Privacy Policy
Last Updated: 6 October 2025
Hiasynth AB (Org.nr 559538-3703, VAT SE559538370301) operates the /hiasynth service, an AI-powered platform that lets you chat with synthetic personas reflecting your target audience. Our mission is to help teams understand what resonates before they ship, while protecting your privacy and giving you control over your data. We are committed to transparency and compliance with the EU General Data Protection Regulation (GDPR), Swedish data protection law, and other applicable privacy laws.
This Privacy Policy explains how Hiasynth collects, uses, shares, and protects personal information when you use our website, Discord bot, Slack integration, and web application (collectively, our "Services"). By using our Services, you acknowledge this Policy. This Policy incorporates our Terms of Service by reference. If you do not agree with these terms, please discontinue use of our Services.
What We Mean by Personal Data
For purposes of this Policy, "personal data" means any information relating to an identified or identifiable natural person, as defined under the EU General Data Protection Regulation (GDPR) and Swedish data protection law.
Hiasynth does not intentionally collect sensitive personal data such as health information, biometric identifiers, or precise geolocation. We instruct users not to include such information in their persona definitions or conversations.
Information We Collect
Information You Provide Directly. When you create an account, connect your Discord server, purchase a subscription, or interact with personas, you provide us with personal data including your email address, chosen password (stored only as a cryptographically hashed value using PBKDF2 with 61,000 iterations), OAuth credentials from Discord or Google (including user ID, username, and avatar URL), payment information processed through Stripe (we never store your full credit card details), and persona specifications you create (demographic traits, interests, location, tone preferences).
You also provide the messages you send to personas via slash commands in Discord or Slack. These messages are transmitted to our AI backend to generate responses but are not linked to your personal identity in that transmission. Conversation identifiers are maintained temporarily to preserve context within a session, then automatically cleared after two hours of inactivity.
Information Collected Automatically. When you interact with our Services, we automatically collect technical data to operate and improve the platform. This includes your IP address (which reveals approximate geographic location at the city level), browser type and version, operating system, device identifiers, timestamps of your interactions, pages or features accessed, error logs and debugging information, and API request patterns. We also collect usage metrics such as the number of messages sent to each persona, slash commands invoked, and subscription status.
We do not use third-party analytics services, tracking pixels, or advertising networks. We do not perform behavioral tracking, marketing profiling, or combine this technical data with persona conversations in a way that identifies you personally.
Discord and Slack Integration Data. When you install our bot in Discord or Slack, we access only the minimum information necessary to route commands and deliver responses. For Discord, this includes your user ID and username, the server (guild) ID where the bot is installed, slash command inputs you provide, and your avatar URL for display purposes. We do not read or store general channel messages outside of the slash commands you explicitly send to our bot. The same principles apply to our Slack integration when it becomes available.
Message history within Discord or Slack is controlled by those platforms' retention policies, not ours. We maintain conversation context for up to two hours to enable natural back-and-forth exchanges, after which session identifiers are cleared from our systems.
Children's Data. Our Services are intended for users aged 13 and older. For users between 13 and 16 years old located in the EU, parental consent is required. We do not knowingly collect personal data from anyone under the age of 13. If we discover we have inadvertently collected such information, we will delete it promptly. If you believe we may have collected data from a child under 13, please contact us at [email protected].
How We Use Your Information
Hiasynth processes your personal data only where we have a valid legal basis under applicable privacy law. We rely on the following legal grounds:
Performance of a Contract. We process your data to provide, maintain, and support the Services you have requested under our Terms of Service, including generating persona responses, managing your subscription, processing payments through Stripe, and delivering customer support.
Legitimate Interests. We use personal data to secure our platform, detect fraud and abuse, prevent unauthorized access, analyze usage patterns to improve features and reliability, and generate aggregate analytics that help us understand how the Services are used. These interests are balanced against your privacy rights and do not override your fundamental freedoms.
Consent. For any processing that requires your explicit consent under applicable law, such as certain marketing communications or optional features, we obtain your opt-in consent before proceeding. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
Legal Obligations. We retain and process information as necessary to comply with bookkeeping requirements, tax laws, court orders, law enforcement requests, export control and sanctions regulations, and other legal duties imposed by jurisdictions where we operate.
