Privacy Policy

Effective date: May 1, 2026

1. Introduction

This Privacy Policy explains how Eido Studios, Inc. ("Company," "we," "us," or "our") collects, uses, discloses, and otherwise processes Personal Data in connection with our website (the "Site") and our in-product feedback and analytics platform (the "Services"). If you are a Customer or Visitor, your use of or access to the Site or Services indicates your acknowledgment of the practices described in this Privacy Policy. If you are a User of a Customer's application, the Customer is responsible for providing you with any required privacy notices and obtaining any necessary consents on your behalf. Our processing of your data in that context is governed by our agreement with the Customer. When you signed up for the Services, you entered into an agreement with Eido Studios' terms of use for the Services, which includes obligations in this Privacy Policy (the "Agreement").

Sideband is an in-product feedback platform for software teams. It enables customers to define event-based triggers, collect in-app feedback from users, and analyze those responses using analytics and AI-assisted summarization to better understand user behavior and improve their products.

Table of Contents

1. Introduction
2. Personal Data We Collect
3. How We Collect Personal Data
4. How We Use Personal Data
5. How We Disclose Personal Data
6. Data Retention
7. Data Security
8. International Data Transfers
9. Privacy Rights
10. Children's Information
11. Changes to This Privacy Policy
12. Contact Information

Roles and Scope

To help clarify how this Privacy Policy applies:

• Customers are businesses that use our Services.
• End Users are individuals who interact with our Customers' applications where our Services are implemented.
• Visitors are individuals who visit our Site or interact with us directly.

In many cases, particularly when data is collected through our SDK or integrations, we act as a service provider or processor on behalf of our Customers. This means:

• The Customer determines what data is collected and why.
• The Customer is responsible for providing any required notices and obtaining consent from Users.
• Our processing of that data is governed by our agreements with the Customer.

As a result, if you are a User of one of our Customers' applications, the Customer's privacy policy will generally apply to your data in the first instance.

Where we process Personal Data on behalf of Customers, such processing is governed by our Data Processing Addendum ("DPA"), available at https://sideband.ai/docs/dpa

2. Personal Data We Collect

We collect different types of Personal Data depending on how you interact with us whether as a Customer, User, or Visitor.

2.1 Data Collected from Customers

When a business signs up for and uses our Services, we collect information necessary to create and manage accounts, deliver the Services, and support the relationship. This may include:

• Contact Data, such as name, email address, phone number, and business mailing address.
• Account and Profile Data, including usernames, passwords, company name, role or title, and workspace-related metadata.
• Billing and transaction information, such as billing address and payment-related details (note that payment card information is typically processed by third-party providers).
• Commercial Data, including purchase history, subscription details, and usage patterns.
• Device Data, such as device identifiers, operating system, and browser type.
• Analytics and Usage Data, including IP-based geolocation, pages visited, session duration, feature usage, and interaction events.
• User-Generated Content, such as survey responses, feedback, or messages submitted through the Services.

For example, when a Customer administrator creates an account, we may collect their email address and company name, and when they use the platform, we may collect information about which features they view or use.

2.2 Data Collected from End Users (on Behalf of Customers)

When our Services are implemented within a Customer's application, we process data on behalf of our Customers about their End Users, based on the Customer's configuration. This typically includes:

• Demographic Data, such as language preferences.
• Device data, such as device identifiers, operating system, and device type.
• Analytics and Usage Data, such as events triggered within the application, screens viewed, and session activity.
• Location Data, typically derived from IP address (e.g., approximate geographic region).
• User-Generated Content, such as responses to in-app surveys or feedback prompts.
• Inferred data, such as general behavior patterns derived from usage.

We do not independently determine what End User data is collected; instead, this is controlled by the Customer through their SDK implementation and configuration, and we process such data solely on their behalf.

2.3 Data Collected from Visitors

When you visit our website or interact with us directly, we may collect:

• Analytics and Usage Data, such as IP address, browser type, device information, pages viewed, and session duration.
• Contact Data, such as name, email address, phone number, and business mailing address, if you choose to provide it (for example, by filling out a form or contacting us).

For example, if you submit a demo request form, we may collect your name, email address, and company information.

3. How We Collect Personal Data

We collect and process Personal Data (including, in many cases, on behalf of our Customers) about you from the following categories of sources:

• Directly from you when you provide us with such information.
  • When you create an account or use our interactive tools and Services
  • When you voluntarily provide information in free-form text boxes through the Services or through responses to surveys or questionnaires.
  • When you send us an email or otherwise contact us.
• Automatically when you or a Customer's End Users interact with the Services (including data processed on behalf of our Customers).
  • Through technologies such as cookies, SDKs, and analytics tools when you interact with our Site or Services.

Cookies and Tracking Technologies

The Services use cookies and similar technologies such as pixel tags, web beacons, clear GIFs and JavaScript (collectively, "Cookies") to enable our servers to recognize your web browser, tell us how and when you visit and use our Services, analyze trends, learn about our user base and operate and improve our Services. Cookies are small pieces of data – usually text files – placed on your computer, tablet, phone or similar device when you use that device to access our Services. We may also supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s).

Your browser may offer a "Do Not Track" (DNT) setting. Our Services do not currently respond to DNT signals, as there is no industry-wide standard for how such signals should be interpreted. We are monitoring our obligations with respect to Global Privacy Control (GPC) signals and will update our practices as applicable law requires.

We use cookies and similar technologies to operate and improve our Site and Services. At this time, we use only essential cookies. Descriptions of additional cookie types we may use in the future are provided below for reference.

• Essential Cookies. Essential Cookies are required for providing you with features or services that you have requested. For example, certain Cookies enable you to log into secure areas of our Services. Disabling these Cookies may make certain features and services unavailable.
• Functional Cookies. Functional Cookies are used to record your choices and settings regarding our Services, maintain your preferences over time and recognize you when you return to our Services. These Cookies help us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Performance/Analytical Cookies. Performance/Analytical Cookies allow us to understand how visitors use our Services. They do this by collecting information about the number of visitors to the Services, what pages visitors view on our Services and how long visitors are viewing pages on the Services.

You can decide whether or not to accept Cookies through your internet browser's settings. Most browsers have an option for turning off the Cookie feature, which will prevent your browser from accepting new Cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new Cookie in a variety of ways. You can also delete all Cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit our website and some of the Services and functionalities may not work.

4. How We Use Personal Data

4.1 Customer Data

We use Personal Data from Customers as agreed to in the Agreement and for the following purposes that help provide, customize, and improve the Services:

• Providing access to the platform and managing accounts
• Processing orders or other transactions and administering subscriptions
• Providing the products, services, or information requested
• Meeting or fulfilling the reason you provided the information to us
• Providing customer support and troubleshooting
• Improving the Services, including testing, research, internal analytics and product development.
• Doing fraud protection, security and debugging.
• Carrying out other business purposes stated when collecting your Personal Data or as otherwise set forth in applicable data privacy laws, such as the California Consumer Privacy Act (the "CCPA").
• Marketing and selling the Services (for Customers and Visitors only)
• Correspondence, such as sending emails and other communications according to User preferences or that display content that we think will interest User.

We may use information in aggregated or de-identified form for purposes such as research, analytics, modeling, and improving our Services. Where information has been aggregated or de-identified, we will take reasonable steps to ensure it cannot reasonably be used to identify any individual. Customers are prohibited under our Agreement from submitting Sensitive Data through the Services.

You may opt out of receiving marketing communications from us by using the unsubscribe link in our emails or adjusting your account preferences where available.

4.2 End User Data (Processed on Behalf of Customers)

We process End User data strictly on behalf of our Customers and in accordance with their instructions. This includes:

• Processing Personal Data as necessary to provide the Services on behalf of our Customers
• Meeting or fulfilling the reason you provided the information to us.
• Providing support and assistance for the Services.
• Carrying out other business purposes stated when collecting your Personal Data or as otherwise set forth in applicable data privacy laws, such as the California Consumer Privacy Act (the "CCPA").

We do not use this data to build profiles across customers or for advertising purposes.

How We Use Data to Improve Our Services. We use Personal Data solely to provide the Services on behalf of our Customers. Where we use data to improve, analyze, or develop the Services, we do so only using aggregated or de-identified data that cannot reasonably be used to identify any individual or Customer. We do not use Personal Data to train artificial intelligence or machine learning models, build profiles across Customers, or serve advertising of any kind.

Because we process End User data solely at the direction of our Customers, End Users who wish to limit or stop the collection of their Personal Data should contact the Customer directly. The Customer controls how our Services are implemented within their application and is responsible for any notices, consents, and privacy rights requests relating to End Users under applicable law.

4.3 Visitor Data

We use data collected from Visitors to help provide, customize, and improve the services, and it includes:

• Processing orders or other transactions; billing
• Providing the products, services, or information requested
• Meeting or fulfilling the reason you provided the information to us.
• Providing support and assistance for the Services.
• Doing fraud protection, security and debugging.
• Maintain the security and integrity of our systems
• Marketing and selling the Services (for Customers and Visitors only)
• Carrying out other business purposes stated when collecting your Personal Data or as otherwise set forth in applicable data privacy laws, such as the California Consumer Privacy Act (the "CCPA").

