Privacy Policy

1. Introduction and Controller

These Privacy Policy describes how the entity operating the Elyra platform at elyra.sk ("we" or "Controller") collects, processes, stores and protects personal data of individuals who use our services ("User" or "you"). Processing is carried out in accordance with the GDPR Regulation (EU) 2016/679 and applicable national data protection laws.

By using the platform you acknowledge these Policies. If you disagree with how we process your data, please discontinue use of our services immediately.

2. Personal Data We Collect

We collect the following categories of personal data:

Identity and contact data: name, email address and profile picture obtained via OAuth sign-in.
Call data: call recordings, transcripts, metadata (duration, timestamps, phone numbers) and sentiment analysis results, generated when using the voice functionality of the platform.
Configuration data: system prompts, voice agent settings, knowledge base content and other settings entered by the user.
Payment and billing data: subscription information, transaction history and billing details. Complete payment information (e.g. card numbers) is processed exclusively by a certified payment intermediary; we never store it.
Technical and operational data: IP address, browser type and version, operating system, referrer URL, access timestamps, error logs and other diagnostic information.
Communication records: email communications with customer support or sent via platform tools.

We never intentionally collect personal data of children under 16 years of age. If we discover we have inadvertently obtained such data, we will delete it without delay.

3. Legal Basis and Purposes of Processing

Performance of contract (Art. 6(1)(b) GDPR): processing necessary to provide the platform and its features, account management, billing and customer support.
Legitimate interest (Art. 6(1)(f) GDPR): platform security and integrity, fraud prevention, analytics to improve services and service communications.
Consent (Art. 6(1)(a) GDPR): marketing communications and optional analytics cookies, where you have given us explicit consent.
Legal obligation (Art. 6(1)(c) GDPR): retention of accounting records, responding to lawful requests from public authorities.

4. Sharing and Transfer of Personal Data

We do not sell, rent or disclose your personal data for commercial purposes. Data may be disclosed only in the following circumstances:

Processors (sub-processors): trusted cloud and technology service providers who process data exclusively according to our instructions and with whom we have a Data Processing Agreement in place. These providers include, but are not limited to: server and database operations, voice call processing, billing, email delivery and error monitoring.
Public authorities: where required by law, court order or regulatory body, we will disclose data to the extent strictly necessary.
Business transactions: in the event of a merger, acquisition or asset sale, personal data may be transferred to the acquirer provided that the commitments under these Policies are maintained.

Some processors may be located in or process data outside the European Economic Area (EEA). In such cases we ensure an adequate level of protection through Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms.

5. Cookies and Tracking Technologies

The platform uses cookies and similar technologies in two categories:

Essential cookies: required for the platform to function properly (authentication, session, CSRF protection). These cookies cannot be declined without disabling platform functionality.
Analytics and performance cookies: used only with your explicit consent. You may withdraw consent at any time via the cookie management banner.

6. Your Data Subject Rights

As a data subject you have the following rights under GDPR, which you may exercise free of charge:

Right of access: obtain confirmation of whether we process your personal data and a copy of it.
Right to rectification: request correction of inaccurate or completion of incomplete data.
Right to erasure: request deletion of data in cases provided for by GDPR (right to be forgotten).
Right to restriction: request restriction of processing of your data under certain conditions.
Right to portability: receive your data in a structured, commonly used, machine-readable format.
Right to object: object to processing based on legitimate interest or for direct marketing purposes.
Right to withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise these rights contact us at privacy@elyra.sk. We will respond to your request within 30 days. You also have the right to lodge a complaint with a supervisory authority — in Slovakia this is the Office for Personal Data Protection of the Slovak Republic (dataprotection.gov.sk).

7. Data Retention and Deletion

Call data: retained for a maximum of 12 months from the date of the call, unless a longer period is required by law.
Account data: retained for the duration of an active subscription and 30 days after cancellation, then permanently deleted.
Billing records: retained for 10 years in accordance with applicable accounting regulations.
Technical logs: retained for a maximum of 90 days for security and diagnostic purposes.

After the retention period, data is permanently and securely deleted or anonymised.

8. Security of Personal Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or disclosure. Measures include in particular:

encryption of data in transit (TLS 1.2+) and at rest
access control based on the principle of least privilege
regular security audits and vulnerability assessments
pseudonymisation where technically feasible

Despite these measures, we cannot guarantee absolute security. In the event of a security incident likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and no later than 72 hours after becoming aware of it.

9. Limitation of Liability for Call Content

You, as the operator of the agent, are responsible for the content of calls conducted via your voice agents. Elyra acts solely as a technology intermediary and is not responsible for the content, lawfulness or outcomes of automated calls you make.

You are required to obtain all necessary consents for call recording and processing from your callers in accordance with applicable regulations.

10. Meta Platform Data (Facebook, Instagram)

If you connect your Facebook Page or Instagram account to the Elyra platform, you authorise us to receive and process messages sent by your customers via Facebook Messenger or Instagram Direct. We process these messages solely for the purpose of generating automated replies on your behalf.

Data we receive: sender identifier (PSID/IGSID), message text, timestamp. We do not receive or store your customers' login credentials.
How we use the data: messages are processed by our AI agent to generate a reply and stored in your Elyra account for conversation history.
Third-party sharing: Meta platform data is not shared with third parties and is not used for advertising purposes.
Data deletion: to request deletion of data associated with your Facebook/Instagram account, use our endpoint: elyra.sk/api/channels/meta/data-deletion

Use of Meta platforms within Elyra is also governed by the terms of Meta Platforms, Inc. Elyra is not affiliated with Meta Platforms, Inc.

11. Changes to This Policy

We may update these Policies periodically to reflect changes in our practices or applicable law. We will notify you of material changes by email or prominent in-app notice at least 14 days before they take effect. Continued use of the platform after changes take effect constitutes acceptance of the updated Policies.

12. Contact and Supervisory Authority

For any questions or requests regarding data protection please contact us:

privacy@elyra.sk

If you believe your rights have been violated, you have the right to lodge a complaint with the Office for Personal Data Protection of the Slovak Republic, Hranicna 12, 820 07 Bratislava 27, tel. +421 2 3231 3214, email: statny.dozor@pdp.gov.sk.