Privacy Policy
Last updated: 21 November 2025
This Privacy Policy explains how SeriousBit SRL (“SeriousBit”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you use recalletta.ai and our related websites, APIs, SDKs, integrations, and services (collectively, the “Service”).
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Who we are
The Service is operated by:
SeriousBit SRL
A company organized under the laws of the Republic of Moldova
Registered office: Republic of Moldova, Straseni, Cojusna, str. Viteazul Mihai, 223
Email: support@seriousbit.com
For purposes of applicable data protection laws, SeriousBit is generally the controller of the personal data processed via the Service, except where we process personal data strictly on your documented instructions as your processor (for example, where we store and retrieve code and project data as “memory” for your AI assistants).
If you are an organization using the Service for your own end users, you may also be a controller of their data.
2. Scope of this Privacy Policy
This Privacy Policy applies to:
- Visitors to our websites (including recalletta.ai);
- Users who create an account or use our APIs, SDKs, IDE plugins, or other integrations;
- End users whose data may be processed through our Service when our customers integrate recalletta.ai into their own products.
It does not apply to:
- Third‑party websites, services, or applications that we do not control, even if accessed via our Service;
- Processing carried out independently by our customers in their own systems.
3. The data we collect
We collect different categories of data, depending on how you use the Service.
3.1 Data you provide to us directly
Account information
- Name, username/handle, email address, password (stored in hashed form), organization name, role.
- Billing and invoicing details (billing contact, company name, VAT or tax ID, billing address, payment method details via our payment processor).
Communication data
- Emails and messages you send to us (support requests, feedback, bug reports).
- Content of any other communications with us (including via forms, in‑product chat, or social channels, to the extent you choose to use them).
User Content and Memory Data (as defined in your Terms of Service)
- Code, prompts, comments, documentation, repository metadata, issue descriptions, architectural notes, and other information you or your applications send to the Service.
- Derived “memory” representations such as embeddings, vector indexes, summaries, associations between entities (e.g., linking issues to files), and conversation context linked to users or projects.
When this information identifies or can reasonably be linked to an individual, it is treated as personal data.
3.2 Data we collect automatically
When you visit our websites or use the Service, we may automatically collect:
Log data
- IP address, browser type and version, operating system, device identifiers, date and time of access, referring URL, pages viewed, and interactions with our website or dashboard.
- API request metadata (endpoint, timestamps, response codes, latency, authentication method).
Usage data
- Features used, configuration options, number of requests, project/workspace identifiers, integration usage (for example, which IDE plugin or CI integration is calling the Service).
- Performance metrics and error traces.
Cookie and tracking data
- Cookies and similar technologies for session management, security, and analytics (see Section 11).
3.3 Data from third‑party sources
If you enable or connect integrations, we may receive data from:
Identity providers (e.g., GitHub, Google, other OAuth providers):
- Basic profile information (name, username, email, avatar), unique IDs, and organization/team memberships as allowed by your authorization.
Developer tools and platforms (e.g., Git hosting, issue trackers, CI systems, IDEs):
- Repository metadata, commit metadata (author, email, timestamps), issue/ticket titles and descriptions, branches, pull request metadata, logs and configuration, depending on your integration settings and permissions.
You control which integrations you connect and what scopes you grant.
3.4 Children’s data
The Service is not intended for children under 16, and we do not knowingly collect personal data from children under 16. If you believe we have collected such data, contact us so we can delete it.
4. How we use personal data and legal bases
Where applicable data protection law (e.g., GDPR) requires a legal basis, we rely on the following:
4.1 To provide and maintain the Service
Legal basis: performance of a contract; legitimate interests
We process data to:
- Create and manage your account;
- Authenticate you and secure access;
- Store and serve User Content and Memory Data on your behalf;
- Provide persistent memory and context retrieval for your AI assistants and tools;
- Operate integrations you have enabled;
- Provide customer support.
4.2 To improve and develop the Service
Legal basis: legitimate interests
We use usage data, logs, and limited samples of data (where necessary and subject to appropriate safeguards) to:
- Monitor performance and reliability;
- Diagnose errors and troubleshoot issues;
- Develop new features and improve existing ones;
- Conduct analytics about how the Service is used (aggregate and de‑identified where possible).
