1. Who we are
The data controller for the personal data described in this policy is Lyto ("Lyto", "we", "our", "us"), a company registered in the Netherlands.
- Registered address: Francois Maelsonstraat 2, 2582 KC, Den Haag, Netherlands
- KvK (Chamber of Commerce) number: 99898624
- VAT number: NL005417321B70
- Privacy contact: lytoapp@gmail.com
We have not formally appointed a Data Protection Officer, as we are not legally required to do so at our current scale. The privacy contact above is the right address for any data-protection question.
2. Scope
This policy covers personal data we process when you:
- Visit our marketing website at lytoapp.com
- Create or hold an account on any Lyto product (including Workspace, Pipeline, Solve, Sum, Workstream, Tally and Pulse)
- Sign in via our authentication service at auth.lytoapp.com
- Contact us by email or by submitting a form on our website
When you use a Lyto product inside an organisation that has its own Lyto account, that organisation is the controller of the business data you contribute (timesheets, invoices, project records, etc.). Lyto is the processor of that data on its behalf. This policy applies to data Lyto controls directly — such as your account credentials, billing details, support correspondence, and product-usage telemetry.
3. What we collect and why
3.1 Account data
When you create an account, we collect your name, email address, and (if you set one) a hashed password. If you sign in with Google, we receive your Google account email, name, profile picture and a unique Google identifier. We never receive your Google password.
Lawful basis: performance of a contract (Art. 6(1)(b) GDPR) — we need this to give you access to the service you've signed up for.
3.2 Product data
To deliver the features you use — timesheets, invoices, sales pipeline records, AI-assisted suggestions, dashboards, and so on — we store the information you and your colleagues enter into the apps, plus metadata about how that information is created and changed (timestamps, the user who made each change).
Lawful basis: performance of a contract (Art. 6(1)(b)) for the customer organisation; legitimate interest (Art. 6(1)(f)) in maintaining accurate audit trails.
3.3 Billing data
For paid plans, we store your billing email, billing address, VAT number (where applicable) and the records of invoices and payments. Card or bank details, where you provide them, are handled by our payment processor and never stored on Lyto's own servers.
Lawful basis: performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax and accounting record-keeping under Dutch law.
3.4 Technical and usage data
When you use Lyto, our servers automatically receive standard request information: IP address, user-agent string, the page or API endpoint requested, the response status, and the time of the request. We log a subset of this for security, abuse-prevention, and debugging.
We also record a small set of product-usage events (for example: "user signed in", "invoice created") so we can understand which parts of the product are used and detect failures. These events are tied to your user ID but do not include the content of your business records.
Lawful basis: legitimate interest (Art. 6(1)(f)) in keeping the service secure, reliable and improving over time.
3.5 Support and communication data
When you email us, fill out a form, or otherwise contact us, we keep the contents of that correspondence so we can respond and so we have a record of the question if it comes up again.
Lawful basis: legitimate interest (Art. 6(1)(f)) in providing support.
4. Sub-processors
Lyto uses a small number of trusted infrastructure providers to deliver the service. Each is bound by a written data-processing agreement, and we've chosen providers that process EU personal data within the EU or under appropriate safeguards.
| Sub-processor | Purpose | Processing region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage, edge functions | Ireland (EU) |
| Vercel Inc. | Web and application hosting | Frankfurt (EU) |
| Twilio SendGrid | Transactional email delivery | EU region |
| Cloudflare, Inc. | Bot/abuse protection (Turnstile captcha) | Global edge; data-residency-aware |
| Google LLC | "Sign in with Google" identity verification (only if you choose to use it) | United States, under EU Standard Contractual Clauses |
| Anthropic PBC | AI-assisted features in the Tally app (input is not used to train models) | United States, under EU Standard Contractual Clauses |
We update this list as it changes. If you would like to receive notice of new sub-processors before they are engaged, email lytoapp@gmail.com.
5. International transfers
Where personal data is transferred outside the European Economic Area (currently to Google and Anthropic, for the specific purposes described above), we rely on the European Commission's Standard Contractual Clauses and, where applicable, on adequacy decisions. We do not transfer personal data to jurisdictions without an appropriate safeguard in place.
6. How long we keep it
- Active accounts: for as long as the account remains active.
- Closed accounts: personal data linked to a closed account is deleted within 90 days, except where we are legally required to retain it (for example, billing records under Dutch tax law — 7 years).
- Backups: backups containing your data are rotated out within 30 days after deletion from the live system.
- Security and abuse logs: up to 12 months.
- Support correspondence: up to 24 months after the conversation ends.
7. Your rights
Under the GDPR, you have the right to:
- Request a copy of the personal data we hold about you (right of access).
- Ask us to correct inaccurate or incomplete data (right to rectification).
- Ask us to delete your data, subject to the retention rules above (right to erasure).
- Ask us to restrict how we use your data while a dispute is resolved (right to restriction).
- Receive your data in a portable, machine-readable format (right to data portability).
- Object to processing we carry out under legitimate interest (right to object).
- Withdraw consent at any time, where we rely on consent.
To exercise any of these rights, email lytoapp@gmail.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
8. Cookies and similar technologies
Our marketing website uses only strictly necessary cookies, including a session cookie for the sign-in flow on auth.lytoapp.com. We do not use third-party advertising or cross-site tracking cookies. If we add analytics in the future, we will update this policy and ask for consent where required.
9. Security
We take security seriously and apply industry-standard practices: encryption in transit (TLS 1.2+), encryption at rest for all customer databases, hashed passwords (bcrypt or stronger), least-privilege access for our team, row-level authorisation policies on the database, multi-factor authentication for administrative access, and continuous monitoring. No system is perfectly secure; if you believe you have discovered a vulnerability, please report it to lytoapp@gmail.com.
10. Children
Lyto is built for business use and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. For material changes that affect how we use existing personal data, we will give account-holders notice by email at least 30 days before the change takes effect.
12. Contact
Questions, requests, or complaints about this policy or how we handle your data:
- Email: lytoapp@gmail.com
- Post: Lyto, Francois Maelsonstraat 2, 2582 KC, Den Haag, Netherlands