Sesori Privacy Policy
Last updated: April 18, 2026
This Privacy Policy explains how Digitalblock Labs LTD ("Sesori," "Company," "we," "us," or "our") collects, uses, stores, shares, and otherwise processes personal data when you use Sesori's official apps and services. It applies only to the official Sesori services, including the Sesori mobile app, the official local bridge software, relay services, account and authentication services, push notification services, sesori.com, voice input and server-side transcription features, diagnostics, analytics, support channels, and related hosted features we provide (collectively, the "Service").
This Privacy Policy does not apply to source builds, self-hosted deployments, unofficial builds, modified versions, forks, community distributions, or other non-official deployments, except to the extent those versions connect to an official Sesori-hosted feature. In that case, this Privacy Policy applies only to the official hosted feature interaction.
1. How Sesori works
Sesori is designed to help you monitor and interact with compatible AI coding assistants running on your own host system from your phone. The Service may include a local bridge running on your device, relay infrastructure, account and authentication services, push notifications, websites, diagnostics, analytics, voice input, server-side transcription, and other related hosted features.
In ordinary operation, Sesori infrastructure routes encrypted relay traffic between your devices. That ordinary relay routing does not ordinarily require Sesori to have plaintext access to relay payloads in transit. Some specific features you invoke do require Sesori or its sub-processors to receive readable data, including voice input and server-side transcription, short text feature processing such as session title naming and branch naming, push payload snippets, and support or diagnostic review.
2. Controller and contacts
For the official Service covered by this Privacy Policy, the data controller is:
Digitalblock Labs LTD
BVI Company No. 2115105
Registered in the British Virgin Islands
You can contact us at:
- [email protected] for general privacy and support matters
- [email protected] for GDPR and data protection rights matters
2.1 EU Representative
Because Digitalblock Labs LTD is established outside the European Union, we have appointed the following entity as our representative in the European Union under Article 27 of Regulation (EU) 2016/679 ("GDPR"):
Efosoft EOOD
UIC 207932888
Email: [email protected]
Individuals located in the EU or EEA may contact our EU Representative directly regarding the processing of their personal data or the exercise of their rights under the GDPR.
Efosoft EOOD is a related party under common ownership with Digitalblock Labs LTD.
3. Categories of data we process
Depending on how you use the Service, we may process the following categories of personal data.
3.1 Account and authentication data
- account identifiers
- email address and sign-in related information
- authentication and session tokens
- account status and basic account records
- identity provider information when you choose Apple, Google, or GitHub sign-in
3.2 Connection and session metadata
- relay connection metadata
- session identifiers and project identifiers
- timestamps, event timing, delivery status, and routing metadata
- limited metadata about connected bridge or mobile sessions
3.3 Device and app metadata
- device type, operating system, app version, build identifiers, and similar app environment data
- IP address and general network or connectivity diagnostics
- mobile platform identifiers needed for app operation, notifications, fraud prevention, or security review
3.4 Push notification data
- push notification tokens
- notification delivery metadata
- notification payload data, including limited session metadata or partial snippets when a feature or platform flow includes them
Depending on your device settings, platform behavior, notification routing, and lock-screen controls, push notifications may display limited session metadata or partial snippets on device-level notification surfaces.
3.5 Analytics, crash, and diagnostic data
- product usage events
- performance metrics
- crash logs and stack traces
- diagnostic events and troubleshooting data
3.6 Support communications
- emails you send us
- attachments, logs, screenshots, or descriptions you provide in support requests
- our support responses and related internal notes
Support is currently provided by email only.
3.7 Voice recordings and transcripts
- voice recordings you submit through voice input features
- generated transcripts and related processing outputs
Voice recordings are transmitted to Sesori servers and a third-party transcription sub-processor for processing. We do not retain voice recordings or generated transcripts after processing completes, except to the limited extent reasonably necessary for service operation, abuse prevention, security, incident response, or as required by law.
3.8 Limited readable feature-processing data
- limited readable inputs and outputs needed to operate specific invoked features, such as session title naming, branch naming, or similar short text feature processing
- limited readable snippets needed for push notifications, support, diagnostics, abuse review, or security investigation
4. Sources of data
We collect personal data from the following sources:
- directly from you, such as when you create or use an account, send us an email, submit voice input, or contact support
- from your devices and apps when they connect to or interact with the Service
- from your chosen identity provider, such as Apple, Google, or GitHub, when you use that sign-in option
- from our service providers and infrastructure providers that help us operate the Service
- from automated logs, analytics, crash reporting, and security systems generated during Service operation
5. How we use personal data
We use personal data for the following purposes:
- providing, operating, and maintaining the Service
- authenticating users and managing accounts
- routing connections, delivering notifications, and operating relay or hosted features
- operating voice input and server-side transcription features
- performing limited feature processing you invoke, such as session title naming, branch naming, or similar processing
- securing the Service, preventing abuse, investigating suspicious activity, and responding to incidents
- monitoring reliability, diagnosing failures, fixing bugs, and improving performance
- analyzing product usage so we can understand how the Service is used and improve it
- communicating with you about the Service, including support and operational notices
- complying with legal obligations, enforcing our terms, and protecting our rights, users, systems, and providers
6. When Sesori processes readable content
Sesori does not ordinarily have plaintext access to encrypted relay payloads in transit during ordinary relay routing.
