Privacy Policy
Last updated: 20 April 2026
This policy explains what personal data Byron collects, why, and what you can do about it. It's written under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
Byron is operated by Kinson Tech Ltd, a private limited company registered in England and Wales (company number 16583266), with its registered office at Elm House, Elm Road, East Bergholt, Colchester, England, CO7 6SG. For data protection purposes, Kinson Tech Ltd is the data controller for the personal data you provide to Byron. You can reach us at hello@getbyron.ai.
What we collect
We collect the following categories of personal data:
- Account data — your email address, password hash, and (if you sign in with Google) your Google account ID and display name.
- Telegram data — your Telegram user ID, first name, and username, plus the messages, voice notes, and images you send to the bot.
- Content you create — the rough thoughts you send, the drafts Byron generates, your edits, schedules, and any engagement data you share.
- Voice profile — a summary of your writing style derived from posts you paste, or from your recent public posts that we access with your permission when you connect LinkedIn or X. The voice profile is the only artefact we keep; the posts themselves are not stored.
- Connected social profiles — when you connect LinkedIn or X and give permission, we access up to ~20 of your recent public posts plus basic profile metadata (handle, display name, bio). The posts are analysed to build your voice profile and then discarded at the end of that request. We do not keep copies of your posts.
- Billing data — if you subscribe, Stripe processes your payment details on our behalf. We never see your full card number. We store your Stripe customer ID and subscription status.
- Technical data — server logs with IP address, user agent, and timestamps, retained for security and debugging.
Why we process it (lawful basis)
Under UK GDPR we can only process personal data if we have a lawful basis. Ours are:
- Performance of a contract (Art. 6(1)(b)) — to provide the service you signed up for: generating drafts, storing them, running scheduled reminders, and handling your subscription.
- Consent (Art. 6(1)(a)) — to scrape your public LinkedIn or X posts, build a voice profile from them, and analyse your writing style. You give this through the explicit opt-in screen during onboarding. You can withdraw at any time.
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse, debug errors, and improve the product. We balance this against your rights and don't rely on it for intrusive processing.
- Legal obligation (Art. 6(1)(c)) — where we have to keep records (e.g. tax records for paid subscriptions).
We do not sell your data or use it to train general-purpose AI models. Your content is not used to improve any model beyond your own voice profile.
Who we share it with (sub-processors)
To run Byron we share data with a small list of trusted sub-processors. Each is contractually bound to protect your data:
- Supabase (USA/EU) — authentication and database hosting. Our database is in Stockholm (EU).
- Vercel (USA) — web hosting. Our functions run in the Stockholm region.
- Anthropic (USA) — Claude AI, used to generate and edit drafts. By default Anthropic does not train models on API content.
- OpenAI (USA) — used for voice transcription and some image generation. API content is not used for training.
- Telegram (global) — bot messaging. Governed by Telegram's own privacy policy.
- Apify (USA/EU) — reads your recent public LinkedIn or X posts when you give permission, so Byron can analyse your voice.
- Zernio (USA) — handles the LinkedIn and X OAuth connections on our behalf when you connect a social account.
- Stripe (USA/EU) — payment processing for paid plans.
- Resend (USA) — transactional email (sign-in links, receipts).
- Sentry (USA) — error and performance monitoring. We scrub personal data from reports before they leave our servers.
International transfers. Where we transfer data to the USA or elsewhere outside the UK, we rely on the UK Extension to the EU-US Data Privacy Framework (commonly called the UK-US Data Bridge) or on the Information Commissioner's Standard Contractual Clauses, depending on the vendor.
How long we keep it
- Account + content — for as long as your account is active. When you delete your account (via Settings, /deleteme, or email), we delete it immediately. Backups are overwritten on our providers' standard cycles.
- Voice profile — same as your account; deleted with it. The posts we read to build it are discarded at the end of the analysis request and not stored.
- Server and error logs — retained per our hosting providers' defaults (Vercel runtime logs and Sentry error reports). These are used for debugging and security, not for profiling, and PII is scrubbed before it reaches Sentry.
- Billing records — 6 years, as required by UK tax law, once you become a paying customer.
Your rights
Under UK GDPR you have the right to:
- Access — ask for a copy of the personal data we hold about you.
- Rectification — ask us to correct anything that's wrong.
- Erasure — ask us to delete your data (the "right to be forgotten").
- Restriction — ask us to stop processing your data in certain circumstances.
- Portability — receive your data in a portable format (JSON).
- Object — object to processing we base on legitimate interests.
- Withdraw consent — at any time, without it affecting past processing.
- Not be subject to automated decisions — Byron does not make legally significant decisions about you automatically.
To exercise any of these rights, email us at hello@getbyron.ai, or type /deleteme or /export to the bot. We respond within 30 days (usually much sooner).
If you're unhappy with how we've handled your data, you can complain to the UK Information Commissioner's Office at ico.org.uk. We'd appreciate the chance to fix it first.
Cookies and tracking
Byron uses only essential cookies needed to keep you signed in (set by Supabase Auth). We do not use advertising or analytics cookies, and we do not track you across other websites. See our cookies page for details.
Children
Byron is not for anyone under 16. If we learn we've collected data from someone under 16, we'll delete it.
Security
We use encryption in transit (HTTPS everywhere) and at rest on our database and storage providers, scoped credentials with the principle of least privilege, PII scrubbing before error reports leave our servers, and our providers' standard backup cycles. No system is perfectly secure, but we take it seriously. If we ever suffer a breach that risks your rights, we'll notify the ICO within 72 hours and let you know where the law requires.
Changes to this policy
If we make material changes we'll email you and update the "Last updated" date at the top. Small clarifications we'll just edit.
Contact
Questions, requests, or complaints about this policy? Email hello@getbyron.ai.