Privacy Policy

Updated at: 2025-07-04.

Last Updated: 4 July 2025

Thank you for choosing ByoViral ("ByoViral", "we", "our", or "us"). This Privacy Policy explains how we collect, use, store, share, and protect information when you visit https://www.byoviral.com and any related sub‑domains, browser extensions, APIs, or other services we offer (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy as well as our Terms & Conditions. Capitalised terms not defined here have the same meaning as in the Terms.

1. Who We Are

  • Controller – For personal data falling under the EU General Data Protection Regulation ("GDPR"), ByoViral Ltd. is the data controller.
  • Data Protection Officer (DPO) – Email: [email protected]

2. Data We (Usually Don’t) Collect

ByoViral is built to be privacy‑first and cookie‑free. We intentionally avoid collecting personally identifiable information ("PII") wherever possible. Depending on your interaction with the Service, we may process:

| Category | Examples | Collection Purpose |
| --- | --- | --- |
| Anonymous Event Data | Page URL, referrer, device type, browser class, anonymous session ID (hashed, rotates every 24 h), country & city (truncated IP → coarse geolocation), timestamp | Provide aggregated website analytics, uptime metrics & SEO performance |
| Account Data | Name, business email, billing address, payment method (tokenised) | Create & manage your ByoViral account, process transactions, send service emails |
| Support Data | Emails, chat transcripts, screenshots voluntarily submitted | Diagnose issues & improve support |
| Legally‑Required Logs | Server logs with truncated IPs (last 2 bytes masked) | Maintain security & detect abuse |

No Cookies, No Cross‑Site Tracking – We rely on first‑party scripts and do not drop persistent cookies or use fingerprinting.

3. How We Collect Data

  • Directly from You – When you create an account, subscribe to newsletters, or contact support.
  • Automatically – Via our lightweight analytics script and server logs. All IP addresses are truncated before storage so they are no longer personal data under GDPR Recital 30.
  • From Third Parties – Payment processors (for subscription management) and OAuth providers (if you choose social login).

| Jurisdiction | Basis |
| --- | --- |
| EU/EEA (GDPR) | Legitimate interests (aggregated analytics), Contract (account & billing), Consent (marketing emails) |
| UK GDPR | Same as above |
| California (CCPA/CPRA & Delete Act) | Business purpose (service delivery) & users’ right to deletion via our universal opt‑out flow |
| Colorado (CPA) | Business purpose; consumers have rights to access, correct, delete & opt‑out of sale/targeted ads (which we do not perform) |
| Other US State Laws | Virginia CDPA, Connecticut, Tennessee, etc. – respected via a single preference centre |
| EU Data Act (effective 12 Sep 2025) | We enable secure export of your non‑personal data and do not impede switching providers |

5. How We Use Data

  • Provide, maintain, and improve the Service
  • Generate aggregated, anonymised reports for account holders
  • Detect, prevent, and address security incidents
  • Communicate critical updates & invoices
  • Comply with legal obligations and enforce our Terms

We never sell personal data. We do not perform behavioural advertising or profiling.

6. Data Sharing & Third‑Party Processors

We disclose data only to:

  1. Infrastructure & Hosting – ISO 27001‑certified cloud providers in the EU and/or US (with EU Standard Contractual Clauses for cross‑border transfers).
  2. Payment Processing – Stripe or Paddle (PCI‑DSS compliant). Payment details are tokenised; we never store card numbers.
  3. Customer Support & Email – HelpScout and Postmark. Data residency set to EU where possible.
  4. Compliance Advisors – Auditors, accountants, and legal counsel under NDA.

All vendors are bound by data‑processing agreements and assessed annually.

7. International Transfers

  • EU→US transfers rely on Standard Contractual Clauses and (if self‑certified) the EU‑US Data Privacy Framework.
  • Data stored in the US is encrypted in transit (TLS 1.3) and at rest (AES‑256).

8. Data Retention

| Data Type | Default Retention |
| --- | --- |
| Anonymous event aggregates | 6 months (Free) · 13 months (Pro) · Custom (Enterprise) |
| Account & billing records | Duration of subscription + 7 years (tax law) |
| Support tickets | 24 months |
| Server logs | 30 days |

Users can request immediate deletion or shorter retention within plan limits.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access – Obtain a copy of your personal data.
  • Rectify – Correct inaccurate data.
  • Erase – Request deletion of your data.
  • Restrict – Limit processing in certain cases.
  • Portability – Receive data in a structured, machine‑readable format.
  • Opt‑Out – Object to processing for analytics or marketing.
  • Non‑Discrimination – Receive equal service if you exercise your rights.

How to Exercise Rights

  1. Self‑Serve Dashboard – Delete sites, events, or your entire account.
  2. Email – Send a request to [email protected] from the verified address.
  3. Global Privacy Control (GPC) – We honour the GPC signal for users in applicable states.
  4. Delete Act Requests – California residents may submit a one‑click deletion via our planned integration with the CPPA’s DROP platform when available.

Requests are authenticated, logged, and fulfilled within 30 days (45 days for Delete Act broker requests).

10. Cookies & Tracking Technologies

ByoViral does not use third‑party cookies, device fingerprinting, or localStorage. Limited first‑party cookies (e.g. __byo_session) may be used to maintain secure log‑ins.

11. Security Measures

  • TLS 1.3 encryption in transit; AES‑256 at rest
  • Quarterly penetration tests & annual SOC 2 audits
  • Role‑based access controls; least‑privilege IAM
  • Continuous monitoring & 24 / 7 incident response

12. Children’s Privacy

Our Service is not directed to children under 16. We do not knowingly collect personal data from minors. If you believe we have such information, contact us for deletion.

13. Changes to This Policy

We may update this Privacy Policy to reflect new features, laws, or regulatory guidance. We will notify users via email and an in‑app banner at least 30 days before material changes. Continued use after updates constitutes acceptance.

14. Contact Us

Questions, concerns, or requests? Email [email protected] or write to us at:

ByoViral Ltd.
Attn: Data Protection Officer


Legal Disclaimer: This template is provided for informational purposes only and does not constitute legal advice. Consult qualified counsel to adapt it to your specific business model and jurisdiction.

© 2025 ByoViral Ltd.