5. How We Disclose Personal Data

We disclose your Personal Data to the categories of service providers and other parties listed in this section.

• Services Providers. These parties help us provide the Services or perform business functions on our behalf. They include:
  • Cloud hosting and infrastructure providers
  • Analytics and monitoring providers
  • Security and fraud prevention services
  • Customer support platforms
  • Communication and notification providers
  • AI/ML processing tools: used solely to provide analytics and summarization features within the Services. These providers process only aggregated or de-identified data for service improvement purposes and are contractually prohibited from using Customer or End-User Personal Data to train machine learning models or for any purpose beyond providing the Services.
  • Payment Processors
• Business Partners. These parties partner with us in offering various services. They include:
  • Our affiliates, which may use your information for any of the purposes described in this Privacy Policy.
• Parties You Authorize, Access, or Authenticate.
  • Third Parties: You may choose to create an account or sign in to our Services using third-party authentication providers, such as Identity / authorization providers (SSO)

These providers process data on our behalf and are subject to contractual obligations to protect it.

For more information about the service providers we use, you may request a copy of our current Subprocessor List by contacting us.

Legal Obligations

Each of the categories of Personal Data may be collected, used, and disclosed with the government, including law enforcement, or other parties to meet certain legal requirements and enforcing legal terms including: fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities; protecting the rights, property or safety of you, Eido Studios or another party; enforcing any agreements with you; responding to claims that any posting or other content violates third-party rights; and resolving disputes. We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated or incompatible purposes without providing you notice or obtaining your consent.

Business Transfers

All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part).

Aggregated or De-Identified Data

We may use and share data that has been aggregated or de-identified so that it no longer identifies any individual, for purposes such as research, analytics, and product improvement.

No Sale or Advertising Use

We do not sell Personal Data, share Personal Data with advertising networks for cross-context behavioral advertising, or disclose Personal Data to any third party for the purpose of training artificial intelligence or machine learning models. Where we share data with AI/ML service providers, such sharing is limited to aggregated or de-identified data and is governed by contractual restrictions consistent with this Privacy Policy.

6. Data Retention

We retain Personal Data only for as long as necessary to provide the Services, operate and improve our business, comply with legal obligations, and resolve disputes.

Because we generally process End User Personal Data on behalf of our business customers, retention of that data is primarily determined by the customer. In these cases, we retain Personal Data for the duration of the customer relationship and in accordance with the customer's instructions, as needed to provide, secure, support, and improve the Services. This may include Customer account and workspace information, event and usage data collected through our SDK or APIs, survey responses and feedback, system logs and diagnostic data, and AI-generated outputs such as summaries or insights derived from customer-provided data.

When a customer relationship ends, we will delete or return Personal Data in accordance with the applicable agreement, unless we are required to retain it for legal, security, or legitimate business purposes such as auditing or dispute resolution. Some data may remain in backups for a limited period before being securely deleted.

We may also retain aggregated or de-identified data for longer periods, provided it can no longer reasonably be used to identify an individual, and may be used for analytics and improving the Services.

7. Data Security

We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.

8. International Data Transfers

The Services are operated and hosted in the United States by Eido Studios and its service providers. If you are located outside the United States, your Personal Data may be transferred to, stored in, and processed in the United States and other countries where we or our service providers operate. These jurisdictions may have data protection laws that are different from those in your country of residence. Where required by applicable law, we will take steps designed to ensure that international transfers of Personal Data are made in accordance with applicable legal requirements. By using the Services, you understand that your Personal Data may be transferred to jurisdictions outside of your location as described in this Privacy Policy.

9. Privacy Rights

Certain jurisdictions provide individuals with specific rights regarding their Personal Information. We will comply with applicable legal requirements and honor valid requests made in accordance with those laws.

Nevada Resident Rights

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties. You can exercise this right by contacting us at privacy@sideband.ai with the subject line "Nevada Do Not Sell Request" and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A.

Depending on your location, you may have certain rights regarding your Personal Data.

California Residents

Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Data to third parties for such third parties' direct marketing purposes; in order to submit such a request, please contact us at privacy@sideband.ai.

Your browser may offer you a "Do Not Track" option, which allows you to signal to operators of websites and web applications and services that you do not wish such operators to track certain of your online activities over time and across different websites. Our Services do not support Do Not Track requests at this time. To find out more about "Do Not Track," you can visit http://www.allaboutdnt.com/.

