Privacy Policy

1. Introduction

MYG Media SRL, operating as Synthesis AI ("we," "our," or "us"), is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our AI-powered business automation platform and services.

By using Synthesis AI, including our Harv3y AI Operator service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, company name, and billing information when you create an account or subscribe to our services
• Business Data: Information you upload or input for AI processing, including business documents, workflows, and operational data
• Communication Data: Messages, feedback, and support requests you send to us
• Payment Information: Credit card details processed securely through our payment provider Stripe
• API Keys: Third-party API keys you provide (OpenAI, Anthropic, etc.) - stored encrypted in your browser only

2.2 Information Collected Automatically

• Usage Data: Features used, interactions with AI agents, and performance metrics
• Device Information: Browser type, operating system, IP address, and device identifiers
• Cookies and Tracking: Session cookies, preference cookies, and analytics data
• AI Interaction Logs: Queries, commands, and outputs from AI operations (anonymized)
• API Usage Metadata: Performance metrics and usage statistics (not content)

2.3 Information from Third Parties

• Integration Data: Information from connected business tools and platforms you authorize
• Authentication Providers: Profile information if you sign in using OAuth providers
• Analytics Services: Aggregated data about service usage and performance

3. API Key Processing (BYOK Model)

3.1 How We Handle API Keys

Your API keys are encrypted using AES-256 encryption and stored exclusively in your browser's local storage. We implement:

• Client-side encryption before storage
• Automatic deletion on logout
• Session-based access controls
• No server transmission of raw keys
• Secure key rotation capabilities

3.2 Data Flow with API Keys

When you use your API keys:

• Requests go directly from your browser to the AI provider
• Responses come directly back to your browser
• We may cache responses temporarily (max 24 hours) for performance
• Cached data is encrypted and tied to your session
• You can request immediate deletion of cached data

4. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery: To provide, maintain, and improve our AI automation services
• Personalization: To customize AI agents and workflows to your business needs
• Communication: To send service updates, security alerts, and support messages
• Billing and Payments: To process subscriptions and manage your account
• Security: To detect and prevent fraud, abuse, and unauthorized access
• Analytics: To understand usage patterns and improve our platform
• Legal Compliance: To comply with legal obligations and enforce our terms
• AI Training: To improve our AI models (only with anonymized, aggregated data)

5. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Contract (Article 6(1)(b)): To provide our services as outlined in our Terms of Service
• Legitimate Interests (Article 6(1)(f)): To improve our services, ensure security, and prevent fraud
• Consent (Article 6(1)(a)): For marketing communications, certain cookies, and API key storage
• Legal Obligations (Article 6(1)(c)): To comply with applicable laws and regulations

For API key processing, you provide explicit consent when connecting your keys, which you can withdraw at any time.

6. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share your data in these circumstances:

6.1 Service Providers

• Payment processors (Stripe) for billing operations
• Cloud infrastructure providers for data storage
• Analytics services for platform improvement
• Customer support tools for assistance

6.2 Legal Requirements

• To comply with legal obligations, court orders, or government requests
• To protect our rights, privacy, safety, or property
• To investigate and prevent fraudulent or illegal activities

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

6.4 Consent

With your explicit consent for purposes not covered in this policy.

7. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data transmitted between your device and our servers is encrypted using TLS 1.3
• Storage Security: Data at rest is encrypted using AES-256 encryption
• Access Controls: Strict authentication and authorization protocols
• Regular Audits: Security assessments and penetration testing
• Incident Response: 24/7 monitoring and rapid response procedures
• Data Isolation: Multi-tenant architecture with strong data separation
• Compliance: SOC 2 Type II, ISO 27001 standards (in progress)

8. Your Rights Under GDPR

Depending on your location, you have specific rights regarding your personal data:

8.1 Right to Access (Article 15)

• Request a copy of your personal data in a machine-readable format
• Access information about how we process your data

8.2 Right to Rectification and Erasure (Articles 16-17)

• Update or correct inaccurate personal information
• Request deletion of your data (subject to legal requirements)

8.3 Right to Restrict Processing and Object (Articles 18, 21)

• Opt-out of marketing communications
• Disable cookies through browser settings
• Withdraw consent for data processing
• Object to automated decision-making

