Privacy Policy
Responsible party
Brandfusion Burlet (lynox AI)
Neue Jonastrasse 71, 8640 Rapperswil SG, Switzerland
[email protected]
EU Representative (Art. 27 GDPR)
We have appointed Prighter Group with its local partners as our privacy representative and your point of contact for the European Union (EU).
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative or make use of your data subject rights, please visit:
https://app.prighter.com/portal/13646667120
Summary
We believe in transparency. Here's the short version:
- lynox the product (@lynox-ai/core) collects no user data. It runs on your infrastructure. We don't access your data in normal operations.
- lynox.ai the website uses privacy-friendly analytics (Plausible) and, with your consent, ad measurement cookies for Google Ads.
- lynox Managed Hosting requires an email address and payment via Stripe. We store only what's needed to run your instance and process billing.
- We don't sell your data. We don't share it with third parties beyond what's described below.
1. Website analytics (no consent required)
We use Plausible Analytics to understand how visitors use this website. Plausible:
- Sets no cookies
- Collects no personal data
- Does not track you across websites
- Is designed to operate without requiring cookie consent under GDPR, PECR, and CCPA
Data collected: page views, referrer, country (from IP, not stored), device type, browser. All data is aggregated — no individual visitors can be identified.
2. Ad measurement (consent required)
If you accept marketing cookies via our consent banner, we enable:
- Google Consent Mode v2 — signals your consent state to Google. When denied, Google receives anonymous, cookieless pings for statistical modeling only.
- Google Analytics 4 (server-side via Measurement Protocol) — helps us understand which marketing channels lead to signups. Data is processed through our own server (
t.lynox.ai) before reaching Google. - Google Ads conversion tracking — measures whether ad clicks lead to meaningful actions (e.g., copying the install command, subscribing to the newsletter, completing a purchase).
Cookies that may be set with consent: _gcl_*, _ga_*, _gid.
3. Consent management
We use Klaro (open source, self-hosted) as our consent manager. Your consent choice is stored in a first-party cookie (lynox_consent) for 365 days. You can change your choice at any time by clearing your cookies or clicking "Settings" in the consent banner.
4. Data we collect
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Page views (anonymous) | Website analytics | Legitimate interest | Aggregated, no personal data |
| Consent choice | Remember your preference | Legitimate interest | 365 days (cookie) |
| Google click ID (gclid) | Ad conversion tracking | Consent | Session only |
| UTM parameters | Marketing attribution | Consent | Session only |
| GA4 events | Marketing analytics | Consent | 14 months (GA4) |
| Email address (newsletter) | Product updates & announcements | Consent | Until unsubscribe |
| Name, company (Managed Hosting) | Account identity, invoicing, legal correspondence | Contract | Duration of subscription + 120 days (see DPA) |
| Sanctions/embargo screening (Managed Hosting) | To comply with sanctions law we (a) match your name against consolidated public sanctions/embargo lists (SECO, EU, UN, OFAC) locally on our own infrastructure — your name is not sent to any third-party screening provider — where a possible match only flags the account for manual human review and does not by itself block you or make an automated decision about you; and (b) apply a deterministic check that refuses signup where the billing address is in a comprehensively embargoed country (Cuba, Iran, North Korea, Syria). | Legal obligation / legitimate interest (sanctions & embargo law) | A review flag is kept for the duration of the subscription. |
| Email address (Managed Hosting) | Authentication, billing notifications, support | Contract | Duration of subscription + 120 days (see DPA) |
| Billing address (Managed Hosting) | Invoicing, VAT compliance, jurisdiction | Contract / Legal obligation | Duration of subscription + 120 days (see DPA) |
| Per-run AI cost (run id, model, cost in cents) | Budget & fair-use enforcement (Managed tier) | Contract | Duration of subscription + 120 days (see DPA) |
| Payment information | Subscription billing | Contract | Managed by Stripe (see their privacy policy) |
| Card fingerprint (trial abuse prevention) | Detect and prevent the same physical payment card from starting multiple free trials (anti-fraud / anti-farming). A one-way pseudonymous hash derived from a token supplied by Stripe; we never see or store the card number. | Legitimate interest (Art. 6(1)(f) GDPR / Art. 31(1)(e) revDSG) | 24 months from collection, independent of account lifetime (see below) — required so the control persists after account deletion. |
| Referral attribution (referrer customer ID) | Record which existing customer referred a new customer, to credit the referral reward. | Contract (Art. 6(1)(b) GDPR / Art. 31(2)(a) revDSG) | Duration of subscription + 120 days; retained as a transaction record for the accounting-mandated period. |
