Legal
Privacy Policy
Effective date: March 1, 2026 · Last updated: March 13, 2026
Lyzard (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Lyzard web application and related services (the “Service”). By using the Service, you consent to the practices described in this policy.
1. Information We Collect
1.1 Account Information
When you sign in with Google OAuth, we receive and store your name, email address, and profile photo. This information is used to identify you within Workspaces and attribute your review decisions.
1.2 Applicant Data
When an Admin links a Google Form to a Deck, we sync form responses from the Google Forms API. This data may include applicant names, email addresses, essay responses, demographic information, file uploads (as links), and any other fields present in the linked form. We access this data using read-only OAuth scopes: forms.responses.readonly, forms.body.readonly, and drive.metadata.readonly.
1.3 Review Data
We store decisions (accept, reject, waitlist), reviewer notes, star/flag indicators, and timestamps generated during the review process.
1.4 Usage Data
We automatically collect certain technical information when you use the Service, including your IP address, browser type, device type, operating system, referring URL, pages visited, and interaction timestamps. This data helps us monitor performance, diagnose issues, and improve the Service.
2. How We Use Your Information
- Provide the Service: Authenticate your identity, sync form responses, render applicant cards, and store review decisions.
- Enable Collaboration: Display reviewer names, aggregate decisions, and facilitate team-based review within Workspaces.
- Generate Analytics: Produce dashboard statistics, reviewer progress metrics, and decision breakdowns for Workspace Admins.
- Improve the Service: Analyze usage patterns to enhance performance, fix bugs, and develop new features.
- Communicate: Send transactional emails related to your account, such as workspace invitations and sync notifications.
3. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information or Applicant Data to third parties. We may share information only in the following circumstances:
- Within Your Workspace: Review decisions, notes, and stars are visible to other members of the same Workspace based on their role (Admin, Reviewer, Viewer).
- Service Providers: We use third-party services for hosting (Vercel), database management (Supabase), and authentication (Google OAuth). These providers process data on our behalf under strict confidentiality obligations.
- Legal Obligation: We may disclose information if required by law, subpoena, court order, or governmental regulation.
- Business Transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.
4. Google API Services — Limited Use Disclosure
Lyzard’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum OAuth scopes necessary to provide the Service. We do not use Google user data for advertising, and we do not allow humans to read your Google data except where necessary to provide support at your request, for security purposes, or to comply with applicable law.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods:
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Applicant Data | Until Workspace or Deck deletion + 30 days |
| Review decisions & notes | Until Workspace deletion + 30 days |
| Usage / analytics data | 24 months from collection |
After the retention period, data is permanently deleted from our systems and backups within thirty (30) business days.
6. Data Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest for database storage, role-based access controls within the application, and regular security reviews. However, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords for your Google account.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data. Admins can delete entire Workspaces and Decks from within the Service.
- Export: Export your review data as CSV at any time through the Service dashboard.
- Revoke Consent: Revoke Google OAuth access at any time through your Google account settings.
- Object: Object to processing of your data for specific purposes under applicable law.
To exercise any of these rights, email us at getlyzard@gmail.com. We will respond within thirty (30) days.
8. FERPA Compliance
Lyzard may be used by student organizations at educational institutions. We understand that some Applicant Data may constitute education records under the Family Educational Rights and Privacy Act (FERPA). Workspace Admins are responsible for ensuring that their use of Lyzard complies with FERPA and any institutional policies governing student data. We maintain minimal data retention, do not use Applicant Data for purposes other than providing the Service, and provide data deletion capabilities to support compliance.
9. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We rely on standard contractual clauses and other appropriate safeguards where required by law.
10. Cookies & Tracking
We use essential cookies and local storage to maintain your authentication session and theme preference. We do not use third-party advertising cookies or cross-site tracking. Analytics, if implemented, use privacy-respecting, cookie-free solutions.
11. Children’s Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at getlyzard@gmail.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice within the Service at least fourteen (14) days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
13. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or your data, contact us at: