Privacy Policy
This Privacy Policy explains how Synthefy, Inc. (“Synthefy,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data in connection with the services described in Section 1 below (the “Services”). It also describes your rights and choices regarding your personal data.
1. Scope of this Policy
This Policy covers personal data we process in connection with:
- Our website — synthefy.com and related subdomains (marketing pages, blog, contact and waitlist forms).
- Our hosted products — the Synthefy Platform, the Synthefy API and developer console, and any documentation portals that require an account (e.g. platform.synthefy.com, console.synthefy.com, docs.synthefy.com).
- Business interactions — sales conversations, support requests, event and webinar registrations, and partner-program activity.
What this Policy does not cover. Our foundation models — including Migas-1.5 — are released as open-source model weights under Apache 2.0. When you download and run those weights yourself, on your own infrastructure, Synthefy has no access to the data you process and does not collect anything about that use. Your use of the model in that mode is governed solely by the applicable open-source model license, not by this Policy.
This Policy does apply where you access a Synthefy model through a hosted Synthefy service (for example, our API or Platform), because in that case we operate the inference infrastructure. It also applies to personal data about you that we collect when you visit our site, create a Synthefy account, or communicate with us — regardless of which product you are evaluating.
Where we process data on behalf of a customer (for example, content a customer submits to our API), the customer is the controller of that data and their privacy notice governs the processing — we act as a processor/service provider and handle such data only on the customer’s documented instructions under our customer agreement and data processing addendum (“DPA”).
2. Information We Collect
The personal data we collect depends on how you interact with us. The sub-sections below describe each collection context. If a context does not apply to your use, the associated data is not collected.
2.1 Website visitors (synthefy.com)
When you visit our public website, we collect:
- Form submissions — information you voluntarily provide through contact forms, demo requests, waitlist sign-ups, newsletter subscriptions, event registrations, and job applications. This typically includes name, email address, employer, job title, and any message content you submit.
- Analytics and device data — collected automatically through cookies and similar technologies, including IP address, approximate location derived from IP, device and browser identifiers, operating system, referring/exit URLs, pages viewed, and session timestamps. We use Google Analytics for this purpose.
2.2 Synthefy Platform, API, and console users
When you request access to, create, or use a Synthefy account on a hosted product, we collect:
- Account request information — name, email address, and any message you submit when requesting access. Access is granted only after manual review and approval by a Synthefy administrator.
- Account information — email address, name, role, and onboarding responses (such as your role, goal, and technical level). Authentication is handled by our identity provider, Supabase, which stores password credentials; Synthefy does not store passwords directly.
- Usage and telemetry — API calls, request metadata, feature usage, tutorial progress, performance data, and diagnostic logs necessary to operate and secure the Services.
- Customer Data — content you submit through the Platform or API for inference, analysis, or support (including datasets, prompts, and outputs). We process Customer Data on your behalf as a processor/service provider under your customer agreement and our DPA. We do not use Customer Data to train our foundation models.
2.3 Business contacts
If you communicate with our sales, support, or partnerships team, we collect contact details and the content of those communications. We may also obtain business-contact information from publicly available professional sources (e.g. LinkedIn) or enrichment providers in order to reach out about relevant products.
2.4 Open-source model users
If you download and run Migas-1.5 or another open-source Synthefy model on your own infrastructure without connecting to any Synthefy-hosted service, we do not collect any data about that use. (If you also visit our website or create a Synthefy account, the other sub-sections of this Section 2 apply to those interactions.)
3. How We Use Personal Data
We use personal data for the following purposes:
- To provide, operate, secure, and improve the Services;
- To create and manage accounts, authenticate users, review account-access requests, and provide customer support;
- To send administrative communications and, where applicable, manage billing;
- To communicate with you about products, features, research, and events (where permitted by law — see Section 9 on your choices);
- To conduct research, benchmarking, and analytics to improve model quality and product performance (using only data we are permitted to use for this purpose);
- To monitor for, prevent, and investigate fraud, abuse, security incidents, and violations of our terms;
- To comply with legal obligations, enforce our agreements, and establish, exercise, or defend legal claims.
3.1 Legal bases (EU / UK / EEA / Switzerland)
Where GDPR or UK GDPR applies, we rely on the following legal bases: (a) performance of a contract with you, (b) your consent (which you may withdraw at any time), (c) our legitimate interests in operating, securing, and improving our business (balanced against your rights), and (d) compliance with our legal obligations. Where we rely on legitimate interests, you may object as described in Section 8.
