Skip to main content
Legal

Privacy policy

1. Who we are

Syba Security Corp, INC. operates the syba.io website and the Syba iOS application (App Store id 1609996286). Our US headquarters are at 2972 Webb Bridge Road, Alpharetta, GA 30009. Our EU entity is SYBA Inc., Site Katelijne Business Center, Baron Ruzettelaan 5/1.1, 8000 Brugge, Belgium.

For privacy-related inquiries, contact customer.service@syba.io.

2. Information we collect

We collect information you provide directly to us when you create an account, contact us, or use our services. This includes contact information (name, email address), usage data (features used, device information), identifiers (account IDs), and user content (email addresses and usernames you check in our breach-lookup and social-scan tools).

We also collect information automatically through standard web technologies, including cookies, log files, and analytics. This includes IP addresses, browser type, pages visited, and referring URLs. Please see our Cookie Policy for details.

3. How we use your information

We use the information we collect to:

  • Provide, operate, and maintain our services
  • Process transactions and send related information
  • Send technical notices, security alerts, and support messages
  • Respond to comments, questions, and customer service requests
  • Monitor and analyse trends, usage, and activities
  • Detect, prevent, and address fraud and abuse
  • Comply with legal obligations

4. How we share your information

We do not sell your personal information. We share information only with service providers who help us operate our platform (cloud infrastructure, analytics, payment processing), with EPIC Insurance Brokers & Consultants for insurance-related inquiries in the US, and with authorities where required by law. All third-party service providers are bound by contractual data-protection obligations.

5. GDPR rights (EU/UK residents)

If you are located in the European Economic Area or United Kingdom, you have the right to access, rectify, erase, restrict, or object to our processing of your personal data, and the right to data portability. To exercise these rights, email customer.service@syba.io. You also have the right to lodge a complaint with a supervisory authority.

6. Data retention

We retain your personal data for as long as your account is active or as needed to provide our services. You may request deletion of your account and data at any time by contacting customer.service@syba.io. We will comply within 30 days, subject to legal retention requirements.

7. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. However, no internet transmission is 100% secure and we cannot guarantee the security of information transmitted to or from our services.

7a. SYBA Shield browser extension (Chrome Web Store)

This section is the complete privacy disclosure for the SYBA Shield browser extension (“SYBA Cybersecurity Agent”, Chrome Web Store item afdooipifnhilpppfepjfbfkmgfipmph). SYBA Shield's single purpose is to warn you about phishing pages and malicious links while you browse. It does not sell your data, does not use it for advertising, and does not transfer it to data brokers.

What the extension accesses, and how it is handled

  • Web page URLs and titles. The address and title of pages you visit, and the URLs of network requests those pages make, are inspected on your deviceby the extension's offline heuristics (lookalike-domain, homograph, suspicious-TLD, and IP-literal checks). These URLs are not transmitted to us or to any third party, except the single page URL and title that accompany a vision scan you trigger (see below).
  • Page content signals. A lightweight content script reads passive structural signals from pages (for example, whether a password field posts to a different domain). This analysis happens on your device; only derived true/false signals are passed to the extension's own background process. We do not collect keystrokes, passwords, form values, or full page text.
  • Screenshots (only when you click “Scan”).When you explicitly start a vision scan, the extension captures an image of the currently visible browser tab and sends it, together with that tab's URL and title, to a vision-AI model for analysis. Screenshots are never captured in the background and never on a schedule. A screenshot may contain whatever is visible on that page at that moment. Screenshots are used only to produce the safety verdict and are not retained on our servers after the verdict is returned.
  • Account authentication.If you sign in with your Syba account, we issue a rolling 30-day opaque access token. It is stored in your browser's local extension storage and as a hashed copy on our servers, and is used only to authorize the extension's API calls (vision verdicts, safety co-pilot chat, subscription-tier lookup). It is revocable at any time from your account dashboard.
  • Settings and local cache. Your preferences, per-site allowlist, recent verdicts, and scan history are stored locally via chrome.storage.local on your device. They are not synced across devices and are not transmitted to us. An optional OpenRouter API key you enter is stored locally and is never sent to Syba.

Parties we share extension data with

We share data only as needed to deliver the scan you request:

  • Syba's servers (sybainsurance.com), hosted on Netlify, Inc. When you are signed in, your scan screenshot, page URL, and chat messages are sent to our endpoint, which forwards the request to the AI provider below.
  • OpenRouter, Inc. routes vision-scan and chat requests to the AI model you select.
  • AI model providers. Depending on the model you choose in Settings, the screenshot and/or text is processed by Google LLC (Gemini models), Anthropic, PBC (Claude models), or OpenAI, L.L.C. (GPT models).
  • Your own key path.If you provide your own OpenRouter API key instead of signing in, scan data is sent directly from your browser to OpenRouter and never touches Syba's servers.
  • Legal authorities where disclosure is required by law.

We do not sell extension data, do not use it for advertising or any purpose unrelated to the security features above, and do not maintain a per-page audit trail of your browsing. Your subscription status (free, Silver, Gold, Diamond) is read on each API call only to apply the correct rate limits and feature flags. Use of data received from Google APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. For extension privacy questions, contact customer.service@syba.io.

8. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the effective date. Your continued use of our services after changes take effect constitutes acceptance of the revised policy.

Effective date: 2026-05-25 · © 2026 Syba Security Corp, INC.