Privacy policy
Legal entity: Orion Tech Labs S.A. (“we”, “us”, “our”) — registered seat Athens, Greece.
Brand / product: Lykos is the trade name for the service we operate at https://lykos.co. In this policy, “Lykos”, “the Service”, and “the Site” refer to that website and the Lykos offering (including features used by employers and candidates, such as search, profiles, assessments, and human-capital or performance workflows where available).
Regulatory scope. This policy addresses transparency requirements under the EU General Data Protection Regulation (“GDPR”) and the UK GDPR, where those laws apply to our processing. Specific activities may require additional legal analysis (including legal bases, controller/processor roles, and sector rules).
1. Scope: who this policy is for
This policy describes how we handle personal data when you:
- visit or use the public marketing website and related pages;
- request a demo, contact us, or submit enquiries on the Site;
- use Lykos as an authorised user after your organisation (our customer) grants access — including employer administrators, employees (employee portal), and candidates (candidate portal), where enabled; or
- interact with Lykos in any other role made available under your organisation’s configuration.
B2B and enterprise access. We sell Lykos primarily to organisations. End-user accounts are typically created or invited by the customer organisation, not via open public sign-up on the marketing Site. Enterprise terms (including security, subprocessors, and retention) may be set out in a customer agreement and data processing agreement in addition to this policy.
Your organisation and your data. If your employer (or another organisation) uses Lykos for recruitment, performance, people analytics, or similar workflows, that organisation is usually the controller of personal data about its candidates and employees. We typically act as a processor under their instructions and a written agreement (including Article 28 GDPR terms where required). Your employer’s privacy notices and contracts apply to that processing in addition to this policy. Where we are a processor, we process personal data only on documented instructions unless we are required to do otherwise by law.
2. Data controller and contact
Controller (for processing we describe as carried out by us):
Orion Tech Labs S.A.
Registered seat: Athens, Greece
Website: https://lykos.co
Email: info@lykos.co
Privacy and data protection contact. For privacy questions and to exercise your rights under §12, contact privacy@lykos.co.
Data Protection Officer (DPO). EU/UK law requires a formal DPO only in specific cases (see Article 37 GDPR). Where a DPO is required or appointed, we will publish their name and contact details here. Until then, privacy and data-protection enquiries are handled via privacy@lykos.co (not necessarily by a person titled “DPO”).
EU/UK representative (Article 27). If we are required to designate a representative in the EU or UK, we will publish contact details in this section.
3. Categories of personal data
Depending on how you use Lykos, we may process:
| Category | Examples (non-exhaustive) |
|---|---|
| Identity and contact | Name, email, phone, job title, postal address, company name. |
| Account and technical | Login identifiers, credentials, device/browser type, IP address, logs, diagnostics, security tokens. |
| Usage and communications | Pages viewed, actions in the Service, support tickets, email and form content you send us. |
| Recruitment and workforce (where applicable) | CV/resume, application answers, interview notes, skills, role history, referral information, identifiers your employer uploads. |
| Assessments and performance (where applicable) | Results or scores from psychometric or skills assessments, goals, feedback, ratings — only as configured for your organisation’s use of the Service. |
| Marketing and preferences | Demo requests, newsletter or event sign-ups, cookie/analytics choices (see Cookies). |
| Payment | Payment status and transaction references via our payment providers; we do not store full card numbers, as described in Payment processing below. |
We apply data minimisation: we aim to collect only what is needed for the purposes below.
4. Purposes and legal bases (GDPR Article 6)
We process personal data only where we have a lawful basis under Article 6. The basis that applies depends on the activity. The following may apply, depending on the processing:
| Purpose | Legal basis (examples) |
|---|---|
| Operating the Site and Service; accounts; security; support | Contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)) in running a secure platform. |
| Optional marketing-site analytics cookies/scripts | Consent (Art. 6(1)(a)) via our cookie banner. |
| Complying with law (tax, accounting, court orders) | Legal obligation (Art. 6(1)(c)). |
| Direct marketing (e.g. product updates) where not covered by consent | Legitimate interests (Art. 6(1)(f)) or consent, as required by local law — you may object or unsubscribe where offered. |
| Processing on behalf of a customer organisation (employer) | Performance of our contract with that customer and the customer’s documented instructions as processor; the customer’s legal basis applies to their relationship with candidates/employees. |
If we rely on legitimate interests, we consider your rights and allow you to object where required by law (see Your rights).
5. Special categories of data (GDPR Article 9)
Special categories (e.g. health, biometric data used to uniquely identify, or certain diversity-related information) require stricter conditions. We do not intend to process special-category data on the marketing site. If the Service is configured to process such data (e.g. health-related assessments where legally permitted), we do so only where permitted by Article 9 and applicable law, and only as agreed with the relevant controller and documented in your customer agreement or record of processing.
6. Sources of personal data
We usually collect personal data directly from you (Article 13 GDPR). We may also receive it:
- from your employer or other organisation that uses Lykos (Article 14 GDPR — information may also be provided by that organisation);
- from integrations (e.g. HRIS/ATS) that your organisation connects;
- from referrals or shared links your organisation sends.
Where we did not obtain data from you, we work with the controller to ensure required transparency, unless an exemption applies.
7. Recipients, subprocessors, and sharing
We may share personal data with:
- Service providers who host, secure, email, or support the Service (processors under Article 28 GDPR), under written agreements;
- Payment providers (see below), only as needed to process payments;
- Professional advisers (lawyers, auditors) where required;
- Authorities when required by law or to protect rights and safety.
We do not sell your personal data. We do not share your information for third-party marketing unrelated to Lykos except where you have opted in where required.
Subprocessors (examples). Depending on how you use Lykos, processors may include:
| Provider | Role (summary) | Typical context |
|---|---|---|
| Vercel | Hosting, CDN, Web Analytics / Speed Insights | Marketing site and application |
| Supabase | Database, authentication, storage | Logged-in application (app.lykos.co) |
| CookieYes | Cookie consent management platform | Marketing website (lykos.co) |
| Google (Analytics / Tag Manager) | Optional marketing analytics | Marketing site, after consent |
| Cloudflare | Turnstile (bot protection) | Marketing forms when enabled |
| Resend | Transactional email (e.g. form notifications) | Marketing contact/demo flows |
| HubSpot | CRM (contact records from form submissions) | Marketing leads (server-side API) |
| Sentry | Error monitoring | Application |
This table is illustrative, not exhaustive. You may request a current list of subprocessors (or a link to our published page) by contacting security@lykos.co.
8. International transfers
If we transfer personal data outside the European Economic Area or the UK, we use appropriate safeguards such as Standard Contractual Clauses (EU Commission or UK ICO versions), adequacy decisions, or other mechanisms permitted by law. You may request a summary of relevant safeguards by contacting security@lykos.co, or see your customer agreement.
9. Retention
We keep personal data only as long as necessary for the purposes above, including:
- marketing and contact enquiries — typically for the duration of the relationship and a limited period afterwards for follow-up and legal claims;
- Service accounts — for the life of the contract and as required by law;
- customer-controlled data — as set by the customer organisation or in our customer agreement, unless a longer period is required by law.
We delete or anonymise data when no longer needed, subject to backup and legal retention requirements.
10. Security
We use technical and organisational measures appropriate to the risk (access controls, encryption in transit where appropriate, vendor vetting). No method of transmission or storage is 100% secure.
11. Automated decision-making and profiling (GDPR Article 22)
Lykos does not carry out solely automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 GDPR. The Service is designed to support employers and teams with information and workflows; employment and hiring decisions remain with people (your organisation), not with a fully automated system that would trigger Article 22 rights. If our practices change, we will update this policy.
12. Your rights
Where GDPR / UK GDPR applies, you may have the right to:
- Access your personal data (Article 15);
- Rectification (Article 16);
- Erasure (“right to be forgotten”) (Article 17);
- Restriction of processing (Article 18);
- Data portability (Article 20);
- Object to processing based on legitimate interests or for direct marketing (Article 21);
- Withdraw consent where processing is based on consent, without affecting prior lawful processing;
- Lodge a complaint with a supervisory authority (in the EU/EEA, typically where you live or work; in Greece, the Hellenic Data Protection Authority — www.dpa.gr).
