Lyren Privacy Policy

1. Key Concepts

• API authentication: developer API requests are authenticated using x-api-key.
• User-scoped features: Memory, Knowledge Base, Workflows, Scheduler, Calendar, Connectors, and Business features may use a customer-provided identifier such as x-user-id. Lyren does not create or verify real-world end-user identities.
• Customer responsibility: if you send your end-users’ content to Lyren, you are responsible for providing appropriate notices and obtaining any required permissions or consents.
• Private API keys: customers are responsible for keeping API keys private and should not expose API keys in frontend browser code, public repositories, client-side applications, or shared screenshots.

2. Information We Collect

• Account data: name, email, authentication metadata, selected plan, account status, dashboard settings, and basic account information.
• API key and access metadata: API key metadata, key status, creation and regeneration events, usage associated with API keys, and security events related to access.
• API usage and logs: request timestamps, endpoints, status codes, latency, rate-limit events, daily-cap events, monthly quota events, error logs, and request metadata needed to operate and secure the Service.
• Chat content: prompts, messages, and context sent to Chat endpoints such as /v1/chat/completions.
• Tools inputs and outputs: content submitted to summarize, translate, rewrite, extract, fetch, and fetch-and-summarize endpoints.
• Memory content: Memory items, task memory, tags, categories, project labels, importance values, and related metadata explicitly saved through Memory endpoints such as /v1/memory/save.
• Knowledge Base uploads: files, extracted text, chunks, source names, document identifiers, and related metadata submitted through Knowledge Base features such as /v1/knowledge/upload and queried through features such as /v1/knowledge/ask.
• Workflow data: workflow names, saved workflow definitions, step configuration, and related metadata submitted through routes such as /v1/workflows/save.
• Scheduler data: scheduled job details, run times, job types, webhook URLs, reminder or follow-up payloads, optional email job payloads, job status, and execution metadata submitted through routes such as /v1/schedule/create.
• Calendar-related data: when Calendar features are enabled, customers may submit booking details, event titles, start and end times, time zones, attendee names or emails, availability requests, webhook URLs, and related scheduling metadata.
• Connector configuration: source configuration data such as sitemap URLs, RSS URLs, URL lists, webhook configuration, connector names, connector kinds, and related metadata submitted for connector features.
• Business endpoint inputs: data submitted to business endpoints, such as lead scoring inputs, churn risk signals, revenue leak events, usage trends, billing event summaries, and related business metadata.
• Customer-provided identifiers: values such as x-user-id used to scope data to a user within the customer’s own application. These identifiers are provided by customers; Lyren does not generate or verify them.
• Billing data: if you subscribe to a paid plan, payments are processed by Stripe, Inc.. We may receive subscription status, plan information, invoice identifiers, payment identifiers, customer IDs, and billing-related metadata needed for accounting, support, subscription management, and fraud prevention. We do not store full payment card numbers. Card details are collected and processed by Stripe.
• Security data: IP address, user-agent, login activity, suspicious activity signals, abuse-prevention data, and incident-response records used to protect the platform.

3. How We Use Information

• Provide the Service: process API requests for Chat, Tools, Memory, Knowledge Base, Workflows, Scheduler, Calendar-ready flows, Connectors, and Business insights.
• Authenticate and authorize: validate x-api-key, verify account status, enforce plan access, apply rate limits, apply daily caps, and apply monthly quotas.
• Scope customer data: isolate user-scoped data by customer-provided x-user-id where user-scoped features are used.
• Operate developer features: support dashboard access, API key generation or regeneration, billing checkout, subscription management, documentation access, and support workflows.
• Reliability and performance: monitor uptime, debug errors, measure latency, identify failures, and improve stability.
• Security: detect abuse, investigate suspicious activity, prevent fraud, protect API keys, and respond to security incidents.
• Billing and support: manage subscriptions, reconcile invoices, provide support, respond to privacy requests, and communicate important service updates.
• Legal compliance: comply with applicable law, enforce agreements, resolve disputes, and protect rights, safety, and security.

4. User-Scoped Data: Memory, Knowledge, Workflows, Scheduler, Calendar, Connectors, and Business

Several Lyren API features are designed to be user-scoped. Customers provide a stable identifier such as x-user-id, and Lyren stores or retrieves data within that customer-provided scope.