8.4 Right to Data Portability (Article 20)

• Receive your data in a structured, commonly used format
• Transfer your data directly to another controller

8.5 Rights Related to Automated Decision-Making (Article 22)

• Right not to be subject to solely automated decisions
• Right to human intervention and to contest decisions

9. Data Subject Rights Dashboard

We provide a comprehensive dashboard for managing your data rights:

• Export All Data: Download all your personal data, API usage history, and generated content
• Delete All Data: Remove API keys, clear cache, delete history, and close account
• Access Rights: View all stored data, API call logs, and processing records
• Manage Consent: Update marketing preferences and data processing choices

10. International Data Transfers

Your data may be transferred to and processed in countries other than your residence. We ensure appropriate safeguards:

• EU-US Data Privacy Framework: Compliance for US data transfers
• Standard Contractual Clauses: For transfers outside the EEA
• Adequacy Decisions: Transfers to countries with adequate protection levels
• Binding Corporate Rules: Internal data protection policies

11. Data Retention

We retain your data only as long as necessary:

• Active Accounts: Data retained while your account is active
• Legal Requirements: As required by law (typically 7 years for financial records)
• Dispute Resolution: Until resolution of any claims or disputes
• Backup Systems: Deleted data may persist in backups for up to 90 days
• Anonymized Data: May be retained indefinitely for analytics

12. Cookies and Storage Consent

We use local storage for API keys only with your explicit consent:

• You will be prompted before any API key storage
• Storage is browser-only (no server storage)
• You can revoke consent and delete keys anytime
• Essential cookies for authentication are separate

13. Children's Privacy

Synthesis AI is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected data from a child, we will promptly delete it.

14. Data Breach Notification

In the event of a data breach, we will:

• Notify affected users within 72 hours of discovery
• Report to relevant supervisory authorities (ANSPDCP for Romania)
• Provide detailed information about the breach and its impact
• Offer guidance on protective measures you can take
• Document all breaches in our internal register

15. Regional Privacy Rights

15.1 European Union (GDPR)

• Right to be informed about data processing
• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making

15.2 California (CCPA/CPRA)

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell data)
• Right to non-discrimination for exercising privacy rights
• Right to correct inaccurate personal information
• Right to limit use of sensitive personal information

15.3 Other Jurisdictions

If you reside in other jurisdictions with privacy laws, you may have additional rights. Contact us to exercise your rights under applicable law.

16. API Provider Relationships

When using your own API keys:

• You are the data controller for data sent to AI providers
• We are the data processor facilitating the connection
• AI providers (OpenAI, Anthropic) are separate data controllers
• You must review and accept each provider's privacy policy
• We are not liable for AI provider data practices

17. AI-Specific Considerations

17.1 AI Processing

• Your business data is processed by AI models to provide automation services
• AI outputs are generated based on your inputs and configurations
• We do not use your specific data to train general AI models
• AI decisions can be reviewed and overridden by you

17.2 AI Data Isolation

• Each customer's AI instance is isolated from others
• Your business logic and data remain confidential
• Cross-customer data sharing is prohibited

17.3 AI Transparency

• You can request explanations for AI decisions affecting your business
• AI limitations and capabilities are clearly documented
• Human oversight options are available for critical operations

18. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

18.1 Essential Cookies

• Session management and authentication
• Security features and fraud prevention
• Load balancing and performance optimization

18.2 Functional Cookies

• User preferences and settings
• Language and region selection
• Feature customization

18.3 Analytics Cookies

• Usage patterns and feature adoption
• Performance metrics and error tracking
• A/B testing and service improvement

19. Third-Party Links

Our service may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any personal information.

20. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes through:

• Email notification to your registered address
• In-app notifications
• Prominent notice on our website

Continued use of our services after changes constitutes acceptance of the updated policy.

21. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with privacy laws. You can contact our DPO for any privacy-related concerns.

22. Supervisory Authority

For EU residents, you have the right to lodge a complaint with your local supervisory authority:

• Romania: National Supervisory Authority for Personal Data Processing (ANSPDCP)
• Website: www.dataprotection.ro
• Email: anspdcp@dataprotection.ro

You may also contact the supervisory authority in your country of residence.

If you are located in the European Economic Area and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.