Privacy Policy

How OTT Cybersecurity LLC (Dubai, United Arab Emirates) collects, uses, stores, and protects your personal data across the Lyrie AI cybersecurity platform.

Effective: April 1, 2026 · Last Updated: April 28, 2026 · OTT Cybersecurity LLC

Plain English Summary

Your data, your control

This summary is provided for convenience only and is not legally binding. The full policy below governs how we handle your data.

01

What We Collect

Account info, billing via Stripe (card last 4 only), WAF request logs, endpoint device hashes, and captcha signals. Endpoint scan results stay on-device unless you enable cloud sync.

02

How We Use It

To provide cybersecurity services, detect threats, process payments, and improve the platform. We never use your data for AI model training unless you explicitly opt in.

03

Who Sees It

We do not sell your data. We do not share with advertisers. Only essential subprocessors (Stripe, AWS, Vercel, Resend, Microsoft Clarity for marketing-site analytics) and law enforcement with valid court orders see it.

04

Your Controls

Configure data retention from 7–365 days. Export all data in JSON/CSV. Delete your account and all data with email verification. Full GDPR, CCPA, and UAE PDPL rights honored within 30 days.

05

Security

TLS 1.2+ in transit, AES-256 at rest, Argon2id password hashing, 2FA, tamper-protected endpoints, CSP headers, and documented incident response.

06

Cookies & Tracking

Authentication and CSRF cookies, plus Microsoft Clarity for product analytics (clicks, scrolls, masked inputs — never plain-text form values). No advertising pixels, no cross-site trackers. EU/UK visitors see a consent banner; you can opt out anytime.

Document Structure

18 sections, five categories

Full Legal Text

Complete privacy policy

The legally binding privacy policy governing how we handle your data.

1. Scope & Applicability

This Privacy Policy describes how OTT Cybersecurity LLC ("Lyrie", "we", "us") collects, uses, stores, and protects personal data when you use the Lyrie AI cybersecurity platform and all related products ("Services").

This policy applies to: the Lyrie AI web dashboard and API, Lyrie WAF, LyrieHEX and OMEGA vulnerability scanners, Lyrie Remedy, Lyrie AI Security & Privacy (desktop and mobile), Captcha service, Data Breach Monitoring, SDKs, WordPress plugin, and browser extension.

For data we process on behalf of our customers (as a data processor), our Data Processing Agreement applies in addition to this policy.

2. Information We Collect

Information you provide: Account registration data (name, email, password hash), billing information (processed by Stripe — we store only the card last 4 digits and billing address), domain/site configuration, support correspondence, and profile information (username, company name, website).

Automatically collected data: IP addresses (for WAF threat analysis and authentication logging), browser metadata (user-agent, headers — for bot detection), WAF request logs (URL paths, query parameters, headers — scored and stored per your retention settings), and basic usage analytics (page views, feature usage — aggregated, not individually tracked).

Endpoint agent data: Device identifiers (hashed with SHA-256 — cannot be reversed to identify hardware), OS type, process metadata (for malware detection), file hashes (for threat detection), network connection metadata, and threat detection events. Scan results and quarantined file metadata stay on-device by default and are not transmitted to our servers unless you explicitly enable cloud sync.

Mobile app data: Device model and OS version (for compatibility), app installation list hashes (for stalkerware/malware detection — not the actual app names), network connection metadata, and breach check queries (email addresses you choose to check).

Captcha data: IP address, browser fingerprint signals, and interaction patterns. This data is processed ephemerally for bot detection and is not stored beyond the verification session (typically under 5 minutes).

3. How We Use Your Information

Account data: Used for authentication, billing, customer support, and service notifications.

WAF request data: Analyzed in real time to detect and block threats (SQLi, XSS, RCE, SSRF, path traversal, and 10+ additional attack vectors) and stored in threat logs for your review. We never use your WAF traffic data for AI/ML model training unless you explicitly opt in.

Endpoint telemetry: Used to improve detection accuracy when cloud sync is enabled. Device identifiers are hashed and cannot be reversed.

Vulnerability scan results: Stored in your account and accessible via your dashboard. We do not share scan findings with third parties.

Aggregated analytics: We use aggregated, anonymized usage data to improve the platform, identify feature adoption, and plan capacity. This data cannot be used to identify individual users.

5. Data Retention

Threat logs: Retained based on your data control settings (configurable from 7 to 365 days in your dashboard). You can delete threat logs at any time.

