Privacy Policy
Last updated: January 27, 2025
GDPR Compliance
ContextSynth is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This policy explains your rights and how we handle your data.
1. Data Controller
ContextSynth is the data controller for the personal data processed through our Service. For data protection inquiries, contact: privacy@contextsynth.com
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address - for authentication and account communications
- Account credentials - passwordless authentication codes (stored temporarily)
- Tenant ID - unique identifier linking your account to your API usage
2.2 Customer Data (Your Users' Data)
Data you submit via the API about your customers:
- Customer identifiers - IDs you provide to identify your users
- Customer data - any unstructured data you send (events, attributes, etc.)
- Synthesized profiles - AI-generated summaries of customer data
Important: All customer data is encrypted at rest using AES-256-GCM. We apply PII redaction before sending data to AI models. We do NOT use your customer data to train AI models.
2.3 Usage Data
We automatically collect:
- API request counts (for billing and quota enforcement)
- Request timestamps and latency metrics
- Error logs (without customer data content)
- IP addresses (for security and fraud prevention)
3. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Contract Performance: Processing necessary to provide the Service
- Legitimate Interest: Fraud prevention, security, and service improvement
- Legal Obligation: Compliance with applicable laws
- Consent: Where required, we obtain explicit consent
4. How We Use Your Information
- Provide, maintain, and improve the Service
- Process API requests and synthesize customer profiles
- Send account-related communications (authentication codes, billing, etc.)
- Enforce usage limits and prevent fraud
- Comply with legal obligations
- Generate anonymized analytics (we never sell your data)
5. Data Sharing and Third Parties
5.1 AI Service Provider
We use OpenAI/Azure OpenAI to synthesize customer profiles. Before sending data to the AI:
- We redact personally identifiable information (PII)
- We use zero data retention agreements
- Data is NOT used for AI model training
5.2 Infrastructure Providers
We use trusted service providers:
- Render.com - hosting and database (EU/US regions available)
- Resend - transactional email delivery
All providers are contractually obligated to protect your data.
5.3 We Do NOT:
- Sell your data to third parties
- Share data with advertisers
- Use your data for purposes other than providing the Service
6. Data Security
We implement comprehensive security measures:
- Encryption at Rest: AES-256-GCM for all customer data
- Encryption in Transit: TLS 1.3 for all API communications
- Key Management: Tenant-specific DEKs wrapped by a master KEK
- Access Controls: Role-based access with audit logging
- PII Redaction: Automatic redaction before AI processing
- Rate Limiting: Protection against abuse
For technical details, see our Security page.
7. Your Rights (GDPR)
Under GDPR, you have the following rights:
Right to Access
Request a copy of your personal data we hold.
Contact: privacy@contextsynth.com
Right to Rectification
Correct inaccurate personal data.
Available in your account settings
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data.
Contact: privacy@contextsynth.com - We will delete within 30 days
Right to Data Portability
Receive your data in a machine-readable format.
Available via API or contact privacy@contextsynth.com
Right to Object
Object to processing of your personal data.
Contact: privacy@contextsynth.com
Right to Restriction
Request restriction of processing.
Contact: privacy@contextsynth.com
To exercise any of these rights, contact us at privacy@contextsynth.com. We will respond within 30 days.
8. Data Retention
We retain data for the following periods:
- Account data: Duration of active account + 90 days after deletion
- Customer data: Until you delete it via API or account deletion
- Authentication codes: 10 minutes (then automatically deleted)
- Audit logs: 90 days for security purposes
- Billing records: 7 years (legal requirement)
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. We ensure adequate protection through:
- EU data centers available (Frankfurt region)
- Standard Contractual Clauses for non-EU transfers
- Encryption in transit and at rest
10. Cookies and Tracking
We use minimal cookies:
- Session cookie: Required for authentication (httpOnly, secure)
- No tracking cookies: We do not use analytics or advertising cookies
11. Children's Privacy
The Service is not intended for individuals under 18. We do not knowingly collect data from children. If we learn we have collected data from a child, we will delete it promptly.
12. Data Breach Notification
In the event of a data breach affecting your personal data, we will:
- Notify you within 72 hours of discovery
- Notify relevant supervisory authorities as required by GDPR
- Provide details of the breach and mitigation steps
13. Changes to This Policy
We may update this Privacy Policy. We will notify you of material changes via email and update the "Last updated" date. Continued use after changes constitutes acceptance.
14. Supervisory Authority
If you are in the EU, you have the right to lodge a complaint with your local data protection authority if you believe we have violated GDPR.
15. Contact Us
For privacy questions or to exercise your rights:
Email: privacy@contextsynth.com