Sierra RealtimeSierra Realtime

Privacy Policy

Last updated: January 1, 2026

Sierra Realtime ("we", "us", "our") is operated by Epic Essentials. This policy explains what personal information we collect when you use the Sierra Realtime platform (web app, mobile apps, desktop apps, and the API), why we collect it, how it's used, who it's shared with, and the rights you have over it.

1. Information we collect

1.1 Information you provide

  • Account profile — email address, display name, avatar, time zone, job title (optional), and password (stored as a bcrypt hash, never in plaintext).
  • Organization data — the organization name and any settings you configure (branding, retention rules, custom roles, etc.).
  • Communications — messages you send in chats and channels, recordings you choose to capture, transcripts produced by our AI services when you opt in, files you upload, whiteboard strokes, and meeting metadata (room name, scheduled time, participants).

1.2 Information we collect automatically

  • Usage telemetry — IP address, browser/OS user-agent, pages visited, timestamps, request latency, and error reports. Used for security (rate limiting, anomaly detection) and to improve the product.
  • Real-time media — during a call we transmit audio + video through our SFU (LiveKit). Media is end-to-end encrypted between you and the SFU; we don't keep media on disk unless you explicitly start a recording.
  • Push tokens — APNs / FCM device tokens you provide so the app can ring you for incoming calls. Tied to your user account.

1.3 Information from third parties

If you log in via Google, Microsoft, or another SSO/SAML provider, we receive your name, email, and any group claims your IT admin maps to roles in our app. If you connect a SaaS integration (Slack, Jira, etc.), we store an OAuth access/refresh token scoped to that integration's API.

2. How we use your information

  • To deliver the service (route calls, store messages, transcribe audio, etc.).
  • To authenticate you, enforce access controls, and detect abuse.
  • To send transactional emails (meeting invites, password resets, alerts).
  • To debug errors and improve performance.
  • To comply with legal obligations (subpoenas, retention rules, eDiscovery).

We do not sell personal information. We do not use your message content, recordings, or transcripts to train any third-party model. AI features run on infrastructure controlled by your organization (or, when the platform-hosted option is enabled, on Sierra Realtime's own infrastructure — never delegated to a third-party LLM provider for training).

3. Sharing & sub-processors

We share data only with sub-processors who help us deliver the service:

  • Cloud infrastructure — AWS / Hetzner / your own self-hosted servers, depending on deployment model.
  • Object storage — MinIO / S3 / your own — for recordings, uploads, and avatars.
  • Email — your configured SMTP relay (per-org override available).
  • Push delivery — Apple (APNs) for iOS, Google (FCM) for Android. Tokens only; message content is end-to-end-fetched by the app.
  • Bot defense — Cloudflare Turnstile during signup. Cloudflare receives your IP and a challenge token, never your account data.
  • Analytics & observability — internal Prometheus / Grafana / Loki / Tempo. No third-party analytics SDKs run in the app.

A current list of sub-processors is available on request to legal@epicessentials.xyz.

4. International transfers

If you're in the EEA, UK, or Switzerland and your organization's deployment is hosted outside that region, we rely on the EU Standard Contractual Clauses (SCCs) to transfer your personal data lawfully. Our DPA (linked at the top of this page) incorporates the SCCs by reference.

5. Retention

Recordings, transcripts, and chat messages are retained per your organization's policy (admin-configurable in Admin → Compliance). Account profile data is retained for the lifetime of your account; you can request deletion at any time (see Section 7). Audit logs are retained for a minimum of 90 days for security forensics.

6. Security

TLS 1.2+ in transit. Bcrypt-hashed passwords. AES-256 envelope encryption for object storage with optional bring-your-own-key (BYOK) integration. Tenant isolation is enforced at the application layer with row-level org scoping plus optional information-barrier rules. We have an annual third-party security review and run continuous dependency vulnerability scanning. Full details: DPA, Annex II.

7. Your rights

Subject to applicable law (GDPR for EEA/UK residents, CCPA/CPRA for California residents, PIPEDA for Canadian residents, LGPD for Brazilian residents), you have the right to:

  • Access — download your account data via Settings → Data export.
  • Correct — edit your profile in-app at any time.
  • Delete — delete your account via Settings → Danger Zone → Delete account. We honor deletion requests within 30 days unless we're required to retain data for a legal hold.
  • Object / restrict / port — email privacy@epicessentials.xyz.
  • Lodge a complaint — with your local supervisory authority (e.g. the ICO in the UK, your DPA in the EEA).

8. Children

Sierra Realtime is not directed to children under 16. We don't knowingly collect personal information from children. If you believe a child has created an account, contact privacy@epicessentials.xyz and we'll remove it.

9. Changes to this policy

We'll post any material changes here and notify you in-app at least 30 days before they take effect. Continued use of the service after the effective date means you accept the updated policy.

10. Contact

Privacy questions: privacy@epicessentials.xyz
Data Protection Officer: dpo@epicessentials.xyz
General legal: legal@epicessentials.xyz