Last updated: 2026-05-18
Effective: 2026-05-18
1. Who we are
Site Sidekick is operated by South Wave Software Development - FZCO ("Site Sidekick", "we", "us", "our"), a free zone company registered in Dubai, United Arab Emirates.
- Registered name: South Wave Software Development - FZCO
- Trade licence number: 75061, issued by the Dubai Integrated Economic Zones Authority
- Registered office: Premises DSO-IFZA, IFZA Properties, Dubai Silicon Oasis, Dubai, United Arab Emirates
- Service domain: site-sidekick.com
- Contact: info@site-sidekick.com
We are the data controller for personal data we process about you in connection with the Site Sidekick service ("the Service").
UK / EU representative
Because we are established outside the United Kingdom and the European Economic Area but offer the Service to individuals located in those territories, we have appointed a representative under Article 27 of the UK GDPR and (where applicable) the EU GDPR.
- UK representative: [NAME / ADDRESS / CONTACT — to be appointed before launch]
- EU representative (if and when applicable): [NAME / ADDRESS / CONTACT]
Until a representative is in place, please contact us directly at info@site-sidekick.com for any data-protection enquiry.
2. The data we collect
We collect and process the following categories of personal data:
Data you give us directly
- Account data: your name, email address and/or mobile phone number, and a hashed password. You may provide either an email address or a phone number (or both) when you register; we use whichever you choose as your identifier when you sign in.
- Company data (optional): your company name, company phone number, company address. You can add or omit this.
- Project data: information about jobs you create, including project names, descriptions, customer names, customer email addresses, customer phone numbers, and property addresses. This often contains personal data about people other than you — see "Information about third parties" below.
- User content:
  - Audio recordings of site visits and conversations you choose to record.
  - Text transcripts generated from those recordings by automated speech-to-text processing.
  - Documents (PDFs, Word documents, spreadsheets, text files, RTF) that you upload to a project.
  - Photographs that you upload to a project, together with any captions you add.
  - Notes you type into a project.
- Billing data: if you subscribe to a paid plan, the email address you provide for billing, your subscription tier, the status of your subscription, and a Stripe customer identifier. We do not see, store, or process your full payment card details — those are handled directly by Stripe (see "Subprocessors" below).
- Communications: the contents of any messages you send us by email or other channels.
Data we collect automatically
- Usage data: dates and times of recordings, durations, processing status, cost-tracking telemetry (estimated AI processing cost per recording), and similar operational metadata used to run the Service.
- Authentication data: session cookies (web), JWT access and refresh tokens (mobile), and a per-user revocation counter (tokenVersion) used to invalidate outstanding tokens when you reset your password or delete your account.
- IP address: captured transiently for rate-limiting and abuse-prevention purposes via our rate-limiting subprocessor.
- Error / diagnostic data: when an error occurs in your session, we may log technical details (the request URL, browser or device information, error context) to help us debug. We do not currently use any third-party analytics or tracking tools.
Information about third parties
When you create a project for a customer, or record a conversation with another person, personal data about that other person may be processed by us. Examples include a customer's name, email address, telephone number, or property address; or a contractor's voice recorded during a site visit.
You are responsible for the lawful basis on which you input or record that information — see Section 6 ("Your responsibilities") and the recording-consent clause in our Terms of Service.
Sensitive personal data
We do not intentionally collect special category data (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation). If such information ends up in a recording, transcript, or document you upload, we treat it as ordinary content under this policy — we have no way to identify or specially handle it unless you tell us.
3. Why we process your data, and the legal basis
| Purpose | Legal basis under UK GDPR |
|---|---|
| Creating and operating your account | Performance of a contract with you (Art. 6(1)(b)) |
| Transcribing, summarising, and structuring your recordings, documents, and notes (our core Service) | Performance of a contract with you (Art. 6(1)(b)) |
| Storing your project content so you can retrieve it | Performance of a contract with you (Art. 6(1)(b)) |
| Sending transactional emails (password resets, account notices, team invitations) | Performance of a contract with you (Art. 6(1)(b)) |
| Taking payment for paid plans | Performance of a contract with you (Art. 6(1)(b)) |
| Detecting and preventing abuse, fraud, and rate-limit violations | Our legitimate interests (Art. 6(1)(f)): keeping the Service available and affordable for honest users |
| Debugging errors and improving the Service | Our legitimate interests (Art. 6(1)(f)): operating a reliable Service |
| Responding to your communications | Our legitimate interests (Art. 6(1)(f)) |
| Complying with our legal obligations (tax, accounting, lawful requests from authorities) | Legal obligation (Art. 6(1)(c)) |
We do not currently send marketing emails. If we ever do, we will rely on your consent (Art. 6(1)(a)) and you will be able to withdraw that consent at any time.
