Privacy Policy

Last updated: July 3, 2026

Responsible party

Brandfusion Burlet (lynox AI)
Neue Jonastrasse 71, 8640 Rapperswil SG, Switzerland
[email protected]

EU Representative (Art. 27 GDPR)

We have appointed Prighter Group with its local partners as our privacy representative and your point of contact for the European Union (EU).

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative or make use of your data subject rights, please visit:
https://app.prighter.com/portal/13646667120

Summary

We believe in transparency. Here's the short version:

1. Website analytics (no consent required)

We use Plausible Analytics to understand how visitors use this website. Plausible:

Data collected: page views, referrer, country (from IP, not stored), device type, browser. All data is aggregated — no individual visitors can be identified.

2. Ad measurement (consent required)

If you accept marketing cookies via our consent banner, we enable:

Cookies that may be set with consent: _gcl_*, _ga_*, _gid.

3. Consent management

We use Klaro (open source, self-hosted) as our consent manager. Your consent choice is stored in a first-party cookie (lynox_consent) for 365 days. You can change your choice at any time by clearing your cookies or clicking "Settings" in the consent banner.

4. Data we collect

Data Purpose Legal basis Retention
Page views (anonymous) Website analytics Legitimate interest Aggregated, no personal data
Consent choice Remember your preference Legitimate interest 365 days (cookie)
Google click ID (gclid) Ad conversion tracking Consent Session only
UTM parameters Marketing attribution Consent Session only
GA4 events Marketing analytics Consent 14 months (GA4)
Email address (newsletter) Product updates & announcements Consent Until unsubscribe
Name, company (Managed Hosting) Account identity, invoicing, legal correspondence Contract Duration of subscription + 120 days (see DPA)
Sanctions/embargo screening (Managed Hosting) To comply with sanctions law we (a) match your name against consolidated public sanctions/embargo lists (SECO, EU, UN, OFAC) locally on our own infrastructure — your name is not sent to any third-party screening provider — where a possible match only flags the account for manual human review and does not by itself block you or make an automated decision about you; and (b) apply a deterministic check that refuses signup where the billing address is in a comprehensively embargoed country (Cuba, Iran, North Korea, Syria). Legal obligation / legitimate interest (sanctions & embargo law) A review flag is kept for the duration of the subscription.
Email address (Managed Hosting) Authentication, billing notifications, support Contract Duration of subscription + 120 days (see DPA)
Billing address (Managed Hosting) Invoicing, VAT compliance, jurisdiction Contract / Legal obligation Duration of subscription + 120 days (see DPA)
Per-run AI cost (run id, model, cost in cents) Budget & fair-use enforcement (Managed tier) Contract Duration of subscription + 120 days (see DPA)
Payment information Subscription billing Contract Managed by Stripe (see their privacy policy)
Card fingerprint (trial abuse prevention) Detect and prevent the same physical payment card from starting multiple free trials (anti-fraud / anti-farming). A one-way pseudonymous hash derived from a token supplied by Stripe; we never see or store the card number. Legitimate interest (Art. 6(1)(f) GDPR / Art. 31(1)(e) revDSG) 24 months from collection, independent of account lifetime (see below) — required so the control persists after account deletion.
Referral attribution (referrer customer ID) Record which existing customer referred a new customer, to credit the referral reward. Contract (Art. 6(1)(b) GDPR / Art. 31(2)(a) revDSG) Duration of subscription + 120 days; retained as a transaction record for the accounting-mandated period.
Trial end date & reminder schedule Track when a free trial ends and send automated reminder emails (3 and 1 day before conversion). Contract / Legitimate interest (Art. 6(1)(b)/(f) GDPR) Duration of subscription + 120 days; reminder send-logs purged after 120 days.
Chat content & attached files (Managed Hosting) AI conversation, agent reasoning, attached document/image analysis Contract Retained for the duration of the active subscription as necessary for service performance (Art. 6(1)(b) GDPR / Art. 31(2)(a) revDSG — contract); deleted on customer request or on account closure.
OAuth-connected mailbox content (IMAP) Email triage, reply drafting, conversation context Contract Transient (current conversation turn only); local mail-state.db persists message-ID + folder metadata to avoid re-fetching
Google Calendar entries Scheduling, time-aware agent context Contract Transient (read per request, not persisted)
Knowledge-graph / memory_store derived entities Long-term agent memory, cross-thread recall, semantic search Contract memory_delete deactivates the memory and excludes it from all agent retrieval; row purge follows in the storage maintenance cycle
Agent action logs / activity events Audit trail for tool calls (send email, modify CRM, call third-party API, etc.) Contract / Legal obligation 365 days

