Policy Draft
Legal Review Packet
Rendered from the repo policy source as a real command-center page. Draft for review, not legal advice.
NyrA Legal Review Packet
Status: Draft packet for attorney/accountant review
Last updated: 2026-05-31
Scope: NyrA Swarm Little Buddy desktop app only
This packet is a review handoff, not legal advice. It packages the policy drafts and open business decisions needed before a paid beta can safely take money.
Packet Contents
| File | Purpose | Status |
|---|---|---|
| PRIVACY_POLICY_DRAFT.md | Public privacy policy draft covering mic, camera, screen, local memory, passive logs, third-party AI, billing, support, and cloud dashboard data | Ready for legal review |
| TERMS_OF_SERVICE_DRAFT.md | Subscription, cancellation, safe-use, prohibited-use, AI limitation, and customer responsibility terms | Ready for legal review |
| EULA_DRAFT.md | Desktop software license, activation, restrictions, updates, and third-party component terms | Ready for legal review |
| REFUND_AND_CANCELLATION_POLICY_DRAFT.md | Final-sale refund posture with billing-error/legal exceptions and self-service cancellation | Ready for legal review |
| SECURITY_POLICY_DRAFT.md | Vulnerability intake, supported versions, testing rules, implemented controls, and incident response | Ready for release review |
| AI_PROVIDER_DATA_FLOW_DRAFT.md | Provider data-flow matrix for OpenAI, Anthropic, Google Gemini, xAI/Grok, consent gates, forbidden data, hosted-AI cap, BYOK boundary, and source links | Ready for legal review |
Product Facts For Review
- Product name: NyrA Swarm Little Buddy.
- Paid offer name: NyrA Swarm Little Buddy Pro.
- First paid target: paid beta.
- Trial: no trial right now.
- Refund posture: all purchases final, with legal and billing-error exceptions.
- Support email: `nyrasupport@gmail.com`, pending creation/confirmation.
- Entity: not decided.
- State: user indicated United States / South Carolina.
- Payments: existing Stripe account intended.
- Billing architecture: Stripe Checkout, Stripe Billing, Stripe Customer Portal, backend license service, desktop device activation.
- Cloud target: Cloudflare Pages, Workers, D1, R2, and scheduled triggers.
- AI model providers: OpenAI first, plus Anthropic, Google Gemini, and xAI/Grok routes if configured.
Implemented Trust Controls
- Paid feature gates return `NYRA_PRO_REQUIRED`.
- Privacy/consent gates return `NYRA_CONSENT_REQUIRED`.
- High-impact action gates return `NYRA_HIGH_IMPACT_APPROVAL_REQUIRED`.
- Typed IPC hardening limits renderer access to known channels and store keys.
- First-run consent and Settings Privacy & Consent controls exist.
- Local export/delete controls exist for privacy data and memory/log cleanup.
- Clean release verification runs outside the synced Google Drive checkout.
Open Decisions Needed From User
| Decision | Why it matters |
|---|---|
| Legal business name/entity path | Required for Stripe identity, policy publisher, tax, support, and legal docs |
| Public business address/contact policy | Needed for legal docs and customer trust |
| Monthly subscription price | Required before Stripe product/price creation |
| Hosted AI cap | Required before pricing can be defended and policy can disclose usage limits |
| Domain | Required for public policy URLs, checkout success/cancel URLs, and email identity |
| Support inbox confirmation | Required before policy publication and paid beta |
| Code signing path | Required before a trusted Windows paid beta |
| Tax handling | Required before live payments at scale |
Attorney Review Checklist
- Confirm legal entity, publisher name, governing law, venue, liability cap, dispute resolution, arbitration/class waiver posture, and consumer-law exceptions.
- Review final-sale refund language and cancellation process for subscriptions.
- Review no-trial subscription disclosure language.
- Confirm privacy disclosures for microphone, camera, screen, local memory, passive context logs, third-party AI, support uploads, and cloud dashboard uploads.
- Confirm provider/subprocessor references and whether a separate data processing addendum is needed.
- Confirm AI provider data-flow language for OpenAI, Anthropic, Google Gemini, xAI/Grok, hosted-AI cap disclosures, and BYOK future boundary.
- Confirm under-13 policy and whether broader age restrictions are needed.
- Confirm biometric/voice identity language. Current draft avoids biometric recognition claims.
- Confirm breach notification and incident-response language for South Carolina and any other state where customers are sold.
- Confirm support contact, business contact, and policy update notice procedure.
Stripe Publication Checklist
Before live checkout:
- Public Privacy Policy URL exists.
- Public Terms URL exists.
- Refund/Cancellation Policy URL exists.
- Support email exists and appears on receipts.
- Checkout discloses price, billing interval, no trial, renewal terms, included usage, cancellation path, and final-sale refund posture.
- Customer Portal allows invoice access, payment method updates, and cancellation.
- Webhook endpoint is live and signed.
- Test-mode checkout, activation, cancellation, failed invoice, and refund review flows are tested.
Source Register
- FTC Privacy and Security: https://www.ftc.gov/business-guidance/privacy-security
- FTC Protecting Personal Information: https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business
- FTC subscription cancellation guidance: https://www.ftc.gov/business-guidance/blog/2024/10/click-cancel-ftcs-amended-negative-option-rule-what-it-means-your-business
- FTC Biometric Policy Statement: https://www.ftc.gov/legal-library/browse/policy-statement-federal-trade-commission-biometric-information-section-5-federal-trade-commission
- OpenAI Data Controls: https://platform.openai.com/docs/guides/your-data
- Anthropic Organization Data Retention: https://privacy.claude.com/en/articles/7996866-how-long-do-you-store-my-organization-s-data
- Anthropic Processor/Controller FAQ: https://support.claude.com/en/articles/9267385-does-anthropic-act-as-a-data-processor-or-controller
- Google Gemini API Data Logging and Sharing: https://ai.google.dev/gemini-api/docs/logs-policy
- xAI API Security FAQ: https://docs.x.ai/developers/faq/security
- Stripe Checkout: https://docs.stripe.com/payments/checkout
- Stripe Customer Portal: https://docs.stripe.com/customer-management
- Stripe refunds support: https://support.stripe.com/questions/how-to-refund-a-customer
- South Carolina Code Section 39-1-90: https://law.justia.com/codes/south-carolina/title-39/chapter-1/section-39-1-90/
Publication Blocker
Do not publish these policies or take live payments until the support inbox, legal entity/contact, domain, public policy URLs, pricing, hosted AI cap, and attorney review are complete.