username, password (cryptographic hash), multi-factor authentication data
- Subscription data: selected pricing plan, subscription status, trial information
- Consent records: timestamp and version of accepted Terms and Privacy Policy, IP address and browser identifier at consent time
3.2 Instagram Account Data (via Meta API)
- Business/creator account identifiers and profile information (username, display name, profile picture, follower count, account category)
- Associated Instagram page information
- Permissions and access tokens granted by customer through Meta authorization
- Account connection status and integration functionality data
- Instagram account statistics and engagement metrics (as authorized by customer)
SETOR AI is a Meta Verified Technology Partner. Data processing complies with Meta Platform Terms and Instagram Platform Regulations. Authentication occurs solely through Meta’s OAuth 2.0 process; login credentials are never accessed, stored, or processed.
3.3 Google Account Data (via Google APIs)
When customers authorize Google service connections:
- Google account identifier and email address
- OAuth 2.0 access and refresh tokens from Google authorization
- Data from authorized Google services (calendar availability, spreadsheet data)
- Metadata regarding Google API usage
Google API User Data Policy Compliance: Our use of Google API data complies with the Google API Services User Data Policy, including Limited Use requirements. We do not use Google user data for advertising, AI model training, or machine learning. Access is limited to explicitly enabled functionality.
Authentication occurs exclusively through Google’s OAuth 2.0 process; Google account passwords are never accessed, stored, or processed.
3.4 Message Content (Instagram Direct Messages)
Core service functionality involves processing Instagram DMs to enable automated conversation management:
- Incoming and outgoing message content
- Conversation thread metadata (timestamps, message IDs, participant IDs)
- Attachment types and media metadata
- Labels, tags, and customer-assigned notes
- Automated response content generated by our service
- Conversation classification and assessment data (lead qualification scores, sentiment indicators)
Message content may contain personal data about customer contacts (End Users). For such third-party data, the customer is the data controller; SETOR AI processes solely as a processor under the Data Processing Agreement.
3.5 Service Usage Data and Analytics
- Feature usage data (accessed functions, frequency, interaction patterns)
- Session information (login timestamps, session duration, session IDs)
- Performance data (load times, error events, API response metrics)
- Configuration data (settings, automation rules, saved templates)
- Onboarding progress and setup wizard completion data
- Usage metrics (processed messages, engaged contacts, API calls, automation actions) for usage-based billing and tier management
3.6 Payment Data
Payment processing is handled by Stripe, Inc. We do not store full credit/debit card numbers, CVV codes, or bank account details. We collect and retain:
- Billing name and address
- Last four digits of payment card
- Transaction identifiers and references
- Subscription billing history, invoice records, and payment status
- Tax identification numbers (where applicable)
All payment card data is collected, stored, and processed exclusively by Stripe in compliance with PCI-DSS Level 1 standards.
3.7 Technical Data, IP Address, and Server-Side Geolocation
We automatically collect technical data during website visits or application use:
- IP address – collected in full and used for security, abuse prevention, traffic routing, and load balancing; IP address constitutes personal data per CJEU ruling C-582/14 Breyer
- Server-side geolocation derived from IP – approximate country, city, region code, and geographic coordinates at locality level; we do not use precise device geolocation (GPS) without separate consent
- Browser type, version, and identifier (user agent)
- Operating system and device type
- Referring page URL and exit page
- Network and connection information
- Timezone and language settings
We explicitly disclose that we collect and use full IP addresses and derived server-side geolocation (country, city, region, approximate coordinates). Legal basis is our legitimate interest (GDPR Article 6(1)(f), in light of Recitals 47 and 49) for security, fraud prevention, and proper traffic management. You have the right to object based on your particular circumstances (GDPR Article 21(1)).
3.8 Cookie and Tracking Data
We use cookies and similar tracking technologies on our website and application. This includes own cookies for session management and authentication (not requiring consent), plus analytics and marketing cookies loaded only after your prior consent. Full details appear in our Cookie Policy at setor.ai/cookies.
3.9 Marketing Attribution, Advertising, and Conversion Analytics Data
When visiting via marketing campaigns or participating in our qualification quiz, we may collect and process:
- UTM parameters (source, medium, campaign, content, term)
- Click identifiers (e.g., Meta click ID –
fbclid) - Referring page information and target URL
- Quiz result identifier and conversion events (quiz start, qualified result, registration, subscription start)
- Analytics events and, with consent, session recording and advertising pixels
- Hashed identifiers (email hash, IP hash) for conversion matching in ad tools
- IP hash (ip_hash) – pseudonym calculated via hash function from IP address plus quiz result identifier, used solely to link events from the same lead across devices in our analytics. Raw IP is not stored in analytics; ip_hash never serves as an identity key and does not link different persons sharing an IP (e.g., behind NAT)
UTM parameters and basic referrer data are stored in first-party cookies with limited validity for internal marketing attribution. Other advertising purposes (pixels, Conversions API, session recording, identity stitching for remarketing) are performed exclusively with your consent per Sections 4 and 15.
