Byline Privacy Notice

How Byline collects, uses, shares, protects, retains, and deletes personal information and platform data.

Last updated: May 17, 2026

1. Scope

This Privacy Notice explains how Byline handles personal information when you visit our website, create an account, connect platform accounts, use Byline workflows, receive support, or interact with our emails and billing tools.

NHL AI Establishment, operating as No Human Labs from RRAA3054, 3054 Financial Boulevard, 6697, Al Aqeeq Dist., Riyadh, Riyadh 13519, Saudi Arabia, operates Byline and is the controller or business responsible for personal information unless a separate written agreement says otherwise.

Third-party platforms, payment providers, hosting providers, AI processing providers, and other services have their own privacy notices. Your use of those services is also governed by their terms and privacy practices.

2. Information you provide

  • Account information such as name, email address, authentication data, profile settings, language settings, and support messages.
  • Brand information such as intended readers, tone, content pillars, blocked topics, sources, uploaded files, URLs, prompts, drafts, approvals, edits, and publishing preferences.
  • Workspace and usage information such as content cards, calendars, scan jobs, agent runs, Ink usage, activity logs, settings, and feedback.
  • Payment and subscription information such as plan, billing status, payment provider identifiers, invoices, receipts, tax status, and purchase metadata. Full card or payment account details are processed by the payment provider or merchant of record and are not stored by Byline.

3. Social account and platform data

If you connect a platform account, Byline may receive and store platform account identifiers, usernames, display names, profile images, granted scopes, access tokens, refresh tokens, token expiration data, published post identifiers, post URLs, metrics, response records, and other data allowed by the platform permission you grant.

Byline never receives or stores your password for any connected platform; platform connections use authorization tokens granted by the platform.

For LinkedIn connections, Byline stores LinkedIn API content only where permitted by LinkedIn terms and your authorization, such as application-specific member identifiers, OAuth tokens, profile fields, post identifiers, company-page data, metrics, or other data needed for the enabled LinkedIn feature. LinkedIn API content is retained only as needed for the authorized feature and is identified, separated, and deleted as required by LinkedIn terms or your authorization.

Byline protects stored platform connection credentials with encryption and access controls. Those credentials are used to provide connected-account features such as publishing approved content, reading metrics, refreshing credentials, and disconnecting accounts.

4. Research, AI, and source data

Byline may process public web pages, public platform content, RSS feeds, public profile information, search results, uploaded files, YouTube transcripts, user-provided URLs, and your past approved content to create research briefs, draft posts, summaries, strategy suggestions, and analytics insights.

Byline does not use platform data, including content, profiles, metrics, or other data obtained through connected accounts, for platform-prohibited data uses, and does not redistribute platform data to third parties for those purposes. We may send necessary prompts, content, and context to carefully selected service providers so they can process your request under their service terms and data processing commitments.

5. Device, cookies, and diagnostics

We collect technical information such as IP address, device type, browser, operating system, pages viewed, referrer, session events, error logs, approximate location derived from IP address, and security signals.

Byline uses necessary cookies and local or session storage for authentication, OAuth security, preferences, onboarding state, blog attribution, billing redirects, and abuse prevention. See the Cookie Notice for details.

6. How we use information

  • Provide, secure, maintain, debug, and improve Byline.
  • Authenticate users, connect platform accounts, process OAuth callbacks, and prevent account abuse.
  • Generate research, drafts, response notes, calendars, analytics, and other requested outputs.
  • Process subscriptions, Ink purchases, invoices, refunds, support, and service communications.
  • Comply with law, platform requirements, payment provider obligations, and enforce our terms and policies.
  • Send product, support, security, billing, and account communications where permitted. You can unsubscribe from optional email updates.

7. Legal bases

Where privacy law requires a legal basis, Byline processes account, product, connected-account, billing, and support data as needed to perform our contract with you; to comply with legal, tax, accounting, payment, and platform obligations; based on your consent for optional connections, email updates, or cookies where required; and for legitimate interests such as security, fraud prevention, service improvement, support, and product analytics where those interests are not overridden by your rights.

