Current version — effective 5 June 2026. This is a living document that we may update from time to time as our service and applicable law evolve; the latest version is always available on this page.
Privacy Policy
Version: v1.0
Effective date: 2026-06-05
Last updated: 2026-06-05
This Privacy Policy explains how FyraSoft ("FyraSoft", "we", "us", "our") collects, uses, shares, and protects personal data when you visit our websites, create an account, or use our B2B SaaS platform and its AI-powered modules (the "Platform").
We have written this policy in plain language. Where a section applies only to a specific role (for example, our customers versus the end users of our customers), we say so clearly.
1. Who we are (controller identity and contact)
FyraSoft is a Hungarian (EU) AI product studio that provides a business-to-business SaaS platform of AI-powered modules (for example: FyrAura, FyrAgents, FyrAero, FyrAction, FyrAcademy, and fyradmin). The Platform is sold as a platform plus customer-chosen modules; individual modules are also marketed standalone, in which case you still receive scoped access to the underlying Platform.
- Legal entity name and form: Fyra Software Korlátolt Felelősségű Társaság (FyraSoft Kft.) — a Hungarian limited liability company (korlátolt felelősségű társaság)
- Registered seat / address: 2724 Újlengyel, Petőfi Sándor utca 48., Hungary
- Company registration number (cégjegyzékszám): 13-09-241696
- EU VAT number: HU32857090 (Hungarian tax number / adószám: 32857090-2-13)
- Privacy contact email: privacy@fyrasoft.com
- General contact email: admin@fyrasoft.com
- Data Protection Officer (DPO): None appointed; a DPO is not required under Article 37 GDPR (our core activities do not involve large-scale regular and systematic monitoring of data subjects, nor large-scale processing of special-category data). For data-protection matters, contact privacy@fyrasoft.com.
- EU representative (Article 27 GDPR): Not required — FyraSoft is established in Hungary (EU), so an Article 27 representative is not applicable.
Governing law and jurisdiction: This policy and any non-contractual obligations arising out of or in connection with it are governed by the laws of Hungary and the European Union. The courts of Hungary (Budapest) have jurisdiction over any dispute, without prejudice to any mandatory consumer-protection rights you may have in your country of residence.
If you have any questions about this policy or about how we handle personal data, contact us at privacy@fyrasoft.com.
2. Our two roles: when we are a "controller" and when we are a "processor"
Data protection law distinguishes between the controller (who decides why and how personal data is processed) and the processor (who processes personal data on someone else's instructions). FyraSoft acts in both roles, depending on the data:
2.1 When FyraSoft is the controller
We are the controller for the personal data we collect to run our business and provide the Platform to our customers, including:
- account and identity data of the people who sign up, administer, or use a customer's Platform account;
- billing and subscription data (note: payment is processed through Paddle as Merchant of Record, which acts as a controller in its own right for payment data — see Section 4);
- usage, telemetry, and product-analytics data about how the Platform is used;
- support and communications data.
This Privacy Policy governs the data for which we are the controller.
2.2 When FyraSoft is the processor
When our customers (typically businesses) use the Platform's modules to process their own data — including the personal data of their employees, customers, or other end users (collectively, "Customer Tenant Data") — FyraSoft acts as a processor on the customer's behalf. The customer is the controller of that data.
For Customer Tenant Data:
- The customer's own privacy notice (not this policy) tells those end users how their data is handled.
- Our processing is governed by a Data Processing Agreement (DPA) between FyraSoft and the customer, which sets out, in line with Article 28(3) GDPR, the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data, the categories of data subjects, and the obligations and rights of the controller — including our commitments to: process Customer Tenant Data only on documented instructions; ensure persons authorized to process it are bound by confidentiality; implement appropriate security measures (Article 32); engage sub-processors only under the conditions in Article 28(2) and (4) and our Sub-Processor List (Section 6); assist the customer with data-subject requests and with Articles 32–36 obligations; delete or return Customer Tenant Data at the end of the service; and make available the information necessary to demonstrate compliance and allow for audits.
- We process Customer Tenant Data only on the customer's documented instructions, except where EU or Member-State law to which we are subject requires otherwise (in which case we will inform the customer of that legal requirement before processing, unless the law prohibits it).
Sub-processor change notice and audit rights (DPA summary). Under the DPA: we give the customer at least 30 days' prior notice before adding or replacing a sub-processor, during which the customer may object on reasonable data-protection grounds; and the customer may audit our compliance once per 12-month period (and additionally after a personal-data breach affecting their data, or where a supervisory authority requires it), primarily through our up-to-date third-party audit reports and certifications where available, supplemented by a focused on-site or remote audit where reasonably necessary.
