Mythrilite Inc. — Legal
Privacy Policy
- Effective:
- May 17, 2026
- Last updated:
- May 17, 2026
This Privacy Policy describes how Mythrilite Inc.(“Mythrilite,” “we,” “us”) collects, uses, shares, and protects personal information in connection with Synonym, our voice interview platform for brand research (the “Service”). It applies to our websites, interview interfaces, applications, and APIs. Capitalized terms not defined here have the meanings given in our Terms of Service.
1Scope and Roles
This policy applies to information we collect from and about:
- Participants — individuals who create accounts and conduct voice interviews;
- Buyers — organizations and their personnel who access Research Outputs;
- Visitors — anyone who visits our websites without signing in.
For most purposes Mythrilite acts as the “controller” or “business” of personal information collected through the Service. Where we process personal information on behalf of a Buyer organization under a written agreement, we act as a “processor” or “service provider” for that data.
2Information We Collect
We collect the following categories of personal information.
Account and identity data. When you sign up, our identity provider (currently Clerk) collects your email address, the authentication method you choose (for example, a password, magic link, OAuth identity, or passkey), and identifiers such as a user ID. We receive this information to authenticate you. We do not receive or store your password.
Profile and selection data. Information you provide while using the Service, including your display name, the brands you select, the survey or interview tracks you choose, and any free-text responses.
Voice and interview content.Audio captured from your microphone during an interview, the transcript of that audio, the AI moderator’s responses, the structured fields we extract from the conversation (such as preferences, behaviors, purchase occasions, substitutes, and lapse reasons), and metrics such as turn count, duration, and quality score.
Device, log, and usage data. When you visit our websites or use the Service, we automatically collect technical information such as your IP address, approximate location derived from IP, browser type and version, operating system, device identifiers, referring and exit pages, timestamps, pages viewed, features used, error events, and similar information generated by your interaction with the Service.
Cookies and similar data.See Section 9 below.
Communications. If you contact us by email, chat, or support form, we collect the content of your message, your contact information, and any attachments you provide.
Buyer data. For Buyers, we collect contact details, organization information, the queries you run against Twins, the Research Outputs you view, and billing or order information necessary to maintain your subscription.
Sensitive information. We do not require you to provide sensitive personal information. Please do not share information about your health, sexual orientation, religious or political beliefs, biometric identifiers (other than the voice recording you knowingly create when participating in an interview), Social Security or other government-issued numbers, or financial account credentials. If you voluntarily disclose such information during an interview, we will process it to operate the Service but we ask you not to do so.
3Sources of Information
- Directly from you when you create an account, set up your profile, participate in an interview, run a query, or contact us.
- Automatically from your device when you interact with the Service, including via cookies and similar technologies.
- From service providers who help us operate the Service, including our identity provider, voice and language model providers, hosting and analytics providers, and error monitoring providers.
- From a Buyer organizationif you are accessing the Service through your employer’s account.
4How We Use Information
We use personal information for the following purposes:
- To operate the Service. Authenticate you, present the interview interface, stream voice to and from our providers, generate transcripts and structured fields, persist your Twin, and let authorized Buyers query Twins.
- To improve the Service. Diagnose bugs, measure interview quality, analyze usage patterns, evaluate AI model performance, prototype new features, and otherwise improve the Service. Where possible we use aggregated or de-identified data for this purpose.
- To produce Research Outputs.Generate transcripts, structured extractions, embeddings, summaries, and aggregated insights for delivery to Buyers under Section 8 of our Terms.
- To communicate with you. Send service messages, security notices, consent confirmations, and, where you have not opted out, occasional product updates or research opportunities.
- To protect against abuse. Rate-limit voice sessions, detect fraudulent or automated activity, enforce our Terms, and protect the rights, property, and safety of Mythrilite, our users, and the public.
- To comply with law. Respond to lawful requests, meet record-keeping obligations, exercise or defend legal claims, and meet regulatory requirements.
We process personal information on the legal bases set out in Section 14 (consent for voice recording and direct marketing; performance of a contract for delivering the Service to you; legitimate interests in securing, improving, and commercializing the Service; legal obligation where applicable).
5AI Processing and Model Training
The Service is powered by third-party AI providers. During an interview, your audio is streamed to a real-time speech model that produces a transcript and an AI voice response. After the interview, we send the transcript to a large language model to extract structured fields and generate summaries. We pass only the information needed for these tasks, and we contractually require our AI providers to:
- process inputs solely to provide their service to us;
- not use Participant content to train their foundation models; and
- retain inputs only for the period needed to deliver the service and to meet their own abuse-monitoring obligations, which is typically thirty (30) days or less.
Mythrilite may use de-identified transcripts and structured fields to train, fine-tune, evaluate, and benchmark our own internal models that power the Service (for example, the interview moderator prompts, extraction schemas, and quality classifiers). We do not sell raw transcripts or audio to third parties for their own model training.
If you do not want your content to be used for our internal model improvement, email privacy@trysynonym.com with the subject line “Model Training Opt-Out.”
7Sub-Processors and Vendors
The following categories of sub-processors help us operate the Service. We require each to maintain appropriate security and privacy protections and to use information only for the purposes for which we engaged them.
- Authentication — Clerk, Inc. (U.S.). Email, identity, and session data.
- Hosting and serverless compute — Vercel, Inc. (U.S.). All application traffic and request metadata.
- Database — Neon, Inc. (U.S.). Account records, interviews, transcripts, structured fields, and Twin data.
- Object storage — Vercel Blob (U.S.). Audio recordings and finalized transcript blobs.
- Voice and speech-to-speech — OpenAI, L.L.C. (U.S.). Real-time audio and transcripts during interviews.
- Structured extraction and analysis — Anthropic, PBC (U.S.). Post-interview transcripts and prompts.
- Rate limiting and ephemeral cache — Upstash, Inc. (U.S.). IP-derived keys and counters for abuse prevention.
- Error and performance monitoring— Functional Software, Inc. d/b/a Sentry (U.S.). Diagnostic events, stack traces, and user identifiers.
- Email delivery — providers selected from time to time to send transactional and consent-related email.
We may add or change sub-processors as our infrastructure evolves. Material changes will be reflected in this policy.
8Disclosures to Buyers and Researchers
Buyers receive access to Research Outputs (transcripts, structured fields, Twins, and aggregated analyses) so they can run research queries. We take the following measures to limit re-identification risk:
- We label Twins with first name or a chosen display name only; full names, email addresses, phone numbers, and account identifiers are not exposed.
- We contractually prohibit Buyers from attempting to re-identify, contact, or single out Participants, from combining Research Outputs with external datasets for re-identification, and from using Research Outputs to train any machine learning model not operated by Mythrilite.
- We may apply additional redaction, aggregation, or differential-privacy controls depending on the sensitivity of the data.
Even with these measures, voice and free-text content can in some circumstances be identifying. Please do not share information during an interview that you would not be comfortable having a Buyer see in your Twin.
10Data Retention
We retain personal information for as long as necessary to provide the Service and for the additional periods described below, after which we delete or de-identify the data.
- Account records — for the life of the account, plus up to thirty (30) days after deletion to allow for backup expiration.
- Interview transcripts and structured fields — for as long as your Twin remains active or for up to thirty-six (36) months after your last interaction, whichever is longer, unless you request earlier deletion.
- Voice recordings — by default we retain audio for up to twelve (12) months after the interview, after which the audio is deleted and only the transcript and derived fields are retained.
- Diagnostic logs and rate-limit counters — up to ninety (90) days.
- Billing and tax records (Buyers) — for the period required by applicable accounting and tax law, generally seven (7) years.
- De-identified or aggregated data — may be retained indefinitely, as it is no longer reasonably linkable to an individual.
We may retain certain information for longer if required by law, regulator request, litigation hold, or to enforce our Terms.
11Security
We implement administrative, technical, and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit using TLS, encryption at rest for databases and object storage, role-based access controls, least-privilege environment scoping, secret management, web application firewalling, rate limiting, audit logging, and routine review of vulnerabilities and access.
No method of transmission or storage is perfectly secure. You are responsible for maintaining the secrecy of your account credentials, enabling multi-factor authentication where offered, and reporting any suspected compromise to security@trysynonym.com.
12Your Privacy Rights
Depending on where you live and the law that applies to you, you may have some or all of the following rights with respect to your personal information:
- Access — confirm whether we hold information about you and obtain a copy.
- Correction — ask us to correct inaccurate information.
- Deletion — ask us to delete information we hold about you.
- Portability — receive certain information in a structured, machine-readable format.
- Restriction or objection — limit or object to certain processing, including processing based on our legitimate interests.
- Opt-out of sale or sharing — opt out of disclosures that constitute a sale or share under applicable U.S. state law.
- Withdraw consent — withdraw any consent you previously gave, without affecting the lawfulness of processing before withdrawal.
- Complaint — lodge a complaint with your local data protection authority.
