Privacy Policy

Last updated: June 3, 2026

This Privacy Policy explains how Lyncro (“we”, “us”) collects, uses and protects your personal information when you use lyncro.bio and related services. We respect your privacy and we are committed to handling your data with care and transparency.

1. Information We Collect

Account information. When you sign up, we collect your email address, name (if provided), profile picture (Google), language preference and a username you choose.

Profile content. Anything you create in Lyncro — section titles, text, uploaded images, PDFs, social links, products. This content is intentionally public when your profile is published.

Authentication data. For Google sign-in we receive an authentication token from Google; for email sign-in we generate a one-time code (OTP) sent via Resend. We never store passwords.

Analytics & technical data. Page views on your profile, section visits, device/user-agent, approximate IP address (truncated for storage), session timestamps. Used for your dashboard analytics and to keep the service safe.

Payments (when applicable). If you upgrade to Pro, billing data is processed directly by Stripe. We only store a Stripe customer ID — we never see card numbers.

2. How We Use Your Information

• Provide, operate and maintain the Service.
• Authenticate you and keep your account secure.
• Show analytics on your dashboard.
• Send transactional emails (OTP codes, security alerts, billing receipts).
• Detect and prevent abuse, spam, fraud and security incidents.
• Comply with legal obligations.

3. Legal Basis (EU/UK users)

We process your data based on (a) performance of contract — to provide the Service you signed up for; (b) legitimate interest — keeping the platform safe, improving the product; (c) consent — for non-essential cookies and marketing emails; and (d) legal obligation where applicable.

4. Sharing

We share data with:

• Service providers: MongoDB Atlas (database hosting), Resend (transactional email), Vercel/Emergent (compute), Stripe (payments). These vendors are bound by data-protection agreements.
• Authorities, when legally required (subpoena, court order) and limited to what is requested.
• Successors, if Lyncro is acquired or merged — you will be notified and given choices in advance.

We do not sell your personal information.

5. Cookies & Tracking

We use a single essential cookie (lyncro_session) to keep you logged in. It is httpOnly, secure and sameSite=Lax. We also store a consent preference and the demo-edit overrides in your browser’s localStorage. No third-party advertising cookies.

6. Your Rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, LGPD…) you have the right to:

• Access the personal data we hold about you (use Settings → Export my data).
• Rectify inaccurate data (use Settings or contact us).
• Erase your data (use Settings → Delete account; this is irreversible).
• Restrict or object to certain processing.
• Data portability — our export is a structured JSON file.
• Withdraw consent at any time.
• Lodge a complaint with your local data-protection authority.

To exercise rights you cannot perform yourself, email privacy@lyncro.bio.

7. Data Retention

• Active accounts: kept while your account exists.
• Sessions: 30 days from last sign-in.
• Analytics events: 24 months (then aggregated).
• Deleted accounts: all personal data is removed within 30 days; minimal logs kept for legal compliance.

8. Security

We protect your data with industry-standard practices: TLS in transit, encrypted storage at rest, httpOnly secure cookies, hashed OTPs, session expiry, rate limiting on authentication endpoints, principle-of-least-privilege access for our staff, and automated dependency scanning. No method is 100% secure, but we keep improving.

9. International Transfers

Our infrastructure may process data in the United States and the European Union. When transferring personal data outside your country we rely on Standard Contractual Clauses or equivalent safeguards.

10. Children

Lyncro is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us and we will delete it.

11. Changes to this Policy

We may update this policy. Material changes will be announced by email and via an in-app notice at least 14 days before they take effect.

12. Contact

Data controller: Lyncro. Email privacy@lyncro.bio for any privacy question, or dpo@lyncro.bio for our Data Protection Officer (EU representative on request).