Privacy Policy

This Privacy Policy describes how Lyten Agency, in its capacity as data controller, collects, uses, retains and protects the personal data of Users of the Carousels Generator service, in accordance with Regulation (EU) 2016/679 (GDPR), the French Data Protection Act of 6 January 1978 as amended, and the ePrivacy Directive. It complements the Terms of Service and the Terms of Sale.

1. Data Controller

Company: Lyten Agency (SAS)

Address: 200 RUE DE LA CROIX NIVERT, 75015 PARIS

Contact: contact@lyten.agency

Data Protection Officer: The Publisher has not appointed a Data Protection Officer (DPO) within the meaning of article 37 GDPR, not being required to do so. Any request relating to data protection may be sent to contact@lyten.agency.

2. Categories of Data Collected

We collect and process the following categories of data:

  • Identification data: first name, last name, email address, password (in derived and hashed form, PBKDF2-SHA256), profile picture where applicable.
  • Professional data (optional): Organization name and size, role, industry, VAT number for Professional Customers.
  • Connection and technical data: IP address, session identifier, User-Agent, country of connection, date and time of connections, security logs.
  • Usage data: created carousels and brand kits, prompts submitted to the AI, AI conversations, edit history, interface preferences, locale, achievements, onboarding status.
  • Linked accounts data: OAuth tokens (LinkedIn, Google, X, Threads, Instagram), remote user identifiers, remote profile picture, granted publishing permissions.
  • Payment data: Lemon Squeezy customer ID, subscription ID, amount, currency, status, payment method type, last four digits of the card (full banking data is stored only by Lemon Squeezy).
  • Support data: messages sent through the contact form or by email, user feedback, screenshots provided with reports, satisfaction ratings.
  • Analytical and behavioral data: product events (PostHog), traces and errors (Sentry), anonymized session replays (10% of traffic, Sentry), email open and click tracking (Mailpulse).
  • Referral and affiliate data: referral code, affiliate identifier, UTM parameters (source, medium, campaign) captured via cookie.

3. Purposes of Processing

Your data is used for the following purposes:

  • Account creation, authentication and management of Accounts and Organizations;
  • Provision of the Service features (AI generation, editing, brand kits, exports, publishing);
  • Billing, subscription management, payment fraud prevention;
  • User support, complaint and incident management;
  • Sending operational communications (security, updates, transactions) and, on the basis of consent, targeted marketing communications;
  • Operation of the referral program, the affiliate program and promotional campaigns;
  • Statistical measurement, performance analysis and Service improvement (PostHog, Sentry);
  • Service security, prevention and detection of abusive uses (rate limiting, fraud detection, AI moderation);
  • Compliance with legal and accounting obligations (in particular retention of invoices for 10 years pursuant to articles L.123-22 et seq. of the French Commercial Code).

4. Legal Bases (article 6 GDPR)

Each processing operation relies on an appropriate legal basis:

  • Performance of a contract (art. 6.1.b): Account creation and management, provision of the Service, billing, support.
  • Legitimate interest (art. 6.1.f): Service security, fraud prevention, audience measurement for improvement, operational communications.
  • Consent (art. 6.1.a): marketing communications, non-essential cookies, analytical trackers requiring consent.
  • Legal obligation (art. 6.1.c): retention of invoices, fight against fraud, response to judicial requisitions.
  • Vital interests or public interest: not applicable to our Service.

5. Subprocessors and Technical Partners

The Publisher relies on the subprocessors listed below, in strict compliance with GDPR and Standard Contractual Clauses where transfers outside the European Union take place. This list is synchronized with the integrations actually active in the Service. Where an integration is disabled by default or progressively rolled out, the corresponding subprocessor is not displayed until it is actually used:

  • Cloudflare, Inc. (United States, EU infrastructure): application hosting (Workers), database (D1), storage (R2), cache (KV), CDN proxy. Data: all data processed by the Service.
  • Google LLC (United States): Gemini generative AI engines (text, image, brand kit), Google OAuth authentication, web fonts (Google Fonts), performance audits (PageSpeed). Data: user prompts, carousel content, brand kits, Google identifiers. Transfers outside the EU framed by Standard Contractual Clauses and the Data Privacy Framework.
  • Lemon Squeezy LLC (United States): payment processing as Merchant of Record, invoicing, subscription management, affiliate program. Data: identity, billing address, email, payment data (stored only at Lemon Squeezy).
  • Tavily, Inc. (United States): web search engine for the online research feature integrated into AI generation. Data: user queries, URLs shared in prompts. Activated only for paid plans where web search is enabled.
  • LinkedIn (Microsoft Ireland Operations Limited): direct publishing on LinkedIn via OAuth. Data: access token, LinkedIn ID, published content.
  • X Corp. (United States): publishing threads on X (Twitter) via OAuth, when this integration is enabled by the User. Data: access tokens, remote identifier, published content.
  • ElevenLabs Inc. (United States): voice synthesis for the video export features of paid plans. Data: text of the slides to be voiced.
  • Resend, Inc. (United States): transactional and marketing email delivery service. Data: email address, content of emails, deliverability events.
  • PostHog Ltd. (EU region - eu.i.posthog.com): product analytics and experimentation. Data: pseudonymized identifier, email (linked to Accounts), product events, UTM properties.
  • Sentry GmbH (Germany - ingest.de.sentry.io): technical monitoring, error tracking, traces and anonymized session replays (10%). Data: stack traces, technical identifiers, partial UI captures.
  • Mailpulse (internal Lyten Agency service): email deliverability and engagement tracking (open pixel, redirect links). Data: email address, subject, engagement events.
  • LaunchDarkly, Inc. (United States): client-side feature flag management, used in particular to roll out the Threads and Instagram integrations. Data: client SDK identifier, technical attributes.
  • Discord, Inc. (United States): internal notifications (webhooks) sent to Lyten Agency teams on key events (signup, report, payment). No data is exposed publicly.

