Privacy Policy

How we collect, use, and protect personal information when you use our service.

Prepared for SyntaxKit Inc.

This Privacy Policy describes how SyntaxKit Inc. ("we", "us", or "our") collects, uses, discloses, and safeguards your personal information when you visit our website, create an account, or otherwise interact with the services we provide (the "Service"). We respect your privacy and are committed to handling your data transparently and in accordance with applicable data-protection laws, including the EU and UK General Data Protection Regulations (the "GDPR") and the California Consumer Privacy Act as amended ("CCPA/CPRA").

If you do not agree with this Privacy Policy, please do not use the Service. Capitalized terms not defined here have the meanings given in our Terms of Service.

1. Who we are

The data controller responsible for your personal information is SyntaxKit Inc., with its registered office at 1 Example Way, San Francisco, CA 94110, United States. You can reach us at legal@syntaxkit.com for any privacy-related question, request, or complaint. If you are located in the European Economic Area or the United Kingdom and we are required to designate a representative under Article 27 GDPR, our representative is Example EU Representative GmbH, Friedrichstraße 100, 10117 Berlin, Germany.

If you have appointed us as a data processor under a separate Data Processing Agreement, the terms of that DPA govern our processing of personal information you upload through the Service. This Policy describes our processing as a controller for our website, marketing, account management, and billing operations.

2. Information we collect

We collect information you provide to us, information generated automatically when you use the Service, and information we receive from third parties.

2.1 Information you provide

  • Account information. When you create an account we collect your name, email address, hashed password, profile image (optional), and the organization or workspace you belong to. If you sign in with a third-party identity provider (for example, Google or GitHub) we receive the basic profile information you authorize that provider to share.
  • Billing information. Subscription and payment details are processed by our payment processor, Stripe. We do not store full card numbers; we receive a customer identifier, plan, billing status, last four digits of the card, billing country, and tax-status indicators.
  • Communications. When you contact us through the contact form, by email, or through a support channel we retain the messages you send and our responses, together with any attachments you choose to share.
  • Content you create. Documents, files, chat messages (including AI-assistant conversations), uploads, and any other content you submit through the Service are processed and stored on your behalf.

2.2 Information collected automatically

  • Usage and product analytics. We collect anonymized or pseudonymized event data describing how you interact with the Service, such as page views, feature usage, button clicks, and the timing and duration of sessions. This data is collected through PostHog.
  • Device and log data. Server and application logs include your IP address, user-agent string, the pages or endpoints you accessed, request and response sizes, error codes, and timestamps. These logs are used for security, abuse prevention, and operational troubleshooting.
  • Cookies and similar technologies. We use first-party cookies and similar storage to keep you signed in, remember preferences (such as theme and locale), and protect the Service against abuse. See Section 7.

2.3 Information from third parties

  • Identity providers (Google, GitHub, and other OAuth providers you choose) share basic profile information with us when you sign in.
  • Payment processor (Stripe) shares subscription, invoice, and payment-status events with us through its webhook system.
  • Abuse-prevention provider (Cloudflare Turnstile) shares the result of bot challenges with us so we can protect sign-up, sign-in, and other sensitive endpoints.

3. How we use information

We use personal information for the following purposes:

  • To provide and operate the Service, including authenticating you, enabling collaboration in your organization, processing your subscription, and delivering features you request.
  • To communicate with you about your account, security events, billing changes, product updates, and to respond to support requests.
  • To improve the Service by analyzing aggregated usage patterns, diagnosing crashes and errors, A/B-testing changes, and informing our roadmap.
  • To protect the Service against fraud, abuse, and unauthorized access, including by applying rate limits, captchas, and anomaly-detection.
  • To comply with legal obligations, including tax, accounting, anti-money-laundering, sanctions, and lawful requests from authorities.
  • To send marketing messages about features and offers, where you have consented or where we have a legitimate interest and you have not objected. You can opt out at any time using the unsubscribe link in any marketing email.

If the GDPR or UK GDPR applies to our processing of your personal information, we rely on the following legal bases:

  • Performance of a contract (Article 6(1)(b)) for processing necessary to create your account, deliver the Service, and fulfill your subscription.
  • Legitimate interests (Article 6(1)(f)) for product analytics, security, abuse prevention, basic marketing of similar services, and improving the Service. We weigh those interests against your rights and freedoms and apply safeguards such as pseudonymization and access controls.
  • Compliance with legal obligations (Article 6(1)(c)) for tax records, regulator requests, and our legal accounting duties.
  • Consent (Article 6(1)(a)) where required, for example for non-essential cookies or marketing communications in jurisdictions that require opt-in consent. You can withdraw consent at any time.

5. Sharing and subprocessors

We do not sell your personal information. We share personal information only as necessary to provide the Service, with the categories of recipients described below. Each recipient acts under written agreements that require appropriate confidentiality and security obligations.

