Privacy Policy

Syntaxis is operated by Etenos Inc. ("Etenos", "Syntaxis", "we", "us", or "our"). Syntaxis provides a website, account and billing portal, hosted control plane, GitHub integration, and desktop application for approval-gated AI coding workflows.

Controller/operator: Etenos Inc., operator of Syntaxis Mailing address: [add legal mailing address before publication] Privacy contact: syntaxis@etenos.ai

This Privacy Policy explains how we collect, use, disclose, and retain personal data when you use:

• the Syntaxis website and portal, including pages on syntaxis.dev, app.syntaxis.etenos.ai, or related domains;
• the Syntaxis desktop app;
• the Syntaxis hosted control plane/API;
• the Syntaxis GitHub App or GitHub personal authorization flow;
• billing, checkout, beta, contact, support, and product communications.

This policy does not replace the privacy policies of third-party services you choose to connect, including Stripe, GitHub, OpenAI/Codex, Anthropic/Claude when supported, or your own hosting and repository providers.

Syntaxis is designed as a local-first desktop product. The reviewed control plane does not accept raw source code or raw command output in synced agent events, and the desktop event sync marks those fields as excluded.

The desktop app may read your local workspace to scan project structure, detect commands, prepare bounded file context, draft plans, generate patch previews, and apply approved changes. Some source content can be sent directly from your machine to the AI runtime/provider you configure, such as Codex/OpenAI, when you ask Syntaxis to draft a patch preview. That flow is between your local runtime/account and the AI provider; it is not sent through the Syntaxis hosted control plane in the reviewed implementation.

You can also connect GitHub. In that case, Syntaxis receives and stores GitHub account, installation, repository, project, issue, pull request, check, and review metadata needed to run the approval-gated workflow.

Account and Authentication Data

We collect account information such as email address, display name derived from your email, user ID, account status, beta/tester status, subscription status, login state, and authentication timestamps. Passwords are submitted during signup and sign-in, but the control plane stores password hashes rather than plaintext passwords.

The desktop app stores a local desktop authentication session that can include a callback code, user ID, authentication timestamp, and tester flag.

Billing Data

For paid beta access, we collect billing-related data such as email address, selected plan, billing cycle, checkout reference, subscription status, current period end, Stripe customer ID, Stripe subscription ID, Stripe checkout session ID, and Stripe event ID.

Stripe processes hosted checkout and payment details. We do not store full payment card numbers in the reviewed Syntaxis app. Stripe may collect and process payment, device, and transaction data under Stripe's own policies.

GitHub Integration Data

If you connect GitHub, we may collect and process:

• Syntaxis user ID associated with the GitHub connection;
• GitHub App installation ID, setup action, verification status, connected and verified timestamps, account login, account type, and repository selection;
• GitHub personal authorization data if you use that mode, including GitHub user ID, login, name, avatar URL, profile URL, token type, scope, access token, refresh token, token expiration, and last error;
• selected repository metadata, including repository ID, owner, name, full name, URL, private/public status, default branch, archived status, and disabled status;
• GitHub Project configuration, status fields, selected workflow statuses, branch naming pattern, assignee login, pull request settings, and project URLs;
• task and issue metadata, including project item ID, issue ID, repository name, issue number, title, body, URL, state, assignees, labels, status, updated time, and generated branch name;
• pull request data, including PR number, title, body, state, draft status, branches, URLs, head SHA, merged/closed timestamps, check-run summaries, review states, review excerpts, and review-comment excerpts.

Desktop Local Data

The desktop app stores product state in a local app data directory named Syntaxis. Depending on your platform, this is your operating system's local application data location.

Local desktop data can include recent workspace paths, workspace IDs, workspace trust records, cached workspace scans, onboarding profile, AI provider configuration, execution policy, control-plane API settings, GitHub connection mode, active task workspace links, work plans, file context summaries, implementation proposals, feedback proposals, patch previews, pull request proposals, action queue items, audit events, execution records, command invocations, command stdout/stderr, and Codex runtime last-call metadata.

This local data is stored on your device unless you explicitly sync selected audit events to the Syntaxis control plane or use an external AI/runtime provider as described below.

Workspace and Source Code Data

The desktop app may read your local workspace after you select or open a workspace. It can scan project files and metadata, detect package scripts and commands, summarize selected files, read bounded source files for patch generation, generate diffs, and apply approved patches.

For work-plan context, the reviewed app stores summaries and high-signal declarations rather than full raw file bodies. For patch-preview generation, the app may read complete contents of selected bounded files and include those contents in prompts sent to the configured local AI runtime/provider.

Syntaxis does not intentionally receive raw source code in the hosted control plane unless you send it to us yourself, for example by pasting code into a support message.

AI Runtime and Provider Data

When you configure an AI provider or runtime, Syntaxis may store provider selection and readiness metadata locally. The reviewed desktop beta supports Codex/OpenAI account-based drafting and has placeholders for other providers.

When you ask Syntaxis to draft a plan, implementation proposal, feedback fix, or patch preview with AI, the desktop app may send prompts that include task metadata, repository and issue metadata, bounded source context, selected file contents, proposed changes, and validation commands to the configured AI runtime/provider. The provider's processing is governed by your relationship with that provider and its policies.

Website, Cookie, and Local Storage Data

The website uses browser storage for user experience features, including cookie preferences, route transition state, first-visit state, and optional transition sound state. The reviewed code stores values such as cookie category selections, a playful cookie interaction count, transition navigation state, seen state, and sound preference in browser localStorage or sessionStorage.

The reviewed web app defines cookie preference categories for necessary, preferences, statistics, and marketing. No third-party analytics or advertising script was found in the reviewed web app. If we add analytics, advertising, or other tracking tools, we will update this policy and the cookie controls as required.

Our servers and hosting providers may also process ordinary request metadata such as IP address, user agent, timestamps, pages requested, referrer, and diagnostic logs.

Contact, Support, and Beta Interest Data

If you contact us, join a beta list, request support, or send feedback, we collect the information you provide, such as name, email, organization, plan interest, platform, message content, support context, and any files or code snippets you choose to send.

We use personal data to:

• provide, operate, secure, and troubleshoot Syntaxis;
• create and authenticate accounts;
• verify beta access and subscription status;
• process checkout, subscriptions, invoices, and billing events;
• connect to GitHub, list repositories/projects, claim tasks, update project statuses, create pull requests, and read pull request feedback when authorized;
• register desktop installations and receive heartbeats;
• sync redacted agent activity events when enabled;
• prepare local plans, proposals, patch previews, approvals, audit logs, and execution records;
• communicate with you about support, product updates, billing, beta access, and administrative notices;
• prevent abuse, investigate security issues, and enforce our Terms of Service;
• comply with legal obligations and protect our rights.

If the GDPR or UK GDPR applies, our legal bases may include:

• Contract: to provide Syntaxis, accounts, subscriptions, desktop access, support, and connected integrations.
• Legitimate interests: to secure and improve the service, prevent misuse, maintain logs, operate product analytics if deployed, and communicate about similar products where permitted.
• Consent: for non-essential cookies or storage where required, optional marketing communications, and any optional integrations you choose to connect.
• Legal obligation: to comply with tax, accounting, consumer protection, and lawful request obligations.

We may share personal data with:

• Stripe, for checkout, subscriptions, payment processing, fraud prevention, tax, and related billing operations;
• GitHub, when you install the Syntaxis GitHub App, authorize a personal GitHub connection, or use GitHub workflows through Syntaxis;
• AI providers or local AI runtimes you configure, such as Codex/OpenAI, when you request AI drafting or patch generation;
• infrastructure, hosting, database, logging, email, support, and security providers that help us operate Syntaxis;
• your organization or workspace administrators if a future team or enterprise feature is configured to manage shared access;
• professional advisers, auditors, insurers, or legal authorities when reasonably necessary;
• successors or affiliates in connection with a merger, acquisition, financing, reorganization, or sale of assets.

We do not sell personal data in the reviewed implementation. We do not intentionally share raw source code with advertisers or marketing networks.

We use necessary local storage to remember required product state and optional local storage for preferences such as cookie choices and transition sound. You can change cookie preferences through the website cookie control where available, and you can clear browser storage through your browser settings.

Because browser storage and similar identifiers can be regulated like cookies in some regions, we treat non-essential storage and tracking as subject to consent where required.

We retain personal data only as long as reasonably necessary for the purposes described in this policy, unless a longer period is required by law.

Typical retention periods depend on the data category:

• Account and subscription data: for the life of the account or subscription, and longer if required for billing, tax, dispute, security, or legal reasons.
• Billing records: as required for payments, accounting, tax, chargeback, audit, and compliance purposes.
• GitHub connection state and tokens: until you disconnect GitHub, reset the connection, your token expires, or we delete the account, subject to backup and legal retention.
• GitHub task snapshots and automation settings: while needed to operate the workflow, support auditability, or troubleshoot issues.
• Control-plane installation, heartbeat, and redacted activity events: while needed for product operation, monitoring, audit, troubleshooting, and security.
• Local desktop data: until you delete it, uninstall and remove app data, clear local caches, reset an integration, or use product controls that remove it.
• Website local storage: until you clear it or use provided preference controls.
• Support and contact messages: while needed to respond, maintain business records, improve the product, and defend or exercise legal rights.

Backups and logs may retain data for a limited additional period.

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to processing of your personal data, to opt out of certain processing, and to withdraw consent where processing is based on consent.

You can:

• contact us at syntaxis@etenos.ai to request access, correction, deletion, or export;
• unsubscribe from product emails using the unsubscribe link when available or by contacting us;
• disconnect or reset GitHub access through Syntaxis and GitHub controls;
• clear browser local storage or update cookie preferences;
• remove local desktop app data from your device;
• use your AI provider's controls for data retention, training, and account management.

We may need to verify your request before acting on it. Some data may be retained where required for security, legal, tax, billing, or dispute reasons.

This section supplements the rest of this Privacy Policy for residents of U.S. states with consumer privacy laws, including California, Colorado, Connecticut, Delaware, Iowa, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, and other states as their laws become effective. Some rights apply only if we meet the legal thresholds for that state.

Categories of Personal Information

The table below summarizes categories of personal information we collect, the sources, purposes, disclosures, and retention criteria. This is intended to serve as a California Notice at Collection and a general U.S. state privacy notice.

Sale, Sharing, Targeted Advertising, and Profiling

In the reviewed implementation, we do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We also do not process personal information for targeted advertising or for profiling that produces legal or similarly significant effects.

If that changes, we will update this policy and provide any required "Do Not Sell or Share My Personal Information", targeted advertising opt-out, or universal opt-out mechanism support.

Sensitive Personal Information

We use and disclose sensitive personal information only to provide and secure the Service, authenticate accounts, process payments, connect integrations, run local-first workflows you request, detect security incidents, prevent abuse, and comply with law. We do not use sensitive personal information to infer characteristics about you.

U.S. Privacy Rights

Depending on your state, you may have the right to:

• confirm whether we process personal information about you;
• access or receive a copy of personal information we process about you;
• correct inaccurate personal information;
• delete personal information;
• obtain a portable copy of personal information;
• opt out of sale, sharing, targeted advertising, or certain profiling;
• limit certain uses of sensitive personal information where required;
• not be discriminated against for exercising privacy rights;
• appeal a denial of your privacy request.

To exercise these rights, contact syntaxis@etenos.ai. Put "Privacy Request" in the subject line and tell us your state of residence and the right you want to exercise. If we deny your request and your state gives you an appeal right, reply with "Privacy Appeal" and we will review the decision.

You may use an authorized agent where permitted by law. We may ask the agent for proof of authority and may ask you to verify your identity or confirm the request directly.

California-Specific Disclosures

For California residents:

• We do not sell or share personal information in the reviewed implementation.
• We do not knowingly sell or share personal information of consumers under 16.
• We do not use sensitive personal information for purposes that require a "Limit the Use of My Sensitive Personal Information" link in the reviewed implementation.
• We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months based on the reviewed implementation.
• California residents may request information about categories and specific pieces of personal information collected, sources, purposes, categories disclosed, and categories of third parties/service providers.
• California residents may request deletion, correction, access, portability, opt out, and non-discrimination as provided by California law.
• California "Shine the Light": we do not disclose personal information to third parties for their own direct marketing in the reviewed implementation. If that changes, California residents may request information about that disclosure once per calendar year.

We use administrative, technical, and organizational safeguards designed to protect personal data. Syntaxis is designed to keep sensitive development work local where possible and to gate side-effecting actions through explicit approval.

No system is perfectly secure. You are responsible for securing your device, operating system account, GitHub account, AI provider account, repository credentials, and any local workspaces used with Syntaxis.

Syntaxis, our providers, and connected third-party services may process data in the United States, the European Economic Area, and other countries. Where required, we use appropriate transfer mechanisms, such as standard contractual clauses or other lawful transfer tools.

Syntaxis is intended for developers and professional users. It is not directed to children under 13, and we do not knowingly collect personal data from children under 13. We also do not knowingly sell or share personal information of users under 16. If you believe a child has provided us personal data, contact us at syntaxis@etenos.ai.

We may update this Privacy Policy as the product, legal requirements, or our practices change. We will update the date above and, where required, provide additional notice.

Questions or requests can be sent to:

Etenos Inc. / Syntaxis syntaxis@etenos.ai [add legal mailing address before publication]