⚠️ UNREVIEWED DRAFT (NOT LEGAL ADVICE). This Privacy Policy was generated as a starting point for the founder of byline.fyi. It has not been reviewed by a qualified data-protection lawyer and must not be published or relied upon until it has been reviewed and adapted by counsel for your jurisdiction. Every item in SQUARE BRACKETS is a placeholder a human must fill in before this goes live (legal entity name, contact details, effective date, retention periods, transfer mechanisms, and the like). An inaccurate privacy policy is itself a legal liability, so before publishing, re-verify every described data flow and every sub-processor against the running system. This draft reflects the system as documented in the byline repository on [VERIFICATION DATE]; confirm nothing has changed.
byline.fyi Privacy Policy
Effective date: [EFFECTIVE DATE]
Last updated: [LAST UPDATED DATE]
This Privacy Policy explains how [LEGAL ENTITY NAME] ("byline", "we", "us") collects, uses, shares, and protects personal data in connection with the byline.fyi website, dashboard, MCP server, and related services (the "Service"). It should be read together with our Terms of Service.
If you have any questions, or wish to exercise your rights, contact us at [PRIVACY CONTACT EMAIL].
1. Who we are and our role
[LEGAL ENTITY NAME], registered in [COUNTRY OF INCORPORATION] (company number [COMPANY NUMBER]) at [REGISTERED ADDRESS], is the data controller for the personal data described in this policy where we determine the purposes and means of processing (principally account, billing, security, and operational data).
[IF APPOINTED: Our Data Protection Officer / representative is [NAME / CONTACT]. Our UK and EU representatives under Article 27 (if required) are [DETAILS].]
Controller and processor: an important distinction
byline plays two different roles depending on the data:
- We are the controller for the data we collect to run our business and provide the Service to you: your account details, authentication data, billing metadata, usage and audit logs, and similar operational data.
- We act as your processor for the content and audience data you choose to ingest into the Service. When you connect a source and instruct byline to ingest your published content, private notes, audience comments, and engagement metrics, you (the creator or your organisation) are the controller of that material, and byline processes it on your behalf and on your instructions to provide the Service. This is significant because that material can include personal data about third parties (for example, the names, usernames, platform identifiers, and comment text of members of your audience, and the identities of people in emails you forward). You are responsible for having a lawful basis to provide that data to us. See section 9 for what this means in practice, and the data-processing terms referenced there.
2. The data we collect
2.1 Account and identity data (we are controller)
- Your name, email address, and email-verification status.
- Authentication data: one-time passcodes, sign-in sessions, and identifiers from third-party sign-in providers (for example, Google) when you use them.
- Organisation and membership data: organisation name, your role, invitations you send, and team membership.
2.2 Content and source data you ingest (we are processor; you are controller)
- Published content you connect, such as Instagram posts, reels and carousels, YouTube videos and their transcripts, website articles, and similar.
- Private notes and drafts you supply, including content you forward by email to your unique inbound address. Email ingestion stores the subject, body, sender details, and attachment metadata (file name, type, size, and identifier); it does not retain attachment file contents.
- Audience comments and replies from connected platforms (Instagram and YouTube), including the comment text, the commenter's display name and platform identifier, like counts, and timestamps.
- Engagement and analytics metrics over time, such as views, likes, comment counts, reach, saves, shares, watch time, and (where the platform exposes them) aggregate audience demographics such as age, gender, city, and country bands. These are stored as time-series snapshots.
- Derived data that the Service generates from the above: text chunks, vector embeddings, transcripts, summaries, the creator profile (voice, themes, audience, formats), a working memory, and insights.
- Connection credentials for your sources, such as the access tokens issued by a connected platform (for example, an Instagram long-lived access token), which are stored so the Service can sync on your behalf.
2.3 Billing data (we are controller)
- Subscription and plan status, and billing metadata received from our payment processor, Stripe, such as your Stripe customer and subscription identifiers and plan details. We do not store full payment-card numbers; card data is handled by Stripe.