8. Sharing and service providers

We share information with service providers only as needed to operate Byline, including hosting, database, authentication, storage, payment, email, error monitoring, security, AI processing, web research, analytics, support, and connected-platform providers.

We generally describe providers by function rather than publishing implementation details. Where a law, contract, or platform review requires provider-specific information, we can provide appropriate details through a private review or support channel.

Where a connected platform requires a data-processing addendum, deletion obligation, audit right, security commitment, or similar platform-data term, Byline handles the covered platform data according to that applicable platform requirement.

Business customers may request our Data Processing Agreement and current function-level service-provider list at support@byline.work. We aim to provide those materials within five business days of a verified written request, subject to appropriate confidentiality, security, and legal review.

9. Platform data boundaries

Byline uses connected platform data only to provide the features you request or authorize, maintain security, comply with platform rules, and troubleshoot support issues. We do not sell platform data, use it for unrelated advertising, or transfer it to data brokers.

LinkedIn API content is not used for ad targeting, large-scale messaging, eligibility decisions, surveillance, discrimination, platform-prohibited data uses, or any purpose outside the LinkedIn-connected feature you authorize.

If a platform imposes additional deletion, retention, display, audit, or data-use restrictions, Byline may apply those restrictions to your account and related data.

10. Retention and deletion

We retain account, workspace, brand, draft, scan, analytics, and connected-platform records while your account or the relevant connection is active, or as needed to provide the service, comply with legal and payment obligations, resolve disputes, enforce agreements, maintain security, and keep business records.

After a verified account-deletion or platform-disconnect request, we aim to delete or de-identify covered account data and connected-platform credentials within 30 days where technically feasible, unless a shorter period is required by law or platform policy or a longer period is needed for a permitted retention reason.

Support correspondence is generally retained for up to 24 months unless a longer period is needed for legal, security, audit, platform, or dispute reasons. Billing, tax, accounting, security, and fraud-prevention records may be retained for the period required by applicable law, payment rules, or accounting obligations, and in many cases up to seven years.

You can request deletion of account data or connected platform data as described in the Data Deletion Instructions. Some records may be retained for a limited period for security, audit, legal, tax, billing, backup, or fraud-prevention reasons.

11. Privacy rights

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing of personal information. You may also have the right to appeal a privacy decision or complain to a regulator.

EEA, UK, and similar-region users may also have the right to lodge a complaint with a data protection supervisory authority. California residents may have rights to know, delete, correct, access, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising those rights.

Saudi Arabia data subjects may have rights under the Saudi Personal Data Protection Law, including rights to be informed, access personal data, obtain a copy of personal data where applicable, request correction, and request destruction of personal data, subject to legal limits.

Byline does not sell personal information or share it for cross-context behavioral advertising as those terms are used in California privacy law. We do not use sensitive personal information to infer characteristics about you beyond what is necessary to provide, secure, and support the service.

During the preceding 12 months, Byline may have collected the categories described in Section 2 and disclosed them to service providers for the business purposes described in this notice. Byline has not sold or shared those categories for cross-context behavioral advertising.

To exercise rights, contact support@byline.work. We may need to verify your identity and authority before completing a request.

12. International processing

Byline may process information in Saudi Arabia, the United States, and other countries where we or our providers operate. Those countries may have data protection laws different from where you live.

Where required, we use appropriate transfer safeguards such as data processing terms, standard contractual clauses or equivalent transfer terms, approved adequacy or transfer mechanisms, valid consent where applicable, or other legally recognized mechanisms for the relevant jurisdiction. Where Saudi PDPL applies, we assess cross-border transfers under applicable PDPL requirements.

13. Children

Byline is not directed to children under 13, or below the minimum age for data-processing consent in your jurisdiction where that age is higher. It is also not intended for users who are below the age required to use the connected platforms in their location. Do not use Byline if you are not old enough to enter into these terms or to authorize connected platform access.

14. Contact

Questions or requests about privacy can be sent to support@byline.work.

These pages are maintained for transparency and platform review. For legal, billing, privacy, or security questions, contact support@byline.work.