3.10 Communication Data
- Your contact information (name, email address)
- Communication content and any attachments
- Communication metadata (date, time, subject)
4. Purposes, Legal Bases, and Retention Periods
We process personal data only under valid GDPR Article 6 legal bases. The following table provides comprehensive processing details per GDPR Articles 13(1)(c)–(d) and 14(1)(c)–(d):
| # | Processing Activity | Data Categories | Legal Basis (GDPR Art. 6(1)) | Retention Period |
|---|---|---|---|---|
| 1 | Account creation and management | Identification, contact, company, authentication, subscription, consent metadata | (b) Contract – necessary for contract performance and account management | Duration of contract + 30 days; consent records separately per Section 10 |
| 2 | Service provision – DM automation | Instagram messages, conversation metadata, automated responses, classification data | (b) Contract – core functionality subscribed by customer | Duration of contract + 180 days |
| 3 | AI model processing (response generation) | DM content (input), generated responses (output) | (b) Contract – integral to service; (f) Legitimate interest – quality improvement (aggregated/anonymized data only) | Transient; aggregated/anonymized metrics up to 36 months |
| 4 | Instagram account integration | IG account identifiers, profile data, access tokens | (b) Contract – necessary for service functionality via Meta API | Duration of contract + 30 days; tokens revoked after disconnection |
| 5 | Google service integration | Google account ID, OAuth tokens, authorized service data | (b) Contract – necessary for customer-enabled functions; (a) Consent for initial OAuth authorization | Duration of connection + 30 days; tokens revoked after disconnection |
| 6 | Payment processing | Billing name/address, last 4 card digits, transaction IDs, invoices | (b) Contract; (c) Legal obligation – Accounting Act, VAT Act | 5 years from fiscal year-end (Accounting Act Article 74) |
| 7 | Product analytics (PostHog) and session recording | Usage data, session info, performance metrics, masked session recordings, identifiers | (a) Consent – browser-side analytics and session recording loaded only post-consent | Per consent; generally up to 36 months, then deletion or anonymization |
| 8 | Ad attribution and optimization (Meta Pixel, Conversions API) | Browse behavior, conversion events, click IDs, hashed identifiers (email hash) | (a) Consent – prior, granular consent only (CJEU C-252/21) | Per Meta retention and your consent |
| 9 | Identity stitching and marketing profiling | UTM, fbclid, quiz result ID, email/email hash, ip_hash (pseudonym linked to quiz result ID – raw IP never stored in analytics), CRM data, cross-device conversion events | (a) Consent for ad-tech/remarketing; (f) Legitimate interest for internal attribution only (no external sharing) | Attribution records and ip_hash up to 36 months, then deletion or anonymization; cookies per Cookie Policy |
| 10 | Email marketing | Email address, name, engagement data (opens, clicks) | (a) Consent (prior opt-in, Polish Electronic Communications Act Article 398); also in B2B relations | Until consent withdrawal + 30 days; consent records 3 years |
| 11 | Customer support | Contact details, communication content, metadata | (b) Contract; (f) Legitimate interest – support quality maintenance | 24 months from issue resolution |
| 12 | Security monitoring, IP, and geolocation | Access logs, IP addresses, server-side geolocation, auth events, error logs | (f) Legitimate interest – system protection, fraud prevention, routing (Recitals 47, 49); (c) Legal obligation where applicable | 12 months |
| 13 | Legal compliance and documentation | Financial/tax documents, consent records, legal correspondence | (c) Legal obligation; (f) Legitimate interest – claim enforcement | Tax documents 5 years; claims per limitation period (typically 3–6 years under Civil Code) |
| 14 | Fraud prevention and abuse detection | Account activity patterns, IP addresses, device fingerprints | (f) Legitimate interest – service integrity and user protection | 24 months |
| 15 | Onboarding and setup wizard tracking | Wizard progress, selected configurations, IG connection status | (b) Contract – to facilitate service configuration | Duration of contract |
| 16 | Billing and usage measurement | Usage metrics, pricing tier, billing adjustments | (b) Contract – to determine applicable fees | Duration of contract + 5 years (Accounting Act) |
Legitimate Interest Balancing Tests: For processing relying on legitimate interest (GDPR Article 6(1)(f)), we have conducted balancing tests weighing our interests against data subjects’ rights and freedoms. These assessments are documented internally and available to the supervisory authority upon request. Contact [email protected] for details on specific balancing tests.
Advertising and ad-tech purposes (pixels, Conversions API, session recording, remarketing, identity stitching for advertising) are based solely on your consent, not legitimate interest, consistent with the CJEU ruling dated July 4, 2023, in case C-252/21 (Meta Platforms v. Bundeskartellamt).
5. AI Data Processing
5.1 SETOR AI as Configurable Tool
SETOR AI provides a configurable AI and machine learning tool. The customer independently configures the AI persona, including how it presents itself, automation rules, response templates, and behavior parameters. AI technologies enable core functionalities:
- Natural language processing – understanding intent, context, and meaning in Instagram messages
- Automated response generation – creating contextually appropriate, personalized replies
- Conversation classification and routing – categorizing by topic, intent, urgency, or sales stage
- Sentiment analysis – analyzing message tone to determine response strategy
- Lead qualification – identifying and scoring potential customers from conversation signals
- Content moderation and safety filtering – verifying content to prevent abuse
5.2 Integral Nature of AI Processing
AI processing constitutes an essential component of the service and is necessary for contract performance. Without AI processing, core service automation cannot be delivered. By subscribing and using the service, customers acknowledge and accept AI technology for these purposes under the Terms.
5.3 Technology Partners and Confidentiality
We partner with specialized AI and machine learning infrastructure providers. Specific vendors, models, and configurations may change over time. The current List of Sub-processors is maintained and available upon customer request at [email protected], updated per the sub-processor change procedure (Section 8.3).
