The protection of personal data is our highest priority. This Privacy Policy provides transparent information about which personal data is processed in connection with the cloud-based project management service LYRIA, for what purposes, on what legal basis, and which rights data subjects have.

This Privacy Policy applies to all means of accessing LYRIA (web application, mobile applications, API access, and other digital interfaces). The German version shall prevail. German law shall apply.

1. Controller

siteface UG (haftungsbeschränkt)
Brüderweg 252
57074 Siegen
Germany
Email: team@siteface-solutions.com
Phone: +49 (0)271 2503232
Website: https://www.siteface-solutions.com
Data protection inquiries: team@siteface-solutions.com

A data protection officer is appointed where legally required.

2. Allocation of Roles When Used by Companies (B2B Use)

2.1 Use by Companies / Organizations

If LYRIA is used by companies, public authorities, or other organizations (e.g. as part of a workspace or team account), the following generally applies:

• The respective company is the controller within the meaning of Art. 4 No. 7 GDPR.
• siteface UG acts as the processor within the meaning of Art. 4 No. 8 GDPR.
• In this case, we process personal data exclusively on the documented instructions of the respective customer.

2.2 Data Processing Agreement (DPA)

For business customers, we provide a data processing agreement pursuant to Art. 28 GDPR. This agreement governs in particular:

• Subject matter and duration of processing
• Type and purpose of processing
• Categories of data subjects
• Technical and organizational measures (TOMs)
• Subprocessor arrangements
• Audit and cooperation obligations

The DPA can be requested through the customer area or concluded electronically.

3. Categories of Data Processed

Depending on the context of use, we process the following data:

3.1 Account Data

• Email address
• Username
• Display name
• Password (hashed only; no storage in plain text)

Legal basis: Art. 6 (1) lit. b GDPR

3.2 Profile Data (Voluntary Information)

• Profile picture
• Role / position details
• Optional contact information

Legal basis: Art. 6 (1) lit. b GDPR or lit. a GDPR in the case of voluntary additional information

3.3 Content Data (Customer Data)

Depending on use, the following content may be processed:

• Project and task data
• Comments
• Files and attachments
• Scheduling and status information
• User assignments within teams

In B2B use, processing takes place exclusively within the scope of the DPA.

3.4 Technical Usage and Log Data

• IP address
• Timestamps
• Accessed functions
• Browser / device information
• Error and security logs

Legal basis: Art. 6 (1) lit. f GDPR (IT security and system stability)

4. Purposes of Processing

Processing is carried out in particular for the following purposes:

• Provision and operation of the platform
• Authentication and user management
• Team and permission management
• Security monitoring
• Error analysis
• Support
• Billing and contract management

5. Hosting and Infrastructure

LYRIA is operated within the European Union. Data processing takes place on servers located in the EU using appropriate technical and organizational security measures. Our hosting providers are contractually bound as processors.

Data is transferred to third countries only if:

• this is technically necessary,
• appropriate safeguards are in place (e.g. Standard Contractual Clauses or the EU-US Data Privacy Framework),
• or explicit consent has been given.

6. Subprocessors / Processors

To provide the service, we use specialized service providers, in particular for:

• Hosting
• Email delivery
• Payment processing
• Monitoring and system supervision

All service providers are contractually bound in accordance with Art. 28 GDPR. An up-to-date list of subprocessors can be provided upon request.

7. Cookies and Consent Management

We use technically necessary cookies in order to:

• Enable login sessions
• Ensure security
• Store language preferences

Legal basis: Art. 6 (1) lit. b and lit. f GDPR.

Optional analytics or marketing technologies are activated only after consent has been given. Consent may be withdrawn at any time via the consent tool.

8. Web Analytics and Tracking (If Enabled)

If web analytics are used (e.g. GA4), this is done solely on the basis of your consent. In this context, pseudonymized usage data may be processed. Data transfers to third countries cannot be ruled out and take place on the basis of appropriate safeguards.

9. Mobile Apps

When using the mobile applications, the following may be processed:

• Device IDs
• Push tokens
• App version
• Technical diagnostic information

Push notifications can be disabled at any time in the device settings. If the app is downloaded through app stores, the privacy policies of Apple or Google also apply.

10. Retention Period

Personal data is stored only as long as:

• this is necessary for the performance of the contract
• statutory retention obligations apply
• legitimate interests in legal defense exist

Technical log files are generally deleted or anonymized no later than after 30 days, unless security-related incidents exist.

11. Account Deletion and Data Deletion Requests

Users may request deletion of their LYRIA account and the associated personal data at any time.

11.1 How Deletion Can Be Requested

Deletion can be initiated in the following ways:

• directly in the LYRIA app via Settings > “Delete Account”
• via our information page for data deletion requests: https://www.lyria-app.com/delete-request/
• alternatively by email to support@lyria-app.com

11.2 Which Data Will Be Deleted

After receipt and verification of the request, we will delete the user account and the personal data associated with it, unless statutory retention obligations or other legal reasons prevent immediate deletion.

11.3 Retention of Residual Technical Data

Technical logs, backups, or residual data that must be retained for system-related reasons may remain stored temporarily for security and recovery purposes and will then be deleted automatically, generally within 30 days.

