Loxias · Pythia
Privacy Policy
Last updated: 1 June 2026
This Privacy Policy explains how Loxias Limited (“Loxias”, “we”, “us”, “our”) collects, uses, shares and protects personal information when you use the Pythia service available at pythia.loxias.ai (the “Service”). This policy is specific to Pythia and complements our general corporate Loxias Privacy Policy.
1. Our Approach to Privacy
We are committed to processing personal information lawfully, fairly and transparently. We implement appropriate technical and organisational measures, including encryption, to protect the information you entrust to us. We collect only the data we need to operate the Service and we retain it only for as long as we have a lawful basis to do so.
2. About Us
Loxias Limited is a company incorporated in England and Wales under company number 14068686, with its registered office at Lumaneri House, Blythe Gate, Blythe Valley Park, Solihull, United Kingdom, B90 8AH. We are registered with the UK Information Commissioner’s Office (ICO) under registration C1374993.
For the purposes of UK and EU data protection law, Loxias Limited is the “controller” of the personal information processed through the Service. For the purposes of Brazil’s LGPD (Lei 13.709/2018), Loxias acts as “controlador” of customer account data and, where applicable, as “operador” on behalf of our customers in respect of YouTube live chat data collected through their authorized channels.
3. Personal Information We Collect & Use
The table below summarises the categories of personal information we collect, what we use them for, and the legal basis on which we process them.
| Category | What we collect & use | Legal basis |
|---|---|---|
| Account information | Name, email address, language preference, hashed password (or Supabase Auth identifier if signing in via a federated provider). Used to authenticate you and provision your workspace. | Contract (performance of the agreement between you and us); legitimate interests in operating a secure service. |
| YouTube data accessed via OAuth | Live chat messages from broadcasts on channels you authorize; channel and broadcast metadata (title, statistics, start/end times); caption tracks where available. Scopes: youtube.readonly and (when caption download is needed) youtube.force-ssl. | Contract; legitimate interests in providing the analytics features you have asked us to perform on your data. |
| Workspace activity | Actions you take inside the Service (broadcasts created, invites sent, settings changed). Used for audit logging, billing reconciliation and product improvement. | Contract; legitimate interests in maintaining security and improving the Service. |
| Technical & operational data | Request paths, timestamps, error stack traces with personal identifiers scrubbed, IP address (truncated where possible). Used for security, debugging and abuse prevention. | Legitimate interests in operating a reliable and secure service; legal obligations. |
| Communications | Messages you send to our support or sales channels. Used to respond to enquiries and improve our communications. | Legitimate interests; consent (if required under applicable law). |
We do not read content outside the OAuth scopes you have authorized, do not access private messages, and do not access monetization or financial data beyond the aggregated statistics returned by the YouTube API.
4. YouTube API Services
Pythia uses YouTube API Services to provide the analytics features described above. By using Pythia you also agree to be bound by the YouTube Terms of Service and acknowledge the Google Privacy Policy.
You may revoke Pythia’s access to your YouTube data at any time by visiting security.google.com/settings/security/permissions and removing “Pythia” from the list of authorised applications. We honour revocation immediately upon receiving notice from Google’s authorisation servers.
We do not use YouTube data for advertising, do not sell YouTube data to third parties, and do not train machine-learning models on user-identifiable YouTube data.
5. Anonymous & Aggregated Data
We may produce aggregated or anonymised statistics from the data we process (for example, industry benchmarks, sentiment distributions across broadcasts). Such data does not identify any individual and is not personal data for the purposes of UK GDPR, EU GDPR or LGPD.
6. Data Retention
We determine retention periods on a category-by-category basis, considering the purpose of processing, the sensitivity of the data, applicable legal obligations and the customer subscription tier. The table below sets out our standard retention windows for the Pythia service.
| Data | Retention |
|---|---|
| Live chat messages & per-message sentiment | Up to 90 days from the broadcast end date (longer windows available on higher subscription tiers). |
| Aggregated analytics (summaries, timelines, themes) | Workspace lifetime. |
| Account information | Lifetime of the account; deleted within 30 days of account closure (or longer where required by law). |
| OAuth refresh tokens | Until revoked or the account is closed. |
| Audit logs & operational logs | Up to 12 months. |
When a workspace is deleted, all associated YouTube data, sentiment classifications, summaries and uploads are removed within 30 days, subject to any longer period required by law.
