Start free trial
Legal

Privacy Policy

Last updated: June 3, 2026

This Privacy Policy explains how Shand Enterprises LLC ("Clyro", "we", "us") handles personal information in connection with the Clyro platform, the Clyro dashboard, the marketing site at clyro.io, and the funnels our customers publish and serve through Clyro (together, the "Service").

Clyro is a tool that businesses ("operators") use to build, host, and measure marketing funnels. That creates two different relationships, and this policy treats them separately: we are the controller of the account information operators give us, and a processor acting on each operator's behalf for the visitor information collected through that operator's funnels. The two-party model section below explains what that means for you.

Our two roles: controller and processor

Clyro plays two distinct roles depending on whose data is involved. Getting this distinction right is the foundation of the rest of this policy.

Operator account data — Clyro is the controller

When an operator signs up, logs in, configures a workspace, subscribes, or chats with the AI assistant, we decide how and why that information is used. For this data we are the data controller, and this Privacy Policy governs it directly.

Funnel-visitor data — Clyro is a processor

When a visitor lands on a funnel an operator built with Clyro, any information collected on that page — page views, device and attribution signals, and anything submitted through a form — is collected on behalf of, and under the instructions of, the operator. For that data the operator is the controller and Clyro is the processor. We process it to provide the Service to the operator and do not use it for our own independent purposes. The terms governing that processing are set out in our Data Processing Addendum.

If you are a funnel visitor trying to access, correct, or delete information collected about you on a Clyro-built page, the operator who runs that funnel is the controller of your data. Please direct your request to them; see Notice for funnel visitors.

Who we are and what this policy covers

The Service is operated by Shand Enterprises LLC, located in Los Angeles, California, United States. Our subscription billing is handled by our affiliated service, Shand Pay; see our Billing & Refund Terms.

This policy covers the Clyro marketing site, the operator dashboard, the API, and the funnel pages we host and serve for operators. It does not cover the content of a funnel itself (which the operator authors and controls), any third-party site you reach by following a link, or any tracking pixel or integration an operator chooses to add to their own funnel.

Information we collect as a controller (operators)

When you create and use a Clyro operator account, we collect:

CategoryExamplesSource
Account identityEmail address, name, and — if you set them — phone number and company nameYou, at sign-up and in profile settings
AuthenticationA securely hashed password (we never store your password in plain text), or your Google / Apple sign-in identifier if you use social login; one-time login/sign-up codes (stored only as salted hashes)You; Google or Apple at your direction
Workspace & teamWorkspace names and settings, team memberships, and invitations you send (including the invitee email)You and your team
BillingYour subscription plan and status, billing email, a payment-method token, and amounts — handled through Shand Pay. We never receive or store your full card number.You, via the Shand Pay checkout
Marketing & salesReferral source, waitlist entries, and sales-prospect records (name, email, phone) where applicableYou
Product usageFunnels and content you build, your AI assistant conversations, connected-integration settings, and API/OAuth credentials (stored only as hashes)You, as you use the Service
Technical & diagnosticLog data and error reports (with cookies and authentication tokens stripped) used to keep the Service runningAutomatically

Information we process as a processor (funnel visitors)

When you visit a funnel published with Clyro, the following may be collected on behalf of the operator who runs that funnel. The operator decides what to collect and why; we process it under their instructions to deliver analytics, attribution, and lead capture.

CategoryWhat it includes
Page & engagementPages viewed, time on page, scroll depth, clicks on tracked elements, video watch behavior, and pop-up interactions
Device & browserBrowser, operating system, device type, version and model signals, and language
Approximate & precise locationCountry, region, city, and timezone, and — where available — latitude/longitude and postal code, derived from your IP address and device signals
NetworkIP address (anonymized before we store it — see below) and network/ASN information
Device identifier & risk signalsA device identifier and fraud/bot/VPN/incognito risk signals produced by FingerprintJS Pro (see below)
AttributionReferring URL, UTM parameters, and advertising click identifiers (for example gclid, fbclid, ttclid) present in the funnel URL
Form submissionsWhatever you enter into a funnel form — which can include your name, email address, phone number, and free-text answers
CommerceIf you buy through a funnel, your buyer name and email and the payment provider's reference IDs. Card details are handled entirely by the operator's payment provider and never reach Clyro's servers.

