Privacy Policy
Last updated: May 3, 2026 · Version 1.0
Sikasio ("we", "us", the data controller for Ask2Do platform data) takes data protection seriously. This Privacy Policy explains what personal data we collect when you use Ask2Do, how we use it, who we share it with, how long we keep it, and what rights you have. It applies in addition to our Terms of Service.
1. Quick summary
- We store the minimum data needed to run the service: your email, billing state, conversation history (90 days), and a hash of your tenant key.
- We never store the raw rows from your customer database. Those stay on YOUR infrastructure.
- All platform data is hosted in the European Union.
- We rely on a small set of sub-processors — an EU hosting provider, a CDN / edge provider, an AI model provider, a payment provider, and a transactional email provider.
- You have the right to access, correct, delete, or export your data. Email hello@ask2do.com and we respond within 30 days.
2. Who we are
Ask2Do is a product of Sikasio, operated from Egypt. For data-protection purposes within the EU, you can reach our designated point of contact at hello@ask2do.com.
3. What data we collect
3.1 Account data
- Email address — used for magic-link sign-in, billing notifications, and product updates. Required.
- Tenant slug and display name — the customer-chosen identifier (e.g. "ftw") and a friendly name. Required.
- Public account ID — an opaque, non-numerical identifier (format `u_<16 hex>`) we display in admin UIs in place of the underlying database row id, so support tickets don't leak internal counts.
3.2 Authentication data
- Magic-link verification tokens — short-lived (10 min), single-use. Stored hashed in the `verification_token` table.
- Session cookies — issued by Auth.js after a successful magic-link click. Database-backed, revocable server-side. 15 days default lifetime.
- Tenant key hash — the long-term sidecar credential is hashed with argon2id (m=64MB, t=3, p=4) and stored. The raw key is shown to you ONCE at issue time and never lands on disk.
3.3 Usage data (conversation surface)
- Questions you ask the AI — verbatim text, for context window and audit.
- AI answers — full text including any tool calls and their results.
- Tool-call payloads — what SQL the AI proposed, what schema it asked for, etc. This crosses our cloud but is forwarded to your sidecar; results return the same path.
- Status events — "sidecar registered", "chat started", "preview approved" — for diagnostics and audit.
Conversation data is retained on our cloud for 90 days, then deleted. The audit log on YOUR database (in ask2do_audit) is yours and follows your retention rules.
3.4 Billing data
- Customer ID, subscription ID, plan, status, currency, and invoice history (held by our payment provider). We do not store card numbers — those stay with the payment provider. We retain billing metadata for 7 years to comply with accounting regulations.
3.5 Technical data
- IP address (recent connections only, in our edge / CDN provider's logs and our app logs — 30-day retention)
- Browser and OS user-agent string
- Sidecar version, OS, architecture (sent on each register event for auto-update eligibility)
3.6 What we explicitly do NOT collect
- Raw rows from your customer database. Tool-call results cross the cloud in flight but are not persisted.
- Your admin panel users' passwords, session cookies, or files.
- Any tracking or analytics identifiers from third-party analytics tools — we don't use them on the marketing site or in the portal.
- Browser fingerprints or cross-site cookies.
4. Why we process your data (legal bases)
For EU/UK customers, we rely on the following GDPR bases:
- Performance of a contract (Art. 6(1)(b)) — account data, auth data, conversation data, tool-call payloads. Required to deliver the service you signed up for.
- Legal obligation (Art. 6(1)(c)) — billing records (tax/accounting law).
- Legitimate interests (Art. 6(1)(f)) — security logging, fraud prevention, debugging. Balanced against your privacy; no profiling.
- Consent (Art. 6(1)(a)) — product update emails outside service operations. You can opt out from any such email.
