Privacy Policy

aswritten.ai, operated by Synthetic Identity Co. (“SIC”), a Delaware corporation Effective Date: June 12, 2026

1. Introduction

aswritten.ai is a platform for installing curated organizational expertise into AI tools, with provenance — the structured representation of an organization’s knowledge (“a Perspective”) that any MCP-compatible AI tool can consult and that AI agents can be deployed against. The Platform is operated by Synthetic Identity Co. (“SIC,” “we,” “us,” or “our”). Setup, perspective construction, channel provisioning, and operator training for engagement-grade deployments are performed by Penny and Damed Inc. (“PnD”), a New York S-corporation, as a subcontractor to SIC.

This Privacy Policy describes how we collect, use, store, and share information when you use the Platform — whether through self-serve plans on aswritten.ai or as a Customer under a Master Services Agreement (MSA).

Relationship to the MSA. For Customers under a Master Services Agreement with SIC, the MSA and any applicable Data Processing Addendum supersede this Privacy Policy where they conflict. This Privacy Policy continues to describe the Platform’s standard data-handling posture and remains the public reference.

By using the Platform, you agree to the collection and use of information in accordance with this policy.

2. Who This Policy Covers

This policy applies to anyone who interacts with the Platform in any of the following roles:

  • Subscribers — paid users (or organizations) who construct, maintain, and consult a Perspective. Includes Free, Expert, Team, and Organization (engagement-grade) tiers, and MSA-covered Customers.
  • Operators — designated personnel within a Subscriber organization who supervise deployed-agent conversations through the operator interface, intervene where judgment is required, and update the Perspective.
  • Recipients — individuals who interact with a Subscriber’s deployed AI agent through a communication channel (SMS, email, Slack, or others as supported).
  • Visitors — anyone visiting our website (aswritten.ai) without an account.

3. The Data Architecture (Plain English)

aswritten’s privacy posture rests on architectural design more than on policy commitments. Three primitives:

  1. The Platform does not receive — or have access to — source materials. Source artifacts — transcripts, documents, voice memos, recordings, internal tickets, meeting notes — are processed by your own AI tooling, operating under your existing agreements with AI providers, and we never connect to the systems where they live. Only the structured, refined memory content you approve is committed to a Perspective and submitted to the Platform.
  2. Your repository is the canonical Perspective; our server-side caches are derived. A Perspective is stored as structured artifacts (memories, claims, transactions, snapshots) in a git repository — either a SIC-Managed Repository (Free, Expert, Team default) or your own GitHub, GitHub Enterprise Server, or supported equivalent (Team and engagement-grade). Where you connect your own infrastructure, the canonical data resides there at all times; we read and write via API and lose access on termination. We also maintain server-side artifacts derived from or referencing your canonical Perspective in our managed Postgres — the compiled-snapshot perspective cache (7-day LRU), share records (pointer-only: owner, repo, branch/SHA, directory, recipient metadata — no materialized content), and (where enabled) eval capture (pointer-only: pointers to memory and transaction files in your repository plus result metrics — no Customer content) — alongside execution logs (14-day n8n default) and the internal Datomic-backed records that track your account, auth, and repo connections. These derived artifacts are not the source of truth and are itemized in Section 9. Share records and eval pointers depend on continued repository access — if you disconnect the repository, the underlying content becomes inaccessible from SIC’s records. All such Customer-derived data within SIC’s control stays inside our DigitalOcean infrastructure; the only outbound data flow from our environment is to LLM inference providers, routed through OpenRouter (Section 7.3).
  3. Inference is transient and third-party, and we do not train on your content. We do not store your content to serve inference — by architecture, model calls carry your content out only for the duration of the request. Inference itself is performed by third-party model providers, routed through OpenRouter, and the providers serving a given request process its content under their own data policies. We restrict routing to endpoints that do not train on request data. If you require zero-data-retention (ZDR) inference, you have two options: supply your own OpenRouter API key, so inference runs under your OpenRouter account and the provider and data-policy restrictions you configure there (including ZDR-only routing); or enter a Master Services Agreement, under which ZDR-only routing is a contractual commitment (Section 10).

