Privacy Policy

Last updated: April 23, 2026

1. Introduction

Pyrelo ("we," "us," or "our") operates the work dashboard application available at pyrelo.in. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. Pyrelo offers two plans: Hosted (we manage the database) and Own DB (you bring your own Supabase project). In both cases, your operational data is isolated and protected.

2. Data We Collect

2.1 Purchase Information

When you purchase a Pyrelo license, we collect:

  • Your name, email address, company name, and team size
  • Razorpay order ID and payment ID (not card/UPI details — those stay with Razorpay)

This information is used to create your license, send credentials via email, and manage your subscription. Purchase records are logged in Google Sheets for order management.

2.2 Supabase Credentials (Own DB Plan)

If you use the Own DB plan, you submit your Supabase project credentials (Project URL, anon key, service role key, and database password). These are used to:

  • Provision your database schema (create tables, policies, indexes)
  • Connect your dashboard to your database

Your service role key, database password, and access token are encrypted at rest in our master database using AES-256-GCM. The encryption key is held outside the database in our server environment, so a database-only compromise cannot expose your credentials. These secrets are never sent to your browser — they are resolved on our server per request and held only in process memory for the duration of each request. We do not use these credentials to access, read, or extract your operational data.

2.3 Hosted Plan Data

If you use the Hosted plan, we manage the database on your behalf. Your operational data (tasks, messages, finances, etc.) is stored in a shared Supabase project with team-level isolation. Each team's data is separated using team IDs and row-level security policies. We have administrative access to this database for maintenance purposes but do not access your data unless required for support.

2.4 API Keys and Integrations

We store the following optional credentials that you provide:

  • Groq API key — stored in your profile for AI features. You can remove it anytime from Settings.
  • Google Drive OAuth tokens — stored in browser cookies for file storage. Revoke access from your Google account settings.

2.5 Meeting Room Guests

When external guests join a Meeting Room, we collect their name and email address for OTP verification. OTP codes are hashed before storage. Guest session tokens are stored in HTTP-only cookies (30-day expiry). Chat messages between hosts and guests are stored in the database.

2.6 Your Operational Data

All data you create through the dashboard — tasks, financial records, calendar events, timesheet entries, goals, notes, chat messages (DMs, channels, groups), leave requests, meeting room conversations, and files — is stored in your database (your own Supabase project for Own DB, or our managed database for Hosted). The Pyrelo frontend communicates directly with the database from the browser.

3. How Data Is Stored

Pyrelo offers two storage models:

Own DB Plan

  • Your operational data lives in your own Supabase project that you create and control.
  • We store your Supabase credentials (URL, keys, database password) in our master database to provision and connect your dashboard. The service role key, database password, and access token are encrypted at rest with AES-256-GCM.
  • The dashboard connects directly from your browser to your database — our servers are not involved in day-to-day data access.
  • You have full, direct access to your database through Supabase's own dashboard at all times.

Hosted Plan

  • Your data is stored in a Supabase project managed by us.
  • Each team's data is isolated using team IDs and row-level security. No team can see another team's data.
  • We have administrative access to the database for maintenance and support.
  • You can export your data as CSV at any time.

Both Plans

  • Row-level security (RLS) policies ensure each user can only access their own data.
  • Admins can manage users, approve leaves, and view team timesheets, but cannot access personal finance, notes, or private messages.
  • All database connections use SSL/TLS encryption.
  • Passwords are hashed — we never store or see plain-text passwords.

4. Payment Data

Payments are processed securely by Razorpay, a PCI-DSS compliant payment gateway. We do not collect, store, or have access to your credit card number, debit card number, UPI PIN, net banking credentials, or any other payment instrument details. Razorpay handles all payment processing, and we only receive confirmation of successful payment along with a transaction identifier. For Razorpay's privacy practices, please refer to Razorpay's Privacy Policy.

5. Cookies and Local Storage

Pyrelo uses browser localStorage and cookies:

localStorage (your device only)

  • License key and company info — to connect to your database.
  • Theme, accent color, sidebar preferences — to persist visual settings.
  • Groq API key — cached locally for AI features.
  • Demo mode flag — if using the demo version.

