Skip to content
Back to Home

Privacy Policy

Your data belongs to you. Lyfos is a paid product — we have no incentive to sell your information. This policy explains exactly what we collect, why, and what you can do about it.

Version 1.0 Last updated: 2026-06-02Operated by Cognileap Eduventures LLP (LLPIN ACC-7280)

1. What We Collect

1.1 Account Data

When you create an account we collect your full name, email address, and a bcrypt password hash (never plaintext). We also store any optional profile details you choose to provide: display name, avatar URL, and timezone.

1.2 Integration Data

When you voluntarily connect a third-party service (Slack, GitHub, Strava, Linear, Jira, Notion) we store an OAuth access token and refresh token for that service. These tokens are used only to perform sphere-assignment operations on your behalf — for example, silencing Slack notifications during Personal Sphere hours. You can revoke any integration at any time from Settings → Integrations.

1.3 Payment Data (when subscription active)

Billing is processed by Razorpay. When you hold an active paid subscription we store your Razorpay customer ID, subscription ID, plan tier, and subscription status. We do not store full card numbers, CVV, or bank account details — those are held exclusively by Razorpay under their PCI-DSS compliance program. If you are on the free beta tier, no payment data is stored.

1.4 Telemetry and Error Logs

We collect anonymised usage events (feature interactions, page views) and crash/error reports via Sentry. These are used solely to fix bugs and improve reliability. Telemetry does not include the content of your tasks, notes, or AI coach conversations.

1.5 AI Coach Conversations

If you use the AI coach, your conversation turns are processed by our backend and forwarded to our LLM provider to generate a response. We retain conversation history to provide continuity across sessions. You can delete your conversation history at any time from Settings → AI Coach.

2. Legal Basis for Processing

We process personal data only where we have a legal basis to do so. The table below lists each processing activity and its basis under Indian law (DPDPA 2023) and EU/UK law (GDPR Art. 6).

Processing ActivityIndia (DPDPA 2023)EEA / UK (GDPR Art. 6)
Account creation & authenticationConsent (§ 5) + Contract (§ 7)Art. 6(1)(b) — contract
Integration OAuth tokensConsent (§ 5)Art. 6(1)(a) — consent
Payment processingContract (§ 7)Art. 6(1)(b) — contract
Error monitoring / telemetryLegitimate interest (§ 7(i))Art. 6(1)(f) — legitimate interest
AI coach conversationsConsent (§ 5)Art. 6(1)(a) — consent

We do not rely on legitimate interests for any processing that involves sensitive personal data as defined under the Digital Personal Data Protection Act 2023.

3. Data Retention

Data TypeRetention Period
Active account dataUntil you request deletion
Deleted account dataPurged within 30 days of deletion request
Payment records (Razorpay)7 years (statutory requirement)
Error logs (Sentry)90 days, then auto-purged
OAuth integration tokensUntil you disconnect, or account deletion
AI coach historyUntil you clear it, or account deletion

Account deletion is available at Settings → Account → Delete Account. Our deletion job runs daily and purges all personal data within 30 days of your request, compliant with DPDPA 2023 § 11 and GDPR Art. 17 (right to erasure).

4. Third-Party Processors

We share data only with the processors listed below, strictly for the stated purpose. We do not sell your data to any third party, ever.

ProcessorPurposeData SharedRegion
RenderBackend API hostingAll backend data in transit / at restUS (Oregon)
VercelWeb frontend hostingRequest logs, IP addressesUS / Edge
ResendTransactional email (verification, password reset)Email address, nameUS
SentryError monitoringError stack traces, anonymised session contextUS
RazorpayPayment processing (when subscription active)Name, email, billing amountIndia
SlackIntegration — only if you connect SlackOAuth tokens scoped to notification mgmtUS
GitHubIntegration — only if you connect GitHubOAuth tokens scoped to issue/PR dataUS
StravaIntegration — only if you connect StravaOAuth tokens scoped to activity dataUS
LinearIntegration — only if you connect LinearOAuth tokens scoped to issue dataUS
JiraIntegration — only if you connect JiraOAuth tokens scoped to issue dataUS
NotionIntegration — only if you connect NotionOAuth tokens scoped to page dataUS

All processors are bound by a Data Processing Agreement and are required to handle your data in accordance with applicable privacy law. Integration providers receive data only if you explicitly connect that service.

5. Your Rights

You have the following rights regardless of where you are located. We do not require you to give a reason for exercising any of them.

  • AccessRequest a copy of all personal data we hold about you. We will respond within 30 days.
  • DeletionDelete your account and all associated personal data via Settings → Account → Delete Account, or by emailing privacy@lyfos.ai. Deletion is unconditionally free.
  • PortabilityExport your data in machine-readable JSON format via Settings → Account → Export Data. This is always free, regardless of plan tier, as required by DPDPA 2023 § 11, GDPR Art. 20, and CCPA.
  • CorrectionUpdate your profile information at any time in Settings → Profile.
  • Withdrawal of ConsentDisconnect any integration at any time from Settings → Integrations. This immediately withdraws consent for that integration's data processing and we will delete the associated OAuth tokens.
  • Restrict ProcessingContact privacy@lyfos.ai to request restriction of processing while a dispute is being resolved.

6. Contact

Data Protection Officer

For privacy requests, data subject rights inquiries, and policy questions.

privacy@lyfos.ai

India Grievance Officer

Per IT Act 2000 § 5(9) and IT Rules 2011 Rule 5(9):

Name: Nidish Ramakrishnan

Designation: Founder & Grievance Officer

grievance@lyfos.ai

Response SLA: 30 days from receipt of complaint, as required under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Cognileap Eduventures LLP, LLPIN ACC-7280, Bangalore, Karnataka, India

7. Changes to This Policy

We will post a notice on the Lyfos website at least 14 days before any material change to this policy takes effect. For changes required by law we may apply them immediately. Continued use of the service after the effective date constitutes acceptance of the updated policy.

The canonical version of this policy is always available at https://www.lyfos.ai/privacy.

8. Cookies & Local Storage

Lyfos uses browser localStorage (not traditional HTTP cookies) to remember your preferences and, with your consent, to enable session replay for bug fixing. No data is shared with ad networks. We do not use tracking pixels or third-party advertising cookies.

CategoryWhat it storesDefaultCan opt out?
Strictly NecessaryAuth token, session ID, CSRF stateAlways onNo — required for login
AnalyticsSentry session-replay (masked, no PII)OffYes — banner or privacy settings
FunctionalSphere preferences, sidebar state, themeOffYes — banner or privacy settings

You can change your cookie preferences at any time. A banner appears on first visit and defaults to deny non-essential. Accepting “Analytics” enables Sentry session replay with all text masked and media blocked — it is used only to reproduce and fix bugs, never for ad targeting.

Privacy Policy v1.0 · Last updated 2026-06-02

Operated by Cognileap Eduventures LLP · LLPIN ACC-7280 · Bangalore, India