Overview.
This policy explains how VYRA Data Inc. ("VYRA", "we", "us") collects, uses, shares, and protects personal information. It covers our websites, our SaaS products (Vyra Insights, Vyra Life, Vyra Code, and the VYN AI teammate), and our services: website development, SEO, static Meta ads, app development, CRM development and implementation, and AI implementation. When we build a site for a client, it usually lives on a client.vyradata.com address, and this policy governs the parts of it that VYRA operates.
We collect as little as we need, and we are direct about what we do with it. We do not sell your personal information.
VYRA is based in Halifax, Nova Scotia, Canada. Our Privacy Officer is reachable at privacy@vyradata.com. We handle personal information under Canada's federal privacy law, PIPEDA, and, for Quebec residents, under Quebec's Law 25. We also honour comparable rights for residents of the United States, the European Union, and the United Kingdom, as described in the regional sections below.
A quick note on roles. For our own websites and products, VYRA decides why and how your information is used. When we operate a product, an ad account, or a CRM on behalf of a business client, that client usually makes those decisions and we act on their instructions. In that case, this policy tells you how we handle information generally, but the client's own privacy notice governs their use of it.
Information we collect.
We collect information from a few different sources.
Information you give us.
- Your name, email address, phone number, company, and job title.
- The content of inquiries, support requests, account details, and messages you send us.
- Billing details you provide to buy a product or service. Payment card numbers go straight to our payment processor; we do not store full card numbers.
- Anything you choose to type or upload into VYN, our products, or a form on our sites.
Information we collect automatically.
- Basic device and browser data, such as browser type, operating system, and language.
- Usage data, such as pages visited, links clicked, referring page, and timestamps.
- Approximate location derived from your IP address.
- Cookie and similar identifiers, but only in line with your cookie choices. See the Cookies section.
Information from your use of VYN and the products.
- The prompts and messages you send to VYN and the responses it returns.
- Records of the features you use and the actions you take, so we can run and improve the service.
- Content you connect or upload for a product to work on.
Information from third parties.
- Our payment processor confirms whether a payment succeeded and shares limited details such as the card's last four digits.
- Analytics and advertising providers give us aggregated measurement about how our campaigns and sites perform.
- If you reach us through a client's site or a referral, we may receive the contact details you shared there.
Sensitive information.
We do not ask for sensitive information such as health data, financial account numbers, biometric data, or government ID unless a specific service genuinely needs it. Where the law treats a category of information as sensitive, we handle it with extra care and, where the law requires, we ask for your express consent before we collect or use it. We do not knowingly send sensitive information through advertising tools.
We do not sell your personal information.
How we use your information.
We use personal information to:
- Provide, operate, secure, and improve our websites, products, and services.
- Respond to your questions, requests, and support tickets.
- Set up and manage accounts and process payments.
- Send service messages, such as receipts, security notices, and important changes.
- Send marketing messages only where you have opted in, and always in a way that complies with Canada's anti-spam law, CASL. You can unsubscribe at any time, and we honour unsubscribe requests within 10 business days, as CASL requires.
- Meet our legal, tax, and regulatory obligations, and enforce our agreements.
We rely on a lawful basis for each use. In plain terms:
- To perform our contract with you, for example to deliver a product you signed up for or a service you hired us to do.
- With your consent, for example for non-essential cookies and opt-in marketing. You can withdraw consent at any time.
- For our legitimate interests, for example to keep our services secure, prevent fraud, and understand how our sites are used, balanced against your privacy.
- To meet legal obligations, for example tax records and responses to lawful requests.
AI and your data.
When you interact with an AI feature such as VYN, we tell you that you are talking to an AI, not a person.
Here is how public VYN works. Your chat inputs are used to generate a response grounded in approved public website information. VYN can prepare an inquiry draft, but the browser sends it only after you choose Send this to VYRA. A human reads every submitted inquiry before VYRA replies.
Under the business and enterprise terms of the third-party model providers we use, they do not train their models on your content. VYRA does not train its own models on your content without your written opt-in. We may use aggregated, de-identified data, which cannot reasonably be linked back to you, to measure and improve the services.
VYN chat and prompt data is kept for about 90 days, unless we need it longer to run the service, resolve a dispute, or meet a legal duty. We do not make decisions that have a significant effect on you based solely on automated processing without a route to human review. See the Automated decisions section.