2.4 Usage, log, and security data (we are controller)
- An audit log of privileged and state-changing events (for example, creating a source, connecting Instagram, ingesting content, starting checkout, and signing in), recording the action, a target identifier, a timestamp, and the originating IP address for attribution.
- Technical session data such as IP address, user-agent, and timestamps.
- Aggregate, non-identifying operational counters used for cost and abuse control.
2.5 Advertising, analytics, and cookies
See section 11. By default we use only the cookies strictly necessary to run the Service. We measure how sign-ups and subscriptions convert from advertising using Meta's Conversions API, which runs server-side and sets no cookies of its own. Over the life of an account we record up to four standard events: registration (on sign-up), trial activation (on completing onboarding), the first subscription (on checkout), and each subsequent payment or renewal (which carries the amount paid). With each event we share advanced-matching signals so Meta can attribute it to an advertisement: a hashed email, hashed name, and hashed account identifier, together with ad-click identifiers, IP address, and user-agent (see section 2.6). Separately, an optional analytics tag (Google Tag Manager) loads only if it is configured.
2.6 Advertising and conversion-attribution data (we are controller)
When you arrive from an advertisement and when you sign up, we capture and store a small set of advertising-attribution signals so we can measure which campaigns lead to sign-ups and subscriptions. These are:
- Ad-click identifiers carried in the landing-page URL or in advertising cookies set on our own domain, for example Meta's _fbc and _fbp, Google's gclid, wbraid, and gbraid, TikTok's ttclid, Microsoft's msclkid, and Reddit's rdt_cid.
- Campaign parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) from the landing-page URL.
- Your IP address and user-agent as recorded at sign-up.
We store these against your user account (not your organisation) at sign-up and replay them on the later server-side conversion events described in sections 2.5 and 6. We do this because our free trial can outlast the advertising platforms' own attribution windows, so without the stored signals we could not connect a later subscription back to the advertisement you first clicked. [CONFIRM the lawful basis for this advertising-measurement processing with counsel: consent may be required in some jurisdictions before these identifiers are collected or shared with Meta, and if so this collection must be gated on that consent; see sections 4 and 11.]
3. Where the data comes from
We collect data: (a) directly from you (account details, notes, settings, content you upload or forward); (b) from the platforms you connect, on your instruction (Instagram via the Meta platform, YouTube via Google, your website, and inbound email); and (c) automatically through your use of the Service (log, session, and audit data).
4. How and why we use data, and our lawful bases
For users in the UK and the European Economic Area, the legal bases under the UK GDPR and EU GDPR are shown in brackets.
| Purpose | Examples | Lawful basis (UK/EU GDPR) |
|---|---|---|
| Provide the Service | Authenticate you, ingest and process content, generate the creator profile and insights, expose data over MCP to the tools you connect | Performance of a contract (Art. 6(1)(b)); for processing on your behalf, your instructions as controller |
| Billing and accounts | Manage subscriptions, take payment via Stripe, prevent payment fraud | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax and accounting |
| Security, abuse, and cost control | Audit logging, rate limiting, disposable-email blocking, the global cost circuit-breaker, fraud prevention | Legitimate interests (Art. 6(1)(f)) in securing the Service and preventing abuse and runaway cost |
| Service communications | Send sign-in codes, trial reminders, and service notices | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
| Improve and maintain the Service | Diagnose issues, maintain reliability | Legitimate interests (Art. 6(1)(f)) |
| Comply with law | Respond to lawful requests, enforce terms, resolve disputes | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) |
| Measure advertising and conversions | Record standard registration, trial-activation, subscription, and purchase events server-side via Meta's Conversions API, and replay ad-click identifiers so conversions attribute to a campaign; load optional analytics (Google Tag Manager) where configured | [Confirm basis with counsel] consent (Art. 6(1)(a)) where required; otherwise legitimate interests (Art. 6(1)(f)) in measuring advertising and conversions |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You can object to that processing as described in section 8.
