Privacy Policy

Vyrlo ("we", "us", or "our") is based in California, United States and operates the Vyrlo platform — an AI-powered customer service agent service for businesses. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have over it.

This policy applies to: (1) business clients who create a Vyrlo account ("Clients"), and (2) end-users who interact with an AI agent deployed by a Client on their website ("End-users"). These are different relationships and we handle data differently for each.

By using the Service you agree to the practices described in this policy. If you do not agree, please discontinue use of the Service.

---

1. Information we collect

From Clients (business account holders)

When you register and use Vyrlo as a business, we collect:

• Account information: Business name, website URL, support email address, and phone number
• Authentication data: Email address and hashed password (we never store passwords in plain text)
• Payment information: Billing is processed by Stripe. We receive and store only a Stripe customer ID and subscription ID — we never see or store your full card number, CVV, or billing address
• Website content: We scrape publicly accessible pages on your business website to build your Agent's knowledge base. This content is stored on our servers and used exclusively to power your Agent
• Usage data: Conversation volume, scrape activity, feature usage, CSAT ratings, and analytics to operate the Service and generate your dashboard statistics
• Communications: Any messages you send us via email or our contact form

From End-users (your customers chatting with your Agent)

When a visitor uses an AI agent powered by Vyrlo on your website, we collect:

• Conversation messages: The full text of messages exchanged between the end-user and the Agent during a session
• Session metadata: An anonymous session ID, message count, whether the conversation was escalated to a human, and any CSAT rating provided
• Technical data: IP address (used for rate limiting only, not stored long-term), browser type and version

We do not collect names, email addresses, or any other identifying information from end-users unless they voluntarily provide it in the chat. End-users interact anonymously by default.

Automatically collected data

When you use the Vyrlo platform we automatically collect standard server log data including IP addresses, browser type, pages visited, and timestamps. This data is used for security, debugging, and service improvement and is not sold or used for advertising.

2. How we use your information

Purpose	Data used	Legal basis
Providing the Service — running your AI agent, processing chats, managing your account	All account and conversation data	Contract performance
Payment processing and billing	Stripe customer ID, subscription status	Contract performance
Sending transactional emails (verification, billing, alerts)	Email address	Contract performance
Improving AI accuracy and platform performance	Anonymised conversation patterns	Legitimate interest
Security, fraud prevention, and rate limiting	IP address, usage patterns	Legitimate interest
Responding to support requests	Communications data	Legitimate interest
Legal compliance	As required by law	Legal obligation

We do not use your data for advertising, and we do not sell your personal information to any third party.

3. Third-party service providers

We share data with the following third-party providers solely to operate the Service. All providers are contractually bound to handle data securely and only for the purposes we specify:

• Anthropic (Privacy Policy) — AI model provider. Chat messages and knowledge base content are sent to Anthropic's API to generate Agent responses. Anthropic does not use this data to train their models under our API agreement, as of the effective date of this policy. We will update this policy if Anthropic's data practices change.
• Stripe (Privacy Policy) — Payment processing and, where applicable, tax calculation and collection. Handles all card data. We receive only tokenised payment references. Stripe may collect additional information required for tax compliance in your jurisdiction.
• Firecrawl — Website scraping service used to extract content from your business website to build your knowledge base.
• Resend — Transactional email delivery (account verification, billing notifications, escalation alerts).
• Railway — Cloud infrastructure hosting. Your data is stored on Railway's servers in the United States.
• Cloudflare (Privacy Policy) — DDoS protection, DNS, and CDN services. All traffic to vyrlo.ai is routed through Cloudflare's network, which processes IP addresses and request metadata for security purposes.

We do not share your data with any advertising networks, data brokers, or analytics platforms.

4. Business transfers

If Vyrlo is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website of any such change in ownership or use of your personal information, and any choices you may have regarding your personal information, before it is transferred and becomes subject to a different privacy policy.

