Privacy Policy

Effective date: April 15, 2026

This Privacy Policy explains how CinaptixAI (“CinaptixAI”, “we”, “us”, “our”) collects, uses, discloses, and protects personal information when you access or use the CinaptixAI website, web application, API, and related services (the “Service”). It should be read together with our Terms of Service and Disclaimer.

1. Who we are & how to contact us

CinaptixAI is operated from Canada. For any privacy-related request, including access, correction, deletion, objection, portability, or a complaint, contact our Privacy Office at privacy@cinaptixai.com. We respond to verified requests within 30 days (or sooner where required by law).

2. Personal information we collect

We collect the following categories of personal information:

  • Account data — display name, username (“identity”), email, hashed password (BCrypt), role, location, preferred language, date of birth (for age-verification), timestamps for terms & privacy acceptance.
  • Your Content — ideas, text you enter, files, images, voice recordings, attachments, tags, categories, and any metadata you associate with them.
  • AI interaction data — prompts you send, responses returned, tokens used, model identifiers, and job status.
  • Billing data — tier selection, subscription status, Stripe customer identifier. Full payment-card numbers are collected, processed, and stored by Stripe; we never see or store them.
  • Technical data — IP address, browser user-agent, device information, session cookies, authentication cookies, CSRF tokens, and audit logs of security-relevant actions.
  • Communications — support emails, security reports, and onboarding email engagement.

3. How we use your information

We process personal information to:

  • Create and maintain your account and authenticate you.
  • Provide the Service — store, enrich, connect, search, and display Your Content.
  • Generate AI enrichments, transcriptions, summaries, and embeddings at your request.
  • Process subscription payments and prevent payment fraud (via Stripe).
  • Send transactional, security, and onboarding emails (you can opt out of non-essential email at any time).
  • Monitor, secure, debug, and improve the Service, including rate-limiting and abuse-prevention.
  • Comply with legal obligations (tax, accounting, law-enforcement requests, court orders).

4. Legal bases (EEA / UK users)

Where GDPR or UK GDPR applies, our lawful bases for processing are:

  • Contract (Art. 6(1)(b)) — to create your account, deliver the Service you subscribe to, and process payments.
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, keep audit logs, and improve performance. We have balanced these interests against your privacy and believe the processing is proportionate.
  • Consent (Art. 6(1)(a)) — for non-essential cookies, marketing emails (where required), and optional AI processing of content you choose to submit. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, sanctions, and law-enforcement obligations.

We do not use personal information for automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22).

5. AI processing & no model training

  • When you request an enrichment, summary, transcription, or other AI action, the relevant portion of Your Content is transmitted to our AI providers (currently OpenAI) to produce the requested output.
  • We call OpenAI APIs with the store: false parameter where supported, which instructs OpenAI not to retain prompts or completions for abuse-monitoring. OpenAI’s API Data Usage Policy further states that data sent to the API is not used to train OpenAI models.
  • We do not use Your Content to train our own models or any third-party models.
  • We do not sell Your Content or personal information.

6. Sharing & sub-processors

We share personal information only with service providers that help us operate the Service, under contractual confidentiality and data-protection obligations. A current list is maintained on our Sub-processors page and includes, without limitation, Stripe (payments), OpenAI (AI processing & transcription), Microsoft Azure (hosting & storage), and SendGrid or SMTP providers (email delivery).

We may disclose personal information (a) to comply with a valid legal request, court order, or regulatory obligation; (b) to enforce our Terms; (c) to protect the rights, safety, or property of CinaptixAI, users, or the public; or (d) in connection with a merger, acquisition, or sale of assets, in which case we will give notice before your information becomes subject to a different privacy policy.

7. International data transfers

Your personal information may be processed in Canada, the United States, and the European Economic Area. Where personal information is transferred out of the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards offered by our sub-processors (for example, Stripe’s and OpenAI’s published transfer mechanisms).