5. Third-party services

Service Purpose Data location Requires consent
Cloudflare Hosting, CDN, DNS, server-side event routing Global (edge network) No (essential)
Plausible Analytics Anonymous website analytics EU No
Google Analytics 4 Marketing analytics US (Google LLC) Yes
Google Ads Conversion tracking US (Google LLC) Yes
Stripe Payment processing & subscription billing US (Stripe Inc) No (essential for billing)
Hetzner Managed Hosting server infrastructure EU (Germany) No (essential for hosting)
Anthropic, PBC Primary AI model inference (Claude family — direct API) United States No (essential for AI inference)
Mistral AI AI model inference for chat, agent workflows, mail-triage classification, and memory consolidation (Mistral Large family — direct API). Runs as the worker/failover profile for all managed instances; any customer can select it in Settings as their main inference provider to keep primary inference within the EU. No persistent server-side cache; no use for training per Mistral's API terms. France (EU) No (essential for AI inference)
Brevo (Sendinblue) Email delivery (SMTP relay) and contact list management EU (France/Germany) No (essential for delivery)
Bugsink (self-hosted) Error reporting (always active, legitimate interest) EU (self-hosted on lynox infrastructure) No (always active — Art. 6(1)(f) legitimate interest)

6. Managed Hosting

If you purchase lynox Managed Hosting, additional data processing applies:

Legal basis: contract performance (Art. 6(1)(b) GDPR). After your subscription ends, you have 30 days to export your data. After the export period, all data is permanently deleted within 90 days. See our Data Processing Agreement for details.

Automated decision-making (Art. 22 GDPR)

lynox may execute actions on your behalf (sending emails, modifying CRM entries, scheduling tasks, calling third-party APIs). These actions are taken on your explicit configuration and remain under your control; we do not perform solely automated decisions with legal or similarly significant effects on data subjects within the meaning of Art. 22 GDPR without your active configuration and review. You remain the controller for all agent-initiated actions.

International transfers

Transfers to the United States (e.g. Anthropic, Stripe, Google Analytics, Google Ads) are based on the EU Commission's adequacy decision under the EU-US Data Privacy Framework where the recipient is certified, and on Standard Contractual Clauses (Module 2/3, 2021/914) plus supplementary measures (TLS 1.3 in transit, AES-256-GCM at rest, no-training commitments under Anthropic's and Mistral's published API terms (default policy, no opt-out required)) where it is not. A copy is available on request from [email protected].

For Swiss data subjects, US transfers to Anthropic, Stripe and Cloudflare rely on the Swiss-US Data Privacy Framework or SCCs (Annex IIa). If you configure your own LLM provider (BYOK) via Settings → LLM — for example OpenAI, an OpenAI-compatible endpoint, Google Vertex AI, or a self-hosted model — any transfer to that provider is under your own agreement with it, not ours (see "Customer-configured endpoints" in our DPA). The current sub-processor list is published at /subprocessors.

Trial abuse prevention (legitimate-interest balancing test)

When you start a free trial, our payment provider Stripe supplies a card fingerprint — a one-way, irreversible token that is identical for the same physical card across attempts but cannot be reversed into a card number. We store only a keyed hash of it to prevent the same card from being used to open multiple free trials.

Purpose / legitimate interest (Art. 6(1)(f) GDPR, Art. 31(1)(e) revDSG): Free trials carry a real cost (managed infrastructure plus a per-trial AI-inference budget). Without a control, a single person can farm unlimited free trials by re-registering — abusive use that would force us to withdraw the free trial or raise prices for legitimate customers. Preventing trial-farming is our legitimate interest and is in the interest of honest customers.

Necessity: Email and IP are trivially rotated; the card fingerprint is the only signal that reliably ties multiple trial attempts to one funding source, and it arises at the payment provider in the ordinary course of billing — no additional data is collected from you.

Balancing / minimal interference: We store only a pseudonymous keyed hash, never the card number. We do not build profiles, do not score or rank you, do not make automated decisions with legal effect (Art. 22 GDPR), and do not share the fingerprint with any third party. The hash is used solely for an equality check at trial sign-up. You may object at any time (Art. 21 GDPR / Art. 30 revDSG) by contacting [email protected]; you can subscribe to a paid plan without any fingerprint check.

7. Newsletter

If you subscribe to our newsletter, we collect your email address and language preference. This data is stored by Brevo (French company, EU servers) for newsletter delivery and contact management. Legal basis: consent (Art. 6(1)(a) GDPR).

8. Your rights

Under GDPR (EU) and the Swiss Federal Act on Data Protection (revised version, "revDSG" / revFADP), you have the right to:

To exercise any of these rights, contact [email protected].

9. lynox the product

The lynox software (@lynox-ai/core) runs entirely on your own infrastructure. We have no access to your data, conversations, knowledge graph, or API keys. The software makes direct API calls to your configured AI provider — no data passes through our servers.

10. Changes

We may update this policy. Significant changes will be noted with an updated "Last updated" date, and where legally required we will notify you directly.