Privacy policy
Legal entity: Orion Tech Labs S.A. (“we”, “us”, “our”) — registered seat Athens, Greece.
Brand / product: Lykos is the trade name for the service we operate at https://lykos.co. In this policy, “Lykos”, “the Service”, and “the Site” refer to that website and the Lykos offering (including features used by employers and candidates, such as search, profiles, assessments, and human-capital or performance workflows where available).
Regulatory scope. This policy addresses transparency requirements under the EU General Data Protection Regulation (“GDPR”) and the UK GDPR, where those laws apply to our processing. Specific activities may require additional legal analysis (including legal bases, controller/processor roles, and sector rules).
1. Scope: who this policy is for
This policy describes how we handle personal data when you:
- visit or use the public marketing website and related pages;
- create an account, request a demo, contact us, or otherwise use Lykos as a product; or
- interact with Lykos as a candidate or employer user where your organisation uses the Service.
Your organisation and your data. If your employer (or another organisation) uses Lykos for recruitment, performance, people analytics, or similar workflows, that organisation is usually the controller of personal data about its candidates and employees. We typically act as a processor under their instructions and a written agreement (including Article 28 GDPR terms where required). Your employer’s privacy notices and contracts apply to that processing in addition to this policy. Where we are a processor, we process personal data only on documented instructions unless we are required to do otherwise by law.
2. Data controller and contact
Controller (for processing we describe as carried out by us):
Orion Tech Labs S.A.
Registered seat: Athens, Greece
Website: https://lykos.co
Email: info@lykos.co
Data Protection Officer (DPO) / representatives. If we appoint a DPO (where required under Article 37 GDPR or equivalent) or an EU/UK representative (where required under Article 27 GDPR or UK equivalent), we will publish contact details in this section.
3. Categories of personal data
Depending on how you use Lykos, we may process:
| Category | Examples (non-exhaustive) |
|---|---|
| Identity and contact | Name, email, phone, job title, postal address, company name. |
| Account and technical | Login identifiers, credentials, device/browser type, IP address, logs, diagnostics, security tokens. |
| Usage and communications | Pages viewed, actions in the Service, support tickets, email and form content you send us. |
| Recruitment and workforce (where applicable) | CV/resume, application answers, interview notes, skills, role history, referral information, identifiers your employer uploads. |
| Assessments and performance (where applicable) | Results or scores from psychometric or skills assessments, goals, feedback, ratings — only as configured for your organisation’s use of the Service. |
| Marketing and preferences | Demo requests, newsletter or event sign-ups, cookie/analytics choices (see Cookies). |
| Payment | Payment status and transaction references via our payment providers; we do not store full card numbers as described in Payment processing below. |
We apply data minimisation: we aim to collect only what is needed for the purposes below.
4. Purposes and legal bases (GDPR Article 6)
We process personal data only where we have a lawful basis under Article 6. The basis that applies depends on the activity. The following may apply, depending on the processing:
| Purpose | Legal basis (examples) |
|---|---|
| Operating the Site and Service; accounts; security; support | Contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)) in running a secure platform. |
| Optional marketing-site analytics cookies/scripts | Consent (Art. 6(1)(a)) via our cookie banner. |
| Complying with law (tax, accounting, court orders) | Legal obligation (Art. 6(1)(c)). |
| Direct marketing (e.g. product updates) where not covered by consent | Legitimate interests (Art. 6(1)(f)) or consent, as required by local law — you may object or unsubscribe where offered. |
| Processing on behalf of a customer organisation (employer) | Performance of our contract with that customer and the customer’s documented instructions as processor; the customer’s legal basis applies to their relationship with candidates/employees. |
If we rely on legitimate interests, we consider your rights and allow you to object where required by law (see Your rights).
5. Special categories of data (GDPR Article 9)
Special categories (e.g. health, biometric data used to uniquely identify, or certain diversity-related information) require stricter conditions. We do not intend to process special-category data on the marketing site. If the Service is configured to process such data (e.g. health-related assessments where legally permitted), we do so only where permitted by Article 9 and applicable law, and only as agreed with the relevant controller and documented in your customer agreement or record of processing.
6. Sources of personal data
We usually collect personal data directly from you (Article 13 GDPR). We may also receive it:
- from your employer or other organisation that uses Lykos (Article 14 GDPR — information may also be provided by that organisation);
- from integrations (e.g. HRIS/ATS) that your organisation connects;
- from referrals or shared links your organisation sends.
Where we did not obtain data from you, we work with the controller to ensure required transparency, unless an exemption applies.