5.4 Data Minimization and No Training on Customer Data
- Message content is transmitted to AI processing infrastructure only to the extent necessary for requested functionality
- No training on customer data: we do not use customer data or End User message content for general model training, fine-tuning, or improvement without separate, explicit consent. Our agreements with AI sub-processors contractually prohibit using processed data for their general model training
- Transient processing: AI input and output data are processed real-time and not retained by AI sub-processors after session completion, except limited abuse-prevention logging (typically 30 days, auto-deleted)
- No cross-customer processing: one customer’s data is never used to improve or influence service for another customer
5.5 Product Improvement on Aggregated and Anonymized Data
To maintain and improve service quality and safety, we may process aggregated or irreversibly anonymized data (e.g., effectiveness statistics, quality response metrics, error rates). The legal basis is our legitimate interest (GDPR Article 6(1)(f)). For such derivative aggregated data, SETOR AI acts as controller; customer content remains customer’s property and is not used beyond stated purposes. We do not treat aggregated data as automatically excluded from GDPR – where re-identification remains possible, we apply full protections.
5.6 Human Oversight
Customers retain genuine control over AI results through: configuring rules, templates, and persona parameters in the control panel; ability to review, edit, override, or delete any response before or after sending; visibility into all automated conversations; ability to pause or disable AI automation anytime. See Section 12 for details.
6. Google Services Data Processing
6.1 Overview
SETOR AI may integrate with Google services when customers authorize connections. This section provides transparency on our data processing through Google APIs per the Google API Services User Data Policy.
6.2 Google Services and Data Access
| Google Service | Data Accessed | Purpose |
|---|---|---|
| Google Calendar | Calendar availability, event metadata | Schedule meetings with prospects from Instagram conversations |
| Google Sheets | Customer-specified spreadsheet data | Data export and reporting |
| Google Account (OAuth) | Email address, account ID | Authentication and account linking |
6.3 Google Data Processing Principles
a) Necessity and Proportionality: we request only minimal OAuth scopes necessary for enabled functions.
b) Purpose Limitation: Google user data is used solely to provide the authorized integration function, never for advertising, profiling, or cross-service data enrichment.
c) No Secondary Use: Google user data is never used for advertising, AI model training, sale or licensing to third parties, credit assessment, or unrelated purposes.
d) Data Retention: Google API tokens are encrypted at rest (AES-256), revoked, and deleted within 30 days of integration disconnection or account closure. Connected service data is not retained beyond active sessions.
e) Employee Access Restrictions: employees access raw Google data only when customer has explicitly consented, for security necessity, legal requirement, or after anonymization for operational metrics.
6.4 Google OAuth Token Security
- Encrypted at rest using AES-256 encryption
- Transmitted only via encrypted TLS 1.3 connections
- Access to token storage restricted via role-based access controls
- Customers may revoke SETOR AI access anytime at myaccount.google.com/permissions
6.5 Google’s Role
Google processes data transmitted via its APIs per its own Google Privacy Policy. SETOR AI does not control or assume responsibility for Google’s processing on its own platforms.
7. Instagram Data Processing Details
7.1 Overview
Instagram integration is core service functionality. This section provides transparency on personal data processing related to Instagram for both customers and End Users.
7.2 Instagram-Specific Data Categories
| Data Category | Source | Controller Role | Purpose |
|---|---|---|---|
| Instagram profile (username, display name, picture, follower count) | Meta API | Customer (Administrator); SETOR AI (Processor) | Account management, control panel display |
| Instagram access tokens | Meta OAuth | SETOR AI (Administrator for token management) | API authentication |
| Incoming DM content from End Users | Meta webhooks | Customer (Administrator); SETOR AI (Processor) | Response generation, conversation management |
| Outgoing DM content (automated + manual) | Service-generated | Customer (Administrator); SETOR AI (Processor) | Service delivery |
| Conversation metadata (timestamps, thread IDs) | Meta API | Customer (Administrator); SETOR AI (Processor) | Conversation threading, analytics |
| End User profile data (IG username, profile picture) | Meta API | Customer (Administrator); SETOR AI (Processor) | Conversation identification |
| Profile picture analysis (AI vision) | Meta API + vision model | Customer (Administrator); SETOR AI (Processor) | Context-aware response personalization (customer-controlled) |
| Lead qualification results | Service-generated | Customer (Administrator); SETOR AI (Processor) | Sales funnel management |
| Engagement metrics | Meta API / service-derived | Customer (Administrator); SETOR AI (Processor) | Performance reporting |
7.3 Information for End Users (DM Participants)
a) Who controls your data: the Instagram account owner to whom you sent a message is the controller regarding your DM content and related data. SETOR AI processes as a processor on their behalf.
b) What happens to your messages: your messages may be processed by AI technology to generate responses, classify conversations, and/or route to a representative. Specific processing depends on account owner’s configuration.
c) Your rights: direct all data subject rights requests to the Instagram account owner (controller). You may also contact SETOR AI at [email protected]; we will forward your request to the relevant customer or assist as processor.
d) AI Transparency: per the EU AI Act (Article 50), the customer, as the entity configuring the persona and deploying the tool to their audience, is responsible for disclosing AI interaction. SETOR AI provides the capability for such disclosure (configurable message). See Section 17 for details.
e) Data Retention: your message data is retained during the customer’s subscription and deleted within 180 days of customer account closure. Customers may delete individual conversations anytime.
7.4 Meta Platform Compliance
- Meta Platform Terms – permissible API use
- Instagram Platform Terms – Instagram API access
- Meta Data Use Checkup – periodic Meta compliance verification
- Meta App Review – validated permissions per Meta review process
SETOR AI is a Meta Verified Technology Partner, confirming compliance with Meta’s technical standards, data processing requirements, and security practices.
7.5 Instagram Account Risks
Customers should be aware that Meta may independently restrict, suspend, or terminate access to Instagram accounts or the Instagram API beyond SETOR AI’s control, including for Terms violations, unusual activity patterns, community guideline enforcement, or platform-level changes. See the Terms for detailed provisions.