Grounded answers are slower to build and impossible to fake.
Cookies.
We use cookies and similar technologies to keep our sites working, remember your preferences, and understand how our sites are used. Our Cookie policy lists every tracker we use and its purpose.
For non-essential trackers, your consent is prior, free, specific, informed, and as easy to withdraw or reject as it is to give. No non-essential tracker fires before you consent. Rejecting is as simple as accepting, and you can change your mind at any time.
We group cookies into three categories:
- Necessary: required for the site to function, such as security and remembering your cookie choice. Always on.
- Analytics: help us understand how the site is used so we can improve it. Off until you allow them.
- Marketing: measure and improve the relevance of our campaigns. Off until you allow them.
When Analytics is on, we load Google Analytics 4 with IP anonymisation and a 14-month retention window for event data.
When Marketing is on, we load the Meta pixel and send matching events to Meta through the Conversions API for measurement and deduplication. If you submit a form, your email, phone number, and first name are hashed with SHA-256 on our server before they reach Meta. They are never sent in the clear, and they are never sent to Meta unless Marketing is on.
For visitors in the EEA and the UK, we send Google Consent Mode v2 signals so our tags respect your choice.
You can manage or change your choice at any time through the cookie preferences link on our sites. Turning a category off stops the related collection right away.
How we share information.
We rely on a small number of trusted providers to run our business. Each one is bound by an agreement, gets only the information it needs to do its job, and is not allowed to use it for anything else. Categories include:
- Cloud hosting.
- Database services.
- Payment processing.
- Transactional email delivery.
- AI model access.
- Website analytics.
- Advertising measurement.
- Customer support tools.
- CRM platforms we use to manage relationships and, where you are our client, to run yours.
Every provider is bound by a written agreement that limits it to our instructions, requires confidentiality and appropriate security, and forbids using your information for its own purposes. We stay accountable for the information we hand to a provider, and we review the security of the providers we rely on. See our Subprocessors page for the current list, and our Data processing agreement if you need one as a customer.
We may also share information to comply with the law, respond to a lawful request, protect our rights and users, or as part of a business transfer such as a merger or acquisition, in which case we will require the recipient to honour this policy.
We do not sell your personal information. When we send data through Meta's tools for advertising measurement, the business is the controller and Meta acts as its processor, and Meta may keep event data for up to two years. Where we run ads or a CRM on a client's behalf, we do so under written authorisation from that client and only for that client's purposes.
Data retention.
We keep personal information only as long as we need it for the purposes in this policy, to meet our legal obligations, to resolve disputes, and to enforce our agreements. When it is no longer needed, we delete it or anonymise it so it can no longer identify you.
How long we keep information depends on why we hold it:
- Account and billing records last as long as your relationship with us plus the period tax and other laws require.
- Inquiries and support messages are kept while we may still need them to help you or to keep a record of what happened.
- Marketing contact details stay until you unsubscribe.
- Where Analytics is enabled, Google Analytics 4 retains event data for 14 months.
- VYN chat and prompt data is kept for about 90 days, unless we need it longer to run the service, resolve a dispute, or meet a legal duty.
Security.
We protect personal information with safeguards that fit its sensitivity, including:
- Encryption of data in transit and at rest.
- Multi-factor authentication on administrative accounts.
- Role-based, least-privilege access, so people can reach only what their job requires.
- Monitoring and logging to detect and investigate unusual activity.
- Security review of the vendors we rely on.
No system is perfectly secure, but we work to keep the risk low and to respond quickly if something goes wrong. To report a vulnerability or a security concern, email security@vyradata.com.
If there is a data breach.
If a security breach creates a real risk of significant harm, we report it to the Office of the Privacy Commissioner of Canada and notify affected people as soon as feasible. We keep records of breaches for 24 months.
For Quebec, we report confidentiality incidents to Quebec's regulator, the CAI, and notify affected individuals where the law requires it.
For the EU and the UK, where a breach is reportable, we notify the relevant supervisory authority within the timeframe the applicable law sets, and we notify affected individuals where the risk to them requires it.
International data transfers.
Some of our providers are located in the United States or in other countries, which means your information may be processed outside your home region.
