Legal

Privacy Policy

Last updated · July 13, 2026

Lyon trains a foundation model for each enterprise on its own data, deployed inside that enterprise's own cloud. This policy explains what information we collect through our website and business relationships, how we use it, and the commitments we make about customer data. Our core promise is simple: your business data is trained on and served from inside your perimeter, and it never leaves it.

We honor the data-protection rights of visitors wherever they live. This website and our handling of personal data are designed to comply with Brazil's Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018) and the EU General Data Protection Regulation (GDPR): analytics runs only with your opt-in consent, fonts and assets are served from our own domain, and the rights described below are available to you regardless of jurisdiction.

Contents
  1. Who this policy covers
  2. Information we collect
  3. Customer enterprise data
  4. How we use information
  5. How we share information
  6. Security
  7. Data retention
  8. Your rights & choices
  9. Data deletion requests
  10. Brazil: LGPD
  11. International transfers
  12. Changes to this policy
  13. Contact us

Who this policy covers

This Privacy Policy applies to Lyon ("Lyon", "we", "us", or "our") and to information we handle when you visit lyon.so, contact us, book a demo, apply for a role, or otherwise interact with our website and team. It draws an important distinction between two very different categories of data:

  • Website & business-contact data — information about visitors and prospective customers that we, as a controller, collect through our site and communications.
  • Customer enterprise data — the transactional and behavioral data a customer uses to train and run their foundation model. This data is handled under our agreement with that customer, stays inside their cloud environment, and is governed by Section 3.

Information we collect

When you interact with our website or team, we may collect:

  • Contact details you provide, such as your name, work email, company, and role, when you book a demo, email us, or apply for a job.
  • Communications, the content of messages you send us and notes from calls or meetings, so we can respond and evaluate a potential engagement.
  • Usage & device data, basic technical information such as your IP address, browser type, referring page, and pages viewed, collected automatically when you visit lyon.so.

Cookies and analytics

Our website sets no analytics or advertising cookies by default. The only optional measurement we use is Google Analytics, and it loads exclusively after you click "Accept" in the cookie banner — until then, no request is made to Google and no analytics cookie is set. Your choice is stored on your device, and you can change it at any time through the "Cookie preferences" link in the footer; declining or withdrawing consent removes analytics cookies and stops all measurement. Fonts and other assets are served from our own domain, so simply visiting the site does not send your data to third parties. We do not use our website to build advertising profiles or sell personal information.

Customer enterprise data

The data a customer uses to train and operate a Lyon foundation model, transactions, orders, claims, sessions, payments, and other business events, is the customer's data. When we process it, we do so as a processor acting on that customer's instructions under a written agreement.

  • It stays in your cloud. Training and inference run entirely inside your own cloud environment (your VPC). Your enterprise data does not cross your perimeter, not during training and not in production.
  • Your model, your weights. The foundation model is trained on your data alone and belongs to you. It is a proprietary asset that no competitor can buy, rent, or replicate.
  • No cross-customer pooling. One company, one model. Your data is never mixed with any other customer's data, never used to improve another customer's model, and never used to train a general-purpose model.
  • Not retained by us. Because your data and model live in your environment, we do not retain your enterprise data on our own systems.
  • Full auditability. Access controls, audit logs, and reproducible training runs are available from day one, so your security team can review every path your data can take, all of them internal to your environment.

If you are an individual whose data is included in a customer's dataset, the customer is the controller of that data. Please direct any requests to that organization; we will support them in responding as required by our agreement and applicable law.

How we use information

We use the website and business-contact information described above to:

  • Respond to your inquiries and schedule and conduct demos.
  • Evaluate, establish, and manage a business relationship or pilot.
  • Operate, maintain, secure, and improve our website.
  • Consider your application if you apply to join our team.
  • Comply with legal obligations and enforce our agreements.

We rely on legal bases including your consent, our legitimate interest in running and growing our business, and the steps necessary to enter into or perform a contract with you or your organization. Under the LGPD, these correspond to the legal bases in Article 7: consent (Art. 7, I — used for analytics), performance of a contract or preliminary procedures (Art. 7, V — used when you request a demo or enter an engagement), compliance with legal obligations (Art. 7, II), and legitimate interest (Art. 7, IX — used for securing and operating the website, always balanced against your rights).