We do not sell personal data, and we do not use your content or audience data to train our own or third parties' general-purpose AI models. Content is sent to AI sub-processors only to perform the processing you request (for example, generating embeddings, transcripts, the profile, and insights). [CONFIRM with each sub-processor that data submitted via API is not used by them for model training, and align this statement with their current terms; see section 6.]
5. Automated processing and AI
The Service uses automated processing and third-party AI models to analyse your content and produce derived data such as summaries, the creator profile, and insights. This processing supports you and does not produce legal or similarly significant effects about individuals within the meaning of Article 22 of the GDPR. AI output can be inaccurate and should be reviewed before use, as explained in the Terms of Service.
6. Sub-processors and third parties we share data with
To provide the Service we share data with the third parties below, which act as our processors or sub-processors, or as independent controllers for their own services. Data is shared only as needed for the stated purpose.
[VERIFY EACH ROW before publishing: the entity's current legal name, processing location, and transfer mechanism, and obtain or link each one's Data Processing Agreement / sub-processor list. Locations below are indicative and must be confirmed.]
| Sub-processor | Purpose | Data shared | Location / transfer mechanism |
|---|---|---|---|
| Ollama (Ollama Cloud) | AI text and reasoning model (GLM-5.2) for analysis, the creator profile, and insights; AI vision model (Kimi K2.6) for image captioning | Content text, notes, audience comments, and image data sent for captioning | [Likely USA; confirm; rely on SCCs / UK Addendum] |
| OpenRouter | Routes AI requests for (a) YouTube video understanding (via Google AI Studio) and (b) text embeddings (Gemini embedding model), per current configuration | The YouTube watch URL for video analysis; text content sent for embedding | [Likely USA; confirm; SCCs / UK Addendum] |
| Google (Google AI Studio / Gemini) | Processes the YouTube video-understanding requests routed via OpenRouter | The YouTube watch URL and resulting analysis | [Confirm region; SCCs / UK Addendum] |
| Google (YouTube Data API) | Source connector: fetches your channel's videos, comments, and statistics | API requests using your configured access; returns your YouTube content and audience data | [Confirm region; relationship with platform terms] |
| Google (Sign-in / OAuth) | Optional third-party sign-in | Your Google account identifier and basic profile, only if you sign in with Google | [Confirm region; SCCs / UK Addendum] |
| Google (Tag Manager) | Optional client-side analytics, only if configured | Standard web/analytics identifiers | [Confirm; consent-gated; SCCs / UK Addendum] |
| Meta Platforms (Conversions API) | Advertising-conversion measurement: records standard registration, trial-activation, subscription, and purchase events server-side | On each event: a hashed email, hashed first/last name, and a hashed account identifier, plus ad-click identifiers (_fbc/_fbp and similar), IP address, and user-agent for attribution; the purchase event additionally carries the payment value and currency | [Confirm region; SCCs / UK Addendum; advertising-measurement terms apply] |
| Meta Platforms (Instagram Graph API) | Source connector: fetches your Instagram posts, comments, and insights | API requests using the access token you authorise; returns your Instagram content and audience data | [Confirm region; platform terms apply] |
| Postmark (ActiveCampaign / Wildbit) | Outbound transactional email (sign-in codes, trial reminders) and inbound email ingestion | Recipient email address and message content; for inbound, the emails you forward | [Likely USA; confirm; SCCs / UK Addendum] |
| Stripe | Payment processing and subscription billing | Billing identifiers, subscription and payment metadata; card data is collected directly by Stripe | [USA / Ireland; confirm; SCCs / UK Addendum] |
| Hetzner (or current hosting/object-storage provider) | Hosting of the application database and object storage for uploaded files | All data stored by the Service, at rest | [Confirm region, e.g. EU/Germany] |
| Cloudflare | Content delivery, DNS, and proxy in front of the Service | Connection metadata such as IP address and request data | [Global edge; confirm; SCCs / UK Addendum] |
Self-hosting note for the founder: the embeddings step is configured by default to use OpenRouter (a Gemini embedding model). The project intends to move embeddings to a self-hosted model, in which case embedding text would no longer leave your own infrastructure. Before publishing, confirm which configuration is live in production and update the table accordingly. Likewise, optional connectors not enabled in production (for example, additional analytics or scrapers) should not be listed until they actually process data.
We also disclose personal data where required to comply with law, to enforce our agreements, to protect the rights, safety, and property of byline, our users, or others, and in connection with a merger, acquisition, financing, or sale of assets (in which case we will require the recipient to honour this policy or notify you).
7. International data transfers
The Service and several sub-processors may process personal data outside the UK and the European Economic Area, including in the United States. Where we transfer personal data to a country that does not have UK or EU "adequacy" status, we rely on appropriate safeguards, principally the European Commission Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary measures where needed. [CONFIRM the safeguard relied on for each sub-processor; obtain executed SCCs / DPAs; consider the EU-US Data Privacy Framework where a recipient is certified.] You can request a copy of the relevant safeguards by contacting us at [PRIVACY CONTACT EMAIL].
8. How long we keep data (retention)
We keep personal data only as long as necessary for the purposes described in this policy.
- Content and derived data: retained for the life of your account or organisation so the Service can function, and deleted or de-identified within a commercially reasonable period after you delete the content or close the organisation. Deleting an organisation removes its content, derived data, and audience data through cascading deletion. [SET A SPECIFIC POST-CLOSURE DELETION WINDOW, e.g. within 30 days, and keep it consistent with the Terms of Service.]
- Email-ingested data: [DEFINE A RETENTION / PURGE PERIOD for ingested email payloads; the system does not currently enforce a fixed schedule, so set one before publishing.]
- Account and billing records: retained while your account is active and for as long afterwards as needed to meet legal, tax, and accounting obligations (commonly [e.g. 6 to 7 years] for financial records). [CONFIRM with counsel.]
- Audit and security logs: retained for [RETENTION PERIOD] for security, abuse-prevention, and accountability purposes. These logs deliberately survive account or organisation deletion and store only minimal identifiers (action, target, timestamp, and IP), not your content.
- Advertising-attribution data: the ad-click identifiers, campaign parameters, IP address, and user-agent captured at sign-up (section 2.6) are stored against your user account and are deleted when that account is deleted, which cascades their removal. [SET AND CONFIRM a maximum retention period for this advertising-measurement data with counsel; some regimes expect a defined, short window independent of the life of the account.]
- Aggregate cost counters: non-identifying and retained as operational records.
When retention ends, we delete or irreversibly de-identify the data. Residual copies may persist briefly in backups and are deleted in the ordinary backup cycle.
9. Audience data and your responsibilities (controller and processor)
When you connect Instagram or YouTube, or forward emails, the Service processes personal data about other people, in particular your audience: commenter names and usernames, platform identifiers, comment text, and aggregate engagement demographics, as well as the identities of senders and recipients in emails you forward.
For that third-party personal data, you are the controller and byline is your processor. This means:
- You are responsible for ensuring you have a lawful basis and any necessary notices or permissions to provide that data to us and to have it processed as described here.
- We process it only on your documented instructions to provide the Service, keep audience comments in a separate processing namespace from your own brand-voice content, and apply the security measures in section 10.
- We make available [a Data Processing Agreement / data-processing terms] that govern this processing, including confidentiality, sub-processor use, assistance with data-subject requests, and deletion on termination. [PREPARE AND LINK A DPA; it is required for business customers under Article 28 GDPR.]
- If we receive a request or complaint from one of your audience members that relates to data you control, we will refer it to you or assist you in responding, rather than acting on it unilaterally.
10. How we protect data
We use technical and organisational measures appropriate to the risk, including:
- Strict per-organisation isolation: every content query and mutation is scoped to the owning organisation, so one customer's data is not exposed to another.
- Authenticated access: the dashboard uses authenticated sessions, and the MCP server is gated by OAuth access tokens.
