Privacy Policy

aswritten.ai, operated by Synthetic Identity Co. (“SIC”), a Delaware corporation Effective Date: May 8, 2026

1. Introduction

aswritten.ai is a platform for installing curated organizational expertise into AI tools, with provenance — the structured representation of an organization’s knowledge (“a Perspective”) that any MCP-compatible AI tool can consult and that AI agents can be deployed against. The Platform is operated by Synthetic Identity Co. (“SIC,” “we,” “us,” or “our”). Setup, perspective construction, channel provisioning, and operator training for engagement-grade deployments are performed by Penny and Damed Inc. (“PnD”), a New York S-corporation, as a subcontractor to SIC.

This Privacy Policy describes how we collect, use, store, and share information when you use the Platform — whether through self-serve plans on aswritten.ai or as a Customer under a Master Services Agreement (MSA).

Relationship to the MSA. For Customers under a Master Services Agreement with SIC, the MSA and any applicable Data Processing Addendum supersede this Privacy Policy where they conflict. This Privacy Policy continues to describe the Platform’s standard data-handling posture and remains the public reference.

By using the Platform, you agree to the collection and use of information in accordance with this policy.

2. Who This Policy Covers

This policy applies to anyone who interacts with the Platform in any of the following roles:

Subscribers — paid users (or organizations) who construct, maintain, and consult a Perspective. Includes Free, Expert, Team, and Organization (engagement-grade) tiers, and MSA-covered Customers.
Operators — designated personnel within a Subscriber organization who supervise deployed-agent conversations through the operator interface, intervene where judgment is required, and update the Perspective.
Recipients — individuals who interact with a Subscriber’s deployed AI agent through a communication channel (SMS, email, Slack, or others as supported).
Visitors — anyone visiting our website (aswritten.ai) without an account.

3. The Data Architecture (Plain English)

aswritten’s privacy posture rests on architectural design more than on policy commitments. Three primitives:

The Platform does not receive — or have access to — source materials. Source artifacts — transcripts, documents, voice memos, recordings, internal tickets, meeting notes — are processed by your own AI tooling, operating under your existing agreements with AI providers, and we never connect to the systems where they live. Only the structured, refined memory content you approve is committed to a Perspective and submitted to the Platform.
Your repository is the canonical Perspective; our server-side caches are derived. A Perspective is stored as structured artifacts (memories, claims, transactions, snapshots) in a git repository — either a SIC-Managed Repository (Free, Expert, Team default) or your own GitHub, GitHub Enterprise Server, or supported equivalent (Team and engagement-grade). Where you connect your own infrastructure, the canonical data resides there at all times; we read and write via API and lose access on termination. We also maintain server-side artifacts derived from your canonical Perspective in our managed Postgres — primarily a compiled-snapshot perspective cache (LRU), share bundles, and eval capture — alongside server logs and error payloads on a bounded retention window. These derived artifacts are not the source of truth and are itemized in Section 9.
Inference uses zero-data-retention providers, and we do not train on your content. All third-party LLM inference subprocessors operate under zero-data-retention (ZDR) policies — they do not retain inputs, outputs, or other content beyond the inference call itself. Current ZDR terms are available on request.

The remainder of this policy describes how this architecture interacts with specific information categories. The Trust & Security Overview at /legal/trust/ summarizes the architecture together with the input-side and output-side trust mechanisms (your repository as the gate for what enters your Perspective; the review, cite, and Front operator interfaces for what leaves it) in plain English.

4. Information We Collect

4.1 Information You Provide

Account Information. Name, email, account-management metadata at signup. Billing information is collected and stored by our payment processor (Outseta); we do not store payment-card details.
Refined Memory Content. Structured memories you (or your AI tooling under your control) submit to the Platform via the MCP interface or web admin.
Perspective Configuration. Tier selection, repository connections, deployment configuration (channels, goals, escalation criteria) for any agents you deploy.
Recipient Messages (where deployed agents are in use). Content of messages sent by Recipients to a deployed agent on a channel you have provisioned, together with the Recipient’s phone number, email address, or platform user identifier as applicable.

4.2 Information Collected Automatically

Usage Data. API calls, tool invocations, session metadata.
Operational Telemetry. Server logs (IP, request times, referring URLs), error tracking payloads, workflow execution logs. Retained per our standard operational schedule.
Channel Metadata. Message timestamps, delivery status, carrier and platform metadata where messaging channels are in use.

4.3 Information from Third Parties

Authentication and Billing. From Outseta (auth, billing, account management).
Code Hosting. From GitHub for Customer-connected repositories or Managed Repositories (read/write per Customer-granted scope).
Channel Providers. Conversation content and delivery metadata from Front (channel layer) and the underlying providers Front routes to (Twilio for SMS, SMTP for email, Slack).
Inference Providers. Aggregate usage data from OpenRouter (LLM gateway) and observability tooling.

5. How We Use Information

We use the information we collect to:

Provide, maintain, and improve the Platform
Compile Perspectives from refined memory content and return Platform outputs that cite their sources
Route messages between Recipients and deployed agents
Allow Operators to observe, draft, and intervene in deployed-agent conversations
Process subscription payments and billing
Send transactional notifications (account, billing, agent activity requiring review)
Run evaluations and quality measurement against Platform behavior
Derive aggregated, anonymized, or de-identified usage metrics, structural observations, and statistical insights, which we may use to inform our ontology, features, and communications
Detect and prevent fraud, abuse, and security issues
Comply with legal obligations

6. No Training on Customer Content

We do not use Customer Materials, Customer Perspective Data, or Managed Repository Content to train, fine-tune, re-train, or otherwise update the weights, parameters, or embeddings of any machine-learning model — whether ours or any third party’s — except for:

Creating embeddings, indexes, or similar derived representations of your own content to support the Services we provide to you (e.g., retrieval in support of your own deployed agents); and
As you expressly authorize in writing.

This commitment extends to all subprocessors processing Customer content under our control.

We do not sell personal information. We share information only as follows:

7.1 With Operators You Designate

When you interact with a deployed AI agent as a Recipient, the content of your messages and your contact identifier are visible to the Operators that the deploying Subscriber has designated. The agent identifies itself as AI and names the principal it is operating on behalf of.

7.2 With Subprocessors

Current production subprocessors:

Subprocessor	Purpose
Outseta	Authentication front door, billing
GitHub	Customer-connected repositories and Managed Repositories — the customer-side knowledge graph lives here
OpenRouter	LLM inference gateway (ZDR-only)
DigitalOcean	Platform hosting (managed Postgres, container hosting). Postgres-backed operational stores include the compiled-snapshot perspective cache, share bundles, eval capture, and internal user/account/auth/repo-connection records (modeled via Datomic)
Datomic	Internal data layer over our managed Postgres backend for user, account, auth, OAuth-token, and repo-connection records. The customer-side knowledge graph is not stored here.
Front	Channel layer for deployed agents (operator interface, draft mode, override)
Twilio (via Front)	SMS provisioning and messaging
SMTP and Slack (via Front)	Email and Slack channel transport
Sentry	Centralized logging and error tracking — broader operational logging beyond errors (integration in progress; not yet active in production)
Helicone	LLM observability and monitoring (currently inactive; may be re-enabled)
Discord	Operational alerting webhook for the SIC operations team

We update this list with reasonable notice. For MSA-covered Customers, the MSA and Schedule B govern subprocessor changes; the public list is provided for visibility.

7.3 With Inference Providers (ZDR Only)

Refined memory content, perspective queries, and conversation content are processed by third-party LLM inference services to generate responses and Platform-internal artifacts. All such providers operate under zero-data-retention (ZDR) policies — they do not retain content beyond the inference call. We do not use your content to train AI models.

7.4 For Legal Reasons

We may disclose information if required by law, regulation, legal process, or governmental request, with reasonable prior notice to you where legally permitted.

7.5 In Business Transfers

In a merger, acquisition, or sale of assets, your information may transfer as part of that transaction, subject to substantively equivalent commitments by the successor.

8. Source Privacy and Citation

Subscribers’ source memories — the structured representation of their organizational expertise — are not exposed to other Subscribers, Operators outside the deploying Subscriber, or Recipients. What is exposed:

To Recipients of deployed agents: the agent’s response, with citations linking each material claim to the underlying memory and actor where the deploying Subscriber has elected to surface that provenance.
To Subscribers consulting another Subscriber’s shared Perspective: the compiled Perspective — claims, structured knowledge, and citations — not the underlying source memories.

The compilation step is non-reversible: a compiled Perspective does not allow recovery of the source memories or the artifacts those memories were derived from.

9. Storage and Retention

9.1 Customer Perspective Data

Customer Perspective Data resides on infrastructure the Subscriber elects to connect (Customer-controlled repositories) or in a SIC-Managed Repository, depending on plan. For Customer-controlled infrastructure, data persists according to the Subscriber’s own retention practices; we lose access on termination. For Managed Repositories, content remains while the subscription is active and is exportable at any time during the term and for thirty (30) days following termination, after which we delete from production systems within sixty (60) days, subject to ordinary-course backup-retention rotation.

9.2 Source Materials

Not received or retained by the Platform.

9.3 Operational Caches and Logs

We retain certain operational artifacts for internal operational purposes:

Compiled-snapshot perspective cache in our managed Postgres — performance cache of compiled Perspective outputs (LRU)
Share bundles in our managed Postgres — materialized perspective shares for cross-account distribution
Eval capture — captured Agent invocations for evaluation and quality measurement
Operational logs and error payloads — server logs, workflow execution logs, and error tracking, retained on a bounded operational window (typical configuration: approximately 30 days for server logs and error payloads, longer for billing and authentication metadata)
Internal user, account, auth, and repo-connection records — retained for the term of your subscription
Authentication, configuration, and billing metadata — retained for the term of your subscription, deleted within sixty (60) days of termination except as persists in ordinary-course backups

These artifacts are retained on our standard operational schedule and are deleted in our ordinary cycle, except as persists in ordinary-course backups. We do not warrant a specific retention period for operational caches and logs in the standard offering beyond what is described here.

For Subscribers requiring specific retention windows, customer-controlled deletion, or elimination of operational caches entirely, Enhanced Deployment Options under an SOW allow these to be configured (single-tenant managed deployment, on-premises deployment, customer-controlled storage, or customer-accessible operational logs).

9.4 Recipient Conversation Data

Conversations with deployed agents are stored within the deploying Subscriber’s dedicated channel-provider workspace (Front inbox; for engagement-grade enterprise deployments, a Customer-dedicated Twilio sub-account in addition). Retention follows the Subscriber’s configuration of those tools.

9.5 Transmission and Encryption

We use TLS (HTTPS) encryption for all customer-facing data in transit, with certificates managed via Let’s Encrypt at our reverse-proxy edge. Internal service-to-service traffic within our hosting environment runs on a private virtual network in line with standard cloud-platform practice. Encryption at rest applies to managed services per cloud-provider defaults (DigitalOcean managed Postgres, GitHub repository storage). Customer-managed encryption keys are not part of the standard offering; Subscribers requiring end-to-end customer control of encryption keys should scope an on-premises deployment under an SOW.

10. Engagement-Grade (MSA) Customers

Subscribers under a Master Services Agreement receive engagement-grade service that may include:

A managed pilot phase (“POC”) on the Team tier, focused on Perspective construction and validation
An enterprise phase with channel provisioning (Customer-dedicated Front inbox; Customer-dedicated Twilio sub-account, with A2P 10DLC registration under your brand), operator training, ongoing operation, and a 98.0% monthly availability target
Optional Enhanced Deployment Options — single-tenant managed deployment, on-premises deployment, customer-managed inference (alternative inference gateways such as Azure OpenAI or Vertex AI, in conjunction with single-tenant or on-prem), customer-controlled storage (including GitHub Enterprise Server and equivalents), enhanced data-residency commitments, customer-accessible operational logs, reduced subprocessor reliance, enhanced observability and monitoring (organization-specific output verification, policy-adherence monitoring, custom escalation chains, tailored review interfaces), and regulatory-compliance add-ons

For MSA-covered Customers, the MSA, applicable SOW, and any invoked Schedules (including Schedule E — Data Processing Addendum, where EU personal data is materially processed) govern. This Privacy Policy continues to describe the Platform’s standard architecture and data-handling posture.

11. SMS and Other Messaging

Where a Subscriber deploys an AI agent on SMS or another messaging channel, the Recipient interacts with that agent as follows:

Consent. You consent to receive messages by initiating a conversation (texting a deployed number, replying to a deployed email address, or messaging a deployed bot in your workspace) or by submitting a web form that discloses that a message will be sent.
AI Disclosure. The first message you receive identifies the agent as AI and names the principal it is operating on behalf of.
Frequency. Varies based on conversation activity.
Carrier Charges. Message and data rates may apply.
Opt-Out. Reply STOP to opt out at any time. Reply START to resume.
Help. Reply HELP, or contact us at support@aswritten.ai.

We will not share your phone number with third parties for marketing purposes.

12. Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal information we hold about you
Correct inaccurate information
Delete your personal information
Object to or restrict processing
Port your data
Withdraw consent at any time

To exercise these rights, contact us at legal@aswritten.ai. We respond within thirty (30) days or as required by applicable law.

13. International Transfers and EU/UK/Swiss Personal Data

Where the Platform is used to process personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or the Swiss FADP, the Subscriber is the data controller and SIC is a processor. For MSA-covered Customers with material EU/UK/Swiss data processing, our Data Processing Addendum (Schedule E to the MSA) applies, including Article 28 processor obligations and Standard Contractual Clauses for cross-border transfers where applicable. Self-serve Subscribers processing such data should contact us at legal@aswritten.ai before relying on the Platform for that processing.

14. Security Incident Notification

If we become aware of a security incident materially affecting your Customer Perspective Data or Customer Confidential Information held by us, we will notify you without undue delay — and within seventy-two (72) hours where required by applicable law — provide reasonable information about the incident as then available, and cooperate with your incident response.

15. Children’s Privacy

The Platform is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have, contact us at legal@aswritten.ai.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting an updated policy and updating the effective date; for MSA-covered Customers, additional notice procedures may apply per the MSA. Continued use after the effective date of an update constitutes acceptance.

17. Contact

Synthetic Identity Co. (operating aswritten.ai) Email: legal@aswritten.ai Notices: 271 W Harvey St, Philadelphia, PA 19144 Website: https://aswritten.ai