Vayra logoVayra
Start free

Privacy Policy

Effective date: 11 May 2026

This Privacy Policy explains how Vayra (“we”, “us”, or “our”) collects, uses, and protects personal information when you use our website and application (the “Service”). This policy is intended to comply with applicable privacy laws in the United Kingdom, European Economic Area (EEA), United States, and other English-speaking jurisdictions.

1. Scope

This Privacy Policy applies to information collected through vayra.pro and the Vayra application, including the agency workspace and the client portal. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information we collect

Account information

When you register or use the Service, we collect personal information such as your email address and authentication identifiers. This applies to both agency team members and client portal users.

Workspace and content data

We store data you create or upload in order to provide the Service, including:

  • Workspace and team member information
  • Client names and associated records
  • Activity entries, metrics, notes, and report content
  • Generated report snapshots and PDFs
  • Brand settings such as colours and uploaded logos
  • Workload assignments and timesheet entries

Client portal data

Where an agency enables the client portal feature, we collect and store:

  • Client contact name and email address, as provided by the agency
  • Portal authentication credentials (stored securely and encrypted)
  • Portal activity including report views, comments, and report approvals
  • Activity feed interactions where the feature is enabled

Agency owners are responsible for ensuring they have a lawful basis for sharing their clients' personal data with Vayra and for obtaining any necessary consents before creating portal accounts on behalf of their clients.

Third-party integration data

Where you connect third-party integrations (such as Google Analytics 4, Google Search Console, or Meta Ads), we retrieve data from those platforms on your behalf and store it to populate your reports. We access only the data necessary to provide the integration feature. You remain responsible for ensuring your use of such integrations complies with the terms of the relevant third-party platforms and applicable data protection law.

AI processing

On Pro and Agency plans, activity entry data may be sent to Anthropic (the provider of the Claude AI models) solely for the purpose of generating report narratives, workload suggestions, and client insight summaries. Anthropic is a US-based company. Data sent to Anthropic is used only to process your request and is not used to train AI models or retained beyond the request. By using AI features, you consent to this processing. We recommend you do not include sensitive personal data in activity entries that will be processed by AI features.

Technical and usage data

We automatically collect limited technical information necessary to operate and secure the Service. This may include IP address, browser type, device information, usage activity, and log data.

Public report links

If you generate public share links, the information contained within those shared reports may be accessible to anyone with the link. You are responsible for ensuring no sensitive personal data is included in publicly shared reports.

3. How we use information

We use collected information to:

  • Provide, maintain, and operate the Service
  • Generate reports, PDFs, and share links
  • Authenticate users and manage workspace and portal access
  • Power AI features including report narrative generation and client insights
  • Retrieve and display third-party integration data on your behalf
  • Improve performance, reliability, and user experience
  • Communicate important updates or respond to inquiries
  • Detect and prevent fraud, abuse, or security issues
  • Comply with legal obligations

4. Legal bases for processing (UK/EEA)

Where applicable under UK GDPR or EU GDPR, we rely on the following legal bases:

  • Performance of a contract (providing the Service)
  • Legitimate interests in operating and improving the Service
  • Compliance with legal obligations
  • Consent, where required — including for AI feature processing

5. How we share information

We do not sell personal data. We may share information only as necessary to operate the Service:

  • With infrastructure and hosting providers (including Supabase for database and storage, and Vercel for hosting)
  • With Stripe for payment processing — Stripe handles all billing data directly and we do not store payment card details
  • With Anthropic for AI feature processing, as described in Section 2 above
  • With third-party platforms (such as Google and Meta) where you have connected integrations, solely to retrieve data on your behalf
  • With service providers that support analytics, security, or communications
  • Where required by law or to protect rights, safety, or the Service
  • In connection with a merger, acquisition, or asset sale

Brand assets such as uploaded logos are stored securely and served via time-limited signed URLs when needed for report rendering.

6. International data transfers

Your information may be processed in countries outside your own, including the United States. This includes data processed by Anthropic (AI features), Stripe (billing), and Vercel (hosting infrastructure). Where required, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms to ensure personal data transferred internationally remains protected in accordance with applicable laws.

7. Data retention

We retain personal data only as long as necessary to provide the Service and fulfil legitimate business or legal purposes. When a workspace is deleted, associated data is removed from our systems. You may request deletion of your data at any time, subject to legal or operational requirements.

8. Security

We implement appropriate technical and organisational safeguards to protect personal information, including row-level security to ensure complete isolation between workspace data. Our infrastructure providers (Supabase and Vercel) hold independent security certifications. However, no system can guarantee absolute security.

9. Your rights

Depending on your location, you may have rights regarding your personal data, including access, correction, deletion, restriction, objection, and data portability. Residents of certain jurisdictions (such as the UK, EEA, and some US states) may have additional rights under local law.

Client portal users whose data has been provided by an agency should contact the agency directly in the first instance, as the agency acts as data controller for that relationship. Where Vayra acts as data controller, contact us directly.

To exercise your rights, contact us at hello@vayra.pro.

10. Children's privacy

The Service is not intended for children under 16. We do not knowingly collect personal information from children.

11. Changes to this Privacy Policy

We may update this Privacy Policy periodically. We will update the effective date at the top of this page when changes are made. Continued use of the Service after updates constitutes acceptance of the revised policy.

12. Contact

For privacy-related questions or requests, contact:

Vayra
Email: hello@vayra.pro
Website: vayra.pro