1. INTRODUCTION & CONTROLLER INFORMATION

This Privacy Policy (“Policy”) explains how Meetlyr Limited – 16878549 (“we,” “us,” “our,” or “Company”), collects, uses, discloses, retains, and protects your personal data when you visit our website at https://meetlyr.com/ (the “Website”) and use our booking application at https://app.meetlyr.com/bookings (the “App”) and any related services (collectively, the “Services”).

This Policy applies to all users, including consumers, service providers, and business partners who interact with Meetlyr’s Services. We are committed to transparency and compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), and/or the Data Protection Act 2018 (DPA 2018), and/or the Privacy and Electronic Communications Regulations 2003 (PECR), and/or the EU General Data Protection Regulation (in cases where applicable).

Data Controller Details

Meetlyr Limited
Registered Address: Failsworth, Manchester, England, M35 9FD.
Email: hello@meetlyr.com
Telephone: +44 7878 837785 

For data protection enquiries and to exercise your rights under this Policy, please contact our Data Protection Officer or relevant person (if applicable) or use the contact information provided in Section 12 below.


2. SCOPE AND GEOGRAPHIC APPLICATION

This Policy applies to:

  • United Kingdom: All users of the Website and App are subject to UK GDPR and DPA 2018.

  • European Union: Where Meetlyr operates or provides Services to EU residents, the EU GDPR can apply in addition to or instead of UK GDPR.
    Users should be aware that data may be processed in the UK and (where applicable) transferred to EU Member States where we operate. Such transfers are lawful under the EU-UK adequacy decision or, where necessary, are protected by Standard Contractual Clauses (SCCs) as described in Section 8.


3. DATA WE COLLECT

We collect personal data directly from you, through automated means, and from third parties. The types of personal data we collect depend on how you use our Services and include:

3.1 Information You Provide Directly

Account Registration Data:

  • Full name

  • Email address

  • Phone number

  • Date of birth (where required for age verification or identity confirmation)

  • Profile photograph

  • ID (optional and only if necessary)

  • Username and password

  • Short Questionnaire

Booking & Service Data:

  • Booking details (services requested, dates, times, locations, specific requirements)

  • Cancellation and rescheduling requests

  • Service preferences and special requests

  • Feedback, reviews, and ratings

Payment Data:

  • Payment card details provided to Stripe (if you choose to enter them on our App; however, we strongly recommend using PCI-compliant third-party processors)

  • Billing address

  • Transaction history and payment amounts

  • Invoices and receipts

Communications Data:

  • Messages sent via our in-app messaging system

  • Support requests and customer service interactions

  • Email correspondence with our team

  • Feedback and complaints

Identity & Compliance Data:

  • Government-issued identification (where required for verification or regulatory compliance)

  • Background check results (if applicable for certain service providers)

3.2 Automatically Collected Data

Technical Data:

  • Device identifiers (device ID, hardware model, mobile network information)

  • IP address

  • Browser type and version

  • Operating system

  • Referring URL and pages visited

  • Timestamp of visits and session duration

  • Crash reports and performance data

Usage Analytics:

  • Features used within the App

  • Clickstream data

  • Search queries

  • Interaction patterns

  • Session recordings (with prior consent, where legally required)

Cookies and Similar Technologies:

  • First-party and third-party cookies

  • Web beacons and pixels

  • Local storage and similar technologies

See Section 11 for detailed information on cookies and your choices.

3.3 Location Data

Precise Location Data: If you grant permission through your device settings, we might use location data to:

  • Enable location-based booking services

  • Confirm service provider attendance

  • Improve service recommendations

  • Analyze usage patterns

Approximate Location Data: We may infer approximate location from IP addresses and device settings.

Users can disable location services at any time through device settings; however, some Services may not function optimally without location data.

