Data protection
Privacy Policy
With this Privacy Policy we inform you about the processing of personal data when using the Synthesized web application and our website.
Controller
Controller in the sense of the GDPR is:
Valentin Lionel Weinert – Synthesized
Dr.-Rohmer-Weg 11
65719 Hofheim am Taunus, Germany
E-mail: support@synthesized.app
Scope of processing
We process personal data that you provide to us (e.g. during registration, when using the app or when contacting us) and data that is generated automatically when you use the website and the app.
The provision of personal data is partly required for the conclusion and performance of the contract (use of Synthesized). If you do not provide this data, the service cannot be used or only to a limited extent.
Categories of data
- Technical usage data when accessing the website (IP address, time of access, URL, HTTP status code, user agent, referrer URL).
- Account data for registration and login via our identity provider Clerk (e.g. name, e-mail address, authentication data).
- Billing and contract data when using paid plans via Stripe (e.g. name, address, payment information, subscription details).
- Product and usage data in the dashboard and via the API (e.g. project names, API request metadata, costs, budgets). No prompt contents or API payloads are used for own model training.
- Communication data when you contact us (e-mail content, support requests).
Purposes of processing
- Provision and operation of the website and the Synthesized platform.
- Ensuring the security and stability of our systems, error analysis and prevention of misuse.
- Contract initiation and performance, including billing of subscriptions and management of payments.
- Product-related analyses to improve functions and user experience (in aggregated or pseudonymised form).
- Processing of enquiries and support requests.
Cookies and similar technologies
We use technically necessary cookies and similar technologies to provide our website and login area (e.g. language preference, session cookies of our identity provider Clerk, cookie to store your consent choice). These are required to operate Synthesized and are used on the basis of Section 25(2) TTDSG (where applicable) and Art. 6(1)(b) and (f) GDPR.
In addition, we only use optional analytics and error tracking services (e.g. Sentry, Vercel Web Analytics, Vercel Speed Insights) if you have given your prior consent. You can change your choice at any time via the privacy settings on the website.
Legal bases
We process your data based on the following legal bases of the GDPR:
- Art. 6(1)(b) GDPR (performance of a contract) for the use of the platform, your account and the processing of API usage and subscriptions.
- Art. 6(1)(c) GDPR (legal obligation) for the fulfilment of commercial and tax retention obligations.
- Art. 6(1)(f) GDPR (legitimate interests) for the secure, stable and efficient operation of our services, product improvements (in pseudonymised/aggregated form) and the defence of legal claims.
- Art. 6(1)(a) GDPR (consent) insofar as we ask you for explicit consent for certain processing operations. You can withdraw your consent at any time with effect for the future.
Hosting and infrastructure
We host Synthesized and the associated infrastructure with specialised providers (in particular Vercel and Supabase). These act for us as processors in accordance with Art. 28 GDPR and are contractually bound to our instructions.
Depending on the service and selected region, data may be processed in the EU and – in individual cases – in third countries. In the latter case, we rely on the EU standard contractual clauses and, where available, additional technical and organisational measures.
Processors and third parties
We use selected service providers to operate Synthesized. These process data on our behalf or as independent controllers:
- Clerk (authentication and user accounts).
- Supabase (database, real-time functions).
- Stripe (payment processing and subscription management).
- Resend (transactional emails, e.g. budget alerts and team invitations).
- Sentry (error and performance monitoring) with strongly reduced personal data.
- Vercel (hosting and, where activated, privacy-friendly analytics).
Analytics and performance measurement
We may use privacy-friendly analytics and performance tools (e.g. Vercel Web Analytics, Vercel Speed Insights) to better understand stability, performance and the use of our product. These tools work without third-party cookies and focus on aggregated, pseudonymised usage data. Where this is not covered by our legitimate interests, we will obtain your consent before activating such tools.
Log files and API request data
When using Synthesized, API request metadata is logged in order to provide the core functionality (cost tracking, budgets, alerts). This includes, for example, time, model, endpoint, token usage and calculated costs.
We do not use these logs to build our own AI models. Access to log data is restricted to a small number of authorised persons and is only used to operate and secure the service as well as for support and billing.
Storage periods
We store personal data only for as long as it is necessary for the respective purpose or as we are legally obliged to do so. Usage and cost data is generally kept for the duration communicated in the product (e.g. history limits per plan), unless longer storage is required by law.
Your rights
As a data subject, you have the following rights under the GDPR:
- Right of access (Art. 15 GDPR) to the personal data we process about you.
- Right to rectification (Art. 16 GDPR) of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR) of your data, where the legal requirements are met.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR).
- Right to object (Art. 21 GDPR), in particular to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR) at any time with effect for the future.
You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement.
Data transfers to third countries
Where data is transferred to service providers in countries outside the European Economic Area (EEA), this is done on the basis of an adequacy decision of the European Commission or the EU standard contractual clauses and, where necessary, additional safeguards.
Changes to this Privacy Policy
We may adapt this Privacy Policy from time to time in order to reflect changes in our processing activities or legal requirements. The current version can always be found on this page.
We may adapt this Privacy Policy from time to time in order to reflect changes in our processing activities or legal requirements. The current version can always be found on this page.