Privacy Policy

1. Who we are

AISynvex is a multi-AI chat platform operated as a sole trader trading as AISynvex. For the purposes of UK GDPR and the Data Protection Act 2018, AISynvex is the data controller for the personal data described in this policy.

You can reach us at privacy@aisynvex.com for any privacy question, data subject access request, or complaint about how we handle your data.

2. What data we collect

We collect four broad categories of data:

Account data

• Email address (required to sign in and receive transactional email)
• Password (stored as a one-way hash; we never see the plaintext)
• Display name and avatar image, if you set them
• The tier you’re on (Free or Plus) and your daily credit balance

Billing data

• Subscription history and top-up purchases (mirrored from Stripe so we can show your billing settings without a network round-trip)
• Stripe customer ID and payment intent IDs (we never see your card number — Stripe handles that directly)

Chat content

• The messages you send and the responses you receive
• Files and images you attach to conversations
• Per-message metadata (token counts, timing, error codes)
• For Advanced Thinking turns: the multi-round deliberation transcript (drafts, critiques, responses, verdict)

Technical and usage data

• IP address (used for rate limiting and bot protection at signup)
• Per-API-call telemetry: which model ran, how many tokens, whether the call succeeded
• Browser type and operating system (collected by error monitoring)
• Cookies and similar storage — see section 9

3. Why we collect it (lawful basis)

Under UK GDPR Article 6, every category of data has a clear lawful basis:

• Account, billing, and chat data — Article 6(1)(b), performance of a contract. Without it, we cannot provide the service you asked for.
• Technical and usage data — Article 6(1)(f), legitimate interest. We need it to keep the service stable, prevent abuse, debug errors, and understand which features are used.
• Analytics cookies — Article 6(1)(a), consent. We only set them after you accept analytics in the cookie banner.
• Tax and accounting records — Article 6(1)(c), legal obligation. We’re required to keep certain financial records for HMRC purposes; Stripe holds these on our behalf.

4. Who we share data with (sub-processors)

We use third-party services to operate AISynvex. Each one only receives the data it needs to do its job. We’ve signed a Data Processing Agreement with each.

What goes where

When you send a chat message, the message content goes to whichever AI provider you picked (Anthropic, OpenAI, or Google). For every chat message regardless of provider, the message is also sent to OpenAI’s moderation API to check for policy-violating content. Files and images you attach travel with the message.

None of the AI providers use your chat content to train their models when accessed through their commercial APIs. They retain prompts and responses for short windows (typically 30 days) for abuse monitoring; flagged content may be reviewed for trust-and-safety purposes. We’ve verified this against each provider’s API terms.

5. International transfers

Some of our sub-processors are based outside the UK and EEA. Where that’s the case, transfers happen under:

• Standard Contractual Clauses (SCCs) and the UK Addendum, signed via each provider’s Data Processing Agreement
• Adequacy decisions for transfers to providers in jurisdictions the UK government has formally recognised

We always pick EU regions when a sub-processor offers them — Supabase, Upstash, Sentry, and PostHog are all configured to keep your data in the EU.

6. How long we keep your data

Our retention principle: keep what we need for as long as we need it, then delete or anonymise.

• Your account, conversations, and files — kept until you delete your account. We don’t purge old conversations on a timer; users tell us their threads are a knowledge base they want to keep.
• Per-API-call telemetry and credit ledger — 18 months from the event date. After that, the link to your account is severed (anonymised) but aggregate stats are kept for billing accuracy and margin analysis.
• Stripe webhook idempotency records — 6 months.
• Internal alert idempotency records — 3 months.
• Rate-limit counters — auto-expire at the end of their window (1 minute to 1 hour depending on the bucket).
• Error monitoring (Sentry) and analytics (PostHog) — per the provider’s plan defaults; we don’t override longer.
• Stripe payment records — held by Stripe per UK financial-record retention requirements (typically 7 years for VAT-relevant invoices). These are retained by Stripe even if you delete your account.

7. Your rights

UK GDPR gives you the following rights over your personal data:

• Access — get a copy of the data we hold about you
• Rectification — correct anything that’s wrong
• Erasure (Article 17, “right to be forgotten”) — request that we delete your account and data
• Portability (Article 20) — receive your data in a machine-readable format
• Restriction — pause our processing while a dispute is resolved
• Objection — object to processing based on legitimate interest (this includes opting out of certain analytics)
• Lodge a complaint with the ICO if you think we handled your data wrongly: ico.org.uk/make-a-complaint

How to exercise these rights

Three of these rights are wired into the product directly:

• Access + portability — visit /settings and click Download my data. You’ll get a JSON file with everything we hold tied to your account.
• Erasure — visit /settings and click Delete account. We schedule the deletion for 30 days from now — that grace window lets you change your mind. During the window you can sign back in and click Cancel deletion. After 30 days, your account, conversations, files, and active subscription are permanently removed.
• Rectification — display name + avatar are editable from /settings. Email changes go through the standard sign-out / sign-in flow on a new email.

For everything else — restriction, objection, or anything that doesn’t fit a button — email privacy@aisynvex.com. We respond within 30 calendar days, the statutory maximum under UK GDPR.

8. How we keep your data safe

• All data is encrypted in transit (HTTPS) and at rest (Supabase, Stripe, etc.)
• Passwords are hashed using industry-standard algorithms — we never see the plaintext
• Errors are scrubbed of personally identifiable information before they reach our error monitoring service
• Rate limits + bot protection guard signup, password reset, and chat sends against abuse
• Service accounts use principle-of-least-privilege scopes; the service-role key for the database is only used by trusted server-side code paths

9. Cookies and similar technology

We use a small number of cookies. The cookie banner on first load lets you accept or reject the optional ones; the strictly-necessary ones are always set because the service couldn’t function without them. We don’t use third-party advertising cookies.

For the full list — what each cookie does, who sets it, and how long it lasts — see our dedicated Cookies page.

You can change your cookie preferences at any time by clearing your browser’s storage for aisynvex.com — the banner reappears on next visit.

10. Children

AISynvex is not intended for use by children under 16. If you believe a child has signed up, email privacy@aisynvex.com and we will delete the account.

11. Changes to this policy

If we make a material change to this policy, we’ll update the “Last updated” date at the top, and where the change materially affects how we use your data, we’ll notify you in-product or by email. Minor edits (typos, link fixes, clarifications that don’t change the substance) won’t trigger a notification.

12. Contact

Privacy questions, data subject access requests, or complaints: privacy@aisynvex.com.