| Trial end date & reminder schedule | Track when a free trial ends and send automated reminder emails (3 and 1 day before conversion). | Contract / Legitimate interest (Art. 6(1)(b)/(f) GDPR) | Duration of subscription + 120 days; reminder send-logs purged after 120 days. |
| Chat content & attached files (Managed Hosting) | AI conversation, agent reasoning, attached document/image analysis | Contract | Retained for the duration of the active subscription as necessary for service performance (Art. 6(1)(b) GDPR / Art. 31(2)(a) revDSG — contract); deleted on customer request or on account closure. |
| OAuth-connected mailbox content (IMAP) | Email triage, reply drafting, conversation context | Contract | Transient (current conversation turn only); local mail-state.db persists message-ID + folder metadata to avoid re-fetching |
| Google Calendar entries | Scheduling, time-aware agent context | Contract | Transient (read per request, not persisted) |
Knowledge-graph / memory_store derived entities | Long-term agent memory, cross-thread recall, semantic search | Contract | memory_delete deactivates the memory and excludes it from all agent retrieval; row purge follows in the storage maintenance cycle |
| Agent action logs / activity events | Audit trail for tool calls (send email, modify CRM, call third-party API, etc.) | Contract / Legal obligation | 365 days |
5. Third-party services
| Service | Purpose | Data location | Requires consent |
|---|---|---|---|
| Cloudflare | Hosting, CDN, DNS, server-side event routing | Global (edge network) | No (essential) |
| Plausible Analytics | Anonymous website analytics | EU | No |
| Google Analytics 4 | Marketing analytics | US (Google LLC) | Yes |
| Google Ads | Conversion tracking | US (Google LLC) | Yes |
| Stripe | Payment processing & subscription billing | US (Stripe Inc) | No (essential for billing) |
| Hetzner | Managed Hosting server infrastructure | EU (Germany) | No (essential for hosting) |
| Anthropic, PBC | Primary AI model inference (Claude family — direct API) | United States | No (essential for AI inference) |
| Mistral AI | AI model inference for chat, agent workflows, mail-triage classification, and memory consolidation (Mistral Large family — direct API). Runs as the worker/failover profile for all managed instances; any customer can select it in Settings as their main inference provider to keep primary inference within the EU. No persistent server-side cache; no use for training per Mistral's API terms. | France (EU) | No (essential for AI inference) |
| Brevo (Sendinblue) | Email delivery (SMTP relay) and contact list management | EU (France/Germany) | No (essential for delivery) |
| Bugsink (self-hosted) | Error reporting (always active, legitimate interest) | EU (self-hosted on lynox infrastructure) | No (always active — Art. 6(1)(f) legitimate interest) |
6. Managed Hosting
If you purchase lynox Managed Hosting, additional data processing applies:
- Account data — your name, email address, company (if provided), and billing address are collected during checkout. Used for authentication (OTP verification), invoicing, billing notifications, legal correspondence, and support. Stored in our database on Hetzner (EU).
- Payment processing — handled entirely by Stripe. We never see or store your card number. Stripe collects payment details, billing address, and transaction history under their own privacy policy.
- Instance provisioning — your instance runs in an isolated container with its own encrypted vault and database, on a shared tenant host at Hetzner Cloud (Germany). Instance metadata (IP, tenant host, status) is stored in our control plane database. A dedicated single-tenant VPS is available as an Enterprise upgrade on request.
- Transactional emails — verification codes, onboarding, and billing notifications are sent via Brevo (SMTP relay, EU). Only your email address is shared with Brevo for delivery purposes.
- AI usage metering (Managed tier only) — to apply your included AI budget and the Fair Use Policy, your instance reports a per-run AI cost record to our control plane: an opaque run identifier, the model name, and the cost in cents. No prompts, responses, token-level detail, or conversation content are included.
- AI inference providers — conversation content is sent for inference to Anthropic (Claude family, United States) and Mistral AI (Mistral Large family, France/EU). By default your managed instance uses Anthropic as its main inference provider, with Mistral AI running as the worker/failover profile; you can select Mistral as your main provider at any time in Settings to keep your primary inference within the EU — a manual choice, not an automatic or segment-based default. Both providers run via their native direct APIs. Neither provider uses customer data to train or improve their models under their API terms. See the DPA for the current sub-processor list.
- Content & safety — conversation content on your managed instance is not yet encrypted at the application layer (this is on our security roadmap); access is restricted by per-tenant container isolation and OS-level permissions. We do not access conversation content in normal operations; a narrow exception-based access applies only in response to abuse reports or legal requests, and we do not routinely monitor, analyze, or read your conversations. API keys and credentials are encrypted in a dedicated vault.
