Your Data Protection Rights
Global — applies to every Vyrable user · Last updated: 27 April 2026
1. Introduction
Vyrable runs a single global privacy programme rather than separate region-only ones. We honour data-subject rights for every user we serve, regardless of where you live, by writing this page against the most rights-rich frameworks we operate under (UK GDPR / EU GDPR) and extending equivalent rights to users covered by the California CCPA/CPRA, Brazil LGPD, Canada PIPEDA, the Australian Privacy Act 1988, and similar regimes worldwide.
The historical URL /gdpr is preserved for SEO + bookmarks but the page covers global rights. Read this alongside our Privacy Policy (with §11 mirroring this baseline and §12 covering region-specific notes) for the full picture of how we collect, use, and protect your personal data.
2. Your Rights — Global Baseline
These rights apply to every Vyrable user. Where your local law (CCPA, LGPD, PIPEDA, APPs, etc.) grants additional or stronger rights, we honour those too on request.
Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you. We will provide this in a structured, commonly used format (JSON or CSV) within 30 days of your request.
Right to Rectification (Article 16)
You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. You can update most account information directly through your dashboard settings.
Right to Erasure (Article 17)
You have the right to request the deletion of your personal data ("right to be forgotten"). This applies when the data is no longer necessary for the purpose it was collected, you withdraw consent, or the data has been unlawfully processed. Some data may be retained where required by law (e.g., financial records for tax compliance).
Right to Restriction of Processing (Article 18)
You have the right to request that we limit how we process your personal data. This may apply where you contest the accuracy of data, the processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller. This applies to data you have provided to us and that is processed based on consent or contract performance.
Right to Object (Article 21)
You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis. This includes the right to object to profiling based on legitimate interests. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Article 7(3))
Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
3. How to Exercise Your Rights
You can exercise your data protection rights in the following ways:
By Email
Send your request to privacy@vyrable.ai with the subject line "Data Rights Request" (or "CCPA Request" if you're a California resident, "LGPD Request" if you're in Brazil — any of these route to the same team). Please include:
- Your full name and email address associated with your account
- Which right you wish to exercise
- Any additional details to help us locate and process your request
Via API (Self-Service)
Logged-in users can use the following API endpoints for immediate self-service:
GET /api/gdpr/exportDownload a full export of your personal data in JSON format.
DELETE /api/gdpr/deleteRequest permanent deletion of your account and all associated personal data. This action is irreversible.
Response Time
We will acknowledge your request within 48 hours and fulfil it within 30 days (45 days for verifiable consumer requests under California CCPA/CPRA, with one 45-day extension where strictly necessary; 15 days for LGPD requests in Brazil). If your request is particularly complex, we may extend by up to two additional months and will notify you of the extension and the reason within the initial period.
All requests are free of charge regardless of region. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive (Article 12(5) UK/EU GDPR; equivalent provisions in CCPA/CPRA, LGPD, PIPEDA, and the Australian APPs).
4. Data Protection Officer
Our Data Protection Officer (DPO) oversees our compliance with data protection legislation. You can contact the DPO for any questions, concerns, or requests related to your personal data:
Email: dpo@vyrable.ai
Postal: Data Protection Officer, Vyrable, United Kingdom
5. Right to Lodge a Complaint
If you are unsatisfied with how we have handled your data or responded to your request, you have the right to lodge a complaint with your local supervisory authority.
United Kingdom
Information Commissioner's Office (ICO) — ico.org.uk · Helpline 0303 123 1113
European Union
The supervisory authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. Directory at edpb.europa.eu.
United States — California
California Privacy Protection Agency (CPPA) — cppa.ca.gov. The California Attorney General also enforces the CCPA at oag.ca.gov/privacy/ccpa.
Brazil
Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.
Canada
Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca. Provincial regulators in Quebec (CAI), British Columbia, and Alberta also have jurisdiction depending on your residency.
Australia
Office of the Australian Information Commissioner (OAIC) — oaic.gov.au.
