Privacy Policy
Who we are
Leyro ("we", "us", "our") is a calm operating system for everyday life. It helps individuals, families, and professionals keep documents, renewals, subscriptions, and household administration organised in one trusted place. Leyro is a product of Vault Co. LLC and is accessible at app.getleyro.com.
We believe privacy should feel like part of the product, not a disclaimer buried at the bottom of a page. This policy explains, in plain language, what we collect, why we collect it, and the choices you have.
For the purposes of data protection law, Vault Co. LLC is the data controller for personal data collected through Leyro.
Leyro is an independent private software platform. It is not affiliated with, endorsed by, or connected to any government, government department, or document-issuing authority. Documents you store — such as passports, visas, or identity cards — are kept for your own convenience and organisation only.
If you have a question about this policy or how your data is handled, we would genuinely like to hear from you — write to us at hello@getleyro.com.
What data we collect
Account information
- Name, email address, and password when you create an account
- Profile preferences — country, timezone, language, currency, and account mode
- Profile photo, if you choose to upload one
- Authentication method — email and password, Google or Apple sign-in, or a passkey
Documents you upload
- Files you add to your vault — passports, national IDs, insurance cards, bank statements, invoices, mortgage documents, school fee records, and any other documents you choose to store
- Information extracted from those documents — names, document numbers, expiry dates, issuers, amounts, and similar fields identified by our document processing pipeline
- Notes and tags you add to documents
Services and renewals
- Subscriptions, bills, and memberships you add manually or import from a bank statement
- Renewal dates, amounts, billing cycles, and vendor information
- Calendar integration data, if you connect Google Calendar or Microsoft Outlook
Family data
- Names and profiles of family members you invite to your family space
- Children's profiles, school records, and activity memberships you add to the Kids section
- Shared documents and services that are visible to family space members
Usage and technical data
- Login timestamps, device type, browser, and IP address
- Security events — new logins, suspicious activity, and session activity
- Feature usage patterns that help us improve the product
- Push notification tokens, if you opt in to notifications
Payment data
- Your billing plan and subscription status
- Payment processing is handled entirely by Stripe — we never see or store your full card number, security code, or bank account details
A note on biometrics
If you turn on biometric sign-in — such as fingerprint or face unlock — that check happens entirely on your device and is handled by its operating system. Leyro never sees, receives, or stores your biometric data.
How we use your data
We use the data we collect only to provide and improve Leyro. Specifically:
- To create and manage your account and verify your identity
- To store, organise, and display your documents, renewals, and services
- To extract information from uploaded documents so they are easier to track
- To send renewal reminders, expiry alerts, and other notifications you have opted into
- To generate AI insights about your documents and services
- To process payments and manage your subscription plan
- To maintain security, detect fraud, and protect your account
- To send transactional emails — account verification, password resets, security alerts
- To improve the product through anonymised, aggregated usage analysis
We do not sell your personal data. We do not use your data for advertising. We do not share your data with third parties for their own marketing purposes. Ever.
How we store and protect your data
Database
Your account data, document metadata, and preferences are stored in a managed PostgreSQL database with row-level security policies, so your records are only accessible to you and — for shared items — the family space they belong to.
File storage
Documents you upload are kept in private, encrypted object storage. Files are stored under your unique account identifier and are never publicly accessible. Downloads are served through short-lived signed links that expire within one hour.
Encryption
- All data is transmitted over HTTPS using TLS 1.2 or higher
- Data at rest is encrypted using AES-256
- Passwords are never stored in plain text — authentication is managed by a dedicated, hardened auth provider
Access controls
- Row-level security ensures users can only reach their own data
- Family space data is isolated — members can only access their own family space
- Access to production systems by our team is limited to the minimum number of people necessary, follows least-privilege principles, and is logged and audited
- Two-factor authentication is available to add an extra layer of protection to your account
We do not browse user documents. Access to stored content is restricted to narrowly-defined situations — such as resolving a technical issue you have asked us to help with, or where we are required to act by law.
An honest word on security
We use industry-standard safeguards to protect your information, and we take that responsibility seriously. At the same time, we want to be honest with you: no method of electronic transmission or storage is ever completely secure. We cannot promise absolute security, but we work continuously to protect your data and to limit the impact if something ever goes wrong.
Your device
Keeping your account safe is a shared effort. You are responsible for securing the devices you use to access Leyro — including screen locks, passcodes, biometric protection, and keeping your operating system up to date. A well-secured device is one of the most effective protections for your information.
Who we share your data with
We share data only with the service providers necessary to operate Leyro. Every provider is bound by a data processing agreement and may only use your data to provide services to us.
Our service providers
- Supabase — managed database and authentication
- Cloudflare — encrypted file storage, content delivery, and security
- Vercel — application hosting and deployment
- Stripe — payment processing and subscription management
- Resend — transactional email delivery
- Secure AI processing providers — third-party AI and vision APIs used for document text extraction and insights. Document content is processed only to provide the service to you, and is not used to train public AI models.
