Privacy Policy

Last updated: October 9, 2025

1. Introduction

This privacy policy will explain how Stihia Ltd. ("we", "us", "our") uses the personal data we collect from you when you use our application, Stihia Zmey. Stihia Ltd. is a private limited company registered in Bulgaria with UIC 208453727 and address Sofia 1606, Lajos Kossuth Str. 20, fl. 4, apt. 10. Stihia Ltd. is the data controller for the data processed in accordance with this policy.

2. What data do we collect?

Stihia Zmey is an interactive application where you can communicate with an AI agent. We collect the following data:

  • Conversation Data: The text of your conversations with the AI agent "Zmey". This includes all inputs you provide during your interaction.
  • Usage Data: We may collect anonymous data about your interaction with the service, such as session duration and features used, to improve our service. We do not collect personal information like your name or email address, unless you voluntarily provide it in your conversation with the agent. We do not collect IP addresses or use tracking cookies.

To protect your privacy, we strongly discourage you from sharing any personal or sensitive information in your conversations with the agent. Please avoid providing details such as your full name, address, phone number, or any other data that could identify you.

3. How do we collect your data?

You directly provide us with the data we collect. We collect and process data when you:

  • Interact with the AI agent "Zmey" by sending messages.

4. How will we use your data?

We collect your data so that we can:

  • Provide you with the core functionality of the Stihia Zmey application, which is to have a conversation with an AI agent.
  • Improve our AI models and the overall service. The conversation data is used to analyze where the agent is performing well and where it needs improvement. This data is anonymized before use in model training.
  • Conduct research and development for other products and services provided by Stihia Ltd. All data used for such purposes will be anonymized to protect your privacy.

5. Data Minimization

In accordance with GDPR principles, we only collect and process the minimum amount of personal data necessary to provide our service. We do not collect any personal information beyond what is essential for the functioning of Stihia Zmey and the purposes stated in this policy.

6. What is our legal basis for processing?

Our legal basis for processing the conversation data is your consent, provided by you when you start using the application and sending messages. For the processing of data for service improvement and for research and development purposes, our legal basis is our legitimate interest in improving and developing our application and other related services.

7. Right to Withdraw Consent

Where we process your personal data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw your consent, please contact us at privacy@stihia.ai. Please note that withdrawing consent may impact your ability to use our service.

8. Who do we share your data with?

To provide and improve our service, we use third-party services that may process your data. These services are:

  • Google Cloud Platform (GCP): We use GCP for hosting our application and storing conversation data.
  • LangSmith: We use LangSmith by LangChain for debugging, monitoring, and improving the performance of our AI agent. Your conversation data is sent to LangSmith for this purpose.

We have data processing agreements in place with these providers to ensure your data is protected.

9. International Data Transfers

All data we collect is stored and processed within the borders of the European Union. We do not transfer your personal data outside of the European Economic Area (EEA).

10. How do we store your data and for how long?

We securely store your data on Google Cloud Platform. We retain conversation data for a period of 5 years to support our ongoing research and development efforts and to improve our services. After this period, the data is permanently deleted.

11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption: All data is encrypted both in transit (using TLS/SSL) and at rest.
  • Access Controls: Access to personal data is restricted to authorized personnel only, on a need-to-know basis.
  • Regular Security Audits: We regularly review and update our security measures to ensure they remain effective.
  • Secure Infrastructure: We use Google Cloud Platform's security infrastructure, which includes physical security, network security, and compliance with international security standards.

12. Data Anonymization

When we use your data for model training or research purposes, we apply anonymization techniques including:

  • Removal of any directly identifying information
  • Aggregation of data where possible
  • Use of differential privacy techniques where appropriate
  • Irreversible transformation of data to prevent re-identification

Once data is truly anonymized, it is no longer considered personal data under GDPR and cannot be linked back to you.

13. What are your data protection rights?

Under GDPR, you have the following rights:

  • The right to access – You have the right to request copies of your personal data.
  • The right to rectification – You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
  • The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
  • The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
  • The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
  • The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you would like to exercise any of these rights, please contact us at privacy@stihia.ai.

You also have the right to lodge a complaint with a supervisory authority if you believe your personal data has been processed unlawfully.

14. Automated Decision-Making and Profiling

Stihia Zmey uses AI technology to generate responses to your messages. This involves:

  • Automated Processing: The AI agent processes your inputs automatically to generate contextually appropriate responses.
  • No Profiling: We do not create user profiles or make decisions about you based on automated processing that would have legal or similarly significant effects.
  • Human Oversight: While the AI operates autonomously during conversations, human oversight is maintained for system improvements and quality assurance.

The automated processing is necessary for the performance of our service. You have the right to request human intervention, express your point of view, and contest any decisions made by the AI by contacting us.

15. Children's Privacy

Our service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If you are under 16, please do not use our service or provide any information through the application.

If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as soon as possible. If you believe we might have information from or about a child under 16, please contact us at privacy@stihia.ai.

16. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
  • If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email (if provided) or through a notice on our website.
  • Document all data breaches and the actions taken in response.

17. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with data protection law. If you have any questions or concerns about how your personal data is handled, you can contact our DPO:

Ivan Ivanov
Email: privacy@stihia.ai

18. Necessity of Providing Data

Providing conversation data is necessary for the use of Stihia Zmey service. Without this data, we cannot provide you with the interactive AI experience. However, providing personal information within your conversations (such as your name or email) is entirely voluntary and not required for the service to function. As stated in Section 2, we strongly discourage you from sharing any personal information.

19. Cookies

Stihia Zmey does not use cookies for tracking or advertising purposes. We may use essential cookies for the basic functionality of the website.

20. Changes to our privacy policy

We keep our privacy policy under regular review and will place any updates on this web page.

21. How to contact us

If you have any questions about our privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Email us at: privacy@stihia.ai

22. How to contact the appropriate authority

Should you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Commission for Personal Data Protection in Bulgaria.

Website: www.cpdp.bg

Email: kzld@cpdp.bg

Address:
Commission for the Protection of Personal Data
2, Prof. Tsvetan Lazarov Blvd.
1592 Sofia
Bulgaria