8. Your rights

Depending on where you live, you may have the following rights in respect of your personal information:

  • Access — obtain a copy of the personal information we hold about you.
  • Rectification — correct inaccurate or incomplete information.
  • Erasure / right to be forgotten — request deletion of your account and content. You can do this yourself from your Profile page (“Delete account”), or by emailing privacy@cinaptixai.com.
  • Portability — receive a machine-readable export of your ideas, attachment metadata, and profile. Available from your Profile page (“Export my data”) or on request.
  • Restriction — ask us to pause processing in certain cases.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time (does not affect past processing).
  • Complain — lodge a complaint with a data-protection authority: the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Commission d’accès à l’information du Québec, your local EU DPA, or the UK ICO (ico.org.uk).

9. California residents (CCPA / CPRA)

  • In the 12 months before this policy’s effective date, we collected the categories of personal information described in Section 2 for the business purposes described in Section 3.
  • We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding 12 months. We do not sell or share the personal information of minors under 16.
  • You have the right to know, to delete, to correct, to limit the use of sensitive personal information, and to opt out of “sale” or “sharing” (not applicable, as we do neither). We will not discriminate against you for exercising these rights.
  • To exercise your rights, email privacy@cinaptixai.com from the address on your account, or use the buttons on your Profile page. An authorised agent may submit a request with written permission and identity verification.

10. Canadian residents (PIPEDA / Law 25 / PIPA)

Canadian users are protected under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec’s Act respecting the protection of personal information in the private sector (“Law 25”), Alberta’s PIPA, and BC’s PIPA. In addition to the rights above, Quebec residents have the right to data portability (since September 22, 2024) and the right to be informed of any decision based exclusively on automated processing — we do not engage in such processing. Our Privacy Officer can be reached at privacy@cinaptixai.com.

11. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that is the digital age of consent). Registration requires a confirmed date of birth. If we learn that we have collected personal information from a child below the applicable age, we will delete it promptly. Parents or guardians who believe their child has registered should contact privacy@cinaptixai.com.

12. Cookies & similar technologies

We use a small number of cookies and similar technologies, described in detail on our Cookie Policy page. In summary:

  • Strictly necessary — authentication session, CSRF anti-forgery, load-balancing. Cannot be disabled.
  • Preference — theme choice (light/dark) stored in localStorage.
  • Analytics / marketing — we do not currently use analytics, advertising, or tracking cookies. If that changes, we will obtain consent first where required.

13. Data retention

  • Account data — retained while your account is active.
  • Your Content — retained until you delete it or close your account. Deleted items are removed from live systems within 30 days and from encrypted backups on our normal rotation cycle (typically within 90 days).
  • Billing records — retained for up to 7 years to meet Canadian tax and accounting obligations.
  • Security & audit logs — retained for up to 12 months for abuse-prevention and incident-response.
  • Refresh tokens — auto-expired and purged; revoked tokens pruned on logout.

14. Security

We apply reasonable technical and organisational measures appropriate to the risk, including TLS in transit, encrypted storage for sensitive fields, BCrypt hashing of credentials, JWT access tokens with short expiry, CSRF anti-forgery, rate-limiting, role-based access control, audit logging, and least-privilege access for personnel. No system is perfectly secure; you use the Service at your own risk.

15. Breach notification

If a personal-data breach is reasonably likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay, and in any case within 72 hours of our becoming aware of it (or within the period required by applicable law, whichever is shorter). Notification will be by email to the address on your account and/or an in-app notice.

16. Automated decision-making & profiling

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. AI outputs are suggestions; you decide whether and how to use them. See our Disclaimer.

17. “Do Not Track” signals

Because web browsers handle “Do Not Track” signals inconsistently, our Service does not respond to them. We do not track users across third-party services.

18. Changes to this Policy

We may update this Privacy Policy from time to time. If a change is material, we will notify you by email or an in-app notice before it takes effect. The “Effective date” above indicates when this policy was last revised.

19. Contact

Privacy Officer & data requests: privacy@cinaptixai.com
Security reports: security@cinaptixai.com
Legal notices: legal@cinaptixai.com