Legal

Privacy Policy

Last updated: May 25, 2026Effective: May 25, 2026

VYRA DATA INC. (operating as VYRA Data, referred to in this policy as “VYRA Data,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you visit vyradata.com, contact us, purchase or use our services, communicate with us, or otherwise interact with our business.

By using our website or services, you agree to the practices described here. If you do not agree, please do not use our website or services.

1. Who we are

VYRA DATA INC. is a corporation incorporated under the laws of Nova Scotia, Canada. We provide nine services across three lanes (Foundation, Build, Shopify, Search, Ads, Creative, Social, Care, Insights), and operate a customer-facing SaaS at app.vyradata.com and a merchandise store at shop.vyradata.com.

For privacy matters we act as a data controller in respect of website visitors, sales prospects, and our own staff, and as a data processor in respect of Customer Content that our business clients upload to Insights or hand to us during a service engagement.

Privacy Officer
Designation:Privacy Officer, VYRA DATA INC.
Subject tag:Privacy Inquiry
Postal:2 Ralston Ave, Suite 100Dartmouth, NS B3B 1H7Canada
EU/UK contact:support@vyradata.com (the Privacy Officer also serves as the EU/UK contact)

2. What this policy covers

This Privacy Policy applies to:

  • The marketing website at vyradata.com, including all subpages and brand microsites we publish under it.
  • The Insights SaaS application at app.vyradata.com, including the web app, the public API, and any embedded reporting widgets.
  • The merchandise store at shop.vyradata.com.
  • All nine VYRA services: Foundation, Build, Shopify, Search, Ads, Creative, Social, Care, and Insights.
  • Communications you have with VYRA staff by email, phone, chat, SMS, video, in-person meetings, or in-app messaging.

Third-party platforms we connect to on your behalf (Meta, Google, Apple, and similar) have their own privacy policies. This policy covers our handling of the data we access through those connections, not the platforms themselves.

3. Personal data we collect

We collect the following categories of personal information:

Account and identity

  • Name, business name, role/title, work email, work phone.
  • Login credentials (hashed; passwords are never stored in plaintext).
  • Multi-factor authentication tokens and recovery codes.
  • Profile photo and display preferences, if you provide them.

Billing

  • Billing name, billing address, GST/HST registration number where you provide one.
  • Invoice history, payment status, subscription plan, seat count.
  • Payment card information is collected and stored by Stripe, our payment processor. We do not store full card numbers.

Usage and telemetry

  • IP address, browser, operating system, device type, viewport size.
  • Pages visited, features used, timestamps, referring URL.
  • Audit-log entries (administrative actions, sign-in events, permission changes).
  • Error reports and performance traces forwarded by Sentry.

Third-party platform tokens (OAuth)

  • Encrypted access tokens and refresh tokens for Meta, Google, Apple, and other platforms you authorize.
  • Account identifiers (Page ID, Ad Account ID, Property ID).
  • The minimum scopes required for the service you purchased.

Customer Content

  • Drafts, briefs, brand assets, copy, images, and documents you upload or hand to us.
  • AI prompts and outputs generated through Vyn on your behalf.
  • Reports we generate for you from data pulled via your authorized OAuth connections.

Communications

  • Email threads, support tickets, meeting notes, chat transcripts.
  • Recordings of consultations or onboarding calls, only when both parties consent.

Cookies and similar technologies

  • Session, CSRF, and load-balancer cookies (strictly necessary).
  • Locale, theme, and sidebar-state preferences (functional).
  • Analytics identifiers from GA4 and PostHog (opt-in).
  • Meta Pixel identifiers and conversion events (opt-in, default off).

Full inventory at the Cookie Policy.

4. How we use it (lawful bases)

For visitors and customers in the EU/EEA and UK, the lawful basis (under GDPR Article 6 and UK GDPR) for each processing activity is as follows:

  • Contract (Art. 6(1)(b)): account management, billing, delivering the services you purchased, customer support, and security of your account.
  • Legitimate interest (Art. 6(1)(f)): fraud prevention, abuse detection, securing our systems, defending legal claims, product analytics on anonymized telemetry, improving our services.
  • Consent (Art. 6(1)(a)): analytics cookies, advertising cookies, marketing email, optional features that process additional data (e.g. recording a consultation call).
  • Legal obligation (Art. 6(1)(c)): tax records, CRA filings, breach reporting, responding to lawful access requests.

