Privacy Policy
Effective date: June 22, 2026Last updated: June 22, 2026
This Privacy Policy explains how Seville AI Technologies, Inc., a Delaware corporation doing business as Thyn, collects, uses, discloses, retains, and otherwise processes personal information when you access or use Thyn, thyn.ai, or other websites, applications, APIs, products, and services that link to this Privacy Policy (collectively, the “Services”).
For clarity, Seville may also operate related brands, products, sites, and subdomains, including Codna.ai, Algenta.ai, Escrypto.ai, Decimas.ai, Telys.ai, and Cohenta.ai, unless a site-specific legal notice states otherwise. In this Policy, “Seville,” “Thyn,” “Company,” “we,” “us,” and “our” refer to Seville AI Technologies, Inc. and, where applicable, its affiliates involved in delivering the Services.
Our mailing address is 445 Park Avenue, 9th Floor, New York, NY 10022, USA. For privacy and data-protection inquiries, use the contact form at thyn.ai/contact or write to us at the address above.
Scope
This Policy applies to personal information we process as a controller for our own business purposes through the Services, including websites, apps, APIs, user accounts, hosted workspaces, support functions, analytics, communications, and related operations.
This Policy does not apply to information processed by third parties under their own privacy policies, including third-party integrations, app stores, payment processors, identity providers, browser vendors, linked websites, or customer-controlled deployments where we act solely as a processor under a separate written agreement.
Personal information we collect
We may collect the following categories of personal information, depending on how you use the Services:
- Account and profile information, such as your name, username, email address, password, account ID, organization, billing profile, and preferences.
- Contact and communications information, such as your email address, phone number, mailing address, support requests, survey responses, and any information you provide when contacting us.
- Inputs and uploaded content, such as prompts, messages, files, images, audio, video, code, attachments, datasets, comments, and other content you submit to the Services.
- Outputs and usage results, such as generated text, code, images, audio, classifications, recommendations, logs of actions taken through the Services, and user feedback on outputs.
- Technical, device, and log information, such as IP address, browser type, device type, operating system, identifiers, referring URLs, timestamps, approximate location derived from IP, crash data, and interaction data.
- Payment and transaction information, such as subscription plan, billing address, transaction history, and limited payment metadata. Payment card details are typically processed by our payment processors and not stored by us except as permitted by them and by law.
- Integration data, such as data retrieved from or sent to a third-party integration you choose to connect, along with tokens, scopes, and permissions required to support that connection.
- Marketing and cookie-related information, such as cookie IDs, analytics events, campaign parameters, and preference settings.
- Safety, verification, and compliance information, such as fraud signals, abuse reports, age-verification data, sanction-screening records, moderation flags, and security-event records.
- De-identified and aggregated data, derived from other categories where lawful.
Sources of personal information
We collect personal information:
- directly from you;
- automatically when you use the Services;
- from integrations, login providers, and third parties you authorize;
- from service providers acting on our behalf;
- from public or commercially available sources where legally permitted; and
- from safety, security, fraud-prevention, or compliance partners.
How we use personal information
We may use personal information to:
- provide, operate, maintain, secure, and support the Services;
- authenticate you, manage accounts, process payments, and provide customer service;
- generate, rank, return, store, and display Outputs and usage history;
- personalize and improve the Services, user experience, safety systems, and product features;
- detect, investigate, prevent, and respond to fraud, abuse, misuse, policy violations, security incidents, and unlawful activity;
- communicate with you about the Services, updates, transactions, support issues, security matters, and legal notices;
- conduct internal analytics, reporting, debugging, quality assurance, service measurement, and business operations;
- comply with law, enforce our Terms, protect rights and safety, and manage disputes or claims;
- carry out corporate transactions or diligence relating to a merger, financing, restructuring, sale, or acquisition; and
- send marketing communications where permitted by law and consistent with your choices.
