Privacy Notice
Last updated: 2026-05-21
1. Who we are
Klyrix LLC, a limited-liability company registered in Dubai Mainland, United Arab Emirates ("Klyrix", "we", "us") operates the Klyrix management platform — a control plane for VDI / RDP fleet operations. Customers bring their own cloud infrastructure; Klyrix supplies the management layer only.
- Registered office: Dubai Mainland, United Arab Emirates
- General legal contact: legal@klyrix.com
- Privacy concerns: privacy@klyrix.com
- Data Protection Officer (DPO): dpo@klyrix.com
2. Scope of this notice
This notice applies to:
- Visitors to klyrix.com and its sub-domains;
- Customer administrators and end-users of the Klyrix platform; and
- Prospective customers, partners, and applicants interacting with us.
Where Klyrix processes personal data on behalf of a customer (e.g., end-user audit logs collected from the customer's own VDI fleet), Klyrix acts as a data processor under our Data Processing Agreement. Where Klyrix collects data directly from visitors or for billing, Klyrix is the controller.
3. What we collect
- Account data — email, full name, organisation, role, language preference.
- Authentication data — password hash (argon2id), MFA secret (encrypted), SCIM token sha256 fingerprint, SSO provider claims (subject ID, email).
- Usage data — IP address (truncated / hashed for analytics), audit_logs entries (action, target, timestamp), request metadata.
- Payment metadata — last 4 digits of card, expiry, country, Stripe customer / subscription IDs. We never see or store full card numbers — those are tokenised by Stripe.
- Screen-recording metadata (DVR) — opt-in per farm, customer-controlled retention; recordings remain in the customer's storage bucket. Klyrix sees only the index (start/end, user, farm).
- Telemetry — error reports (Sentry), performance traces, feature usage. Personal identifiers are stripped where possible.
- Optional analytics — cookie-less, aggregated visitor counts. No cross-site tracking, no advertising IDs.
- Support tickets — your messages, screenshots you attach, system context you provide.
4. Why we collect it (legal bases)
We rely on the following legal bases depending on your jurisdiction:
- GDPR Art. 6 (EU/EEA, UK GDPR) — contract performance (delivery of the service), legitimate interest (security monitoring, abuse prevention, product improvement), consent (optional analytics, marketing email), legal obligation (tax, AML, sanctions screening).
- UAE PDPL Art. 5 — consent and the necessary-for-contract / legitimate-interest grounds (subject to balancing test).
- KVKK Art. 5 (Türkiye) — explicit consent, performance of a contract, legitimate interest, legal obligation.
- CCPA / CPRA (California) — processing for a legitimate "business purpose" as defined in §1798.140(e).
We do not use personal data for automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22).
5. How we share it
We share personal data only with vetted subprocessors that are contractually bound to confidentiality and security standards. The current list is published at /legal/policies/subprocessors.
We do not sell personal data. "Sell" / "share" as defined under CCPA / CPRA is not applicable to our processing.
We may disclose data to law-enforcement or regulators where compelled by a binding legal order. We will challenge over-broad requests and notify the affected customer where lawful.
6. How long we retain it
| Data category | Retention |
|---|---|
| audit_logs (hot) | 90 days online |
| audit_logs (cold archive) | 1 year object-storage |
| DVR session recordings | 30 days default (customer-configurable) |
| Billing & invoices | 5 years (UAE accounting / VAT) |
| Support tickets | 5 years |
| Sandbox / trial workspaces | 14 days after expiry |
| Sanctions-screening hit log | 90 days |
| Account data (closed account) | 30 days grace + deletion |
7. International transfers
The UAE does not currently benefit from an adequacy decision from the European Commission or the UK Government. We therefore rely on EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) with each relevant subprocessor.
EU customer data is hosted on Supabase eu-central-1 (Frankfurt, EU) and remains within the EEA for storage purposes. Operational access from our UAE headquarters relies on SCCs Module Two (controller-to-processor) supplemented by encryption-in-transit and role-based access controls.
8. Your rights
- GDPR (EU/EEA) & UK GDPR — access, rectification, erasure, restriction of processing, data portability, objection, and the right not to be subject to automated decision-making (Klyrix does not perform such decisions).
- UAE PDPL — access, rectification, erasure, restriction, objection, and the right to data transfer.
- KVKK (Türkiye), Art. 11 — to request information, rectification, erasure / destruction, notification of third parties, objection to automated analysis, and compensation for damage.
- CCPA / CPRA (California) — right to know, right to delete, right to opt-out of sale or sharing (not applicable, since we do not sell or share personal information), right to non-discrimination for exercising your rights.
Exercise your rights via the self-service form at /legal/policies/data-rights or by emailing privacy@klyrix.com.
9. Cookies
- Strictly necessary — the klyrix_session cookie (HttpOnly, Secure, SameSite=Lax) authenticates you. Without it the platform cannot function.
- Functional — language preference (klyrix_locale), tenant routing (klyrix_workspace).
- Analytics — cookie-less aggregate counts only.
- Marketing — none.
A standalone cookie policy is in preparation at /legal/policies/cookies (coming soon). The site presents a cookie banner where required by local law (notably EU ePrivacy and the UK PECR).
10. Security
Security controls are summarised at our Trust Center. Notable measures include:
- SCIM provisioning tokens stored as SHA-256 fingerprints (raw token shown once on creation only).
- audit_logs partitioned and append-only.
- Postgres row-level security (RLS Phase 2) enforced on tenant tables.
- MFA (TOTP) and enterprise SSO (SAML / OIDC) available.
- TLS 1.2+ in transit; AES-256 at rest.
- Circuit breakers, rate limits, and per-tenant quota enforcement.
11. Children’s data
Klyrix is a business-to-business service not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact privacy@klyrix.com and we will delete it.
12. Sanctions compliance
Klyrix complies with UAE Central Bank sanctions lists and the U.S. OFAC SDN list (and equivalents in EU / UK / UN regimes). Access from comprehensively-sanctioned regions (currently Iran, Syria, North Korea, Cuba, Crimea, Donetsk, Luhansk) is blocked at the network edge with an HTTP 451 response. False-positive appeals may be submitted at /sanctions-appeal.
13. Changes to this notice
For material changes we will notify customer administrators by email at least 30 days in advance. Minor edits are reflected in the “Last updated” date above. Continued use of the platform after the effective date constitutes acceptance of the revised notice.
14. Contact
- Data Protection Officer: dpo@klyrix.com
- Privacy concerns: privacy@klyrix.com
- General legal: legal@klyrix.com
- EU representative (GDPR Art. 27): to be appointed if our EU customer base reaches the threshold requiring a designated representative.
- UK representative (UK GDPR Art. 27): to be appointed under the same conditions.
You also have the right to lodge a complaint with your local supervisory authority — see /legal/policies/data-rights for jurisdiction-specific contacts.