California Consumer Privacy Act

This section applies to California residents and describes our data collection practices in accordance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

The table below describes the Personal Information we collect when you use our Services as a customer or prospective customer, or when you visit our Site. The sources of this Personal Information are described in the "How We Collect Personal Data" section above, and the purposes for which we use it are described in the "How We Use Personal Data" section above.

Privacy Rights for California Residents

Under the California Consumer Privacy Act ("CCPA"), California residents have specific rights regarding their Personal Information. This section describes those rights and explains how California residents may exercise them.

The rights described below may apply to California residents under the CCPA.

• Right to Access: You may request information about the Personal Information we collect, use, and share about you. We will also explain how we process your data and any limitations on fulfilling your request.
• Right to Data Portability: You may request a copy of your Personal Information in a portable format, where technically feasible.
• Right to Delete: You may request that we delete Personal Information we have collected from you, subject to certain legal exceptions. If applicable, we will also ask our service providers to delete it.
• Right to Opt-Out of Sale or Sharing: You may opt out of the "sale" or "sharing" of your Personal Information, as defined under the CCPA. If this applies, you can exercise this right through the mechanisms we provide in the Services or by contacting us.
• Right to Correct: You may request that we correct inaccurate Personal Information we maintain about you.
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights.

Access, Correction, and Deletion of Personal Information

Customers

Customers may access, update, correct, or delete their account and workspace information through their account settings or by contacting us at privacy@sideband.ai

End Users

Where we process Personal Information on behalf of a business customer, End Users should generally direct requests to that customer, as the customer is responsible for responding to privacy rights requests under applicable law.

If we receive a request directly from an End User, we may either:

• refer the request to the relevant customer, and/or
• provide assistance to the customer in responding, where required by law or our agreement.

We will support our customers in responding to valid privacy requests as required by applicable law.

Privacy Rights for European Economic Area, United Kingdom, and Switzerland

If you are located in the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland, you may have certain rights under applicable data protection laws, including the GDPR, UK GDPR, and Swiss FADP, subject to applicable limitations and exceptions.

Our Role and Legal Bases

We process Personal Data in two distinct contexts:

(A) When we act as a controller (for example, when you visit our website, create or manage an account, or communicate with us directly), we determine the purposes and means of processing your Personal Data.

In these cases, we rely on the following legal bases:

• Contractual necessity: where processing is necessary to provide the Services, manage your account, or perform our agreement with you.
• Legitimate interests: where processing is necessary for our legitimate business interests, such as operating, securing, improving, and developing our Services, provided those interests are not overridden by your data protection rights.
• Legal obligation: where processing is necessary to comply with applicable legal or regulatory requirements.

(B) When we act as a processor/service provider (for example, when we process End User data submitted through our SDK or APIs on behalf of our customers), we process Personal Data only on the instructions of our customers. In these cases, our customers are responsible for determining the appropriate legal basis for processing.

Privacy Rights

Subject to applicable law, you may have the following rights regarding your Personal Data:

• Access: You may request information about the Personal Data we process about you and obtain a copy of such data.
• Rectification: You may request correction of inaccurate or incomplete Personal Data.
• Erasure: You may request deletion of your Personal Data, subject to legal and contractual retention obligations.
• Restriction: You may request that we restrict processing of your Personal Data in certain circumstances.
• Portability: You may request a copy of your Personal Data in a structured, commonly used, and machine-readable format.
• Objection: You may object to processing based on legitimate interests, including for direct marketing purposes where applicable.
• Withdrawal of consent: Where processing is based on consent, you may withdraw consent at any time.

To exercise your rights, please contact us at: privacy@sideband.ai

We may need to verify your identity before responding to your request. In some cases, we may not be able to fully comply with a request due to legal obligations, technical limitations, or where processing is performed on behalf of a customer.

Right to File Complaint: You have the right to lodge a complaint about Eido Studios' practices with respect to your Personal Data with the supervisory authority of your country or EU Member State. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en.

10. Children's Information

We do not knowingly or intentionally gather Personal information about children who are under the age of 16. If you become aware that a child has provided us with Personal Information, a child has provided us with Personal Information, a parent or guardian of that child may contact us at privacy@sideband.ai to have the information deleted from our records. If we learn that we have inadvertently collected the Personal Information of a child under 16, or equivalent minimum age depending on jurisdiction, we will take steps to delete the information as soon as possible and cease the use of that information in accordance with applicable law.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Effective Date" indicates when it was last revised. If we make material changes, we may provide additional notice, such as by email or through the Services.

12. Contact Information

If you have questions about this Privacy Policy or wish to exercise your rights, you can contact us at:

Email: privacy@sideband.ai

Address: 350 10th Ave, Suite 1000, San Diego, CA 92101

Website: https://sideband.ai/