The remainder of this policy describes how this architecture interacts with specific information categories. The Trust & Security Overview at /legal/trust/ summarizes the architecture together with the input-side and output-side trust mechanisms (your repository as the gate for what enters your Perspective; the review, cite, and Front operator interfaces for what leaves it) in plain English.

4. Information We Collect

We collect and process only the personal information that is reasonably necessary, adequate, and relevant to achieve the purposes set forth in this policy. We do not collect personal information that is excessive in relation to these purposes.

4.1 Information You Provide

  • Account Information. Name, email, account-management metadata at signup. Billing information is collected and stored by our payment processor (Outseta); we do not store payment-card details.
  • Refined Memory Content. Structured memories you (or your AI tooling under your control) submit to the Platform via the MCP interface or web admin.
  • Perspective Configuration. Tier selection, repository connections, deployment configuration (channels, goals, escalation criteria) for any agents you deploy.
  • Recipient Messages (where deployed agents are in use). Content of messages sent by Recipients to a deployed agent on a channel you have provisioned, together with the Recipient’s phone number, email address, or platform user identifier as applicable.

4.2 Information Collected Automatically

  • Usage Data. API calls, tool invocations, session metadata.
  • Operational Telemetry. Server logs (IP, request times, referring URLs) and workflow execution logs (including error context). Retained per the service-specific schedules in Section 9.
  • Channel Metadata. Message timestamps, delivery status, carrier and platform metadata where messaging channels are in use.

4.3 Information from Third Parties

  • Authentication and Billing. From Outseta (auth, billing, account management).
  • Code Hosting. From GitHub for Customer-connected repositories or Managed Repositories (read/write per Customer-granted scope).
  • Channel Providers. Conversation content and delivery metadata from Front (channel layer) and the underlying providers Front routes to (Twilio for SMS, SMTP for email, Slack).
  • Inference Providers. Aggregate usage data from OpenRouter (LLM gateway).

5. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve the Platform and our obligations pursuant to an MSA
  • Compile Perspectives from refined memory content and return Platform outputs that cite their sources
  • Route messages between Recipients and deployed agents
  • Allow Operators to observe, draft, and intervene in deployed-agent conversations
  • Process subscription payments and billing
  • Send transactional notifications (account, billing, agent activity requiring review)
  • Run evaluations and quality measurement against Platform behavior
  • Derive aggregated, anonymized, or de-identified usage metrics, structural observations, and statistical insights, which we may use to inform our ontology, features, and communications
  • Improve our services
  • Detect and prevent fraud, abuse, and security issues
  • Comply with legal obligations and mandatory government requests

6. No Training on Customer Content

We do not use Customer Materials, Customer Perspective Data, or Managed Repository Content to train, fine-tune, re-train, or otherwise update the weights, parameters, or embeddings of any machine-learning model — whether ours or any third party’s — except for:

  • Creating embeddings, indexes, or similar derived representations of your own content to support the Services we provide to you (e.g., retrieval in support of your own deployed agents); and
  • As you expressly authorize in writing.

This commitment extends to all subprocessors processing Customer content under our control.

7. How We Share Information

We do not sell personal information. We share information only as follows:

7.1 With Operators You Designate

When you interact with a deployed AI agent as a Recipient, the content of your messages and your contact identifier are visible to the Operators that the deploying Subscriber has designated. The agent identifies itself as AI and names the principal it is operating on behalf of.