8. Data Recipients and Sub-processors
8.1 Recipient Categories
We may share personal data with sub-processors acting on our behalf under GDPR Article 28 agreements (with appropriate technical and organizational measures), independent controllers (Stripe, Meta for their own purposes), professional advisors (lawyers, accountants, auditors with confidentiality obligations), regulatory and law enforcement bodies (as required by law), and transaction parties in merger or acquisition scenarios (with data protection continuity). We define sub-processor categories broadly, allowing vendor substitution within a category without amendment, subject to the change procedure in Section 8.3.
8.2 Sub-processor List
The following table lists current sub-processors and other recipients. For each US-based entity, the transfer mechanism is noted (DPF and/or Standard Contractual Clauses – SCC with Transfer Impact Assessment – TIA). The “Trains on Data” column indicates whether the entity uses transmitted data for training its own models.
| Entity | Purpose | Location | Transfer Mechanism | Trains on Data |
|---|---|---|---|---|
| OpenAI, L.L.C. | AI response generation | USA | DPF + SCC | No (API; opt-in only) |
| Anthropic, PBC | Backup AI model | USA | SCC / DPF | No (contractual) |
| Google LLC (Gemini) | Profile picture analysis (vision) and response generation | USA | DPF + SCC | To be verified contractually |
| OpenRouter, Inc. | AI model API gateway | USA | SCC (weakest link per destination model) | Depends on destination model |
| Groq, Inc. | Call audio transcription | USA | SCC | No (contractual) |
| Changes AI, Inc. / fal.ai | Image generation | USA | SCC | No (contractual) |
| ElevenLabs, Inc. | AI call voice synthesis | USA | SCC | No (contractual) |
| Meta Platforms, Inc. | Instagram/Facebook/WhatsApp API, ad attribution | USA | DPF (co-controller for own purposes) | Per Meta policy |
| Twilio Inc. | SMS and voice calls | USA | DPF + SCC | No |
| Slack Technologies / Salesforce | Team integration | USA | DPF + SCC | No |
| Stripe, Inc. | Payments and subscriptions | USA | DPF + SCC | No |
| Attio | CRM | USA / EU | SCC (outside EEA) | No |
| iClosed | Sales CRM | USA | SCC | No |
| Gleap | Support widget and issue reporting | EU / USA | SCC (outside EEA) | No |
| HighLevel (GoHighLevel) | CRM and calendars | USA | SCC | No |
| Calendly | Meeting booking | USA | DPF + SCC | No |
| Cal.com | Meeting booking | EU / USA | SCC (outside EEA) | No |
| RapidAPI | Public IG profile research | USA | SCC | No |
| Notion | Internal notes | USA | SCC | No |
| Resend | Email delivery (active) | USA | SCC | No |
| Postmark | Email delivery (alternative) | USA | SCC | No |
| SendGrid / Twilio | Email delivery (alternative) | USA | DPF + SCC | No |
| Nodemailer / SMTP | Email delivery (alternative) | EU / USA | SCC (outside EEA) | No |
| PostHog | Product analytics and session recording | EU (Frankfurt – data residency) | N/A (within EEA) | No |
| Sentry | Error monitoring | USA / EU | SCC (outside EEA) | No |
| Cloudflare, Inc. | Hosting / CDN / R2 / Workers | USA / global | DPF + SCC | No |
| Amazon Web Services (S3) | Backups | EU / USA | DPF + SCC | No |
| Hetzner Online GmbH | Self-hosted PostgreSQL (primary database) | Germany, EU | N/A (within EEA) | No |
| Neon | Alternate database | EU / USA | SCC (outside EEA) | No |
| PlanetScale | Alternate database | USA | SCC | No |
| pg-boss | Task queue (within PostgreSQL) | Germany, EU | N/A (within EEA) | No |
| Upstash, Inc. | Cache and rate limiting (Redis) | EU / USA | SCC (outside EEA) | No |
| Vercel, Inc. | Frontend hosting and delivery (edge) | USA / global | DPF + SCC | No |
OpenRouter, Inc. functions as a gateway to multiple AI models from various providers; actual data protection depends on the destination model. We treat this entity as requiring heightened scrutiny (weakest link) and limit data scope accordingly.
8.3 General Sub-processor Authorization and Right to Object
By using the service, customers provide SETOR AI general written consent to use sub-processors, including their change and addition, per GDPR Articles 28(2) and 28(4). The change procedure is:
- SETOR AI notifies customer of intent to add or change a sub-processor with at least fourteen (14) days’ advance notice
- Customer may object only on documented, justified grounds related to data protection regarding that processor
- No objection within 14 days constitutes acceptance
- Upon valid objection, the customer’s only remedy is to terminate the affected service portion, without other claims
8.4 Aggregated Data Sharing – No Personal Data Brokerage
SETOR AI does not conduct personal data brokerage or sell personal data enabling identification of specific individuals. We reserve the right to share, publish, or commercially use anonymized and aggregated statistics and insights that do not enable identification of any individual, such as industry benchmarks and market reports.
9. International Data Transfers
9.1 Transfer Mechanisms
Some sub-processors are based outside the European Economic Area (EEA), including the United States. When transferring personal data outside the EEA, we apply appropriate safeguards, including at least one of:
- Standard Contractual Clauses (SCC): transfer per SCC adopted under Commission Implementing Decision (EU) 2021/914, with supplementing measures
- EU-US Data Privacy Framework (DPF): transfer to DPF-certified US entities administered by the US Department of Commerce
- Adequacy Decision: transfer to countries recognized by the European Commission as providing adequate data protection (GDPR Article 45)
9.2 Transfer Impact Assessments (TIA)
Per EDPB Recommendation 01/2020 (following the CJEU Schrems II ruling, C-311/18), we conduct Transfer Impact Assessments (TIA) for each sub-processor outside the EEA. Assessments consider the destination country’s legal framework (e.g., US FISA Section 702, Executive Order 14086), the entity’s practical experience with authority requests, effectiveness of supplementing measures, and data sensitivity. For gateway-only entities (e.g., OpenRouter), we apply heightened scrutiny and minimize data scope.