We never sell your data to third parties, and we do not use it for behavioral targeted advertising.

6. International Data Transfers

Some of our subprocessors are located outside the European Union, in particular in the United States. Such transfers are framed by Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), by adherence to the Data Privacy Framework where applicable, and by additional technical and organizational measures (encryption, access control, logging). A copy of the applicable safeguards may be obtained on request at contact@lyten.agency.

7. Storage and Retention Periods

Your data is mainly hosted in Europe (Cloudflare network with European infrastructure for the D1 database and the Publisher's R2 storage).

Data type | Retention period
Active Account and related Content | For as long as the Account is in use
Inactive Account (no login) | 3 years from last login, then deletion or anonymization
Billing and accounting data | 10 years (article L.123-22 of the French Commercial Code)
Sessions and connection logs | 13 months maximum
Non-essential cookies | 13 months maximum
Support tickets and inbound emails | 3 years from the last exchange

8. Cookies and Trackers

The Service uses the following categories of cookies and trackers:

  • Strictly necessary cookies: authentication (better-auth.session_token), OAuth CSRF. No consent required.
  • Functional cookies: language storage, interface preferences.
  • Audience measurement cookies: PostHog (anonymized, EU hosting), Sentry (technical monitoring). Subject to prior consent.
  • Marketing and attribution cookies: referral_code, cg_attribution (UTM first-touch), lmsq_aff_id (Lemon Squeezy affiliation). Subject to prior consent.
  • Email tracking pixel (Mailpulse): email opens and clicks. May be disabled via the unsubscribe link present in every marketing email.

The User may accept, refuse or customize the placement of non-essential cookies through the cookie management banner displayed on first visit, and may modify their choice at any time via the Cookies page accessible from the footer.

9. Your Rights

In accordance with articles 15 to 22 GDPR, you benefit from the following rights:

  • Right of access: obtain a copy of personal data concerning you.
  • Right of rectification: request the correction of inaccurate or incomplete data.
  • Right to erasure: request the deletion of your data, subject to legal retention obligations (in particular invoices).
  • Right to restriction: request the temporary restriction of a contested processing operation.
  • Right to object: object to processing based on legitimate interest, or to direct marketing.
  • Right to data portability: receive your data in a structured, commonly used and machine-readable format, or request its direct transfer to another controller where technically possible.
  • Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.
  • Post-mortem directives: in accordance with article 85 of the French Data Protection Act, you may set instructions regarding the fate of your data after your death.

To exercise these rights, please send your request to contact@lyten.agency. A copy of your ID may be requested in case of reasonable doubt as to your identity. We will respond within one (1) month, extendable by two (2) months for complex requests.

10. Security

The Publisher implements appropriate technical and organizational measures to ensure data security, confidentiality and integrity:

  • TLS/SSL encryption of communications (HTTPS);
  • Password hashing using PBKDF2-SHA256 with 100,000 iterations and a 16-byte random salt;
  • Authentication managed by Better Auth, sessions limited to 7 days and revocable;
  • European hosting on Cloudflare (D1, R2, KV, Workers);
  • Least-privilege policy: access to data restricted to those whose duties require it;
  • Logging of sensitive operations (audit logs, AiCostLog);
  • Regular backups and continuity plans;
  • AI safety filters and rate limiting on critical endpoints.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of Users, the Publisher will notify the CNIL within 72 hours and, where appropriate, the affected Users without undue delay.

11. Minors

The Service is not intended for persons under the age of 16. For minors aged 16 to 18, parental consent may be required depending on the nature of the processing. If we learn that a minor has provided data without authorization, we will delete the relevant Account as soon as possible.

12. Complaint to the CNIL

If you consider that the processing of your data does not comply with applicable rules, you have the right to lodge a complaint with the French data protection authority (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, or online at www.cnil.fr.

13. Modifications to this Policy

The Publisher reserves the right to modify this Privacy Policy to reflect changes in features, subprocessors or applicable regulations. Any material modification is notified to Users by email or through an in-Service message at least fifteen (15) days before its entry into force. The date of last update is shown at the bottom of the page.

Last update: April 2026
