Privacy Policy

Last updated: 25 March 2026

1. Introduction

Vyrable ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at vyrable.ai and any related services (collectively, the "Service").

Vyrable is operated from the United Kingdom. We act as the data controller for the personal data described in this policy. Personal data and content you submit to the Service are processed globally — we use sub-processors located in the UK, the European Economic Area, the United States, and other regions worldwide to deliver the Service (see §8 for the safeguards we apply, and our Data Processing Agreement for the full sub-processor list).

We honour data-subject rights for users in every jurisdiction we serve, regardless of where you live. This policy is written against the most rights-rich frameworks we operate under — the UK GDPR and EU GDPR — and we extend equivalent rights to users covered by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's PIPEDA, the Australian Privacy Act 1988, and similar regimes worldwide. See §11 for the rights you have and §15 for how to exercise them.

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

  • Account information (name, email address, password)
  • Profile information (job title, company, expertise areas)
  • Content you create, upload, or generate using the Service
  • Payment and billing information when you subscribe to a paid plan
  • Communications you send to us (support requests, feedback)
  • Cookie consent preferences

2.2 Information Collected Automatically

  • Device information (browser type, operating system, device identifiers)
  • Log data (IP address, access times, pages viewed, referring URL)
  • Usage data (features used, actions taken, content generated)
  • Cookies and similar tracking technologies (see our Cookie Policy)

2.3 Information from Third Parties

  • Social media account data when you connect platforms (LinkedIn, X/Twitter)
  • Authentication data from OAuth providers (Google, LinkedIn, GitHub, Microsoft)
  • Analytics data from third-party services

3. Legal Basis for Processing

Under the UK GDPR and EU GDPR, we process your personal data on one or more of the following legal bases:

PurposeLegal Basis
Providing the Service and your accountPerformance of a contract (Art. 6(1)(b))
Processing paymentsPerformance of a contract (Art. 6(1)(b))
AI content generation and personalisationConsent (Art. 6(1)(a)) / Legitimate interest (Art. 6(1)(f))
Analytics and service improvementLegitimate interest (Art. 6(1)(f))
Marketing communicationsConsent (Art. 6(1)(a))
Fraud prevention and securityLegitimate interest (Art. 6(1)(f))
Legal and regulatory complianceLegal obligation (Art. 6(1)(c))
Non-essential cookies (analytics, marketing)Consent (Art. 6(1)(a))

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Generate and personalise AI-powered content on your behalf
  • Process transactions and send related information
  • Send you technical notices, updates, and support messages
  • Respond to your comments, questions, and customer service requests
  • Monitor and analyse trends, usage, and activities
  • Detect, investigate, and prevent fraudulent or unauthorised activity
  • Comply with legal obligations

5. Personally Identifiable Information (PII)

5.1 What We Collect

  • Identifiers: name, email address, IP address, social media handles
  • Account credentials: hashed password, OAuth tokens (encrypted at rest)
  • Payment data: processed by Stripe — we do not store card numbers
  • Content data: text, images, and media you provide for content generation
  • AI interaction data: prompts, generated outputs, feedback on suggestions

5.2 Why We Collect It

Each category of PII is collected for a specific purpose tied to delivering the Service, and is limited to what is strictly necessary for that purpose (data minimisation principle, Art. 5(1)(c) GDPR).

6. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • Service providers: Third parties that perform services on our behalf (hosting, analytics, payment processing)
  • Connected platforms: When you authorise us to publish content to your social media accounts
  • Legal requirements: When required by law, regulation, or legal process
  • Business transfers: In connection with a merger, acquisition, or sale of assets
  • With your consent: When you have given us explicit permission

7. Sub-Processors

We engage the following sub-processors to deliver the Service. Each is bound by a Data Processing Agreement (DPA) and processes data only for the stated purpose. We will notify customers of any material changes to this list — adding, replacing, or removing a sub-processor that processes personal data — at least 14 days in advance by email, giving you a window to object on reasonable data-protection grounds before the change takes effect.