- Abuse and cost controls: rate limiting, disposable-email blocking at sign-up, and a global daily cost circuit-breaker.
- Server-side request protections against fetching internal or private network addresses, and size and time limits on ingestion.
- Handling of untrusted input: third-party content and comments are treated as untrusted and isolated when passed to AI models.
- An append-only audit log of privileged actions.
- Access controls and least privilege for our infrastructure, and storage with encryption at rest where supported by our providers. [CONFIRM encryption-at-rest status for the database and secrets, and tighten this statement to match reality; do not over-claim.]
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Cookies and similar technologies
We use cookies and similar technologies that are strictly necessary to operate the Service, including a sign-in session cookie and an anti-forgery cookie used during third-party connection flows. These do not require consent.
We record advertising-conversion events server-side (Meta's Conversions API) across the account lifecycle; because they run on our server, they set no cookies of their own. Those events may reuse the advertising identifiers described in section 2.6, including values from advertising cookies such as Meta's _fbp/_fbc where the Meta Pixel is present on our domain. Separately, if analytics is configured (an optional Google Tag Manager container), the Service loads that tag, which may set non-essential analytics cookies. Where required by law, we will obtain your consent before setting non-essential cookies. [ADD A COOKIE BANNER / CONSENT MECHANISM if you enable analytics or client-side ad pixels in a jurisdiction that requires prior consent, and list the specific cookies set. CONFIRM with counsel whether the server-side Conversions API event requires consent in your target markets.]
12. Your rights
Subject to applicable law, you have rights over your personal data. For UK and EU residents under the GDPR, these include the rights to: access a copy of your data; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing; data portability; and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office; in the EU, your local authority).
To exercise these rights, contact us at [PRIVACY CONTACT EMAIL]. We will respond within the time required by law (generally one month under the GDPR). We may need to verify your identity. Note that for personal data where you are the controller (your audience's data), we will direct or assist with requests rather than act unilaterally, as described in section 9.
13. California privacy notice (CCPA / CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act, as amended, including the rights to know what personal information we collect and how it is used and shared, to access and delete it, to correct it, and to be free from discrimination for exercising your rights.
We do not "sell" personal information, and we do not "share" it for cross-context behavioural advertising, as those terms are defined under California law. We do not knowingly collect personal information from anyone under 18. The categories of personal information we collect and the purposes are described in sections 2 and 4; the categories of recipients are in section 6. To exercise your rights, contact us at [PRIVACY CONTACT EMAIL]. You may use an authorised agent, subject to verification. [CONFIRM CCPA/CPRA APPLICABILITY AND REQUIRED DISCLOSURES WITH US COUNSEL. In particular, reassess the "sell"/"share" statement above now that byline sends Meta's Conversions API the ad-click identifiers (_fbc/_fbp and similar), IP address, and user-agent captured at sign-up (section 2.6), alongside hashed email, name, and account id, to attribute conversions to advertising. That flow may constitute a "share" for cross-context behavioural advertising, in which case an opt-out mechanism and updated disclosures are required. Update this paragraph accordingly.]
14. Children
The Service is intended for users aged 18 and over and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us at [PRIVACY CONTACT EMAIL] and we will delete it.
15. Data-breach notification
We maintain procedures to detect, investigate, and respond to personal-data breaches. Where a breach is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority and affected individuals as required by applicable law (under the GDPR, the authority generally within 72 hours of becoming aware). Where byline acts as your processor, we will notify you without undue delay so you can meet your own obligations as controller.
16. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or an in-product notice). The "Last updated" date shows when it was last revised. Continued use of the Service after the changes take effect constitutes acceptance of the updated policy.
17. Contact
For any privacy question or to exercise your rights, contact:
[LEGAL ENTITY NAME]
[PRIVACY CONTACT EMAIL]
[REGISTERED ADDRESS]
[DATA PROTECTION OFFICER / EU AND UK REPRESENTATIVE, if appointed]