Cyqle LogoCyqle

Privacy Policy

Last Updated: January 14, 2026

At Cyqle, we are committed to protecting your privacy and providing transparent information about how we collect, use, and protect your data. This Privacy Policy complies with 2026 privacy regulations including GDPR, CCPA, and the EU AI Act.

Privacy 3.0 Compliant - Full Transparency & User Control

Privacy at a Glance

Ephemeral by Default

Session data is wiped instantly when you close unless you enable persistence

AI Disclosure

We clearly disclose when AI systems are used and how they work

P2P Architecture

Your data may transit through peer nodes with Standard Contractual Clauses

Your Rights

Full access, deletion, portability, and objection rights under GDPR/CCPA

1. Data Collection & Legal Basis

Privacy 3.0 Transparency

We distinguish between two primary categories of data: Account Data (necessary for billing and account management) and Session Data (ephemeral data generated within your virtual desktop environment).

Account Data (Persistent)

We collect and store the following information to manage your account and provide billing services:

  • Email address (for authentication and communication)
  • Payment information (processed securely via Stripe - we do not store full credit card numbers)
  • Account preferences and subscription tier selections
  • Billing history and usage logs for invoicing purposes

Legal Basis: Contractual Necessity - This data is required to fulfill our contract with you to provide the Cyqle service.

Session Data (Ephemeral)

Data generated during your use of virtual desktop sessions. This category is inherently ephemeral due to our jailed environment architecture:

  • Files, documents, and code created within your session's isolated filesystem
  • Installed software packages and system configuration changes
  • Process metadata (running applications, resource consumption)
  • Network activity originating from your session (for security monitoring only)

Legal Basis: Contractual Necessity - Processing session data is essential to provide you with an isolated, functional virtual desktop environment.

Important: Session data in ephemeral sessions is encrypted with unique, per-session keys and is cryptographically erased upon session termination. This data cannot be recovered after deletion.

Critical Privacy Guarantee: Cyqle does NOT have access to or interfere with anything inside your jailed session. We cannot read your files, access your data, or monitor your activities within the session. The only operational data we may collect is anonymized logging (session duration, resource usage) and only when you expressly allow us (bug reports, support requests).

Technical & Diagnostic Data

We collect limited technical data to maintain platform stability and security:

  • IP addresses (hashed after 24 hours for fraud prevention)
  • Browser type and operating system (for compatibility diagnostics)
  • Session start/end timestamps and resource usage metrics (for capacity planning)

Legal Basis: Legitimate Interest - We have a legitimate interest in maintaining platform security, preventing fraud, and optimizing service performance.

2. AI Transparency (EU AI Act Compliance)

AI Disclosure

Cyqle incorporates AI-powered features to enhance your productivity. Under the 2026 EU AI Act, we are required to provide clear disclosure when you interact with or are affected by AI systems.

AI Operator Disclosure

When you use Cyqle's automation features (browser recording, task delegation, workflow scheduling), you may interact with our "AI Operator" - an AI system designed to execute repetitive web tasks on your behalf.

How the AI Operator Works

The AI Operator uses the following logic to assist you:

  • Pattern Recognition: It analyzes recorded browser interactions to identify actionable patterns (clicks, form fills, navigation sequences)
  • Task Execution: Based on your instructions, it replicates these patterns to automate repetitive tasks
  • Contextual Adaptation: It uses computer vision and DOM analysis to adapt to minor UI changes in web applications
  • Feedback Loop: You can review, approve, or modify automated actions before they execute

Human Oversight & Limitations

The AI Operator operates under your direct supervision. It does not make autonomous decisions that affect your account, billing, or access rights. All critical operations require explicit user confirmation. The AI does not access or process your session data for training purposes without explicit opt-in consent.

3. Automated Decision-Making (ADMT)

User Control

Cyqle uses limited automated decision-making systems to ensure platform security and fair resource allocation. Under 2026 CCPA requirements, you have the right to opt out of certain automated processing.

Automated Systems in Use

  • Fraud Detection:

    Our system analyzes account creation patterns, payment behaviors, and IP reputation scores to detect and prevent fraudulent sign-ups. False positives are reviewed by human operators within 24 hours.

  • Session Allocation:

    An automated load balancer allocates your session to available infrastructure nodes based on current capacity, geographic proximity, and subscription tier priority.

  • Abuse Detection:

    We monitor resource consumption patterns (CPU, memory, network) to detect violations of our Acceptable Use Policy (e.g., cryptocurrency mining, DDoS attacks).

Your Right to Opt-Out & Human Review

If an automated system flags your account or denies access, you have the right to request human review and contest the decision. You may also opt out of certain automated processing (excluding critical security functions).