9.3 Supplementing Measures
- Technical: encryption in transit (TLS 1.3) and at rest (AES-256); pseudonymization where feasible; data minimization
- Contractual: Data Processing Agreements with SCC plus additional protective clauses; commitments to challenge disproportionate authority requests; notification obligations (where legally permissible)
- Organizational: access controls restricting personnel; regular compliance audits; employee training
9.4 Right to Information
Data subjects may request copies of applicable SCC and supplementing measures. Submit requests to [email protected]. Some commercial terms may be redacted for confidentiality, but data protection obligations are disclosed in full.
9A. Customers and Transfers Outside the European Union (Global Clause)
SETOR AI serves customers worldwide, including those based or operating outside the EU and EEA. This section sets additional rules for such customers and for data transfers in both directions – to and from the European Union.
9A.1 Representation Regarding Local Legal Compliance
Customer represents and warrants that its use of the service and engagement with its audience (recipients, contacts, End Users) complies with applicable law in its jurisdiction and their jurisdictions, including:
- Local electronic marketing and communications law – including in the US the Telephone Consumer Protection Act (TCPA) and Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM Act), and equivalents in other countries (e.g., Canada’s CASL)
- Local consumer protection law – including fair dealing and consumer disclosure requirements
- Local AI disclosure requirements – including obligations to inform persons they are contacting an AI system (e.g., EU AI Act Article 50; US state laws such as California’s Bolstering Online Transparency Act – ‘B.O.T. Act’)
- Local data protection law – including in the US, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and other state and national privacy laws
Customer bears sole responsibility for obtaining all consents and legal bases required by applicable law for customer and its recipients, and indemnifies SETOR AI from, and agrees to remedy and cover reasonable costs (including legal fees) arising from, customer’s breach of the above provisions.
9A.2 Bi-directional Transfers and US Mechanism
Personal data transfers under the service flow in both directions – both to the European Union and from the European Union to third countries. For transfers to the United States, the primary mechanism is the EU-US Data Privacy Framework (DPF) for certified entities, with an automatic fallback mechanism of Standard Contractual Clauses (SCC) adopted by Commission Implementing Decision (EU) 2021/914, including conducted Transfer Impact Assessment (TIA) and supplementing measures per Section 9. Should any entity’s DPF certification expire, be revoked, or become invalid, the transfer remains protected under applicable SCC without service interruption.
9A.3 Governing Law and Local Compliance
Regardless of customer’s location, the law governing this policy and SETOR AI’s relationship is Polish law plus directly applicable EU law (Section 21). SETOR AI ensures service compliance with Polish and EU law; customer ensures compliance with local law applicable to its jurisdiction and recipients’ jurisdictions.
9A.4 Export and Sanctions Clause
Customer represents and warrants that it is not subject to sanctions (not listed on EU, UN, US sanctions lists including OFAC, nor controlled by a sanctioned entity), is not based in or operating from a comprehensively sanctioned jurisdiction, and will not use the service for prohibited purposes, including violation of applicable export and sanctions laws. Breach entitles SETOR AI to immediately suspend or terminate service.
10. Data Retention Periods
We retain personal data only for the time necessary to achieve collection purposes, fulfill legal obligations, resolve disputes, and enforce agreements, per the GDPR storage limitation principle (Article 5(1)(e)). Retention periods are:
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Account data | Duration of contract + 30 days | Contract; then deletion/anonymization |
| Instagram message content | Duration of contract + 180 days | Contract; customer may request earlier deletion |
| Instagram access tokens | Duration of connection; revoked upon disconnection | Contract |
| Google OAuth tokens | Duration of connection + 30 days | Contract; encrypted at rest |
| Google connected service data | Real-time only; not retained | Contract |
| AI input/output data | Transient (not retained post-session) | Contract |
| Payment and financial documents | 5 years from fiscal year-end | Legal obligation (Accounting Act Article 74; VAT Act) |
| Product analytics and session recordings | Up to 36 months, then deletion/anonymization | Consent |
| Ad attribution and analytics data | Up to 36 months | Consent; legitimate interest (internal attribution) |
| IP hash (identity stitching in analytics) | Up to 36 months, then deletion/anonymization | Consent (raw IP not stored in analytics) |
| Marketing consent records | Duration of relationship + 3 years | Legitimate interest (compliance demonstration) |
| Support correspondence | 24 months from issue resolution | Legitimate interest |
| Security logs, IP, geolocation | 12 months | Legitimate interest |
| Cookie data | Per Cookie Policy | Consent / Necessity |
| Consent records (Terms/Privacy Policy acceptance) | Duration of contract + 6 years | Legal obligation (GDPR accountability, limitation periods) |
Deletion Procedures: upon retention period expiry, personal data is securely and permanently deleted or irreversibly anonymized within 30 days via methods appropriate to the storage medium.
Early Deletion Requests: data subjects may request early deletion via the right to erasure (Section 11), subject to stated exceptions.
11. Rights of Data Subjects
If you reside in the EEA or another jurisdiction with data protection law, you have the following rights regarding personal data SETOR AI processes as controller:
11.1 Right of Access (GDPR Article 15)
You may request confirmation whether we process your personal data, and if so, obtain a copy with supplementary information including purposes, data categories, recipients, retention periods, and existence of automated decision-making.
