Privacy Policy

1. Who We Are

Controller – For personal data falling under the EU General Data Protection Regulation ("GDPR"), ByoViral Ltd. is the data controller.
Data Protection Officer (DPO) – Email: [email protected]

2. Data We (Usually Don’t) Collect

ByoViral is built to be privacy‑first and cookie‑free. We intentionally avoid collecting personally identifiable information ("PII") wherever possible. Depending on your interaction with the Service, we may process:

Category	Examples	Collection Purpose
Anonymous Event Data	Page URL, referrer, device type, browser class, anonymous session ID (hashed, rotates every 24 h), country & city (truncated IP → coarse geolocation), timestamp	Provide aggregated website analytics, uptime metrics & SEO performance
Account Data	Name, business email, billing address, payment method (tokenised)	Create & manage your ByoViral account, process transactions, send service emails
Support Data	Emails, chat transcripts, screenshots voluntarily submitted	Diagnose issues & improve support
Legally‑Required Logs	Server logs with truncated IPs (last 2 bytes masked)	Maintain security & detect abuse

No Cookies, No Cross‑Site Tracking – We rely on first‑party scripts and do not drop persistent cookies or use fingerprinting.

3. How We Collect Data

Directly from You – When you create an account, subscribe to newsletters, or contact support.
Automatically – Via our lightweight analytics script and server logs. All IP addresses are truncated before storage so they are no longer personal data under GDPR Recital 30.
From Third Parties – Payment processors (for subscription management) and OAuth providers (if you choose social login).

4. Legal Bases for Processing

Jurisdiction	Basis
EU/EEA (GDPR)	Legitimate interests (aggregated analytics), Contract (account & billing), Consent (marketing emails)
UK GDPR	Same as above
California (CCPA/CPRA & Delete Act)	Business purpose (service delivery) & users’ right to deletion via our universal opt‑out flow
Colorado (CPA)	Business purpose; consumers have rights to access, correct, delete & opt‑out of sale/targeted ads (which we do not perform)
Other US State Laws	Virginia CDPA, Connecticut, Tennessee, etc. – respected via a single preference centre
EU Data Act (effective 12 Sep 2025)	We enable secure export of your non‑personal data and do not impede switching providers

5. How We Use Data

Provide, maintain, and improve the Service
Generate aggregated, anonymised reports for account holders
Detect, prevent, and address security incidents
Communicate critical updates & invoices
Comply with legal obligations and enforce our Terms

We never sell personal data. We do not perform behavioural advertising or profiling.

We disclose data only to:

Infrastructure & Hosting – ISO 27001‑certified cloud providers in the EU and/or US (with EU Standard Contractual Clauses for cross‑border transfers).
Payment Processing – Stripe or Paddle (PCI‑DSS compliant). Payment details are tokenised; we never store card numbers.
Customer Support & Email – HelpScout and Postmark. Data residency set to EU where possible.
Compliance Advisors – Auditors, accountants, and legal counsel under NDA.

All vendors are bound by data‑processing agreements and assessed annually.

7. International Transfers

EU→US transfers rely on Standard Contractual Clauses and (if self‑certified) the EU‑US Data Privacy Framework.
Data stored in the US is encrypted in transit (TLS 1.3) and at rest (AES‑256).

8. Data Retention

Data Type	Default Retention
Anonymous event aggregates	6 months (Free) · 13 months (Pro) · Custom (Enterprise)
Account & billing records	Duration of subscription + 7 years (tax law)
Support tickets	24 months
Server logs	30 days

Users can request immediate deletion or shorter retention within plan limits.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

Access – Obtain a copy of your personal data.
Rectify – Correct inaccurate data.
Erase – Request deletion of your data.
Restrict – Limit processing in certain cases.
Portability – Receive data in a structured, machine‑readable format.
Opt‑Out – Object to processing for analytics or marketing.
Non‑Discrimination – Receive equal service if you exercise your rights.

How to Exercise Rights

Self‑Serve Dashboard – Delete sites, events, or your entire account.
Email – Send a request to [email protected] from the verified address.
Global Privacy Control (GPC) – We honour the GPC signal for users in applicable states.
Delete Act Requests – California residents may submit a one‑click deletion via our planned integration with the CPPA’s DROP platform when available.

Requests are authenticated, logged, and fulfilled within 30 days (45 days for Delete Act broker requests).

10. Cookies & Tracking Technologies

ByoViral does not use third‑party cookies, device fingerprinting, or localStorage. Limited first‑party cookies (e.g. __byo_session) may be used to maintain secure log‑ins.

11. Security Measures

TLS 1.3 encryption in transit; AES‑256 at rest
Quarterly penetration tests & annual SOC 2 audits
Role‑based access controls; least‑privilege IAM
Continuous monitoring & 24 / 7 incident response

12. Children’s Privacy

Our Service is not directed to children under 16. We do not knowingly collect personal data from minors. If you believe we have such information, contact us for deletion.

13. Changes to This Policy

We may update this Privacy Policy to reflect new features, laws, or regulatory guidance. We will notify users via email and an in‑app banner at least 30 days before material changes. Continued use after updates constitutes acceptance.

14. Contact Us

Questions, concerns, or requests? Email [email protected] or write to us at:

ByoViral Ltd.
Attn: Data Protection Officer

Legal Disclaimer: This template is provided for informational purposes only and does not constitute legal advice. Consult qualified counsel to adapt it to your specific business model and jurisdiction.