Privacy Policy

Last updated: 3 July 2026

1. Introduction

SynthVault Inc. ("SynthVault," "we," "us," or "our") is committed to protecting the privacy and personal information of individuals who interact with our secure AI model vault platform and website at synthvault.pro. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation in Canada.

SynthVault is a technology platform that provides secure storage and governance infrastructure for artificial intelligence model assets. We are not a marketing agency and do not engage in advertising, lead generation, or promotional data practices. Our data collection is limited to what is necessary to operate our platform, respond to enquiries, and fulfil contractual obligations with enterprise clients.

By using our website or platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services or submit personal information through our contact forms.

2. Scope and Application

This Privacy Policy applies to personal information collected through synthvault.pro, our contact forms, client onboarding processes, platform user accounts, and any other channel where SynthVault acts as the data controller. It does not apply to personal information processed by our enterprise clients within their own vault instances — in those cases, the client organisation acts as the data controller and their privacy policies govern that processing.

This policy covers visitors to our website, individuals who submit contact enquiries, registered platform users, and representatives of client organisations who interact with SynthVault in a business capacity. It applies regardless of whether you access our services from Canada or from another jurisdiction, though our primary compliance framework is Canadian privacy law.

3. Information We Collect

3.1 Information You Provide Directly

When you contact us through our website form, we collect your name, email address, subject line, and message content. You must provide explicit consent under PIPEDA before we process this information. We do not pre-check consent boxes — affirmative consent is required.

During client onboarding, we may collect additional business contact information including job title, organisation name, phone number, and billing address. Enterprise clients may provide technical contact details for integration and support purposes.

3.2 Information Collected Automatically

When you visit synthvault.pro, we automatically collect certain technical information including your IP address, browser type and version, operating system, referring URL, pages viewed, and timestamps of visits. This information is collected through server logs and, if you consent, through analytics cookies as described in our Cookie Policy.

3.3 Platform Usage Data

Registered users of the SynthVault platform generate usage data including login timestamps, vault access events, model upload and download records, and configuration changes. This data is essential for platform operation, security monitoring, and audit compliance. Platform usage data is governed by both this policy and the applicable master services agreement with your organisation.

3.4 Information We Do Not Collect

SynthVault does not collect sensitive personal information such as government identification numbers, financial account details, health records, or biometric data through our public website. We do not purchase marketing lists or engage third-party data brokers. We do not track individuals across unrelated websites for advertising purposes.

4. How We Use Information

We use personal information for the following purposes, each grounded in identified business needs and limited to what is reasonably necessary:

  • Responding to Enquiries: Processing and responding to contact form submissions, demo requests, and support tickets.
  • Platform Operation: Creating and managing user accounts, authenticating access, and providing vault storage and governance services to enterprise clients.
  • Security and Fraud Prevention: Monitoring for unauthorised access, investigating security incidents, and maintaining audit trails required for compliance.
  • Service Improvement: Analysing aggregated, de-identified usage patterns to improve platform features and user experience.
  • Legal Compliance: Fulfilling obligations under PIPEDA, responding to lawful requests from authorities, and enforcing our Terms of Service.
  • Contractual Performance: Billing, account management, and delivery of professional services under master services agreements.

We do not use personal information for automated decision-making that produces legal or similarly significant effects on individuals. We do not sell personal information to third parties.

5. Disclosure of Information

We may disclose personal information to the following categories of recipients, subject to appropriate safeguards:

  • Service Providers: Third-party vendors who assist with hosting, email delivery, analytics (with consent), and payment processing. All service providers are bound by contractual obligations to protect personal information and use it only for specified purposes.
  • Professional Advisors: Lawyers, accountants, and auditors who require access to information for advisory purposes, bound by professional confidentiality obligations.
  • Enterprise Clients: Where you are a platform user employed by or representing a client organisation, certain usage data may be accessible to your organisation's vault administrators as part of normal platform operation.
  • Legal Authorities: When required by law, court order, or governmental regulation, or when we believe disclosure is necessary to protect the rights, property, or safety of SynthVault, our users, or the public.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, personal information may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.

6. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Contact form submissions are retained for twenty-four months unless a business relationship is established, in which case contact records are retained for the duration of the relationship plus seven years for legal and accounting purposes.

Platform audit logs and access records are retained according to the terms of each client's master services agreement, typically for a minimum of three years. Server logs for the public website are retained for ninety days. Analytics data collected with consent is retained in aggregated form for twenty-six months.

When personal information is no longer required, we securely delete or de-identify it using industry-standard methods. De-identified data that cannot reasonably be linked to an individual may be retained indefinitely for statistical and service improvement purposes.

7. Security Measures

SynthVault implements technical and organisational measures designed to protect personal information against unauthorised access, alteration, disclosure, and destruction. These measures include AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access controls, multi-factor authentication for platform access, regular security assessments, and employee privacy training.

While we strive to protect personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security and do not represent that our systems are immune from breach. In the event of a data breach affecting personal information, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA, without unreasonable delay.

8. Your Rights Under PIPEDA

Under PIPEDA, you have the following rights regarding your personal information held by SynthVault:

  • Right of Access: You may request access to the personal information we hold about you.
  • Right to Correction: You may request correction of inaccurate or incomplete personal information.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time, subject to legal or contractual restrictions.
  • Right to Challenge Compliance: You may challenge our compliance with PIPEDA by contacting our Privacy Officer or filing a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, contact our Privacy Officer using the details in Section 13. We will respond to verified requests within thirty days, or inform you if an extension is required. We may request identity verification before processing access or correction requests to prevent unauthorised disclosure.

9. Cookies and Tracking

Our website uses cookies and similar technologies as described in our Cookie Policy. Essential cookies are necessary for website functionality and do not require consent. Analytics cookies are deployed only with your explicit consent through our cookie banner. You may withdraw consent at any time by clearing your browser cookies or adjusting preferences through our cookie customisation modal.

10. Cross-Border Transfers

SynthVault is based in Canada and our primary data processing occurs within Canada. Where we use service providers located outside Canada, personal information may be transferred to and processed in other jurisdictions. In such cases, we ensure appropriate safeguards are in place, including contractual clauses requiring equivalent privacy protections, and we inform affected individuals as required by PIPEDA.

Enterprise clients may configure data residency requirements for vault-stored model assets. Self-hosted and private cloud deployments keep all platform data within the client's chosen jurisdiction.

11. Children's Privacy

SynthVault's platform and website are not directed at individuals under the age of eighteen. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly. Parents or guardians who believe their child has provided personal information to us should contact our Privacy Officer.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email or platform notification. We encourage you to review this policy periodically.

13. Contact Our Privacy Officer

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of personal information, contact our Privacy Officer:

SynthVault Inc. — Privacy Officer
595 Burrard Street, Suite 2100
Vancouver, BC V7X 1L3, Canada
Email: [email protected]
Phone: +1 (236) 555-4826

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.