Model training, product improvement, and safety review
We do not use your account content for generalized model training unless you affirmatively opt in through account settings, an in-product control, or another clear consent mechanism. If you opt in, we may use your Inputs, Outputs, and related usage data to improve model quality, features, and safety. Even if you do not opt in, we may still use:
- Feedback you voluntarily provide;
- content reasonably necessary for abuse detection, incident response, trust and safety, debugging, or legal compliance; and
- de-identified or aggregated information.
In all cases, we may analyze content with automated systems and, where reasonably necessary, limited trained-personnel review for product integrity, trust and safety, misuse prevention, legal compliance, and support.
Automated processing and decision-making
We may use automated tools to classify content, detect spam or abuse, rank or route requests, evaluate safety risk, detect fraud, authenticate accounts, personalize features, and improve Service quality. We may also use automated systems to assist moderation, filtering, and enforcement.
Unless we expressly disclose otherwise in a product-specific notice or agreement, we do not use personal information to make solely automated decisions that produce legal effects concerning you or similarly significantly affect you. If we ever do so in a context where applicable law grants specific rights, we will provide the notices and rights required by law, including rights relating to human review where applicable.
Legal bases for processing
If GDPR, UK GDPR, or similar laws apply, our legal bases may include:
- performance of a contract with you;
- legitimate interests, such as operating, securing, improving, and administering the Services;
- compliance with legal obligations;
- protection of vital interests; and
- your consent, where required.
Where we rely on consent, you may withdraw it at any time, but withdrawal does not affect processing already carried out lawfully before withdrawal.
How we disclose personal information
We may disclose personal information to:
- service providers and processors that help us host, secure, support, bill, monitor, analyze, moderate, or otherwise operate the Services;
- affiliates and related entities involved in delivering or administering the Services;
- integration partners and third parties you direct us to interact with, including when you connect an outside service or ask the Services to send or retrieve information from it;
- professional advisers, such as auditors, insurers, and legal counsel;
- authorities, courts, regulators, or law enforcement when required by law or where necessary to protect rights, safety, and security;
- transaction counterparties in a merger, acquisition, reorganization, financing, or asset sale; and
- other users or the public, if you intentionally publish, share, or make information available through public or collaborative features.
We may also disclose aggregated, anonymized, or de-identified information that does not reasonably identify you. We will not attempt to re-identify de-identified information except as permitted by law or as necessary to validate our de-identification processes.
Cookies and similar technologies
We and our partners may use cookies, pixels, SDKs, local storage, and similar technologies to operate the Services, remember preferences, authenticate sessions, measure performance, analyze usage, detect fraud, and—if enabled—support advertising or remarketing.
If required by law, we will request your consent before placing non-essential cookies or similar technologies on your device. You can manage cookie preferences through our banner, the “Cookie settings” link in the site footer, or your browser settings. If we engage in cross-context behavioral advertising or similar sharing under applicable U.S. state privacy laws, we will provide a “Your Privacy Choices” mechanism and honor required opt-out preference signals, including Global Privacy Control where applicable.
Sale, sharing, and targeted advertising
We do not sell personal information for monetary consideration. However, we may disclose identifiers or online activity information to analytics, advertising, or measurement partners in ways that may be considered “sharing” or a “sale” under certain U.S. state privacy laws. You may opt out through the “Cookie settings” controls in the site footer or an accepted opt-out preference signal where required.
If we process sensitive personal information, we will use and disclose it only as permitted by applicable law unless a broader use is separately disclosed and legally supported.
Data retention
We retain personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Services, maintain account records, resolve disputes, enforce agreements, secure the Services, comply with law, and protect rights and safety. Retention periods vary depending on the category of data, your settings, and legal or operational needs.
Typical retention periods include:
- active account information: retained while your account is active;
- prompts, chats, workspaces, uploaded files, and outputs: retained until deleted by you or according to product settings, then deleted or de-identified within 30 days, except where longer retention is needed for backups, trust and safety, billing, tax, legal hold, dispute resolution, or compliance;
- payment and transaction records: retained as required by tax, accounting, and financial-reporting laws;
- security, fraud, and abuse records: retained for as long as reasonably necessary to detect, investigate, respond to, and prevent harmful or unlawful activity;
- de-identified and aggregated information: may be retained longer where lawful.
