← back

Privacy

Last updated: 2026-05-26

The short version

Symph AI is a free consultation form. You tell us what you're trying to build or fix. We use AI to sketch a starting point, then we save your brief so our team can follow up if you ask us to. We measure how the form performs so we can make it better. Below: the details of what gets stored where, and how to ask us to delete it.

Who's responsible

Controller: Symph Inc., Cebu, Philippines. Reach us at privacy@symph.co for any privacy question.

What we collect

From the form itself:

  • Your organization name and the selections you make in the wizard (industry, business type, team size, problem/idea, follow-up answer).
  • Free-text you write in the description and follow-up.
  • Your name, email, and optional message if you submit the contact form at the end.

Technical metadata:

  • IP-derived country (used for the consent banner; we don't store the raw IP, only a one-way fingerprint for abuse prevention).
  • User-agent string.
  • Behavioral events (which step you reached, what you clicked, whether the AI guess matched).

Why we collect it

  • Contract necessity (GDPR Art. 6(1)(b), PH DPA §12c): your brief is the service you asked for. We need it to generate the recommendation and to follow up if you submit the contact form.
  • Legitimate interests (Art. 6(1)(f), PH DPA §12f): rate-limiting, abuse prevention, and product analytics on our own systems (Firestore).
  • Consent (Art. 6(1)(a), PH DPA §12a): third-party analytics (PostHog). EU visitors must opt in via the banner; PH visitors can opt out via this page.

Where it goes (processors)

  • Google (Gemini API) — anything you type is sent to the Gemini API to generate the recommendation. Data may be processed in the US. Standard Contractual Clauses apply for transfers from the EEA.
  • Google Cloud (Firestore, Cloud Run) — the brief, contact info, and behavioral events are stored in Google Cloud, in the asia-southeast1 region (Singapore).
  • PostHog (EU region) — only if you accepted analytics. Used for funnel and drop-off measurement. EU servers, GDPR-compliant DPA.
  • Resend — sends the notification email to info@symph.co when you submit the contact form or feedback.

How long we keep it

  • Contact submissions: 36 months.
  • Brief / wizard data: 24 months.
  • Behavioral events (Firestore): 12 months.
  • Behavioral events (PostHog free tier): 12 months.
  • Aggregate, fully-anonymized statistics: indefinitely.

Your rights

You can ask us to access, correct, export, or delete your data at any time. We try to respond within 30 days. Email privacy@symph.co with the request and any identifier you have (the email you submitted, the date, the org name). We'll delete from both Firestore and PostHog.

If you're in the EEA and you think we mishandled your data, you can complain to your local Data Protection Authority. If you're in the Philippines, you can complain to the National Privacy Commission (privacy.gov.ph).

Cookies and local storage

We use localStorage to remember your consent choice for 6 months, and sessionStorage to keep your wizard state during a single visit. If you accepted analytics, PostHog also sets a few of its own cookies — see their privacy policy.

Opt out of analytics

If you want to stop analytics, clear symph_consent in your browser's local storage, or email us at privacy@symph.co and we'll forget you across our systems.

terms · home