Legal
Privacy Policy
Rylvo, Inc. is committed to protecting your data. This policy explains what we collect, how we use it, and the controls you have — across your account, your agents, and the conversations they have with your end users.
Last updated July 13, 2026
Terms of ServiceIn short
- We're a control plane for AI agents. We process the data you put into the platform and the conversations your bots have with your end users.
- Bring Your Own Key (BYOK): your bots run on your own LLM provider keys, so conversation content is sent to the provider you choose (e.g. OpenAI, OpenRouter) under your own account.
- For end-user conversations, you are the controller and Rylvo is your processor — you decide what your bots collect and why.
- Provider keys, connector tokens and other secrets are encrypted at rest (AES-256-GCM) and never returned in plaintext.
- We never sell your data, and we never train AI models on identifiable customer data without your explicit written consent.
This summary is for convenience only and is not a substitute for the full text below.
01Information We Collect
We collect information you provide directly when you create an account, build and configure agents, connect tools and channels, and contact us for support:
- Account & organization: full name, work email, organization name, authentication records, and the team members, roles, and permissions you add. Firebase Authentication processes password credentials and federated sign-in; Rylvo does not receive your Google account password.
- Configuration & content you create: bots, prompts, guardrails, skills, workflows, agent groups, automations, tests, and the knowledge-base sources (URLs, files, or text) you submit for ingestion.
- Credentials & secrets: your own LLM provider keys (BYOK), connector and MCP OAuth tokens, channel credentials (e.g. Telegram, WhatsApp, Slack), and — if you enable Conversation Storage — your own database connection details. These are encrypted at rest and never shown back in plaintext.
- Runtime & conversation data: messages exchanged between your bots and your end users, decision traces, tool and MCP calls, retrieval results, guardrail outcomes, evaluation scores, and observability metrics.
- End-user (audience) data: when your bots talk to your end users over a channel, we process the identifiers and content those users send — for example a chat or user ID, message text, and attachments — on your behalf.
- Payment information: billing details are collected and processed by Dodo Payments, our payments provider and Merchant of Record. We never receive or store full card numbers or CVV codes.
- Communications: support tickets, emails, and feedback you send us.
We also collect IP address, browser and device information, request timestamps, API and security logs, and pages or product features used. Essential logs are used for security, fraud prevention, service delivery, and diagnostics. Firebase Analytics and identifiable first-party product telemetry are collected only after you grant analytics consent, which you may change through Cookie settings.
02Purposes & Legal Bases
Where European data-protection law applies, we rely on the following legal bases for operator data:
- Contract: creating and administering your account, providing requested platform features, authentication, support, billing, and service communications.
- Legitimate interests: securing the Services, preventing fraud and abuse, maintaining audit and diagnostic logs, improving reliability, and understanding aggregate service performance, balanced against your rights.
- Consent: optional Firebase Analytics and identifiable product-usage telemetry, and marketing communications where consent is required. You may withdraw consent at any time without affecting earlier lawful processing.
- Legal obligation: tax and accounting records, sanctions and fraud controls, and responding to binding legal process.
Information marked as required during signup, billing, or configuration is necessary to enter into or perform our contract with you. Without it, we may be unable to create an account or provide the requested feature.
03Your Data vs. Your End Users' Data
Rylvo handles two distinct categories of data, and our role differs for each:
- Operator data: the account, configuration, and billing data you give us directly. For this data, Rylvo is the data controller, and this Privacy Policy governs how we use it.
- End-user data: the conversation content your bots process when talking to your end users. For this data, you (the Operator) are the controller and Rylvo acts as your processor, handling it only on your documented instructions to provide the Services.
As the controller of your end users' data, you are responsible for having a lawful basis to collect it, for providing your end users with the required privacy notices, and for any AI or automated-decision disclosures your jurisdiction requires.
04How We Use Your Information
We use the information we collect to:
- Provide, operate, secure, and maintain the Rylvo platform, dashboard, and API.
- Run your agents — including model inference, knowledge retrieval, guardrail enforcement, evaluations, and human-in-the-loop escalation — on your behalf.
- Power Mission Control live supervision, observability traces, and Agent Evolution so you can monitor and improve your agents.
- Deliver the broadcasts, emails, and notifications you configure, subject to your recipients' communication preferences.
- Process subscriptions and billing through Dodo Payments and send account and payment-related messages.
- Monitor usage for billing accuracy, rate-limit and quota enforcement, and abuse prevention.
- Generate aggregated, de-identified analytics to improve platform reliability and performance.
- Comply with legal obligations and respond to lawful requests.
We do not sell your personal data, and we do not use identifiable customer content to train AI models without your explicit written consent.
05Bring Your Own Key & AI Providers
Rylvo is BYOK-first: your bots run on your own LLM provider keys. When a bot processes a turn, we route the request server-side to the provider you configured and record a trace for your own observability — we add no markup, and you pay your provider directly.
- Third-party processing: your prompts, knowledge-base context, and conversation content are transmitted to the provider you choose (for example OpenAI, OpenRouter, or any model OpenRouter fronts) under your own account, and are governed by that provider's terms and privacy policy.
- Embeddings: when you ingest knowledge-base sources, we generate vector embeddings using an embedding model (OpenAI by default, or your configured BYOK key) and store the resulting vectors in our vector database.
- Platform fallback processing: supported knowledge-base embedding, retrieval, or evaluation operations may use a Rylvo-managed OpenAI key when no compatible organization key is available. In that case Rylvo selects and instructs the provider as described in our subprocessor notice.
- Workspace Architect and platform AI tools: these use the provider key and model configured by your organization. A usable BYOK key is required, and the request is handled under that provider's terms.
