Privacy Policy
Last updated: January 5, 2026
SYNTHESIS, operated by OrzattyStudios ("SYNTHESIS," "we," "our," or "us"), is committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your personal information. This Privacy Policy describes our practices regarding data collected through our AI-powered coding platform at synthesisai.pages.dev and related services.
Key Commitment: We do not sell your personal data. We do not use your code or projects to train AI models. Your intellectual property remains yours.
1. Information We Collect
1.1 Information You Provide Directly
When you create an account or use our services, we collect:
- Account Information: Email address, username, password (encrypted), and optional profile information such as display name and avatar
- Payment Information: Billing name, billing address, and payment method details. Payment card information is processed and stored by our PCI-compliant payment processor (Stripe) and is never stored on our servers
- Project Data: Source code, configuration files, documentation, and other content you create, upload, or generate using our AI coding agents
- Communications: Support requests, feedback, survey responses, and any other correspondence you send to us
- Integration Credentials: OAuth tokens and API keys for connected services (GitHub, deployment platforms) stored encrypted
1.2 Information Collected Automatically
When you access our platform, we automatically collect:
- Usage Data: Features accessed, AI agent interactions, code generation requests, project activities, and session duration
- Device Information: Browser type and version, operating system, screen resolution, and device identifiers
- Log Data: IP address, access timestamps, referring/exit URLs, and pages viewed
- Performance Data: Page load times, errors encountered, and platform performance metrics
1.3 Information from Third Parties
We may receive information from:
- OAuth Providers: Basic profile information when you sign in with GitHub or Google
- Payment Processors: Transaction status and billing confirmations from Stripe
- Analytics Partners: Aggregated usage statistics and performance data
2. How We Use Your Information
2.1 Service Provision
- Operate and maintain the SYNTHESIS platform and AI coding agents
- Process your code generation requests and execute AI-powered development tasks
- Authenticate your identity and manage your account
- Process payments and manage subscriptions
- Provide customer support and respond to inquiries
2.2 Service Improvement
- Analyze platform usage patterns to improve functionality and user experience
- Identify and fix technical issues and bugs
- Develop new features and capabilities
- Conduct internal research and analytics
2.3 Communication
- Send service-related notifications (account verification, security alerts, billing)
- Provide product updates and feature announcements (with opt-out option)
- Respond to your support requests and feedback
2.4 Security and Anti-Abuse Protection
- Detect, prevent, and address fraud, abuse, and security threats
- Monitor for violations of our Terms of Service (including multi-account abuse)
- Enforce Banning Policies: We process and log IP addresses, session metadata, and request patterns to identify and block actors violating our security protocols.
- DDoS Detection: High-frequency requests (100+ req/10s) trigger immediate network-level blocking.
- Payload Analysis: We inspect requests for malicious code; critical payloads (>5 patterns) result in permanent IP blacklisting.
- QuantumShield: These security logs are encrypted using post-quantum resistant algorithms for maximum integrity.
- Comply with legal obligations and respond to lawful requests
3. AI Processing and Your Code
Your Code Privacy: SYNTHESIS does NOT use your code, projects, or prompts to train our AI models. Your intellectual property remains private and is only processed to deliver services directly to you.
3.1 How AI Processes Your Data
When you use SYNTHESIS AI agents:
- Your prompts and code context are sent to AI models (Google Gemini, OpenAI) for real-time processing
- AI-generated code and responses are returned directly to you
- Processing occurs in ephemeral sessions and is not retained for training purposes
- Your project files are only accessed when you explicitly invoke AI assistance
3.2 Third-Party AI Services
We use the following AI service providers:
- Google (Gemini API): Subject to Google's AI terms; data not used for model training per our enterprise agreement
- OpenAI: API usage with data retention disabled; prompts are not used for training
These providers process data according to their privacy policies but are contractually bound not to use your data for model training.
4. Data Sharing and Disclosure
We do not sell your personal information. We share data only in the following circumstances:
4.1 Service Providers
We engage trusted third parties to perform services on our behalf:
- Infrastructure: Cloudflare (hosting, CDN), Supabase (database, authentication)
- Payments: Stripe (payment processing)
- Analytics: Plausible Analytics (privacy-focused analytics)
- Email: Resend (transactional emails)
These providers are contractually obligated to protect your data and may only use it to provide services to us.