3.4 Data from Third Parties

We may receive personal data about you from:

  • Payment processors (transaction details, fraud indicators)

  • Identity verification services (identity confirmation, age verification)

  • Background check providers (verification results for service providers)

  • Social media platforms (only if you link your account with us)

  • Analytics and marketing partners

  • Law enforcement and regulatory authorities (in response to legal requests)

3.5 Special Category Data

Under Article 9 of the UK GDPR and Article 9 of the EU GDPR, we generally do not collect “special category data” (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation).

Exception: If you voluntarily disclose such information in support messages or booking requests (e.g., accessibility requirements for persons with disabilities), we will process this only to fulfill your service request and will delete it when no longer necessary.


4. LAWFUL BASIS FOR PROCESSING

We process personal data only where we have a lawful basis under Article 6 of the UK GDPR and Article 6 of the EU GDPR. The lawful bases for our processing include:

4.1 Contractual Necessity

We process data necessary to enter into and perform your booking contract, including:

  • Account creation and management

  • Service delivery and fulfillment

  • Payment processing

  • Provision of customer support

4.2 Consent

Where consent is the lawful basis, we process data for:

  • Marketing communications (email, SMS, push notifications) via PECR-compliant consent mechanisms

  • Analytics and usage tracking (via prior opt-in for non-essential cookies)

  • Automated profiling and personalization (where we inform you and provide opt-out mechanisms)

  • Social media integration

Consent Withdrawal: You may withdraw consent for marketing and analytics at any time by sending “unsubscribe” in communications, accessing your account preferences, or contacting us (Section 12). Withdrawal does not affect the lawfulness of processing before withdrawal. We collect explicit consent when you click “Sign up” or use a similar consent mechanism during account registration. This consent is separate from accepting our Terms of Service. A clear link to this Privacy Policy is displayed prominently at the point of consent, and users can withdraw consent at any time without penalty (Section 4.2 – Consent Withdrawal).

4.3 Legitimate Interests

We rely on legitimate interests for:

  • Detecting and preventing fraud and abuse

  • Improving our Services and user experience

  • Network and IT security

  • Analyzing usage trends and service optimization

  • Direct marketing to existing customers via the “soft opt-in” exception under PECR

  • Compliance with legal obligations and enforcement of rights

  • Defending against legal claims

We balance our interests against your rights and freedoms, and we do not use legitimate interest to justify marketing to new consumers without consent.

4.4 Legal Obligation

We may process data to comply with:

  • UK tax law (HMRC record-keeping requirements)

  • Money laundering and terrorist financing regulations (KYC/AML)

  • Court orders and regulatory requests

  • Employment law (if you are a service provider)

4.5 Vital Interests

We process data where necessary to protect your vital interests or those of others in emergency situations.


5. HOW WE USE YOUR DATA

We use personal data for the following purposes:

5.1 Core Service Delivery

  • Creating and managing your account

  • Processing bookings and payments

  • Delivering the requested service

  • Communicating booking confirmations, updates, and cancellations

  • Handling service disputes and refunds

5.2 Customer Support

  • Responding to inquiries and complaints

  • Troubleshooting technical issues

  • Providing help with account management

  • Gathering feedback through surveys and polls

5.3 Marketing & Communications

  • Sending promotional emails (with consent or via soft opt-in for existing customers)

  • Notifying you of service updates, features, and promotions

  • Personalizing content and recommendations based on your usage

PECR Compliance: We comply with the Privacy and Electronic Communications Regulations 2003. For marketing emails to individuals, we obtain explicit consent or rely on the soft opt-in exception (existing customers who have not opted out). For corporate recipients, we may send email marketing without prior consent but provide clear unsubscribe options.