Because BYOK calls leave Rylvo for your chosen AI provider, we cannot control how that provider retains or processes the content you send. Review your provider's data policies and choose providers and settings appropriate to your data.
06Knowledge Base & Content Ingestion
When you add a knowledge-base source — a URL to crawl, an uploaded file, or pasted text — we fetch and parse it, split it into chunks, generate embeddings, and store the chunks and vectors so your bots can retrieve relevant context at runtime.
You are responsible for ensuring you have the right to ingest any content you submit. You can delete a source at any time, which removes its derived chunks and vectors from retrieval.
07Conversation Storage & Retention Controls
By default, we keep a time-bounded operational copy of conversations to power Mission Control, observability traces, Agent Evolution, and edge-case detection, subject to your plan's retention window.
If you enable Bring Your Own Database (BYODB), conversation events are also streamed to a database or webhook endpoint you control, where you are solely responsible for long-term storage, retention, and protection.
08Data Retention
We retain different categories of data for different periods:
- Account & configuration: kept while your account is active. A self-service deletion request normally has a 7-day cancellation window; deletion is then completed without undue delay and generally within 30 days, subject to backups, legal holds, security records, and legally required retention.
- Conversation, trace, and observability data: kept according to your plan's retention window — from 7 days on the Free plan to longer windows on paid plans.
- Provider keys, connector tokens, and channel credentials: kept (encrypted) until you remove them or delete the associated bot or connection.
- Billing records: invoices and transaction-ledger records are generally retained for approximately 7 years, or longer where law or a legal hold requires; Dodo Payments separately retains records as Merchant of Record.
- Analytics: consented first-party analytics events are configured with a 90-day rolling retention period. Firebase Analytics retention is governed by our configured Google Analytics settings.
- Support, security, and audit records: retained for as long as reasonably necessary for support, security, dispute resolution, compliance, and establishment or defense of legal claims, then deleted or de-identified.
You can initiate account deletion from the dashboard or request deletion of your personal data at any time by emailing contact@rylvo.com. We process deletion requests within 30 days.
09Data Security
We apply layered, industry-standard safeguards to protect your data:
- TLS encryption for all data in transit.
- AES-256-GCM encryption for credentials and secrets at rest, held in a dedicated credential vault.
- Authentication is handled through Firebase Authentication; sensitive platform credentials are encrypted or one-way hashed according to their use and are not returned in plaintext after storage.
- Org-scoped tokens, role-based access controls, and least-privilege internal access on a need-to-know basis.
- Server-controlled audit trails, access controls, backups, monitoring, and periodic security review.
No method of transmission or storage is ever 100% secure. If you discover a vulnerability, please report it responsibly to contact@rylvo.com with the subject line ‘Security report’.
12Your Rights
Depending on your location, you may have the right to access, correct, delete, port, restrict, or object to the processing of your personal data. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.
To exercise these rights over your operator data, withdraw consent, or appeal a denied request, email contact@rylvo.com with the subject line ‘Privacy request’. We will verify and respond within the period required by applicable law and will not discriminate against you for exercising a privacy right. If your request concerns end-user data an Operator's bot processed, contact that Operator first; we will assist the Operator as required by our Data Processing Addendum.
13United States Privacy Rights
Residents of states with applicable comprehensive privacy laws may have rights to know or access, correct, delete, and obtain a portable copy of personal data, and to appeal certain decisions. Rylvo does not sell personal data or share it for cross-context behavioral advertising. We do not use sensitive personal information to infer characteristics about operators.
California residents may submit requests through contact@rylvo.com and may use an authorized agent where permitted. Because legal coverage depends on statutory thresholds and context, this section applies to the extent the relevant state law applies to Rylvo and the request.
14Automated Decisions
Rylvo does not use operator account data to make solely automated decisions that produce legal or similarly significant effects about operators. Operators may configure agents that classify, route, recommend, or act on end-user information. The Operator determines that purpose and must provide notices, lawful bases, human review, and contest mechanisms required for its deployment.
15International Data Transfers
Rylvo is based in the United States, and your data may be processed in the United States and other regions where our infrastructure providers operate. Data protection laws in these regions may differ from those in your country.
Where a restricted international transfer requires contractual safeguards, we use the applicable European Commission Standard Contractual Clauses, UK transfer addendum or agreement, or another lawful mechanism. You may request information about the safeguard relevant to your data by emailing contact@rylvo.com. Our DPA explains the mechanism for customer-controlled end-user data.
16Children's Privacy
Rylvo accounts are intended for professional and organizational users who are at least 18. The Services are not designed for child-directed deployments. Operators must not knowingly use Rylvo to collect personal data from children under 13, or a higher age where local law requires, unless they have first obtained all required parental consent and Rylvo has agreed in writing to the deployment. If we learn that operator data was collected from a child contrary to this section, we will take appropriate deletion or restriction steps. End-user requests should ordinarily be directed to the Operator controlling that bot.
17Changes to This Policy
We may update this Privacy Policy as the Services and legal requirements evolve. We will notify you of material changes by email and/or a prominent notice on our website at least 14 days before they take effect. This July 13, 2026 version takes effect for existing Operators on July 27, 2026 and applies immediately to accounts created on or after July 13, 2026.
Your continued use of the Services after changes take effect constitutes acceptance of the updated policy. If you do not agree, you must stop using the Services before the changes take effect.
18Contact
If you have questions about this Privacy Policy, wish to exercise your data rights, or want to report a privacy or security concern, contact Rylvo, Inc. at contact@rylvo.com. Use the subject line ‘Privacy request’ or ‘Security report’ so we can route it correctly.
