■ LEGAL · UK GDPR · EU GDPR
FILE / 003 — PRIVACY · EFFECTIVE / 22 MAY 2026

Privacy.
No drama.

What we collect, why we have it, where it lives, and what you can do about it. Written in plain English. No tracking pixels. No data resale. Effective 22 May 2026.

/ 01

Who we are

Lyba is operated by Ovalay Digital Limited, a company registered in England and Wales. References to “we,” “us,” or “Lyba” mean Ovalay Digital Limited. For privacy matters we are the data controller. Reach us at review@lyba.io.

/ 02

What we collect

We collect the minimum data required to run a review-and-approval workflow. We never sell personal data. We never use customer content to train our own models.

/ Category · What it includes · Lawful basis

  • Account. Email, bcrypt-hashed password, agency name, time zone, plan tier. Lawful basis: Contract.
  • Authentication. Bcrypt-hashed API keys and licence keys. Plaintext is returned once at creation and never stored. Lawful basis: Contract.
  • Billing. Stripe customer ID, subscription status, last 4 of card (held by Stripe). We never see full card numbers. Lawful basis: Contract.
  • Project content. Published Framer URLs, project metadata, integration configuration you supply. Lawful basis: Contract.
  • Review sessions. Comment text, pin coordinates, viewport width, browser user-agent, reviewer-supplied name and email. Lawful basis: Contract.
  • Approvals. Reviewer name, email, timestamp, IP address, user-agent — captured at sign-off as a legal record. Lawful basis: Contract + Legitimate interests.
  • Integrations. OAuth tokens for Linear and Slack, AES-encrypted at rest with a key held in the database, never copied into application memory in plaintext. Lawful basis: Contract.
  • AI classification. Comment text and surrounding context sent to OpenRouter to draft issue proposals. Studios approve every outbound action. Lawful basis: Legitimate interests.
  • Operational logs. Edge Function logs (request ID, status, latency). No raw comment bodies are logged. Lawful basis: Legitimate interests.

/ 03

Why we process it

Each processing purpose is tied to a lawful basis under UK GDPR and EU GDPR (Article 6):

  • Contract. Running the service you or your agency signed up for — accounts, billing, projects, sessions, comments, approvals, integrations you connect.
  • Legitimate interests. Capturing approval evidence (IP, user-agent, timestamp) to make sign-off legally durable; classifying comments into draft proposals so studios can act faster; logging Edge Function metadata to keep the platform up.
  • Legal obligation. Retaining billing records for UK tax and accounting law.
  • Consent. Optional marketing email (which we do not currently send) and any future processing that requires it. You can withdraw consent at any time.

/ 04

Who else touches the data

We use a small number of vetted sub-processors. Each is bound by a data processing agreement. We add or change sub-processors only when necessary and update this list at the same time.

/ Provider · Purpose · Region

  • Supabase. Primary database, auth, file storage, edge runtime. Region: EU (Frankfurt).
  • Vercel. Dashboard and marketing site hosting, CDN. Region: Global edge / US.
  • Stripe. Subscription billing and card processing. Region: US / Ireland.
  • Brevo. Transactional email (sign-in, approval, notifications). Region: EU (France).
  • OpenRouter. LLM gateway for comment-to-issue classification. Zero data retention configured. Region: US.
  • Linear. Optional. Issue creation in your connected workspace when you approve a proposal. Region: US.
  • Slack. Optional. Channel notifications via incoming webhook. Region: US.

/ 05

International transfers

Your primary database lives in the EU (Frankfurt). Some sub-processors — Stripe, OpenRouter, Linear, Slack, and parts of Vercel’s edge — are based in or transfer data to the United States. Where personal data leaves the UK or EEA we rely on the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or an adequacy decision, depending on the recipient.

/ 06

How long we keep it

  • Account data. Until you close the account, then deleted within 30 days.
  • Project, session, and comment data. While the project is active. Deleted on account closure unless you ask us to retain it.
  • Approval records. Retained as an immutable legal record for 7 years after the approval date, even after account closure. This is the entire point of the approval — it has to stand up later.
  • Billing records. Retained for 7 years to satisfy HMRC and UK accounting law.
  • Edge Function logs. 30 days.
  • Integration tokens. Until you disconnect the integration or rotate the encryption key, then unrecoverable.

/ 07

Your rights

UK and EU residents have the rights below. To exercise any of them, email review@lyba.io. We respond within one month. We may ask for proof of identity. There is no fee unless a request is manifestly unfounded or excessive.

  • Access. Get a copy of the personal data we hold about you.
  • Rectification. Correct anything inaccurate or incomplete.
  • Erasure. Delete your account and associated data, subject to the retention notes below.
  • Portability. Receive your project, session, and comment data in a structured, machine-readable format.
  • Restriction & objection. Limit or object to certain processing, including AI classification.
  • Withdraw consent. Where processing is based on consent, you can withdraw it without affecting prior processing.
  • Complain. Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

Erasure does not extend to approval records during their 7-year legal retention period, or to billing records required by HMRC.

/ 08

Cookies and local storage

We use strictly necessary cookies and local storage only. No advertising. No third-party analytics that profile individuals.

  • Session cookies. Set by Supabase Auth to keep you signed in to the dashboard.
  • CSRF tokens. Short-lived, HMAC-signed, used to secure the OAuth integration flow.
  • Review tokens. Stored only in the URL fragment of review links. Rotated on every redirect.
  • Overlay early-exit. The overlay script that ships with every Framer site that installs Lyba does nothing — reads no cookies, makes no network calls — unless a Lyba review token is present in the URL.

/ 09

Security

  • Passwords, API keys, and licence keys are stored as bcrypt hashes. Plaintext exists only at the moment of creation and is shown to you once.
  • Integration tokens (Linear, Slack) are encrypted at rest with a symmetric key held inside the database. The key never crosses into application memory in plaintext.
  • All transport is TLS. Row-Level Security is enabled on every table as defence in depth; authorisation is enforced inside Edge Functions.
  • Review and approval JWTs are short-lived (30 minutes for redirects, 72 hours for plugin deep-links, 168 hours for approval links) and signed with secrets we rotate.
  • We will notify you and, where required, the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in risk to your rights.

/ 10

Children

Lyba is a business tool. It is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact review@lyba.io and we will delete it.

/ 11

Changes to this policy

We will post any material change here and update the effective date. Where the change affects you and we have your email, we will tell you directly before it takes effect.

/ 12

Contact

Ovalay Digital Limited · Company No. 16595254
2a Connaught Avenue, London, E4 7AA, United Kingdom
Email: review@lyba.io

You can also lodge a complaint with the Information Commissioner’s Office at ico.org.uk.
