Privacy Policy

Last updated: 11 June 2026

Lyla is a service provided by ArloWebStudio. This Privacy Policy explains how we collect, use, and protect personal data in connection with the Lyla website (meetlyla.com), the Lyla customer account portal, and the Lyla chat assistant that our customers add to their own websites (the “Service”). If you have any questions, contact us at privacy@meetlyla.com.

1. Who we are and our role

The Service is operated by ArloWebStudio (arlowebstudio.com). For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), our role depends on the data in question:

• As a controller — for personal data relating to people who visit meetlyla.com and to our business customers (account holders), we decide how and why that data is processed, and we are the controller.
• As a processor — when a business customer adds the Lyla chat assistant to their own website, Lyla collects and processes personal data from that business’s website visitors on the customer’s behalf and on their instructions. In that case, the business customer is the controller of their visitors’ personal data, and we act as their processor. Those visitors should refer to the relevant business’s own privacy notice for how their data is controlled, and may contact that business to exercise their rights.

2. The personal data we collect

a. When you visit meetlyla.com
We collect limited technical information such as your IP address, browser type, and pages viewed, together with information from essential cookies needed to operate the site securely (see Section 9).

b. When you create or use a Lyla account (business customers)

• Your email address, business name, and business website URL.
• Your account password, which is stored only as a secure hash (we never store it in plain text).
• The knowledge and content you provide for your assistant to use (for example, your opening hours, services, prices, and FAQs).
• Account and usage information, such as login activity, configuration settings, message and conversation volumes, and the enquiries your assistant captures.

c. Billing information
Payments are processed by Stripe. We do not collect or store your full card details; Stripe handles card data directly and securely. We receive limited billing information such as your subscription status, plan, and partial payment identifiers.

d. Data collected through the Lyla assistant on customer websites
When the Lyla assistant runs on a business customer’s website, it may process, on that customer’s behalf:

• Messages exchanged between a website visitor and the assistant.
• Enquiry details the visitor chooses to provide, which may include their name, email address, phone number (where the customer has enabled it), and any additional fields the customer has configured, along with the visitor’s consent to be contacted.
• Technical data such as a hashed IP address and browser/user-agent information, used for security and basic analytics.

We ask our business customers not to configure their assistant to collect special category data (such as health, racial or ethnic origin, or financial account data) or to collect data from children, and to ensure they have a lawful basis and appropriate notice and consent for the data their assistant collects.

3. How we use personal data

We use personal data to:

• Provide, operate, and maintain the Service, including generating the assistant’s responses and capturing and delivering enquiries to the relevant business.
• Create and manage accounts, authenticate logins, and provide customer support.
• Process subscriptions, setup fees, and payments.
• Keep the Service secure, prevent abuse and fraud, and diagnose technical problems.
• Communicate with you about your account, service changes, and (where permitted) relevant updates.
• Comply with our legal obligations and enforce our terms.
• Understand and improve how the Service performs.

AI processing. To generate replies, the content of a conversation together with the relevant business’s knowledge content is processed by automated systems, including third-party AI infrastructure that we use to operate the Service. Responses are generated automatically. We do not use the contents of customer conversations to train publicly available AI models.

4. Legal bases for processing (UK GDPR)

Where we act as a controller, we rely on:

• Performance of a contract — to provide the Service to our customers and operate their accounts.
• Legitimate interests — to secure, maintain, and improve the Service, and to communicate with customers, where these interests are not overridden by your rights.
• Consent — where required, for example for certain communications or non-essential cookies. You may withdraw consent at any time.
• Legal obligation — to comply with applicable law, including tax and accounting requirements.

Where we act as a processor for our customers’ website-visitor data, the customer is responsible for establishing the appropriate legal basis.

5. Sharing your data and sub-processors

We do not sell personal data. We share it only as needed to run the Service:

• Stripe — payment processing.
• ArloWebStudio — as the operator of the Service.
• We also rely on service providers for functions such as email delivery, AI processing, and hosting. All providers that process data on our behalf are required to do so only on our instructions and to keep it secure.

We may also disclose data where required by law, to enforce our terms, to protect our rights, users, or the public, or in connection with a business sale or reorganisation (subject to this policy).

6. International transfers

Some of our providers may process data outside the United Kingdom. Where personal data is transferred outside the UK or EEA, we ensure an appropriate safeguard is in place, such as an adequacy decision or the UK International Data Transfer Agreement / Standard Contractual Clauses.

7. How long we keep data

• Account data is retained for as long as your account is active and for a reasonable period afterwards, then deleted or anonymised, unless we are required to keep it longer (for example for tax records).
• Captured enquiries and conversation data are retained for the period needed to provide the Service and are subject to routine pruning; the business customer, as controller of their visitors’ data, may request earlier deletion.
• Billing records are kept as required by law.

When data is no longer needed, we delete or anonymise it.

8. How we protect your data

We use appropriate technical and organisational measures, including encryption of data in transit (HTTPS/TLS), secure password hashing (argon2id), access controls, and segregation of customer data. No method of transmission or storage is completely secure, but we work to protect personal data against unauthorised access, loss, or misuse.

9. Cookies

meetlyla.com and the account portal use essential cookies required for the site and login to function securely (for example, session and CSRF-protection cookies). These are necessary for the Service and do not require consent. If we introduce non-essential cookies (such as analytics), we will request consent where required and update this policy.

10. Your rights

Subject to applicable law, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request erasure of your data.
• Restrict or object to certain processing.
• Request portability of data you provided.
• Withdraw consent where processing is based on consent.

To exercise these rights, contact privacy@meetlyla.com. If your data was collected through a Lyla assistant on a business’s website, that business is the controller — please contact them, and we will support them in responding.

You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

11. Children

The Service is not directed at children, and we do not knowingly collect personal data from children. Business customers must not configure their assistant to collect data from children.

12. Changes to this policy

We may update this policy from time to time. We will post the updated version here and change the “Last updated” date. Significant changes will be communicated where appropriate.

13. Contact us

ArloWebStudio — operator of Lyla
Email: privacy@meetlyla.com
Web: arlowebstudio.com