HTTP-only Cookies

  • pyrelo_url — routing identifier telling our server which Supabase project to connect to for your requests. Contains no secrets — just a Supabase URL (30-day expiry, strict same-site).
  • Google Drive tokens — OAuth access/refresh tokens for file storage.
  • Meeting room session tokens — guest authentication for meeting rooms (30-day expiry).

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. Supabase sets its own cookies for authentication as part of its standard client library.

6. Third-Party Services

Pyrelo integrates with the following third-party services. Each integration is optional and initiated by you:

Supabase

Provides your isolated PostgreSQL database and user authentication. Your data is stored in Supabase's infrastructure according to their security and privacy policies. You maintain full ownership and control of your Supabase project.

Razorpay

Handles payment processing for license purchases. Razorpay collects and processes payment information according to their own privacy policy and PCI-DSS requirements.

Resend

We use Resend to send transactional emails (e.g., license key delivery, setup instructions) from noreply@pyrelo.in. We share your email address with Resend solely for the purpose of delivering these communications.

Google Drive

If you enable the Google Drive integration, files you upload through the dashboard are stored in your own Google Drive account. Pyrelo does not store copies of these files. Access is governed by your Google account permissions.

Google Sheets

We use Google Sheets internally to log purchase transactions for our own record-keeping. This includes your name, email, company name, team size, and license details. This data is not shared publicly.

Groq

Powers the AI Tools feature (summaries, email drafts, action parsing). When you use AI features, your prompt and relevant work context are sent to Groq's API for processing. You can use our shared key (20 requests/day) or provide your own free Groq API key for unlimited usage. Your API key is stored in your profile in the database.

7. Data Ownership

You own all data created through Pyrelo. We do not claim any ownership or intellectual property rights over your data.

  • Own DB plan: Your data lives in your Supabase project. You have full direct access via Supabase dashboard, SQL editor, and API. Export via CSV or direct database queries anytime.
  • Hosted plan: Your data is in our managed database but is still yours. Export via CSV from every tab. If you cancel, contact us to receive a full data export.
  • Your data is stored in standard PostgreSQL format and is fully portable.

8. Data Deletion and Cancellation

You have full control over data deletion:

  • Own DB: Delete records from the dashboard, use "Reset All Data" (admin only), or manage directly via Supabase. If you cancel, your database remains untouched.
  • Hosted: Admin can clear data from the dashboard. If you cancel, contact us for a data export or deletion.
  • Admins can clear individual user data or delete users entirely from Manage Users.
  • Meeting room data can be deleted by the host by removing the room.
  • To request deletion of your purchase information (name, email, company) from our records, contact us at pyrelo.in/#contact. We process requests within 30 days.

We store Supabase credentials (URLs, keys, database passwords) for Own DB customers in our master database. These are deleted when you delete your license. If you want immediate credential removal, contact us.

9. Data Security

We take reasonable measures to protect the information we handle:

  • All connections use SSL/TLS encryption (HTTPS).
  • User passwords are hashed by Supabase — we never see or store plain-text passwords.
  • Own DB customer secrets (Supabase service role key, database password, access token) are encrypted at rest with AES-256-GCM. The encryption key is held in our server environment, outside the database, so a database-only compromise cannot expose these values.
  • Customer credentials are never stored in your browser — they stay server-side, resolved per request and held only in process memory for the duration of that request.
  • Webhooks that notify our operations tools about license events replace sensitive fields with a redaction marker before sending, so plaintext credentials never reach those systems.
  • Meeting room OTP codes are SHA-256 hashed before storage.
  • Row-level security (RLS) policies enforce data isolation at the database level.
  • API routes validate authentication before any destructive operation.
  • External URLs supplied as part of your Supabase credentials are validated, and only legitimate Supabase domains are accepted.

However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Children's Privacy

Pyrelo is a business productivity tool intended for use by professionals and organizations. We do not knowingly collect personal information from children under the age of 18. If you believe a child has provided us with personal information, please contact us and we will take steps to delete such information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, please reach out using our contact form at pyrelo.in/#contact.