IP addresses are anonymized

We use your IP address momentarily to determine approximate location and to apply rate limits, but the IP address we store alongside a page view is anonymized first: the last octet of an IPv4 address (and the last 80 bits of an IPv6 address) is zeroed out so the stored value cannot identify a single device.

How location is determined

Location is derived from your IP address using FingerprintJS Pro's IP-intelligence signal where available, with a locally-bundled MaxMind GeoLite2 database as a fallback. The GeoLite2 lookup runs entirely on our own servers — no visitor data is sent to MaxMind to perform it. Your IP address reaches our servers via our CDN provider, Cloudflare.

Device identification with FingerprintJS Pro

To recognize returning devices and to flag bots, fraud, and abuse, funnel pages use FingerprintJS Pro. It runs in the visitor's browser without setting a Clyro identity cookie and returns a request reference that our servers verify with FingerprintJS. The resulting device identifier and risk signals are stored against the operator's analytics, scoped to that operator's workspace.

Lead-quality enrichment

When you submit a funnel form, the operator may have lead-quality enrichment enabled. If so, your submitted email address is checked with ZeroBounce and your submitted phone number with Twilio to assess deliverability and line type. We store the derived signals (such as a validity status and a lead-quality label) with the submission. See the Sub-processors list for details.

Aggregate analytics (counts and rollups by dimensions such as country, device type, and traffic source) do not include individual personal information.

How we use information

As a controller of operator account data, we use it to:

  • Provide, maintain, and secure the Service and your account
  • Process subscriptions, trials, renewals, and related billing communications
  • Power features you use, including the AI assistant, analytics, and integrations
  • Respond to support requests and send service and security notices
  • Detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service and Acceptable Use Policy
  • Comply with legal obligations and enforce our agreements
  • Improve the Service and develop new features

As a processor of funnel-visitor data, we use that data only to provide the Service to the operator — for example, to render pages, record analytics, attribute conversions, capture leads, and run A/B tests — and as otherwise instructed by the operator under the DPA. We do not sell visitor data and do not use it to build our own cross-operator profiles of individuals.

Legal bases (EEA / UK)

Where the EU or UK GDPR applies and Clyro is the controller, we rely on these legal bases: performance of a contract (to provide the Service and your account); legitimate interests (to secure, operate, and improve the Service, and to prevent abuse), balanced against your rights; consent where required (for example, certain cookies); and legal obligation (for tax, accounting, and compliance).

Where Clyro acts as a processor for funnel-visitor data, the operator is responsible for establishing the legal basis for that processing as the controller.

AI features and your data

Clyro's in-app AI assistant is powered by Anthropic (Claude). When you use it, we send the assistant the context it needs to help you — your funnel structure and content, your brand settings, your workspace summary, and aggregated analytics (such as counts and breakdowns by country, device, and traffic source).

The AI assistant is designed so that raw visitor contact details from form submissions are not sent to the AI provider. Tools that touch submissions return only aggregate counts, quality labels, validity flags, and non-identifying answer distributions; questions that look like they capture personal details (name, email, phone, address, and similar) are excluded from any answer breakdowns.

We do not use your data to train AI models. AI training is disabled by default and blocked at the platform level, and the AI provider processes your prompts to return a response, not to train its models on your data.

Separately, if you use video features, your uploaded video audio is transcribed by Deepgram and the transcript is used by Google's generative AI to generate chapters. Those services process the content you upload; what that content contains is up to you. See the Sub-processors list.

Cookies and tracking

We keep cookies and local storage to a minimum. On the operator dashboard we set an authentication cookie and a CSRF-protection cookie. On published funnel pages, the only first-party cookie Clyro itself sets is a signed A/B-test assignment cookie, and only when an experiment is actually running. Operators may add their own tracking to their funnels, which can set additional cookies outside our control.

For the full breakdown — names, purposes, lifetimes, and which domain each one belongs to — see our Cookie Policy.