7. Recipients of Your Personal Information
We share personal information only with the categories of recipients listed below, and under contractual safeguards that bind them to protect the data.
- Service providers (sub-processors). We use the following sub-processors to operate the Service: Supabase (managed PostgreSQL, authentication, file storage); Hugging Face (dedicated inference endpoint for sentiment classification); Google Cloud — Gemini API (LLM-based summaries and analyses); Vercel (application hosting and CDN); Railway (background worker hosting); Sentry (error monitoring with payload scrubbing); Slack (optional, operational alerts to workspace administrators).
- Professional advisors. Lawyers, accountants and auditors, under duties of confidentiality.
- Parties to a business transaction. If we sell, merge or transfer all or part of our business, your data may be transferred to the acquiring party under equivalent privacy protections.
- Law enforcement and regulators. Where required by law or court order, or to protect the rights, property or safety of Loxias, our users or the public.
- Group members. Other Loxias group entities, where necessary to provide the Service, under the same protections.
We do not sell personal data.
8. Storing & Transferring Data
All traffic between your browser and our servers is encrypted with TLS 1.3. OAuth refresh tokens and other secrets are encrypted at rest using AES-256 with an application-managed key; database volumes are encrypted by the underlying cloud provider. Row-Level Security is enabled on all database tables that contain customer or YouTube data. Access to production systems is restricted to authorised engineers and audited.
Some of our sub-processors are located outside the UK and the EEA. Where personal data is transferred internationally, we rely on the safeguards permitted by applicable law, including UK Addendum / EU Standard Contractual Clauses, adequacy decisions where available, or your explicit consent.
9. Your Rights
Under UK GDPR, EU GDPR and Brazil’s LGPD, you have the following rights in respect of your personal data. Not all of these rights are absolute and we may need to verify your identity before responding to a request.
- Right of access — to obtain confirmation of, and a copy of, the personal data we hold about you;
- Right to rectification — to have inaccurate or incomplete data corrected;
- Right to erasure (“right to be forgotten”) — to have your data deleted in defined circumstances;
- Right to restriction of processing;
- Right to data portability — to receive your data in a structured, machine-readable format;
- Right to object to processing carried out on the basis of legitimate interests;
- Right to withdraw consent at any time, where processing is based on consent (including by revoking OAuth as described in §4);
- Right to lodge a complaint with a supervisory authority — in the UK with the Information Commissioner’s Office (ico.org.uk); in Brazil with the Autoridade Nacional de Proteção de Dados (gov.br/anpd).
To exercise any of these rights, please contact us at technology@loxias.ai.
10. Cookies & Analytics
The Service uses cookies that fall into two categories:
- Strictly necessary cookies — used to authenticate you and maintain your session.
- Analytics cookies — we use Google Analytics 4 to understand how visitors find and use the Service (page views, navigation flows, traffic sources). The data collected is aggregated and used to improve product and content. We do not use these cookies for advertising, retargeting, or to identify you personally outside the Service.
Google Analytics may set cookies (such as _ga, _ga_*) and may transfer data to Google LLC servers located outside the UK/EU, including in the United States, subject to the Standard Contractual Clauses and the EU-US Data Privacy Framework. For details on how Google processes this data, see Google’s Privacy Policy. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
We do not use third-party advertising or cross-site tracking cookies on the authenticated parts of Pythia.
11. Third-Party Links
The Service may contain links to third-party websites (including Google services). We are not responsible for the privacy practices of those sites; please review their own privacy policies before providing personal information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced by email or by an in-app notice at least 15 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contacting Us
Loxias Limited
Lumaneri House, Blythe Gate, Blythe Valley Park,
Solihull, United Kingdom, B90 8AH
Company number: 14068686 · ICO registration: C1374993
Email: technology@loxias.ai
See also our Terms of Service and the corporate Loxias Privacy Policy.