Privacy Notice
Version: 1 Last updated: 11 June 2026 Who we are: Lead Wolf Digital Ltd, trading as Lykos AI (“we”, “us”, or “our”), registered in England and Wales with company number 12023161. Registered office: Salix House Waters Edge, Wansford, Peterborough, PE8 6LH, United Kingdom.
This Privacy Notice describes how and why we might access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you:
- Visit our website at https://lykos-crm.com or any website of ours that links to this Privacy Notice
- Use Lykos CRM, a customer relationship management platform that helps businesses manage contacts, deals, and communications in one place
- Engage with us in other related ways, including any marketing or events
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you have any questions, contact us at [email protected].
Summary of key points
- What personal information do we process? Account and contact details you give us, content you add to the CRM, and — if you choose to connect an email account — email metadata (never email content). Details in Section 1.
- Do we process sensitive personal information? No.
- Do we collect information from third parties? Only if you connect an email account: we then receive email metadata from Google’s or Microsoft’s APIs on your behalf. We do not buy or otherwise obtain personal information from data brokers or other third parties.
- How do we process your information? To provide, improve, and administer the Services, communicate with you, for security and fraud prevention, and to comply with law. Details in Section 2.
- With whom do we share personal information? Only the service providers needed to run the Services (Section 4 and Section 13). We do not sell personal information.
- How do we keep your information safe? Organisational and technical safeguards (Section 8) — though no internet transmission or storage can be guaranteed 100% secure.
- What are your rights? Depending on where you live, you may have rights of access, correction, erasure, portability, and objection (Sections 10 and 12).
- How do you exercise your rights? Email [email protected]. We will act on any request in accordance with applicable data protection law.
1. What information do we collect?
Personal information you disclose to us
In short: we collect personal information that you provide to us.
We collect personal information that you voluntarily provide when you register on the Services, express an interest in obtaining information about us or our products, participate in activities on the Services, or otherwise contact us. This may include:
- names
- phone numbers
- email addresses
- mailing addresses
- job titles
- usernames
- passwords
- contact preferences
- contact or authentication data
- billing addresses
- email metadata (sender and recipient addresses, subject lines, dates and times, and attachment file names) — only if you connect an email account; see Section 14
Sensitive information. We do not process sensitive information.
Payment data. If you purchase a paid subscription, we collect the data necessary to process your payment, such as your payment instrument number and its security code. Payment data is handled and stored by our payment processor, Stripe, whose privacy notice is available at https://stripe.com/privacy. We do not store full card details on our own systems.
CRM content. As a business user of Lykos CRM, you (and your colleagues) enter information about your own customers and prospects — leads, contacts, deals, tasks, and related records. Your business is the controller of that information; we process it on your behalf to provide the Services.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.
Information automatically collected
In short: some information — such as your IP address and browser characteristics — is collected automatically when you use the Services.
We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, country, and information about how and when you use the Services. We use this information mainly to keep the Services secure and operational, and for internal analytics and reporting. It includes:
- Log and usage data — service-related, diagnostic, usage, and performance information our servers automatically record, such as date/time stamps, pages and features used, and error reports.
- Device data — information about the computer, phone, or tablet you use to access the Services, such as IP address, browser type, operating system, and system configuration.
Information received from Google and Microsoft (connected email accounts)
If you choose to connect a Gmail or Microsoft 365 mailbox, we receive email metadata from Google’s or Microsoft’s APIs as described in Section 14.
Google API Services. Lykos CRM’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
2. How do we process your information?
In short: we process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.
We process your personal information for a variety of reasons, depending on how you interact with the Services, including:
- To provide and administer the Services — creating and managing your account, delivering CRM functionality, and (where you connect a mailbox) displaying your email conversations alongside your CRM records.
- To respond to enquiries and provide support.
- To send administrative information — service messages such as email verification, password resets, and changes to our terms and policies.
- To enforce our terms and protect the Services — security monitoring, fraud prevention, and abuse detection.
- To comply with our legal obligations.
- To save or protect an individual’s vital interest, such as to prevent harm.
3. What legal bases do we rely on to process your information?
In short: we only process your personal information when we have a valid legal reason to do so under the UK GDPR and (where applicable) the EU GDPR.
We may rely on the following legal bases:
- Consent. Where you have given us permission to process your personal information for a specific purpose — for example, connecting your email account through your provider’s consent screen. You can withdraw consent at any time (see Section 10), and you can disconnect a connected email account at any time.
- Performance of a contract. Where processing is necessary to provide the Services you have signed up for, or to take steps at your request before entering into a contract.