We use your information for the following purposes: to provide and operate the Services, including storing your personas, routing your messages to our AI backend, generating responses that reflect live global signals, and managing conversation context; to personalize your experience by remembering your personas and preferences; to process payments and manage your subscription, including metering usage against your monthly message allowance; to communicate with you about your account, service updates, and customer support inquiries; to improve our Services by analyzing how features are used, diagnosing technical issues, and refining our AI models based on aggregated and anonymized data; to detect, prevent, and investigate security incidents, fraud, abuse, or violations of our Terms of Service; and to comply with legal obligations and protect our rights.
Automated Processing and Personas. When you create or chat with a persona, Hiasynth’s systems perform automated processing to simulate demographic or behavioral traits based on your chosen persona configuration. This processing produces synthetic responses and is not linked to any identifiable individuals. It does not amount to profiling of you or other real persons and does not produce legal or similarly significant effects under GDPR Article 22.
Hiasynth does not engage in automated decision-making that produces legal or similarly significant effects on individuals. We collect only the personal data necessary for these purposes and retain it according to the schedule described below.
Data Storage and Security
Your data is stored and processed using Cloudflare's infrastructure. Backend services run on Cloudflare Workers, user and persona data resides in a Cloudflare D1 database, and authentication tokens and session data are stored in Cloudflare KV. Your browser stores JWT tokens and basic profile information in localStorage to maintain your logged-in session.
Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified service provider. We never store your full credit card number or CVV code. Stripe's data practices are governed by their privacy policy at stripe.com/privacy.
Transactional emails, such as email verification and password reset messages, are sent through Resend. Resend processes your email address solely to deliver these messages on our behalf.
We implement industry-standard security measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction. These measures include encryption of all data in transit using TLS, encryption of data at rest within Cloudflare's infrastructure, password hashing using PBKDF2 with 61,000 iterations and randomly generated salts, role-based access controls limiting which team members can access what data, multi-factor authentication for administrative access, regular security audits and monitoring for suspicious activity, and automated backups with recovery objectives designed to minimize data loss.
While we take reasonable precautions, no system is completely secure. We encourage you to use a strong, unique password for your Hiasynth account and enable multi-factor authentication where available. If you become aware of any security vulnerability or unauthorized access to your account, please contact us immediately at [email protected].
How We Share Your Information
Hiasynth does not sell, rent, or trade your personal data. We share your information only in the following limited circumstances:
Service Providers. We engage trusted third parties to help us operate the Services. These include Cloudflare (infrastructure hosting), Stripe (payment processing), Resend (transactional email delivery), and StevenAI (persona generation and conversation management). Each service provider is contractually required to protect your data and use it only for the specific services they provide to us.
We maintain Data Processing Agreements (DPAs) with all service providers that handle personal data on our behalf, ensuring they comply with GDPR standards and act only under our instructions.
AI Backend Processing. When you send a message to a persona, the message and temporary conversation context are transmitted to our AI backend provider to generate a response. We currently use a third-party AI system that draws on continuously refreshed, aggregated, and anonymized global signals to model likely opinions across demographics. Neither Hiasynth nor the AI provider processes or infers data about identifiable individuals. These transmissions do not include your name, email address, or other direct identifiers. The AI backend processes each message transiently and does not retain or use your data for training general models outside the scope of your conversation.
Hiasynth does not scrape or collect public data directly. All external signals used to generate persona responses are aggregated and processed by our third-party AI provider, not by Hiasynth AB.
Legal Requirements. We may disclose your information if required to do so by law or in response to valid requests by public authorities, such as to comply with a court order or similar legal process. Where legally permitted, we will notify affected users before producing data in response to government requests. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a lawful request.
Business Transfers. If Hiasynth is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your personal data may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
International Data Transfers
Hiasynth AB is based in Sweden. Some of our service providers operate globally, which means your personal data may be transferred to and processed in countries outside the European Economic Area, including the United States, where data protection laws may differ from those in the EU. This includes Stripe, which may process payment data in the United States and other regions in accordance with the EU Standard Contractual Clauses.
We safeguard these transfers through legally recognized mechanisms under Chapter V of the GDPR, including the EU Standard Contractual Clauses (Commission Decision 2021/914) with our service providers. You may request a copy of the safeguards we have in place by contacting us at [email protected].
