Lylo Privacy Policy
Effective date: May 27, 2025
Last updated: May 27, 2025
1. Introduction
Lylo ("we", "our", "us") is a personal executive assistant powered by large‑language‑model (LLM) technology. This Privacy Policy explains how we collect, use, disclose, and protect your information when you connect your Gmail mailbox and Google Calendar and when you use our mobile application and related services (collectively, the "Services"). By using Lylo, you agree to the practices described below.
2. Information We Collect
2.1 Google Email & Calendar Data
When you authorize Lylo through Google OAuth, we request the restricted Gmail scope https://www.googleapis.com/auth/gmail.readonly and the read‑only Calendar scope https://www.googleapis.com/auth/calendar.readonly. We collect only the data necessary to provide core functionality:
- Gmail: message metadata (sender, recipient, subject, timestamps, labels) and message body content (including attachments) when needed to fulfill a user query.
- Google Calendar: event metadata (title, start/end time, location, attendees) and free‑busy information.
2.2 Account, Usage & Device Data
- Authentication identifiers (Google UID, internal Lylo ID)
- Device type, OS version, app version, and crash logs
- Interaction logs (queries, feature usage, timestamps)
2.3 Support & Feedback
When you contact us we collect your email address and any information you choose to provide.
3. How We Use Information
- Deliver assistant responses—summaries, reminders, suggested actions—based on your email and calendar data.
- Index email and calendar content for semantic search within Lylo.
- Improve model performance and user experience through aggregated, de‑identified analytics.
We do not sell or rent personal data, nor do we use Gmail or Calendar data for advertising or marketing.
4. Legal Basis & Your Rights (GDPR)
Where the GDPR applies, our legal bases include performance of a contract (providing the Services) and legitimate interests (improving and securing Lylo). You have the right to access, correct, delete, restrict, or export your personal data, and to object to certain processing.
5. Data Sharing
We share data only with:
- Cloud infrastructure providers (e.g., AWS, Google Cloud) needed to host and operate Lylo.
- LLM inference providers (e.g., OpenAI) under strict data processing agreements.
- Service providers for analytics, error tracking, customer support, and email delivery.
- Authorities when required by law or to protect rights and safety.
- Successors in the event of a merger or acquisition, provided the recipient honors this Policy.
6. Data Retention
- Raw Gmail & Calendar content is processed in‑memory and deleted from our active systems within 24 hours.
- Vector embeddings and metadata are retained for up to 30 days (or until you delete the data) to power semantic search.
- Refresh tokens are encrypted using AES‑256 and stored until you revoke access or until 90 days of inactivity have passed.
You may delete your account or revoke Google access at any time. We will erase associated data within 30 days unless a longer period is required by law.
7. Security
- TLS 1.3 encryption in transit and AES‑256 encryption at rest.
- Zero‑trust access controls and least‑privilege IAM.
- Annual penetration testing and SOC 2 Type II compliance program.
- Continuous monitoring and automated alerts for anomalous activity.
8. Google API Services User Data Policy Compliance
Lylo's use of Gmail and Calendar data is strictly limited to providing or improving user‑facing features, in full accordance with Google's Limited Use requirements. We never transfer this data to third‑party apps except as described in Section 5, and we disable human access to content unless you explicitly request human support.
9. Your Choices
- Disconnect Google Account: In Lylo → Settings → Data Sources.
- Data export: Request a machine‑readable copy of your data.
- Deletion: Delete your account in‑app or email privacy@lylo.ai.
- Analytics opt‑out: Toggle off in Settings.
10. International Data Transfers
We store data in the United States. When transferring personal data from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses and complementary technical safeguards.
11. Children's Privacy
Lylo is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised version in‑app and update the "Last updated" date. We will notify you of material changes 30 days before they take effect.
13. Contact Us
Clarence Health, Inc. d/b/a Lylo
999 Startup Ave, New York, NY 10001 USA
Email: privacy@lylo.ai