Thoryx ("Thoryx," "we," "us," or "our") is an AI-powered business automation platform that enables commercial users — businesses, professionals, consultants, and service providers — to automate client communications, appointment scheduling, CRM operations, and related business workflows. The Service is accessible at thoryx.app and any related subdomains, APIs, and mobile or desktop applications (collectively, the "Service").
This Privacy Policy explains in detail how Thoryx collects, processes, uses, stores, transfers, and protects personal data in connection with the Service. It also describes the legal bases on which we rely to process personal data and the rights you hold with respect to your data.
Thoryx is currently operated as an independent platform. As we grow, we may establish a formal legal entity and will update this Policy accordingly. Questions about this Policy or our data practices should be directed to thoryxsystems@gmail.com.
When you create a Thoryx account, we collect the information you provide directly, including your full name, email address, business name, business type or industry, and any additional profile information you choose to provide during registration or onboarding. This information is necessary to create and administer your account and to provide the Service.
We collect subscription-related information including your selected plan, billing cycle, payment status, and transaction history. Full payment card details are processed and stored exclusively by Stripe, our payment processor; Thoryx retains only tokenized payment references and billing metadata necessary to manage your subscription.
We collect and store all configurations, AI personas, system prompts, automation workflows, business rules, and other settings you create and maintain within the Service ("Configuration Data"). This data is essential to providing the Service and delivering AI-generated outputs that reflect your specified preferences.
To power AI responses and automate workflows, the Service processes and temporarily stores message content, conversation histories, booking requests, appointment records, and related communication data that flows through the Service's integrations. The specific data processed depends on the features you have enabled and the integrations you have activated.
We automatically collect data about how you interact with the Service, including: pages and features accessed, actions performed within the platform, time and frequency of use, error events and performance metrics, feature adoption patterns, and session-level behavioral data. This data is used to improve the Service, diagnose technical issues, and understand usage patterns at an aggregate level.
We collect standard technical data transmitted by your browser or device, including: IP address (used for security and geographic inference), browser type and version, operating system, device type and identifiers, screen resolution, time zone, referring URLs, and other standard HTTP headers. This data is used for security monitoring, fraud detection, and aggregate analytics.
If you contact Thoryx directly via email, support channels, or other means, we retain records of such communications, including their content, timestamps, and any personal data included in the message, solely for the purpose of responding to your inquiry and maintaining a history of our interactions.
If you participate in the Thoryx Partner Program, we collect additional data including your application details, referral tracking identifiers, referral activity and conversion data, commission accruals and payment records, and dashboard usage data. See Section 7 for further detail.
Where the GDPR or equivalent data protection legislation applies to our processing of your personal data, we rely on the following legal bases:
We use your personal data exclusively for the following purposes:
We do not sell your personal data to any third party. We do not share your personal data with advertising networks or use it for behavioral advertising. We do not use AI to make decisions about you that produce significant legal or similarly significant effects without human oversight.
To deliver the Service, Thoryx engages third-party service providers who process personal data on our behalf ("Sub-Processors"). All Sub-Processors are engaged pursuant to data processing agreements that require them to: process data only on Thoryx's instructions; implement appropriate technical and organizational security measures; not engage further sub-processors without authorization; and delete or return data upon termination of the processing relationship.
| Sub-Processor | Purpose | Location | Policy |
|---|---|---|---|
| OpenAI | AI language model — powers conversational AI responses and message generation | United States | View ↗ |
| Meta / WhatsApp | Messaging infrastructure — WhatsApp Business API delivery and receipt | United States | View ↗ |
| Twilio | SMS and communications API delivery | United States | View ↗ |
| Stripe | Payment processing, subscription management, and billing infrastructure | United States | View ↗ |
| Supabase | Database hosting, authentication, and backend infrastructure | United States | View ↗ |
| Vercel | Cloud hosting, serverless functions, and CDN infrastructure | United States | View ↗ |
| PostHog | Product analytics, session insights, and usage event tracking — EU cloud region | European Union | View ↗ |
Thoryx will maintain this list and update it when Sub-Processors are added or changed. The current version of this list is always available in this Privacy Policy. If you are an enterprise user with a data processing agreement with Thoryx, we will notify you in advance of any new Sub-Processor additions that affect your data.
This section is critical. When you use Thoryx to manage communications with your own clients, contacts, or leads, the personal data of those individuals flows through the Service. The legal responsibility for that data rests primarily with you, not Thoryx.
With respect to any personal data belonging to your clients, contacts, prospects, or other third parties that you input into, upload to, or process through the Service, you act as the independent data controller. You determine the purposes for which that data is processed, the means of processing, and the retention period. You bear full and exclusive legal responsibility for ensuring that such processing complies with all applicable data protection law, including the GDPR, CCPA, and equivalent regulations in every jurisdiction in which your contacts are located.
Thoryx processes your clients' personal data solely as a data processor, acting on your documented instructions and solely to the extent necessary to operate the Service on your behalf. Thoryx does not use your clients' data for its own commercial purposes, does not sell it to third parties, and does not process it beyond the scope of Service delivery.
As data controller for your clients' data, you are solely responsible for:
Thoryx will provide reasonable technical assistance to help you fulfill your obligations as data controller, including by supporting the deletion of client data from the Service upon your request and providing information necessary for data protection impact assessments to the extent that such information relates to Thoryx's processing activities.
If you participate in the Thoryx Partner Program, we process the following additional personal data in connection with your participation:
This data is processed for the purposes of administering the Partner Program, calculating and paying commissions, preventing referral fraud, and providing you with accurate reporting through your Partner dashboard. The legal basis for this processing is performance of the Partner Program agreement.
