Privacy Policy
Effective date: 12 May 2026
1. Who we are
Seneca is operated by Headers s.r.o., a company registered in the Czech Republic, ID No. 06434967, with its registered office at Radniční 133/1, 370 01 České Budějovice 1, Czech Republic (“we”, “us”, “Headers”). We are the data controller for personal data processed in connection with the Seneca service available at https://senecabot.com (the “Service”).
For any privacy-related question or to exercise your rights, contact us at privacy@senecabot.com.
We have not appointed a Data Protection Officer; privacy matters are handled directly by our management.
2. What this policy covers
This policy explains how we collect, use, share and protect personal data when you visit our website, create a Seneca account, or use the Service. It applies to both account holders (“Customers”) and visitors who interact with a Seneca-powered chat (“End Users”).
3. Personal data we process
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, name, organization name, password hash | Provided by you |
| Knowledge content | Documents, URLs, snippets uploaded into a Knowledge Base | Provided by you |
| Conversation data | Messages exchanged with a Seneca agent, agent responses, citations | Generated through use |
| Usage data | Login times, feature usage, agent activity | Generated through use |
| Technical data | IP address, browser type, device information, error logs | Collected automatically |
| Billing data (when applicable) | Invoicing details, transaction records | Provided by you / payment processor |
We do not intentionally collect special categories of data (health, religion, political opinions, etc.). Please do not upload such data into a Knowledge Base unless you have a lawful basis to do so.
4. Why we process your data and on what legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service (account, agent operation, citations, hosting) | Performance of a contract |
| Authentication and security (magic-link login, abuse prevention) | Performance of a contract / legitimate interest |
| Communication about the Service (transactional emails, service updates) | Performance of a contract |
| Aggregated, anonymized analytics to operate and maintain the Service | Legitimate interest |
| Compliance with legal obligations (tax, accounting, requests from authorities) | Legal obligation |
| Marketing communications (only with explicit opt-in) | Consent |
Important: we do not use Customer Content (uploaded knowledge or conversations) to train any AI model. Customer Content is processed solely to operate the Service for the Customer who provided it.
5. Subprocessors
We rely on the following subprocessors. All process personal data within the European Union under contractual data protection terms (DPA) compliant with the GDPR:
| Subprocessor | Purpose | Region |
|---|---|---|
| Anthropic | Large language model API (chat responses) | EU endpoint |
| Supabase | Database, authentication, file storage | EU |
| Amazon Web Services (AWS) | Underlying cloud infrastructure | EU |
| Vercel | Web application hosting | EU |
| Cloudflare (R2) | Object storage for Knowledge Base files | EU |
| Northflank | Agent runtime container hosting | EU |
| Resend | Transactional email delivery | EU |
| Langfuse | Service observability and tracing | EU |
| Plausible | Privacy-friendly website analytics (no cookies, no personal data) | EU |
We update this list when subprocessors change. Material additions will be communicated in advance.
6. International transfers
We aim to keep all processing within the European Union. Where any subprocessor processes data outside the EU/EEA in exceptional circumstances (for example, disaster recovery), the transfer is governed by Standard Contractual Clauses approved by the European Commission.
7. How long we keep your data
| Data category | Retention period |
|---|---|
| Account data | For the duration of the account |
| Knowledge content | For the duration of the account |
| Conversations | For the duration of the account |
| Technical and security logs | Up to 90 days |
| Billing and accounting records | As required by Czech tax law (typically 10 years) |
When you close your account, we keep your data for a 30-day grace period (in case of accidental deletion or recovery). After 30 days, your data is permanently deleted from active systems. Backup copies are overwritten in our regular backup rotation.
8. How we share data
We do not sell personal data. We share personal data only with:
- our subprocessors (listed above), strictly to operate the Service;
- public authorities, when required by law and only to the extent legally necessary;
- a successor entity in the event of a corporate transaction (merger, sale of assets), in which case continuity of this Privacy Policy will be ensured.
9. Your rights
You have the following rights under the GDPR:
- Access - request a copy of personal data we hold about you.
- Rectification - correct inaccurate or incomplete data.
- Erasure - request deletion of your data.
- Restriction - ask us to limit processing in certain cases.
- Portability - receive your data in a structured, machine-readable format.
- Objection - object to processing based on our legitimate interest.
- Withdraw consent - where processing is based on consent, you can withdraw it at any time.
- Lodge a complaint with a supervisory authority - for the Czech Republic, this is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, www.uoou.cz).
To exercise any of these rights, email privacy@senecabot.com. We will respond within 30 days.
10. Children
The Service is not directed at children under 16. If you are under 16, please do not create an account or upload personal data. If we learn that we have collected data from a child under 16 without proper consent, we will delete it promptly.
11. Cookies and similar technologies
We use only functional cookies required for the Service to work (for example, your login session). We do not use advertising or tracking cookies.
For website analytics we use Plausible, which does not set cookies and does not collect personal data. It only counts anonymous page views.
12. Security
We protect personal data with industry-standard measures: encryption in transit (TLS), encryption at rest, access controls, audit logging, and least-privilege database permissions. No system is perfectly secure - if we detect a personal data breach affecting you, we will notify you and the supervisory authority within the timeframes required by law.
13. Changes to this Policy
We may update this Privacy Policy from time to time. If changes are material, we will notify Customers by email at least 30 days before they take effect, and post the new version on our website with the updated effective date.
14. Contact
Headers s.r.o.
Radniční 133/1, 370 01 České Budějovice 1, Czech Republic
ID No. 06434967
Email: privacy@senecabot.com