5.4 Personalization & Analytics

  • Tailoring your experience through usage analysis and profiling

  • Analyzing trends to optimize our Services

  • Creating aggregated, anonymized reports

  • Testing new features (A/B testing)

  • Detecting usage patterns to identify service improvements

5.5 Fraud & Security

  • Detecting unauthorized access and fraudulent transactions

  • Preventing abuse and misuse of Services

  • Enforcing our Terms of Service and other agreements

  • Protecting against security threats and malware

5.6 Legal & Regulatory Compliance

  • Responding to government requests and legal processes

  • Maintaining records for tax, employment, and regulatory purposes

  • Defending against legal claims

  • Enforcing contractual rights

5.7 Aggregated & Anonymized Data

We may process anonymized data (data stripped of identifying information) without restriction for:

  • Aggregated analytics and reporting

  • Service improvements

  • Research and product development

  • Sharing with business partners and the public


6. DATA SHARING & RECIPIENTS

We share personal data only where necessary and permitted by law. Recipients may include:

6.1 Service Providers & Data Processors

We engage third-party service providers who act as data processors and process data on our instructions, including:

Payment Processing:

  • Stripe, PayPal, or other PCI-compliant payment processors

  • Only payment-essential data (name, billing address, transaction amount) is shared

  • These processors maintain their own privacy policies and security standards

Cloud Infrastructure:

  • Microsoft Clarity, Cloudinary, Microsoft Azure, or similar cloud service providers

  • Data is encrypted in transit and at rest

  • Processors maintain international data protection certifications (ISO 27001, SOC 2)

Communications:

  • Email service providers (Mailchimp, or similar)

  • SMS delivery services

  • Push notification platforms

Analytics & Performance:

  • Google Analytics (aggregated, pseudonymized data)

  • Amplitude or similar usage analytics platforms

  • Performance monitoring services

Identity & Background Verification:

  • Didit.me or ID services (for age/identity confirmation)

  • Background check providers (for service providers, only where required)

Customer Support:

  • Tawk or similar helpdesk platforms

  • Support data (tickets, chat history) stored with encryption

Marketing & Communications:

  • HubSpot, Klaviyo, or similar marketing automation platforms

  • Aggregated customer data for marketing analytics

All data processors are required to:

  • Process data only on our documented instructions

  • Maintain adequate security measures (Article 32 UK GDPR/EU GDPR)

  • Keep personal data confidential

  • Assist you in exercising your data subject rights

  • Report any data breaches within 72 hours

  • Not engage sub-processors without our written approval

Data Processing Agreements: All processors sign Data Processing Agreements (DPAs) containing Standard Contractual Clauses or equivalent protections as required by law.

6.2 Business Partners & Service Providers (Joint Controllers)

We may share data with:

  • Integration partners (calendar systems, CRM platforms)

  • Payment partners and financial service providers

  • Marketing partners and advertisers (only aggregated, non-identifying data unless you consent)

These partners may be joint data controllers; we identify joint controllership in specific contexts and ensure transparency.

6.3 Legal & Regulatory Authorities

We may disclose personal data without your consent when:

  • Required by law (court order, subpoena, warrant, or government request)

  • Necessary to enforce our Terms of Service or other agreements

  • Required to protect our legal rights or those of others

  • Necessary to prevent fraud, abuse, or security threats

When feasible, we will notify you of such requests before disclosure, except where prohibited by law.

6.4 Business Transfers

If Meetlyr is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction or proceeding, personal data may be transferred as part of that transaction. You will be notified of any such change in ownership or control of your personal data and of any material changes to this Policy. Personal data will remain subject to the same level of protection unless you choose to delete your account.

6.5 Aggregated & Anonymized Data

We may share aggregated, de-identified data with:

  • Business intelligence partners

  • Academic and research institutions

  • Industry associations

  • Marketing and analytics platforms

  • The general public (via reports and insights)

This data cannot identify you and is not subject to data protection regulations.

6.6 Sub-Processors & Sub-Processing

Authorized sub-processors engaged by our primary processors may include:

  • Infrastructure sub-providers (data centers, CDNs)

  • Backup and disaster recovery services

  • Third-party security and compliance tools

We maintain a current list of authorized sub-processors at: https://meetlyr.com/subprocessors

Processors must notify us before engaging new sub-processors and afford us the opportunity to object. If you object to a new sub-processor, we will work with you to find an alternative or terminate the relevant service.


