LEGAL
CCPA
Last Updated
CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
AND CALIFORNIA PRIVACY RIGHTS ACT (CPRA)
Privacy Notice v3.0
Syntari AI, Inc.
855 Boylston Street, Suite 1000
Boston, MA 02116
Effective Date: February 23, 2026
Introduction
This Privacy Notice ("Notice") applies to consumers in the State of California and describes how Syntari AI, Inc. ("Company," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information in connection with our artificial intelligence-powered management consulting platform for professional services firms.
This Notice explains your rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and how you can exercise those rights. If you are a California resident, this Notice is required to be provided at or before the time we collect your personal information.Scope and Definitions
This Notice applies to "personal information" as defined under CCPA/CPRA. Under these laws, "personal information" means information that identifies, relates to, or could reasonably be linked with a particular consumer or household.
● Key terms under this Notice:
● Sensitive Personal Information: A subset of personal information subject to heightened protections, including: (a) social security numbers, driver's license numbers, passport numbers, or other government-issued identification numbers; (b) financial account information; (c) precise geolocation; (d) racial or ethnic origin, religious beliefs, or union membership; (e) mail contents; (f) genetic data; (g) biometric information for identification; (h) health information; (i) sex life or sexual orientation information; and (j) citizenship or immigration status.
● Consumer: A natural person who is a California resident and who has provided personal information to the Company.
● Service Provider: A business entity that processes personal information on behalf of the Company under a contract that restricts how the personal information is used or disclosed.
● Automated Decision-Making Technology (ADMT): Technology that uses algorithms or machine learning to make consequential decisions affecting consumers without human review.Categories of Personal Information Collected
We collect personal information from various sources, including directly from consumers, from our clients, and from third-party data sources. The categories of personal information we collect include:
● Identifiers: Name, email address, postal address, phone number, IP address, cookie identifiers, device identifiers, account username, and unique identifiers assigned by the Company.
● Commercial Information: Records of products or services purchased, obtained, or considered; purchase history; and transaction details.
● Biometric Information: Fingerprints, voice recordings (when you contact support), and facial recognition data (if applicable).
● Internet Activity: Browsing history, search history, information regarding a consumer's interaction with our website or application, and log data.
● Geolocation Data: Approximate location based on IP address; precise location (only with explicit consent).
● Sensory Information: Audio or visual information such as recordings of customer service interactions or video conference participation.
● Professional Information: Job title, company, professional affiliations, work history, and expertise areas.
● Education Information: Educational background, certifications, and training records.
● Inferred Information: Inferences drawn from personal information to create a profile reflecting your preferences, characteristics, behavior, and predispositions.
● AI-Specific Data Categories:
● Prompts and Queries: Text, voice, or other input provided to our AI systems and services.
● AI-Generated Outputs: Content generated by our AI systems in response to your inputs.
● Conversation Logs: Complete records of interactions with our AI-powered platform, including context and metadata.
● Abuse Monitoring Data: Data retained by our AI service providers (Anthropic, OpenAI, Google) for 30 days to monitor and prevent abuse, safety violations, and policy violations.Purpose of Collection and Use of Personal Information
We collect and use personal information for the following purposes:
● Providing Services: Delivering our AI-powered consulting platform, customer support, and related services.
● Business Operations: Managing accounts, processing transactions, and administering our services.
● Communications: Sending transactional emails, service updates, newsletters, and promotional communications (with consent).
● Marketing and Analytics: Analyzing usage patterns, improving our services, and conducting marketing activities.
● Compliance and Legal: Meeting legal obligations, enforcing agreements, and protecting our legal rights.
● AI Model Improvement: Training and improving our AI systems using de-identified and aggregated data (with appropriate safeguards).
● Security and Fraud Prevention: Detecting and preventing fraudulent activity, security incidents, and abuse.
● Personalization: Customizing your experience and providing recommendations based on your usage patterns.Disclosure of Personal Information to Third Parties
We disclose personal information to the following categories of third parties:
● Service Providers: We disclose personal information to service providers who process data on our behalf under contracts that require them to use your personal information only for the purposes specified by us. Service providers are NOT considered "third parties" under CCPA/CPRA and are contractually restricted from using your personal information for their own purposes.
● Business Partners: We may share information with business partners to deliver integrated services.
● Legal Authorities: We disclose information when required by law, court order, or government request.
● Successor Organizations: In the event of a merger, acquisition, or sale of assets, personal information may be transferred.
● Aggregate/De-Identified Data: We may share aggregate or de-identified data that cannot identify you personally.AI Service Providers and Subprocessor Disclosure
We use third-party AI service providers to deliver our services. These providers are classified as SERVICE PROVIDERS under CCPA/CPRA and are contractually bound to process your personal information only as directed by the Company.
