Privacy Policy

Last updated:

This Privacy Policy explains how Doras Media Limited ("we", "us", "Sayr") collects, uses, shares, and protects your personal data when you use the Sayr platform at sayr.io and related services.

1. Who We Are

Sayr is operated by Doras Media Limited, a company registered in Ireland. For the purposes of data protection law, Doras Media Limited is the data controller responsible for your personal data.

If you have questions about this policy or your data, contact us at support@sayr.io.

2. Data We Collect

2.1 Account Data

When you sign up via GitHub or Doras OAuth, we collect:

  • Name and display name — from your OAuth provider profile
  • Email address — from your OAuth provider
  • Profile picture — avatar URL from your OAuth provider
  • OAuth tokens — access and refresh tokens to maintain your authenticated session with the provider

2.2 Session & Security Data

When you sign in, we automatically collect:

  • IP address — recorded at session creation for security purposes
  • User agent — your browser and device information
  • Session timestamps — when your session was created, last active, and when it expires

2.3 User-Generated Content

Data you create while using Sayr, including:

  • Tasks, comments, and comment edits
  • Reactions, votes, and timeline activity
  • Organizations, teams, and member roles
  • Labels, categories, saved views, and releases
  • Uploaded files and attachments
  • API keys you generate

2.4 Usage & Analytics Data

We use PostHog (EU instance, hosted in Frankfurt) to collect product analytics, including:

  • Page views and navigation events
  • Click interactions and form submissions (autocapture)
  • Web performance metrics (page load times, web vitals)
  • Session recordings to understand how users interact with the interface
  • Uncaught JavaScript exceptions

PostHog identifies you by your Sayr user ID, email, and name to associate analytics with your account.

2.5 Logs & Observability Data

We use OpenTelemetry for application tracing and Axiom for log storage. Traces may include your user ID, platform role, and a masked version of your email address (e.g., t***@g***.com). Request URLs, HTTP methods, and user agent strings are also captured for debugging and performance monitoring.

2.6 Anonymous Voting Data

For public task voting by unauthenticated users, we generate a one-way SHA-256 hash of the voter's IP address, user agent, and a salt to prevent duplicate votes. The raw IP address is not stored for anonymous votes.

3. How We Use Your Data

We use your personal data to:

  • Provide and operate the service — authenticate you, display your content, manage organizations and permissions
  • Send transactional communications — notifications, invitations, and account-related emails via Send (usesend.com)
  • Improve the product — analyse usage patterns, identify bugs, and optimise the user experience through PostHog analytics
  • Ensure security — detect abuse, prevent fraud, and protect against unauthorised access using session data and logs
  • Process payments — facilitate billing through Polar (our Merchant of Record)
  • Comply with legal obligations — respond to lawful requests and enforce our Terms of Service

4. Legal Bases for Processing

Under GDPR, we rely on the following legal bases:

Purpose | Legal Basis
Providing the service, managing your account | Contract performance
Product analytics, performance monitoring, security logs | Legitimate interest
Transactional emails | Contract performance
Payment processing | Contract performance
Legal compliance | Legal obligation

5. Cookies & Local Storage

Sayr uses the following cookies:

Cookie | Purpose | Duration
better-auth.session_token | Authentication — maintains your signed-in session | Session expiry
login_origin | Temporary — stores your origin URL during OAuth sign-in redirect | ~8 minutes
post_login_redirect | Temporary — stores where to redirect you after sign-in | Session
sidebar_state | Preference — remembers whether your sidebar is open or collapsed | 7 days
ph_* | Analytics — PostHog session tracking, distinct user ID, and feature flags | Varies

We also use localStorage to store your theme preference (light/dark mode). This data remains on your device and is not transmitted to our servers.

6. Data Sharing & Subprocessors

We do not sell your personal data. We share data only with third-party service providers ("subprocessors") who process it on our behalf to deliver the Sayr platform. Each subprocessor is contractually obligated to protect your data.

A full list of our current subprocessors is available on our Subprocessors page.

We may also disclose your data if required to do so by law, or if we believe in good faith that such action is necessary to comply with legal process, protect our rights, or ensure the safety of our users.

7. International Data Transfers

Our primary infrastructure is hosted in the EU (Germany) via Hetzner, and we use PostHog's EU instance (Frankfurt). However, some of our subprocessors are based in the United States, including Cloudflare, GitHub, Send, and Axiom.

Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework, as applicable.

8. Data Retention

We retain your personal data for as long as your account is active and as needed to provide you with the service.

  • Account data — retained while your account exists; deleted when you delete your account
  • Session data — retained until session expiry, then automatically removed
  • Analytics data — retained in PostHog according to their standard retention policies
  • Logs — retained in Axiom according to their standard retention policies
  • User-generated content — retained while your account exists; deleted upon account deletion

When you delete your account, we delete your personal data promptly. Some data may persist in encrypted backups for a limited period before being overwritten.

9. Your Rights

Under GDPR and applicable Irish and EU data protection law, you have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Data portability — request your data in a structured, machine-readable format
  • Restriction — request that we restrict processing of your data in certain circumstances
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at support@sayr.io. We will respond within 30 days.

You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at www.dataprotection.ie.

10. Children

Sayr is a business-to-business product and is not directed at individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • OAuth-based authentication (no passwords stored by default)
  • HttpOnly, Secure session cookies in production
  • Email masking in observability traces
  • Hashed anonymous vote identifiers (raw IPs not stored)
  • Role-based access controls and permission checks

No system is perfectly secure. If you discover a security vulnerability, please report it to support@sayr.io.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

13. Contact Us

Doras Media Limited
First Floor Penrose 2
Penrose Dock
Cork T23 YY09
Ireland

Email: support@sayr.io

See also: Subprocessors | Terms of Service