Privacy & data policy

Your documents do not get used to train anything.

Short version: we process uploads in memory, delete them after the response, and do not have a model training loop to feed.

What we collect

  • Documents you upload. Held in memory only for the duration of the request or job. Written to disk only if a specific backend has to spill a page image (for example, some OCR backends), and the spill file is deleted immediately after the job completes.
  • Metadata about the request. Operation name, file size, page count, outcome, elapsed time, credits consumed. Used for billing, rate limits, and debugging. Retained for 90 days on the managed API.
  • Account data. Email address, hashed password (or OAuth provider identifier), credit balance, purchase history. Retained while the account exists; deleted within 30 days of account deletion.
  • Logs. Structured JSON logs. Emails are masked (us***@example.com). No document contents are logged. Retained for 30 days.

What we do not do

  • We do not use your uploads to train models. The toolkit does not have LLMs in the hot path; there is nothing to train.
  • We do not sell your data.
  • We do not retain documents after the response. Scratch files are purged at job end.
  • We do not share your data with third parties except the subprocessors listed below, each strictly necessary to operate the service.

Subprocessors

  • Fly.io — application hosting (US regions by default).
  • Stripe — payment processing. Card data goes directly to Stripe; we never see the full PAN.
  • Postmark (or an equivalent transactional-email provider) — transactional email only (receipts, password resets).

HIPAA and regulated data

Lyte Lab is not HIPAA-certified today. We do not sign Business Associate Agreements on the managed API. If you need to process protected health information or other regulated data, the enterprise self-host license lets you run the whole toolkit inside your own compliant environment — see local-first for details.

GDPR and CCPA

You may request export or deletion of your account data at any time by emailing privacy@lytelab.ai. Deletion is processed within 30 days. For California residents: we do not sell personal information.

Children

Lyte Lab is not directed at children under 13. Do not use the service if you are under 13.

Security

TLS everywhere. Passwords are hashed with bcrypt. Secrets are stored in the hosting provider's encrypted secret store, never in code. We rotate keys after any suspected compromise and publish a postmortem if customer data was touched. If you find a security issue, please email security@lytelab.ai; we respond within 1 business day.

Changes

We will update this page before making any change that expands what we collect or how we share it. If the change is material, we will email active account holders at least 14 days before it takes effect.

Contact

Lyte Lab LLC (Delaware). Operating address: Austin, TX. Email privacy@lytelab.ai with any question about this policy.

Last updated: April 2026.