Privacy Policy

Last updated: September 2025

This privacy policy explains how FTRE.co (trading as “Sayra”), operated by Jonathan Lafer, processes personal data. We are based in the Netherlands and process data in accordance with the General Data Protection Regulation (GDPR / AVG) and Dutch law.

1. Who is the data controller?

Controller:

Jonathan Lafer, trading as FTRE.co / Sayra

Denneweg, 2514 CB, The Hague, Netherlands

KvK: 96260238

Email: [email protected] | [email protected]

We are not currently required to appoint a Data Protection Officer. For all privacy matters, please use the contact details above.

2. Scope

This policy applies to:

Visitors to our website.
Users of the Sayra platform.
Clients engaging us for services.
Individuals filmed or recorded for avatar creation (with explicit consent).
Persons contacting us via email or WhatsApp.

3. Categories of personal data we process

Identification & contact: name, email address, phone number.
Account & billing: login identifiers, payment info (handled by Stripe), invoices, usage records.
Avatar-related data (special category): voice and video recordings for avatar creation and operation; associated prompts/scripts.
Platform usage: session identifiers, feature usage metrics, timestamps, error/log data.
Communications: inquiries, support requests, email content, WhatsApp messages.
Marketing & preferences: newsletter opt-ins, interests you tell us about.
Website & device data: IP address, device/browser info, cookie IDs, analytics events.
Knowledge assets (client-provided): documents, FAQs, guidelines provided for integration with the platform.

Special category data (biometric). Voice and video recordings may constitute biometric data. These are only processed with explicit consent, obtained during filming/recording and documented.

4. Sources

Directly from you (sign-up, inquiry, filming/recording sessions, support).
Your organization (if your employer is our customer).
Automatically via cookies/analytics when you use our website/platform.
Third-party tools that you or we connect (e.g., OpenAI, HeyGen, ElevenLabs, Suno, WhatsApp, Stripe, Brevo, Google Analytics).

5. Purposes and legal bases

Purpose	Examples	Legal basis (GDPR)
Provide & operate the platform	Account creation, access control, running avatars, voice/video/knowledge functions	Art. 6(1)(b) contract
Create & display avatars	Filming/recording sessions; rendering avatars; voice synthesis	Art. 6(1)(a) consent for special categories via Art. 9(2)(a)
Process inquiries & support	Emails, WhatsApp, contact forms	Art. 6(1)(b) contract or Art. 6(1)(f) legitimate interests (to respond)
Billing & payments	Usage tracking, invoicing, tax records	Art. 6(1)(b) contract, Art. 6(1)(c) legal obligation (tax)
Platform improvement & safety	Diagnostics, debugging, preventing abuse	Art. 6(1)(f) legitimate interests
Marketing communications	Newsletters, updates	Art. 6(1)(a) consent (opt-in; may withdraw anytime)
Analytics & cookies	Measuring traffic/UX	Art. 6(1)(a) consent (via Complianz)
Compliance	Responding to lawful requests	Art. 6(1)(c) legal obligation

6. Cookies and tracking

We use the Complianz consent banner to collect and manage your choices. Categories:

Strictly necessary (session/auth, security).
Analytics (e.g., Google Analytics).
Marketing (where applicable).

You can change or withdraw consent at any time via the cookie settings on our site. Use of Google Analytics and Google Fonts may transmit your IP address and device info to Google.

7. Third-party recipients and international transfers

We rely on third-party providers to deliver parts of the service. Some are located outside the EEA, meaning your data may be transferred internationally. Where applicable, transfers are subject to Standard Contractual Clauses (SCCs) or other safeguards provided by the vendor. Key providers:

Hosting & infrastructure: DigitalOcean (EU – Amsterdam).
AI/video/voice/music: HeyGen (video avatars), OpenAI (conversation, TTS, vision), ElevenLabs (voice), Suno (music).
Analytics and website: Google Analytics, Google Fonts, Complianz (consent).
Communications: WhatsApp Business (Meta), Brevo (email).
Payments: Stripe (as independent controller for payment data).

Because these providers may process data outside the EU and under their own terms, we cannot guarantee absolute confidentiality once content is transmitted to their APIs. We minimize shared personal data where feasible (pseudonymization/anonymization).

8. Retention

We keep personal data only as long as necessary for the purposes listed above or as required by law:

Conversation/chat content: up to 7 days by default, unless you request longer retention.
Avatar recordings & knowledge bases: for the duration of the client relationship or until consent is withdrawn.
Account and support records: typically 24 months after last activity.
Marketing subscriptions: until withdrawal of consent or after 24 months of inactivity.
Server logs & diagnostics: typically 90 days.
Invoices, payments, and tax data: 7 years (Dutch fiscal retention duty).

Backups and archival copies are purged on rolling schedules.

9. Your rights (EU/Netherlands)

You have the right to:

Access your data.
Rectify inaccurate or incomplete data.
Erase data (“right to be forgotten”).
Restrict processing.
Data portability.
Object to processing based on legitimate interests and to direct marketing.
Withdraw consent at any time (cookies, marketing, biometric/filming).
Lodge a complaint with the Autoriteit Persoonsgegevens (Dutch DPA).

To exercise rights, email [email protected] or [email protected]. We may verify your identity before fulfilling requests.

10. Children

Our services are intended for professional/business use and are not directed at children under 16. We do not knowingly process children’s data without parental consent.

11. Automated decision-making and profiling

We do not make legal or similarly significant decisions based solely on automated processing. AI services are used to generate conversational responses, voice/video rendering, and content generation, but human-meaningful decisions are not made automatically.

12. Security

We implement reasonable technical and organizational measures (access controls, encryption, monitoring, least-privilege administration). Despite safeguards, no system is perfectly secure, especially where data is transmitted to external AI APIs outside our control.

13. Data breaches

In the event of a personal data breach, we will assess risk and, where required, notify the Dutch DPA within 72 hours and affected individuals without undue delay, in line with Articles 33–34 GDPR.

14. Payments

Payments are processed by Stripe. Stripe acts as an independent controller for certain payment data. We only receive limited billing identifiers and transaction metadata for invoicing.

15. Communications and WhatsApp

If you contact us via email or WhatsApp Business, we will use your information to respond. WhatsApp (Meta) processes data under its own terms and may transfer data outside the EEA. Please do not share sensitive information over messaging apps.

16. Use of AI providers and confidentiality of chats

For avatar operation and related features, conversation content may be transmitted to third-party AI providers (e.g., OpenAI, HeyGen, ElevenLabs, Suno). Chats should not be treated as confidential communications, and we encourage you not to share sensitive personal data in prompts or sessions unless strictly necessary. We do not intentionally use your conversation content to train our own models.

17. International transfers

Where data is transferred outside the EEA, we rely on safeguards such as SCCs or vendor participation in adequacy frameworks. You may request information about specific transfer safeguards by contacting us.

18. Changes to this policy

We may update this policy to reflect changes in our services, providers, or legal requirements. The latest version will appear here with the “Last updated” date. Where changes materially affect your rights, we will provide additional notice.

19. Contact

Questions, requests, or complaints about this policy: