Privacy Policy
Last updated: April 7, 2026
1. Introduction
SynContext ("we," "us," or "our") provides a Model Context Protocol (MCP) server that syncs context and memory across AI assistants such as Claude, ChatGPT, and other MCP-compatible clients. This Privacy Policy explains what information we collect, how we use it, and what choices you have.
By creating an account or using SynContext, you agree to the practices described in this policy. If you do not agree, please do not use the service.
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Email address — used for authentication, password resets, and service notifications.
- Password — hashed with bcrypt before storage. We never store or have access to your plaintext password.
- API key — generated automatically and stored as a SHA-256 hash. The plaintext key is shown to you once at registration.
2.2 User Content
Content you create or store through SynContext includes:
- Projects — project names, descriptions, and status.
- Context entries — notes, documents, and status updates you store for your projects.
- Decisions — decision logs with rationale and alternatives.
- GitHub connections — if you choose to connect GitHub, your Personal Access Token and linked repositories.
Context entry content, decision text, and GitHub tokens are encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 verification).
2.3 Usage Data
We collect minimal usage data to operate the service:
- Audit log — records of actions you take (e.g., creating a project, storing context) with timestamps. Used for your activity history and debugging.
- Session tokens — temporary tokens for dashboard authentication, which expire after 24 hours.
We do not use analytics services, tracking pixels, browser fingerprinting, or behavioral tracking of any kind.
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the SynContext service.
- Authenticate your identity and authorize access to your data.
- Process payments through Stripe for paid subscriptions.
- Send transactional emails (account verification, password resets). We do not send marketing emails.
- Enforce usage quotas and rate limits based on your subscription tier.
- Respond to support requests.
We do not sell, rent, or share your personal information or content with third parties for advertising or marketing purposes.
4. Data Storage and Security
We take the security of your data seriously:
- Encryption at rest — user content (context entries, decisions, GitHub tokens) is encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before being written to the database.
- Password hashing — passwords are hashed with bcrypt with automatic salt generation.
- API key hashing — API keys are stored as SHA-256 hashes.
- Encryption in transit — all connections to syncontext.dev use HTTPS with TLS.
- Tenant isolation — every database query is scoped to your user ID. Users cannot access each other's data.
- Security headers — HSTS, Content-Security-Policy, X-Frame-Options, and other protective headers are set on all responses.
5.2 Administrator Access
SynContext's administrative tools are designed with a strict metadata-only boundary. Administrators can manage accounts (change subscription tiers, suspend or delete accounts) and view aggregate system statistics, but cannot access, read, or decrypt the content of your context entries, decisions, or any other user-generated data.
This boundary is enforced structurally in the codebase: admin database queries select only metadata fields (identifiers, titles, timestamps, categories) and never include content columns. An allowlist-based helper provides defense-in-depth by stripping any non-metadata fields from admin responses.
Our database is hosted on managed PostgreSQL infrastructure in US East (Virginia). Backups are handled by our hosting provider.
5. Third-Party Services
SynContext uses a limited number of third-party services to operate. We only share the minimum data required for each service to function:
- Stripe — payment processing. Stripe receives your email and payment details when you subscribe to a paid plan. SynContext does not store credit card numbers. Stripe Privacy Policy.
- Resend — transactional email delivery (account verification, password resets). Resend receives your email address to deliver these messages. Resend Privacy Policy.
- Railway — application and database hosting. Railway Privacy Policy.
- Cloudflare — DNS, CDN, and DDoS protection. Cloudflare Privacy Policy.
- GitHub API — accessed only when you connect your GitHub account and interact with repository features. Your GitHub Personal Access Token is encrypted and stored in our database, and is used solely to make API calls on your behalf. GitHub Privacy Statement.
6. Data Retention
- Active accounts — your data is retained for as long as your account is active.
- Account deletion — when you delete your account (or an administrator deletes it), all associated data is permanently removed from our database, including projects, context entries, decisions, version history, audit logs, sessions, webhooks, and GitHub connections.
- Session tokens — expire automatically after 24 hours and are cleaned up periodically.
- Password reset tokens — expire after 1 hour.
We do not retain backups of deleted data beyond the hosting provider's standard backup retention window.
7. Your Rights
You have the following rights regarding your data:
- Access — you can view all your data through the dashboard and MCP tools at any time.
- Export — you can export your projects and all associated data as JSON using the dashboard or the hub_export_project MCP tool.
- Correction — you can update your context entries, decisions, and project details through the dashboard or API.
- Deletion — you can delete individual projects, context entries, or your entire account. Deletion is permanent and immediate.
- Portability — the JSON export format is designed to be portable and human-readable.
To exercise any of these rights or if you have questions, contact us at [email protected].
8. Cookies and Tracking
The SynContext landing page does not use cookies.
The SynContext dashboard uses browser sessionStorage to store your authentication token for the duration of your browser session. This is not a cookie and is not accessible to third parties. The token is cleared when you close your browser tab or log out.
We do not use Google Analytics, Facebook Pixel, or any third-party tracking or advertising scripts.
9. Children's Privacy
SynContext is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will delete it promptly.
10. International Data Transfers
SynContext's servers and database are located in the United States (US East, Virginia). If you access the service from outside the United States, your data will be transferred to and processed in the United States. By using SynContext, you consent to this transfer.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
Continued use of SynContext after changes become effective constitutes acceptance of the revised policy.
12. Contact
If you have questions or concerns about this Privacy Policy or our data practices, contact us at:
Email: [email protected]
Website: https://syncontext.dev