If you are an end user of one of our customers and you have a question about your personal data, please contact that customer (the controller). We will support our customer in responding to your request as required by the DPA.
3. Categories of personal data we collect (as controller)
We collect the following categories of personal data. Not every category applies to every person.
| Category | Examples | Source |
|---|---|---|
| Account & identity data | name, work email, password (hashed), organization name, role/permissions, team membership, language preference | You / your organization's administrator |
| Billing & subscription data | subscription plan, credit balance and usage (including monthly-reset subscription credits and non-expiring purchased add-on credits), billing-related identifiers, partial payment information (e.g. card brand and last digits), VAT/tax identifiers, invoices and receipts | Mostly via our Merchant of Record (Paddle — see Section 4), and from you/your organization |
| Usage & telemetry data | features used, module and credit-consumption events, log data, device/browser type, IP address, timestamps, error/diagnostic data | Automatically, when you use the Platform |
| Product-analytics data | aggregated and event-level product usage to understand and improve the Platform | Automatically (analytics tools — see Section 9) |
| Website contact & lead data | name, email, company, and message content you submit through our public website forms (e.g. contact / pre-register), plus the IP address used for spam / rate-limit protection | You (website forms) |
| Support & communications data | messages you send us, support tickets, correspondence, and their contents | You |
| Content submitted to modules (as controller) | content you submit to the Platform in a non-tenant context (e.g. content you provide to us directly outside a customer tenant, such as feedback or sample data) | You |
Note on content processed inside the modules. When you (or your organization's end users) submit content into a customer tenant for AI processing — for example documents, spreadsheets, prompts, voice, or workflow data — that content is Customer Tenant Data for which we are a processor (see Section 2.2 and the DPA), not a controller.
We do not intentionally collect special-category data (Article 9 GDPR — e.g. health, biometric, or political data) for our own controller purposes, and we ask customers not to submit such data through the modules except as permitted by the DPA and applicable law.
4. Billing through our Merchant of Record (Paddle)
Our payments are handled by Paddle ("Paddle"), which acts as the Merchant of Record (MoR) — that is, Paddle, not FyraSoft, is the seller/reseller of record for your purchase. For customers outside the United States and Canada, the contracting Paddle entity is Paddle.com Market Ltd (a company incorporated in England and Wales, company number 8172165, registered office at Judd House, 18–29 Mora Street, London EC1V 8BT, United Kingdom). As MoR, Paddle:
- operates the checkout and processes your payment (FyraSoft does not process or store your card payment);
- is responsible for VAT/sales-tax calculation, collection, and remittance on the sale;
- processes refunds in accordance with Paddle's own refund policy (refunds are handled by Paddle as the seller of record).
Paddle collects and processes your payment details as a controller in its own right for these purposes, under Paddle's own privacy notice. We receive from Paddle the billing data we need to manage your subscription and account (such as plan, status, invoices, partial card details, and tax identifiers), but we do not receive or store your full payment-card number.
Please review Paddle's terms for details of how Paddle processes your payment data and acts as MoR:
- Paddle privacy notice: paddle.com/legal/privacy
- Paddle checkout buyer terms: paddle.com/legal/checkout-buyer-terms
- Paddle refund policy: paddle.com/legal/refund-policy
- Paddle Data Processing Addendum: paddle.com/legal/data-processing-addendum
How credits and billing work. The Platform is billed using euro-pegged credits. A paid subscription grants a monthly allowance of credits that reset each month (use-it-or-lose-it); separately purchased add-on credits do not expire. Credits are held in an org-level wallet, with optional per-team or per-user spend limits set by your administrator. Self-serve signup is paid-only at launch (there is no free tier). Free trials, where offered, are granted manually to selected partners.
Credits on account closure. If your account is fully closed or your contract is terminated, any unused purchased (non-expiring) credits remain available for wind-down for 30 days after termination, after which they are forfeited. Monthly subscription credits do not carry over and expire at the end of the billing period as described above.
