Legal
Last updated: June 1, 2026
We collect information you provide directly to us when you create an account, configure swarm simulations, communicate with our support team, or otherwise interact with the Bijani Labs platform. This includes registration details such as your name, email address, company or institutional affiliation, job title, and billing information. When you use the platform to design and execute synthetic consumer research, we additionally collect and process the data you upload, including persona definitions, survey instruments, creative assets, brand stimuli, product descriptions, and any associated configuration parameters.
We also automatically collect certain technical information whenever you access or interact with the platform, regardless of whether you are a registered user. This includes your IP address, browser type and version, operating system, device identifiers, referral URLs, page interaction data, session duration, and aggregated usage logs. We may collect this information using server logs, cookies, and similar tracking technologies as described in Section 5 below.
If you communicate with us via email, live chat, or support tickets, we retain the contents of those communications along with any metadata (timestamps, subject lines, attachments) for the purpose of resolving your inquiry and improving our service.
We categorize the personal data we process into the following types to provide transparency about the scope and nature of our data processing activities.
Account Data includes the information you provide during registration and account management: your full name, email address, password (stored as a salted, bcrypt-hashed value), company or organization name, billing address, VAT or tax identification number, and any avatar or profile image you upload. We also maintain records of your account preferences, notification settings, API key usage, and authentication history (login timestamps, IP addresses, and device fingerprints) for security auditing purposes.
Usage Data encompasses information about how you interact with the Bijani Labs platform. This includes feature interaction logs (which panels, tools, and workflows you access), API call frequency and payload sizes, error and crash reports generated by the client or server, performance metrics such as page load times and response latencies, and the frequency and duration of your sessions. We correlate Usage Data with your account identifier to analyze platform adoption, identify training opportunities, and troubleshoot technical issues.
Research Data is the information you upload, generate, or derive through use of the Bijani Labs platform. This includes persona schemas and attribute definitions, survey question banks and response options, brand and product stimuli (images, copy, video URLs), synthetic respondent configuration parameters, raw swarm output data (including simulated responses, confidence distributions, and narrative justifications), and any reports or visualizations you export from the platform. Research Data may contain personal data if you choose to include identifying information in your research inputs. We treat all Research Data as confidential and do not use it to train or fine-tune our underlying language models.
Payment Data includes billing information collected during subscription sign-up, plan upgrades, or one-time purchases. We use Stripe, Inc. as our payment processor and do not store full credit card numbers, CVV codes, or bank account numbers on our servers. Stripe receives your payment card details, billing address, and transaction amounts and returns to us a tokenized representation along with the last four digits of the card, card brand, and expiration month/year for reference. Your Payment Data is subject to Stripe's privacy policy and data security commitments, which include PCI DSS Level 1 certification.
For individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data only when we have a valid lawful basis under the General Data Protection Regulation (GDPR). Our lawful bases are as follows.
Contractual Necessity (Article 6(1)(b)). We process Account Data and Payment Data as necessary to perform our contract with you — namely, to provide you with access to the Bijani Labs platform, process your payments, and deliver the services you have subscribed to. Without this data, we cannot fulfill our contractual obligations.
Legitimate Interests (Article 6(1)(f)). We process Usage Data and certain Account Data (such as login history and feature usage) for our legitimate interests in operating, securing, and improving the platform; preventing fraud and abuse; analyzing usage trends; and communicating with you about service-related matters. We balance these interests against your rights and freedoms and have implemented appropriate safeguards, including data minimization, pseudonymization where feasible, and straightforward opt-out mechanisms for non-essential processing.
Consent (Article 6(1)(a)). Where we rely on your consent to process certain data — for example, placing non-essential cookies, sending marketing communications, or processing special categories of personal data that you may inadvertently include in Research Data — we obtain your freely given, specific, informed, and unambiguous consent before processing begins. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Legal Obligation (Article 6(1)(c)). We may process your personal data where necessary to comply with a legal obligation to which we are subject, such as retaining transaction records for tax purposes or responding to a valid legal request from a supervisory authority or law enforcement agency.