Sesori and its sub-processors process readable data in limited situations where readable processing is required for a feature you use or for operational needs, including:
- voice input and server-side transcription
- short text feature processing, such as session title naming and branch naming
- push notification payload snippets or limited metadata
- support, troubleshooting, diagnostics, abuse prevention, trust and safety review, security investigation, or incident response
Where possible, we try to keep readable processing limited to what is needed for the relevant feature or operational purpose.
7. Legal bases for processing
If GDPR or similar law applies, we generally rely on one or more of the following legal bases:
- Performance of a contract (GDPR Art. 6(1)(b)), when processing is needed to provide the Service you request
- Legitimate interests (GDPR Art. 6(1)(f)), when processing is needed to secure, maintain, support, analyze, administer, or protect the Service and we have determined our interests are not overridden by your rights. You may object to processing based on legitimate interests as described in Section 15
- Consent (GDPR Art. 6(1)(a)), where consent is required by law or where we specifically ask for it, for example for certain analytics or tracking on supported platforms. You may withdraw consent at any time
- Legal obligation (GDPR Art. 6(1)(c)), when processing is needed to comply with law, regulation, lawful requests, or mandatory recordkeeping requirements
8. Sub-processors and third-party recipients
8.1 Sub-processors acting on our behalf
We use a limited number of service providers that may process personal data on our behalf to operate the official Service. Current sub-processors are:
- DigitalOcean, LLC: Hosting, infrastructure, and databases. European Union (Sesori-controlled servers are currently EU-hosted); provider headquartered in the United States.
- Cloudflare, Inc.: Reverse proxy, DNS, and security edge services. Global edge network; provider headquartered in the United States.
- OpenAI, L.L.C.: Voice transcription and short text feature processing (e.g., session title naming). United States.
- Anthropic, PBC: Short text feature processing (e.g., session title naming). United States.
- Google LLC (Firebase): Push notifications via Firebase Cloud Messaging, app analytics, and Crashlytics. United States and Google global infrastructure.
- Functional Software, Inc. (Sentry): Error monitoring and crash diagnostics. United States.
We also operate our own Sesori authentication backend on Sesori infrastructure for account and authentication services.
The list of sub-processors may change as the Service evolves. We will update this Privacy Policy to reflect changes.
8.2 Identity providers and platform ecosystems you choose
You may choose to use independent third-party platforms or identity providers, which have their own privacy practices and are not acting as Sesori sub-processors for all purposes:
- Apple Inc., for app distribution via the Apple App Store, Apple sign-in, and related platform and notification services
- Google LLC, for app distribution via the Google Play Store, Google sign-in, and related platform services
- GitHub, Inc., when you choose GitHub as an identity provider
8.3 Other disclosures
We may also disclose personal data where reasonably necessary to:
- comply with applicable law, regulation, legal process, or lawful requests from public authorities
- protect the rights, property, safety, or security of Sesori, our users, our providers, or the public
- detect, prevent, or investigate fraud, abuse, security incidents, or violations of our terms
- enforce our terms or defend legal claims
In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business or assets, personal data may be transferred to the acquiring or successor entity. We will seek to ensure that any recipient continues to protect personal data consistent with this Privacy Policy.
8.4 No sale or sharing for advertising
Sesori does not sell personal data. Sesori does not share personal data for cross-context behavioral advertising. Sesori does not use personal data for targeted advertising.
9. International data transfers
Sesori and its sub-processors may process personal data in countries outside your own, including jurisdictions outside the European Union or European Economic Area, such as the United States.
Where personal data of individuals in the EU, EEA, or United Kingdom is transferred to a jurisdiction that has not been recognized by the European Commission or the UK Government as providing an adequate level of data protection, we rely on appropriate safeguards permitted under GDPR Chapter V and the UK GDPR. These safeguards are typically the European Commission's Standard Contractual Clauses (SCCs, Decision (EU) 2021/914), together with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement where applicable, and any supplementary measures we consider appropriate.
You may request a copy of the safeguards applied to specific transfers by contacting us at the addresses in Section 2.
10. Data retention
We keep personal data for as long as reasonably needed for the purposes described in this Privacy Policy, taking into account the nature of the data, why it was collected, operational needs, security, legal obligations, and dispute or enforcement needs.
Indicative retention practices:
- Ordinary relay traffic: designed to be routed in encrypted form and is ephemeral from Sesori's perspective
- Voice recordings and generated transcripts: deleted after processing completes, typically within seconds of the processing flow, except to the limited extent reasonably needed for operations, abuse prevention, security, incident response, or legal compliance
- Account and authentication data: retained while your account exists and thereafter for a reasonable period, typically up to 24 months, for security, fraud prevention, legal compliance, dispute handling, or enforcement
- Push notification tokens: retained while needed for notification delivery and removed or allowed to expire when you log out, rotate tokens, uninstall the app, or when the token becomes stale
- Analytics, crash, and diagnostic data: retained according to vendor defaults and our operational needs, typically up to 14 months for analytics events and up to 90 days for crash and error reports
- Support communications: retained for up to 24 months after the issue is resolved, and longer where reasonably needed for follow-up, legal, security, or compliance reasons
- Server and security logs: retained for a limited period, typically up to 90 days, subject to extension where needed for security investigation or legal compliance
When retention is no longer justified, we delete, anonymize, or aggregate the data where feasible.
