Privacy Policy
Your data belongs to you. Lyfos is a paid product — we have no incentive to sell your information. This policy explains exactly what we collect, why, and what you can do about it.
1. What We Collect
1.1 Account Data
When you create an account we collect your full name, email address, and a bcrypt password hash (never plaintext). We also store any optional profile details you choose to provide: display name, avatar URL, and timezone.
1.2 Integration Data
When you voluntarily connect a third-party service (Slack, GitHub, Strava, Linear, Jira, Notion) we store an OAuth access token and refresh token for that service. These tokens are used only to perform sphere-assignment operations on your behalf — for example, silencing Slack notifications during Personal Sphere hours. You can revoke any integration at any time from Settings → Integrations.
1.3 Payment Data (when subscription active)
Billing is processed by Razorpay. When you hold an active paid subscription we store your Razorpay customer ID, subscription ID, plan tier, and subscription status. We do not store full card numbers, CVV, or bank account details — those are held exclusively by Razorpay under their PCI-DSS compliance program. If you are on the free beta tier, no payment data is stored.
1.4 Telemetry and Error Logs
We collect anonymised usage events (feature interactions, page views) and crash/error reports via Sentry. These are used solely to fix bugs and improve reliability. Telemetry does not include the content of your tasks, notes, or AI coach conversations.
1.5 AI Coach Conversations
If you use the AI coach, your conversation turns are processed by our backend and forwarded to our LLM provider to generate a response. We retain conversation history to provide continuity across sessions. You can delete your conversation history at any time from Settings → AI Coach.
2. Legal Basis for Processing
We process personal data only where we have a legal basis to do so. The table below lists each processing activity and its basis under Indian law (DPDPA 2023) and EU/UK law (GDPR Art. 6).
| Processing Activity | India (DPDPA 2023) | EEA / UK (GDPR Art. 6) |
|---|---|---|
| Account creation & authentication | Consent (§ 5) + Contract (§ 7) | Art. 6(1)(b) — contract |
| Integration OAuth tokens | Consent (§ 5) | Art. 6(1)(a) — consent |
| Payment processing | Contract (§ 7) | Art. 6(1)(b) — contract |
| Error monitoring / telemetry | Legitimate interest (§ 7(i)) | Art. 6(1)(f) — legitimate interest |
| AI coach conversations | Consent (§ 5) | Art. 6(1)(a) — consent |
We do not rely on legitimate interests for any processing that involves sensitive personal data as defined under the Digital Personal Data Protection Act 2023.
3. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Until you request deletion |
| Deleted account data | Purged within 30 days of deletion request |
| Payment records (Razorpay) | 7 years (statutory requirement) |
| Error logs (Sentry) | 90 days, then auto-purged |
| OAuth integration tokens | Until you disconnect, or account deletion |
| AI coach history | Until you clear it, or account deletion |
Account deletion is available at Settings → Account → Delete Account. Our deletion job runs daily and purges all personal data within 30 days of your request, compliant with DPDPA 2023 § 11 and GDPR Art. 17 (right to erasure).
4. Third-Party Processors
We share data only with the processors listed below, strictly for the stated purpose. We do not sell your data to any third party, ever.
| Processor | Purpose | Data Shared | Region |
|---|---|---|---|
| Render | Backend API hosting | All backend data in transit / at rest | US (Oregon) |
| Vercel | Web frontend hosting | Request logs, IP addresses | US / Edge |
| Resend | Transactional email (verification, password reset) | Email address, name | US |
| Sentry | Error monitoring | Error stack traces, anonymised session context | US |
| Razorpay | Payment processing (when subscription active) | Name, email, billing amount | India |
| Slack | Integration — only if you connect Slack | OAuth tokens scoped to notification mgmt | US |
| GitHub | Integration — only if you connect GitHub | OAuth tokens scoped to issue/PR data | US |
| Strava | Integration — only if you connect Strava | OAuth tokens scoped to activity data | US |
| Linear | Integration — only if you connect Linear | OAuth tokens scoped to issue data | US |
| Jira | Integration — only if you connect Jira | OAuth tokens scoped to issue data | US |
| Notion | Integration — only if you connect Notion | OAuth tokens scoped to page data | US |
All processors are bound by a Data Processing Agreement and are required to handle your data in accordance with applicable privacy law. Integration providers receive data only if you explicitly connect that service.
5. Your Rights
You have the following rights regardless of where you are located. We do not require you to give a reason for exercising any of them.
- Access — Request a copy of all personal data we hold about you. We will respond within 30 days.
- Deletion — Delete your account and all associated personal data via Settings → Account → Delete Account, or by emailing privacy@lyfos.ai. Deletion is unconditionally free.
- Portability — Export your data in machine-readable JSON format via Settings → Account → Export Data. This is always free, regardless of plan tier, as required by DPDPA 2023 § 11, GDPR Art. 20, and CCPA.
- Correction — Update your profile information at any time in Settings → Profile.
- Withdrawal of Consent — Disconnect any integration at any time from Settings → Integrations. This immediately withdraws consent for that integration's data processing and we will delete the associated OAuth tokens.
- Restrict Processing — Contact privacy@lyfos.ai to request restriction of processing while a dispute is being resolved.
6. Contact
Data Protection Officer
For privacy requests, data subject rights inquiries, and policy questions.
privacy@lyfos.aiIndia Grievance Officer
Per IT Act 2000 § 5(9) and IT Rules 2011 Rule 5(9):
Name: Nidish Ramakrishnan
Designation: Founder & Grievance Officer
grievance@lyfos.aiResponse SLA: 30 days from receipt of complaint, as required under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Cognileap Eduventures LLP, LLPIN ACC-7280, Bangalore, Karnataka, India
7. Changes to This Policy
We will post a notice on the Lyfos website at least 14 days before any material change to this policy takes effect. For changes required by law we may apply them immediately. Continued use of the service after the effective date constitutes acceptance of the updated policy.
The canonical version of this policy is always available at https://www.lyfos.ai/privacy.
Privacy Policy v1.0 · Last updated 2026-06-02
Operated by Cognileap Eduventures LLP · LLPIN ACC-7280 · Bangalore, India