If your organisation is the controller of your work data, we may need to direct your request to them or process it jointly with them, as required by law.
To exercise rights, contact privacy@lykos.co. We will respond within the time limits set by law (e.g. one month under GDPR, subject to extension).
13. Cookies and similar technologies
Cookies are small files used as identifiers; we also use similar technologies (such as browser local storage) to remember your choices.
13.1 Public marketing website (lykos.co)
Cookie banner (CookieYes). On the public marketing site we use CookieYes as our consent management platform. It groups cookies into categories (for example Necessary, Analytics, and Advertisement where applicable). Non-essential scripts (including Google Analytics 4 loaded via Google Tag Manager) run only if you allow the relevant category — typically by choosing Accept all or enabling Analytics in the preference centre. Necessary cookies include those needed to remember your consent choice and basic site operation (such as language preference).
What we use on the marketing site (summary):
| Category | Examples | Legal basis |
|---|---|---|
| Necessary | CookieYes consent cookie; locale preference (NEXT_LOCALE); Cloudflare Turnstile on forms (when enabled) | Legitimate interests / strictly necessary for the service you request |
| Analytics (optional) | Google Analytics 4 (G-38198M533M) via Google Tag Manager; may include Vercel Web Analytics | Consent — only if you allow Analytics |
| Advertisement | Not used on the marketing site today | N/A unless we add advertising tags later |
Google Consent Mode. Where Google tags are used, we apply Google Consent Mode v2: analytics and advertising storage default to denied until you consent, in line with CookieYes and our banner.
How you control this: Use the cookie banner on first visit, or open Cookie settings / the CookieYes preference centre (footer link when shown) to change or withdraw consent. Your choices are stored in your browser (including consent logs sent to CookieYes for compliance records). Blocking or clearing cookies may limit how the Site works.
For a maintained technical list of cookies, see the cookie policy section in the CookieYes dashboard (linked from the banner where configured).
13.2 Lykos application after login (app.lykos.co)
The logged-in product is a separate experience from the public marketing site:
- We do not use the CookieYes marketing banner on the application. Session and security cookies (e.g. authentication via Supabase) are used to operate the Service you sign in to — typically on contract / legitimate interests, not on marketing analytics consent.
- Optional product analytics (e.g. PostHog) or error monitoring (e.g. Sentry), if enabled for your deployment, are governed by this policy and your organisation’s agreement with us, not by the marketing cookie banner.
- Employer-uploaded employee or candidate data in the application is usually processed under your organisation’s instructions (see §1 — controller/processor roles).
If you only browse the marketing site and never log in, §13.1 is what applies to cookies on lykos.co.
14. Log data
When you visit the Site, we collect information that your browser sends (“Log Data”). Log Data may include your computer’s Internet Protocol (“IP”) address, browser version, pages of the Service that you visit, the time and date of your visit, time spent on those pages, and other statistics.
15. Payment processing
We do not store full credit/debit card numbers for our own purposes. Payment details are handled by authorised payment providers under their terms and PCI-DSS practices. We may receive limited payment metadata (e.g. status, last four digits, transaction ID) to operate billing.
16. Links to other sites
The Service may contain links to other sites. If you follow a third-party link, you leave our Site; we do not operate those external sites. Review their privacy policies. We have no control over and assume no responsibility for the content, privacy policies, or practices of third-party sites or services.
17. Children’s privacy
Our Services are not directed at anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that someone under 18 has provided personal information, we will delete it. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
18. Changes to this privacy policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the effective date where indicated. Material changes may require additional notice (e.g. email or in-product notice) where required by law.
Effective date: 21 March 2026
19. Contact us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at privacy@lykos.co.
Related documents
- Terms & conditions: https://lykos.co/terms
The defined terms in this Privacy Policy align with our Terms & conditions unless defined differently here.

