Privacy Policy

The following terms are used consistently throughout this policy and in our Terms of Use.

"Service" means the Alynd web application and all related features accessible at alynd.net.

"Account" means a registered user account on the Service.

"You" / "your" means the individual creating or using an Account.

"Content" means career data, uploaded files, CV documents, and other material you create or submit within the Service.

"Processor" means a third-party company that processes personal data on our behalf under a data processing agreement.

We collect the following categories of personal data when you create an Account and use the Service.

Account and identity data

• Full name and email address, provided at registration.
• Password, stored as a one-way cryptographic hash — we cannot read or recover it.
• Profile picture, if you choose to upload one.
• Subscription status and billing tier.

Career and professional data

• Work history including employer names, job titles, responsibilities, dates of employment, and supporting files you upload.
• Education records including institutions, qualifications, and academic years.
• Skills, certifications, publications, awards, professional memberships, training records, and conference presentations.
• CV templates, formatting choices, selected records, and export settings.

AI interaction data

• Messages and instructions you send to the Lyra career assistant.
• Pasted job descriptions and publicly accessible job URLs you provide.
• Auron interview coaching sessions, including transcripts if you use voice input.
• Conversation history within the current session.

Technical and usage data

• IP address and approximate location at country or city level.
• Browser type, operating system, and device type.
• Pages visited, features used, and session timestamps.
• Error logs and diagnostic information.

Payment data

Subscription payments are processed entirely by Stripe. We do not store card numbers or raw payment credentials. We receive only payment event confirmations from Stripe, such as whether a subscription is active or has lapsed.

Support data

If you contact us for support or submit a bug report, we retain the content of that communication to resolve your request.

Directly from you. The majority of data we hold is data you provide when you register, populate your career records, upload files, use AI features, or contact us.

Automatically. When you use the Service, our servers record technical data including your IP address, device and browser details, and the pages you access. This data is captured in server logs.

From third parties. Stripe sends us payment event confirmations when your subscription status changes. We do not receive your card details from Stripe. We do not purchase or receive data about you from data brokers or marketing lists.

We process personal data only where we have a valid lawful basis under UK GDPR and EU GDPR. The following sets out our purposes and the basis for each.

Performance of a contract — we process your account data, career records, and Content to provide the features you have asked us to provide. This includes running Lyra and Auron, parsing CV uploads, generating CV documents, and processing your subscription payment. Without this processing, we cannot provide the Service.

Legitimate interests — we process technical and usage data to maintain service reliability, diagnose errors, detect abuse, and improve the product. Our interests in operating a secure and functioning service are balanced against your interest in not having data used in ways you would not expect.

Legal obligation — we retain payment and billing records to comply with financial record-keeping requirements under applicable law.

We do not use your personal data for behavioural advertising. We do not sell your personal data to any third party.

We use strictly necessary cookies to maintain your authenticated session. These are required for the Service to function and do not require your consent.

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies at this time. If we introduce cookies that require consent in future, we will update this policy and present you with a consent mechanism before those cookies are set.

We share personal data only with the third-party Processors listed below, solely to the extent necessary for them to perform their role in providing the Service. Each Processor operates under a data processing agreement that limits how they may use your data. We do not share your data with any other party for commercial purposes.

Cloud hosting — Railway

Railway hosts the application server and PostgreSQL database. All account and career data is stored on Railway's infrastructure.

File storage — Amazon Web Services S3, London (eu-west-2)

Uploaded files are stored in a private S3 bucket located in AWS's London region. Files are never publicly accessible. Downloads are served via presigned URLs that expire after one hour.

AI processing — OpenAI

When you use the Lyra assistant, Auron coaching, or the CV import parser, relevant text and career context is sent to OpenAI's API to generate responses or extract structured data. The data sent is limited to what is needed for the specific request. Under OpenAI's API data usage terms, data submitted via the API is not used to train OpenAI's models by default.

Voice transcription — Deepgram

If you use voice input in Auron, your audio recording is sent to Deepgram for transcription. The resulting text is then processed within Auron. Deepgram does not use API-submitted audio to train its models under standard API terms.

Payment processing — Stripe

Stripe handles all subscription billing. Stripe is PCI-DSS certified and holds your payment card data under its own controls. We receive only event confirmations from Stripe.

Transactional email

We use an email delivery provider to send transactional messages such as account confirmations, password resets, and billing notifications. These providers process only the email address and message content necessary to deliver each email.

Our primary infrastructure is located in the United Kingdom and European Economic Area. OpenAI and Deepgram are US-based companies that process data in the United States.

Where we transfer personal data outside the UK or EEA, we ensure that transfer is subject to appropriate safeguards. For transfers to US-based Processors, we rely on standard contractual clauses approved by the UK Information Commissioner's Office and the European Commission, or on equivalent transfer mechanisms that provide an adequate level of protection for your data.

We retain personal data only for as long as necessary for the purposes described in this policy.

• Account and career data — retained while your Account is active and deleted within 30 days of account deletion.
• Uploaded files — retained until you delete them or delete your Account.
• Payment and billing records — retained for 7 years following the relevant transaction to meet financial record-keeping obligations.
• Server and diagnostic logs — retained for up to 90 days.
• Support communications — retained for up to 2 years following resolution.

Where deletion cannot be completed immediately because of backup cycles, legal holds, or dispute resolution requirements, data that cannot be removed is restricted to the relevant operational purpose and is no longer used to provide the active account experience.

We apply the following technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure.

• All data in transit is encrypted using TLS 1.2 or higher.
• Passwords are stored as one-way cryptographic hashes. We cannot read your password.
• Uploaded files are stored in a private S3 bucket with no public access at the bucket policy level. File downloads require time-limited presigned URLs that expire after one hour.
• The production database has no public endpoint. Only authenticated application services can connect to it.
• Role-based access controls limit production system access to a small number of authorised personnel.
• Production startup checks enforce that critical credentials are configured and debug mode is disabled before the application accepts requests.
• AI-generated changes are shown to you as proposals for review — nothing is written to your account without your explicit confirmation.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and report to the UK Information Commissioner's Office within 72 hours of becoming aware, as required by UK GDPR.

Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, email us at privacy@alynd.net. We will respond within one month. Where a request is complex or involves a large volume of data, we may extend this period by a further two months and will notify you if we do so.

• Access. Request a copy of the personal data we hold about you.
• Correction. Ask us to correct personal data that is inaccurate or incomplete.
• Deletion. Ask us to delete your personal data. You can also delete your Account directly from Settings without contacting us.
• Restriction. Ask us to restrict processing of your data while a dispute or correction request is being resolved.
• Portability. Receive your career data in a structured, machine-readable format. You can download this directly from Settings → Export Data at any time.
• Objection. Object to processing that is based on our legitimate interests. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Withdraw consent. Where processing is based on your consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Complaints. If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk. EU residents may contact their local supervisory authority.

If we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect and update the Last updated date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

For privacy and data rights queries: privacy@alynd.net

For general enquiries: info@alynd.net

Website: alynd.net