For visitors in Canada, Quebec, and the United States, we collect, use, and disclose personal information with your consent unless otherwise permitted or required by law (PIPEDA s.7, Quebec Law 25, CCPA/CPRA business-purpose categories).

5. AI and Vyn processing

Vyn is our AI teammate. Vyn drafts copy, builds reports, summarizes briefs, and recommends next actions. A human reviews and approves every public-facing draft before it ships.

Provider. Vyn uses Anthropic as its AI inference provider through Anthropic's enterprise API. Vyn does not route requests to any other foundation-model provider.

No model training on your data. Under Anthropic's commercial terms, customer data submitted through the API is not used to train Anthropic's models. We do not, separately, train any model on your Customer Content.

Retention by the provider. Anthropic retains request and response data only as required to operate the API (typically a short rolling window for abuse detection) and deletes it thereafter under their data-handling policy.

Outputs. Drafts and outputs generated by Vyn from your Customer Content belong to you (see Terms §38). We retain a limited license to host, process, display, and analyze your Customer Content solely to provide the service.

Opt-out. If you do not want a particular project to use AI-assisted drafting, tell your project lead or email support@vyradata.com (subject “Privacy Inquiry”) . We will configure your account to bypass Vyn for that workstream.

6. OAuth Connect and platform data

Several VYRA services rely on you authorizing us to access your accounts on third-party platforms (Meta Business Suite, Meta Ads, Facebook Pages, Instagram, Google Analytics, Google Search Console, Google Ads, Google Tag Manager, YouTube, Apple Search Ads, and similar). When you connect a platform, you grant VYRA the permissions needed to deliver the service you purchased.

  • Token storage. Access and refresh tokens are encrypted at rest using AES-256-GCM and stored in our application database.
  • Minimum scope. We request only the scopes the specific service requires. We do not collect data outside that scope, even if the platform would technically permit it.
  • No sale or resale. We never sell or resell platform data to third parties.
  • Disconnection. You can revoke our access at any time, either inside the platform or by emailing support@vyradata.com with the subject “Privacy Inquiry”. Tokens are deleted within 30 days of disconnection.
  • Your use of third-party platforms remains governed by their own terms (Meta Platform Terms, Google API Services User Data Policy, Apple Developer Program License Agreement).

7. Cookies, pixels, and tracking

We group cookies and similar technologies into four categories: strictly necessary, functional, analytics, and marketing. Analytics and marketing categories default to off and only become active after you grant consent through the cookie banner.

The named technologies we use are:

  • Google Analytics 4 (analytics, opt-in)
  • Google Tag Manager (container only, no data collection by itself)
  • PostHog (product analytics, opt-in)
  • Meta Pixel (marketing, opt-in, default off)
  • Sentry (essential error and performance monitoring)

For the full inventory of cookies, durations, providers, and the in-page preference center, see the Cookie Policy.

Manage your cookie preferences

Update what cookies VYRA can use on your visits to vyradata.com. Changes apply immediately on this device. Other devices keep their own choices.

Current: Not yet set — you'll see the banner on your next visit
Changes pending — click Save preferences to apply.

8. Subprocessors

We use a small set of trusted vendors to deliver the services. The current roster is below. The canonical, dated list is maintained at /subprocessors.

SubprocessorPurposeRegion
StripePayments, billing, invoicingUnited States / Ireland
ResendTransactional and operational emailUnited States
AWSApplication hosting, object storage, databaseUnited States (us-east-2 Ohio)
HostingerVPS hosting for ancillary servicesEuropean Union
CloudflareDNS, CDN, edge securityGlobal
AnthropicAI inference (Vyn). No model training on customer data.United States
SentryError monitoring and performance tracesUnited States
PostHogProduct analytics (opt-in)United States / European Union
Better StackUptime and on-call monitoringEuropean Union
GoogleAnalytics (GA4), Tag Manager, Search Console (opt-in)United States
MetaMeta Pixel (opt-in, default off)United States

We may add or replace subprocessors. Material additions are posted to /subprocessors with at least 30 days’ notice before they begin processing customer personal data. If you have a DPA-based right to object, see the DPA.