  • Stripe — payment processing, subscription management, invoice generation, and tax calculation. Receives billing details, customer identifier, and amounts.
  • PostHog — product analytics, error tracking, and session-level usage insight. Receives pseudonymous event data, IP address truncated where supported, and feature-flag exposures.
  • Plunk — transactional and marketing email delivery. Receives recipient email address, subject, and message body.
  • Cloudflare Turnstile — bot-protection challenges on sign-up, sign-in, and contact forms. Receives challenge tokens, IP address, and a coarse user-agent.
  • Object storage provider (S3-compatible). Stores avatars, organization logos, file uploads, and chat attachments. Receives object data and metadata you choose to upload.
  • AI provider gateway (model providers configured for chat or content features). Receives prompts and conversation history necessary to generate a response. We do not authorize providers to use your prompts to train their models.
  • Identity providers (Google, GitHub, and any other OAuth providers you enable). Receive only the metadata necessary to authenticate the sign-in attempt.
  • Hosting and infrastructure providers that operate the servers on which the Service runs.
  • Professional advisors (lawyers, auditors, accountants, insurers) under confidentiality obligations.
  • Authorities and legal successors where required by law, in response to valid legal process, or in connection with a corporate transaction such as a merger or acquisition.

A current list of subprocessors is available on request to legal@syntaxkit.com.

6. International transfers

We are based in Delaware, United States. Some of our subprocessors are located in other countries, including the United States. When we transfer personal information out of the EEA, the United Kingdom, or Switzerland, we rely on the appropriate transfer mechanisms, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions where they apply, and additional safeguards such as encryption in transit and at rest.

7. Cookies and similar technologies

We use a small number of cookies and similar storage technologies in the categories below. We do not use cookies for cross-site advertising.

  • Strictly necessary, including authentication cookies, session cookies, CSRF tokens, and preferences such as locale and theme. These cookies are essential and cannot be disabled.
  • Analytics, used by PostHog to understand how the Service is used. Where required by law we ask for your consent before setting analytics cookies; in other regions you may opt out using the controls described in Section 9.
  • Security, including bot-protection challenges from Cloudflare Turnstile.

You can clear cookies through your browser settings; doing so may sign you out and require you to reconfigure your preferences.

8. Data retention

We keep personal information only as long as necessary for the purposes described in this Policy or as required by law. Specifically:

  • Account data is retained for the lifetime of your account. After you delete your account or your organization deletes your seat, we delete or anonymize associated personal data within 90 days, except where we must retain records to meet legal obligations.
  • Billing records are retained for the period required by tax and accounting law in our jurisdiction (typically seven to ten years).
  • Server logs are retained for up to 30 days for operational purposes, with security-relevant entries retained for up to 12 months.
  • Product analytics events are retained according to PostHog's project-level retention setting, by default 12 months.
  • Email communications are retained for as long as needed to handle the conversation and for up to 24 months thereafter for support quality and legal hold purposes.

9. Your rights

Depending on where you live, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete information.
  • Erasure: ask us to delete your personal information.
  • Restriction: ask us to limit how we use your personal information.
  • Portability: receive a copy of certain information in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests, including direct marketing.
  • Withdrawal of consent: withdraw any consent you previously gave us, without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint with your local supervisory authority. In the EEA, you can find your authority at edpb.europa.eu; in the UK, the Information Commissioner's Office at ico.org.uk.

If the CCPA/CPRA applies, you may also have the right to know what categories of personal information we collect, the right to delete, the right to correct, the right to opt out of any "sale" or "sharing" (we do not sell or share for cross-context behavioral advertising), and the right not to be discriminated against for exercising your rights.

To exercise any of these rights, contact us at legal@syntaxkit.com from the email address associated with your account. We may need to verify your identity before responding, typically by confirming control of the email address on file. We respond within the timelines required by applicable law (no later than 30 days under the GDPR or 45 days under the CCPA/CPRA, with permitted extensions).

10. Security

We use a defense-in-depth approach to protect your personal information, including encryption in transit (TLS), encryption at rest where supported, hashed passwords, scoped least-privilege access for our team, abuse and rate-limiting controls, mandatory two-factor authentication for sensitive operator accounts, regular dependency updates, and monitoring of authentication and billing events. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at legal@syntaxkit.com.

11. Children's privacy

The Service is not directed to children. We do not knowingly collect personal information from children under the age of 16 (or the lower minimum age permitted in your jurisdiction). If you believe a child has provided personal information to us, please contact us and we will delete it promptly.

12. Automated decision-making and AI features

The Service may include AI-assistant features. Output from these features is generated by language models and should be reviewed before being relied upon for any consequential purpose. We do not make legally significant or similarly significant decisions about you solely on the basis of automated processing. Where AI features process personal data, we apply the safeguards described in this Policy.

13. Do Not Track and Global Privacy Control

Some browsers transmit a "Do Not Track" signal or implement the Global Privacy Control. Where required by law, we honor recognized opt-out signals (including GPC) for analytics and similar processing. We do not sell or share personal information for cross-context behavioral advertising.

14. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent version. If a change is material we will notify you by email or in the Service before it takes effect. Continued use of the Service after the effective date of an update indicates your acceptance of the updated Policy.

15. How to contact us

For any privacy-related question, request, or complaint, reach us at:

If you have appointed a Data Protection Officer, you can also reach them at dpo@syntaxkit.com.