Privacy & Data Policy
Effective April 4, 2026 · Last updated April 4, 2026
1. Overview
Klyro ("we", "us", "our") is a managed WordPress and web-application hosting platform operated by Capax Labs. This policy explains what data we collect, why we collect it, how we protect it, and your rights as a user.
2. Data We Collect
2.1 Account Data
| Field | Source | Purpose |
|---|---|---|
| Email address | Google OAuth | Account identification, login |
| Display name | Google profile | Displayed in UI and audit logs |
| Profile picture URL | Google profile | Avatar in the dashboard |
| OAuth provider ID | Google OAuth | Single-sign-on link |
2.2 Security & Authentication Data
| Field | Purpose |
|---|---|
| SSH public keys | Secure shell access to site environments |
| 2FA (TOTP) secret | Two-factor verification (stored hashed, never exposed via API) |
| JWT access & refresh tokens | Stateless API session management |
2.3 Site & Infrastructure Data
When you create and manage sites, we store:
- Site configuration — name, subdomain, tier, resource allocations, runtime versions, datacenter region
- Domain records — custom domains, SSL certificate status
- SFTP & database credentials — generated per-site, stored encrypted, never exposed in API responses
- Integration tokens (optional) — Telegram, Slack, Discord — used exclusively for notifications you configure
- Backup metadata — type, status, size, expiration; backup data stored in encrypted object storage
2.4 AI Agent Data
If you use Klyro's AI agents:
- Agent configuration — name, role, system prompt, heartbeat schedule
- Task & message history — titles, descriptions, priority, status, and agent-to-user messages
- Agent activity logs — timestamped records for debugging and traceability
2.5 Audit & Activity Logs
Every significant action on the platform generates an immutable audit event containing:
| Field | Example |
|---|---|
| Action performed | site.create, domain.add, backup.restore |
| Actor identity | Email, actor type (user/agent/system) |
| IP address | Client IP at time of action |
| User agent | Browser/client identifier |
| Resource affected | Type, ID, and name |
| Outcome | Success, failure, or error with HTTP status |
2.6 File Activity Logs
SFTP and file-management operations are logged with: action type (upload, download, delete, rename), file path, file name, file size, acting user, and timestamp.
2.7 Data We Do NOT Collect
- No third-party analytics: No Google Analytics, Mixpanel, Hotjar, or tracking SDKs
- No cookies: Auth uses JWT bearer tokens via HTTP headers
- No advertising data: We don't run ads or build advertising profiles
- No site visitor tracking: We never log or analyze traffic to your hosted sites
3. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Account management | Email, name, avatar |
| Authentication | OAuth credentials, JWT tokens, 2FA secrets |
| Site operations | Site config, credentials, server assignments |
| Security & compliance | Audit logs, IP addresses, user agents |
| Agent automation | Agent config, task history, activity logs |
| Notifications (opt-in) | Integration tokens for Telegram/Slack/Discord |
4. Data Storage & Security
Infrastructure
- Hetzner Cloud (EU — Germany)
- MySQL with TLS-encrypted connections
- SFTPGo with per-site credential isolation
- Backups encrypted at rest
Access Controls
- Sensitive fields excluded from all API responses
- JWT tokens signed with HMAC-SHA256
- SSH keys stored as public keys only
- Per-site credential isolation
5. Data Sharing & Third Parties
| Third Party | Data Shared | Purpose |
|---|---|---|
| | Email + profile (initiated by you) | Authentication only |
| Hetzner Cloud | Server/VM metadata | Infrastructure hosting |
| AI model providers | Agent prompts and task context | AI agent execution |
We do not sell your data, share it with advertisers, provide it to data brokers, or share audit logs outside your team.
6. Data Retention
| Data Type | Retention |
|---|---|
| Account data | Until you delete your account |
| Audit events | Immutable — retained permanently for compliance |
| File activity logs | Retained for the lifetime of the associated site |
| Site data & credentials | Deleted when you terminate a site |
| Backups | Auto-expire based on your plan's backup window |
| JWT tokens | In-memory only, expire per configured window |
7. Your Rights
- Access: View all personal data we hold via your dashboard and API
- Rectification: Update your name and profile information via Settings
- Deletion: Request account deletion — your user record will be soft-deleted and all sites terminated. Audit logs are immutable and will not be deleted.
- Data portability: Export your site data via SFTP or backup download at any time
- Restrict processing: Contact us to restrict specific processing activities
8. Children's Privacy
Klyro is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we discover that we have collected data from a child, we will delete it promptly.
9. Changes to This Policy
We may update this policy periodically. Material changes will be announced via the Klyro dashboard and email. The "Last Updated" date at the top will always reflect the most recent revision.
10. Contact
For privacy-related inquiries, data access requests, or to report a concern:
privacy@useklyro.com
Capax Labs
Audit trail integrity
You can verify the integrity of your audit trail at any time from the Activity Logs page. Each event displays its SHA-256 checksum and link to the previous event in the chain.