AI Service Providers:
Service Provider Services Provided Data Categories Retention & Abuse Monitoring
Anthropic (Claude) AI model processing, natural language understanding, content generation Prompts, conversation logs, AI outputs, professional information 30 days (abuse monitoring only)
OpenAI (GPT) AI model processing, natural language understanding, embeddings Prompts, conversation logs, AI outputs, professional information 30 days (abuse monitoring only)
Google Cloud AI (Gemini) AI processing, analytics, infrastructure Prompts, conversation logs, AI outputs, usage data 30 days (abuse monitoring only)
AWS Infrastructure, data storage, backup services All categories (encrypted at rest) Per contract terms
Contractual Protections: All AI service providers have executed data processing agreements (DPAs) with the Company that include:
● Limitations on use of personal information to purposes specified by the Company.
● Prohibitions on combining personal information with other sources or using for their own purposes.
● Security and confidentiality obligations.
● Restrictions on subprocessing without the Company's prior consent.
● Audit and inspection rights for the Company.
● Data deletion or return obligations upon contract termination.
Abuse Monitoring and Safety: Our AI service providers monitor our use of their platforms for 30 days to detect and prevent abuse, unauthorized use, policy violations, and safety risks. Data retained for this purpose is not used to train their models or for other purposes without our explicit consent.
7. Consumer Rights Under CCPA/CPRA
California law grants you the following rights regarding your personal information:
● Right to Know: You have the right to request what personal information we collect, use, share, and sell about you, and the purposes for which we use it.
● Right to Delete: You have the right to request deletion of personal information we have collected from you, except in limited circumstances.
● Right to Correct: You have the right to request correction of inaccurate personal information.
● Right to Opt-Out of Sale: You have the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising.
● Right to Opt-Out of ADMT: You have the right to opt out of automated decision-making technology that produces legal or similarly significant effects.
● Right to Limit Use of Sensitive Personal Information: You have the right to request that we limit our use and disclosure of sensitive personal information to purposes necessary to provide the services or perform reasonable business operations.
● Right to Opt-Out of AI Processing: You have the right to opt out of having your personal information used for AI model training, improvement, or processing by third-party AI providers, except where necessary to provide the services you have requested.
● Right to Non-Discrimination: We will not discriminate against you for exercising any of your rights under CCPA/CPRA. Discrimination includes denying goods or services, charging different prices, providing different quality of service, or suggesting that you will receive a different price or quality for exercising your rights.
8. How to Exercise Your Consumer Rights
To exercise any of your consumer rights, please submit a verifiable consumer request to us using one of the following methods:
● Email: privacy@syntari.ai
● Email: dpo@syntari.ai (Data Protection Officer)
● Mailing Address: Syntari AI, Inc., Attention: Privacy Team, 855 Boylston Street, Suite 1000, Boston, MA 02116
Your request must include sufficient information to allow us to reasonably understand and verify your identity. We will provide a response within 45 calendar days of receipt of a verifiable request. If we cannot verify your identity, we will notify you and explain why.
You may also authorize an agent to submit requests on your behalf. The authorized agent must provide proof of authorization and sufficient information to verify your identity.
9. Data Broker Status
Syntari AI, Inc. does not currently qualify as a "data broker" under CCPA/CPRA, as we do not sell or share consumers' personal information as our primary business purpose. We collect and use personal information primarily to provide our AI consulting services to our clients.
10. Dark Patterns Prohibition
We prohibit the use of "dark patterns"—subversive designs or interfaces that deceive, manipulate, or coerce users into making choices that are not in their best interests. Specifically, we:
● Do not use visual, audio, or other sensory elements that confuse, distract, or impede your ability to understand information or make choices.
● Do not use any design, text, or interaction pattern designed to obscure, subvert, or impair your ability to make autonomous and informed decisions.
● Provide clear, accessible mechanisms to opt out of or opt in to data practices.
● Do not require multiple opt-out steps, when a single step would suffice.
● Do not use social proof or urgency tactics to pressure you into disclosing sensitive information.
11. AI Processing and Model Training
Our Platform and AI Services: Our platform leverages AI services provided by third-party AI providers (Anthropic, OpenAI, Google Cloud AI) to deliver consulting services. When you use our platform:
● Your inputs (prompts, queries, data) are transmitted to AI service providers' servers to generate outputs.
● Your conversation logs, interactions, and AI-generated outputs are processed and stored in accordance with the privacy practices of the AI service providers.
