Privacy Policy

Last updated: 26 January 2026

1. Introduction

Klyra Labs ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website klyralabs.com and use our services.

We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when you:

  • Fill out contact forms or request a demo
  • Subscribe to our newsletter
  • Communicate with us via email
  • Register for our services

This may include your name, email address, company name, job title, phone number, and any other information you choose to provide.

2.2 Automatically Collected Information

When you visit our website, we may automatically collect:

  • Device information (browser type, operating system)
  • IP address and approximate location
  • Pages visited and time spent on our website
  • Referring website addresses

3. How We Use Your Information

We use the information we collect to:

  • Respond to your enquiries and provide customer support
  • Process and fulfil service requests
  • Send you marketing communications (with your consent)
  • Improve our website and services
  • Comply with legal obligations
  • Protect against fraudulent or illegal activity

4. Legal Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

  • Consent: Where you have given clear consent for us to process your personal data for a specific purpose
  • Contract: Where processing is necessary for a contract we have with you
  • Legitimate interests: Where processing is necessary for our legitimate business interests, provided these are not overridden by your rights
  • Legal obligation: Where processing is necessary to comply with the law

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information with:

  • Service providers: Third parties who perform services on our behalf (e.g., hosting, analytics)
  • Legal requirements: When required by law or to protect our rights
  • Business transfers: In connection with a merger, acquisition, or sale of assets

All third-party service providers are required to maintain the confidentiality and security of your information.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

Contact form submissions are retained for up to 3 years unless you request earlier deletion.

7. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access: Request a copy of your personal data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data ("right to be forgotten")
  • Right to restrict processing: Request limitation of how we use your data
  • Right to data portability: Request transfer of your data to another service
  • Right to object: Object to processing based on legitimate interests or direct marketing
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us using the details below.

8. Cookies

Our website uses essential cookies to ensure proper functionality. We do not use tracking or advertising cookies without your consent.

You can control cookies through your browser settings. Please note that disabling certain cookies may affect website functionality.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (HTTPS/TLS)
  • Secure access controls
  • Regular security assessments
  • Staff training on data protection

10. International Transfers

Your data is primarily stored and processed within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

11. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

13. Klyra Shield

13.1 Introduction

Klyra Shield ("we", "our", or "us") is operated by Klyra Labs. This section explains how we collect, use, disclose, and safeguard your information when you use our browser extension and dashboard service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

13.2 Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Full name
  • Organisation name
  • Password (encrypted)

Extension User Information

When users connect via the browser extension, we collect:

  • Name (as entered by the user)
  • Device identifier (randomly generated)
  • Connection timestamp
  • Last activity timestamp

Activity Data

When the extension detects a prompt submission to an AI platform, we collect:

  • Which AI platform was used (e.g., ChatGPT, Claude)
  • Types of sensitive data detected (e.g., "Email Address", "API Key")
  • Risk level assigned (low, medium, high, critical)
  • Action taken (allowed, warned, blocked)
  • Whether the user proceeded after a warning
  • Timestamp of the event

What We Do NOT Collect

We explicitly do not collect:

  • The actual content of your prompts or messages
  • AI responses or outputs
  • Browsing history outside of supported AI platforms
  • Personal files or documents
  • Keystrokes or screen recordings

13.3 How We Process Data

Local Processing: All sensitive data scanning occurs locally within your browser. The extension analyses prompt text using pattern matching to identify potential sensitive information. The actual prompt content never leaves your device.

Metadata Only: Only metadata about detected patterns is transmitted to our servers. For example, we record that "1 email address was detected" but not the actual email address itself.

13.4 How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Service
  • Generate compliance reports and analytics for your organisation
  • Send alerts for high-risk events (if enabled)
  • Improve and develop new features
  • Communicate with you about your account
  • Comply with legal obligations

13.5 Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

  • Your Organisation: Activity data is visible to administrators within your organisation
  • Service Providers: We use Supabase for database hosting and Vercel for application hosting
  • Legal Requirements: We may disclose information if required by law or to protect our rights

13.6 Data Retention

We retain your data as follows:

  • Account Data: Retained until you request deletion or your organisation terminates service
  • Activity Logs: Retained for 180 days to support quarterly compliance reporting
  • Audit Logs: Retained for 1 year for security purposes

Upon account deletion, all associated data is permanently removed within 30 days.

13.7 Data Security

We implement appropriate security measures including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of sensitive data at rest
  • Row-level security ensuring organisations can only access their own data
  • Regular security assessments
  • Access controls and authentication requirements

However, no method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

13.8 Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request restriction of processing
  • Portability: Request transfer of your data
  • Objection: Object to processing of your data
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at hello@klyralabs.com. We will respond within 30 days.

13.9 International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.

13.10 Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

13.11 Third-Party Services

Our Service integrates with the following third-party services:

  • Supabase: Database and authentication (PostgreSQL hosted infrastructure)
  • Vercel: Application hosting and deployment
  • Resend: Email delivery service

Each third-party service has its own privacy policy governing the use of your information.

13.12 Changes to This Section

We may update this section from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

13.13 Limitation of Liability

THE SERVICE IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND. TO THE MAXIMUM EXTENT PERMITTED BY LAW, KLYRA LABS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUES, WHETHER INCURRED DIRECTLY OR INDIRECTLY, OR ANY LOSS OF DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES RESULTING FROM:

  • Your use or inability to use the Service
  • Any unauthorised access to or use of our servers
  • Any bugs, viruses, or other harmful code transmitted through the Service
  • Any errors or omissions in the detection of sensitive data

The Service is designed to assist with data loss prevention but does not guarantee complete protection against data leaks. Users remain responsible for their own compliance obligations.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Klyra Labs

Email: hello@klyralabs.com

Website: klyralabs.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated: ico.org.uk