Partner Program data is retained for the duration of your participation plus the period required to fulfill outstanding payment obligations and comply with applicable financial record-keeping law. Commission records may be retained for a minimum of seven (7) years to comply with tax and accounting obligations.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our general retention practices are as follows:
Upon account deletion, Thoryx will initiate deletion of your personal data within 30 days, subject to any legal obligation to retain data for a longer period. Data that has been anonymized is not subject to deletion timelines, as it no longer constitutes personal data.
Thoryx operates globally, and personal data processed through the Service may be transferred to, stored in, and processed in countries outside of your country of residence — including the United States and other countries that may not offer the same level of data protection as your home jurisdiction.
Where such international transfers involve personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, Thoryx relies on appropriate transfer mechanisms to ensure adequate protection, including Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA), or other recognized legal transfer mechanisms.
By using the Service, you acknowledge that your personal data may be transferred to and processed in countries outside your jurisdiction. If you have concerns about international transfers of your personal data, please contact us at thoryxsystems@gmail.com.
Depending on your location and the applicable data protection law, you may hold some or all of the following rights with respect to your personal data. We will respond to all verified requests within the timeframe required by applicable law — typically 30 calendar days, with a possible extension of a further 60 days for complex or multiple requests.
To exercise any of the above rights, please submit a written request to thoryxsystems@gmail.com with the subject line "Data Rights Request." To protect your privacy and the security of your data, we may require you to verify your identity before processing your request. We will not charge a fee for processing legitimate requests, but reserve the right to charge a reasonable administrative fee or decline to process requests that are manifestly unfounded or excessive.
If you are located in the European Economic Area and are dissatisfied with our response, you have the right to lodge a complaint with the supervisory authority in your Member State of residence. If you are located in the United Kingdom, you may lodge a complaint with the Information Commissioner's Office (ICO).
The Thoryx platform uses AI systems to generate automated responses and support automated workflows on your behalf with respect to your clients. In the course of providing the Service, certain aspects of the Service may involve automated processing of data that influences how your clients are communicated with or served.
To the extent that the Service involves automated decision-making or profiling as defined under Article 22 GDPR or equivalent provisions, you are the data controller responsible for ensuring that such processing complies with all applicable legal requirements — including providing individuals with the right to object, the right to request human review, and the right not to be subject to solely automated decisions that produce significant legal or similarly significant effects.
Thoryx does not make automated decisions about you (as a Service user) that produce legal or similarly significant effects without human review by Thoryx staff.
The Thoryx platform uses the following categories of cookies and similar technologies:
If you access the Service through a Partner referral link, a tracking cookie or similar technology may be set in your browser to attribute your signup to the referring Partner. This cookie contains only a Partner identifier and does not contain personal data beyond what is necessary for referral attribution.
Most browsers allow you to view, manage, and delete cookies through the browser settings. Disabling strictly necessary cookies will impair the functionality of the Service. For analytics technologies, you may also opt out by adjusting your browser privacy settings or installing appropriate browser extensions.
Thoryx implements a comprehensive set of technical and organizational security measures designed to protect personal data against unauthorized access, disclosure, alteration, accidental loss, and destruction. Our security measures include, but are not limited to:
Notwithstanding the above measures, no security system is impenetrable, and no method of electronic transmission is 100% secure. Thoryx cannot guarantee the absolute security of personal data and accepts no liability for breaches that result from circumstances beyond our reasonable control, including sophisticated cyberattacks, zero-day vulnerabilities, or failures of third-party infrastructure providers. You are responsible for implementing appropriate security measures on your own systems and for safeguarding your account credentials.
In the event that Thoryx becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Thoryx will:
If you believe that a security incident has occurred affecting your Thoryx account or personal data, please notify us immediately at thoryxsystems@gmail.com with the subject line "Security Incident." We will investigate all credible reports promptly.
The Service is designed exclusively for use by adults in a commercial or professional capacity. The Service is not directed to, and may not be used by, individuals under the age of 18. Thoryx does not knowingly collect or process personal data from individuals under 18 years of age.
If you have reason to believe that a person under 18 has provided personal data to Thoryx — whether directly or through your use of the Service — please contact us immediately at thoryxsystems@gmail.com. Upon verification, we will take prompt steps to delete such data from our systems.
Equally, if you use the Service in connection with a business that serves minors, you are solely responsible for ensuring that all applicable legal requirements protecting the privacy and data rights of minors are met, including obtaining any required parental consent.
Thoryx reserves the right to update this Privacy Policy at any time in response to changes in applicable law, our data processing practices, the services we offer, or our organizational structure. The "Effective date" at the top of this page will reflect the date of the most recent revision.
For material changes — defined as changes that substantively affect your rights with respect to your personal data or our obligations under this Policy — we will provide notice via email to the address associated with your account at least fourteen (14) calendar days before the revised Policy takes effect. Non-material clarifications or corrections may be made without prior notice.
Your continued use of the Service following the effective date of any revision constitutes your acceptance of the revised Policy. If you do not agree with the revised Policy, you must discontinue use of the Service and request deletion of your account and personal data.
We encourage you to review this Privacy Policy periodically to remain informed about how we protect your data.
For all privacy-related inquiries, data subject rights requests, questions about this Privacy Policy, or to report a security concern, please contact Thoryx using the details below. We are committed to responding to all privacy inquiries promptly and transparently.
We will acknowledge receipt of your inquiry within 5 business days and will provide a substantive response within the timeframe required by applicable law. If you are located in the European Economic Area and are not satisfied with our response to a privacy complaint, you have the right to escalate your complaint to your local data protection authority.
This Privacy Policy is available in English. In the event of any conflict between a translated version and the English version, the English version shall prevail.