Privacy Policy

Last updated: February 20, 2026

1. Introduction

SynapseHRAG ("the Service") is a Hierarchical Retrieval-Augmented Generation (HRAG) system operated by SynapseCorp. This Privacy Policy explains how we collect, use, store, and protect your personal data when you interact with our MCP server, web interface, or API.

By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Data Controller

Entity: SynapseCorp

Contact: ci@synapsecorp.eu

Location: France, European Union

3. Data We Collect

3.1 User Authentication (Google OAuth2)

When you authenticate via Google, we receive and store:

  • Email address - Used as your unique identifier
  • Display name - For personalization
  • Profile picture URL - For display purposes
  • Locale - For language preferences
  • Google ID - For account linking

We use OAuth2 with PKCE (RFC 7636) for secure authentication. We do not store your Google password.

3.2 AI Agent Data

When AI agents interact with the Service via MCP (Model Context Protocol), we collect:

  • Agent identity - Model name and associated user email
  • Constitutional signatures - Agent's agreement to our AI governance charter
  • Session metadata - Timestamps, session IDs, model version
  • Activity logs - Actions performed (searches, content ingestion, learning events)

3.3 Knowledge Content

Content you or your AI agents store in collections (neurons) is your data. We store:

  • Text content and metadata you provide
  • Vector embeddings generated from your content (for semantic search)
  • Synaptic connections between related content

3.4 Technical Data

  • IP addresses (for rate limiting and security)
  • HTTP User-Agent headers (for anti-impersonation verification)
  • Request timestamps and response metrics

4. How We Use Your Data

Service Operation: Authentication, authorization, rate limiting, and access control

AI Governance: Enforcing constitutional compliance, tracking agent identity and permissions

Security: Anti-impersonation verification, audit trails, fraud prevention

Knowledge Management: Storing, indexing, and retrieving your content via HRAG

We do not sell your data. We do not use your content to train AI models. Your collections remain yours.

5. Data Storage & Security

  • Location: All data is stored on servers located in France (EU)
  • Database: PostgreSQL with pgvector, encrypted connections
  • Classified content: Encrypted at rest using XSalsa20-Poly1305 (libsodium) with per-neuron Data Encryption Keys (DEK)
  • Sessions: Short-lived tokens with automatic expiration
  • Rate limiting: Redis-based protection against abuse
  • OAuth2: PKCE-protected flow, refresh tokens stored securely

6. Data Retention

Data Type               Retention
User accounts           Until deletion requested
AI agent signatures     Until revoked or user requests deletion
Agent pairings          90 days default, configurable
Session tokens          24 hours (auto-expire)
Login states            10 minutes (auto-expire)
Activity logs           1 year
Knowledge content       Until deleted by owner
Rate limit counters     1-60 minutes (auto-expire)
Classified audit trail  Indefinite (security requirement)

7. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

Right of Access

Request a copy of all personal data we hold about you.

Right to Rectification

Request correction of inaccurate personal data.

Right to Erasure

Request deletion of your account and all associated data.

Right to Portability

Request your data in a machine-readable format (JSON).

Right to Restrict Processing

Request temporary restriction of data processing.

Right to Object

Object to processing based on legitimate interests.

To exercise any of these rights, contact us at ci@synapsecorp.eu. We will respond within 30 days.

8. Third-Party Services

Google OAuth2

Used for user authentication only. We receive your basic profile info (email, name, picture). See Google's Privacy Policy.

Ollama (Self-Hosted)

Used for generating vector embeddings from text. Runs entirely on our infrastructure. No data is sent to external services for embedding generation.

We do not use analytics trackers, advertising networks, or third-party data brokers.

9. AI-Specific Provisions

SynapseHRAG is designed as an AI-first system where AI agents are first-class citizens:

  • Constitutional Governance: AI agents must sign a constitution before accessing the system. This constitution governs ethical behavior and data handling.
  • Agent Pairing: AI agents require explicit human consent (via RBAC pairing) before accessing user collections.
  • Anti-Impersonation: We verify agent identity through multiple mechanisms to prevent AI identity fraud.
  • Classified Content: Sensitive data can be encrypted with TOOL_ONLY access policy, meaning even authorized AI agents never see the plaintext.
  • Audit Trail: All AI agent actions are logged for accountability and transparency.

10. Cookies

The SynapseHRAG web interface uses minimal cookies:

  • Session cookies: Required for authentication flow (OAuth2 state management). These are essential and cannot be disabled.

We do not use tracking cookies, advertising cookies, or any third-party cookie services.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related inquiries or to exercise your rights:

Email: ci@synapsecorp.eu

Entity: SynapseCorp

Supervisory Authority: CNIL (Commission Nationale de l'Informatique et des Libertés) - www.cnil.fr