Account data: Retained for the duration of your account. Upon account deletion request, you verify via email and authenticator (if enabled), then all personal data is permanently wiped after a 7-day grace period.

Scan reports: Retained until you delete them or close your account. Desktop scan data stored locally follows your device's storage lifecycle.

Billing records: Transaction history is retained for 5 years from the end of the relevant tax period, as required by UAE Federal Decree-Law No. 28 of 2022 on Tax Procedures and the UAE Federal Tax Authority record-keeping rules. This data is limited to transaction amounts, dates, and invoice identifiers.

Audit logs: Retained for the duration of the account. Security-related audit entries may be retained for up to 2 years after account closure for fraud prevention.

6. Data Sharing & Disclosure

We do not sell your personal data. We do not share your data with advertisers. We do not use your data for AI model training (contractual guarantee).

We may share data with:

  • Subprocessors: Infrastructure providers, payment processors, and email services necessary to deliver the Services. See our Subprocessor list for details.
  • Law enforcement: Only when legally compelled with a valid court order or subpoena. We will notify you of such requests unless prohibited by law.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, personal data may be transferred. You will be notified via email and prominent notice before any such transfer.

Enterprise customers can configure region-locked data storage and custom Data Processing Agreements (DPAs).

7. Your Rights (GDPR — EEA Residents)

If you are in the European Economic Area, you have the right to:

  • Access: View and export all personal data we hold about you via the Data Controls panel in your dashboard.
  • Rectification: Request correction of inaccurate data via your profile settings or by contacting us.
  • Erasure: Request deletion of your data (right to be forgotten). Use the account deletion flow in your dashboard or email [email protected].
  • Portability: Export your data in machine-readable format (JSON, CSV) through the dashboard or API.
  • Restriction: Request that we restrict processing of your data while a dispute is resolved.
  • Objection: Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Withdraw consent: Withdraw consent for optional processing at any time via your dashboard settings.

We respond to all GDPR requests within 30 days. For complex requests, we may extend this by an additional 60 days with notice, as permitted under GDPR Article 12(3).

You also have the right to lodge a complaint with your local data protection supervisory authority.

8. Your Rights (CCPA — California Residents)

If you are a California resident, under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), you have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Delete: Request deletion of your personal information, subject to certain exceptions.
  • Opt out of sale: We do not sell personal information. There is nothing to opt out of.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Correct: Request correction of inaccurate personal information.
  • Limit use of sensitive data: We do not process sensitive personal information as defined by CCPA beyond what is necessary to provide the Services.

To exercise your CCPA rights, email [email protected] or use the Data Controls panel in your dashboard. We will verify your identity before processing requests.

Categories of data collected in the last 12 months: Identifiers (name, email, IP address), commercial information (subscription and billing data), internet activity (WAF logs, usage patterns), geolocation data (IP-based, city-level), and professional information (company name, job title if provided).

9. Your Rights (UAE PDPL — UAE Residents)

If you are located in the United Arab Emirates, the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL") and its Executive Regulations grant you the following rights:

  • Right to information: Receive clear information about how your personal data is processed (this Privacy Policy is intended to satisfy that requirement).
  • Right of access: Request confirmation of whether we process your personal data and obtain a copy.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data where it is no longer necessary, where consent has been withdrawn, or where processing is unlawful.
  • Right to restrict processing: Request that processing be limited under certain conditions.
  • Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object: Object to processing for direct marketing or where processing is based on legitimate interests.
  • Right regarding automated decisions: Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, save where exceptions apply.
  • Right to withdraw consent: Withdraw any consent you have given, at any time, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: Lodge a complaint with the UAE Data Office (the supervisory authority established under the PDPL).

To exercise any of these rights, email [email protected] or use the Data Controls panel in your dashboard. We respond within 30 days. We may need to verify your identity before processing the request.

10. International Data Transfers

Lyrie AI is operated from Dubai, United Arab Emirates. If you access the Services from outside the UAE, your personal data will be transferred to and processed in the UAE and in jurisdictions where our subprocessors operate (primarily the United States and the European Union).

For transfers of personal data out of the UAE, we comply with Articles 22 and 23 of the UAE PDPL, which permit cross-border transfers where the destination jurisdiction provides an adequate level of protection or where appropriate safeguards (such as contractual clauses) are in place.

For transfers from the EEA or the United Kingdom, we rely on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914) and the UK International Data Transfer Addendum where applicable.
  • Transfer Impact Assessments where required.
  • Supplementary technical measures including encryption in transit (TLS 1.2+) and at rest (AES-256).