5. Who we share data with (sub-processors)
We use a small set of carefully chosen sub-processors. Each is bound by data-processing terms and is GDPR-compliant.
| Sub-processor | Role | Data | Location |
|---|---|---|---|
| EU hosting provider | VPS host (cloud orchestrator + platform database) | All platform data | European Union |
| CDN / edge provider | CDN, DNS, edge runtime (portal), object storage (assets + backups), and database connection pool | HTTP requests, widget bundle, sidecar binaries, encrypted backups | Global edge; processed at EU edges where possible |
| AI model provider | Large language model inference | Your questions and tool-call results, sent to the provider for inference. Under the provider's API terms, prompts are not used to train their models. | Provider's global infrastructure |
| Payment provider | Subscription billing and payment processing | Card details (held by the provider, not us), billing address, invoice metadata | Global; processed in the EU for EU customers |
| Transactional email provider | Magic-link sign-in and account email delivery | Email address, magic-link URL, welcome email content | EU data centre |
We notify customers at least 30 days before adding a new sub-processor (via the portal banner or email). If you object, you may cancel before the new sub-processor starts handling your data.
6. International data transfers
Platform data lives in the EU. Some sub-processors (the CDN / edge, AI inference, and payment providers) operate globally. Where those involve transferring data outside the EU/UK, we rely on:
- EU Standard Contractual Clauses (SCCs) for transfers to non-adequate countries
- The relevant adequacy decisions where they exist (e.g. UK GDPR <-> EU GDPR adequacy)
7. How long we keep data
| Category | Retention |
|---|---|
| Account email + tenant metadata | For the lifetime of your account, then 30 days after termination |
| Tenant key hash | Until rotated or revoked |
| Sessions (Auth.js) | 15 days, or until logout / revocation |
| Conversation history | 90 days, then deleted |
| Audit log on YOUR database | Owned by you — your retention rules apply |
| Billing records | 7 years (legal obligation) |
| Application + access logs | 30 days |
| Backups (encrypted, on R2) | 30 days rolling, then overwritten |
8. Your rights
If you're in the EU/UK (or any jurisdiction with similar laws), you have the right to:
- Access — get a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and data (we'll comply except where we're required to retain certain data, e.g. billing records under tax law)
- Portability — receive your data in a machine-readable format
- Restriction / objection — limit how we process your data
- Withdraw consent — for any processing based on consent
- Lodge a complaint with your supervisory authority (e.g. your country's data protection authority)
Email hello@ask2do.com with your request. We respond within 30 days. We may ask you to verify your identity to prevent unauthorised disclosure.
9. Children
Ask2Do is a B2B product. We don't knowingly collect data from anyone under 16. If you believe a child has provided us data, email hello@ask2do.com and we'll delete it.
10. Security
We secure platform data with:
- TLS 1.2+ for all data in transit (managed certificates at the edge and on the VPS)
- Argon2id hashing for tenant keys (never stored in plaintext)
- Encrypted backups to our object-storage provider (server-side encryption)
- Hardened VPS: SSH key-only, password auth disabled, `ufw` default-deny except 22/80/443, `fail2ban`, automatic security updates via `unattended-upgrades`
- The platform database bound to localhost on the VPS, accessed by the cloud over an internal container network
- SQL parser enforces SELECT-only on the read path; INSERT / UPDATE require explicit human approval; DELETE / DROP / TRUNCATE / ALTER are rejected at the parser
See Security model for the engineering detail.
11. Data breach notification
If we discover a personal data breach, we'll notify affected customers within 72 hours of becoming aware, with details of what happened, what data was involved, and what we're doing about it. We also notify the relevant supervisory authority where the law requires.
12. Changes to this Policy
We may update this Privacy Policy. Material changes get at least 30 days' notice via email or in-app banner. Minor clarifications are posted with a new "Last updated" date. Continuing to use the service after the notice period means you accept the new Policy.
13. Contact
Privacy / data subject requests: hello@ask2do.com
Security incidents: support@ask2do.com
Data Processing Agreement (DPA): enterprise@ask2do.com — we sign EU-standard DPAs on request for B2B customers.