Plain-Language Summary: Sidekik AI, a product of HOLLER AI LLC, operates a private AI assistant platform. Your data is hosted on dedicated infrastructure assigned to your organization. We do not use your data to train AI models. We do not sell your data. You own your data. This policy explains exactly what we collect, why, and how it is protected.
HOLLER AI LLC, the maker of Sidekik AI ("SideKik," "we," "us," or "our"), is a software company incorporated in the United States that provides a private, enterprise-grade AI assistant platform accessible at https://sidekikai.com. Our platform enables organizations to deploy a dedicated AI assistant that ingests their proprietary data, connects to their business applications, and provides intelligent, context-aware responses — all within a privately hosted environment.
This Privacy Policy describes how Sidekik AI, a product of HOLLER AI LLC, collects, uses, stores, shares, and protects personal information and organizational data in connection with our website, platform, and related services (collectively, the "Services").
If you are a customer organization ("Customer"), this policy governs both your use of our platform and the personal data of your end users ("End Users") that may be processed through our Services. If you are an individual visiting our website, this policy governs the limited information we collect about your visit.
When you register for a SideKik account or request a demo, we collect:
When you use the SideKik platform, we may collect:
As part of the onboarding process, Customers may upload or connect the following types of organizational data to their private SideKik instance:
Important: All corporate data is stored exclusively within your organization's dedicated, private infrastructure instance. It is not commingled with data from other customers, not accessible to SideKik employees without your explicit authorization, and not used for any purpose other than powering your private AI assistant.
When you visit sidekikai.com, we collect standard web analytics data including page views, referral sources, browser type, and approximate geographic location. See our Cookie Policy for details.
We use the information we collect for the following purposes:
| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Providing and operating the Services | Contract performance | Account info, usage data, corporate data |
| Account authentication and security | Legitimate interest / Contract | Email, IP, device info |
| Billing and payment processing | Contract performance | Billing info (via Stripe) |
| Customer support and onboarding | Contract performance | Account info, support tickets |
| Service improvement and debugging | Legitimate interest | Anonymized usage/error logs |
| Legal compliance and fraud prevention | Legal obligation / Legitimate interest | IP, account info, logs |
| Marketing communications (opt-in only) | Consent | Email address |
| A2P messaging (SMS notifications) | Consent (explicit opt-in) | Phone number |
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
Each SideKik customer receives a fully isolated deployment consisting of:
When corporate data is ingested into SideKik, the following process occurs entirely within your private instance:
When an End User submits a query to SideKik:
Note on AI Model Providers: When using cloud-based AI models (e.g., Anthropic Claude, OpenAI GPT), queries and context are transmitted to those providers' APIs under their respective data processing agreements. SideKik configures these connections with data processing addenda (DPAs) where available. Customers may opt for fully self-hosted, open-source models (e.g., Llama, Mistral via Ollama) to eliminate all external data transmission.
Conversation logs are stored in your private Supabase database. Customers control retention periods and can configure automatic deletion. SideKik staff cannot access conversation logs without explicit written authorization from the Customer administrator.
Application-to-Person (A2P) messaging refers to SMS or MMS messages sent from our platform to your registered phone number for purposes such as two-factor authentication (2FA), account alerts, and service notifications.
We only send A2P messages to users who have explicitly provided consent. Consent is obtained through:
SideKik may send the following types of A2P messages:
Message frequency varies by account activity. Standard carrier message and data rates may apply.
You may opt out of A2P messaging at any time by:
SideKik complies with the Telephone Consumer Protection Act (TCPA) and all applicable state and federal regulations governing A2P messaging. We maintain records of consent for a minimum of five (5) years. We do not use automated dialing systems for marketing purposes without prior express written consent.
SideKik's A2P messaging campaigns are registered with The Campaign Registry (TCR) under the 10-Digit Long Code (10DLC) framework as required by U.S. mobile carriers. Our registered use cases include: account notifications, two-factor authentication, and customer care.
When a Customer connects their Google Workspace account to SideKik via our Google Cloud integration, the following applies:
Depending on the features enabled, SideKik may request the following Google OAuth scopes:
| Scope | Purpose | Required |
|---|---|---|
| gmail.readonly | Read email for AI context retrieval | Optional |
| gmail.send | Send drafted email responses | Optional |
| calendar.readonly | Read calendar events for scheduling context | Optional |
| calendar.events | Create/update calendar events | Optional |
| drive.readonly | Read Drive files for document ingestion | Optional |
| drive.file | Create/modify files in Drive | Optional |
SideKik's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
Customers can revoke SideKik's access to their Google account at any time by visiting Google Account Permissions or through the SideKik integrations settings panel. Upon revocation, all stored OAuth tokens are immediately deleted from your SideKik instance.