11.4 B2B / Workspace Accounts

If LYRIA is used as part of a company or workspace account, the deletion of individual user-related data may additionally depend on the requirements or instructions of the respective workspace controller. In this case, data subjects may also contact their administrator.

11.5 Note on Irreversibility

Once deletion has been completed, the account generally cannot be restored.

12. Data Security

We implement appropriate technical and organizational measures (TOMs), in particular:

• TLS encryption
• Role-based access control
• Authorization concepts
• Logging
• Backup and recovery procedures
• Regular security reviews

13. Rights of Data Subjects

Data subjects have the following rights:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
• Withdrawal of consent (Art. 7 (3) GDPR)

In the context of B2B use, data subjects should generally contact their employer or workspace administrator. In addition, there is a right to lodge a complaint with a data protection supervisory authority.

14. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy if legal requirements or the service itself change. We will provide transparent information about any material changes.

1. Scope

1.1 These General Terms and Conditions (“T&Cs”) apply to all contracts concerning the use of the cloud-based software solution LYRIA Project Management (“Service”) between

siteface UG (haftungsbeschränkt)
Brüderweg 252
57074 Siegen
Germany
– hereinafter referred to as the “Provider” –
and the respective contractual partner (“Customer”).

1.2 The Service is intended exclusively for entrepreneurs within the meaning of Section 14 of the German Civil Code (BGB). Contracts with consumers are excluded.

1.3 Any conflicting or deviating terms and conditions of the Customer shall not become part of the contract unless their validity has been expressly agreed to in writing.

2. Definitions

• Account: The Customer’s access account for using the Service.
• Workspace: An organizational unit within the Service for managing projects and users.
• User: A natural person authorized by the Customer to access the Service.
• Subscription: A term-based, paid use of a selected plan.
• Contract Period: The monthly or annual billing period booked in each case.

3. Subject Matter of the Contract

3.1 The Provider makes the Service available to the Customer as Software-as-a-Service (SaaS) via the Internet.

3.2 The subject matter of the contract is the temporary grant of a non-exclusive, non-transferable right of use to the current version of the Service for the duration of the respective Contract Period.

3.3 The Provider does not owe any specific economic success, but rather the contractual provision of the agreed functionalities.

4. Scope of Services and Further Development

4.1 The specific scope of services is determined by the service description valid at the time the contract is concluded.

4.2 The Provider is entitled to further develop or adapt functions, provided that the essential contractual purpose is not impaired as a result.

5. Availability

5.1 The Provider aims for an average annual system availability of 95%.

5.2 This does not constitute a guarantee, but describes a target value.

5.3 In particular, the following shall not be considered downtime:

• Planned maintenance work
• Disruptions beyond the Provider’s sphere of influence
• Force majeure
• Third-party attacks despite appropriate security measures

5.4 Individual service level agreements (SLAs) may be agreed separately.

6. Rights of Use and User Management

6.1 The Customer is entitled to use the Service within the scope of the booked plan.

6.2 The permitted number of users is determined by the selected pricing plan.

6.3 The Customer is responsible for managing its users and for proper use of the Service.

6.4 Transfer or sublicensing of the rights of use is not permitted.

7. Customer Obligations

• To keep access credentials confidential
• Not to store or distribute any unlawful content
• To comply with statutory data protection requirements

In a business context, the Customer is the controller within the meaning of the GDPR.

8. Prices and Payment Processing

8.1 Paid plans are provided on a subscription basis.

8.2 Payment processing is carried out via the payment service provider Stripe Payments Europe Ltd..

8.3 Payment data is not stored in full by the Provider.

8.4 Invoices are provided in electronic form.

9. Term and Termination

9.1 Contract Term

The subscription is concluded for the selected Contract Period (monthly or annually).

9.2 Automatic Renewal

The subscription is automatically renewed for a further Contract Period unless it is terminated before the end of the current period.

9.3 Termination by the Customer

• Via the customer area
• Via the Stripe customer portal
• Or in text form by email

Termination takes effect at the end of the respective Contract Period. Fees already paid will not be refunded on a pro rata basis unless mandatory statutory provisions require otherwise.

9.4 Extraordinary Termination

The right to terminate without notice for good cause remains unaffected.

10. Price Changes

10.1 The Provider is entitled to adjust prices for future Contract Periods.

10.2 Price changes will be announced at least 30 days before they take effect.

10.3 If no objection or termination is made before the change takes effect, the new prices shall be deemed accepted.

11. Liability

11.1 The Provider shall have unlimited liability in cases of intent, gross negligence, and in the event of injury to life, body, or health.

11.2 In the event of a slightly negligent breach of essential contractual obligations, liability shall be limited to the foreseeable damage typical for this type of contract.

11.3 Liability shall be limited in amount to the fees paid during the last contractual year.

11.4 Liability for loss of profit and indirect damages is excluded to the extent permitted by law.

12. Data Protection and Data Processing

12.1 Personal data is processed in accordance with the Privacy Policy.

12.2 In the case of use by companies, a data processing agreement pursuant to Art. 28 GDPR shall be concluded.

13. Changes to These T&Cs

The Provider is entitled to amend these T&Cs for objective reasons, in particular in the event of legal changes or technical developments. Material changes will be announced at least 30 days before they take effect.

14. Final Provisions

14.1 German law shall apply to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG).

14.2 The place of jurisdiction shall be Siegen, to the extent legally permissible.