Privacy Policy

Last updated May 23, 2026

1. INTRODUCTION

Vyser Inc. ("Vyser," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web and mobile applications and related services (collectively, the "Platform").

By using the Platform, you consent to the data practices described in this policy.

2. INFORMATION WE COLLECT

Personal Information You Provide: - Account information: name, email address, phone number, profile photo - Professional information (Advisors): headline, bio, expertise, credentials, LinkedIn URL - Payment information: processed securely through Stripe (we do not store full card numbers) - Session content: booking details, session notes, ratings, and reviews - Communications: messages sent through the Platform

Information Collected Automatically: - Device information: device type, operating system, unique device identifiers - Usage data: pages viewed, features used, session duration, interaction patterns - Location data: approximate location based on IP address - Push notification tokens (with your permission) - Crash and performance data: error reports, diagnostic logs (via Sentry — not linked to your identity)

Third-Party Services Used: - Video calls: Daily.co (live video/audio is not stored by Vyser; session audio may be transcribed into text for notes and quality workflows) - Payments: Stripe Connect (payment details processed and stored by Stripe) - Push notifications: Apple APNs / Google FCM - Error monitoring: Sentry (crash data only) - AI features: Anthropic (Claude API) — only when you opt in to a feature that uses it (see Section 4) - Calendar integration: Google Calendar API (Advisors only — see Section 3)

Mobile App Device Permissions:

The Vyser mobile app requests the following operating-system-level permissions. Each is requested only at the moment you use the feature that needs it. You can revoke any of these at any time from your device settings (iOS Settings → Vyser, or Android Settings → Apps → Vyser).

- Camera (iOS NSCameraUsageDescription, Android CAMERA): used during live video sessions only. We do not store video recordings; the stream is sent through Daily.co's video infrastructure. - Microphone (iOS NSMicrophoneUsageDescription, Android RECORD_AUDIO): used during live video sessions. We do not store raw audio recordings, but session audio may be transcribed into text when transcription is enabled. - Photo Library (iOS NSPhotoLibraryUsageDescription, Android media access via the platform photo picker): used only when you tap "Change photo" to set or update your profile picture. We do not browse, index, or upload any other photos. - Bluetooth (iOS NSBluetoothAlwaysUsageDescription, Android BLUETOOTH): used during live video sessions so audio can route through wireless headphones, AirPods, or car audio. We never scan for or connect to Bluetooth devices outside the session UI. - Calendar (iOS NSCalendarsUsageDescription / NSCalendarsFullAccessUsageDescription, Android READ_CALENDAR / WRITE_CALENDAR): used when you opt in to "Calendar Sync" (Seekers) so the app can add your booked Vyser sessions as events on your selected device calendar with a 30-minute reminder. We never read or modify events that Vyser did not create. Independent from the Google Calendar integration described in Section 3, which is an Advisor-side feature for blocking unavailability. - Reminders (iOS only — NSRemindersUsageDescription / NSRemindersFullAccessUsageDescription): some iOS users prefer reminders over calendar events. Used to add session reminders only at your request. We never read or modify other reminders. - Notifications (iOS automatic, Android POST_NOTIFICATIONS): used to send session reminders, booking confirmations, refund decisions, and inbound messages. See Section 5 for how you can disable these.

We do NOT request: location (we infer approximate city from IP only — Section 2), contacts, photos beyond the picker, health/fitness data, motion, or HomeKit.

3. GOOGLE CALENDAR INTEGRATION (ADVISORS ONLY)

Advisors may optionally connect their Google Calendar to Vyser. When an Advisor connects Google Calendar:

What we access: Vyser requests read-only access to the Advisor's Google Calendar events (OAuth scope: https://www.googleapis.com/auth/calendar.readonly). We read event titles, start times, and end times for events occurring in the next 60 days.

Why we access it: We use this data solely to create unavailability blocks on the Advisor's Vyser schedule — preventing Seekers from booking time slots that conflict with existing calendar events. This is a direct, user-facing feature requested by the Advisor.

What we store: We store an OAuth refresh token (encrypted at rest in our database) that allows us to fetch updated calendar data when the Advisor requests a sync. We do not store full event details permanently — only the start and end times needed to create unavailability blocks on Vyser.

What we do NOT do: - We do not share Google Calendar data with any third parties - We do not use Google Calendar data for advertising or marketing - We do not allow any Vyser employees or contractors to read your calendar event content - We do not use Google Calendar data for any purpose other than blocking your Vyser availability - We do not access calendars other than your primary Google Calendar

Revoking access: Advisors can disconnect Google Calendar at any time from the Availability page (Settings → Availability → Calendar sync → Disconnect). This immediately deletes the stored OAuth token from our systems. You can also revoke access directly at https://myaccount.google.com/permissions.

Google API Services User Data Policy: Vyser's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. See https://developers.google.com/terms/api-services-user-data-policy.

