Privacy Policy

Last updated: October 28, 2025

1. Introduction

Welcome to Synthgram ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our enterprise AI governance platform, including document intelligence, conversational AI, workflow automation, our website (https://www.synthgram.com), and related services (collectively, the "Service").

2. Information We Collect

Information You Provide

• Account Information: When you register, we collect your name, email address, and organization details
• Billing Information: For paid subscriptions, we collect payment details and billing addresses
• Document Content: We process and store documents you upload to our platform (PDFs, spreadsheets, images, text files, and other formats)
• AI Interactions: Chat conversations, queries, prompts, and AI-generated responses
• Workflow Data: Workflow definitions, configurations, execution history, and results
• Connector Configurations: Settings and credentials for external tool integrations (MCP and API connectors)
• User-Generated Content: Including comments, annotations, policies, and preferences
• Administrative Data: Organization policies, user permissions, and governance settings

Automatically Collected Information

• Usage Data: Information about how you interact with our Service, including features used, documents accessed, and workflows executed
• Device Information: Including device type, operating system, browser type, and device characteristics
• Log Data: IP addresses, access times, error logs, API calls, and referring URLs
• Audit Logs: Comprehensive tracking of all activities including document operations, AI queries, workflow executions, and administrative actions
• Performance Metrics: AI model usage, cost metrics, response times, and system performance data
• Cookies and Similar Technologies: Used to enhance your experience and collect usage data

3. How We Use Your Information

We use your information to:

• Provide and maintain our Service across all features (document management, conversational AI, workflow automation)
• Process and analyze your documents using AI technology and generate AI-powered insights
• Enable Retrieval Augmented Generation (RAG) to provide contextually relevant AI responses based on your documents
• Execute AI workflows and automate tasks using your configured connectors
• Process conversational AI requests using third-party LLM providers (OpenAI, Anthropic Claude, Google Gemini)
• Connect to external services via MCP and API integrations on your behalf
• Improve and personalize your experience
• Generate audit logs and usage analytics for administrators
• Enforce organization-wide AI governance policies
• Communicate with you about updates and features
• Process payments and prevent fraud
• Send you marketing communications (with opt-out option)
• Identify usage trends and maintain security
• Comply with legal and regulatory obligations including ISO 27001 requirements

4. Data Storage and Security

We implement enterprise-grade security measures to protect your information:

• Infrastructure: Hosted on Microsoft Azure cloud infrastructure with multi-tenant isolation
• Encryption: Data encrypted at rest and in transit using industry-standard protocols
• Certifications: ISO 27001 certified with SOC 2 compliance in progress
• Access Controls: Role-based access control (RBAC) with authentication requirements via Azure AD External ID
• Data Isolation: Strict tenant separation ensuring your data is isolated from other organizations
• Security Monitoring: Regular security assessments, vulnerability scanning, and updates
• Secure Data Centers: Azure data centers with physical security, redundancy, and backup systems
• Audit Logging: Comprehensive logging of all access and activities for security and compliance

Data Location: Your data is stored in Microsoft Azure data centers. Specific regions may vary based on your subscription.

5. Data Sharing and Disclosure

We may share your information with:

• Microsoft Azure: Our cloud infrastructure provider that hosts and stores your data
• AI Service Providers: Third-party Large Language Model (LLM) providers including:
  - OpenAI (ChatGPT models)
  - Anthropic (Claude models)
  - Google (Gemini models)
  Your documents and prompts may be sent to these providers to generate AI responses. We use enterprise API agreements that prohibit these providers from using your data for model training.
• MCP Service Providers: When you configure connectors, data may flow through:
  - Composio (for Gmail, WhatsApp, Canva integrations)
  - Other MCP providers you choose to enable
  These integrations only occur when you explicitly configure and authorize them.
• Payment Processors: Secure third-party processors for billing and payment handling
• Analytics Providers: For service improvement and usage monitoring
• Law Enforcement: When required by law or to protect our rights
• Business Transfers: In case of merger, acquisition, or sale of assets
• Your Organization Administrators: Within your tenant, administrators can access usage analytics, activity metadata, and audit logs for governance purposes (see Section 11 for details on what administrators can and cannot access)

6. AI Processing and Data Analysis

Our Service uses artificial intelligence extensively across multiple features:

Document Intelligence (INDEX):

• Automatically classify and tag documents
• Extract metadata and key information
• Create vector embeddings for semantic search
• Enable Retrieval Augmented Generation (RAG) to answer questions about your documents

Conversational AI (EXPLORE):

• Process your queries using selected LLM providers (OpenAI, Anthropic, Google)
• Generate responses grounded in your organizational documents via RAG
• Create reports, visualizations, and other content
• Execute actions through MCP and API connectors

Workflow Automation (BUILD):

• Generate workflow definitions from natural language descriptions
• Execute multi-step AI processes
• Combine AI reasoning with quality verification gates
• Store execution history and results

