# Privacy Policy **Version 2.1** **Last Updated: April 26, 2026** ## Introduction Welcome to SynthBoard AI ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered collaborative platform. **Business Information:** - Service: SynthBoard AI - Contact: privacy@synthboard.ai --- ## 1. Information We Collect ### 1.1 Information You Provide **Account Information:** - Name and email address - Authentication credentials (encrypted) - Profile information (avatar, preferences) - Payment information (processed securely via third-party providers) **Usage Data:** - AI session transcripts and interactions - Agent configurations and custom prompts - Collaboration settings and team data - Referral and credit transaction history **Communications:** - Support requests and feedback - Email preferences and notification settings ### 1.2 Automatically Collected Information **Technical Data:** - IP address and geographic location - Browser type and version - Device information and operating system - Session duration and navigation patterns - Cookies and similar tracking technologies **Performance Analytics:** - Feature usage statistics - API usage and cost metrics - Error logs and diagnostic data --- ## 2. How We Use Your Information We use your information for the following purposes: ### 2.1 Service Delivery - Provide and maintain our AI collaboration platform - Process AI requests and generate responses - Manage your account and authentication - Process payments and credit transactions - Enable collaboration features and session sharing ### 2.2 Service Improvement - Analyze usage patterns to enhance features - Develop new AI capabilities and integrations - Optimize performance and cost efficiency - Conduct research and analytics ### 2.3 Communication - Send transactional emails (session updates, receipts) - Provide customer support - Send marketing communications (with your consent) - Notify you of policy updates or service changes ### 2.4 Security & Compliance - Detect and prevent fraud or abuse - Enforce our Terms of Service - Comply with legal obligations - Protect user safety and platform integrity --- ## 3. AI Data Processing ### 3.1 AI Provider Integration SynthBoard AI integrates with third-party AI providers (Anthropic Claude, OpenAI, Google Gemini, Perplexity). When you use our service: - Your prompts and session data are sent to these providers - Providers process data according to their own privacy policies - We do not sell your AI conversation data - You can delete your session history at any time **Provider Privacy Policies:** - Anthropic: [anthropic.com/privacy](https://www.anthropic.com/privacy) - OpenAI: [openai.com/privacy](https://openai.com/privacy) - Google: [ai.google/privacy](https://ai.google/responsibility/privacy/) - Perplexity: [perplexity.ai/privacy](https://www.perplexity.ai/privacy) ### 3.2 Data Retention - **Active Sessions:** Stored until you delete them - **Deleted Sessions:** Permanently removed within 30 days - **Account Data:** Retained while your account is active - **Backups:** Maintained for 90 days for disaster recovery ### 3.3 API & MCP Server Access SynthBoard exposes a Model Context Protocol (MCP) server and a REST API that let you — or applications you authorize — run SynthBoard sessions programmatically from clients such as Claude Desktop, Cursor, Windsurf, Zed, ChatGPT, and workflow platforms (Zapier, Make, n8n, Pipedream, Activepieces). **Authentication methods.** We support two authentication schemes: - **Bearer API keys** (prefix `sb_live_` for production, `sb_test_` for sandbox) — generated by you in Settings → API Keys. Each key is hashed with argon2id before storage; only the prefix and last four characters are retained for display. - **OAuth 2.1** with PKCE, RFC 8707 audience binding, RFC 9728 protected-resource metadata, RFC 7591 dynamic client registration, and rotating refresh tokens — used by hosted clients (Claude.ai web, ChatGPT web) that authenticate on your behalf. **Data flow.** When you invoke a SynthBoard session through MCP or the REST API, the same data is sent to the same AI providers listed in §3.1. The session runs through the same engine, is stored in the same database, and is visible in your web UI. The transport (web browser vs MCP client vs REST adapter) does not change what data we collect or where it is sent. **Per-call audit log.** Every API key and OAuth client call is written to an audit log with: tool name, redacted parameters (PII scrubbed), status, HTTP code, correlation ID, duration, and the IP address of the calling client. This log is retained for 90 days and is visible to you in Developers → Usage. **Scopes.** API keys and OAuth grants are scoped to the minimum capability needed: `session:read`, `session:write`, `synth:chat`, `assistant:use`, `integrations:read`, `integrations:write`. A read-only key cannot mutate session state. **IP allowlists and daily caps.** For each key you may configure an IP allowlist and a daily credit cap. Calls outside the allowlist or beyond the cap are rejected before any processing. **Outbound webhooks.** If you register a webhook URL on an API key, SynthBoard posts HMAC-SHA256-signed event payloads (session complete, failed, cancelled, outcomes ready) to your URL. The signing secret is yours; we do not share it. **Revocation.** You can rotate or revoke any API key at any time in Settings → API Keys. OAuth grants can be revoked in Settings → Authorized Apps. Revocation is effective within seconds and invalidates all outstanding tokens for that key or grant. ### 3.4 Third-Party Clients (MCP Directories) SynthBoard is distributed through the Anthropic Claude Connectors Directory, the Official MCP Registry (registry.modelcontextprotocol.io), the GitHub MCP Registry, ChatGPT Apps SDK, and third-party directories (Smithery, Glama, PulseMCP, mcp.so). When you install SynthBoard as a connector through any of these surfaces, the client relays your request to SynthBoard using OAuth 2.1 or your Bearer API key. The third-party client's handling of your credentials is governed by **their** privacy policy; SynthBoard never receives or stores the client's own auth state. --- ## 4. Information Sharing and Disclosure ### 4.1 We Do NOT Sell Your Data We will never sell your personal information or AI conversation data to third parties. ### 4.2 When We Share Information **Service Providers:** - Payment processors (Paddle) - Email delivery (Resend) - Cloud infrastructure (Vercel, Supabase) - Analytics tools (anonymized data only) **Legal Requirements:** - To comply with laws, regulations, or legal processes - To protect our rights or property - To prevent fraud or security threats - In connection with business transfers (mergers/acquisitions) **With Your Consent:** - Shared sessions (when you explicitly share with others) - Team collaboration (with designated team members) - Public features (if you opt-in to community features) --- ## 5. Data Security We implement industry-standard security measures: ### 5.1 Technical Safeguards - **Encryption:** All data encrypted in transit (TLS 1.3) and at rest (AES-256) - **Authentication:** Secure OAuth 2.0 with Google/GitHub - **Access Control:** Role-based permissions and least-privilege principles - **Infrastructure:** Enterprise-grade hosting with Vercel and Supabase - **Monitoring:** Security monitoring and intrusion detection ### 5.2 Organizational Safeguards - Periodic security reviews and vulnerability assessments - Access limited to necessity - Incident response procedures - Ongoing security awareness practices ### 5.3 Your Responsibility - Use strong, unique passwords - Enable two-factor authentication when offered - Keep your account credentials confidential - Report suspicious activity immediately --- ## 6. International Data Transfers Your data may be transferred to and processed in: - **United States:** Cloud infrastructure providers - **European Union:** Regional compliance requirements We ensure adequate protection through: - Standard Contractual Clauses (SCCs) - EU-US Data Privacy Framework (where applicable) - GDPR-compliant data processing agreements --- ## 7. Your Privacy Rights ### 7.1 Under GDPR (EU Users) You have the right to: - **Access:** Request a copy of your data - **Rectification:** Correct inaccurate information - **Erasure:** Request deletion of your data ("right to be forgotten") - **Portability:** Receive your data in a structured format - **Restriction:** Limit how we process your data - **Objection:** Object to processing for marketing purposes - **Withdraw Consent:** Opt-out of optional data processing ### 7.2 Exercising Your Rights To exercise any privacy rights: - Email: privacy@synthboard.ai - Response time: Within 30 days - Verification: We may request identity verification --- ## 8. Cookies and Tracking We group cookies and similar storage (`localStorage`, `sessionStorage`) into three categories. The first time you visit, a banner asks you to choose. You can change your choice anytime via the **Cookie Preferences** link in the site footer. ### 8.1 Cookie Categories **Essential** — always on, cannot be disabled. Required for the site to function. - Supabase authentication session and CSRF protection - `sb_ref` — referral attribution code (30 days) - `sb_reported_*` — referral-event de-duplication (90 days) - `sb_onboarded` — first-run state (1 year) - `synthboard-cookie-consent` — your consent record itself **Analytics** — optional, requires consent. Helps us understand which features matter and where the product is confusing. - PostHog cookies (`ph_*`) — anonymized event tracking, feature usage, session recordings (with input masking — sensitive fields are never captured) **Functional** — optional, requires consent. Remembers UI preferences across visits. - Theme preference, dismissed in-app banners, sidebar collapsed state We do **not** run advertising, marketing, or third-party tracking pixels. ### 8.2 Managing Your Choices - **First visit:** the banner offers Accept All, Reject All, or Customize. All three options are equally prominent and require a single click. - **Change anytime:** click **Cookie Preferences** in the footer to reopen the modal and adjust your choices. - **Re-consent:** your choice is stored locally and we re-prompt every 180 days, or sooner if this Privacy Policy changes materially. - **Browser-level signals:** we honor [Global Privacy Control](https://globalprivacycontrol.org/) — if your browser sends GPC, we silently record an opt-out for Analytics and Functional and never show the banner. - **Browser settings:** you can also block or clear cookies directly in your browser; doing so for Essential cookies will sign you out and may break parts of the site. ### 8.3 What Happens When You Opt Out If you reject Analytics, the PostHog script is never loaded — no requests leave your browser to analytics endpoints. If you previously accepted and then opt out, we call PostHog's opt-out API and reset any existing identifiers. --- ## 9. Children's Privacy SynthBoard AI is not intended for users under 18 years of age. We do not knowingly collect information from minors. If we discover data from a user under 18, we will delete it promptly. --- ## 10. Third-Party Links Our service may contain links to external websites. We are not responsible for their privacy practices. Please review their privacy policies before providing any information. --- ## 11. California Privacy Rights (CCPA) California residents have additional rights: - Right to know what personal information is collected - Right to delete personal information - Right to opt-out of data "sales" (we don't sell data) - Right to non-discrimination for exercising privacy rights **Contact for CCPA requests:** privacy@synthboard.ai --- ## 12. Data Breach Notification In the event of a data breach affecting your personal information: - We will notify you within 72 hours - Notification will include the nature of the breach and affected data - We will provide remediation steps and support --- ## 13. Changes to This Policy We may update this Privacy Policy periodically. Changes will be: - Posted on this page with a new "Last Updated" date - Notified via email for material changes - Effective immediately upon posting (unless otherwise stated) **Your continued use of SynthBoard AI after changes constitutes acceptance.** --- ## 14. Contact Us For privacy-related questions, concerns, or requests: **Email:** privacy@synthboard.ai **Support:** support@synthboard.ai **Data Protection Officer:** For GDPR inquiries: dpo@synthboard.ai --- ## 15. Regulatory Information **EU Supervisory Authority (GDPR):** Find your local authority: [edpb.europa.eu](https://edpb.europa.eu/about-edpb/board/members_en) --- **Thank you for trusting SynthBoard AI with your data. We are committed to transparency, security, and your privacy rights.**