5. Why we process your data, and our legal bases
Under Articles 6 and 13/14 GDPR, we must tell you the purpose and the legal basis for each use of your personal data. The table below sets these out.
| Purpose | Categories used | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Create and administer your account; authenticate you | Account & identity | Contract (Art. 6(1)(b)) — necessary to provide the service you signed up for |
| Provide the Platform and its modules; meter, allocate, reset, and manage credits and wallets | Account, usage, billing | Contract (Art. 6(1)(b)) |
| Process subscriptions, payments, invoicing (in conjunction with Paddle as MoR — Section 4) | Billing & subscription | Contract (Art. 6(1)(b)); and Legal obligation (Art. 6(1)(c)) for tax/accounting records |
| Handle website contact / lead enquiries and respond to you | Website contact & lead | Legitimate interests (Art. 6(1)(f)) in responding to B2B enquiries; Consent (Art. 6(1)(a)) where you submit a form voluntarily |
| Protect website forms against spam and abuse (rate limiting) | Website contact & lead (IP) | Legitimate interests (Art. 6(1)(f)) in keeping the website secure |
| Provide customer support; respond to your requests | Support & communications, account | Contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) in handling enquiries efficiently |
| Secure the Platform; prevent fraud and abuse; ensure reliability | Usage & telemetry | Legitimate interests (Art. 6(1)(f)) in keeping the Platform safe and available |
| Improve and develop the Platform; product analytics | Usage, product-analytics | Legitimate interests (Art. 6(1)(f)); Consent (Art. 6(1)(a)) where required for non-essential analytics (see Section 9) |
| Send service/transactional messages (e.g. security, billing, outages) | Account, billing | Contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) |
| Send marketing/product-update messages | Account & identity | Consent (Art. 6(1)(a)) where required, or Legitimate interests (Art. 6(1)(f)) for B2B messaging to existing customers, with an opt-out |
| Comply with legal, tax, and accounting obligations | Billing, account | Legal obligation (Art. 6(1)(c)) |
| Establish, exercise, or defend legal claims | As relevant | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms, and you can ask us for more information about that balancing test. You can object to processing based on legitimate interests — see Section 12. Where we rely on consent, you may withdraw it at any time, without affecting processing already carried out.
Are you required to provide this data? Account and billing data are necessary to enter into and perform our contract with you; without them we cannot create your account or provide the Platform. Usage and telemetry data are generated automatically as a necessary part of operating the Platform.
6. Sub-processors and who we share data with
To run the Platform and the website we use a number of carefully selected third-party service providers ("sub-processors") who process personal data on our behalf — for example, hosting, email delivery, error monitoring, analytics, payments, and AI/LLM routing.
We maintain a separate, referenced Sub-Processor List that names each sub-processor, the service it provides, and where it processes data:
- Sub-Processor List: https://fyrasoft.com/legal/subprocessors
Current and planned sub-processors include the following. Each provider's data-processing terms are linked for reference; the authoritative, up-to-date list — including locations and transfer safeguards — is the Sub-Processor List linked above.
| Provider | Purpose | Location / region | Data-processing terms |
|---|---|---|---|
| OpenRouter | LLM request routing | US-routable | Privacy · DPA / Trust Portal |
| Google (Gemini API) | Text-embedding / generative-AI APIs | US / global | Gemini API Additional Terms · Cloud Data Processing Addendum |
| Paddle (Paddle.com Market Ltd) | Payments / Merchant of Record (controller in its own right for payment data — see Section 4) | UK / EU | DPA |
| Vercel (Vercel, Inc.) | Public-website hosting, the website's contact/lead and rate-limit database, and cookieless website analytics | US (SCCs) | DPA |
| Resend (Plus Five Five, Inc.) | Transactional email (Platform + public website contact form) | US (EU-US DPF; SCCs) | DPA |
| Cloudflare (R2) | Object storage | EU / global | DPA |
| Hostinger (Hostinger International Ltd.) | EU hosting (Platform, current) | EU | DPA |
| Sentry | Error monitoring | EU region | DPA |
| PostHog | Product analytics (Platform) — optional / deferred | EU region | DPA |
| Plausible | Platform usage analytics — Plausible Cloud (EU) | EU | DPA |
| Better Stack (Better Stack, Inc.) | Uptime monitoring | EU storage | DPA |
| E2B (FoundryLabs, Inc.) | Code-execution sandbox — used for non-personal-data compute only until an EU region and a signed Article 28 DPA are in place (see Section 7) | US | Privacy · Terms · Trust portal |
The following providers are planned for later phases and will be added when the relevant features are enabled; their terms will be confirmed at adoption:
| Provider | Purpose | Note |
|---|---|---|
| ElevenLabs | AI voice synthesis | |
| Telnyx | Voice / telephony connectivity | |
| Hetzner (Hetzner Online GmbH, Germany) | Dedicated EU hosting for sovereignty-tier customers | |
Hidden inter-module dependencies. Some modules have technical dependencies on other modules that are provisioned automatically under the hood to make a feature work and are not separately shown to you (for example, the AI voice module FyrAura relies on the underlying agent module FyrAgents). Where that automatic provisioning involves processing your personal data, it is covered by this policy (where we are the controller) or by the DPA (where we are the processor), and by our agreements with the relevant sub-processors.