7.2 With Subprocessors

Current production subprocessors:

Subprocessor Purpose
Outseta Authentication front door, billing
GitHub Customer-connected repositories and Managed Repositories — the customer-side knowledge graph lives here
OpenRouter LLM inference gateway (routing posture per Section 7.3)
DigitalOcean Platform hosting (managed Postgres, container hosting, log storage). Postgres-backed operational stores include the compiled-snapshot perspective cache, share records (pointer-only), eval capture (where enabled; pointer-only), and internal user/account/auth/repo-connection records (modeled via Datomic); execution logs from self-hosted services
Datomic Internal data layer over our managed Postgres backend for user, account, auth, OAuth-token, and repo-connection records. The customer-side knowledge graph is not stored here.
Front Channel layer for deployed agents (operator interface, draft mode, override)
Twilio (via Front) SMS provisioning and messaging
SMTP and Slack (via Front) Email and Slack channel transport

We update this list with reasonable notice. For MSA-covered Customers, the MSA and Schedule B govern subprocessor changes; the public list is provided for visibility.

7.3 With Inference Providers

Refined memory content, perspective queries, and conversation content are processed by third-party LLM inference services to generate responses and Platform-internal artifacts. We route inference through OpenRouter; the providers serving a given request process its content transiently under their own data policies. We restrict routing to endpoints that do not train on request data, and we do not use your content to train AI models (Section 6).

If you require zero-data-retention (ZDR) inference: supply your own OpenRouter API key, so inference runs under your OpenRouter account and the data-policy restrictions you configure there (including ZDR-only routing); or enter a Master Services Agreement, under which ZDR-only routing is a contractual commitment.

We may disclose information if required by law, regulation, legal process, or governmental request, with reasonable prior notice to you where legally permitted.

7.5 In Business Transfers

In a merger, acquisition, or sale of assets, your information may transfer as part of that transaction, subject to substantively equivalent commitments by the successor.

8. Source Privacy and Citation

Subscribers’ source memories — the structured representation of their organizational expertise — are not exposed to other Subscribers, Operators outside the deploying Subscriber, or Recipients. What is exposed:

  • To Recipients of deployed agents: the agent’s response, with citations linking each material claim to the underlying memory and actor where the deploying Subscriber has elected to surface that provenance.
  • To Subscribers consulting another Subscriber’s shared Perspective: the compiled Perspective — claims, structured knowledge, and citations — not the underlying source memories.

The compilation step is non-reversible: a compiled Perspective does not allow recovery of the source memories or the artifacts those memories were derived from.

9. Storage and Retention

9.1 Customer Perspective Data

Customer Perspective Data resides on infrastructure the Subscriber elects to connect (Customer-controlled repositories) or in a SIC-Managed Repository, depending on plan. For Customer-controlled infrastructure, data persists according to the Subscriber’s own retention practices; we lose access on termination. For Managed Repositories, content remains while the subscription is active and is exportable at any time during the term and for thirty (30) days following termination, after which we delete from production systems within sixty (60) days, subject to ordinary-course backup-retention rotation.

9.2 Source Materials

Not received or retained by the Platform.

9.3 Operational Caches and Logs

We retain certain operational artifacts for internal operational purposes, all on SIC-controlled DigitalOcean infrastructure:

  • Compiled-snapshot perspective cache in our managed Postgres — 7-day LRU, rebuildable from your repository content
  • Share records in our managed Postgres — permission grants referencing your repository (owner, repo, branch/SHA, directory) plus recipient metadata. Underlying compiled content is rebuilt on demand at share-consume time and flows through the snapshot cache above; not persistently stored as a share-specific copy of Customer content. Share-record pointers depend on continued repository access — if you disconnect the repository, the underlying content becomes inaccessible from the share record
  • Eval capture (where enabled) — captured Agent invocations recorded as pointers to memory and transaction files in your repository (owner, repo, commit SHA, path) plus result metrics. No Customer content is persisted in the eval table. Like share records, eval pointers depend on continued repository access — they become unresolvable from SIC’s records once the repository is disconnected
  • Execution logs — n8n self-hosted workflow execution data; retained at the n8n default (14 days), configurable per environment
  • Internal user, account, auth, OAuth-token, and repo-connection records (modeled via Datomic over Postgres) — retained for the term of your subscription
  • Authentication, configuration, and billing metadata — retained for the term of your subscription, deleted within sixty (60) days of termination except as persists in ordinary-course backups

These artifacts are retained on our standard operational schedule and are deleted in our ordinary cycle, except as persists in ordinary-course backups. We do not warrant a specific retention period for operational caches and logs in the standard offering beyond what is described here.