• Memory: items saved via /v1/memory/save are associated with the provided x-user-id and related metadata where applicable.
• Knowledge Base: files uploaded via /v1/knowledge/upload and questions submitted through /v1/knowledge/ask may be associated with the provided x-user-id.
• Workflows: saved workflow definitions may be associated with the customer’s API key and user scope.
• Scheduler: scheduled jobs, reminders, follow-ups, webhook payloads, and optional email jobs may be associated with the customer’s API key and user scope.
• Calendar-ready flows: booking and availability-related data may be associated with the provided x-user-id when calendar features are enabled.
• Connectors: connector configurations may be associated with the customer’s API key and user scope.
• Business insights: submitted lead, churn, revenue, usage, or billing signals may be associated with the customer’s API key and user scope.

Important: customers supply user identifiers. Lyren does not verify the real-world identity behind a given x-user-id. Customers are responsible for ensuring they have the rights to store and process any end-user content or business data they send to the Service.

5. How We Share Information

We do not sell personal data. We may share limited information only as needed to operate, secure, support, and improve the Service, including with:

• Service providers: hosting, infrastructure, logging, monitoring, email delivery, analytics, security, and payment processing providers, including Stripe for billing.
• Legal and safety: when required by law, subpoena, legal process, or to protect the rights, safety, and security of Lyren, customers, end users, or the public.
• Business operations: in connection with audits, compliance, accounting, corporate transactions, or service continuity, subject to appropriate safeguards.

6. Data Retention

We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, prevent abuse, and support customer requests. Retention depends on the type of data:

• Account data: retained while the account is active and for a reasonable period afterward as needed for legal, billing, security, and support purposes.
• Operational logs: retained for a limited period for reliability, debugging, abuse prevention, security, and compliance purposes.
• Memory content: retained to provide user-scoped retrieval until deleted where deletion controls are available, account closure, or another applicable retention event.
• Knowledge Base content: uploaded documents, extracted text, and chunks may be retained to provide document retrieval until deleted where deletion controls are available, account closure, or another applicable retention event.
• Workflow, Scheduler, Calendar, Connector, and Business data: retained as needed to provide those features, operate scheduled jobs, maintain configuration, support dashboards, and resolve support requests.
• Billing records: retained as required for accounting, tax, legal compliance, invoice history, dispute resolution, and subscription management.

7. Security

We use reasonable safeguards such as access controls, monitoring, API key verification, security logging, and encryption in transit where appropriate. We also use plan enforcement, rate limits, daily caps, and quota controls to help protect the Service from abuse.

• Keep API keys private and do not expose them in browser JavaScript, mobile apps, public repositories, or public screenshots.
• Use your backend server to call Lyren API instead of calling Lyren directly from frontend client code.
• Avoid sending highly sensitive secrets, such as raw private keys, passwords, or payment card data, in prompts, payloads, or files.
• Use appropriate access controls in your own application before sending end-user content to Lyren.

No system is 100 percent secure, and we cannot guarantee absolute security.

8. Customer Responsibilities

• End-user notices: customers are responsible for telling their end users when data is sent to Lyren and for obtaining any required permissions or consents.
• Data accuracy: customers are responsible for the accuracy, legality, and appropriateness of the data they submit to Lyren.
• API key handling: customers are responsible for keeping API keys confidential and rotating keys when needed.
• User identifiers: customers are responsible for choosing stable and appropriate x-user-id values and for avoiding identifiers they do not want stored or logged.
• Regulated data: customers should avoid sending sensitive regulated data unless they have confirmed that their intended use is appropriate for Lyren and permitted under their own legal obligations.

9. Your Choices and Requests

• Account: you can request access, correction, updates, or deletion of your account information.
• API keys: you can regenerate API keys from the dashboard where available.
• Memory: you can request deletion of stored Memory items, and where available, use product or API controls.
• Knowledge Base: you can request deletion of uploaded documents or document-derived content, and where available, use product or API controls.
• Workflows, Scheduler, Calendar, Connectors, and Business data: you can request support for deletion or account-level cleanup where applicable.
• Billing: you can request billing support for subscription questions, invoices, and account status.
• Privacy support: contact us for privacy-related requests using the email below.

10. Children

Lyren API is intended for developers, businesses, and professional users. It is not directed to children. Customers should not knowingly send children’s personal information to Lyren without appropriate legal authority, consent, and safeguards.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we may update the “Last updated” date above. Continued use of the Service after an update means the updated Privacy Policy applies.

12. Contact

Privacy questions or requests: lyrenapi@gmail.com