ProductDemo & Pricing

Tyle Privacy Policy

Last Updated: March 6, 2026

This Privacy Policy explains how Tyle Labs, Inc. ("Tyle," "we," "us," or "our") collects, uses, and discloses information when you use our websites (including tyle.sh, mosaic.tyle.sh, session.tyle.sh), platform, and services (collectively, the "Service"). It also describes your choices about your data.

By using the Service, you agree to the collection and use of information as described in this Privacy Policy.

1. Scope and Related Documents

This policy applies to information we process when you use the Service, including our main application, interview sessions, and API.

Related documents:

  • Data Processing Addendum (DPA) — available upon request for enterprise customers

Two categories of users. Tyle processes data in two distinct contexts:

  • Platform Users: Product teams and organizations that use Tyle to conduct research (account holders). Sections 2–10 of this policy apply primarily to Platform Users.
  • Interview Participants: Individuals who participate in Tyle-powered research interviews. See Section 11 for participant-specific disclosures.

2. Roles: Controller vs. Processor

Under GDPR and similar laws, Tyle may act as either a data controller or a data processor, depending on context:

ContextRoleExplanation
Account creation, billing, security, marketingControllerWe decide what to collect and why.
Processing interview data on behalf of a Customer organizationProcessorThe Customer organization decides the purposes; we process on their behalf.

When we act as a processor, our Customer's privacy policy governs their use of participant data. Our processing is governed by our agreement with the Customer (including any applicable DPA), not this Privacy Policy alone.

3. Personal Information We Collect

A. Information You Provide Directly

CategoryExamplesLegal Basis (GDPR Art. 6)
Account InformationName, email address, organization name, rolePerformance of contract (Art. 6(1)(b))
Billing InformationBilling contact details, payment metadata (card details handled by Stripe)Performance of contract (Art. 6(1)(b))
Customer ContentResearch plans, interview configurations, uploaded documents, integration dataPerformance of contract (Art. 6(1)(b))
Interview DataAudio/video recordings, transcripts, text responses, and participant-provided informationConsent (Art. 6(1)(a)) or Legitimate interest (Art. 6(1)(f))
Support CommunicationsMessages and files you share when contacting supportLegitimate interest (Art. 6(1)(f))
Integration CredentialsAPI keys for Zendesk, Intercom (stored encrypted at rest)Performance of contract (Art. 6(1)(b))

B. Information Collected Automatically

CategoryExamplesLegal Basis
Device & Browser DataIP address, browser type, operating system, device identifiersLegitimate interest (Art. 6(1)(f))
Usage DataPages visited, features used, interaction timestamps, session durationLegitimate interest (Art. 6(1)(f))
Log DataServer logs, error reports, performance metricsLegitimate interest (Art. 6(1)(f))

C. Information from Third Parties

  • Authentication Providers: If you sign in via Google or another SSO provider, we receive your name, email, and profile picture as permitted by your SSO settings.
  • Integrations You Enable: When you connect Zendesk, Intercom, or other third-party services, we receive ticket data, customer feedback, and related metadata at your direction.

4. How We Use Information

We use the information we collect to:

  1. Provide and operate the Service — including conducting AI-powered interviews, generating research reports, and delivering market intelligence.
  2. Process payments — manage subscriptions, invoicing, and billing via Stripe.
  3. Authenticate users and enforce security — verify identity, prevent fraud, enforce rate limits.
  4. Improve the Service — analyze usage patterns, diagnose technical issues, and develop new features.
  5. Communicate with you — send transactional emails (invitations, reports, account updates) and, where permitted, marketing communications.
  6. Comply with legal obligations — respond to lawful requests, enforce our Terms, and protect rights and safety.

5. AI and Machine Learning

The Service includes AI features that process inputs (including Customer Content and Interview Data) to generate outputs such as research reports, interview transcripts, summaries, and market intelligence insights ("Output").

You should know:

  • No training on Customer Content. We do not use your Customer Content or Interview Data to train general-purpose AI models. Your data is used solely to provide the Service to you.
  • Aggregated improvements. We may use aggregated and de-identified data derived from use of the Service to maintain, improve, and develop the Service (including performance, reliability, and safety). We do not attempt to re-identify de-identified data except as required by law.
  • Third-party AI providers. We use third-party AI providers as subprocessors to provide the Service. These may include providers such as OpenAI, Google, Anthropic, and others. Providers are listed in our subprocessor list and process data under contractual restrictions that prohibit them from using your data for their own training purposes. We may change AI providers from time to time; when we do, we will update our subprocessor list.
  • Output accuracy. AI-generated Output may be inaccurate, incomplete, or inappropriate. You are responsible for reviewing and validating all Output before relying on it.

6. How We Share Information

We do not sell your personal information. We share information only in the following circumstances:

A. Service Providers and Subprocessors

We share personal information with vendors that help us operate the Service, under contracts that limit their use of personal data. Current categories include:

Provider CategoryExamplesPurpose
Cloud Infrastructure & DatabaseSupabase, Railway, VercelHosting, storage, compute, rate limiting, session management
AI & Machine LearningOpenAI, Google, Perplexity, TavilyInterview AI, research agent, web search
Speech ProcessingOpenAI, ElevenLabs, LemonFoxText-to-speech, speech-to-text
PaymentsStripeSubscription billing
EmailResendTransactional email delivery
AnalyticsPostHogProduct analytics and usage insights
Error MonitoringSentryError tracking and diagnostics
Background ProcessingUpstashAsync job queuing and task orchestration

B. Customer Organizations (Interview Data)

When an interview is conducted on behalf of a Customer organization, interview responses, recordings, transcripts, and AI-generated insights are shared with that Customer. The Customer's own privacy policy governs their subsequent use of this data.