7. AUTOMATED DECISION-MAKING & PROFILING

7.1 Profiling Activities

We engage in profiling to enhance your experience, including:

  • Booking Recommendations: Analyzing your booking history and preferences to suggest relevant services

  • Dynamic Pricing: Using algorithms to optimize pricing based on demand and user patterns (if applicable)

  • Fraud Detection: Using automated systems to identify suspicious transactions and prevent abuse

  • User Segmentation: Categorizing users for targeted marketing and service improvements

7.2 Automated Decision-Making Restrictions (Article 22)

Significant Automated Decisions: Where we use automated decision-making that produces legal or similarly significant effects on you (e.g., account termination, eligibility denial, access restrictions), you have the right to:

  • Request human intervention

  • Obtain an explanation of the decision logic

  • Challenge or appeal the decision

  • Obtain information about factors that influenced the decision

Examples of significant effects:

  • Denial of service or account suspension

  • Eligibility determination for services or pricing

  • Credit decisions

Right to Human Review: If you object to an automated decision with significant effects, we will conduct a human review within 30 days and notify you of the outcome.

7.3 Opt-Out of Profiling

You may opt out of profiling for marketing personalization by:

  • Contacting us to unsubscribe (Section 12)

  • Clicking “Do Not Sell or Share My Personal Information” (if and where applicable)

  • Deleting your profile

Limitation: Opting out of profiling may limit the personalization and functionality of the Services.


8. INTERNATIONAL DATA TRANSFERS

8.1 UK to EU Transfers

When we transfer personal data from the UK to EU Member States where we operate, such transfers are lawful under the EU-UK adequacy decision in most cases. No additional safeguards are required for transfers from the UK to the EU.

8.2 Transfers Outside the UK/EEA

Where we transfer data to countries without an adequacy decision (e.g., certain third countries), we implement:

Standard Contractual Clauses (SCCs):

Transfer Impact Assessments (TIAs):

Examples of Third-Country Transfers:

  • Cloud storage in non-EEA data centers (with contractual safeguards)

  • Analytics services located outside the UK/EU

  • Payment processors operating globally


9. DATA RETENTION & DELETION

9.1 Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Specific retention periods are:

Data Type | Retention Period | Reason
Account Data (active users) | Duration of account + 12 months post-deletion | Account management, contractual obligations
Booking & Service History | 7 years | Tax law, business records, dispute resolution
Payment Records | 7 years | UK tax law (HMRC), fraud investigation
Payment Card Details | Not stored; deleted immediately by processor | PCI DSS compliance, security
Communications (support tickets) | 3 years | Customer service, dispute resolution
Marketing Consent Records | 5 years | PECR compliance, audit trail
Automated Decision Logs | 2 years | Transparency, Article 22 compliance
Cookies & Analytics Data | 13 months (except persistent features) | Analytics, performance optimization
Background Checks | 3-5 years (service providers) | Duty of care, regulatory compliance
Identity Verification Data | As required by AML/KYC law (typically 5 years) | Money laundering prevention

Note: Retention periods may be extended where required by court order or regulatory request. Meetlyr Limited is responsible for the retention periods specified above. These periods comply with UK GDPR Article 5 (storage limitation principle) and UK tax law requirements. Any material changes to retention periods will be notified to users at least 30 days in advance. For clarification on your specific data retention, please reach out to us. 

9.2 Right to Erasure (“Right to Be Forgotten”)

You have the right to request erasure of your personal data in the following circumstances:

  • Data is no longer necessary for its original purpose

  • You withdraw consent and no other lawful basis applies

  • You object to processing based on legitimate interests

  • Data was processed unlawfully

  • Erasure is required by law

Limitations: We may refuse erasure where:

  • Data is necessary to fulfill legal obligations

  • Data is needed to establish, exercise, or defend legal claims

  • Data must be retained for fraud prevention or security

  • Data is needed to fulfill a contractual obligation

  • Data is part of an active investigation or regulatory audit

Erasure Process: Upon receipt of a valid erasure request, we will delete identifiable data within 30 days (subject to backup retention schedules and legal holds). Some data may be pseudonymized or anonymized instead of deleted.