11.2 Right to Rectification (GDPR Article 16)
You may request correction of inaccurate personal data and completion of incomplete data in our possession.
11.3 Right to Erasure – Right to Be Forgotten (GDPR Article 17)
You may request erasure when: (a) data is no longer necessary for collection purposes; (b) you withdraw consent and no other basis exists; (c) you exercise the right to object and no overriding legitimate grounds exist; (d) data was processed unlawfully; or (e) erasure is required by law.
Exceptions: this right is subject to exceptions including when processing is necessary to fulfill legal obligations (e.g., financial documents), establish, exercise, or defend legal claims, or exercise freedom of expression and information.
11.4 Right to Restriction of Processing (GDPR Article 18)
You may request processing restriction when you contest data accuracy, processing is unlawful and you oppose deletion, we no longer need the data but you need it for claim enforcement, or you have lodged an objection pending verification.
11.5 Right to Data Portability (GDPR Article 20)
If processing is based on consent or contract and is automated, you may receive your personal data in a structured, commonly-used, machine-readable format (JSON or CSV) and transmit it to another controller, where technically feasible.
11.6 Right to Object (GDPR Article 21)
At any time, you may object – on grounds relating to your particular circumstances – to processing based on legitimate interest (GDPR Article 6(1)(f)), including processing of IP address and server-side geolocation for security, fraud prevention, and routing (GDPR Article 21(1)). We will cease processing unless we demonstrate overriding legitimate grounds or processing is necessary for claim establishment, exercise, or defense.
Unconditional Right to Object to Direct Marketing (GDPR Article 21(2)): you have an unconditional right to object to processing for direct marketing, including marketing profiling and advertising identity stitching. Upon exercising this right, we immediately and permanently cease processing your data for such purposes.
11.7 Rights Related to Automated Decision-Making (GDPR Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. As explained in Section 12, our service does not involve such decisions because humans – merchants or customers – make material business decisions with genuine discretion, not merely approving system-generated results.
11.8 Right to Withdraw Consent
If processing is consent-based, you may withdraw consent anytime, without affecting processing legality before withdrawal. To withdraw:
- Marketing emails: use the unsubscribe link in any marketing email
- Cookies, analytics, and ads consent: use the “Cookie Settings” link in the website footer
- Google integration: disconnect in the control panel or revoke access in Google Account settings
- Other consents: contact [email protected]
11.9 Exercising Your Rights
To exercise any right, submit a request to [email protected]. We may verify your identity using the least invasive method. We will respond within thirty (30) calendar days, extendable by sixty (60) days for complex or numerous requests. Responses are free; we may charge a reasonable fee for manifestly unfounded or excessive requests. If SETOR AI processes your data as a processor on behalf of a customer, direct requests to the customer (controller).
12. Automated Decision-Making, Profiling, and Identity Stitching
12.1 Nature of Automated Processing
The service uses AI and machine learning to automate aspects of Instagram DM management, including response generation, conversation classification, lead assessment, sentiment analysis, and routing decisions to appropriate representatives or workflows.
12.2 Marketing Profiling and Identity Stitching (Cross-Device)
In our marketing operations, we conduct identity stitching across devices and systems (cross-device and cross-system) and marketing profiling. This involves linking events along the path: quiz participation on website, email address (and its hash), CRM record, conversion events in Meta advertising tools, and billing data in Stripe. The purpose is to measure advertising effectiveness, attribute conversions, and deliver more relevant marketing.
One identifier used is ip_hash – a pseudonym calculated via hash function from the IP address plus quiz result identifier. We use it solely to link events from the same lead across devices in our own analytics. Raw IP is not stored in analytics, and ip_hash never serves as an identity key and does not link different persons sharing an IP (e.g., behind ISP NAT). ip_hash is generated only after a qualified quiz result and only with analytics consent. We retain it up to 36 months, then delete or anonymize.
Hashed identifiers, including email hash and ip_hash, remain personal data per CJEU ruling C-604/22 IAB Europe, and we apply full protection. Identity stitching and marketing profiling for advertising purposes are consent-based (Sections 4, 15). You may exercise the unconditional right to object to direct marketing anytime (GDPR Article 21(2)).
12.3 Assessment Under GDPR Article 22
Neither DM automation nor marketing profiling constitutes a decision based solely on automated processing producing legal or similarly significant effects per GDPR Article 22 because:
- Human in the loop: material business decisions (contact, offer, sale) are made by humans – merchants or customers – with genuine discretion, not by the system alone
- No sole automated legal effect: SETOR AI does not make decisions producing legal or similarly significant effects solely via automation; material decisions involve human judgment, not system rubber-stamping
- Customer oversight: customers configure rules, templates, and parameters, and may review, edit, override, or delete automated outputs
- No binding effects on individuals: the service does not make credit, employment, or essential service access decisions; marketing profiling targets communication, not exclusion
- Human contact available: End Users may always request human contact
12.4 Your Information Rights
Regardless of the above assessment, we provide transparency: upon request, we will explain in understandable terms the logic of our marketing profiling and its significance and predictable consequences. You may challenge any classification or assessment by contacting [email protected].
12.5 Transparency for End Users
Customers deploying the service to their Instagram audience, as controllers, are responsible for appropriate transparency with End Users, including informing them of possible AI interaction (EU AI Act Article 50), providing human contact, and complying with consumer protection laws. SETOR AI provides configuration tools supporting these obligations (Section 17).