C. Integrations You Enable

If you connect third-party services (e.g., Zendesk, Intercom), you authorize us to access and process data from those services as necessary to provide the integration. Those services are governed by their own terms and privacy policies.

D. Legal, Safety, and Enforcement

We may disclose information if required to comply with law, valid legal process, or government requests, or to protect rights, safety, and security.

E. Business Transfers

In connection with a merger, acquisition, financing, or asset sale, your information may be transferred as part of that transaction. We will notify you of any such change.

7. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential/Authentication: Session management, CSRF protection, and login persistence.
  • Analytics: We use PostHog to understand how the Service is used, diagnose issues, and improve performance and reliability. PostHog may set cookies and collect usage data such as pages visited, features used, and session duration. We may use additional analytics services (such as Google Analytics) in the future; if we do, we will update this policy.
  • Preferences: Remembering your settings and choices.

We do not use cookies for cross-site advertising or behavioral targeting.

You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.

8. Data Storage, Transfers, and Retention

Storage and Security

Your data is stored on servers in the United States, operated by our infrastructure providers (Supabase, Railway, Vercel). We implement industry-standard security measures including:

  • Encryption in transit (TLS) and at rest
  • Row-Level Security (RLS) for multi-tenant data isolation
  • Encrypted credential storage for integration API keys (Fernet encryption)
  • Rate limiting on authentication and API endpoints
  • Role-based access controls

International Transfers

If you are located outside the United States, your data will be transferred to and processed in the United States. Where required by law (e.g., GDPR), we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Your explicit consent where other mechanisms are unavailable

Retention

We retain personal data for as long as reasonably necessary to:

  • Provide the Service and fulfill our contractual obligations
  • Comply with legal obligations (e.g., tax, audit requirements)
  • Resolve disputes and enforce agreements
  • Maintain security and prevent fraud

Specific retention periods:

Data TypeRetention Period
Account informationDuration of account + 30 days after deletion
Interview recordings and transcriptsAs defined by the Customer organization, or 12 months from creation if no period specified
Billing records7 years (tax/legal requirements)
Server logs90 days
De-identified analyticsIndefinitely

When data is no longer needed, we delete or de-identify it in accordance with our data retention schedule.

9. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights:

RightDescriptionAvailable Under
AccessRequest a copy of your personal dataGDPR, CCPA
CorrectionUpdate or correct inaccuraciesGDPR, CCPA
DeletionRequest deletion of your personal dataGDPR, CCPA ("Right to Delete")
PortabilityReceive your data in a structured, machine-readable formatGDPR
RestrictionRestrict certain processing activitiesGDPR
ObjectionObject to processing based on legitimate interestGDPR
Withdraw ConsentWithdraw consent at any time (without affecting prior processing)GDPR
Opt Out of Sale/SharingWe do not sell or share personal data for cross-context behavioral advertisingCCPA/CPRA
Non-DiscriminationWe will not discriminate against you for exercising your rightsCCPA

How to exercise your rights: Contact us at or use account self-service features where available. We will respond within:

  • GDPR: 30 days (extendable by 60 days for complex requests)
  • CCPA: 45 days (extendable by 45 days)

If you are an interview participant and your data was collected on behalf of a Customer organization, please contact that organization first. We will assist as required under our agreement with them.

Marketing opt-out: You can unsubscribe from marketing emails at any time via the link in the message or by contacting us.

10. California-Specific Disclosures (CCPA/CPRA)

Categories of personal information collected (in the preceding 12 months): Identifiers, commercial information, internet/electronic network activity, professional/employment information, and inferences.

Sale and sharing. Tyle does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

Service provider commitments. When we process personal information on behalf of Customer organizations, we act as a "service provider" under the CCPA. We:

  • Process personal information only for the business purposes specified in our agreement
  • Do not sell or share personal information received from Customers
  • Do not retain, use, or disclose personal information outside the direct business relationship
  • Comply with applicable CCPA obligations and provide attestations upon reasonable request

11. Interview Participants

If you participate in a research interview conducted through the Tyle platform:

What We Collect

  • Interview responses: Audio/video recordings, transcripts, and text responses you provide during the interview.
  • Technical data: IP address, device information, and browser settings to ensure a stable interview experience.

How Participant Data Is Used

  • Conduct the interview: Record, process (including AI transcription and analysis), and deliver insights to the commissioning organization (the "Research Organization").
  • Service improvement: Use aggregated, de-identified data to improve platform functionality and performance.

How Participant Data Is Shared

Your interview responses are shared with the Research Organization that commissioned the study. We do not sell participant data to third parties or use it for advertising.

Participant Rights

You have the same rights described in Section 9 above. To exercise these rights, contact us at or contact the Research Organization directly.

12. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected data from a child, please contact us at and we will promptly delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top indicates when it was last revised.

  • Material changes: We will provide notice via email or prominent notice on the Service at least 30 days before the changes take effect.
  • Non-material changes: Updated versions will be posted on our website.

Your continued use of the Service after changes take effect constitutes your acknowledgment of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, or wish to exercise your rights, please contact us at:

Tyle Labs, Inc. 300 Creek View Road, Suite 209 Newark, DE 19711 United States

If you are in the EU or UK, you also have the right to lodge a complaint with your local data protection authority.