Important Notes:

• Your documents and queries are sent to third-party AI providers to generate responses
• We use enterprise API agreements that prohibit AI providers from using your data for model training
• AI-generated content may be inaccurate and should be reviewed before use
• Your data is used to provide contextual, organization-specific AI responses
• Workflow executions may trigger external tool access based on your configured connectors

7. Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes outlined in this policy:

• Active Accounts: Data is retained while your account and subscription are active
• Deleted Documents: Removed from active storage but may remain in backups for a limited period
• Chat History: Retained to maintain conversation context and improve your experience
• Workflow Executions: Historical execution data retained for audit and review purposes
• Audit Logs: Retained for compliance and security purposes according to regulatory requirements
• Account Deletion: Upon account termination, we will remove or anonymize your information within 90 days unless we need to keep it for legal, security, or compliance reasons
• Legal Holds: Some data may be retained longer to comply with legal obligations or dispute resolution

8. Your Rights and Choices

You have the right to:

• Access: Request access to your personal information and data
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Export: Export your documents, workflows, and chat history
• Opt-out: Unsubscribe from marketing communications at any time
• Cookie Control: Manage cookie preferences through your browser settings
• Consent Withdrawal: Withdraw consent for data processing where applicable
• Restrict Processing: Request restriction of certain data processing activities

For Organization Users: Your organization administrator may have additional controls over your data and activities within your tenant. Contact your administrator for organization-specific data requests.

For Administrators: Organization administrators have specific governance capabilities within their tenant as detailed in Section 11 (Administrator Access and Data Privacy) below.

9. International Data Transfers

Synthgram is based in Israel and our Service is hosted on Microsoft Azure infrastructure. Your data may be transferred to and processed in:

• Azure Data Centers: Located in various regions worldwide based on your subscription
• AI Service Providers: Data may be sent to OpenAI (United States), Anthropic (United States), and Google (United States) for AI processing
• MCP Service Providers: When using connectors, data may flow to third-party services based on the connector configuration

We ensure appropriate safeguards are in place for international data transfers, including:

• Standard Contractual Clauses (SCCs) with service providers
• Compliance with GDPR and other data protection regulations
• Azure's global compliance framework and certifications
• Enterprise agreements with AI providers that prohibit unauthorized data use

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of any material changes via email or through our Service.

11. Administrator Access and Data Privacy

Synthgram implements privacy-respecting governance that balances administrative oversight with user confidentiality:

What Administrators CAN Access:

Organization administrators can view:

• Usage statistics and activity patterns (who is using AI features and when)
• Cost metrics across users and AI models
• Audit logs showing actions taken (document uploads, workflow executions, chat sessions initiated)
• Which AI models and connectors are being used
• System performance and analytics data
• User account information and permissions

What Administrators CANNOT Access:

Organization administrators cannot view:

• Actual chat conversations, prompts, or questions asked by users
• Content of generated reports, documents, or AI responses
• Specific details of documents uploaded or processed
• Personal work product created using AI features
• Individual messages within chat sessions
• Workflow execution details beyond metadata (start time, duration, status)

Privacy-First Governance Philosophy:

Our approach follows industry standards set by leading enterprise AI platforms (Microsoft Copilot, ChatGPT Enterprise, Google Workspace AI) that provide governance through transparency and metrics rather than content surveillance. This approach:

• Enables effective AI governance and compliance
• Maintains user trust and promotes AI adoption
• Complies with employee privacy regulations (GDPR, CCPA)
• Provides sufficient oversight for cost control and policy enforcement
• Protects intellectual property and confidential work

Exceptions for Legal and Security Purposes:

In limited circumstances, authorized personnel may access content with proper justification:

• Legal Obligations: When required by law, court order, or regulatory investigation
• Security Incidents: During active security breach investigations with documented authorization
• Policy Violations: When investigating reported violations with specific evidence and legal justification
• Compliance Audits: For regulated industries with mandatory audit requirements (financial services, healthcare)

When exception access occurs:

• Access is limited to specific authorized compliance or security officers
• All access is logged and auditable
• Users are notified where legally permitted
• Access is time-limited and scope-restricted
• Legal team approval is required

12. Multi-Tenant Architecture and Data Isolation

Synthgram operates as a multi-tenant platform with strict data isolation:

• Tenant Isolation: Each organization's data is logically separated and isolated from other tenants
• Access Controls: Users can only access data within their assigned tenant
• Administrator Access: Limited to metadata and analytics as described in Section 11
• Cross-Tenant Privacy: No data is shared between different organizations without explicit consent
• Role-Based Permissions: User roles (administrator vs. user) determine access levels within a tenant

13. Contact Us

If you have questions about this Privacy Policy, please contact us at:

Email: sales@synthgram.ai

Website: www.synthgram.ai

US Office:

167 Madison Avenue

New York City, NY 10016

Israel Office:

4 Mivtza Dekel,

Petach Tikva, Israel 4934632