Sub-ProcessorPurposeLocation
Hetzner Online GmbHHosting, compute and databaseGermany (EU)
Stripe, Inc.Payment processingUS (UK/EU SCCs)
Brevo SASTransactional and marketing email deliveryFrance (EU)
Google LLCOAuth sign-in, analyticsUS (UK/EU SCCs)
OpenAI, Inc.AI content generation and visibility scans (when configured)US (UK/EU SCCs / DPA)
Anthropic, PBCAI content generation and visibility scans (when configured)US (UK/EU SCCs / DPA)
Perplexity AI, Inc.AI search and visibility scans (when configured)US (UK/EU SCCs / DPA)
Other AI model providersAI content generation, brand-visibility scanning and ancillary inference. The exact upstream provider for any given inference is an internal implementation detail and may change.Multiple regions, including jurisdictions outside the UK / EEA. Current list available on request to privacy@vyrable.ai within 5 working days.

8. International Data Transfers

Vyrable processes personal data and content globally. Storage and compute happen in the United Kingdom, the European Economic Area, and the United States, and the sub-processors that deliver the Service may operate from any region they serve — including but not limited to North America, the EU, the UK, and Asia-Pacific. We do not promise any particular region of processing for any particular piece of data, because the Service depends on routing requests to the infrastructure that can serve them.

For every transfer of personal data outside the UK / EEA, we rely on one or more of the following safeguards:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
  • Adequacy decisions by the UK Secretary of State or the European Commission
  • Binding Corporate Rules where applicable
  • Equivalent transfer mechanisms recognised by other applicable data-protection regimes (CCPA / CPRA, LGPD, PIPEDA, Australian Privacy Act, and similar)

You may request a copy of the relevant safeguards or the current sub-processor list by contacting us at privacy@vyrable.ai.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. This includes encryption in transit (TLS 1.2+) and at rest (AES-256), regular security assessments, and role-based access controls.

10. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

Data CategoryRetention Period
Account dataDuration of account + 30 days after deletion request
Generated contentDuration of account (deleted on account closure)
Payment records7 years (legal/tax obligation)
Server logs90 days
Analytics data26 months (anonymised after)
Support tickets3 years after resolution
Cookie consent records3 years (proof of consent)
AI interaction logs12 months (then anonymised)

11. Your Rights Globally

We extend the following rights to every Vyrable user, regardless of location. These mirror the most rights-rich frameworks we operate under (UK GDPR / EU GDPR), and we honour equivalent rights granted by your local law where they go further.

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure / deletion: Request deletion of your personal data ("right to be forgotten" under GDPR; "right to delete" under CCPA/CPRA).
  • Restriction of processing: Request that we limit how we use your data.
  • Data portability: Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Objection: Object to processing based on legitimate interests, including profiling and AI-driven content suggestions.
  • Withdraw consent: Where processing is consent-based, withdraw at any time without affecting the lawfulness of prior processing.
  • Opt-out of "sale" or "sharing" of personal information: We do not sell or share personal information for cross-context behavioural advertising under CCPA/CPRA — but you may submit a verifiable opt-out request anyway and we will record it.
  • Non-discrimination: We will not deny you service, charge you a different price, or provide a different level of service for exercising any of these rights.
  • Lodge a complaint: You may complain to a supervisory authority — the UK Information Commissioner's Office (ico.org.uk), an EU member-state authority, the California Privacy Protection Agency (cppa.ca.gov), Brazil's ANPD, Canada's Office of the Privacy Commissioner, the Office of the Australian Information Commissioner (OAIC), or your equivalent local regulator.

To exercise any of these rights, contact us at privacy@vyrable.ai or use the in-app data-export and account-deletion controls. We will respond within 30 days (45 days for CCPA/CPRA verifiable consumer requests, with one 45-day extension where strictly necessary). We will never charge you a fee unless your request is manifestly unfounded or excessive.