We may also share personal data with professional advisers (e.g. lawyers, accountants, auditors) and with authorities where legally required, and in connection with a corporate transaction (e.g. merger or acquisition), subject to appropriate safeguards.
We do not sell your personal data.
7. International data transfers and EU data residency
7.1 EU data residency
We are committed to keeping Customer Tenant Data on EU infrastructure. Today, tenant data is processed on EU hosting (Hostinger EU); for sovereignty-tier customers we plan dedicated EU infrastructure (Hetzner, Germany).
When the Platform's AI analyzes a customer's uploaded data or spreadsheets, any data containing personal data stays on EU infrastructure. It is not sent to a non-EU compute sandbox unless and until an EU region and a signed Article 28 DPA are in place for that sandbox (see Section 7.2).
7.2 The E2B code-execution sandbox (non-PII only, for now)
The code-execution sandbox we use (E2B, operated by FoundryLabs, Inc.) is currently US-based. Until an EU region and a signed Article 28 DPA are available for it, we use it only for non-personal-data compute — we do not send personal data to it.
7.3 Transfers to non-EU sub-processors
Some of our sub-processors are located in, or route data through, countries outside the EU/EEA (for example, the United States): OpenRouter (LLM routing; US-routable), Google / Gemini (embeddings; US/global), Resend (transactional email for the Platform and the public website contact form; US), Vercel (website hosting, database, and website analytics; US), and E2B (sandbox; US, non-PII only). Paddle operates in the UK/EU.
Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards under Chapter V GDPR — in particular the European Commission's Standard Contractual Clauses (SCCs) adopted under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, applying Module Two (Controller-to-Processor) to our engagement of sub-processors — and/or UK transfer mechanisms (the UK Addendum) where relevant, together with supplementary technical and organizational measures where needed. Where a provider is certified under the EU-US Data Privacy Framework, transfers may also rely on that adequacy mechanism. The applicable mechanism for each sub-processor is recorded in our Sub-Processor List. You can ask us for a copy of, or more information about, these safeguards using the contact details in Section 1.
8. How long we keep your data (retention)
We keep personal data only for as long as necessary for the purposes described in this policy, and then delete it or irreversibly crypto-shred it (see Section 11).
| Data | Retention |
|---|---|
| Financial, tax, and accounting records (invoices, receipts) | Retained as required by Hungarian law (8 years; per Act C of 2000 on Accounting) |
| Account & identity data | For the life of your account, then deleted/crypto-shredded within 30 days following account closure, unless a longer period is legally required |
| Usage & telemetry / log data | Up to 12 months, then deleted or aggregated/anonymized |
| Product-analytics data | Up to 24 months, then deleted or aggregated |
| Website contact & lead data | Up to 24 months after the matter is resolved; rate-limit IP records are pruned within minutes |
| Support & communications | Up to 24 months after the matter is resolved |
| Customer Tenant Data (processor) | Retained and deleted per the DPA and the customer's instructions, not this policy |
Where we are required to keep certain data to comply with a legal obligation (Art. 6(1)(c)) or to establish/exercise/defend legal claims, we retain it for the period required and then delete it.
9. Cookies and analytics
We use cookies and similar technologies for essential functions (such as remembering your language and securing the site) and, where applicable, for analytics to understand and improve our products.
- Essential / functional storage is necessary for the site to work and is used on the basis of our legitimate interests / the contract with you; it does not require consent. This includes the fyrasoft-locale cookie (your UI language) and local-storage values for your theme and your cookie choices.
- Website analytics is provided by Vercel Analytics, which is cookieless and is loaded only after you grant consent in our cookie banner. Vercel Analytics processes your IP address transiently to derive aggregate, anonymized metrics and does not set tracking cookies.
- Platform analytics. Inside the authenticated Platform we use PostHog (EU region) for product analytics (optional / deferred) and Plausible Cloud (EU) for cookieless usage analytics.
Where analytics or other non-essential technologies require consent under the ePrivacy rules, we ask for your consent first (Art. 6(1)(a)), and you can change or withdraw your choice at any time.
For full details of the specific cookies and storage we use, see our Cookie Notice: https://fyrasoft.com/legal/cookies.
10. AI-specific disclosures (transparency)
We build AI-powered features and take the EU AI Act's transparency rules (in particular Article 50, applicable from 2 August 2026) seriously:
- You are told when you are interacting with AI. Where you interact with an AI system (for example, an AI agent or AI voice feature), we make that clear to you.