- For EU and UK personal data, we use Standard Contractual Clauses. Where we rely on the EU-US Data Privacy Framework, we keep Standard Contractual Clauses as a fallback so your data stays protected.
- Before we transfer Quebec personal information outside Quebec, we run the assessment that Law 25 requires.
- Under PIPEDA, we require every provider that processes personal information on our behalf to give it comparable protection by contract.
Automated decisions.
We do not make decisions that have a significant effect on you based solely on automated processing without a way to get a human to review them.
Where such processing does apply, residents of Quebec and of the EU and the UK can ask us for the main factors and personal information used in the decision, and can request that a person review it. Contact privacy@vyradata.com.
Your privacy rights.
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct information that is wrong or out of date.
- Delete your personal information.
- Receive a copy of your information in a portable format.
- Object to or restrict certain processing.
- Withdraw consent where we relied on it, without affecting anything we did before you withdrew it.
To exercise any of these rights, email privacy@vyradata.com. We may need to verify your identity before we act, so that no one else can use your rights to reach your data. In most cases we reply within 30 days, and where a law sets a different clock we follow it. If we need more time for a complex request, we will tell you why and how long we expect to take. If your information is held by us on behalf of one of our clients, we will point you to that client, who is best placed to answer, and help where we can. You will not be treated differently for exercising a right, and using one is always free unless a request is clearly excessive or repetitive.
Regional privacy rights.
Some regions add specific rights on top of the ones above. These sections explain the extras.
Canada.
Under PIPEDA you can ask to access and correct your personal information and to understand how we use it. If Quebec's Law 25 applies to you as a resident, you also have the right to data portability, and you can rely on VYRA's designated person in charge of protecting personal information, reachable at privacy@vyradata.com. Before we send Quebec personal information outside Quebec, we run the assessment Law 25 requires, and where an automated decision applies you can ask for the main factors used and a human review.
If you are not satisfied with how we handled your request, you can complain to the Office of the Privacy Commissioner of Canada or, for Quebec, to Quebec's CAI.
United States.
If you are a resident of California or another state with a comprehensive privacy law, you may have the right to know what personal information we collect and how we use it, to delete it, to correct it, and to opt out of the sale or sharing of personal information. We honour Global Privacy Control browser signals as a valid opt-out.
You can also ask someone to make a request for you as an authorized agent, and we may ask them to prove they act for you and ask you to confirm the request. If we turn a request down, you can ask us to look again, and where your state gives you a right to appeal we will tell you how to use it. We answer within the window your state sets, usually 45 days, and we will not treat you differently for using a right.
We do not sell your personal information. Even so, we provide a "Do Not Sell or Share My Personal Information" choice so you can exercise that right. To make any of these requests, email privacy@vyradata.com. You may also contact your state Attorney General.
Europe and the United Kingdom.
If you are in the EU or the UK, the GDPR and the UK GDPR give you the rights listed in the Your privacy rights section, exercised against the lawful bases described in How we use your information: performance of a contract, consent, legitimate interests, and legal obligations. You have the right not to be subject to a decision based solely on automated processing that produces a significant effect on you, and you can ask for human review.
If you have a concern, you can complain to the UK ICO or to your local data protection authority.
Children's privacy.
Our websites, products, and services are not directed to children. We do not knowingly collect personal information from children, and where a minimum age of consent applies under local law we honour it. We do not knowingly send data about anyone under 13 through our advertising tools. If you believe a child has given us personal information, email privacy@vyradata.com and we will delete it.
Changes to this policy.
We may update this policy from time to time. When we make a material change, we update the last-updated date at the top and give you notice where appropriate. If a change introduces a new purpose or new sharing that the law says needs your consent, we will ask for that consent before it applies to you, rather than treating your continued use as acceptance. For other changes, your continued use of the services after the change takes effect means you accept the updated policy.
How to contact us.
- For privacy questions and to exercise your rights: privacy@vyradata.com.
- For security and vulnerability reports: security@vyradata.com.
- For general and legal questions: contact@vyradata.com.
We are based in Halifax, Nova Scotia, Canada. If you would rather write to us by mail, email privacy@vyradata.com and ask for our Privacy Officer, and we will give you a mailing address. If you are not satisfied with our response, you can complain to the Office of the Privacy Commissioner of Canada, Quebec's CAI, the UK ICO, your EU data protection authority, or your US state Attorney General.