9.3 Backup & Archive Data

Personal data in backups and archives is retained according to our backup policy (typically 30-90 days for active backups, up to 1 year for archived data). Once the retention period expires, such data is securely destroyed.


10. DATA SUBJECT RIGHTS

Under the UK GDPR (Articles 15-22) and EU GDPR (Articles 15-22), you have the following rights:

10.1 Right to Be Informed

You have the right to be informed about how we process your data (which this Policy satisfies).

10.2 Right of Access (Subject Access Request)

You may request a copy of the personal data we hold about you. We will provide this information in a clear, structured, and commonly used electronic format (CSV, PDF, or Word) within 30 days of your request. Please specify the scope of the data you are requesting.

How to Request: Contact hello@meetlyr.com with your full name, registered email address, and a clear request for access.

Extensions: We may extend the response period by two months for complex or voluminous requests, notifying you of the extension.

10.3 Right to Rectification

You may request that we correct inaccurate or incomplete personal data. We will update records within 30 days and notify any processors or recipients of the correction.

10.4 Right to Erasure

See Section 9.2 above.

10.5 Right to Restrict Processing

You may request that we limit the processing of your data to storage only (restricting use for other purposes) where:

  • You contest the accuracy of data (during verification period)

  • Processing is unlawful and you object to deletion

  • We no longer need the data but you require it for legal claims

  • You have objected to processing based on legitimate interests (pending determination)

During a restriction period, we will not process the data except with your consent, for legal claims, or to protect others’ rights.

10.6 Right to Data Portability

You may request that we transfer your personal data to another service provider in a structured, commonly used, machine-readable format (JSON, XML, CSV). This right applies where:

  • Processing is based on consent or contract

  • Processing is carried out by automated means

  • You wish to transmit data to another controller

We will comply within 30 days at no charge. Where technically feasible, we will transmit data directly to another service provider.

10.7 Right to Object

You may object to processing of your personal data on the grounds of legitimate interests or direct marketing.

Marketing Objection: You may opt out of marketing communications by:

  • Writing “unsubscribe” in marketing emails

  • Adjusting preferences in your account settings

  • Contacting hello@meetlyr.com

Legitimate Interest Objection: You may object to other processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate interests or legal obligations that override your objection.

10.8 Right Not to Be Subject to Automated Decision-Making

See Section 7.2 above. You have the right to human intervention, explanation, and review of significant automated decisions.

10.9 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you may lodge a complaint with the:

UK: Information Commissioner’s Office (ICO)
– Website: https://ico.org.uk

EU Member States: Your national data protection authority (contact information available at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-penalties/competent-authorities_en)


11. COOKIES & SIMILAR TRACKING TECHNOLOGIES

11.1 What Are Cookies?

Cookies are small text files stored on your device that allow websites and apps to recognize you and remember your preferences. We also use similar technologies including web beacons, pixels, local storage, and mobile device identifiers.

11.2 Types of Cookies We Use

Cookie Type | Purpose | Consent Required?
Strictly Necessary | Session management, security, fraud prevention, basic functionality | No
Functional | Remembering preferences, language settings, saved searches | Optional (with consent)
Analytics | Measuring usage, traffic analysis, performance optimization | Yes
Marketing/Advertising | Targeted ads, retargeting, social media integration | Yes (explicit opt-in)
Third-Party | Ad networks, social platforms, analytics partners | Yes (explicit opt-in)

Strictly Necessary Cookies are exempt from consent requirements under the ePrivacy Directive and GDPR.

11.3 Your Consent Choices

On Your First Visit: Our cookie banner allows you to:

  • Accept all cookies

  • Reject non-essential cookies

  • Customize your preferences (granular consent by category)

We do not use dark patterns (e.g., pre-checked boxes, delayed rejection buttons, or manipulative UI) to pressure cookie acceptance.