- AI-generated or AI-manipulated content is marked. AI-generated media is labeled and/or carries provenance information so it can be recognized as AI-generated.
- No high-risk automated decisions. The Platform does not make Annex III "high-risk" automated decisions — such as those concerning creditworthiness, employment, or law enforcement. Our acceptable-use terms forbid using the Platform for such purposes.
- Inputs to AI models. When you use AI features, your inputs may be processed by our LLM/AI sub-processors (for example, for routing and inference — see Section 6). For Customer Tenant content this is governed by the DPA; for content where we are the controller it is governed by this policy and the legal bases in Section 5.
If at any point we introduce processing that would qualify as solely-automated decision-making with legal or similarly significant effects under Article 22 GDPR, we will provide the additional information and safeguards that the law requires.
11. How we protect your data (security)
We use technical and organizational measures appropriate to the risk (Article 32 GDPR), including:
- Encryption at rest using envelope encryption (data encryption keys protected by separate key-encryption keys), which also enables crypto-shredding — deleting the keys so the underlying data becomes permanently unrecoverable;
- Encryption in transit (TLS);
- hosting on EU infrastructure;
- access controls, least-privilege permissions, and tenant isolation;
- logging, monitoring, and error tracking;
- contractual security commitments from our sub-processors.
No system can be guaranteed 100% secure, but we work to protect your data and to detect and respond to incidents. To report a security issue or suspected abuse, contact security@fyrasoft.com. Where the law requires, we will notify the relevant supervisory authority and affected individuals of a personal data breach (Articles 33–34 GDPR); where we act as processor, we will notify the affected customer without undue delay as required by the DPA.
Service availability. We provide the Platform on a reasonable-efforts basis. We do not currently offer a contractual uptime guarantee or service credits; a formal Service Level Agreement (SLA) will be introduced for enterprise customers. This does not affect your statutory rights.
12. Your data-protection rights
Subject to the conditions in the GDPR, you have the right to:
- Access — obtain confirmation of, and a copy of, the personal data we hold about you;
- Rectification — have inaccurate or incomplete data corrected;
- Erasure ("right to be forgotten") — have your data deleted; we implement erasure through crypto-shredding where appropriate (see Section 11);
- Restriction — ask us to limit processing in certain circumstances;
- Portability — receive certain data in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible;
- Objection — object to processing based on legitimate interests, and to direct marketing at any time;
- Withdraw consent — where processing is based on consent, withdraw it at any time (without affecting prior processing);
- Not be subject to solely-automated decisions with legal or similarly significant effects, except as permitted by Article 22 GDPR.
How to exercise your rights: contact us at privacy@fyrasoft.com. We will respond within the time limits set by the GDPR (generally one month, extendable by up to two further months for complex or numerous requests, in which case we will tell you). Exercising these rights is free of charge, save for manifestly unfounded or excessive requests as permitted by Article 12 GDPR. We may need to verify your identity first.
If you are an end user of one of our customers: because we are only the processor for that data, please direct your request to that customer (the controller). We will assist the customer as required by the DPA.
Right to complain: if you believe we have not handled your personal data properly, you can lodge a complaint with the Hungarian data-protection authority:
- Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — Hungarian National Authority for Data Protection and Freedom of Information
- Headquarters: 1055 Budapest, Falk Miksa utca 9–11, Hungary
- Postal address: 1363 Budapest, Pf. 9, Hungary
- Phone: +36 (1) 391-1400
- Fax: +36 (1) 391-1410
- Email: ugyfelszolgalat@naih.hu
- Website: https://www.naih.hu
You may also complain to the supervisory authority in your EU/EEA country of residence or work.
13. Children
The Platform is a B2B product and is not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@fyrasoft.com and we will take appropriate steps to delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time — for example, to reflect changes to the Platform, our sub-processors, or the law. When we make material changes, we will update the version and "Last updated" date above and, where appropriate, notify you (for example, by email or an in-Platform notice). Please review this policy periodically.
15. Contact us
For any privacy questions or to exercise your rights:
- Privacy contact: privacy@fyrasoft.com
- Security / abuse contact: security@fyrasoft.com
- General contact: admin@fyrasoft.com
- Postal address: 2724 Újlengyel, Petőfi Sándor utca 48., Hungary
- Data Protection Officer: None appointed; not required under GDPR Art. 37 — contact privacy@fyrasoft.com (see Section 1)
Current version, effective 5 June 2026 — subject to periodic updates.