How we share information

We do not sell your personal information. We share information only in limited circumstances:

  • Service providers who help us run our business, under contracts that restrict their use of the data. Today these are: Vercel Inc. (website hosting and content delivery), Cal.com, Inc. (demo scheduling — data you enter when booking a demo is collected on their pages under their privacy policy), and Google LLC (Google Analytics — only if you opt in via the cookie banner).
  • Legal and safety reasons, where we are required to by law, or to protect the rights, safety, and property of Lyon, our customers, or others.
  • Business transfers, in connection with a merger, acquisition, or sale of assets, subject to this policy.

Security

Security is central to how Lyon is built. Customer enterprise data is processed inside the customer's own cloud, behind their existing controls, with access controls, audit logging, and reproducible training runs. For the website and business-contact data we hold, we apply administrative, technical, and organizational safeguards appropriate to the sensitivity of the information. No method of transmission or storage is completely secure, but we work to protect your information and to limit access to those who need it.

Data retention

We keep website and business-contact information only as long as needed for the purposes described in this policy, to maintain our relationship with you, to meet legal and accounting obligations, and to resolve disputes, after which we delete or anonymize it. Retention of customer enterprise data is governed by the applicable customer agreement, and that data remains within the customer's environment.

Your rights & choices

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, to object to or restrict certain processing, and to withdraw consent. You can also unsubscribe from our emails at any time using the link in the message or by contacting us.

To exercise any of these rights, email privacy@lyon.so, or use the data deletion request form below. We will respond within the timeframes required by applicable law. If your data is held by us on behalf of a customer, we will refer your request to that customer.

Data deletion requests

Use this form to request deletion of the personal information Lyon holds about you (contact details, communications, demo bookings, job applications). Consistent with our no-third-parties approach, the form sends nothing to our servers or to any external service: submitting it opens a pre-addressed request to privacy@lyon.so in your own email app, so the request comes verifiably from your address.

The button opens your email app with the request pre-filled — review and hit send. If nothing opens, email privacy@lyon.so directly with the subject "Data deletion request". We confirm receipt and complete verified requests free of charge within the timeframes required by the LGPD, GDPR, and other applicable law. If your data is part of a customer's dataset, that customer is the controller and we will refer your request to them.

Brazil: LGPD

If you are in Brazil, or your personal data is otherwise processed in connection with Brazil, the Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018) applies to that processing, and Lyon acts as the controller (controlador) of the website and business-contact data described in this policy. In addition to the rights above, Article 18 of the LGPD gives you the right to obtain, at any time and upon request:

  • Confirmation that we process your personal data, and access to that data.
  • Correction of incomplete, inaccurate, or outdated data.
  • Anonymization, blocking, or deletion of unnecessary or excessive data, or of data processed in violation of the LGPD.
  • Portability of your data to another provider, subject to ANPD regulations.
  • Deletion of personal data processed on the basis of your consent.
  • Information about the public and private entities with which we have shared your data.
  • Information about your option not to provide consent and the consequences of refusing, and revocation of consent at any time.

Our designated data protection officer (encarregado, LGPD Art. 41) can be reached at privacy@lyon.so and is the point of contact for data subjects and the Autoridade Nacional de Proteção de Dados (ANPD). You also have the right to petition the ANPD directly regarding our processing of your data. Requests are honored free of charge within the timeframes the LGPD establishes.

International transfers

We operate internationally, and the website and business-contact information we collect may be processed in countries other than your own, including the United States. Where required, we use appropriate safeguards to protect information transferred across borders: standard contractual clauses for transfers subject to the GDPR, and, for transfers subject to the LGPD, the mechanisms of Articles 33–36 (including standard contractual clauses approved by the ANPD and contractual guarantees of a level of protection equivalent to the LGPD). Customer enterprise data is processed within the customer's chosen cloud region under their agreement and is not transferred by us across borders.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of our website after an update means you accept the revised policy.

Contact us

If you have questions about this policy or how we handle data, contact our data team at privacy@lyon.so. For general inquiries you can reach us at founders@lyon.so.