13. Data Security
13.1 Technical and Organizational Measures
We implement and maintain appropriate technical and organizational measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Key measures include:
- Encryption in transit: TLS 1.3 for all data between users, our infrastructure, and external partners
- Encryption at rest: AES-256 for sensitive data including access tokens, credentials, personal data
- Access controls: RBAC, principle of least privilege, multi-factor authentication (MFA), quarterly access reviews
- Authentication standards: minimum 16-character passwords, credential rotation for service accounts
- Network security: Cloudflare WAF, DDoS protection, intrusion detection/prevention, network segmentation
- Audit logging: immutable audit logs with 12-month retention
- Vulnerability management: SAST in CI/CD pipeline, automated dependency scanning
- Employee training: regular security awareness training
- Business continuity: RPO 24 hours, RTO 48 hours
- Vendor assessment: security evaluation before engagement and annual review of all sub-processors
- Incident response: documented plan with annual tabletop exercises
- Session recording masking: session recordings mask all text fields and input data to avoid recording personal content
13.2 Full Security Specification
Comprehensive technical and organizational measures are detailed in Attachment 1 to the Data Processing Agreement (Attachment A to the Terms). Customers may request a summary of current security measures at [email protected].
13.3 Liability Limitation
While we apply industry-standard protections and continually strengthen security, no internet transmission or electronic storage method is fully secure. We commit to commercially reasonable measures for personal data protection and prompt response to identified vulnerabilities.
14. Breach Notification
14.1 Supervisory Authority Notification
Upon discovering a personal data breach likely to risk rights or freedoms violations, SETOR AI will notify the UODO President without undue delay and, where possible, within 72 hours of discovering the breach, per GDPR Article 33.
14.2 Data Subject Notification
If a breach presents high risk to rights or freedoms, SETOR AI will notify affected data subjects without undue delay per GDPR Article 34, via email to the registered account address, in-app notification, and/or site-wide message where individual notice would be disproportionate. Notification will include the breach nature, contact details, probable consequences, and remedial measures.
14.3 Processor Breach Notification
If SETOR AI discovers a breach affecting data processed on a customer’s behalf (processor role), we will notify the affected customer without undue delay, within 24 hours of discovery, per the Data Processing Agreement. The customer (controller) retains sole discretion over supervisory authority and data subject notification.
14.4 Breach Documentation
All breaches are documented (circumstances, consequences, remedial actions) and retained for supervisory authority review per GDPR Article 33(5).
15. Cookies and Tracking Technologies
15.1 Overview and Categories
We employ cookies, pixels, local storage, and similar technologies on our website (setor.ai) and application (app.setor.ai) for three categories:
- Strictly Necessary: essential for service operation (session management, authentication, CSRF protection, consent storage) – no consent required
- Analytics and Performance: to understand site and application use (including PostHog, session recording) – requires your prior consent
- Marketing and Advertising: to track campaign effectiveness, conversion attribution, and remarketing (including Meta Pixel, Conversions API) – requires your prior consent
15.2 Requirement for Prior Active Consent
Analytics, marketing, and advertising cookies and session recording are not loaded until you provide prior active consent via the consent banner. Consent is granular (you may accept or reject each category); we do not use pre-ticked boxes (per CJEU C-673/17 Planet49) or “cookie walls.” We disclose cookie duration and third-party access.
The legal basis for accessing information on your device is Directive 2002/58/EC (ePrivacy) Article 5(3) and the Polish Electronic Communications Act Article 399 (prior consent for cookies), and for further personal data processing – Act Article 400 in connection with GDPR. Enforcement belongs to the President of the Electronic Communications Office (UKE) and UODO President.
15.3 Cookie Policy
Complete information on all cookies, purposes, retention, providers, and management instructions is in our Cookie Policy at setor.ai/cookies. Manage preferences anytime by clicking “Cookie Settings” in the website footer.
16. Electronic Marketing
Electronic marketing (email, SMS, other channels) is conducted exclusively on your prior consent (opt-in) basis per the Polish Electronic Communications Act Article 398. We apply this requirement even in B2B relations.
Marketing consent is voluntary and independent of any other service – specifically, you will receive our quiz result regardless of marketing consent. Forced or bundled consent would be invalid, so we do not impose it. You may withdraw consent anytime, effective prospectively, via the unsubscribe link in any message or by emailing [email protected].
17. Transparency Under EU AI Act
17.1 Scope and Timeline
The EU AI Act (Regulation 2024/1689) establishes AI system regulatory frameworks. Article 50 transparency obligations (AI systems directly interacting with individuals) apply from August 2, 2026. We treat the service as an AI system subject to Article 50 transparency requirements, not a high-risk system.
17.2 Roles: Provider (SETOR AI) vs. Deployer (Customer)
SETOR AI’s Role (Provider): SETOR AI fulfills the Article 50(1) design obligation by providing disclosure capability – a configurable message informing the conversation partner they are contacting an AI system. SETOR AI designs the tool to enable such disclosure and documents that the service uses AI for message generation and classification.
Customer’s Role (Deployer): the customer independently configures the AI persona, including how it self-identifies. As the entity configuring the persona and deploying it to their audience, the customer is responsible for actually informing End Users that they are interacting with AI (per Article 50(1) and subject to the exception that disclosure is unnecessary where it is obvious from context, at minimum at first interaction – Article 50(5)). The customer commits not to disable or circumvent the disclosure function and indemnifies SETOR AI for non-compliance. Customer obligations regarding emotion recognition, biometric categorization, and deepfake content (Article 50(3)–(4)) also apply if customer uses such functions.
SETOR AI does not claim exemption from all obligations, nor does the End User waive the right to know they are contacting AI – such provisions would be invalid. SETOR AI provides disclosure capability (fulfilling Article 50(1) by design); customer configures the persona; customer bears operational responsibility for actual disclosure and indemnity as deployer.