By default, we do not use your User Content or Memory Data to train general, shared machine‑learning models that are offered to other customers. If we ever introduce an explicit opt‑in program for such training, that will be clearly described and configurable, and will not apply to you unless you opt in.
4.3 To communicate with you
Legal basis: performance of a contract; legitimate interests; consent (for certain marketing)
We may:
- Send you service‑related communications (for example, onboarding, security notices, changes to terms or policies);
- Respond to your support requests and questions;
- Send you information about new features, offers, or events related to the Service, where permitted by law. You can opt out of non‑essential marketing emails at any time via the unsubscribe link.
4.4 To ensure security and prevent abuse
Legal basis: legitimate interests; legal obligations
We use data to:
- Detect, prevent, and investigate fraud, abuse, or security incidents;
- Enforce our Terms of Service and acceptable use rules;
- Protect the rights, property, and safety of SeriousBit, our users, and the public.
4.5 To comply with legal obligations
Legal basis: legal obligations
We may process and retain data as required by applicable law, for tax and accounting, regulatory compliance, and responding to lawful requests and legal claims.
5. How we use AI, memory, and your data
5.1 Memory and context
The core of recalletta.ai is to maintain long‑term memory for AI assistants:
- We store and index User Content and derived Memory Data so that your AI assistants can retrieve relevant context across sessions, projects, repositories, or users;
- We maintain associations (for example, between files, issues, conversations, and users) to provide better recall;
- You can often configure which data is ingested, how it is segmented (by project, workspace, organization), and who has access.
You are responsible for ensuring that you have the necessary rights and consents to store and process such data in this way, especially where it includes personal data of third parties (for example, commit authors, ticket reporters, or team members).
5.2 Use of third‑party AI models
When you instruct the Service or your integration to use a third‑party AI model, we may:
- Transmit relevant portions of your prompts, context, and Memory Data to that model provider;
- Receive Output (e.g., code suggestions, explanations, summaries) from that provider and return it to you.
We restrict these transmissions to what is necessary to fulfill your requests and operate the Service. The third‑party provider’s use of such data is governed by their own terms and privacy policies, which you should review.
6. Sharing and disclosure of data
We do not sell your personal data.
We may share personal data in the following situations:
6.1 Service providers and subprocessors
We use trusted third‑party service providers to support our operations (hosting, storage, logging, analytics, payment processing, email delivery, etc.). These providers may process personal data on our behalf and only under instructions consistent with this Privacy Policy and appropriate confidentiality and security obligations.
6.2 Third‑party integrations you enable
When you connect integrations (for example, Git hosting services, issue trackers, IDEs, CI/CD tools), we may:
- Receive data from those services as described in Section 3.3;
- Send data back to them as part of the integration’s functionality (for example, posting comments, updating statuses, or creating links).
The relevant third‑party services act as controllers of their own processing activities. Their use of data is governed by their own privacy policies.
6.3 Legal requirements and protection
We may disclose data if we reasonably believe it is necessary to:
- Comply with an applicable law, regulation, legal process, or enforceable governmental request;
- Enforce our Terms of Service, including investigation of potential violations;
- Detect, prevent, or otherwise address fraud, security, or technical issues;
- Protect the rights, property, or safety of SeriousBit, our users, or the public, as required or permitted by law.
6.4 Business transfers
If SeriousBit is involved in a merger, acquisition, restructuring, sale of assets, or similar transaction, personal data may be transferred as part of that transaction. We will take reasonable steps to ensure the confidentiality of personal data and inform you of any material change of ownership or control where required by law.
7. International data transfers
Our infrastructure and some of our service providers may be located in countries other than your own, including countries that may not provide the same level of data protection as your jurisdiction.
Where required by law (for example, for transfers from the European Economic Area, the UK, or similar jurisdictions), we take appropriate safeguards, such as:
- Using jurisdictions deemed to provide an adequate level of protection;
- Implementing Standard Contractual Clauses or equivalent mechanisms with service providers;
- Applying technical and organizational measures to protect data in transit and at rest.
You can contact us if you want more details about the specific transfer mechanisms used in relation to your data.