Security measures
We maintain administrative, technical, and physical safeguards designed to protect personal information, which may include encryption in transit, encryption at rest where appropriate, access controls, authentication controls, logging, network segmentation, monitoring, backup and recovery, secure development practices, vendor diligence, and incident-response procedures. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
International data transfers
We may process personal information in the United States and in other countries where we or our providers operate. When required by applicable law, we use appropriate transfer mechanisms and safeguards for international transfers, such as adequacy decisions, the EU-U.S. Data Privacy Framework where applicable, and standard contractual clauses or equivalent measures.
Your privacy rights
Depending on where you live and subject to applicable exceptions, you may have rights to:
- know whether we process your personal information;
- access and obtain a copy of your personal information;
- correct inaccurate information;
- delete information;
- port certain information;
- object to or restrict certain processing;
- withdraw consent where processing is based on consent;
- opt out of sale, sharing, targeted advertising, or certain profiling where those rights exist;
- appeal certain rights-request decisions; and
- not be discriminated against for exercising privacy rights.
To exercise your rights, submit a request through our contact form at thyn.ai/contact or by mail to the address in the “Contact us” section below. We may need to verify your identity or authority before processing your request. Authorized agents may submit requests where permitted by law.
If you are a California resident, we will process requests consistent with the CCPA/CPRA and applicable regulations, including opt-out requests and recognized opt-out preference signals where required. If you are in the EEA, UK, or Switzerland, you may also have the right to complain to your supervisory authority.
Account deletion and content deletion
You may request deletion of your account or content through your account settings or by submitting a request through our contact form at thyn.ai/contact. Unless a longer period is required or permitted by law, contractual duty, legal hold, security need, or dispute-resolution requirement, we will delete or de-identify the requested data within 30 days after completing verification and processing the request. Backups and archived copies may persist for a limited additional period before being overwritten in the ordinary course.
Children’s privacy
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 without the consent required by law. If we learn that we collected personal information from a child under 13 without appropriate authorization, we will delete it as required by law. If you believe a child under 13 has provided us personal information, contact us through our form at thyn.ai/contact.
If Seville later launches a child-directed service or knowingly collects from children under 13, we will adopt a separate children’s privacy notice and verifiable parental-consent process before launch.
Sensitive data, health data, and no-HIPAA position
Unless a product-specific notice or signed agreement states otherwise, please do not submit:
- protected health information or other regulated healthcare data;
- government-issued identifiers except where specifically requested for verification;
- biometric identifiers used for unique identification;
- precise geolocation;
- financial account credentials;
- special-category personal data under GDPR; or
- data about children under 13.
Unless expressly agreed in writing, the Services are not offered as HIPAA-compliant services and are not intended for clinical diagnosis, treatment, emergency response, or regulated health-record processing.
Third-party links and integrations
The Services may contain links to or integrations with third-party sites or services. If you connect or use a third-party service, the third party’s terms and privacy policy apply to its handling of your information. We encourage you to review those materials carefully.
Breach notification
We maintain incident-response procedures and will notify affected individuals, regulators, business customers, and others of certain personal-data breaches when and as required by applicable law or contract. For example, EU law may require notification to supervisory authorities within 72 hours where feasible in qualifying cases; Florida law imposes notice obligations in certain circumstances, including notice to the Florida Department of Legal Affairs for breaches affecting 500 or more Florida residents.
Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a revised effective date and, where required by law, provide additional notice.
Contact us
Seville AI Technologies, Inc. d/b/a Thyn
445 Park Avenue, 9th Floor, New York, NY 10022, USA
For privacy requests, support, or any other inquiry, use our contact form at thyn.ai/contact.