To exercise these rights, email privacy@trysynonym.com from the address associated with your account, or use any self-service tools we provide. We may need to verify your identity before responding and will not discriminate against you for exercising your rights. Authorized agents may submit requests on your behalf with proof of authority.
13U.S. State Privacy Notices
This section provides additional disclosures required by certain U.S. state privacy laws, including the California Consumer Privacy Act, as amended (CCPA/CPRA), and comparable laws in Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia.
Categories of personal information collected. Identifiers (account ID, email, IP address); customer records information (name, contact details); internet or other electronic activity information (usage, device, log data); audio and similar information (voice recordings, transcripts); geolocation (approximate, derived from IP); commercial information (Buyer billing data); and inferences drawn from the foregoing (structured fields, Twins).
Purposes.The categories above are collected for the purposes described in Section 4.
Sources.See Section 3.
Disclosures and “sales”/“sharing.”We disclose identifiers, internet activity, audio, and inferences to our sub-processors as described in Section 7, and we disclose de-identified Research Outputs to Buyers under Section 8. Under some U.S. state laws, our delivery of Research Outputs to Buyers in exchange for fees may be considered a “sale” or “sharing,” even though we do not market it as such and we contractually restrict re-identification.
Your rights.You may exercise the rights listed in Section 12, including the right to opt out of sale or sharing. You may submit an opt-out request by emailing privacy@trysynonym.com with the subject line “Do Not Sell or Share My Personal Information.” We honor Global Privacy Control signals where required by law as an opt-out of sale and sharing for the device or browser sending the signal.
Sensitive personal information. We do not use or disclose sensitive personal information for purposes that require offering a right to limit under applicable law.
Retention.See Section 10.
No financial incentives. We do not currently offer financial incentives in exchange for personal information.
14EEA, UK, and Swiss Notices
If you are in the European Economic Area, United Kingdom, or Switzerland, the following additional disclosures apply.
Controller. Mythrilite Inc. is the controller of personal information processed in connection with the Service, except where we act as a processor on behalf of a Buyer organization.
Legal bases. We process personal information on the following bases:
- Performance of a contract — to provide the Service you have requested.
- Consent — for voice recording, optional communications, and where otherwise required, including for our internal model improvement use. You may withdraw consent at any time.
- Legitimate interests — to secure the Service, prevent abuse, develop new features, and commercialize Research Outputs in a privacy-respecting way. We balance these interests against your rights and freedoms and will provide further information on request.
- Compliance with legal obligations — for record-keeping, responses to lawful requests, and similar purposes.
Your rights.See Section 12. You also have the right to lodge a complaint with the supervisory authority in your country of residence, work, or the place of an alleged violation.
International transfers.See Section 15.
Automated decision-making.See Section 19.
15International Data Transfers
Mythrilite is headquartered in the United States, and our sub-processors are primarily located in the United States. When we transfer personal information from the EEA, UK, or Switzerland to a country that has not been designated as providing an adequate level of protection, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses and the UK Addendum or the Swiss equivalent, supplemented by technical and organizational measures.
16Children
The Service is not directed to children, and we do not knowingly collect personal information from anyone under 18 years of age. If you become aware that a child has provided personal information through the Service, please contact privacy@trysynonym.com and we will take steps to delete the information.
17Do Not Track and Global Privacy Control
Most browsers and some operating systems support “Do Not Track” signals and the Global Privacy Control (GPC). Because there is no industry-standard meaning for the Do Not Track header, we do not respond to it. We do honor GPC signals as an opt-out of sale and sharing where required by applicable U.S. state law.
18Third-Party Links
The Service may contain links to third-party websites or services that we do not operate. This policy does not apply to those properties. We encourage you to review the privacy practices of any third-party service before providing personal information to it.
19Automated Decisions and Profiling
The Service uses automated processing to transcribe interviews, generate AI moderator responses, extract structured fields, score interview quality, and answer Buyer queries about Twins. These outputs do not produce legal or similarly significant effects on you. The Service is not designed to make decisions about credit, employment, housing, insurance, education, government benefits, or access to essential services, and we contractually prohibit Buyers from using Research Outputs for such purposes.
If you would like a human review of any automated output that concerns you, contact privacy@trysynonym.com.
20Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page and, for material changes, provide additional notice such as an email or in-product banner. We encourage you to review this policy periodically.
21Contact Us
Mythrilite Inc., Attn: Privacy, Delaware, United States. For privacy questions or to exercise your rights, email privacy@trysynonym.com. For security reports, email security@trysynonym.com. For general legal questions, email legal@trysynonym.com.
Synonym