1. Who We Are
Byro Technologies LLC (trading as “Byro”; “we”, “us”, “our”) is the data controller for personal data collected through our website, and the data processor for personal data you upload into the Service on behalf of your end-users (employees, suppliers, etc.).
- Company name: Byro Technologies LLC
- Registration no.: CN-1084762
- Registered address: Office 101, Business Bay Tower, Business Bay, Dubai, United Arab Emirates
- Privacy contact: privacy@byro.io
2. Personal Data We Collect
2.1 Account data (you provide directly)
- Name, email address, password (hashed)
- Organization name, country/region, subdomain
- Billing details: name, email, payment method (handled by payment processor — we never see card numbers)
2.2 Customer Data (uploaded by you on behalf of your end-users)
When using the Service you may upload data about your employees, suppliers, customers, and assets. This may include: names, emails, phone numbers, employee IDs, salary information, bank details, identity document numbers (Emirates ID, Iqama, CNIC, etc.), and similar HR / business records. We process this data only as a data processor on your instructions, in accordance with our Data Processing Agreement.
2.3 Usage data (collected automatically)
- IP address, browser type, operating system, device info
- Pages visited, features used, timestamps, referrer URLs
- Error logs and performance metrics (via Sentry or equivalent)
3. Why We Collect It (Lawful Basis)
- Performance of contract — to provide the Service you've subscribed to
- Legitimate interest — to improve the Service, prevent fraud, and ensure security
- Legal obligation — to comply with tax law, court orders, regulatory requests
- Consent — for marketing emails (you may opt out at any time)
4. Who We Share It With
We share personal data only with: (a) sub-processors listed at /sub-processors who help us operate the Service (hosting, payments, email delivery, monitoring); (b) law enforcement when legally compelled; (c) successor entities in a merger or acquisition.
We do not sell personal data. We do not use Customer Data for advertising, training AI models for other customers, or any purpose other than providing the Service to you.
5. Where We Store It
Your data is stored in the AWS region selected at signup:
- UAE / GCC customers: AWS Bahrain region (me-central-1)
- Pakistan customers: AWS Mumbai region (ap-south-1) or nearest available
- Other regions: AWS EU (Ireland) by default
For Enterprise customers, dedicated infrastructure can be provisioned in any AWS region of your choice. See DPA §6 for details on cross-border data transfers.
6. How Long We Keep It
We hold data only as long as needed to deliver the service, comply with law, and honour our contracts. The table below sets out the specific retention period for each major data type. Any retention longer than the active subscription is driven by a stated legal obligation, not by default storage.
| Data type | Retention | Reason |
|---|---|---|
| Active workspace data (employees, assets, transactions) | While subscription is active | Service delivery |
| Cancelled workspace — full restore window | 90 days post-cancellation | Customer reactivation |
| Cancelled workspace — after 90-day window | Permanently deleted | Data minimisation (GDPR Art. 5) |
| Suspended workspace (payment failed) | Until resolved or cancelled | Contract obligation |
| Trial workspace (never converted) | 30 days after trial expiry, then deleted | Demo cleanup; nothing of business value |
| Financial records (invoices, payslips, receipts) | 7 years | Tax law (UAE FTA, KSA ZATCA, UK HMRC, US IRS, etc.) |
| Audit log (system mutation history) | 7 years | Regulatory + customer audit needs |
| Authentication events (sign-ins, MFA, password resets) | 1 year | Security investigation |
| Email outbox (transactional sends) | 180 days | Deliverability troubleshooting |
| API request logs | 90 days | Abuse detection + debugging |
| Backups (encrypted snapshots) | Rolling 30 days | Disaster recovery |
| Marketing list (mailing list opt-ins) | Until unsubscribe + 30 days | Unsub confirmation window |
| Visitor analytics (no PII) | 12 months | Product analytics aggregation |
| Support tickets / contact form submissions | 3 years | Customer service quality + dispute resolution |
| Anonymised aggregate stats (no individual data) | Indefinite | Statistical research; cannot be re-identified |
Once a retention period ends, data is permanently deleted from production systems within 24 hours and purged from encrypted backups within the next rolling 30-day window. You can request earlier deletion via GDPR Art. 17 — see Section 7. We are sometimes required to retain specific records beyond a deletion request (court order, ongoing investigation, tax-law obligations). In those cases we will tell you which records and why.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure ("right to be forgotten") — delete your data
- Portability — receive data in a machine-readable format
- Restriction — limit how we process your data
- Objection — object to processing for legitimate interests / direct marketing
- Withdraw consent — for any processing based on consent
Exercise these rights by emailing privacy@byro.io. We respond within 30 days. Account holders can also access, export, and delete their workspace data directly from the in-app settings.
For data we process as your data processor (your employees, customers, etc.), the rights request goes to you (the data controller); we will assist you in fulfilling it.
8. Security
We implement industry-standard security measures including:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Field-level encryption for highly sensitive data (bank IBANs, etc.)
- Multi-factor authentication for admin accounts
- Audit logging of every data-modifying action
- Role-based access control (RBAC) within and across companies
- Regular backups with point-in-time recovery
- Annual penetration testing (planned)
See /security for the full security overview.
9. Cookies
We use cookies for:
- Essential — authentication, session management, CSRF protection (cannot be disabled)
- Functional — remembering preferences (theme, locale, active company)
- Analytics — anonymous usage statistics (you can opt out)
We do not use third-party advertising cookies or cross-site tracking.
10. Children's Privacy
The Service is intended for business use and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact privacy@byro.io.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be notified by email at least 30 days in advance. The "Effective" date at the top of this page reflects the most recent revision.
12. Contact and Complaints
For privacy queries: privacy@byro.io.
If you are in the EU/UK and not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. UAE customers may contact the relevant data protection regulator (e.g. UAE Data Office). Pakistani customers may contact the Federal Investigation Agency (FIA) Cyber Crime Wing for data protection complaints.