Privacy Policy

This Privacy Policy explains how Clyona(“Clyona,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use our websites, applications, and related services (collectively, the “Service”), including Orbit (our design canvas), project and brand tools, AI-assisted creative features, subscription and billing flows, and integrations such as LinkedIn and Shopify where enabled.

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

Data controller:

General contact: support@clyona.com
Website: https://clyona.com

If you are in the European Economic Area (EEA), UK, or Switzerland and we are required to appoint a representative, contact us at support@clyona.com or the address above for details.

This policy applies to information we process when you:

• Create or sign in to an account
• Use Clyona and Orbit (canvas editing, uploads, AI tools, chat, exports)
• Manage profile, subscription, credits, and usage
• Connect third-party services (e.g., LinkedIn, Shopify-related features)
• Contact support or interact with marketing pages

It does not cover third-party websites, apps, or services linked from the Service; those have their own policies.

We use information to:

• Provide, operate, maintain, and improve the Service
• Authenticate you and manage accounts, organizations/workspaces, and access control
• Store and sync your projects, canvases, assets, and settings
• Run AI and media processing features you request and deduct or manage credits accordingly
• Process subscriptions and payments, prevent fraud, and provide billing support
• Send service-related communications (security alerts, account notices, password reset)
• Respond to support requests and enforce our terms
• Analyze usage to improve performance, reliability, and product design (in aggregated or de-identified form where possible)
• Comply with law, protect rights, and enforce policies

We do not use your private canvas content to train public third-party foundation models unless we clearly tell you otherwise and you opt in, or unless a specific third-party's terms require it for providing the feature—in which case we rely on that provider's policies and our agreements with them.

Many features are automated and powered by external models and APIs, including but not limited to:

What is sent: text prompts, chat messages, images (including uploads and canvas exports), masks, selected regions, style parameters, and technical metadata needed to complete the job.

Outputs: generated or edited media and text returned to your account/canvas.

Credits: AI operations may consume account credits or require a paid plan.

Automated processing does not typically produce legal or similarly significant effects about you without human involvement; it is used to deliver creative tooling you initiate.

Where GDPR or UK GDPR applies, we rely on:

• Contract: to provide the Service you signed up for
• Legitimate interests: security, fraud prevention, improvement, and analytics (balanced against your rights)
• Consent: where required (e.g., non-essential cookies or optional marketing)
• Legal obligation: compliance with applicable law

You may withdraw consent where processing is consent-based, without affecting lawfulness before withdrawal.

We share information only as needed:

• Service providers (processors): hosting, database, authentication, storage, email, payment, queue/workers, and AI vendors listed above, under contracts requiring appropriate safeguards
• Payment provider: Polar (and legacy references to Stripe customer IDs in our database, if applicable) for checkout, subscriptions, and billing events
• Integration partners: LinkedIn, Shopify/Orbit APIs, and OAuth providers you choose to connect
• Within your organization: if you use organization/workspace features, content may be visible to members per product permissions
• Legal and safety: to comply with law, court orders, or to protect users, the public, or Clyona
• Business transfers: merger, acquisition, or asset sale, with notice where required

We do not sell your personal information for money. If we use analytics or advertising cookies in the future, we will update this policy and provide choices where required.

We and our providers may process data in the United States and other countries. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) for transfers from the EEA/UK.

We retain information for as long as your account is active and as needed to provide the Service, resolve disputes, enforce agreements, and meet legal obligations.

Typical retention (subject to change and legal holds):

• Account and profile data: until you delete your account, plus a reasonable backup period
• User content (canvases, assets, projects): until you delete it or your account, unless longer retention is required by law
• Billing records: as required for tax and accounting (often several years)
• Logs and security data: for a limited period appropriate for security and debugging

You may request deletion as described in Section 12. Some data may persist in encrypted backups for a limited time after deletion.

We use administrative, technical, and organizational measures appropriate to the risk, including encryption in transit, access controls, and secured credentials for service accounts. No method of transmission or storage is 100% secure; you are responsible for keeping your password confidential and using a strong, unique password.

Depending on your location, you may have the right to:

• Access, correct, or delete personal information
• Export portable copies of your data
• Object to or restrict certain processing
• Withdraw consent (where processing is based on consent)
• Lodge a complaint with a supervisory authority (EEA/UK)

How to exercise rights: email support@clyona.com or write to us at the address in Section 2. We may verify your identity before responding.

Account controls: update profile and avatar in app settings; sign out to end your session; use password reset on the sign-in page.

Deletion: you may request account deletion by contacting us. Deleting content in the app may not immediately remove all copies from backups or logs.

California (CCPA/CPRA):California residents may have additional rights to know, delete, correct, and opt out of certain “sharing” for cross-context behavioral advertising. We do not sell personal information as defined by the CCPA. Contact us to exercise rights.

We use:

• Essential cookies: Supabase authentication session cookies required to sign you in and call protected APIs
• Preference cookies: e.g., sidebar/UI state stored in cookies or local storage
• Local storage: Orbit drafts, toolbar preferences, and similar client-side data

You can control cookies through browser settings; disabling essential cookies may prevent sign-in or core features.

The Service is not directed to children under 13 (or 16 in certain jurisdictions). We do not knowingly collect personal information from children. Contact us if you believe a child has provided data and we will delete it.

The Service may load Google Fonts and other third-party resources in the browser; those providers may receive technical data (IP address, user agent) under their own policies. External links are not covered by this policy.

We may update this Privacy Policy from time to time. We will post the revised version with a new “Last updated” date and, where required, provide additional notice (e.g., email or in-app banner). Continued use after the effective date constitutes acceptance of the updated policy.

Questions about this Privacy Policy or our practices:

Email: support@clyona.com

Mail: