1. Who We Are
- Controller – For personal data falling under the EU General Data Protection Regulation ("GDPR"), ByoViral Ltd. is the data controller.
- Data Protection Officer (DPO) – Email: [email protected]
2. Data We (Usually Don’t) Collect
ByoViral is built to be privacy‑first and cookie‑free. We intentionally avoid collecting personally identifiable information ("PII") wherever possible. Depending on your interaction with the Service, we may process:
Category | Examples | Collection Purpose |
---|---|---|
Anonymous Event Data | Page URL, referrer, device type, browser class, anonymous session ID (hashed, rotates every 24 h), country & city (truncated IP → coarse geolocation), timestamp | Provide aggregated website analytics, uptime metrics & SEO performance |
Account Data | Name, business email, billing address, payment method (tokenised) | Create & manage your ByoViral account, process transactions, send service emails |
Support Data | Emails, chat transcripts, screenshots voluntarily submitted | Diagnose issues & improve support |
Legally‑Required Logs | Server logs with truncated IPs (last 2 bytes masked) | Maintain security & detect abuse |
No Cookies, No Cross‑Site Tracking – We rely on first‑party scripts and do not drop persistent cookies or use fingerprinting.
3. How We Collect Data
- Directly from You – When you create an account, subscribe to newsletters, or contact support.
- Automatically – Via our lightweight analytics script and server logs. All IP addresses are truncated before storage so they are no longer personal data under GDPR Recital 30.
- From Third Parties – Payment processors (for subscription management) and OAuth providers (if you choose social login).
4. Legal Bases for Processing
Jurisdiction | Basis |
---|---|
EU/EEA (GDPR) | Legitimate interests (aggregated analytics), Contract (account & billing), Consent (marketing emails) |
UK GDPR | Same as above |
California (CCPA/CPRA & Delete Act) | Business purpose (service delivery) & users’ right to deletion via our universal opt‑out flow |
Colorado (CPA) | Business purpose; consumers have rights to access, correct, delete & opt‑out of sale/targeted ads (which we do not perform) |
Other US State Laws | Virginia CDPA, Connecticut, Tennessee, etc. – respected via a single preference centre |
EU Data Act (effective 12 Sep 2025) | We enable secure export of your non‑personal data and do not impede switching providers |
5. How We Use Data
- Provide, maintain, and improve the Service
- Generate aggregated, anonymised reports for account holders
- Detect, prevent, and address security incidents
- Communicate critical updates & invoices
- Comply with legal obligations and enforce our Terms
We never sell personal data. We do not perform behavioural advertising or profiling.
6. Data Sharing & Third‑Party Processors
We disclose data only to:
- Infrastructure & Hosting – ISO 27001‑certified cloud providers in the EU and/or US (with EU Standard Contractual Clauses for cross‑border transfers).
- Payment Processing – Stripe or Paddle (PCI‑DSS compliant). Payment details are tokenised; we never store card numbers.
- Customer Support & Email – HelpScout and Postmark. Data residency set to EU where possible.
- Compliance Advisors – Auditors, accountants, and legal counsel under NDA.
All vendors are bound by data‑processing agreements and assessed annually.
7. International Transfers
- EU→US transfers rely on Standard Contractual Clauses and (if self‑certified) the EU‑US Data Privacy Framework.
- Data stored in the US is encrypted in transit (TLS 1.3) and at rest (AES‑256).
8. Data Retention
Data Type | Default Retention |
---|---|
Anonymous event aggregates | 6 months (Free) · 13 months (Pro) · Custom (Enterprise) |
Account & billing records | Duration of subscription + 7 years (tax law) |
Support tickets | 24 months |
Server logs | 30 days |
Users can request immediate deletion or shorter retention within plan limits.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access – Obtain a copy of your personal data.
- Rectify – Correct inaccurate data.
- Erase – Request deletion of your data.
- Restrict – Limit processing in certain cases.
- Portability – Receive data in a structured, machine‑readable format.
- Opt‑Out – Object to processing for analytics or marketing.
- Non‑Discrimination – Receive equal service if you exercise your rights.
How to Exercise Rights
- Self‑Serve Dashboard – Delete sites, events, or your entire account.
- Email – Send a request to [email protected] from the verified address.
- Global Privacy Control (GPC) – We honour the GPC signal for users in applicable states.
- Delete Act Requests – California residents may submit a one‑click deletion via our planned integration with the CPPA’s DROP platform when available.
Requests are authenticated, logged, and fulfilled within 30 days (45 days for Delete Act broker requests).
10. Cookies & Tracking Technologies
ByoViral does not use third‑party cookies, device fingerprinting, or localStorage
. Limited first‑party cookies (e.g. __byo_session
) may be used to maintain secure log‑ins.
11. Security Measures
- TLS 1.3 encryption in transit; AES‑256 at rest
- Quarterly penetration tests & annual SOC 2 audits
- Role‑based access controls; least‑privilege IAM
- Continuous monitoring & 24 / 7 incident response
12. Children’s Privacy
Our Service is not directed to children under 16. We do not knowingly collect personal data from minors. If you believe we have such information, contact us for deletion.
13. Changes to This Policy
We may update this Privacy Policy to reflect new features, laws, or regulatory guidance. We will notify users via email and an in‑app banner at least 30 days before material changes. Continued use after updates constitutes acceptance.
14. Contact Us
Questions, concerns, or requests? Email [email protected] or write to us at:
ByoViral Ltd.
Attn: Data Protection Officer
Legal Disclaimer: This template is provided for informational purposes only and does not constitute legal advice. Consult qualified counsel to adapt it to your specific business model and jurisdiction.