Other regions
Contact your local data-protection regulator — examples include Singapore PDPC, India Data Protection Board, South Korea PIPC, South Africa Information Regulator, UAE Data Office, Switzerland FDPIC. We'll cooperate with any legitimate authority.
6. Where Your Data Is Processed
Your personal data is primarily stored and processed in the United Kingdom and the European Economic Area (EEA). Our primary database is hosted in the EU (Frankfurt) and our application is served from EU edge locations.
6.1 Sub-processors based outside the UK/EEA
Some of our sub-processors are based outside the UK/EEA (primarily in the United States). When data is transferred to these processors, we rely on Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), the EU-US Data Privacy Framework, or adequacy decisions to ensure your data remains protected.
6.2 AI / LLM processing
Vyrable runs content generation through third-party AI model providers. The content you submit to be drafted, scored, or rewritten is sent to those providers under contractual data-processing agreements. We have selected providers whose API terms confirm that user data is not used to train their models and is processed ephemerally (no long-term storage by the provider).
You can request a list of which AI processing providers handled any specific output via the in-product cost meter or by contacting our DPO. We never share your content with AI providers for any purpose other than producing the output you requested.
6.3 Connected social platforms (your choice)
When you connect a third-party social or publishing platform (LinkedIn, X, Facebook, Instagram, TikTok, YouTube, Threads, Pinterest, Reddit, Bluesky, Spotify, Mastodon, Substack, WeChat, RedBook, and others), the content you publish flows to that platform’s servers under their privacy policy and terms — not ours. Several of these platforms host data outside the UK/EEA, including in the United States, China, and other jurisdictions:
- Meta-owned platforms (Facebook, Instagram, Threads, WhatsApp): primarily United States, with global edge processing
- X (Twitter), LinkedIn, YouTube, TikTok, Pinterest, Reddit, Snapchat: primarily United States
- WeChat, RedBook (Xiaohongshu): primarily mainland China
- Spotify, Mastodon, Bluesky, Substack: primarily United States and EU
You decide which platforms to connect. Disconnecting a platform stops Vyrable sending new content to it; data already published remains under that platform’s control until you remove it via their tools. We treat your choice to connect a platform as your informed instruction to publish to that platform under its terms.
6.4 Global accessibility
Vyrable is accessible globally. We honour data-subject rights for users in every jurisdiction we serve, including those without a comprehensive data-protection law. If your country’s law gives you stronger rights than UK/EU GDPR, we will honour those stronger rights. We do not sell or share your personal data to data brokers anywhere in the world.
For a full list of our sub-processors and their locations, see Section 7 of our Privacy Policy.
7. Legal Basis for Processing
We process your personal data under one or more of the following legal bases:
| Legal Basis | When We Use It |
|---|---|
| Consent (Art. 6(1)(a)) | Marketing emails, non-essential cookies (analytics, marketing), AI personalisation features |
| Contract (Art. 6(1)(b)) | Providing your account, processing subscriptions and payments, delivering the core Service |
| Legitimate Interest (Art. 6(1)(f)) | Service improvement, analytics, fraud prevention, security monitoring |
| Legal Obligation (Art. 6(1)(c)) | Tax and financial record-keeping, regulatory compliance, responding to lawful requests |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You can request a copy of our legitimate interest assessments by contacting us.
8. Data Retention Periods
We retain your personal data only for as long as necessary for the purposes it was collected. The table below summarises our retention periods:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Generated content | Duration of account (deleted on account closure) |
| Payment records | 7 years (legal/tax obligation) |
| Server logs | 90 days |
| Analytics data | 26 months (anonymised after) |
| Support tickets | 3 years after resolution |
| Cookie consent records | 3 years (proof of consent) |
| AI interaction logs | 12 months (then anonymised) |
After the retention period expires, data is either permanently deleted or fully anonymised so that it can no longer be linked to you.
9. Contact Us
If you have any questions about your data-protection rights — wherever you live — or wish to exercise them, contact us:
Privacy team: privacy@vyrable.ai
Data Protection Officer (UK/EU): dpo@vyrable.ai
Website: vyrable.ai