Privacy Policy

Last updated: 2025‑10‑02

Introduction

Bytedrome is a product provided by Bytedromeda ("we", "us"). This Privacy Policy explains what we collect, why we collect it, how we use and share it, and the choices and rights you have. It applies to our websites and apps (the "Services").

Summary

  • We collect only the data needed to operate the waitlist/marketing site today and will update this policy when the SaaS launches.
  • We use cookies solely for preferences (e.g., language) and strictly‑necessary operations; analytics/marketing cookies will require consent.
  • You control your data. You can access, correct, or delete it and exercise regional privacy rights.

What we collect

  • Account/Contact: email you submit to the waitlist or contact forms.
  • Preference data: locale (language), theme (client UI state), and cookie consent.
  • Attribution data: UTM parameters in the URL (utm_source, utm_medium, utm_campaign, utm_term, utm_content) and HTTP Referer.
  • Technical metadata: User‑Agent, IP address (processed as a transient signal on the server; if stored, we keep only a hashed derivative for abuse prevention), timestamps, and page path.
  • Emotional/AI signals: at this stage of the marketing site we do not persist emotional inferences. When the product launches, emotional inferences may be computed on‑device or server‑side for guidance; storage will be minimized and documented here before rollout.

Sources

  • You (forms, emails).
  • Your browser (headers such as Referer and User‑Agent; cookies for locale).
  • Campaign links (UTM parameters).

How we use data

  • Provide the Services (waitlist registration, content localization, lawful security/anti‑abuse).
  • Communicate with you about early access and product updates.
  • Measure basic campaign attribution (UTM + referer). We do not perform cross‑site tracking.

Legal bases (EEA/UK)

  • Consent (GDPR Art. 6(1)(a)): newsletter/waitlist emails and any non‑essential cookies.
  • Contract (Art. 6(1)(b)): delivering the Services you request.
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention (using minimal technical data), and product analytics that are strictly necessary and privacy‑preserving.
  • Special categories: We do not intentionally collect special‑category data (Art. 9). Any future emotional inferences will avoid storing raw sensitive attributes; if explicit consent is required, we will request it.

Automated decision‑making and profiling

  • No decisions with legal or similarly significant effects are made solely by automated means (GDPR Art. 22). Emotional guidance, when introduced, will be assistive and reversible.

Retention

  • Waitlist records (email + attribution) are kept until you opt out or for up to 24 months after last interaction, then deleted or anonymized.
  • Server logs and technical metadata are rotated (typically ≤ 30–90 days) unless needed for incident investigation.

Sharing and international transfers

  • Service providers ("processors") that help us host, send email, store data, or protect security. We require DPAs and appropriate safeguards.
  • Cross‑border transfers: where applicable, we use EU Standard Contractual Clauses (SCCs) and, for the UK, the IDTA/Addendum. For US transfers we assess recipient laws and apply supplementary measures.

Security

  • Encryption in transit (TLS); encryption at rest for stored data; least‑privilege access; audit trails; rate‑limiting and bot‑mitigation.
  • We follow industry guidance such as NIST AI RMF and ISO/IEC 27001 practices appropriate to our size. For AI systems we aim to align with the EU AI Act timelines as they come into effect.

Your rights

  • EEA/UK (GDPR/UK GDPR): access, rectification, erasure, restriction, portability, and objection; right to withdraw consent; right to lodge a complaint with your supervisory authority.
  • California (CCPA/CPRA): right to know, delete, correct, and to opt out of sale/share (we do not sell/share personal information). Sensitive personal information is not used to infer characteristics beyond what is necessary to provide the Services.
  • Brazil (LGPD), Canada (PIPEDA), and other regions: similar rights as above; contact us to exercise them.

Cookies and similar technologies

  • Strictly necessary cookies: session and locale (e.g., NEXT_LOCALE). These are required for basic operation.
  • Analytics/marketing cookies (if introduced) will require prior consent and granular controls. See our Cookie Policy when available.

Children

  • Our Services are not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided data, contact us to remove it.

Sub‑processors

  • We will maintain an up‑to‑date list of processors (hosting, email, storage) and make it available on request or via a public link.

Contact

  • Contact details will be provided at launch.

Changes

  • We will update this Policy when we add new data uses (e.g., product accounts, emotional guidance storage). We will give advance notice of material changes where required.