Privacy Policy

Last updated: 7 June 2025

1. Introduction

Syntheta Ltd ("Syntheta", "we", "our", "us") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, store and protect information that identifies or could identify you ("Personal Data") when you access www.syntheta.org, use our application programming interfaces ("APIs"), software-as-a-service platform, mobile or desktop applications, or otherwise interact with us (collectively, the "Services"). It also describes your rights under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

Please read this Privacy Policy carefully. If you have any questions, contact us using the details in section 17.

2. Who we are

Data Controller: Syntheta Ltd, a company registered in England and Wales (company no. 16497701).

Registered Office: 45 Albemarle Street, London W1S 4JL, United Kingdom.

3. Scope of this Policy

This Policy applies to Personal Data we collect from:

  • visitors to our websites and online properties;
  • customers and prospective customers, their employees and representatives;
  • users who sign up for an account, API key, mailing list, webinar or event;
  • job applicants;
  • anyone who communicates with us by email, phone or otherwise.

It does not cover aggregated or fully synthetic data generated by our models, which no longer constitutes Personal Data.

4. Personal Data we collect

Category | Description | Examples
Identification & contact data | Information you provide when creating an account or contacting us | Name, business e-mail, postal address, phone number, job title, organisation
Account & authentication data | Credentials and security tokens | Password hash, API key, log-in history
Usage data | Data generated by your use of the Services | IP address, browser type, device identifiers, request/response metadata, time-stamp logs, crash reports
Payment & billing data | Collected when you purchase a subscription | Last four digits of card, billing address, VAT number, transaction details (handled by our payment processor)
Marketing preferences | Records of your consents or opt-outs | Newsletter subscription status, cookie consents
Support data | Content of communications with our team | Tickets, emails, call recordings
Recruitment data | Submitted as part of a job application | CV, cover letter, interview notes

We do not intentionally collect special-category data unless you voluntarily provide it (e.g., in a CV) or we are legally required to process it.

Cookies & similar technologies

We do not use cookies, local storage or similar tracking technologies to operate our Sites, remember your preferences, analyse traffic or personalise content. For details see section 12.

5. Legal bases for processing

Under the UK GDPR we rely on one of the following lawful bases:

  • Contract performance - where processing is necessary to deliver the Services you request or to take steps at your request prior to entering into a contract;
  • Legitimate interests - to operate and improve our business (e.g., security, analytics, fraud prevention) where such interests are not overridden by your rights;
  • Consent - for optional cookies, direct marketing by email/SMS, or where required by law; you may withdraw consent at any time;
  • Legal obligation - to comply with laws (e.g., tax, accounting, sanctions screening).

6. How we use Personal Data

We use your data to:

  • Provide & maintain the Services - create accounts, authenticate users, generate synthetic data, process API calls, deliver features;
  • Measure & improve - monitor usage, debug, train and evaluate models, develop new capabilities;
  • Secure & protect - detect security incidents, mitigate abuse or fraud, enforce our Terms;
  • Communicate & support - respond to enquiries, send transactional notices, provide technical support;
  • Bill & collect payment - issue invoices, process payments, recover debts;
  • Market & promote - send newsletters, event invitations, product updates and thought-leadership content, subject to your preferences;
  • Recruit - manage applications, conduct interviews, make hiring decisions;
  • Comply with law - fulfil statutory record-keeping, cooperate with regulators and law-enforcement.

We may anonymise or aggregate data for statistical reporting; such data is no longer Personal Data.

7. Disclosure of Personal Data

We share Personal Data only when necessary:

  • Service providers - cloud hosting, payment processors, analytics providers, email delivery, customer-relationship management (all under contract and bound by confidentiality);
  • Business transfers - in connection with a merger, acquisition or sale of assets (we will give notice and options);
  • Legal disclosures - where required by court order, subpoena or to protect rights, property or safety;
  • With consent - for example, when you direct us to integrate with a third-party platform.

We do not sell or rent Personal Data.

8. International transfers

Our headquarters and primary servers are located in the UK and the European Economic Area (EEA). Some suppliers may operate in countries outside the UK/EEA. When we transfer Personal Data internationally, we rely on:

  • UK adequacy regulations;
  • standard contractual clauses approved by the UK Information Commissioner's Office (ICO) and additional safeguards;
  • your explicit consent where appropriate.

9. Security measures

We implement administrative, technical and organisational measures aligned with ISO/IEC 27001 and NIST SP 800-53 frameworks, including:

  • Transport Layer Security (TLS 1.3) encryption in transit;
  • AES-256 encryption at rest;
  • least-privilege access controls;
  • continuous vulnerability scanning and penetration testing;
  • multi-factor authentication for privileged accounts;
  • routine backups and disaster-recovery plans.

10. Data retention

We keep Personal Data only for as long as necessary to fulfil the purposes described above, including any legal, accounting or reporting requirements. Typical retention periods:

  • Account data - while your account is active plus 6 years;
  • Logs - 12 months;
  • Marketing data - until you withdraw consent or 24 months after last interaction;
  • Recruitment data - 12 months unless you agree to a longer talent-pool period.

Synthetic data generated by our models may be retained indefinitely as it is non-identifiable.

11. Your rights

Subject to certain conditions, you have the following rights under UK GDPR:

  • Access - obtain a copy of your Personal Data;
  • Rectification - correct incomplete or inaccurate data;
  • Erasure - request deletion ("right to be forgotten");
  • Restriction - limit processing in certain circumstances;
  • Portability - receive data in a structured, machine-readable format;
  • Objection - object to processing based on legitimate interests or direct marketing;
  • Withdraw consent - where processing is based on consent;
  • Complain - lodge a complaint with the UK Information Commissioner's Office (www.ico.org.uk) or your local supervisory authority.

To exercise any right, contact us using the details in section 17. We will respond within one month or inform you if an extension is required.

12. Cookies & similar technologies

We categorise cookies as:

  • Strictly necessary - essential for site operation (e.g., session cookies);
  • Analytics - help us understand usage and improve performance (e.g., Google Analytics);
  • Functionality - remember preferences;
  • Marketing - tailor communications.

We do not use cookies or similar tracking technologies on this website. If that changes we will update this page before placing any non-essential cookies.

13. Children's privacy

Our Services are not directed to children under 16. We do not knowingly collect Personal Data from children. If we become aware that a child has provided us data, we will delete it promptly.

14. Automated decision-making & profiling

We do not engage in solely automated decisions that have legal or similarly significant effects on individuals. Our generative-AI models produce synthetic data based on user prompts but do not profile end users.

15. Third-party links

Our Services may contain links to third-party sites. We are not responsible for their privacy practices. We encourage you to read their privacy statements.

16. Changes to this Policy

We may update this Policy from time to time. We will post the revised version with a new "Last updated" date and, where appropriate, notify you by email or via the Services.

17. Contact us

If you have questions, concerns, or wish to exercise your rights, contact:

CEO & Founder
Syntheta Ltd
45 Albemarle Street
London W1S 4JL
United Kingdom
Email: alex@syntheta.org

You can also reach the UK Information Commissioner's Office on 0303 123 1113 or via www.ico.org.uk.