On authenticated platform credentials. Separately from the artifacts above, SIC holds authenticated credentials — including the GitHub App private key used to mint installation access tokens for Customer-connected repositories — that grant SIC the permissions Customer authorized at install. These credentials are currently stored as environment variables on SIC-controlled DigitalOcean infrastructure (protected by the cloud provider’s transparent block-storage encryption at rest; not application-level encrypted or HSM-protected in the standard offering today). SIC disclaims any liability arising from third-party providers’ acts or omissions, including any compromise of a cloud provider’s encryption. Customer may revoke the installation at any time from the GitHub user interface; SIC’s incident-notification obligation (within 72 hours of becoming aware) applies; on-premises deployment under Enhanced Deployment Options provides credential isolation from SIC operators end-to-end.

For Subscribers requiring elimination of server-side caches entirely, customer-accessible operational logs, or a Platform instance configured for zero data retention, Enhanced Deployment Options under an SOW allow these to be configured (single-tenant managed deployment, Zero-data-retention deployment, on-premises deployment, customer-controlled storage, customer-accessible operational logs, or eval capture disable).

9.4 Recipient Conversation Data

Conversations with deployed agents are stored within the deploying Subscriber’s dedicated channel-provider workspace (Front inbox; for engagement-grade enterprise deployments, a Customer-dedicated Twilio sub-account in addition). Retention follows the Subscriber’s configuration of those tools.

9.5 Transmission and Encryption

We use TLS (HTTPS) encryption for all customer-facing data in transit, with certificates managed via Let’s Encrypt at our reverse-proxy edge. Internal service-to-service traffic within our hosting environment runs on a private virtual network in line with standard cloud-platform practice. Encryption at rest applies to managed services per cloud-provider defaults (DigitalOcean managed Postgres, GitHub repository storage). Customer-managed encryption keys are not part of the standard offering; Subscribers requiring end-to-end customer control of encryption keys should scope an on-premises deployment under an SOW.

10. Engagement-Grade (MSA) Customers

Subscribers under a Master Services Agreement receive engagement-grade service that may include:

  • A managed pilot phase (“POC”) on the Team tier, focused on Perspective construction and validation
  • An enterprise phase with channel provisioning (Customer-dedicated Front inbox; Customer-dedicated Twilio sub-account, with A2P 10DLC registration under your brand), operator training, ongoing operation, and a 98.0% monthly availability target
  • Optional Enhanced Deployment Options — single-tenant managed deployment, Zero-data-retention deployment (Customer routed to a Platform instance with n8n execution-data persistence disabled, compiled-snapshot perspective cache disabled, and pointer-only application logs; available as shared ZDR pool or Customer-dedicated single-tenant), on-premises deployment, zero-data-retention inference routing (inference restricted to ZDR-qualified endpoints as a contractual commitment), customer-managed inference (alternative inference gateways such as Azure OpenAI or Vertex AI, in conjunction with single-tenant or on-prem), customer-controlled storage (including GitHub Enterprise Server and equivalents), customer-accessible operational logs, eval capture disable, enhanced data-residency commitments, reduced subprocessor reliance, enhanced observability and monitoring (organization-specific output verification, policy-adherence monitoring, custom escalation chains, tailored review interfaces), and regulatory-compliance add-ons

For MSA-covered Customers, the MSA, applicable SOW, and any invoked Schedules (including Schedule E — Data Processing Addendum, where EU personal data is materially processed) govern. This Privacy Policy continues to describe the Platform’s standard architecture and data-handling posture.