We use the information we collect for the following purposes: to provision and maintain your account, authenticate your access, and deliver the Bijani Labs platform and its features; to process subscription payments, issue invoices, and manage billing relationships; to provide technical support, respond to inquiries, and troubleshoot platform issues; to communicate with you regarding service updates, security advisories, planned maintenance, and changes to our terms or policies; to monitor and analyze usage patterns, performance metrics, and error rates in order to improve platform reliability, usability, and functionality; to detect, investigate, and prevent fraudulent, abusive, or unauthorized access or activity; to enforce our Terms of Service, acceptable use policies, and other legal agreements; and to comply with applicable legal obligations, regulatory requirements, and lawful requests from competent authorities.
No Model Training on Your Data. We do not train, fine-tune, or otherwise improve our underlying language models or machine learning systems on your Research Data. Your swarm configurations, persona definitions, survey instruments, and simulation outputs remain yours and are not used to enhance the capabilities of any model made available to other customers. We may use anonymized, aggregated platform-wide metrics (e.g., average simulation duration, total requests per month) for internal reporting and marketing, but these aggregates never reveal individual customer data or specific research inputs.
If we intend to use your personal data for a purpose materially different from those described in this policy, we will notify you and, where required by applicable law, obtain your prior consent.
Bijani Labs uses cookies, web beacons, and similar tracking technologies to operate, secure, and improve the platform. Cookies are small text files stored on your device by your web browser. We use both session cookies (which expire when you close your browser) and persistent cookies (which remain on your device until they expire or you delete them).
Essential Cookies. These cookies are necessary for the platform to function and cannot be disabled in our systems. They enable core functionality such as session authentication, security token validation, CSRF protection, and load balancing. Examples include session identifiers and authentication tokens. Essential cookies do not require your prior consent under applicable law but we provide transparency about their use.
Analytics and Performance Cookies. We use first-party analytics cookies (primarily via Plausible Analytics, a privacy-preserving analytics service that does not use persistent identifiers or cross-site tracking) to collect aggregated information about how visitors use the platform. These cookies help us understand which features are most popular, identify performance bottlenecks, and measure the impact of product changes. Analytics data is aggregated and anonymized; we do not use Google Analytics or any analytics provider that shares data with advertising networks.
Preference and Functional Cookies. These cookies remember your settings and preferences, such as your UI theme selection, language preference, and saved workspace state, to provide a personalized experience across sessions.
Third-Party Cookies. We do not serve third-party advertising cookies or allow advertising networks to track your activity on our platform. If you interact with embedded content from third-party services (such as a YouTube video or Vimeo showcase), those services may set their own cookies subject to their respective privacy policies. You can manage cookie preferences through your browser settings, and you may use our platform with essential cookies only by configuring your browser to block non-essential cookies. Blocking certain cookies may affect platform functionality.
Encryption. All data transmitted between your device and our infrastructure is encrypted in transit using TLS 1.3 with strong cipher suites (AEAD, Perfect Forward Secrecy). Data at rest is encrypted using AES-256 encryption at the storage layer, with separate encryption keys managed through a hardware security module (HSM) based key management system. Database backups are also encrypted and stored in geographically separate facilities.
Infrastructure. We operate a multi-region, multi-cloud architecture across AWS (primary), GCP (secondary compute), and Azure (ancillary services). Production workloads run in us-east-1 (N. Virginia), eu-west-1 (Ireland), and ap-southeast-1 (Singapore). Data is primarily stored in the region closest to you, and we provide account-level controls to restrict data residency to specific jurisdictions upon request (subject to availability and pricing).
Access Controls. Access to production systems is restricted to authorized engineering and operations personnel on a least-privilege basis, enforced through short-lived credentials, multi-factor authentication, and full audit logging. We undergo annual SOC 2 Type II examinations and maintain a dedicated security team responsible for monitoring, incident response, and compliance.
Data Deletion. You may request deletion of your account and associated data at any time by contacting privacy@syntheticpulse.ai or through your account settings. Upon deletion, we remove or anonymize your personal data within 30 days, subject to legal retention obligations (see Section 13).
As a global platform operating across multiple cloud providers and regions, Bijani Labs may transfer your personal data to countries outside your country of residence, including the United States, Ireland, and Singapore. When we transfer personal data from the EEA, the United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission, we rely on legally approved transfer mechanisms to ensure an equivalent level of protection.
Standard Contractual Clauses (SCCs). For transfers to our sub-processors (including AWS, GCP, Azure, Stripe, and others listed in our Data Processing Agreement), we have executed the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum. These contracts impose data protection obligations on the recipient that are substantially similar to those under the GDPR. You may request a copy of the relevant SCCs by contacting privacy@syntheticpulse.ai.
Data Residency Options. Enterprise customers on our Business and Enterprise plans may elect to have their Research Data stored exclusively in a specific geographic region (e.g., EEA-only or US-only). This capability is configured during onboarding and documented in your Order Form or Data Processing Agreement. Please note that certain operational data (e.g., authentication logs, billing records) may still be processed in other regions as necessary for platform operations and legal compliance.
We do not sell your personal information or Research Data to third parties. We do not share your personal data with third parties for their own direct marketing purposes. We may share your data only in the following circumstances, each with appropriate contractual and technical safeguards.
Service Providers (Sub-Processors). We engage trusted third-party service providers to perform functions on our behalf, including cloud infrastructure provisioning (AWS, GCP, Azure), payment processing (Stripe), email delivery (Postmark), customer support (Intercom), and incident monitoring (Datadog, PagerDuty). These providers are granted access to only the personal data necessary to perform their functions and are contractually bound to process data only on our documented instructions, implement appropriate technical and organizational measures, and promptly notify us of any data breaches. A current list of sub-processors is maintained in our Data Processing Agreement, which is available upon request.
Research Publications. We may publish anonymized, aggregated benchmark data derived from platform-wide usage (e.g., "average simulation response time," "median persona diversity score") in academic papers, whitepapers, blog posts, or marketing materials. These publications never include individual customer identities, specific research inputs, or any data that could reasonably be used to re-identify a natural person.
Legal Requirements. We may disclose your personal data if required to do so by law, regulation, or valid legal process (such as a court order, subpoena, or government demand). We will make reasonable efforts to notify you before responding to such a request unless notification is prohibited by law. We may also disclose data to establish, exercise, or defend legal claims, or to protect the rights, property, or safety of Bijani Labs, our users, or others.
Business Transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website of any change in ownership or the purposes for which your data is processed, and you will be given the opportunity to exercise your rights under applicable law.
Depending on your jurisdiction, you may have the following rights regarding your personal data. We will respond to all legitimate requests within the timeframes required by applicable law (generally 30 days, extendable by up to 60 days for complex requests). To exercise any of these rights, please contact us at privacy@syntheticpulse.ai or via the contact methods listed in Section 16. We may need to verify your identity before processing your request.
Right of Access. You have the right to confirm whether we process your personal data and, if so, to obtain a copy of that data along with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients to whom the data has been disclosed, the retention period, and the existence of any automated decision-making.
Right to Rectification. You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. You may also update certain Account Data directly through your account settings.
Right to Erasure ("Right to be Forgotten"). You have the right to request deletion of your personal data where (i) the data is no longer necessary for the purposes for which it was collected; (ii) you withdraw your consent and no other lawful basis exists; (iii) you object to processing based on legitimate interests and your objection prevails; (iv) the data has been unlawfully processed; or (v) deletion is required to comply with a legal obligation. We will evaluate your request and delete the data unless we have a compelling legitimate ground or legal obligation to retain it.
Right to Restriction of Processing. You have the right to request that we restrict processing of your personal data where (i) you contest the accuracy of the data (for a period enabling us to verify accuracy); (ii) the processing is unlawful and you oppose deletion and request restriction instead; (iii) we no longer need the data for the purposes of processing but you require it for the establishment, exercise, or defense of legal claims; or (iv) you have objected to processing based on legitimate interests, pending verification of whether our legitimate grounds override your rights.
Right to Data Portability. You have the right to receive your personal data (which you have provided to us and which is processed by automated means on the basis of consent or contract) in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance from us, where technically feasible.
Right to Object. You have the right to object, on grounds relating to your particular situation, to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where the processing is necessary for the establishment, exercise, or defense of legal claims.
Rights Related to Automated Decision-Making. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Bijani Labs does not currently engage in automated decision-making that produces legal effects, but we will notify you if this changes.
Right to Withdraw Consent. Where we process your personal data on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
EEA, UK & Swiss Residents (GDPR). If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have all of the rights described in Section 9 above. Our lawful bases for processing are set out in Section 3. If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your local supervisory authority — for example, the Information Commissioner's Office in the UK, the CNIL in France, or the Data Protection Commission in Ireland. Contact details for all EEA supervisory authorities are available on the European Data Protection Board website. Our representative in the EEA may be contacted at privacy@syntheticpulse.ai.
California Residents (CCPA/CPRA). If you are a resident of California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information, as detailed in Section 11 below. For purposes of the CCPA/CPRA, "personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. We do not sell your personal information, nor do we share it for cross-context behavioral advertising. We have not done so in the preceding 12 months and will not do so without providing you notice and an opportunity to opt out.
This section supplements the information in the rest of this policy and applies solely to California residents. The following describes the categories of personal information we have collected, the sources from which it was collected, the business or commercial purposes for which it was collected, and the categories of third parties with whom we have shared that information in the preceding 12 months.
Categories of Personal Information Collected. (A) Identifiers such as name, email address, IP address, and account username. (B) Commercial information such as subscription plan, payment history, and transaction records. (C) Internet or other electronic network activity information such as browsing history, search history, and interaction data on the platform. (D) Professional or employment-related information such as company name and job title. (E) Inferences drawn from any of the above to create a profile about your preferences and behavior. We do not collect sensitive personal information (as defined by the CPRA) for the purpose of inferring characteristics about a consumer.
Sources of Personal Information. We collect personal information directly from you (during registration, account configuration, and platform use), automatically from your device and browser (via cookies, server logs, and analytics tools), and from our payment processor (Stripe) for billing verification purposes.
Business or Commercial Purposes. We use each category of personal information for the purposes described in Section 4 — namely, service delivery and maintenance, payment processing, security and fraud prevention, product improvement, legal compliance, and customer support.
Disclosures of Personal Information. In the preceding 12 months, we have disclosed the following categories of personal information to our service providers for business purposes: Identifiers (to AWS, GCP, Azure, Postmark, Intercom, Stripe), Commercial Information (to Stripe), and Internet/Network Activity Information (to Datadog, Plausible Analytics). We do not sell personal information or share it for cross-context behavioral advertising.
Your California Rights. In addition to the rights described in Section 9, California residents have the right to (i) request that we disclose the specific pieces of personal information we have collected about you (data portability); (ii) request that we delete personal information we have collected from you, subject to certain exceptions (e.g., to complete a transaction, detect security incidents, or comply with a legal obligation); (iii) request that we correct inaccurate personal information; (iv) opt out of the sale or sharing of personal information (we do not sell or share, but we will honor opt-out preferences should this change); and (v) limit the use and disclosure of sensitive personal information (we do not process sensitive personal information for purposes beyond those authorized by the CPRA). To exercise any of these rights, submit a verifiable consumer request to privacy@syntheticpulse.ai. We will respond within 45 days (extendable by up to 45 additional days with notice). You may designate an authorized agent to make a request on your behalf; we will require proof of authorization. We will not discriminate against you for exercising any of your California rights.
The Bijani Labs platform is not directed to, and we do not knowingly collect personal information from, individuals under the age of 18 (or the applicable age of majority in your jurisdiction). If we become aware that we have inadvertently collected personal data from a child under 18 without verified parental consent, we will take prompt steps to delete that data and deactivate the associated account.
If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at privacy@syntheticpulse.ai so that we can investigate and take appropriate action. We encourage parents and guardians to monitor their children's online activities and to instruct them never to provide personal data through our services without parental permission.
Where we have actual knowledge that a user is under 18, we will restrict account creation and may delete any existing data associated with that user without notice, in accordance with applicable law including the U.S. Children's Online Privacy Protection Act (COPPA) and equivalent regulations in other jurisdictions.
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to provide the Bijani Labs platform, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods are determined based on the nature of the data and the legal, operational, and business requirements applicable at the time.
Account Data. We retain your Account Data for the duration of your account's active status and for 90 days after account closure or termination, after which it is permanently deleted or anonymized, except as necessary to comply with tax and legal record-keeping obligations (typically 7 years for financial and transactional records).
Research Data. Swarm configuration data, simulation inputs, and output results are retained for the duration of your active subscription and for 12 months after project completion, unless you request earlier deletion. You may export or delete your Research Data at any time through the platform or by contacting support.
Usage Data. Aggregated Usage Data (anonymized and not linked to a specific account) may be retained indefinitely for analytics and product development purposes. Individual-level Usage Data is retained for 24 months and then aggregated or anonymized.
Payment Data. Transaction records (excluding full payment card details, which are stored only by Stripe) are retained for 7 years to comply with tax and accounting regulations.
Backups. Encrypted backups of production data are retained for up to 90 days. Data deleted from the primary production environment will be deleted from backups within the same backup retention window.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the regulatory environment. When we make material changes, we will notify you by email (to the address associated with your account) and/or by posting a prominent notice on the Bijani Labs platform at least 14 days before the changes take effect, except where a shorter notice period is required to comply with an urgent legal or security requirement.
We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when this policy was last revised. Your continued use of the Bijani Labs platform after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with a material change, you may close your account and request deletion of your data before the change takes effect.
We will maintain an archived version of previous privacy policies and will provide a copy of the version in effect at any point during your account's lifecycle upon request.
If you have a complaint about our handling of your personal data, we encourage you to contact us first at privacy@syntheticpulse.ai so that we may attempt to resolve your concern directly. We are committed to investigating and responding to all complaints within 30 days.
Supervisory Authority. If you are located in the EEA, the United Kingdom, or Switzerland and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. Contact details for all EEA supervisory authorities are maintained by the European Data Protection Board at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk). The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (edoeb.admin.ch).
Lead Supervisory Authority. For cross-border processing within the EEA, our lead supervisory authority is the Irish Data Protection Commission (dataprotection.ie), as our EEA establishment is located in Ireland.
Our Data Protection Officer. Bijani Labs has appointed a Data Protection Officer (DPO) who can be contacted at dpo@syntheticpulse.ai. Our DPO is responsible for overseeing our data protection strategy, monitoring compliance with applicable data protection laws, and serving as a point of contact for data subjects and supervisory authorities.
Questions, concerns, or requests regarding this Privacy Policy or our data processing practices should be directed to:
Bijani Labs, Inc.
Attn: Privacy / Data Protection Officer
548 Market Street, PMB 99999
San Francisco, CA 94104-5401
United States
Email: privacy@syntheticpulse.ai
DPO Email: dpo@syntheticpulse.ai
Phone: +1 (415) 555-0199
You may also contact us via our contact page or through your account's support chat. We aim to acknowledge all privacy-related inquiries within 48 hours and respond substantively within 15 business days.
SyntheticPulse is a registered trademark of Bijani Technologies, Inc. This Privacy Policy is governed by the laws of the State of California, United States, without regard to its conflict-of-law provisions.