To exercise this right, contact privacy@cyqle.in with your account email and the subject line: "ADMT Opt-Out Request."

4. International Data Transfers

Cross-Border Safeguards

Cyqle's peer-to-peer (P2P) architecture means that session data may transit through various geographic nodes during real-time collaboration. We take specific measures to ensure compliance with international data transfer regulations.

P2P Mesh Network & Data Routing

When you collaborate with other users in real-time, your session data is transmitted directly between peers using libp2p. This means:

  • Data may be routed through intermediate relay nodes located in different countries
  • The exact path of data transmission depends on network topology and peer availability
  • All P2P connections are end-to-end encrypted using TLS 1.3 and WebRTC encryption

Cross-Border Transfer Safeguards

To protect your data during international transfers, we implement the following safeguards:

  • Standard Contractual Clauses (SCCs): All data transfers to countries outside the EEA are governed by EU-approved Standard Contractual Clauses (2021/914)
  • Encryption in Transit: All data is encrypted during transmission using industry-standard encryption protocols
  • Data Minimization: Only the minimum necessary session data is transmitted through the P2P network (screen frames, input events, authentication tokens)

Your Control Over Data Location

While we cannot guarantee the exact geographic path of P2P-routed data, you can control where your persistent session data is stored by selecting your preferred data center region in your account settings (available for Pro and Power tier users).

5. Data Retention & Deletion

Ephemeral Architecture

One of Cyqle's core privacy features is the ephemeral nature of our jailed environment architecture. Here's exactly how we handle data retention and deletion:

Ephemeral Sessions (Default Behavior)

By default, all sessions are ephemeral. This means:

  • Session Encryption: Your session's writable filesystem is encrypted with a unique, randomly-generated AES-256 key created at session start
  • Instant Deletion: When you close the session, the encryption key is immediately destroyed, rendering all session data cryptographically irrecoverable
  • Zero Retention: No session files, installed software, or user-generated content is retained after session termination

Persistent Sessions (Optional, Paid Tiers Only)

If you enable persistence (available on Lite, Pro, and Power tiers), your session data is retained as follows:

  • Storage Duration: Persistent data is retained for the duration specified by your subscription tier (e.g., 30 days for Lite, 90 days for Pro)
  • Encrypted Storage: Persistent data is stored in encrypted block storage with unique per-user encryption keys managed via AWS KMS
  • Manual Deletion: You can manually delete persistent sessions at any time through your dashboard

Account Data Retention

Account data (email, billing information, usage logs) is retained for as long as your account is active, plus an additional 90 days after account closure to comply with financial record-keeping requirements. After this period, all personal identifiers are permanently deleted.

Your Right to Deletion

You may request deletion of all your personal data at any time by contacting privacy@cyqle.in. We will complete your deletion request within 30 days, except where retention is required by law (e.g., tax records, fraud prevention).

6. Your Privacy Rights

GDPR & CCPA Rights

Under GDPR (for EEA residents) and CCPA (for California residents), you have the following rights regarding your personal data:

Right to Access

You can request a copy of all personal data we hold about you

Right to Rectification

You can update or correct inaccurate personal information

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data

Right to Data Portability

You can request your data in a machine-readable format

Right to Object

You can object to certain types of processing (e.g., marketing)

Right to Restriction

You can request that we limit how we use your data

To exercise any of these rights, email privacy@cyqle.in with your account email and specify which right you wish to exercise. We will respond within 30 days.

7. Security Measures

Technical Safeguards

We implement industry-leading security measures to protect your data from unauthorized access, disclosure, or destruction:

Security Controls

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Isolation: Each session runs in a jailed environment with strict process and filesystem isolation (see SESSION_ENVIRONMENT.md)
  • Access Controls: Role-based access controls (RBAC) limit employee access to production data
  • Security Audits: We conduct annual third-party security audits and penetration testing
  • Incident Response: We maintain a 24/7 incident response team for security events

Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will notify you within 72 hours via email and provide details about the nature of the breach, affected data categories, and remediation steps.

8. Cookies & Tracking Technologies

Tracking Disclosure

Cyqle uses minimal cookies and tracking technologies. We do not use third-party advertising trackers or sell your data to data brokers.

Essential Cookies (Required)

Session authentication token (httpOnly, secure, sameSite=strict) - expires after 30 days or logout

Analytics Cookies (Optional)

We use privacy-respecting analytics (Plausible Analytics) that does not track individual users or use cookies. You can opt out via your browser's Do Not Track (DNT) header.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes via email at least 30 days before they take effect. Your continued use of Cyqle after the updated policy takes effect constitutes acceptance of the changes.

Privacy Questions or Concerns?

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact our Data Protection Officer:

privacy@cyqle.in