We do not share your data with any other third parties, unless required by law or to protect our legal rights.
Document scanning and AI processing
When you upload a document, Leyro reads it to extract useful details such as names, document numbers, expiry dates, and amounts. This is done using optical character recognition (OCR) and secure third-party AI and vision APIs, so your documents become easier to organise and track.
- Document content is sent to secure AI processing APIs over encrypted connections, solely to extract and organise information for you
- Under our agreements with these providers, your document content is not used to train public AI models
- Extracted data is stored in your vault and is visible only to you — and, for shared items, your family space
- You can review, edit, or delete any extracted information before or after saving it
- You can delete any document and its extracted data at any time
AI is assistive, not authoritative
AI-extracted and AI-generated information is designed to help you stay organised — it is assistive only. It may contain inaccuracies, and it does not constitute legal, financial, tax, or any other professional advice. Please verify anything important against your original documents.
AI features may evolve
AI is a fast-moving field. The AI features within Leyro — and the providers behind them — may evolve, improve, change, or be discontinued over time as the technology matures.
A simple rule of thumb: only upload documents you are comfortable having processed by secure third-party AI services. Every transfer happens over encrypted connections.
Family accounts and shared data
If you use the Family plan, some data is shared within your family space:
- The family space admin can see documents, services, and renewals added by all accepted family members
- Family members can see shared family vault documents and services
- Children's profiles and school records are managed by the admin and are not accessible to child profiles directly
- When a family member is removed from a space, they lose access to shared data immediately
- When the Family plan is cancelled, member access to shared data is revoked
If you are a family member rather than the admin, please remember that the admin can see anything you add to the shared family space. Keep personal documents you do not wish to share in your own private vault instead.
Cookies and tracking
Leyro uses only the minimal cookies needed to operate the service:
- Session cookies — to keep you signed in during your session
- Authentication cookies — to maintain your secure, authenticated session
- Preference cookies — to remember your theme and display preferences
We do not use advertising cookies, third-party tracking pixels, or analytics services that follow you across other websites. We do not use Google Analytics or similar cross-site trackers.
If you receive marketing emails from us, those emails use standard open and click measurement so we can understand what is useful. You can unsubscribe from marketing emails at any time using the link included in every one.
Your rights
Depending on where you live, you may have the following rights over your personal data:
Right to access
You can request a copy of the personal data we hold about you by writing to hello@getleyro.com.
Right to rectification
You can update your profile information at any time from Settings, and you can edit or correct any extracted document data directly in your vault.
Right to erasure
You can request account deletion from Settings → Danger Zone. We will permanently delete your account, your documents, your stored files, and all associated data within 30 days. You will receive a confirmation email when deletion is requested, and again when it is complete.
Right to data portability
You can request an export of your data by writing to hello@getleyro.com. We will provide it in a machine-readable format within 30 days.
Right to object
You can object to certain types of processing by contacting us, and you can opt out of non-essential communications at any time from Settings.
Right to withdraw consent
Where processing is based on your consent — such as marketing emails — you can withdraw that consent at any time using the unsubscribe link in emails or from Settings.
To exercise any of these rights, email us at hello@getleyro.com. We will respond within 30 days.
Data retention
We keep your data for as long as your account is active. When you delete your account:
- Your profile and account data are deleted within 30 days
- All documents and files are permanently deleted from storage within 30 days
- Your subscription is cancelled immediately
- Security event logs are retained for up to 90 days for fraud prevention, then deleted
- Anonymised, aggregated usage statistics may be kept indefinitely, as they cannot be linked back to you
If your account becomes inactive for 24 months, we will email you before taking any action on it.
International transfers
Leyro is operated from the UAE and serves people around the world. To deliver the service, your data may be processed in the following regions:
- United States — application hosting, database, payment processing, and email delivery
- European Union and global edge locations — content delivery and security
- Document AI processing — handled by secure third-party AI and vision APIs
All international transfers are made to service providers who maintain appropriate data protection standards. For transfers from the European Economic Area, we rely on standard contractual clauses and adequacy decisions where applicable.
Children's privacy
Leyro accounts are for adults aged 18 and over. We do not knowingly collect personal data directly from anyone under 18.
The Kids section of the Family plan allows an adult family admin to store information about their children for household management purposes. This data is managed entirely by the adult admin and is not accessible to children directly. Children do not create Leyro accounts.
If you believe we have inadvertently collected personal data from a child without the appropriate parental or guardian authority, please contact us at hello@getleyro.com and we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will:
- Update the "Last updated" date at the top of this page
- Send you an email notification if the changes significantly affect your rights
- Show an in-app notice the next time you sign in
Your continued use of Leyro after changes are posted means you accept the updated policy. If you do not agree with a change, you may delete your account at any time.
Contact us
If you have any question, concern, or request relating to this policy or how we handle your personal data, we are here:
Privacy enquiries
We aim to respond to every privacy-related request within 5 business days.
hello@getleyro.com →