4. AI PROCESSING OF SESSION CONTENT

Vyser offers optional AI-assisted features that prepare pre-session briefs and summarize completed Sessions. When you request one of these features:

- What we send: a structured summary of the booking — Advisor profile, session type, your stated goals or notes, and where applicable a transcript or summary of the Session. We do not send payment information, contact details, or unrelated account data. - Who processes it: Anthropic, via the Claude API. Anthropic's standard commercial API terms prohibit Anthropic from using customer prompts and outputs to train their general-purpose models. The completion returned by the API is stored against your booking in Vyser's database for your retrieval. - Your control: AI features are opt-in per booking. You can decline to use them; declining never affects your access to the Platform or to the underlying Session. Generated briefs and summaries are deleted when you delete the booking or your account (subject to the retention rules in Section 8). - What we do not do: we do not use AI to make consequential decisions about you, such as who can sign up, what price an Advisor charges you, whether your account is suspended, or whether a refund is approved. AI output on the Platform is informational only. - If we change LLM providers: we will update this section. If the no-training protection materially weakens, we will give existing accounts at least 30 days' notice before any new processing takes effect.

5. HOW WE USE YOUR INFORMATION

We use collected information to: - Create and manage your account - Facilitate bookings and Sessions between Seekers and Advisors - Process payments and payouts through Stripe Connect - Send session reminders, booking confirmations, and platform notifications - Improve and personalize the Platform experience - Ensure platform safety and prevent fraud - Comply with legal obligations - For Advisors who opt in: sync external calendar events to prevent booking conflicts (see Section 3) - Generate optional AI-assisted session preparation briefs and post-session summaries when you request them (see Section 4)

We may share your information with: - Other Users: Your profile information is visible to other Users as needed for the Platform's functionality. Advisor profiles are publicly visible. Seeker information is shared with Advisors they book sessions with. - Payment Processors: Stripe processes all payments and receives necessary transaction data subject to Stripe's own privacy policy. - Service Providers: Third-party services that help us operate the Platform (hosting via Supabase and Vercel, error monitoring via Sentry, video via Daily.co, AI processing via Anthropic on the opt-in features described in Section 4) receive only the data necessary to perform their services. - Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request. - Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring party, with continued protection under a privacy policy at least as protective as this one.

We do not sell your personal information to third parties. Google Calendar data (Section 3) is never shared with any third party.

7. DATA SECURITY

We implement industry-standard security measures including encryption in transit (TLS/SSL), encrypted storage, and access controls. OAuth tokens obtained via Google Calendar integration are stored encrypted at rest (AES-256-GCM) and accessed only by our server-side systems. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. DATA RETENTION

We retain your information for as long as your account is active or as needed to provide services. After account deletion (see Terms Section 10), we may retain certain data as required by law or for legitimate business purposes — for example, payment records retained for tax and accounting purposes for up to 7 years; anonymized booking records retained indefinitely for analytics. Google OAuth refresh tokens are deleted immediately upon disconnection or account deletion.

9. YOUR RIGHTS AND CHOICES

You have the right to: - Access: Request a copy of your personal data - Correction: Update inaccurate or incomplete information directly in your account settings, or by contacting us if a field is not editable in the app - Deletion: Request deletion of your account and personal data through Settings → Delete Account (which schedules deletion 7 days out — see Terms Section 10) or by emailing legal@vyser.co - Portability: Request a machine-readable copy of your data - Opt-out of marketing: Use the unsubscribe link in any promotional email, or turn off marketing notifications in your account settings. Transactional emails (booking confirmations, security alerts, payment receipts) cannot be opted out while your account is active - Opt-out of push notifications: Disable at the operating system level — on iOS, Settings → Notifications → Vyser; on Android, Settings → Apps → Vyser → Notifications. Vyser will continue to send in-app notifications and email for important account events - Revoke calendar access: Disconnect Google Calendar at any time (see Section 3) — the OAuth token is deleted from our systems immediately

How to submit a request: email legal@vyser.co with the request type and the email address on your account. We will respond within 30 days, or 45 days for complex requests (with notice). To verify your identity we may ask you to confirm specific account details. Authorized agents may submit requests on your behalf with a signed permission document (such as a power of attorney) and proof of the agent's own identity.

10. CHILDREN'S PRIVACY

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided personal information, we will promptly delete it.

11. THIRD-PARTY LINKS AND SERVICES

The Platform may contain links to third-party websites or services (for example, Stripe's payment pages or Google Calendar's authorization screen). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before sharing information with them.

12. CALIFORNIA PRIVACY RIGHTS (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act give you specific rights with respect to your personal information.

Categories of personal information we collect (in the last 12 months): - Identifiers (name, email, phone, IP address, account ID) - Customer records (profile photo, bio, billing information held by Stripe) - Commercial information (bookings made, sessions completed, payment history) - Internet or other electronic activity (Platform usage, device and browser info, push notification tokens) - Geolocation data (approximate, derived from IP address) - Audio and visual information (the live audio/video stream of a Session, which Vyser does not store as raw recordings; profile photos you upload; transcript text when transcription is enabled) - Professional or employment-related information (Advisor credentials and headline) - Inferences drawn from the above (e.g., topics likely of interest to a Seeker for discovery ranking)

We do not collect: biometric identifiers, precise geolocation, sensitive demographic categories (race, religion, etc.), or genetic data.