11.4 Managing Cookie Preferences

You may:

  • Adjust cookie preferences anytime by clicking the cookie banner or accessing your account settings

  • Change browser settings to reject or warn about cookies

  • Use browser extensions to block tracking (e.g., Privacy Badger, uBlock Origin)

  • Delete cookies from your device

Note: Disabling cookies may impair certain Website/App functionality.

11.5 Third-Party Cookies

Third-party services used may set their own cookies, including:

  • Google Analytics (privacy-enhanced mode: https://policies.google.com/privacy)

  • Amplitude, Mixpanel (usage analytics)

  • Facebook Pixel, Google Ads (advertising)

  • Intercom, Zendesk (customer support)

  • Stripe (payment processing)

We include links to their privacy policies below (Section 13).

11.6 Cookie Retention

  • Session Cookies: Deleted when you close your browser

  • Persistent Cookies: Retained for up to 13 months (analytics/marketing) or as specified

  • Marketing Cookies: Cleared upon opt-out; historical consent records retained for 5 years


12. DATA SECURITY & PROTECTION MEASURES

12.1 Technical & Organizational Safeguards

We implement comprehensive security measures to protect personal data against unauthorized access, loss, alteration, or destruction:

Encryption:

  • Data in transit: TLS 1.2+ encryption for all connections (HTTPS)

  • Data at rest: AES-256 encryption for sensitive data (payment, identity, health information)

  • End-to-end encryption for confidential communications where applicable

Access Controls:

  • Role-based access control (RBAC): Only authorized personnel access personal data

  • Principle of least privilege: Employees access only necessary data

  • Multi-factor authentication (MFA) for all administrative accounts

  • Regular access reviews and audit trails

Security Infrastructure:

  • Firewalls and network segmentation

  • Intrusion detection and prevention systems (IDPS)

  • Distributed denial-of-service (DDoS) protection

  • Regular vulnerability scanning and penetration testing

  • Security information and event management (SIEM)

Data Integrity:

  • Regular backups (tested recovery)

  • Data validation and checksums

  • Change management and version control

Personnel Security:

  • Data protection training for all employees

  • Confidentiality agreements and NDAs

  • Background checks for staff with data access

  • Incident response procedures and drills

Vendor Management:

  • Due diligence on all processors and sub-processors

  • Contractual security obligations (Data Processing Agreements)

  • Regular security audits and compliance reviews

  • Incident notification requirements

12.2 PCI DSS Compliance

For payment card processing:

  • We do not store full card details on our systems (tokenization)

  • Payment processing is outsourced to PCI-DSS Level 1-certified processors (Stripe, PayPal, etc.)

  • We maintain strict network segregation and access controls

  • Regular security assessments and audits are conducted


13. DATA BREACH NOTIFICATION

13.1 Our Breach Obligations

In the event of a personal data breach (unauthorized access, loss, or disclosure), we will:

To the Supervisory Authority (UK ICO or EU DPA):

  • Notify within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights and freedoms

  • Include: nature of breach, affected individuals, consequences, measures taken

To Affected Individuals (High-Risk Breaches):

  • Notify directly, without undue delay, if the breach poses a high risk to rights and freedoms

  • Include: description of the breach, potential consequences, measures taken to mitigate risk

  • Provide notifications in clear, plain language

Documentation:

  • Maintain records for regulatory inspection

  • Document the assessment process, risk evaluation, and actions taken

13.2 What Constitutes a “Risk to Rights and Freedoms”

A breach is likely to result in risk if it could lead to:

  • Financial loss

  • Identity theft

  • Fraud

  • Discrimination

  • Loss of confidentiality or privacy

  • Blackmail or exploitation

  • Reputational damage

  • Other significant disadvantage

13.3 Your Rights if Breached

If your data is breached, you may:

  • Request confirmation that a breach occurred

  • Obtain details about the breach and remedial actions

  • Exercise your rights to access, rectification, or erasure

  • Lodge a complaint with the ICO or your national DPA

  • Pursue civil claims for damages


14. THIRD-PARTY LINKS & SERVICES

Our Website and App may contain links to third-party websites and services (e.g., social media platforms, payment processors, booking references) that are not operated by Meetlyr. This Policy does not apply to third-party services.