4.2 Legal Requirements
We may disclose information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to:
- Comply with applicable laws or legal processes
- Protect the rights, property, or safety of SYNTHESIS, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
4.3 Business Transfers
If SYNTHESIS is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
4.4 With Your Consent
We may share information with third parties when you explicitly authorize us to do so.
5. Data Security
We implement comprehensive security measures to protect your data:
5.1 Technical Safeguards
- Encryption in Transit: All data transmitted between your browser and our servers uses TLS 1.3 encryption
- Encryption at Rest: Stored data is encrypted using AES-256 encryption
- Password Security: Passwords are hashed using bcrypt with appropriate cost factors
- Token Security: API keys and OAuth tokens are encrypted before storage
5.2 Infrastructure Security
- Hosted on enterprise-grade infrastructure with SOC 2 compliance
- Regular security audits and vulnerability assessments
- Automated threat detection and DDoS protection via Cloudflare
- Strict access controls and principle of least privilege
5.3 Operational Security
- Regular security training for all team members
- Incident response procedures and breach notification protocols
- Regular backup procedures with encrypted off-site storage
6. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request limitation of processing of your personal data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with your local data protection authority
Legal Basis for Processing: We process your data based on:
- Contract Performance: To provide our services to you
- Legitimate Interests: For security, fraud prevention, and service improvement
- Consent: For optional analytics and marketing communications
- Legal Obligation: To comply with applicable laws
To exercise your GDPR rights, contact us at orzattystudios@gmail.com or use the data management tools in your account settings under Dashboard > Settings > Privacy.
7. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, our business purposes, and categories of third parties with whom we share data
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information we maintain about you
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (note: we do not sell personal information)
- Right to Limit Use: Limit use and disclosure of sensitive personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
Categories of Personal Information Collected:
- Identifiers (email address, username, IP address, device identifiers)
- Commercial information (subscription history, billing records, transaction data)
- Internet or network activity (usage data, platform interactions, browsing history on our site)
- Professional information (project data, code files, development content)
- Inferences drawn from collected information (usage patterns, preferences)
No Sale of Personal Information: SYNTHESIS does not sell personal information to third parties, nor do we share personal information for cross-context behavioral advertising purposes.
To submit a CCPA/CPRA request, email orzattystudios@gmail.com with the subject "California Privacy Request." We will verify your identity before processing your request and respond within 45 days as required by law.
8. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
- Account Data: Retained while your account is active. Deleted within 30 days of account closure request.
- Project Files and Code: Retained while your account is active. Permanently deleted within 30 days of account deletion request.
- Usage Logs: Retained for 90 days for security, debugging, and abuse prevention purposes.
- Billing Records: Retained for 7 years as required by tax and accounting regulations.
- Support Communications: Retained for 2 years after last interaction for quality assurance and dispute resolution.
- Aggregated Analytics: May be retained indefinitely in anonymized, non-identifiable form.
Upon request for data deletion, we will remove your personal data from active systems within 30 days. Some data may be retained in encrypted backups for up to 90 days before complete removal.
9. International Data Transfers
SYNTHESIS is operated from the United States. If you access our services from outside the US, your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers from the EEA, UK, or Switzerland, we implement the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all service providers handling personal data
- Supplementary technical and organizational measures where necessary
- Assessment of third-country data protection laws when required
10. Children's Privacy
SYNTHESIS is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at orzattystudios@gmail.com. If we discover that we have collected personal information from a child under 16, we will delete it promptly.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our platform, remember your preferences, and analyze usage patterns. For detailed information about the cookies we use, their purposes, duration, and how to manage them, please see our Cookie Policy.
12. Third-Party Links and Integrations
Our platform may contain links to third-party websites and integrates with external services (such as GitHub, Cloudflare, and deployment platforms). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify you via email or prominent notice on our platform at least 30 days before changes take effect
- For significant changes affecting your rights, we may require your acknowledgment before continued use
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: orzattystudios@gmail.com
- Privacy Inquiries: orzattystudios@gmail.com (Subject: "Privacy Inquiry")
- Data Subject Requests: orzattystudios@gmail.com (Subject: "Data Subject Request")
- Company: SYNTHESIS by OrzattyStudios
- Website: synthesisai.pages.dev
We aim to respond to all privacy-related inquiries within 30 days. For GDPR and CCPA requests, we will respond within the timeframes required by applicable law.