5. Conversation data and transcripts

Vyrlo logs the full text of conversations between end-users and your Agent. As a Client, you can view these conversation transcripts in your dashboard. This data is used to:

• Power your conversation history dashboard
• Send escalation transcripts to your support email when a customer requests a human
• Calculate analytics (message volume, CSAT scores, common questions)

Conversation transcripts are retained for 90 days by default and then automatically deleted. You may request earlier deletion by contacting us.

As a Client, you are a data controller for end-user conversations that occur on your website. You are responsible for disclosing to your end-users in your own privacy policy that AI chat processing occurs and that conversations may be logged.

6. Data retention

• Account data: Retained for the life of your account plus 30 days after cancellation, then deleted
• Knowledge base content: Retained while your account is active and deleted within 30 days of account termination
• Conversation transcripts: 90 days from the date of the conversation
• Payment records: Retained for 7 years as required by tax and financial regulations
• Analytics data (conversation counts, CSAT scores, question trends): Retained for the life of your account plus 30 days after cancellation, then deleted
• Server logs: 30 days

7. Data security

We implement industry-standard security measures to protect your data, including:

• Encrypted connections (HTTPS/TLS) for all data in transit
• Passwords hashed using industry-standard cryptographic hashing (scrypt) — never stored in plain text
• Database access restricted by authentication and network controls
• Session tokens that expire and require re-authentication
• No card data stored on our servers — all payment data handled by Stripe

Despite these measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security and are not liable for breaches that result from factors outside our reasonable control. In the event of a data breach that affects your personal information, we will notify affected users without undue delay and, where required by GDPR, notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Notifications will be sent to your registered email address.

8. Cookies and browser storage

The Vyrlo platform uses browser localStorage (not cookies) to store your authentication session token. This token is required to keep you logged in and is automatically cleared when you log out.

The Vyrlo embeddable widget uses localStorage to persist your end-users' chat conversation history across page refreshes. This data is stored only in the end-user's own browser and is automatically cleared when they click "End Chat". No chat history is stored in a cookie or transmitted to third parties for tracking purposes.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies on the Vyrlo platform.

Do Not Track. Some browsers may send "Do Not Track" signals. We do not currently respond to Do Not Track signals as there is no industry-standard interpretation of these signals. We will update this policy if that changes.

9. Your rights

Depending on your location, you may have the following rights regarding your personal data:

For all users

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Portability: Request your data in a structured, machine-readable format

California residents (CCPA / CPRA)

Under the California Consumer Privacy Act and the California Privacy Rights Act, California residents have the right to: know what personal information we collect and how it is used; request a copy of your personal information; request correction of inaccurate data; request deletion of personal information; opt out of the sale or sharing of personal information for targeted advertising (we do not sell or share personal information for advertising); and not be discriminated against for exercising these rights.

To submit a CCPA request, contact us at [email protected]. We will respond within 45 days.

Identity verification: To protect your privacy and security, we will verify your identity before processing access, correction, or deletion requests. We may require you to confirm your account email address or provide other identifying information.

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We will require written proof of the agent's authorization and may verify your identity directly before processing the request.

EEA and UK residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR including the right to object to processing, the right to restrict processing, and the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are set out in Section 2 above.

Data transfers to the United States are made under Standard Contractual Clauses or other appropriate safeguards as required by GDPR.

10. Children's privacy

The Vyrlo platform is intended for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will delete it promptly.

11. International data transfers

Vyrlo is operated from California, United States. If you are accessing the Service from outside the United States, your information may be transferred to and processed in the United States, which may have different data protection laws than your country. By using the Service you consent to this transfer. We take appropriate steps to ensure your data is protected in accordance with this Privacy Policy regardless of where it is processed.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes we will notify you by email at least 14 days before they take effect. The date at the top of this page indicates when the policy was last updated. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact us

For any privacy-related questions, requests, or concerns, contact us at:

📧 [email protected]
Or use our contact form.

We aim to respond to all privacy requests within 30 days. For formal legal correspondence, contact us at the email above and we will provide a mailing address upon request.