17.3 Competent Authority
The market surveillance authority for the EU AI Act in Poland will be the body designated in implementing legislation (expected to be a newly established commission, provisionally termed the Commission for AI Development and Security – KRiBSI); implementing legislation is pending. Implementing legislation will update this provision. Separately, UODO President remains the competent authority for personal data protection matters.
17.4 System Classification and Prohibited Practices
The service is not classified as a high-risk AI system per Annex III because it does not serve employment decisions, credit assessment, access to essential services, law enforcement, or migration management. Customers may not use the service for purposes resulting in such classification. Per AI Act Article 5, the service does not employ subliminal, manipulative, or deceptive techniques, exploit group vulnerabilities, perform social scoring, conduct real-time remote biometric identification, or recognize emotions in work or education contexts.
17.5 Penalties and Regulatory Evolution
Breach of Article 50 transparency obligations carries fines up to EUR 15 million or 3% of global annual revenue (whichever is higher; AI Act Article 99(4)(g)), with lower thresholds for SMEs (Article 99(6)). Should regulatory guidance or enforcement actions reclassify the service, SETOR AI will implement required measures by the applicable deadline and update this policy.
18. Liability Limitation (B2B) and Indemnification
18.1 Liability Limitation in B2B Relations
In B2B customer relations (non-consumers), within the limits of freedom of contract (Polish Civil Code Article 353(1)), SETOR AI’s total cumulative liability arising from or related to the service is limited to the total fees paid by customer in the twelve (12) months preceding the event giving rise to the claim.
To the extent permitted by law, we exclude liability for indirect, consequential, or lost profit damages (lucrum cessans); under Civil Code Article 361(2), the indemnification scope in B2B relationships may contractually limit damages to actual loss (damnum emergens).
Nothing herein limits or excludes SETOR AI’s liability for willfully caused damages (Civil Code Article 473(2), which prohibits creditor damage exclusion) or any liability that cannot be excluded or limited under mandatory law.
18.2 Consumer Protection Clause
The above liability limitations do not apply to consumers or natural persons contracting in a manner not primarily related to their professional activity, to whom consumer law applies (Civil Code Article 385(1) and 385(5)). Such persons are protected under general liability rules, and unfair contract terms do not bind them.
18.3 Customer Indemnification
Customer indemnifies and holds SETOR AI harmless from, and commits to remedy and cover reasonable costs (including legal fees) for, claims arising from:
- Customer’s lack of legal basis or consent to contact its audience (recipients, contacts, End Users)
- Failure to inform End Users they are contacting an AI system, or disabling/circumventing SETOR AI’s disclosure function
- Customer’s breach of Meta, Instagram, or WhatsApp platform terms
- Use of the service unlawfully or for high-risk AI purposes under the EU AI Act
19. Children’s Data
The service is a B2B software platform for professional business use only. The service is not directed to individuals under sixteen (16) years old, and we do not knowingly collect personal data from such individuals (the GDPR Article 8(1) age threshold applicable in Poland).
If we discover we have inadvertently collected a child’s data under 16 without proper parental/guardian consent, we will delete it immediately. If you believe we may have collected such data, contact [email protected].
Customers using the service to interact with their audience are responsible for ensuring the service is not used to process personal data of individuals below the applicable age threshold without valid parental/guardian consent per GDPR and Meta Platform Terms.
20. Right to Lodge a Complaint
Without prejudice to any other legal remedy, you have the right to lodge a complaint with the competent data protection supervisory authority, particularly in the EU member state of your habitual residence, place of work, or the place of the alleged breach (GDPR Article 77).
The competent supervisory authority in Poland (SETOR AI’s seat jurisdiction) is the President of the Office for the Protection of Personal Data (UODO), ul. Stawki 2, 00-193 Warsaw, Poland; website: uodo.gov.pl; phone: +48 22 531 03 00; email: [email protected].
We encourage prior contact at [email protected] before filing a formal complaint, as we aim to resolve privacy issues directly and promptly.
21. Governing Law and Competent Court
This policy and related matters are governed by Polish law and directly applicable EU law, including GDPR. This choice does not deprive consumers of protections afforded by mandatory law in their habitual residence.
For B2B disputes (non-consumer customers), the competent court is that of SETOR AI’s seat: the District Court Lublin-Wschód in Lublin, based in Świdnik or, for claims exceeding its material jurisdiction, the Regional Court in Lublin. In consumer matters, court jurisdiction is determined by mandatory rules.
22. Policy Updates
We may update this policy to reflect practice changes, legal evolution, regulatory guidance, or operational requirements. The last update date appears in the header.
For material changes – significantly affecting your rights or data processing – we will notify you with at least thirty (30) days’ advance notice via email to your primary account address, in-app notification, and website notice at setor.ai/privacy.
Price changes require explicit acceptance; continued service use does not constitute price increase acceptance. Where applicable law requires explicit re-consent after material changes, we will implement a re-consent mechanism and not rely on continued use. The current version is always at setor.ai/privacy; prior versions are available upon request at [email protected].
23. Contact
For questions, concerns, or requests about this privacy policy or our data processing practices, contact: [email protected]
Mailing Address: SETOR AI Spółka z ograniczoną odpowiedzialnością, ul. Tomasza Zana 1, 20-601 Lublin, Poland.
We confirm receipt within five (5) business days and provide substantive responses within thirty (30) calendar days. For suspected data breaches or urgent security concerns, include ‘SECURITY - URGENT’ in the subject line and send to [email protected].
This Privacy Policy was prepared with utmost care and based on verified legal grounds. As a legal document, it may be subject to final review and adjustment by legal counsel, particularly as case law evolves and the EU AI Act’s domestic implementation legislation develops.
Effective Date: July 1, 2026
Version: 4.0
© 2026. All rights reserved.