4. How we use AI to process your content
The Site Sidekick service uses third-party AI models, currently provided by OpenAI, L.L.C., to process the recordings, documents, and notes you upload:
- Audio transcription is performed by OpenAI's Whisper model.
- Summarisation, decision extraction, and structuring are performed by OpenAI's GPT-4o-mini model.
- Semantic embeddings of your content are generated using OpenAI's text-embedding-3-small model.
When you upload a recording or document, the audio bytes or text are sent to OpenAI for processing. OpenAI's API terms (in force at the time of writing) do not use API-submitted content to train OpenAI's models unless we explicitly opt in (and we do not). OpenAI may retain the data for a limited period for abuse monitoring; see OpenAI's privacy documentation for current details.
The AI outputs (transcripts, summaries, extracted events, source-of-truth sentences with citations) are stored on our infrastructure and shown only to you and to the team members you have invited to the relevant project. They are not shared with any third party other than the AI subprocessors described above.
Important: AI outputs are not guaranteed to be accurate. The Service is a productivity tool, not a substitute for human review. See the warranty disclaimer in our Terms of Service.
5. Who we share your data with (subprocessors)
We share personal data only with vetted subprocessors who help us run the Service. Each subprocessor handles a defined slice of data, under a written contract with appropriate data-protection terms (where required, including UK and EU Standard Contractual Clauses for international transfers).
| Subprocessor | Role | Where data is processed |
|---|---|---|
| Neon, Inc. | PostgreSQL database hosting | AWS eu-west-2 (London, United Kingdom) |
| Amazon Web Services, Inc. | Object storage (S3) for audio, documents, and photos; serverless compute (Lambda) for audio transcription orchestration | AWS eu-west-2 (London, United Kingdom) |
| Vercel, Inc. | Web application hosting; legacy blob storage for some web-uploaded recordings | Global edge network; primary regions vary |
| OpenAI, L.L.C. | AI transcription, summarisation, decision extraction, embeddings | United States |
| Stripe, Inc. / Stripe Payments UK, Ltd. (not currently active during beta — re-activated when paid plans launch) | Payment processing for subscriptions | United States / United Kingdom (Stripe selects the processing region) |
| Resend, Inc. | Transactional email delivery | United States |
| Upstash, Inc. | Redis-based rate limiting (transient IP / user-id keys) | Configured region (typically EU or US) |
| Inngest, Inc. | Background job orchestration for processing recordings, documents, and AI pipelines | United States |
We do not sell your personal data, and we do not share it with advertisers or data brokers.
If we add or change a subprocessor, we will update this policy. Material changes will be notified to you by email and/or an in-app notice.
6. Your responsibilities — recording other people
Site Sidekick is a tool for recording conversations. You are responsible for ensuring that you have the legal right to make the recordings you upload to the Service, including any consent required under the law of the jurisdiction(s) where you and the other people in the recording are located.
In the United Kingdom, you may generally record a conversation you are a party to for your own personal use. However:
- Using recordings for business or commercial purposes — including processing them through Site Sidekick — typically requires you to inform the other participants that you are recording, and to have a lawful basis under UK GDPR for processing the personal data of those participants.
- The position varies in other jurisdictions. Some countries (and some US states) require all-party consent.
By using the Service to upload a recording, you confirm to us that the recording was made lawfully and that you have any consents or permissions required under applicable law.
This obligation is set out in more detail in our Terms of Service.
7. Where your data is stored
Your content data (recordings, documents, notes, photos, project details, AI outputs) is stored on infrastructure located in the United Kingdom (AWS and Neon, eu-west-2/London region).
Other processing involves international transfers:
- To the United Arab Emirates, where we (the data controller) are established, when we administer your account.
- To the United States, when content is sent to OpenAI for AI processing, when Stripe processes a payment, when Resend sends a transactional email, or when Inngest orchestrates background jobs.