7. Recipients, subprocessors, and sharing
We may share personal data with:
- Service providers who host, secure, email, or support the Service ( processors under Article 28 GDPR), under written agreements;
- Payment providers (see below), only as needed to process payments;
- Professional advisers (lawyers, auditors) where required;
- Authorities when required by law or to protect rights and safety.
We do not sell your personal data. We do not share your information for third-party marketing unrelated to Lykos except where you have opted in where required.
Subprocessors. You may request a current list of subprocessors (or a link to our published page) by contacting info@lykos.co.
8. International transfers
If we transfer personal data outside the European Economic Area or the UK, we use appropriate safeguards such as Standard Contractual Clauses (EU Commission or UK ICO versions), adequacy decisions, or other mechanisms permitted by law. You may request a summary of relevant safeguards by contacting info@lykos.co, or see your customer agreement.
9. Retention
We keep personal data only as long as necessary for the purposes above, including:
- marketing and contact enquiries — typically for the duration of the relationship and a limited period afterwards for follow-up and legal claims;
- Service accounts — for the life of the contract and as required by law;
- customer-controlled data — as set by the customer organisation or in our customer agreement, unless a longer period is required by law.
We delete or anonymise data when no longer needed, subject to backup and legal retention requirements.
10. Security
We use technical and organisational measures appropriate to the risk (access controls, encryption in transit where appropriate, vendor vetting). No method of transmission or storage is 100% secure.
11. Automated decision-making and profiling (GDPR Article 22)
Lykos does not carry out solely automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 GDPR. The Service is designed to support employers and teams with information and workflows; employment and hiring decisions remain with people (your organisation), not with a fully automated system that would trigger Article 22 rights. If our practices change, we will update this policy.
12. Your rights
Where GDPR / UK GDPR applies, you may have the right to:
- Access your personal data (Article 15);
- Rectification (Article 16);
- Erasure (“right to be forgotten”) (Article 17);
- Restriction of processing (Article 18);
- Data portability (Article 20);
- Object to processing based on legitimate interests or for direct marketing (Article 21);
- Withdraw consent where processing is based on consent, without affecting prior lawful processing;
- Lodge a complaint with a supervisory authority (in the EU/EEA, typically where you live or work; in Greece, the Hellenic Data Protection Authority — www.dpa.gr).
If your organisation is the controller of your work data, we may need to direct your request to them or process it jointly with them, as required by law.
To exercise rights, contact info@lykos.co. We will respond within the time limits set by law (e.g. one month under GDPR, subject to extension).
13. Cookies and similar technologies
Cookies are small files used as identifiers; we also use similar technologies (such as browser local storage) to remember your choices.
What the Site does (matches our cookie banner):
- Essential cookies — needed to run and secure the Site. These are always in scope when you use the Site.
- Optional analytics — cookies or scripts that help us understand how visitors use the marketing site and improve it. These are used only if you allow them by choosing Accept all in the cookie banner. If you choose Essential only, we do not enable that optional analytics layer.
How you control this: When you first visit (or after you reset), the Site shows a banner with Essential only and Accept all, and a link to this Privacy policy (same wording as the banner: essential cookies to run the site; optional analytics only with permission). Your choice is stored only in your browser using local storage (not on our servers), including a schema version and when you decided, so we do not ask on every page load. You can change your mind anytime via Cookie settings in the footer, which clears that preference and shows the banner again.
Blocking or clearing cookies or storage in your browser may limit how the Site works.
14. Log data
When you visit the Site, we collect information that your browser sends (“Log Data”). Log Data may include your computer’s Internet Protocol (“IP”) address, browser version, pages of the Service that you visit, the time and date of your visit, time spent on those pages, and other statistics.
15. Payment processing
We do not store full credit/debit card numbers for our own purposes. Payment details are handled by authorised payment providers under their terms and PCI-DSS practices. We may receive limited payment metadata (e.g. status, last four digits, transaction ID) to operate billing.
16. Links to other sites
The Service may contain links to other sites. If you follow a third-party link, you leave our Site; we do not operate those external sites. Review their privacy policies. We have no control over and assume no responsibility for the content, privacy policies, or practices of third-party sites or services.
17. Children’s privacy
Our Services are not directed at anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that someone under 18 has provided personal information, we will delete it. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
18. Changes to this privacy policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the effective date where indicated. Material changes may require additional notice (e.g. email or in-product notice) where required by law.
Effective date: 21 March 2026
19. Contact us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at info@lykos.co.
Related documents
- Terms & conditions: https://lykos.co/terms
The defined terms in this Privacy Policy align with our Terms & conditions unless defined differently here.