Skip to content
SynovAI

Privacy Policy

Last updated: 2026-05-19

1. Scope

This Privacy Policy describes how SynovAI, Inc. ("SynovAI," "we") collects, uses, shares, and retains information when you use the SynovAI platform and related services (the "Platform"). It applies to information we collect through the Platform's web app, API, marketing site, and email.

2. Information We Collect

We collect the following categories of information:

  • Account information. Name, email address, organization, and role you provide when creating an account; team membership; tier and subscription status. For enterprise SSO logins via Microsoft Entra ID, we receive a stable user identifier and the email address asserted by your identity provider.
  • Customer content. Molecular structures, pipeline parameters, route favorites, reagent flags, catalog uploads, project organization, and feedback you submit. Customer content is treated as your confidential information.
  • Usage data. Logs of feature use, request metadata (timestamp, route, response status, latency), and error events. We use this to operate, debug, and improve the Platform. Usage logs do not include the bodies of customer content beyond what is needed to triage errors, and we do not associate usage logs with marketing profiles.
  • Billing information. Billing contact and payment-method tokens are processed by our payment provider (Stripe). We do not see or store full card numbers.
  • Communications. Email you send us, support tickets, and meeting notes you provide.

3. How We Use Information

  • To operate the Platform — running predictions, storing results, enforcing access controls.
  • To communicate with you about service updates, security notices, billing, and customer support. Marketing email is opt-in and you can unsubscribe at any time.
  • To debug, monitor, and improve Platform reliability and performance.
  • To detect and prevent fraud, abuse, or violations of our Terms of Use.
  • To comply with legal obligations.

We do not use customer content (your molecular structures, results, or task data) to train or fine-tune our AI/ML models without your explicit written consent.

4. Sharing and Sub-processors

We share information only with vetted sub-processors that need it to deliver the Platform, and only to the extent necessary. Current sub-processors are listed at /security.

We do not sell personal information. We do not share customer content with third parties for advertising.

We may disclose information when required by law, valid legal process, or to protect the rights, property, or safety of users or the public. When permitted, we will notify the affected customer before disclosure.

5. Retention

We retain account information and customer content for as long as your account is active. When you delete your account, we delete production data immediately and purge corresponding backup data within the standard 30-day backup retention window unless a longer retention is required by law (e.g., tax records). Anonymized aggregate metrics derived from usage data may be retained indefinitely; these cannot be used to re-identify a specific customer.

6. Security

We protect information using the technical and organizational measures described at /security, including encryption in transit and at rest, role-based access, and dependency monitoring. No system can be guaranteed perfectly secure; we work continuously to reduce risk.

7. Your Rights and Choices

You have the following rights regarding information we hold about you:

  • Access. Most of your data is visible in your account. For a complete machine-readable bundle of everything we hold under your user record, sign in and click Download my data on /account — the export covers tasks, projects, API key metadata, saved views, saved procedures, comments, and every other user-keyed table.
  • Correction. You can edit your account profile. Contact us for fields not editable in the UI.
  • Deletion. You can delete your account from account settings or by emailing us. Deletion soft-deletes your tasks, projects, and API keys; backups purge on the standard retention window noted in Section 5.
  • Portability. The same Download my data action above returns a JSON file you can re-import elsewhere. Tasks, routes, and lab bundles are also downloadable in domain-standard formats from the Platform UI.
  • Marketing opt-out. Use the unsubscribe link in marketing emails or contact us.

We will respond to verifiable requests within 30 days, or sooner where required by law. Where applicable law (e.g., GDPR, CCPA) provides additional rights, we will honor them.

7a. Additional rights for EU/UK users (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation (or its UK/Swiss equivalent) gives you the rights described in Section 7 plus a few additions, set out here for clarity.

Lawful bases. We process your data on the following GDPR Article 6 bases:

  • Performance of a contract (Art. 6(1)(b)) — account creation, processing retrosynthesis submissions, billing, supporting your use of the Platform.
  • Legitimate interests (Art. 6(1)(f)) — product improvement (anonymized aggregate usage data), debugging, abuse prevention, rate-limiting, security monitoring. We can describe our balancing test on request.
  • Consent (Art. 6(1)(a)) — marketing email, storing third-party API keys you provide for pass-through integrations.
  • Legal obligation (Art. 6(1)(c)) — tax records, responses to lawful process.

Restriction and objection (Arts. 18 + 21). You can ask us to restrict processing while we investigate a correction or accuracy dispute, or object to processing based on legitimate interests. Email us and we will pause that processing.

Right to lodge a complaint (Art. 77). You have the right to complain to your local supervisory authority if you believe we are processing your data unlawfully. We encourage you to contact us first so we can address it.

International transfers. The Platform is operated from the United States. When we transfer personal data from the EEA/UK to the US or to other non-adequacy jurisdictions, we rely on the European Commission's Standard Contractual Clauses with our sub-processors. Details are listed at /security.

EU representative. If we appoint an Article 27 EU representative, we will list their details here.

8. International Users

The Platform is operated from the United States. By using the Platform, you understand that information may be processed in the United States and other countries where our sub-processors operate. We are happy to discuss data-residency arrangements for enterprise customers with specific requirements.

9. Children's Privacy

The Platform is not directed to children under 16. We do not knowingly collect personal information from children. Educational accounts for university students are managed through the institution and require institutional consent.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or in-app notice at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent change.

11. Contact

Questions, concerns, or requests regarding this Privacy Policy or our data practices should be sent to jessica.freeze@synovai.net.