Privacy Policy
Last updated: 16 May 2026
Who we are
Lyra ("we", "us", "our") operates the website checklyra.com. We are committed to protecting your privacy and handling your personal data transparently.
What data we collect
When you create a Lyra profile, we collect:
- Account data: Email address, password (encrypted), display name
- Profile data: Headline, bio, city, country, preferences, gift ideas, likes, dislikes, boundaries, school affiliations, external links, and profile photo — all provided voluntarily by you
- Usage data: Page views and basic analytics (via Vercel Analytics), collected anonymously unless you opt in
We do not collect: payment information, precise location data, browsing history, data from third-party sources, or any data from children under 13.
Why we collect it (lawful basis)
- Consent: You choose to create a profile and share your preferences. You can withdraw consent at any time by deleting your account.
- Legitimate interest: We use anonymised analytics to improve the service and security logs to protect against abuse.
How we use your data
- To display your public profile at checklyra.com/your-slug
- To show your profile in Lyra's search/browse page when published
- To enable AI companions (via MCP) to help people find gift ideas and understand your preferences
- To improve the Lyra service through anonymised analytics
- To send essential account emails (confirmation, password reset)
We will never sell your data, use it for targeted advertising, or share it with third parties for their marketing purposes.
Who we share data with
We use the following service providers who process data on our behalf:
- Supabase (database hosting, EU region) — stores your profile data
- Vercel (website hosting) — serves checklyra.com
- Cloudflare (DNS and CDN) — routes web traffic
Each provider has its own GDPR-compliant data processing agreement. We do not transfer data outside the UK/EU. Profile photos are stored in Supabase Storage (EU region). Database backups are stored in Cloudflare R2 with EU jurisdiction and 90-day retention.
Affiliate partners
Some of the gift suggestions Lyra surfaces are affiliate links. If you click one and make a purchase, Lyra may earn a small commission from the retailer at no extra cost to you. We work with the following affiliate networks:
- Sovrn Commerce (US-based aggregator) — routes outbound clicks to retailers and reports back which clicks led to purchases so the correct commission is paid. See Sovrn's privacy policy.
When you click an affiliate link, the affiliate network receives the URL you clicked, an opaque tracking identifier generated by Lyra, and standard browser metadata (your referring page, your user agent, your IP address). We never share your account email, your name, your profile content, or the name or contents of any recipient profile with affiliate partners.
The opaque identifier lets us reconcile our internal click log against the partner's monthly report. It does not identify you to the partner. See the affiliate partners page for the full disclosure.
Lawful basis: legitimate interest under UK GDPR Art. 6(1)(f). Routing affiliate commission to the correct programme is necessary to operate the monetisation feature you are using. You can use Lyra entirely without clicking affiliate links.
We may add more affiliate partners (for example, direct programmes with specific large retailers) in the future. When we do, this section and /partners will be updated.
Your rights (UK GDPR / Data Protection Act 2018)
You have the right to:
- Access: Download all your data in JSON format from your account settings
- Rectification: Edit any of your profile data at any time via the dashboard
- Erasure: Permanently delete your account and all associated data from your account settings
- Restrict processing: Unpublish your profile to hide it from public view without deleting your data
- Data portability: Export your data in machine-readable JSON format
- Object: Opt out of analytics tracking via the cookie consent banner
To exercise any of these rights, use the controls in your account settings or email us at [email protected].
Cookies
Lyra uses only essential cookies for authentication (keeping you logged in). We use Vercel Analytics, which collects anonymised page view data without cookies. You can opt out of analytics via the cookie consent banner.
Affiliate links route you to retailers via a redirect. The retailer (and, when relevant, the affiliate network operating the redirect) may set their own cookies on their own domain — those are governed by the retailer's and the network's privacy policies, not ours. Lyra does not set any tracking cookies on your browser as part of clicking an affiliate link. See the Cookie Policy for the full breakdown.
Data retention
- Active accounts: Data retained while your account is active
- Deleted accounts: All data permanently deleted within 30 days of account deletion
- Security logs: Retained for 90 days, then automatically deleted
Data security
We protect your data with: HTTPS encryption in transit, encrypted database storage, Row Level Security ensuring users can only access their own data, and regular security audits.
Changes to this policy
We may update this policy from time to time. We will notify you of significant changes via email or a notice on the website.
Contact
For privacy enquiries: [email protected]
For complaints, you can contact the UK Information Commissioner's Office (ICO) at ico.org.uk.