- Legitimate interests. Where processing is necessary for our legitimate business interests and your interests and fundamental rights do not override them — for example, keeping the Services secure, preventing fraud, improving the product, and processing email metadata so that conversations can be filed against the correct CRM records.
- Legal obligations. Where processing is necessary to comply with the law, such as cooperating with a regulator or law enforcement body, or defending our legal rights.
- Vital interests. Where processing is necessary to protect someone’s life or safety.
4. When and with whom do we share your personal information?
In short: we share information only with the service providers needed to operate the Services, and in the specific situations described below. We do not sell personal information.
Vendors and service providers. We share data with third-party vendors who perform services for us or on our behalf and need access to the information to do that work. The third parties we may share personal information with are listed in Section 13 (Third-Party Service Providers): Sevalla, Kinsta, Postmark, Stripe, and — only for users who connect an email account — Google and Microsoft.
We may also need to share your personal information in the following situations:
- Business transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
5. Do we use cookies and other tracking technologies?
In short: we use only the cookies needed to make the Services work.
We use essential cookies only — primarily a session cookie that keeps you signed in and keeps your account secure. These are strictly necessary for the Services to function.
We do not use advertising cookies, we do not permit third parties to place tracking technologies on the Services for advertising, and we do not sell or share personal information for targeted advertising. If we introduce optional analytics cookies in the future, we will update this notice and ask for your consent where the law requires it.
6. Is your information transferred internationally?
In short: our own servers are in the European Economic Area; some of our service providers are based in the United States.
We store CRM data on servers located in the European Economic Area. Some of the service providers listed in Section 13 (for example Google, Microsoft, Postmark, Stripe, and Cloudflare) are headquartered in the United States, and your information may be transferred to, stored, or processed in the United States and other countries when they process it.
Where personal data is transferred outside the UK or EEA, we take measures designed to ensure it receives an equivalent level of protection — such as transferring to countries covered by UK adequacy regulations, or using recognised safeguards such as the UK International Data Transfer Addendum and EU Standard Contractual Clauses, or transferring to US providers certified under the UK Extension to the EU–US Data Privacy Framework.
7. How long do we keep your information?
In short: as long as necessary for the purposes set out in this notice, unless the law requires longer.
We keep your personal information only as long as necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax or accounting requirements). When we have no ongoing legitimate business need to process your personal information, we will delete or anonymise it; if that is not immediately possible (for example, because it is held in backup archives), we will securely store it and isolate it from further processing until deletion is possible.
Specific to connected email accounts: disconnecting your email account permanently deletes all synced email metadata (see Section 14).
8. How do we keep your information safe?
In short: through organisational and technical security measures.
We have implemented appropriate and reasonable technical and organisational security measures designed to protect any personal information we process — including encryption of stored email-account credentials, hashed passwords and session identifiers, and access controls with audit logging. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise that hackers, cybercriminals, or other unauthorised third parties will never defeat our security. You should only access the Services within a secure environment.
9. Do we collect information from minors?
In short: no — the Services are for business users aged 18 and over.
We do not knowingly collect, solicit data from, or market to children under 18 years of age. By using the Services, you represent that you are at least 18. If we learn that personal information from users under 18 has been collected, we will deactivate the account and take reasonable measures to promptly delete the data. If you become aware of any data we may have collected from children under 18, please contact us at [email protected].
10. What are your privacy rights?
In short: in the UK, EEA, and Switzerland you have rights that allow you greater access to and control over your personal information.
In the UK, EEA, and Switzerland, you have rights under applicable data protection laws, which may include the right (i) to request access to and obtain a copy of your personal information, (ii) to request rectification or erasure, (iii) to restrict its processing, (iv) to data portability (if applicable), and (v) not to be subject to automated decision-making. In certain circumstances you may also have the right to object to processing. You can make a request by emailing [email protected]; we will consider and act upon any request in accordance with applicable data protection laws.
If you believe we are unlawfully processing your personal information, you have the right to complain to your supervisory authority — in the UK, the Information Commissioner’s Office (ICO); in the EEA, your member state data protection authority; in Switzerland, the Federal Data Protection and Information Commissioner.
Withdrawing your consent. Where we rely on your consent, you can withdraw it at any time by emailing [email protected] — or, for a connected email account, by disconnecting it in Settings. Withdrawal does not affect the lawfulness of processing before the withdrawal, nor processing conducted on lawful grounds other than consent.
Account information. If you would like to review or change the information in your account, or terminate your account, you can:
- Log in to your account settings and update your user account; or
- Contact us at [email protected].