4. How We Share Personal Data
We do not sell personal data. We share personal data only as described below:
- Service providers and sub-processors. Vendors that help us operate the Services — including cloud hosting and storage (Amazon Web Services), managed database and authentication (Supabase), serverless compute for agentic workloads (Modal), large-language-model inference (Anthropic), error tracking (where enabled, Sentry), and email delivery over SMTP. Each sub-processor operates under a written contract that restricts its use of personal data to what is necessary to provide its service to us. To request our current list of sub-processors, along with their locations and scope, email support@synthefy.com.
- Customers and their authorized users. If you use the Services through a customer account (for example, a Databricks workspace that has installed our integration), we share account and usage data with that customer’s administrators.
- Integration partners. When you connect a third-party service (for example, Databricks, a data warehouse, or an identity provider), we share personal data as needed to deliver the integration you requested.
- Business transfers. In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to standard confidentiality protections.
- Legal and safety. To comply with applicable law, lawful requests from government authorities, to enforce our terms, or to protect the rights, safety, and property of Synthefy, our users, or others.
- With your direction or consent. In any other case where you ask us to share your personal data or consent to the sharing.
Note on LLM sub-processors. Some Platform features rely on third-party model providers (currently Anthropic) to generate responses. When you use those features, the prompts and inputs needed to produce a response are transmitted to the relevant provider, which processes them under its own enterprise data-processing terms (including, where supported, zero-retention and no-training commitments). We do not transmit Customer Data to these providers outside of the features that require it.
5. International Data Transfers
Synthefy, Inc. is a United States company. We store and process personal data primarily in the United States (AWS us-east-2 region) and may additionally process it in other countries where our service providers operate. When we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards such as the Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. Copies are available on request to support@synthefy.com.
6. Data Retention
We retain personal data for as long as necessary to provide the Services and fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law (for example, for tax, accounting, legal, or security purposes). For the Synthefy Platform specifically, Customer Data (including datasets, prompts, and outputs) is retained until you delete it — you can delete workspaces, experiments, and datasets at any time through the Platform. When personal data is no longer needed, we delete or anonymize it.
7. Cookies and Similar Technologies
We use two categories of cookies and similar technologies: (a) strictly necessary cookies required to operate the Services (including authentication session cookies set by Supabase on the Platform), and (b) analytics cookies used by Google Analytics on our public website to measure traffic and improve our content. Strictly necessary cookies cannot be turned off. Analytics cookies are set only with your consent where required by law, and you can manage your preferences through our cookie banner or your browser settings.
8. Your Rights and Choices
Depending on where you live, you may have the following rights with respect to your personal data: access, correction, deletion, portability, restriction of processing, objection to processing, the right to withdraw consent, and the right not to be subject to solely automated decisions that produce legal or similarly significant effects.
8.1 California residents (CCPA / CPRA)
California residents have the right to know the categories and specific pieces of personal information we have collected, to request deletion or correction, to opt out of the “sale” or “sharing” of personal information (we do not sell or share personal information as those terms are defined under the CCPA), to limit the use of sensitive personal information, and to be free from discrimination for exercising these rights. We have not sold or shared personal information in the preceding 12 months.
8.2 How to exercise your rights
You may exercise your rights by emailing support@synthefy.com or by using the self-service controls in your account. We may need to verify your identity before fulfilling a request. You may also appoint an authorized agent to act on your behalf. If you are a resident of the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local supervisory authority.
9. Marketing Communications
You can opt out of marketing emails at any time using the unsubscribe link in any marketing message or by contacting support@synthefy.com. We may still send you non-promotional messages about your account, security, or the Services.
10. Security
We maintain administrative, technical, and physical safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include encryption in transit (TLS/HTTPS) and at rest for data stored in our managed database and object storage, short-lived access tokens and role-based access controls, a human-review workflow for account access, vendor due-diligence for sub-processors, and application-level error tracking and telemetry to detect and respond to incidents. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Children’s Privacy
The Services are not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact support@synthefy.com and we will take appropriate steps to delete it.
12. Automated Decision-Making and AI
Migas-1.5 and related models are used by our customers to make predictions from structured data. We do not use customer content to make automated decisions about individuals on our own behalf. Where a customer uses the Services to make decisions about you, that customer is the controller of the processing and is responsible for providing appropriate notices and, where required, lawful bases and human-review mechanisms.
13. Third-Party Services
The Services may contain links to, or integrate with, third-party services (for example, Databricks, identity providers, or data warehouses). This policy does not apply to those third-party services, which are governed by their own privacy notices. Please review them carefully.
14. Changes to this Policy
We may update this policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page, updating the “Last updated” date, and, where required, providing additional notice (such as an email or in-product notification).
15. Contact Us
Questions, requests, or complaints about this policy or our privacy practices should be sent to:
Synthefy, Inc.Attn: Privacy
1705 Guadalupe Street, Suite 300
Austin, TX 78701
United States
Email: support@synthefy.com