11. Security
We use measures intended to protect personal data and the Service, including access controls, encryption in transit, authentication controls, logging, monitoring, and operational safeguards.
No method of storage, transmission, or processing is completely secure. We cannot guarantee absolute security.
If we become aware of a personal data breach that creates a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals, in accordance with applicable law.
12. Model training
Sesori will not use your content, including voice recordings and transcripts, to train machine learning or AI models, whether general-purpose or Sesori-specific.
We use third-party AI sub-processors (currently OpenAI and Anthropic) for voice transcription and short text feature processing. Our agreements with these sub-processors prohibit them from using your inputs or outputs processed on our behalf to train their general-purpose or foundation models. We rely on the API and enterprise data processing terms offered by these providers, which include no-training commitments for data submitted through their APIs.
13. Automated decision-making
We do not use your personal data for solely automated decision-making that produces legal or similarly significant effects concerning you within the meaning of Article 22 GDPR.
14. Analytics, diagnostics, and platform tracking controls
The Service currently uses analytics and diagnostic tools in the apps and hosted features, including Firebase Analytics, Firebase Crashlytics, and Sentry, to understand usage, detect failures, and improve reliability.
On iOS, we respect Apple's App Tracking Transparency framework. We do not track you across apps and websites owned by other companies without your permission through the ATT prompt where ATT applies.
On Android, we respect Google's applicable user choice and advertising ID controls.
sesori.com currently does not use cookies or website analytics. If this changes, we will update this Privacy Policy and, where required, provide appropriate consent and controls.
15. Children's privacy
The official Service is not directed to anyone under 16, except where applicable law in your jurisdiction allows valid consent to personal data processing at a lower age (in Bulgaria, the age is 14 under GDPR Article 8). If you are below the age at which you can validly consent to personal data processing under applicable law, you must not use the Service or submit personal data to us.
If you believe someone under the applicable age has provided us personal data, contact us at [email protected] and we will take appropriate steps to delete it.
16. Your privacy rights
Subject to applicable law, you may have the following rights in relation to your personal data.
16.1 Rights under the GDPR and UK GDPR
If GDPR or UK GDPR applies to you, you have the right to:
- access the personal data we hold about you (Art. 15)
- rectify inaccurate or incomplete personal data (Art. 16)
- erase personal data in certain circumstances (Art. 17)
- restrict processing in certain circumstances (Art. 18)
- data portability for data you provided to us where processing is based on consent or contract and is carried out by automated means (Art. 20)
- object to processing based on our legitimate interests (Art. 21)
- withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of processing before withdrawal
- lodge a complaint with your local supervisory authority. If you are in Bulgaria, this is the Commission for Personal Data Protection (Комисия за защита на личните данни). In other EU/EEA member states, contact your national authority
16.2 How to exercise your rights
To exercise any of these rights, contact us by email at [email protected] or [email protected]. We may ask for information needed to verify your identity before responding.
We aim to respond to rights requests within 30 days of receipt, with the possibility of an extension of up to two additional months for complex or numerous requests, consistent with GDPR Article 12. We do not currently offer self-serve in-app privacy rights workflows or in-account deletion flows. Rights requests are handled by email.
17. California privacy notice
This section applies to California residents to the extent required by the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").
We collect and use personal information as described in this Privacy Policy for service operation, security, support, diagnostics, analytics, legal compliance, and related business purposes. The categories of personal information we collect correspond to the data categories described in Section 3.
- Sesori does not sell personal information
- Sesori does not share personal information for cross-context behavioral advertising
- Sesori does not use personal information for targeted advertising
To the extent we process sensitive personal information, we do so only to provide the Service or for closely related security, compliance, fraud-prevention, support, diagnostic, and operational purposes, within the limits permitted by CCPA/CPRA.
California residents may request to know, access, correct, or delete personal information, and may request to limit use of sensitive personal information, by emailing [email protected] or [email protected]. We will respond consistent with CCPA/CPRA, generally within 45 days of a verifiable request, with the possibility of an extension where permitted. We may need to verify your identity before responding. You may also designate an authorized agent to act on your behalf as permitted under California law.
We do not discriminate against California residents for exercising their privacy rights.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will post the updated version through the Service or at sesori.com and update the date at the top of the policy. If a change materially affects how we process your personal data, we will use reasonable efforts to provide additional notice, for example by email or in-app notice, before the change takes effect.
19. Contact us
If you have questions about this Privacy Policy or want to exercise privacy rights, contact:
- [email protected] for general privacy and support matters
- [email protected] for GDPR and data protection rights matters
Digitalblock Labs LTD (Registered in the British Virgin Islands)
EU Representative: Efosoft EOOD (Registered in Bulgaria)