Sources: directly from you, automatically through your use of the Platform, and from third-party service providers (Stripe for payment status; Google for OAuth identity if you sign in with Google; Apple for OAuth identity if you sign in with Apple).

Business purposes for which we use this information: providing and operating the Platform, processing transactions, securing accounts and preventing fraud, communicating with you about your account, complying with legal obligations, and internal research and development of new features.

Categories of third parties to whom we disclose personal information: service providers acting on our behalf under contract (Stripe, Supabase, Sentry, Daily.co, Apple Push Notification Service, Google Firebase Cloud Messaging, our LLM-API provider for opt-in AI features), and government authorities or courts where required by law.

We do NOT sell personal information for monetary or other valuable consideration. We do NOT share personal information for cross-context behavioral advertising.

Your California rights: - Right to know what personal information we have collected about you, the sources, purposes, and recipients - Right to access a copy of that information - Right to delete personal information we hold about you (subject to legal-hold exceptions described in Section 8) - Right to correct inaccurate personal information - Right to opt out of sale or sharing (we do not sell or share, so this right is moot but available) - Right not to receive discriminatory treatment for exercising any of these rights

How to exercise these rights: email legal@vyser.co with the request type and the email address on your account. We will verify your identity using account-on-file details before responding. We will respond within 45 days (extendable once for another 45 days with notice). California residents may use an authorized agent — see Section 9.

California Shine the Light: California residents may request a list of categories of personal information that we disclosed to third parties for those third parties' direct marketing purposes in the prior calendar year. We do not disclose personal information to third parties for their direct marketing purposes; if that changes, this section will be updated.

If you are a California resident under 18 and a registered user, you may request removal of content you have publicly posted to the Platform by emailing legal@vyser.co. We will remove the content from public view, though some residual copies may remain in backups for a limited period.

13. NEVADA PRIVACY RIGHTS

If you are a Nevada resident, Chapter 603A of the Nevada Revised Statutes gives you the right to direct us not to sell certain personal information we have collected or will collect about you. As stated above, Vyser does not sell personal information. Nevada residents may still submit an opt-out request at legal@vyser.co; we will acknowledge it and confirm that no sale is taking place.

14. INTERNATIONAL DATA TRANSFERS

Vyser operates from the United States, and all of our infrastructure (Supabase, Vercel, Stripe, Sentry, Anthropic) processes data in the United States or in regions selected by those providers. If you sign up from outside the United States, you are choosing to send your personal information to a US-based service, and Vyser will store and process it accordingly.

Vyser is not currently set up to take payments from, advertise to, or actively offer the Platform to users in the European Economic Area, the United Kingdom, or Switzerland. If that changes, this section will be updated with the specific safeguards (such as Standard Contractual Clauses) that we put in place for those transfers. In the meantime, EEA, UK, and Swiss residents who sign up should understand that the comprehensive cross-border-transfer safeguards required by GDPR and the UK Data Protection Act may not currently be in place between Vyser and every sub-processor we use. To ask a specific question about your data or to request that we delete it, email legal@vyser.co.

15. DO NOT TRACK SIGNALS

Some web browsers send a "Do Not Track" (DNT) signal. The web industry has not converged on a single standard for what services should do with DNT, so most US services do not act on it. Vyser is in that category — we receive DNT signals but do not change behavior based on them. The cookie controls in your browser and the opt-out mechanisms in Sections 9 and 16 remain available to you regardless of DNT.

16. COOKIES AND SIMILAR TECHNOLOGIES

Vyser uses a limited set of cookies and similar technologies, scoped to operating the Platform:

- Essential cookies (web): required for sign-in, session management, and basic Platform function. Set by Vyser and by Supabase (our authentication and database provider) and Vercel (our hosting provider). Disabling these will prevent you from signing in. - Stripe-related cookies (web): set by Stripe when you reach checkout. Required for payment fraud prevention. Governed by Stripe's privacy policy (https://stripe.com/privacy). - Local storage (mobile): the mobile app uses device-local storage (AsyncStorage / SecureStore) to persist your session and preferences between launches. This is not a cookie but functions similarly. - No advertising or analytics cookies: Vyser does not run third-party advertising, retargeting, or behavioral-analytics cookies. We do not use Google Analytics, Facebook Pixel, IDFA, or Android Advertising ID for marketing.

You can block or delete browser cookies through your browser settings. Doing so for essential cookies will break web sign-in. For information on managing cookies in major browsers, see https://www.allaboutcookies.org/manage-cookies/.

17. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before the changes take effect.

18. CONTACT US

For questions or concerns about this Privacy Policy:

Vyser Inc. Email: legal@vyser.co