Upon a request to terminate your account, we will deactivate or delete your account and information from our active databases. We may retain some information to prevent fraud, troubleshoot problems, assist with investigations, enforce our legal terms, and/or comply with applicable legal requirements.
11. Controls for Do-Not-Track features
Most web browsers include a Do-Not-Track (“DNT”) feature you can activate to signal that you do not want your online browsing monitored. No uniform standard for recognising DNT signals has been finalised, and we do not currently respond to them. If a standard is adopted that we must follow, we will describe that practice in a revised version of this notice. (Since we use essential cookies only and do no cross-site tracking, there is currently nothing for a DNT signal to switch off.)
12. Do United States residents have specific privacy rights?
In short: if you are a resident of certain US states, you may have rights to access, correct, delete, and obtain a copy of your personal information. Lykos CRM is a UK service; we include this section for completeness.
Categories of personal information we collect
The table below shows the categories of personal information we have collected in the past twelve months (categories follow the California Consumer Privacy Act framework):
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Real name, postal address, telephone number, online identifier, IP address, email address, account name | YES |
| B. Personal information (California Customer Records statute) | Name, contact information | YES |
| C. Protected classification characteristics | Gender, age, race, ethnicity | NO |
| D. Commercial information | Transaction information, payment information (handled by Stripe) | YES |
| E. Biometric information | Fingerprints, voiceprints | NO |
| F. Internet or similar network activity | Log data, device data, interactions with the Services | YES |
| G. Geolocation data | Device location | NO |
| H. Audio, electronic, sensory information | Images, audio, video recordings | NO |
| I. Professional or employment-related information | Job titles, business contact details | YES |
| J. Education information | Student records | NO |
| K. Inferences from collected information | Profiles about preferences and characteristics | NO |
| L. Sensitive personal information | — | NO |
We may also collect other personal information outside these categories where you interact with us in person, online, or by phone or mail — for example through customer support channels.
Sales and sharing. We have not sold or shared any personal information to third parties for a business or commercial purpose, and we do not use personal information for targeted advertising. We disclose personal information to the service providers listed in Section 13 under written contracts.
Your rights
Depending on your state of residence, you may have the right to know whether we process your personal data; to access it; to correct inaccuracies; to request deletion; to obtain a copy; to non-discrimination for exercising your rights; and to opt out of targeted advertising, sales, or profiling (we do none of these).
How to exercise your rights
Email [email protected]. We will need to verify your identity before acting on a request. You may designate an authorised agent, who must provide proof of valid authorisation. If we decline a request, you may appeal by emailing the same address; if your appeal is denied, you may complain to your state attorney general.
California “Shine The Light”. California Civil Code Section 1798.83 permits California residents to request, once a year and free of charge, information about categories of personal information (if any) disclosed to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
13. Third-party service providers
We use the following third-party service providers to operate the Services. Each provider processes personal data only as necessary to deliver the relevant service:
- Sevalla — application and database hosting
- Cloudflare — content delivery network and security services (proxies website traffic)
- Postmark — transactional email delivery (verification, password reset, and similar service messages)
- Stripe — payment processing for paid subscriptions
- Google LLC — email data processing, only for users who choose to connect a Gmail mailbox
- Microsoft Corporation — email data processing, only for users who choose to connect a Microsoft 365 / Outlook mailbox
14. Email account integration
If you connect an email account, we store email metadata (sender and recipient addresses, subject lines, dates and times, and attachment file names) so that email conversations can be shown alongside your CRM records.
We do not store the content of your emails or attachments — these remain in your Google or Microsoft account and are retrieved temporarily only when you view them. Disconnecting your email account permanently deletes all synced email metadata.
15. Google API Services
Lykos CRM’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
16. Do we make updates to this notice?
In short: yes, as necessary to stay compliant with relevant laws.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated “Last updated” date at the top of this notice. If we make material changes, we may notify you by prominently posting a notice of the changes or by sending you a notification. We encourage you to review this notice frequently.
17. How can you contact us about this notice?
If you have questions or comments about this notice, you may email us at [email protected] or contact us by post at:
Lead Wolf Digital Ltd Salix House Waters Edge Wansford, Peterborough PE8 6LH United Kingdom
18. How can you review, update, or delete the data we collect from you?
Depending on the applicable laws of your country (or, in the US, your state), you may have the right to request access to the personal information we collect from you, details about how we have processed it, to correct inaccuracies, or to delete your personal information. You may also have the right to withdraw your consent to our processing. These rights may be limited in some circumstances by applicable law. To make a request, email [email protected].