Your Responsibilities:

  • Review the privacy policies of third-party services before providing personal data

  • We are not responsible for third-party privacy practices or security measures

  • Linking to a third party does not constitute endorsement

Social Media Integration:
If you link your social media account (Facebook, Google, etc.) with Meetlyr:

  • We access only the information you authorize

  • Check your social media privacy settings to control what information is shared

  • You may disconnect your social account anytime


15. CHILDREN & MINORS

15.1 Age Restrictions

Our Services are not intended for children under 13 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under 13.

15.3 Child Data Breach

If we become aware that we have collected data from a child under 13 without parental consent, we will:

  • Cease collection immediately

  • Delete such data within 30 days

  • Notify parents/guardians where feasible

Report Child Data: Contact hello@meetlyr.com immediately.


16. EXERCISING YOUR RIGHTS

16.1 How to Submit Requests

By Email: hello@meetlyr.com (include “Data Subject Request” in subject line)

By Mail:
Meetlyr Limited
Privacy Team
Failsworth, Manchester, England, M35 9FD.
United Kingdom

16.2 Verification & Response

  • We will verify your identity before processing your request (to prevent unauthorized access)

  • We will respond within 30 days of receipt of a valid request

  • Extensions: For complex requests, we may extend up to two months (notifying you of the extension)

  • Costs: Requests are free; we will not charge fees unless requests are manifestly unfounded or excessive

16.3 Request Evidencing

We maintain detailed records of all data subject requests, including:

  • Date received and response deadline

  • Type of request

  • Information provided

  • Response date and method

  • Any extensions or denials

  • Justifications for any refusals

These records are available for supervisory authority inspection.


17. DIRECT MARKETING & COMMUNICATIONS

17.1 Email Marketing (PECR Compliance)

For Individuals:

  • New customers: Explicit opt-in consent required before sending marketing emails

  • Existing customers: We may send marketing via “soft opt-in” (with clear unsubscribe option in every message) provided:

    • You have purchased or negotiated to purchase a similar service

    • You have not previously opted out

    • You receive a simple way to opt out with each message

For Corporate Recipients (businesses):

  • No prior consent required (but unsubscribe option mandatory)

  • We may not disguise our identity

  • We provide a valid contact address for opt-outs

17.2 SMS & Push Notifications

  • Explicit opt-in consent required before sending SMS or push notifications for marketing

  • Clear opt-out mechanism provided in every message

  • Frequency capped to prevent spam

17.3 Unsubscribe & Preference Management

You may opt out of marketing communications by:

  • Accessing the “unsubscribe” link or writing “unsubscribe” in marketing emails

  • Replying to SMS with “STOP”

  • Adjusting notification settings in your mobile device or account

  • Contacting hello@meetlyr.com

We will remove you from marketing lists within 10 business days and will not send further marketing to that address.

Note: Service-related communications (booking confirmations, customer support, security alerts) are not optional and will continue.

17.4 Soft Opt-In Exception

Under PECR Regulation 22, we may send marketing emails to existing customers who purchased a similar product/service without explicit consent, provided:

✓ We gave you a simple way to opt out when we first collected your contact details (at signup, purchase, or data collection)
✓ You have purchased or negotiated to purchase a similar product or service from Meetlyr
✓ You have not previously opted out
✓ We provide a clear unsubscribe option in every marketing email
✓ Your marketing preference is not for a substantially different product or service

You may opt out anytime. We will remove you from marketing lists within 10 business days.