● AI service providers may use your data for abuse monitoring (30 days) and, with your explicit consent, for model training and improvement.
● We do not share your personal information with AI service providers beyond what is necessary to provide the services you have requested.
Opting Out of AI Processing: You may request to opt out of having your personal information used for:
● Training or improving AI models.
● Automated decision-making that produces legal or similarly significant effects.
● Secondary use by AI service providers for purposes beyond abuse monitoring and service delivery.
To exercise this right, contact us at privacy@syntari.ai or dpo@syntari.ai. Note that opting out of certain AI processing may affect the functionality and quality of our services.
12. Consumer Audit Rights for AI Processing
Under CPRA, you have the right to:
● Audit how your personal information is used by our AI systems and third-party service providers.
● Receive an explanation of how automated decision-making affects you.
● Request correction of errors in automated decision-making outcomes.
We maintain an audit trail of AI processing activities. To request an audit, contact our Data Protection Officer at dpo@syntari.ai.
13. Annual Metrics and Reporting
We are committed to transparency regarding consumer rights requests and data processing activities. Annually, we report the following metrics (next report due: February 23, 2027):
● Number of verifiable consumer requests received and processed, by request type (Know, Delete, Correct, Opt-Out).
● Number of requests denied, partially denied, or where we could not verify the consumer's identity.
● Median and maximum time taken to respond to requests.
● Number of consumers who opted out of the sale/sharing of personal information.
● Number of consumers who opted out of ADMT or AI processing.
● Number of data security incidents involving personal information.
● Details of AI service provider subprocessing relationships and their certifications (SOC 2, ISO 27001).
Metrics will be made available upon request and posted on our website at www.syntari.ai/privacy.
14. Employee and Contractor Privacy Protections (AB 1281)
Syntari AI, Inc. extends privacy protections to employees and job applicants under AB 1281 and CPRA. Specifically:
● We provide a separate notice to employees, applicants, and contractors describing our collection and use of employment-related personal information.
● Employees and contractors have the right to access, delete, and correct their employment-related personal information.
● We do not use ADMT to make automated employment decisions without employee notification and opportunity for human review.
For employment-related privacy inquiries, contact our Human Resources department at hr@syntari.ai.
15. Data Security and Retention
We implement and maintain reasonable security measures designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:
● Encryption of data in transit (TLS/SSL) and at rest (AES-256).
● Access controls and role-based permissions.
● Regular security audits and vulnerability assessments.
● Employee training on data protection and privacy.
● Incident response plans and breach notification procedures.
Data Retention: We retain personal information for as long as necessary to provide services, comply with legal obligations, or exercise our lawful business interests, typically not exceeding three (3) years unless longer retention is required by law.
16. Sensitive Personal Information - Heightened Protections
We recognize that certain categories of personal information ("Sensitive Personal Information") require heightened protection. We limit our use of Sensitive Personal Information to:
● Providing the services you have explicitly requested.
● Ensuring the security and integrity of our systems and services.
● Complying with applicable law.
We do not use Sensitive Personal Information for:
● Marketing, advertising, or profiling purposes (unless you provide explicit consent).
● Sharing with third parties for their own purposes.
● Automated decision-making with significant effects (unless necessary for service delivery).
You have the right to limit our use of Sensitive Personal Information at any time by contacting privacy@syntari.ai.
17. Children's Privacy
Our services are not directed to individuals under the age of 13 (or the applicable age of digital consent in California). We do not knowingly collect personal information from children under 13. If we become aware that we have collected information from a child under 13, we will take steps to delete such information and terminate the child's account.
For parents or guardians who believe we have collected information about a child under 13, please contact us at privacy@syntari.ai.
18. Third-Party Links and Services
Our website and services may contain links to third-party websites and services that are not operated by us. This Notice applies only to our collection and use of personal information. We are not responsible for the privacy practices of third-party websites and services, and you should review their privacy notices before providing your personal information.
19. Changes to This Privacy Notice
We may update this Privacy Notice periodically to reflect changes in our practices, technology, or applicable law. We will notify you of material changes by updating the "Effective Date" at the top of this Notice and, where required by law, by providing additional notice. Your continued use of our services after changes become effective constitutes your acceptance of the updated Notice.
20. Contact Information and Privacy Requests
If you have questions about this Privacy Notice, our privacy practices, or wish to exercise your consumer rights, please contact us:
Privacy Team
Syntari AI, Inc.
855 Boylston Street, Suite 1000
Boston, MA 02116
Email: privacy@syntari.ai
Data Protection Officer: dpo@syntari.ai
© 2026 Syntari International, Inc. All rights reserved.