Where personal data is transferred outside the United Kingdom or the European Economic Area, we rely on appropriate safeguards under UK and EU data-protection law. For transfers to the United States these are typically the UK International Data Transfer Agreement (or UK Addendum to the EU Standard Contractual Clauses) and/or the EU Standard Contractual Clauses, supplemented by such technical and organisational measures as the receiving subprocessor maintains. For transfers to the United Arab Emirates we rely on Article 49 derogations where applicable, and on contractual safeguards we apply internally.
You can request a copy of the relevant transfer mechanism by writing to info@site-sidekick.com.
8. How long we keep your data
- While your account is active: we retain your account data and project content for as long as you keep your account open.
- When you delete your account: we mark your account as deleted immediately and revoke your authentication tokens. Within 30 days of account deletion we permanently delete or irreversibly anonymise your identifiable personal data and your project content (including recordings, transcripts, documents, notes, photos, and AI-derived outputs).
- Anonymised aggregate data: we may retain anonymised, aggregated usage data (for example, totals such as "X recordings processed across all users in month Y") indefinitely for product-improvement and reporting purposes. Once data has been anonymised so that it cannot be re-associated with you, it falls outside the scope of data-protection law.
- Billing records: we retain a limited amount of billing information (invoices, transaction records) for as long as required to meet our tax and accounting obligations, even after you delete your account.
- Backups: deleted data may persist in routine encrypted backups for a short period until the backups themselves are rotated, after which it is overwritten.
- Logs: operational and security logs are retained for up to 90 days.
If you ask us to delete a specific piece of content (rather than your whole account), we will do so promptly. Where doing so would break the citation chain of an AI-derived output, we will remove the cited content and re-derive the output without it.
9. Your rights
Under UK GDPR (and EU GDPR where it applies to you), you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete personal data.
- Erase ("right to be forgotten") your personal data in the circumstances recognised by law. Account deletion in the Service is the simplest route for most data; for anything else, write to us.
- Restrict our processing of your personal data in certain circumstances.
- Object to processing we conduct on the basis of our legitimate interests.
- Portability — receive a copy of personal data you provided to us in a structured, commonly-used, machine-readable format.
- Withdraw consent at any time, where we rely on consent (e.g. for marketing, if we ever introduce it).
- Not be subject to fully automated decisions that produce legal or similarly significant effects on you. The Service does not currently make any such decisions; AI is used to produce content for your review, not to make decisions about you.
To exercise any of these rights, write to info@site-sidekick.com. We will respond within one month and may request information to verify your identity.
If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (the UK's data-protection regulator) at ico.org.uk, or to your local data-protection authority in the EU/EEA. We would, however, appreciate the chance to address your concern first.
10. Cookies and similar technologies
Site Sidekick uses only strictly-necessary cookies required to operate the Service:
- A session cookie set by our authentication provider (NextAuth) to keep you signed in to the web app.
- Short-lived impersonation cookies set only when an administrator legitimately impersonates a user account for support purposes (all such use is recorded in an audit log).
We do not use analytics, advertising, social-media, or tracking cookies. Because all cookies we set are strictly necessary, we are not required to display a cookie consent banner under the UK Privacy and Electronic Communications Regulations (PECR). If we ever introduce non-essential cookies, we will ask for your consent first.
The mobile app uses platform-secure local storage (iOS Keychain / Android Keystore via Expo SecureStore) to store your authentication tokens. It does not set web cookies.
11. Children
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@site-sidekick.com and we will delete the data.
12. Security
We take reasonable technical and organisational measures to protect your personal data, including:
- Encryption in transit (HTTPS / TLS) for all communications with the Service.
- Encryption at rest for stored content (provided by AWS S3 and Neon).
- Strong password hashing (bcrypt) for stored credentials.
- Token-based authentication with revocation (the tokenVersion mechanism) that invalidates outstanding tokens when you reset your password or delete your account.
- Strict access controls: only the project owner and members they have explicitly invited can access a project's content.
- Operational access to production systems is limited to a small number of authorised personnel and is logged.
No system is perfectly secure. If you become aware of a security issue, please write to info@site-sidekick.com.
13. Changes to this policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top. If the changes are material, we will notify you by email and/or by an in-app notice before the changes take effect.
14. Contact
- Email: info@site-sidekick.com
- Postal: South Wave Software Development - FZCO, Premises DSO-IFZA, IFZA Properties, Dubai Silicon Oasis, Dubai, United Arab Emirates
- UK representative: [TO BE APPOINTED — see Section 1]