Privacy Policy

Last updated: March 5th, 2026

1. Data Controller

GYST is operated by:

GYST (SASU)
55 rue Saint-Louis en l'Île
75004 Paris
France

SIREN: 939 814 182
RCS Paris 939 814 182
VAT: FR12 939 814 182
Contact: hello@gyst.studio

2. Overview

GYST is a visual workspace designed to help individuals think clearly and organize ideas. GYST is available as a web application and as a mobile application for iOS and Android.

This Privacy Policy explains how we collect, use, store, and protect personal data when you use GYST, whether through the website, web application, or mobile app.

We are committed to:

• minimizing data collection
• protecting user privacy
• never selling personal data

3. Data We Collect

When using GYST, we may collect the following categories of information.

Account Information

• Name
• Email address
• Account ID
• Authentication provider (Google login if used)

Workspace Content

Content you voluntarily create inside GYST, including:

• notes
• boards
• text blocks
• visual organization data

Billing Information

Payments are processed by Stripe.

We receive:

• billing email
• billing country
• subscription status

We do not store credit card numbers.

Technical Data

For service operation and security:

• IP address
• browser type
• device type and operating system version
• device identifiers
• usage logs
• crash reports and diagnostics

Mobile App Data

When using the GYST mobile app, we may additionally collect:

• device model, OS version, and app version
• photos or files you choose to upload from your device

The mobile app only accesses device features (such as the camera or photo library) when you explicitly initiate an action that requires them. We do not access these features in the background.

4. Google User Data (OAuth)

If you sign in using Google, GYST accesses limited Google account information via Google OAuth.

Data Accessed from Google

When using Google Sign-In, GYST may access:

• your Google account email address
• your basic profile name
• your Google account identifier

GYST does not access Gmail content, Google Drive files, contacts, or calendar data.

Data Usage

Google account data is used solely to:

• authenticate your account
• create or link your GYST account
• allow secure login

Google User Data Restrictions

GYST does not:

• sell Google user data
• use Google user data for advertising
• use Google user data for AI or ML model training
• share Google user data with third parties except where necessary for service operation

5. How We Use Data

We use personal data only to operate and improve the service.

Purposes include:

• providing the GYST workspace
• maintaining user accounts
• processing subscriptions
• improving product functionality
• ensuring platform security

Legal basis under GDPR:

• Article 6(1)(b): performance of contract
• Article 6(1)(f): legitimate interest (service security and improvement)

6. Data Sharing

We share data only with essential service providers.

Payment Processing

Payments are handled by Stripe. Stripe processes billing data to manage subscriptions and payments.

Hosting Infrastructure

User data is hosted on infrastructure located in France or the European Union.

Legal Compliance

We may disclose data if required by law or regulatory authorities.

We do not sell personal data to advertisers or data brokers.

7. Data Storage & Protection

We implement technical and organizational measures to protect user data.

Security practices include:

• encrypted connections (HTTPS)
• secure authentication
• infrastructure access controls
• monitoring for suspicious activity

However, no online system can guarantee absolute security.

8. Data Retention

We retain personal data only as long as necessary.

Typical retention periods:

Data	Retention
Account data	Until account deletion
Workspace content	Until user deletes content or account
Billing records	As required by tax law
Security logs	Limited operational period

9. Data Deletion

Users may request deletion of their data at any time.

Options include:

• deleting content within the application (web or mobile)
• deleting your account from the account settings
• contacting support at hello@gyst.studio

Account deletion removes personal data within a reasonable timeframe except where legal retention is required. Deleting your account removes all associated workspace content, uploaded files, and personal information from our systems.

10. International Data Transfers

Some service providers (such as Stripe) may process data outside the European Union.

Where this occurs, transfers rely on appropriate safeguards such as:

• Standard Contractual Clauses
• EU-US Data Privacy Framework where applicable

11. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

• access your personal data
• correct inaccurate data
• request deletion
• restrict processing
• data portability
• object to certain processing

Requests may be sent to: hello@gyst.studio

You may also lodge a complaint with the French data protection authority (CNIL).

12. Changes to this Policy

We may update this Privacy Policy as the service evolves.

The latest version will always be available at:
https://gyst.studio/legal/privacy-policy