8. Data retention
We retain personal data for as long as reasonably necessary for the purposes described in this Privacy Policy, including:
- For the duration of your account and your usage of the Service;
- For a reasonable period after account closure to maintain backups, comply with legal obligations, and resolve disputes.
Indicative retention logic:
- Account data: retained while your account is active and for 5 years thereafter, as required for legal, accounting, and audit purposes.
- User Content and Memory Data: retained while your account and relevant workspace/project remain active or until you delete it or configure stricter retention rules.
- Logs and telemetry: retained for 6 months for security, debugging, and analytics, then deleted or anonymized.
You can often delete or request deletion of certain data via your account tools. Where we are obliged by law to retain certain data for longer, we will do so.
9. Security
We implement technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures may include:
- Encryption of data in transit and at rest (where appropriate);
- Access controls and role‑based permissions;
- Secure key management and secrets handling;
- Logging and monitoring for abnormal patterns or threats;
- Regular updates and patching of critical infrastructure.
Despite these measures, no system can be guaranteed to be completely secure. You are responsible for safeguarding your passwords, API keys, and other authentication credentials, and for choosing secure configurations for your integrations and repositories.
10. Your rights and choices
Your rights depend on your jurisdiction and, where applicable, the role in which we process your data (controller vs. processor). Where laws such as the GDPR or equivalent apply, and where SeriousBit acts as a controller, you may have the following rights:
- Right of access – to obtain confirmation whether we process your personal data and to receive a copy.
- Right to rectification – to correct inaccurate or incomplete personal data.
- Right to erasure – to request deletion of your personal data in certain circumstances (for example, where it is no longer needed, or you withdraw consent and there is no other legal basis).
- Right to restriction of processing – to request limitation of certain processing activities.
- Right to data portability – to receive personal data you provided in a structured, commonly used, machine‑readable format and to transmit it to another controller where feasible.
- Right to object – to object, on grounds relating to your particular situation, to processing based on legitimate interests, including profiling. You also have the right to object to direct marketing.
- Right to withdraw consent – where processing is based on consent, you may withdraw it at any time (this does not affect processing prior to withdrawal).
To exercise these rights, contact us at support@seriousbit.com. We may need to verify your identity before responding. Where we process personal data on behalf of a customer as processor, we may redirect your request to that customer.
You also have the right to lodge a complaint with a supervisory authority in your country or region, if applicable.
For users in the EU/EEA, this will typically be your local data protection authority; for Moldova, the competent authority is the relevant national data protection authority.
11. Cookies and similar technologies
We may use cookies and similar technologies (such as local storage and pixels) for:
- Strictly necessary purposes – to provide login, session management, security, and core functionality.
- Preferences – to remember your settings and choices in the dashboard.
- Analytics and performance – to understand how the Service is used and improve it (for example, using privacy‑respecting analytics tools).
You can control cookies via your browser settings and, where available, via in‑product cookie controls. Blocking certain cookies may impact the functionality of the Service.
If we use third‑party analytics or tracking cookies that are not strictly necessary, we will implement consent mechanisms where required by law.
12. Third‑party links and services
The Service may contain links to third‑party websites or services, and may integrate with third‑party platforms. We are not responsible for the privacy practices of such third parties. You should review their privacy policies to understand how they handle your data.
13. When we act as processor for our customers
For some features, particularly when you use recalletta.ai as an embedded component in your own product, we may process personal data on your behalf as a processor (or equivalent under applicable law).
In that scenario:
- You are responsible for providing appropriate notices and obtaining any required consents from your end users;
- We process the data only on your documented instructions and in accordance with any Data Processing Agreement in place;
- We implement technical and organizational measures appropriate to the risk, as described in this Policy and in the DPA.
If an end user contacts us directly about data processed on behalf of our customer, we may refer the user to that customer and/or inform the customer of the request.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do so, we will:
- Update the “Last updated” date at the top; and
- Where appropriate, provide additional notice (for example via email or in‑product notifications), especially for material changes.
Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acknowledgement of the changes. If you do not agree with the updated Policy, you should discontinue using the Service.
15. Contact
If you have questions or requests regarding this Privacy Policy or our data practices, you can contact:
SeriousBit SRL
Email: support@seriousbit.com
Address: Republic of Moldova, Straseni, Cojusna, str. Viteazul Mihai, 223