How we share information

We do not sell personal information. We share it only in these circumstances:

  • Sub-processors. Vetted service providers that host and help us run the Service (hosting, storage, CDN, email, error monitoring, payments, video, AI, and lead enrichment). Each is bound to protect the data and use it only to provide its service to us. The complete, current list is on our Sub-processors page.
  • At an operator's direction. For funnel-visitor data, where an operator connects an integration (such as a CRM or advertising platform) or adds their own tracking, data flows to those destinations as the operator chooses. The operator — not Clyro — is the controller of those onward transfers.
  • Legal and safety. Where we believe disclosure is required by law, or is necessary to protect the rights, safety, or property of Clyro, our users, or the public.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to this policy.

International data transfers

Clyro is based in the United States and our infrastructure and sub-processors are primarily located there. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where we or our sub-processors operate.

Where required, we rely on appropriate safeguards for these transfers, including the European Commission's Standard Contractual Clauses (and the UK Addendum), which are incorporated into our Data Processing Addendum.

Data retention

We retain personal information for as long as it is needed to provide the Service and for the purposes described in this policy. In practice:

  • Account and funnel data (including the funnel-visitor data an operator collects) is retained for the life of the operator's account. We do not impose a fixed maximum retention window on it — it is kept until the operator deletes the relevant funnel or workspace, or asks us to delete it.
  • Deleting a funnel or workspace permanently removes the content and the associated analytics, visitor records, and form submissions tied to it.
  • Some operational data expires automatically, including: automation event logs and video engagement heartbeats after about 30 days, draft page snapshots after about 30 days of inactivity, funnel edit history after about 90 days (or the most recent 200 edits per funnel), and AI web-capture artifacts after about 90 days.

We may retain limited information longer where necessary to comply with legal obligations, resolve disputes, and enforce our agreements (for example, billing records). To request deletion of your account and its data, contact us at team@clyro.io; see Your rights.

Security

We take reasonable technical and organizational measures to protect personal information. These include encryption in transit, hashing of passwords and credentials, encryption of stored third-party integration tokens, scoped access controls that confine each operator's data to their own workspace, CSRF protection on state-changing requests, a strict separation between the operator/dashboard domain and the domain on which funnels are served, and error monitoring that strips cookies and authentication tokens.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, and to object to certain processing or withdraw consent.

If you are an operator (we are the controller)

Contact us at team@clyro.io and we will respond as required by applicable law. We will not discriminate against you for exercising your rights. Note that Clyro does not currently offer self-service account deletion in the product; we handle account closure and erasure requests manually when you contact us.

If you are a funnel visitor (the operator is the controller)

Exercise your rights with the operator who runs the funnel where your data was collected — they decide how that data is used. As their processor, we will assist the operator in responding to your request. If you reach us directly, we will forward your request to the relevant operator where we can identify them.

California privacy (CCPA / CPRA)

If you are a California resident, you have the right to know the categories and specific pieces of personal information we collect, to delete it, to correct it, and to opt out of its "sale" or "sharing" as those terms are defined under the CCPA/CPRA.

We do not sell personal information, and we do not share it for cross-context behavioral advertising. The categories we collect and our purposes are described in the operator and visitor sections above. To exercise your rights, contact us at team@clyro.io. We will not discriminate against you for doing so. You may use an authorized agent to submit a request on your behalf.

Notice for funnel visitors

If you arrived here from a page that looks like a product, course, or offer, you are likely on a funnel that a Clyro operator built and published. That operator — not Clyro — decides what to collect on the page and how to use it, and is the controller of your data. Clyro hosts the page and processes the data on the operator's behalf.

For access, correction, or deletion of data collected about you on such a page, contact the operator directly. The operator should provide their own privacy notice and contact details. If you cannot reach them, you may contact us at team@clyro.io and we will assist where we can.

Children's privacy

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, contact us at team@clyro.io and we will delete it. Operators are responsible for ensuring their own funnels comply with laws protecting minors.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, provide additional notice as appropriate. Your continued use of the Service after an update means you accept the revised policy.

Contact us

For any privacy question or to exercise your rights, contact Shand Enterprises LLC at team@clyro.io.