12. Region-specific Notes

These add to — never reduce — the global baseline above.

UK & EU (UK GDPR / EU GDPR)

We act as data controller; sub-processors are bound by Standard Contractual Clauses (SCCs) where data leaves the UK/EEA. Our DPO is reachable at dpo@vyrable.ai. Breach notifications fire within 72 hours to the ICO and without undue delay to affected users where required.

California (CCPA / CPRA)

In the last 12 months we collected the categories of personal information described in §2 (identifiers, internet activity, professional content, inference data from AI scoring). We do not sell or share personal information. To submit a verifiable consumer request, email privacy@vyrable.aiwith "CCPA Request" in the subject. Authorised agents may submit requests on your behalf with written permission.

Brazil (LGPD)

We process personal data on the legal bases listed in §3, mapped to LGPD Art. 7 equivalents. Our representative for LGPD inquiries is reachable at the same DPO address; we will respond in Portuguese on request.

Canada (PIPEDA)

Cross-border transfer disclosure: personal data may be processed by sub-processors outside Canada (UK, EEA, US). Complaints can be made to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Australia (Privacy Act 1988)

We comply with the 13 Australian Privacy Principles (APPs). Complaints can be lodged with the OAIC at oaic.gov.au.

Other regions

We extend the global baseline rights in §11 to users worldwide. Where your local data protection law grants additional rights (e.g. South Korea PIPA, Singapore PDPA, India DPDP, South Africa POPIA, UAE PDPL, Switzerland nFADP), we honour them on request. Contact us at privacy@vyrable.ai.

12b. Our Compliance Programme

Vyrable runs a global privacy programme rather than separate region-only ones:

  • Single Record of Processing Activities (ROPA) covering every region we serve
  • Data Protection Impact Assessments (DPIAs) for high-risk processing, including AI-powered content generation
  • Privacy by design and by default in all new features
  • Staff training on global data-protection obligations (UK/EU GDPR, CCPA/CPRA, LGPD, PIPEDA, Privacy Act)
  • A named Data Protection Officer plus regional contact points where required
  • Data Processing Agreements with all sub-processors, with SCCs for cross-border transfers
  • 72-hour breach notification to relevant supervisory authorities; user-direct notifications without undue delay where required

13. Data Protection Officer

Our Data Protection Officer can be contacted for any questions or requests relating to data protection:

Email: dpo@vyrable.ai
Postal: Data Protection Officer, Vyrable, United Kingdom

14. Cookies

We use cookies and similar technologies to enhance your experience, analyse usage patterns, and deliver personalised content. Non-essential cookies are only set after you provide consent via our cookie banner.

What we don't use: Vyrable does not use advertising cookies, retargeting pixels, or cross-site tracking technologies of any kind. We do not sell or share personal data for cross-context behavioural advertising. Analytics cookies require explicit consent and are off by default.

14.1 Cookie Categories

CategoryPurposeConsent RequiredExamples
FunctionalEssential for the site to operate. Includes authentication, session management, security tokens, and cookie consent preferences.No (always active)next-auth.session-token, vyrable_consent, csrf-token
AnalyticsHelp us understand how visitors interact with the site so we can improve features and performance. Data is aggregated and anonymised where possible.YesGoogle Analytics (_ga, _gid), Vercel Analytics
MarketingUsed to deliver relevant advertisements, track campaign effectiveness, and build audience segments. May be shared with advertising partners.YesMeta Pixel (_fbp), Google Ads (IDE, NID), LinkedIn Insight Tag

You can change your cookie preferences at any time using the cookie banner at the bottom of the page or by visiting our Cookie Policy.

15. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal data from a child under 16, we will take steps to delete it promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and — where appropriate — sending you an email notification.

17. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

General: privacy@vyrable.ai
Data Protection Officer: dpo@vyrable.ai
Website: vyrable.ai