NOTE: Soft opt-in does NOT apply to:
– Prospective customers who have never purchased from us
– Contacts acquired from third-party marketing lists
– Marketing of substantially different services from what you previously purchased


18. LEGITIMATE INTERESTS BALANCING TEST

Where we rely on legitimate interests as the lawful basis (Section 4.3), we balance our interests against your rights as follows:

Our Legitimate Interests:

  • Fraud detection and prevention

  • Network and IT security

  • Service optimization and analytics

  • Direct marketing to existing customers

  • Enforcement of rights and contracts

  • Cost reduction and efficiency

Your Interests & Rights:

  • Privacy and confidentiality

  • Autonomy and freedom from surveillance

  • Data security

  • Reasonable expectations

  • Vulnerable population protections

Our Balancing Assessment:

  • We apply privacy by design principles

  • We collect only necessary data (minimization)

  • We use technical safeguards (encryption, access controls)

  • We provide transparency and opt-out mechanisms

  • We do not sell data to third parties for profit

  • We restrict profiling for high-risk decisions

Opt-Out Mechanisms:
You may object to legitimate-interest-based processing by contacting hello@meetlyr.com.


19. UPDATES TO THIS POLICY

We may update this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes (e.g., new purposes, new recipients, international transfers) will be notified to you via email or prominent notice on the Website at least 30 days before taking effect. Minor clarifications may be updated without notice. The version published on https://meetlyr.com is the current version. Your continued use of the Services constitutes acceptance of the updated Policy.

Changes & Your Rights:

  • Material changes (e.g., new purposes, new recipients, international transfers) will be notified to you via email or prominent notice on the Website at least 30 days before taking effect

  • Minor clarifications may be updated without notice

  • Your continued use of the Services constitutes acceptance of the updated Policy

  • You may review previous versions by contacting hello@meetlyr.com

Last Updated: January, 2026


20. FINAL PROVISIONS

20.1 Severability

If any provision of this Policy is found to be invalid or unenforceable, that provision will be modified to the minimum extent necessary to comply with applicable law, and the remainder of the Policy will continue in full force and effect.

20.2 Entire Agreement

This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and Meetlyr regarding the processing and protection of your personal data.

20.3 Governing Law & Jurisdiction

This Policy is governed by the laws of the United Kingdom (for UK data subjects) or where local laws prevail. 


END OF PRIVACY POLICY
Effective Date: January, 2026
Note: This Privacy Policy is current as of January 2026. Meetlyr Limited reserves the right to update, modify, or amend this Privacy Policy at any time. To ensure you have the most current and legally binding version of this Privacy Policy and our Terms of Service, please always contact the Meetlyr team before relying on this document for legal or compliance purposes. Material changes (including changes to data processing purposes, new data recipients, changes to retention periods, or new international data transfers) will be communicated to you via email or prominent notice on the Website at least 30 days before taking effect. Your continued use of Meetlyr’s Website and App constitutes acceptance of the current Privacy Policy and Terms of Service.


ANNEX A: SUBPROCESSOR LIST

Primary Subprocessors as of January 22, 2026:

| Service Category | Processor/Subprocessor | Location | Processing Activity |
|---|---|---|---|
| Cloud Infrastructure | Hostinger or other | EU/UK Data Centers | Data storage, backup, hosting |
| Cloud Infrastructure | Cloudinary or other | EU/UK Data Centers | Data storage, backup, hosting |
| Payment Processing | Stripe or other | UK/EU | Payment processing, card tokenization |
| Email Communications | Mailchimp or other | US (under Data Privacy Framework) | Email delivery, marketing emails |
| Analytics | Google Analytics, Meta, Clarity, etc. or other | US/EU (privacy-enhanced) | Usage analytics, aggregated data |
| Customer Support | Tawk | US/EU | Support ticket management, storage |
| Identity Verification | Didit or other | UK/EU | Identity verification, background checks |
| SMS Delivery | Local SMS provider | US | SMS delivery, notifications |

Note: This list might not be up to date. In such a case, please contact the Meetlyr team at hello@meetlyr.com.


ANNEX B: COOKIE CONSENT RECORD

Consent records are maintained for a minimum of 5 years as required by PECR and GDPR audit requirements. Records include:

  • Date and time of consent

  • Cookie categories consented to

  • Consent method (banner, settings, account)

  • IP address (hashed for privacy)

  • Consent string / identifier

  • Version of Privacy Policy accepted