9. International transfers

Personal data may be stored or processed in Canada, the United States, and the European Union, depending on the subprocessor. Our primary application infrastructure runs on AWS in us-east-2 (Ohio).

For transfers out of the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) (Module 2 for controller-to-processor transfers, Module 3 for processor-to-processor). For transfers out of the UK we rely on the UK International Data Transfer Addendum (IDTA). Copies of the executed SCCs and IDTA addenda are available on request to support@vyradata.com (subject “Privacy Inquiry”) .

For Quebec residents, transfers outside Quebec are accompanied by a privacy impact assessment under Law 25 where the data warrants one.

10. Data retention

We retain personal data only as long as required for the purposes described in this policy or by law. Specific schedules:

CategoryRetention
Account dataLifetime of account, plus 90 days after deletion
Billing records and invoices7 years (CRA requirement)
Audit logs13 months
OAuth tokensUntil disconnected, then deleted within 30 days
User content (drafts, AI outputs)Until you delete or close the account, then 30 days
Database backups35-day rolling window
Support tickets and email threads24 months from last contact
Marketing prospects (sales CRM)36 months from last contact, then deleted or anonymized
Cookie consent state13 months in localStorage; reset on clear or revisit

11. Security

We follow the security practices described on the Security Overview page. In brief:

  • TLS 1.3 in transit; AES-256-GCM for OAuth tokens and credentials at rest; AES-256 for database backups.
  • Role-based access control (RBAC). Mandatory MFA for all administrators.
  • Audit logging for sign-in, permission changes, exports, and admin actions.
  • Least-privilege principle for staff access to customer data.
  • Annual third-party penetration testing.
  • Documented incident response process with on-call rotation.

No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but we take reasonable steps under PIPEDA, GDPR Art. 32, and Quebec Law 25 to protect the data entrusted to us.

Report a vulnerability to support@vyradata.com with the subject “Security Disclosure”.

12. Your rights — GDPR / UK GDPR (EU, EEA, UK)

If you are in the EU, EEA, or UK, you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Erase your personal data (“right to be forgotten,” Art. 17).
  • Restrict processing in defined circumstances (Art. 18).
  • Receive your data in a portable, machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, where consent is the lawful basis (Art. 7(3)).
  • Lodge a complaint with a supervisory authority (Art. 77). For UK residents, the ICO. For EU/EEA residents, your local DPA.

To exercise a right, email support@vyradata.com (subject “Privacy Inquiry”) . We respond within 30 days and may verify your identity before fulfilling the request.

13. Your rights — PIPEDA (Canada)

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) gives you the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Withdraw consent, subject to legal and contractual limits.
  • Be informed of disclosures we have made about you.
  • Complain to the Office of the Privacy Commissioner of Canada (OPC). We will work with you in good faith before escalation.

Send requests to support@vyradata.com (subject “Privacy Inquiry”) . Response within 30 days.

14. Your rights — CCPA/CPRA (California)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you the right to:

  • Know what categories of personal information we collect, the sources, the purposes, and the categories of third parties we share with.
  • Access the specific pieces of personal information we hold about you.
  • Delete personal information we have collected from you.
  • Correct inaccurate personal information.
  • Limit our use and disclosure of sensitive personal information.
  • Opt out of the sale or sharing of personal information for cross-context behavioral advertising.
  • Non-discrimination for exercising any of these rights.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. Marketing cookies on this site default to off and only activate after opt-in consent.

Categories collected in the past 12 months: identifiers; commercial information; internet or network activity; geolocation (approximate, from IP); professional or employment-related information (where you provide it).
Categories disclosed in the past 12 months: identifiers and commercial information disclosed to Stripe (payments), Resend (email), and AWS (hosting) as service providers under contracts that restrict their use to providing the service.

Authorized agents. You may designate an authorized agent to make a request on your behalf. We will require a signed, dated authorization and reasonable proof of identity for both you and the agent.

Send California requests to support@vyradata.com (subject “Privacy Inquiry”) . You may also lodge a complaint with the California Attorney General.

15. Your rights — Quebec (Law 25)

If you are a Quebec resident, in addition to the PIPEDA rights above, Law 25 gives you the right to:

  • Data portability, in a structured, commonly used technological format.
  • Deindexation (cessation of dissemination, re-indexation, or hyperlinking) where the law permits.
  • Be informed of automated decision-making that significantly affects you, and to request a review.
  • Know when your data is transferred outside Quebec, and the safeguards in place.

A French-language version of this policy is forthcoming. In the interim, French-language requests are welcomed and answered in French at support@vyradata.com (subject “Privacy Inquiry”) .

16. Children

Our website and services are intended for businesses and adults. We do not knowingly collect personal information from children under 16. Where COPPA applies (United States, under 13), we do not knowingly collect personal information from children under 13.

If you believe a child has provided us with personal information, contact support@vyradata.com (subject “Privacy Inquiry”) for immediate deletion.

17. Breach notification

We maintain a written breach response process and a breach log per the PIPEDA Breach of Security Safeguards Regulations (SOR/2018-64).

  • PIPEDA (Canada): We will notify the Office of the Privacy Commissioner of Canada and affected individuals “as soon as feasible” where a breach of security safeguards creates a real risk of significant harm (PIPEDA s.10.1).
  • GDPR / UK GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons (Art. 33). Affected individuals are notified without undue delay where the risk is high (Art. 34).
  • CCPA / state laws: We comply with applicable U.S. state breach-notification laws, including California Civil Code §1798.82.
  • Quebec Law 25: We notify the Commission d'accès à l'information and affected individuals where the breach poses a risk of serious harm.

18. Marketing email and CASL

Canada's Anti-Spam Legislation (S.C. 2010, c. 23) requires express consent for most commercial electronic messages. We follow CASL globally for outbound marketing.

  • We request express consent before adding you to a marketing list. We log when and how consent was obtained.
  • Every marketing message identifies the sender, includes our mailing address, and contains a clear unsubscribe mechanism.
  • Unsubscribe requests are honored within 10 business days of receipt per CASL s.11(3).
  • Transactional messages (receipts, password resets, security alerts, project updates) are sent under the CASL exemption for messages necessary to provide a requested service.

19. Do Not Track and Global Privacy Control

We respect the Global Privacy Control (GPC) signal. When a visitor's browser sends GPC, we treat that as a valid request to opt out of the sale/sharing of personal information (we already do not sell or share for cross-context advertising; the signal removes any ambiguity).

We also honor the browser Do Not Track (DNT) signal where technically feasible. There is no industry consensus on a DNT response standard; we treat DNT as equivalent to an analytics opt-out for cookies we control.

21. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision.

Material changes (changes that expand the categories of data we collect, change the legal basis for processing, or add a new subprocessor that handles personal data) will be posted with at least 30 days’ notice via email and an in-app banner before they take effect. Non-material changes are effective on posting.

22. Contact

For privacy questions, requests, or complaints, contact the Privacy Officer:

VYRA DATA INC.
Privacy Officer:Privacy Officer, VYRA DATA INC.
Subject tag:Privacy Inquiry
EU/UK contact:support@vyradata.com (the Privacy Officer also serves as the EU/UK contact)
Postal:2 Ralston Ave, Suite 100Dartmouth, NS B3B 1H7Canada
Website:vyradata.com

External regulators. Canadians may complain to the Office of the Privacy Commissioner of Canada. EU/EEA residents may complain to their local supervisory authority. UK residents may complain to the Information Commissioner's Office (ICO). Californians may complain to the California Attorney General. Quebec residents may complain to the Commission d'accès à l'information.