Contact Information
Data Controller:
Hiasynth AB
Org.nr 559538-3703
VAT SE559538370301
Email Contacts:
Privacy inquiries: [email protected]
General inquiries: [email protected]
Supervisory Authority:
If you are located in the European Union, you have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data in accordance with applicable law. For users in Sweden, the relevant authority is:
Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY)
Website: imy.se
Email: [email protected]
Data Protection Officer (DPO). Hiasynth AB is not currently required to appoint a formal Data Protection Officer under Article 37 GDPR. However, all privacy inquiries may be directed to [email protected], where our privacy team will respond promptly.
Data Retention
We retain your personal data only as long as necessary to fulfill the purposes described in this Policy or as required by law. Active account data, including your email, linked OAuth accounts, and persona configurations, is retained for the duration of your account's active status. Conversation history is stored for up to 90 days to allow you to review past interactions, after which it is automatically deleted. Conversation session identifiers are cleared after two hours of inactivity. Payment and subscription records are retained for seven years from the date of the transaction in accordance with Swedish accounting law (Bokföringslagen).
When you delete your account, we will permanently erase your personal data within 30 days. This includes your email address, OAuth credentials, persona definitions, and conversation history. Some data may persist in system backups for up to 90 days, after which backups are overwritten. We may retain anonymized records of account deletion timestamps for up to two years for business analytics purposes. These records do not contain any information that identifies you personally.
If you wish to delete your account or request earlier deletion of your data, you may do so through the account settings in our web application or by contacting us at [email protected]. We will process your request in accordance with applicable law.
Cookies and Local Storage
Hiasynth does not use cookies. We rely on browser localStorage to maintain your authenticated session and store minimal information necessary for the Services to function. Specifically, we store a JWT authentication token that identifies your session, basic profile information such as your username and avatar URL, and persona data you have created.
This use of localStorage is strictly necessary to provide the Services under Article 6(1)(b) GDPR (performance of contract) and does not require separate consent. You can clear localStorage at any time through your browser settings, but doing so will log you out and remove locally cached data.
Your Privacy Rights
Depending on your location, you have certain rights regarding your personal data. We respect these rights and will respond to verified requests in accordance with applicable law.
Right of Access. You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how we use it. You can request access by contacting us at [email protected].
Right to Rectification. If your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it. You can update most of your information directly through your account settings in the web application.
Right to Erasure. You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when you object to processing based on legitimate interests. You can delete your account through the web application or by contacting us at [email protected]. Note that we may retain certain information where required by law or for legitimate business purposes such as fraud prevention.
Right to Restriction of Processing. You have the right to request that we limit how we use your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests. During the period we assess your request, we will restrict processing of the data in question.
Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. We will provide your data in JSON format upon request.
Right to Object. You have the right to object to processing of your personal data based on our legitimate interests. If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests or we need the data for legal claims.
Right to Withdraw Consent. Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.
Right to Lodge a Complaint. If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or the supervisory authority in your EU Member State. Contact details are provided in the Contact Information section above.
To exercise any of these rights, please contact us at [email protected]. We will verify your identity before processing your request and respond within 30 days as required by applicable law. In some cases, we may need to extend this period, in which case we will notify you of the delay and the reason for it.
Links to Other Services
Our Services integrate with third-party platforms including Discord, Slack, and Stripe. When you use these integrations, you are also subject to the privacy policies of those platforms. We encourage you to review their policies to understand how they handle your information:
- Discord Privacy Policy: discord.com/privacy
- Slack Privacy Policy: slack.com/trust/privacy/privacy-policy
- Stripe Privacy Policy: stripe.com/privacy
We are not responsible for the privacy practices of these third parties. Any data you provide directly to them is governed by their respective privacy policies.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Services themselves. When we make changes, we will update the "Last Updated" date at the top of this document and post the revised Policy at hiasynth.co/privacy.
For material changes that significantly affect your rights or how we process your data, we will provide advance notice by email to your registered email address or through a prominent notice in the web application or Discord bot. We encourage you to review this Policy periodically to stay informed about how we protect your information.
Your continued use of the Services after the revised Policy takes effect constitutes your acceptance of the changes. If you do not agree with any changes, you may delete your account as described in this Policy. This Policy and any disputes arising from it are governed by the laws of Sweden.
Questions and Contact
If you have questions about this Privacy Policy or how we handle your personal data, please contact us at [email protected] or [email protected]. We aim to respond to all inquiries within a reasonable timeframe and will work with you to resolve any concerns.