11. SMS and Other Messaging

Where a Subscriber deploys an AI agent on SMS or another messaging channel, the Recipient interacts with that agent as follows:

  • Consent. You consent to receive messages by initiating a conversation (texting a deployed number, replying to a deployed email address, or messaging a deployed bot in your workspace) or by submitting a web form that discloses that a message will be sent.
  • AI Disclosure. The first message you receive identifies the agent as AI and names the principal it is operating on behalf of.
  • Frequency. Varies based on conversation activity.
  • Carrier Charges. Message and data rates may apply.
  • Opt-Out. Reply STOP to opt out at any time. Reply START to resume.
  • Help. Reply HELP, or contact us at support@aswritten.ai.

We will not share your phone number with third parties for marketing purposes.

12. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you. You may confirm whether we process your personal information and access a copy of the personal information we process.
  • Correct inaccurate information. You may request that we correct inaccuracies in your personal information that we maintain, taking into account the information’s nature and processing purpose.
  • Delete your personal information. You may request that we delete personal information about you that we maintain, subject to certain exceptions under applicable law.
  • Object to or restrict processing.
  • Port your data. To the extent feasible, data will be provided in a portable format. Depending on your state, you may have the right to receive additional information and it will be included in the response to your access request.
  • Withdraw consent at any time.

To exercise these rights, contact us at legal@aswritten.ai. We respond within thirty (30) days or as required by applicable law. To appeal a decision regarding a consumer rights request, please contact us at legal@aswritten.ai with “Appeal” in the subject line.

California Residents

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). This section provides information about those rights and how to exercise them.

We do not collect sensitive personal information as defined by the CCPA (such as Social Security numbers, driver’s license numbers, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric information for identification purposes, health information, or sex life or sexual orientation information).

See Section 4 above identifying the categories of personal information that we collect and the sources of personal information we collect, Section 5 regarding our use of personal information, Section 7 regarding our disclosure of personal information, and Section 9 regarding our storage of personal information.

Some browsers include a “Do Not Track” (DNT) setting. Because there is not yet a common understanding of how to interpret the DNT signal, our Platform does not currently respond to browser DNT signals. Instead, you can use the range of other tools to control data collection and use, including the rights described in this section.

You may exercise the following rights as noted above:

  • Right to Delete: You have the right to request that we delete personal information we collected from you, subject to certain exceptions set forth in this policy.
  • Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to Opt-Out: While we do not currently sell personal information or share it for cross-context behavioral advertising, if our practices change, you will have the right to opt out of such sales or sharing.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA privacy rights.

13. International Transfers and EU/UK/Swiss Personal Data

Where the Platform is used to process personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or the Swiss FADP, the Subscriber is the data controller and SIC is a processor. For MSA-covered Customers with material EU/UK/Swiss data processing, our Data Processing Addendum (Schedule E to the MSA) applies, including Article 28 processor obligations and Standard Contractual Clauses for cross-border transfers where applicable. Self-serve Subscribers processing such data should contact us at legal@aswritten.ai before relying on the Platform for that processing.

14. Security Incident Notification

If we become aware of a security incident materially affecting your Customer Perspective Data or Customer Confidential Information held by us, we will notify you without undue delay — and within seventy-two (72) hours where required by applicable law — provide reasonable information about the incident as then available, and cooperate with your incident response.

15. Children’s Privacy

The Platform is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have, contact us at legal@aswritten.ai.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting an updated policy and updating the effective date; for MSA-covered Customers, additional notice procedures may apply per the MSA. Continued use after the effective date of an update constitutes acceptance.

17. Contact

Synthetic Identity Co. (operating aswritten.ai) Email: legal@aswritten.ai Website: https://aswritten.ai

© 2026 Synthetic Identity Co. d/b/a Aswritten.ai · Privacy · Terms · Trust · aswritten.ai
This site uses Just the Docs, a documentation theme for Jekyll.