SideKik uses Model Context Protocol (MCP) servers to establish secure, authenticated connections between your private AI instance and your business applications. Each MCP server operates as a bridge that:
The following integrations may be configured by Customers. Data accessed is governed by the respective third-party application's terms and the Customer's authorization:
| Integration | Data Types Accessed | Data Stored in SideKik |
|---|---|---|
| Google Workspace | Email, Calendar, Drive, Contacts | Encrypted OAuth token; query results cached temporarily |
| Microsoft 365 | Outlook, Teams, OneDrive, SharePoint | Encrypted OAuth token; query results cached temporarily |
| Salesforce / HubSpot | CRM records, contacts, deals, activities | Encrypted API key; query results cached temporarily |
| Toast POS | Sales data, orders, menu items, labor | Encrypted API key; query results cached temporarily |
| Sling / Scheduling Tools | Schedules, shifts, employee records | Encrypted API key; query results cached temporarily |
| QuickBooks / Stripe | Financial records, invoices, transactions | Encrypted API key; query results cached temporarily |
| Custom MCP Integrations | Defined by Customer configuration | Encrypted credentials; query results cached temporarily |
SideKik is not responsible for the privacy practices of third-party applications you connect to your instance. We encourage you to review the privacy policies of all connected applications. SideKik acts as a data processor with respect to data retrieved from third-party integrations; the Customer remains the data controller.
All API keys, OAuth tokens, and credentials stored for integration purposes are encrypted at rest using AES-256 encryption. Credentials are stored exclusively within your dedicated Supabase instance and are never transmitted to SideKik's central systems.
Customers control the retention period for all data stored within their private SideKik instance, including:
Default retention periods are configurable through the SideKik administration panel. Customers may set automatic deletion schedules ranging from 30 days to indefinite retention.
Upon termination of a SideKik subscription:
End Users may request deletion of their personal data by contacting their organization's SideKik administrator or by emailing [email protected]. We will process verified deletion requests within 30 days.
Analytics data collected from website visitors is retained for 24 months, after which it is automatically aggregated and anonymized.
SideKik implements the following technical security measures:
In the event of a data breach affecting your organization's data, SideKik will notify affected Customers within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 requirements. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.
For individuals in the European Economic Area (EEA), United Kingdom, or Switzerland, SideKik processes personal data under the following legal bases as defined in GDPR Article 6:
Under GDPR, individuals have the following rights with respect to their personal data:
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
SideKik offers a Data Processing Agreement (DPA) to all Customers who require one for GDPR compliance. The DPA governs the processing of personal data on behalf of the Customer and includes the Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers. Contact [email protected] to request a DPA.
SideKik has designated a Data Protection Officer (DPO) who can be reached at [email protected]. You also have the right to lodge a complaint with your local supervisory authority.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights regarding your personal information.
In the preceding 12 months, SideKik has collected the following categories of personal information from California residents:
To submit a CCPA/CPRA request, email [email protected] with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.
SideKik does not sell personal information as defined under the CCPA/CPRA. We do not share personal information with third parties for cross-context behavioral advertising purposes.
Important Notice: HOLLER AI LLC, the provider of Sidekik AI, is not a Covered Entity under HIPAA. However, if you are a Covered Entity or Business Associate and intend to process Protected Health Information (PHI) through SideKik, please contact us before doing so.
SideKik's dedicated infrastructure architecture is designed with HIPAA compliance considerations in mind, including:
For Customers who are Covered Entities or Business Associates under HIPAA and who intend to process PHI through SideKik, we are prepared to execute a Business Associate Agreement (BAA). Please contact [email protected] to initiate the BAA process. Do not upload PHI to SideKik without a signed BAA in place.
If PHI is processed through SideKik, Customers must ensure that the AI model provider configured for their instance also has appropriate HIPAA safeguards in place. SideKik can assist in configuring fully self-hosted, open-source AI models (e.g., Llama via Ollama) to ensure PHI never leaves your private infrastructure.
SideKik is actively working toward SOC 2 Type II certification. Our infrastructure and operational practices are aligned with the AICPA Trust Services Criteria across the following categories:
Enterprise customers requiring evidence of security controls may request our security documentation package, including penetration test summaries, infrastructure diagrams, and policy documentation, by contacting [email protected].
Unambiguous Commitment: Sidekik AI, a product of HOLLER AI LLC, does not use your data — including your corporate documents, conversation history, queries, or any other information processed through your private instance — to train, fine-tune, or improve any AI model, including models operated by SideKik or any third party.
SideKik uses AI models as inference engines — meaning they receive a query and context, generate a response, and do not retain that information. Specifically:
When using cloud-based AI models, the relevant provider's data usage policies apply to API calls. SideKik selects providers that offer enterprise API agreements with no-training commitments. Customers are encouraged to review the data usage policies of their configured AI model providers.
SideKik's Services are designed for business use and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such information, please contact us immediately at [email protected] and we will promptly delete it.
SideKik's primary infrastructure is hosted in the United States. For Customers in the EEA, UK, or other jurisdictions with data transfer restrictions, we offer the following transfer mechanisms:
SideKik may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you may terminate your account and request deletion of your data.
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact:
Sidekik AI (a product of HOLLER AI LLC) — Privacy Team
Email: [email protected]
Data Protection Officer: [email protected]
Legal: [email protected]
Security: [email protected]
Website: https://sidekikai.com