Enterprise customers may request region-locked data processing to keep all data within the UAE or the EEA. Contact [email protected] for configuration.

11. Children's Privacy

The Services are not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a child without parental consent, we will delete that data promptly. If you believe we have collected data from a child, contact [email protected] immediately.

12. Automated Decision-Making & Profiling

Lyrie AI uses automated systems for:

  • WAF threat scoring: Incoming requests are scored by AI models to determine if they are malicious. High-score requests are blocked automatically. You can review and appeal blocked requests via your dashboard.
  • Captcha challenge: Behavioral analysis determines if a user is human or a bot. No personal profiles are created; the analysis is session-scoped.
  • Malware detection: The endpoint agent uses AI models to classify files and processes as safe or potentially malicious.

These automated decisions relate to security operations, not decisions that produce legal effects or similarly significant effects on individuals as described in GDPR Article 22. If you believe an automated decision has adversely affected you, contact [email protected] for human review.

13. Blockchain Features

The Lyrie mobile app includes blockchain security features (wallet address checking, URL verification, transaction monitoring). When you use these features:

  • Wallet addresses you submit for checking are compared against known malicious address databases. We do not store wallet addresses after the check is complete.
  • We do not access, store, or transmit your private keys, seed phrases, or wallet contents.
  • Transaction monitoring is performed locally on-device. Transaction data is not sent to our servers.

14. Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed with Argon2id. API keys are stored as SHA-256 hashes.

Our infrastructure includes: rate limiting, IP-based access controls, audit logging, 2FA (TOTP + email OTP), tamper-protected endpoint agents, CSP headers, and documented incident response procedures.

For full details, see our Security Practices page.

15. Cookies & Tracking

Strictly necessary cookies: Session tokens, CSRF protection tokens, and your cookie-consent preference. These are required to operate the Services and cannot be disabled.

Product-analytics cookies (Microsoft Clarity): We use Microsoft Clarity, a session-replay and heatmap tool operated by Microsoft Corporation, to understand how visitors use our public marketing site (lyrie.ai and its subdomains). Clarity captures clicks, scrolls, mouse movement, page URLs, browser/OS metadata, and an anonymized IP address. Text typed into form fields is masked by default — Clarity records that an input occurred, not its content. Clarity sets the following cookies:

  • _clck — persists a Clarity user ID (retention: ~1 year).
  • _clsk — connects multiple page views into a single session (retention: 1 day).
  • CLID, MUID, ANONCHK, MR, SM — set on Microsoft domains (clarity.ms / bing.com) for fraud prevention and ID synchronization (retention: 10 minutes – 1 year+).

Microsoft retains Clarity session data for up to 13 months. Microsoft acts as our processor; their handling is governed by the Microsoft Products and Services Data Protection Addendum and the Microsoft Privacy Statement.

Legal basis & consent: In the EEA, the UK, and any other jurisdiction requiring prior consent for non-essential cookies (including the UAE under the PDPL), Clarity is loaded only after you accept analytics cookies in our consent banner. In other jurisdictions, we rely on legitimate interest. You can withdraw or change your choice at any time from the "Cookie Preferences" link in the footer.

Authenticated app and endpoint applications: The Lyrie AI dashboard (app.lyrie.ai) does not run Clarity. The Lyrie AI Security & Privacy desktop and mobile applications do not use cookies and do not run Clarity.

No advertising or cross-site tracking: We do not use advertising pixels, retargeting cookies, or third-party trackers (no Meta Pixel, no Google Ads tags, no LinkedIn Insight, no TikTok Pixel).

For full details and the live cookie inventory, see our Cookie Policy.

Do Not Track: We honor Do Not Track (DNT) browser signals on our marketing site by suppressing Microsoft Clarity when DNT is enabled.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and posted on this page with an updated effective date.

If changes materially reduce your rights, we will provide at least 30 days' notice before the changes take effect.

18. Contact

Privacy inquiries & data subject requests: [email protected]

Legal inquiries, DPAs, law-enforcement requests: [email protected]

For GDPR / UAE PDPL / CCPA requests: Use the Data Controls panel in your dashboard, or email [email protected]. We respond within 30 days.

Data Controller
OTT Cybersecurity LLC
Dubai, United Arab Emirates
Website: lyrie.ai

Full registered-address details and trade-licence information are available on request via [email protected], or in any Data Processing Agreement we sign with you.