Privacy Policy

Who We Are

Synthetic Reality Inc. ("Synthetic Reality", "we", "our", or "us") is a corporation incorporated under the Canada Business Corporations Act, with its principal place of business in Montréal, Québec, Canada. We develop and operate artificial intelligence software and infrastructure for regulated financial institutions.

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you interact with our website, request access to our platform, communicate with our team, or use our services under a commercial agreement. It applies to Synthetic Reality Inc. and does not extend to our clients' own data processing activities, which are governed by the Data Processing Agreement executed between us and each client institution.

What We Collect

We collect personal information in the following categories, depending on how you interact with us:

• Contact and identity information: Your name, work email address, job title, and employer name — collected when you submit a request for access, contact us, or register for an event.
• Professional and institutional context: Your institution's sector, approximate AUM or revenue range, and a description of your current challenges — provided voluntarily on our request form to help us triage and respond appropriately.
• Platform account information: Login credentials (email and hashed password or SSO token), role assignments, and access logs — collected for users with provisioned accounts on the Synthetic Reality platform.
• Usage and interaction data: Pages visited on our website, features accessed within the platform, API call metadata (endpoint, timestamp, response code), and session duration — collected automatically via server logs and first-party analytics.
• Communications: The content of emails, meeting notes, and support tickets you send to us — retained to support your relationship with our team.

We do not collect sensitive personal information such as financial account numbers, social insurance numbers, health information, or biometric data from website visitors or access requestors.

How We Use Data

We use the personal information we collect for the following purposes, each grounded in a lawful basis under applicable privacy law:

• To respond to access requests and inquiries — processing your submitted form, scheduling discovery calls, and routing your request to the appropriate specialist. Basis: performance of a pre-contractual step at your request.
• To provision and operate platform accounts — creating and managing your login credentials, enforcing role-based access controls, and maintaining session security. Basis: performance of our contract with your institution.
• To improve our platform and services — analysing aggregated usage patterns to identify areas for improvement, prioritise feature development, and diagnose performance issues. Basis: our legitimate interest in improving our product. This analysis operates on aggregated or pseudonymised data.
• To comply with legal obligations — retaining records as required by Canadian corporate and tax law, and disclosing information in response to valid legal process. Basis: compliance with applicable law.
• To send service communications — notifying you of security incidents, API deprecations, scheduled maintenance, and material updates to this policy or our terms. Basis: our legitimate interest in keeping users informed. You may not opt out of these communications while your account is active.

We do not use your personal information for automated profiling that produces legal or similarly significant effects, nor for advertising purposes.

Client Data Processing

Synthetic Reality processes financial and transactional data on behalf of client institutions under a Data Processing Agreement (DPA). In this context, the client institution acts as the data controller and Synthetic Reality acts as a data processor. We process such data only on documented instructions from the client and do not use it for any purpose of our own.

Client data processed through our platform is logically and cryptographically isolated per client tenant. We do not combine data from one client institution with data from another, and we do not use client data to train or fine-tune models that are shared across clients without explicit written consent.

Data Sharing

We do not sell personal information. We share personal information only in the following limited circumstances:

• Service providers: We engage a small number of subprocessors who assist us in operating our infrastructure — including cloud hosting providers (AWS, Azure) and enterprise communication tools — under contractual data protection obligations consistent with this policy.
• Professional advisors: We may share information with our legal counsel, auditors, and accountants under confidentiality obligations where necessary to operate our business or defend legal claims.
• Corporate transactions: In the event of a merger, acquisition, or asset sale, personal information may be transferred to the acquiring entity, which will be required to honour this policy or provide equivalent protection.
• Legal requirements: We may disclose personal information where required by Canadian law, a valid court order, or a lawful request from a government authority with jurisdiction over us. We will notify you of any such disclosure to the extent permitted by law.

Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected, subject to legal retention obligations. Our general retention practices are as follows:

• Access request information: Retained for 24 months from the date of submission if no commercial agreement results, or for the duration of the commercial relationship plus 36 months if it does.
• Platform account information and usage logs: Retained for the duration of the active account, plus 7 years following account termination for audit and legal compliance purposes.
• API audit logs: Retained for a minimum of 7 years by default, configurable to longer periods for clients with specific regulatory retention requirements.
• Communications: Retained for 3 years from the date of last substantive communication.

When retention periods expire, we delete or irreversibly anonymise personal information. Anonymised data may be retained indefinitely for statistical purposes.

Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the personal information we hold. Our security programme is described in detail on our Security page and includes SOC 2 Type II certification, annual penetration testing by an independent third party, encryption at rest and in transit, and role-based access controls enforced at every layer of our platform.

In the event of a personal information breach that poses a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and the affected individuals in accordance with PIPEDA's mandatory breach notification requirements, and will notify the Commission d'accès à l'information du Québec in accordance with Law 25 where applicable.

Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Access: The right to request confirmation of whether we hold personal information about you and to receive a copy of that information.
• Correction: The right to request correction of inaccurate or incomplete personal information we hold about you.
• Deletion: The right to request deletion of your personal information, subject to our legal retention obligations and legitimate interests in maintaining audit records.
• Withdrawal of consent: Where processing is based on consent, the right to withdraw that consent at any time — noting that withdrawal does not affect the lawfulness of processing prior to withdrawal.
• Portability (Québec): Residents of Québec have the right to receive their personal information in a structured, commonly used, and technological format, and to request that it be communicated to any person or body authorized by law to collect such information.

To exercise any of these rights, contact our Privacy Officer at the address below. We will respond within 30 days. We may require identity verification before processing a request and may decline requests that are manifestly unfounded or excessive.

Cookies & Tracking

Our public website uses a minimal set of first-party cookies for session management and basic analytics. We do not use third-party advertising cookies or cross-site tracking technologies. Our analytics are self-hosted and do not transmit your browsing data to third-party analytics providers.

The Synthetic Reality platform does not use cookies for tracking purposes. Session tokens used within the platform are first-party, short-lived, and not shared with any third party.

You may configure your browser to refuse cookies. Doing so will not affect your ability to view our public website, but may affect certain functions within the authenticated platform.

Contact Our Privacy Officer

Questions, requests, or complaints regarding this Privacy Policy or our personal information handling practices may be directed to our designated Privacy Officer. We take all inquiries seriously and will respond within 30 days of receipt.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca, or with the Commission d'accès à l'information du Québec if you are a resident of Québec.