- Conversion measurement — when your instance is ready, we send a
purchaseevent to our tracking endpoint (subject to your consent choice). No personal data is included — only an anonymous event with a conversion value.
Legal basis: contract performance (Art. 6(1)(b) GDPR). After your subscription ends, you have 30 days to export your data. After the export period, all data is permanently deleted within 90 days. See our Data Processing Agreement for details.
Automated decision-making (Art. 22 GDPR)
lynox may execute actions on your behalf (sending emails, modifying CRM entries, scheduling tasks, calling third-party APIs). These actions are taken on your explicit configuration and remain under your control; we do not perform solely automated decisions with legal or similarly significant effects on data subjects within the meaning of Art. 22 GDPR without your active configuration and review. You remain the controller for all agent-initiated actions.
International transfers
Transfers to the United States (e.g. Anthropic, Stripe, Google Analytics, Google Ads) are based on the EU Commission's adequacy decision under the EU-US Data Privacy Framework where the recipient is certified, and on Standard Contractual Clauses (Module 2/3, 2021/914) plus supplementary measures (TLS 1.3 in transit, AES-256-GCM at rest, no-training commitments under Anthropic's and Mistral's published API terms (default policy, no opt-out required)) where it is not. A copy is available on request from [email protected].
For Swiss data subjects, US transfers to Anthropic, Stripe and Cloudflare rely on the Swiss-US Data Privacy Framework or SCCs (Annex IIa). If you configure your own LLM provider (BYOK) via Settings → LLM — for example OpenAI, an OpenAI-compatible endpoint, Google Vertex AI, or a self-hosted model — any transfer to that provider is under your own agreement with it, not ours (see "Customer-configured endpoints" in our DPA). The current sub-processor list is published at /subprocessors.
Trial abuse prevention (legitimate-interest balancing test)
When you start a free trial, our payment provider Stripe supplies a card fingerprint — a one-way, irreversible token that is identical for the same physical card across attempts but cannot be reversed into a card number. We store only a keyed hash of it to prevent the same card from being used to open multiple free trials.
Purpose / legitimate interest (Art. 6(1)(f) GDPR, Art. 31(1)(e) revDSG): Free trials carry a real cost (managed infrastructure plus a per-trial AI-inference budget). Without a control, a single person can farm unlimited free trials by re-registering — abusive use that would force us to withdraw the free trial or raise prices for legitimate customers. Preventing trial-farming is our legitimate interest and is in the interest of honest customers.
Necessity: Email and IP are trivially rotated; the card fingerprint is the only signal that reliably ties multiple trial attempts to one funding source, and it arises at the payment provider in the ordinary course of billing — no additional data is collected from you.
Balancing / minimal interference: We store only a pseudonymous keyed hash, never the card number. We do not build profiles, do not score or rank you, do not make automated decisions with legal effect (Art. 22 GDPR), and do not share the fingerprint with any third party. The hash is used solely for an equality check at trial sign-up. You may object at any time (Art. 21 GDPR / Art. 30 revDSG) by contacting [email protected]; you can subscribe to a paid plan without any fingerprint check.
7. Newsletter
If you subscribe to our newsletter, we collect your email address and language preference. This data is stored by Brevo (French company, EU servers) for newsletter delivery and contact management. Legal basis: consent (Art. 6(1)(a) GDPR).
- You can unsubscribe at any time via the link in every email.
- Upon unsubscribe, your contact is marked as unsubscribed. To request full deletion, contact [email protected].
- We do not share your email with third parties for marketing purposes.
8. Your rights
Under GDPR (EU) and the Swiss Federal Act on Data Protection (revised version, "revDSG" / revFADP), you have the right to:
- Access — request what data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Portability — receive your data in a structured format
- Restriction — request that we restrict processing of your data (Art. 18 GDPR)
- Object — object to processing based on our legitimate interests or to direct marketing (Art. 21 GDPR)
- Withdraw consent — at any time, by clearing cookies or using the consent banner
- Lodge a complaint — with your local data protection authority
To exercise any of these rights, contact [email protected].
9. lynox the product
The lynox software (@lynox-ai/core) runs entirely on your own infrastructure. We have no access to your data, conversations, knowledge graph, or API keys. The software makes direct API calls to your configured AI provider — no data passes through our servers.
10. Changes
We may update this policy. Significant changes will be noted with an updated "Last updated" date, and where legally required we will notify you directly.