Synth Cabal — Privacy Policy
Version: 2026-04-24
Effective date: 24 April 2026
1. Controller
Personal data processed through Synth Cabal (the Telegram bot @SynthCabalBot, the Telegram Mini App, and the companion web dashboard — together, the "Service") is controlled by:
Individual Entrepreneur Nikita Babenko Vladimir, Republic of Armenia
Contact: [email protected]
The Operator is the same legal entity that controls VibeNest. Deployment-related data flowing from Synth Cabal to VibeNest stays with the same controller; see section 5.
2. Scope
This policy covers personal data we process when you interact with any of Synth Cabal's three surfaces:
- the Telegram bot;
- the Telegram Mini App ("TMA") inside Telegram;
- the Synth Cabal web dashboard.
It does not cover your use of Telegram itself (governed by Telegram's Privacy Policy) or your use of VibeNest after deployment (governed by the VibeNest Privacy Policy).
3. What we collect
3.1 Telegram profile
When you start a conversation with @SynthCabalBot or open the TMA, Telegram sends us: telegram_id, username, first_name, last_name, language_code, and your profile photo URL (photo_url). We use this to identify your account, localise the UI, and display your name/avatar inside Synth Cabal.
3.2 Chat content
We store the text of messages you send to the bot, and of replies the bot sends to you, in order to operate the Service (understanding your project, continuing a conversation, resuming a discovery session).
- Retention: we retain chat messages for 12 months from the date of the message, after which they are automatically deleted by a scheduled cleanup job. Derived summaries are subject to the same 12-month schedule.
- We do not store media content you send (photos, voice, documents) — only the text extracted by Telegram.
3.3 Behavioural signals
To adapt the UX we infer a small number of coarse signals:
- TechSavviness (integer 0–10) — estimated technical fluency, so we can simplify or enrich explanations;
- AverageBurstGapMs — pacing of your typing bursts, used to tune the bot's reply cadence.
These are inferred passively from your messages. You can ask us to reset them by contacting support.
3.4 Project artefacts and credentials
When you create a project in Synth Cabal we store:
- the project's metadata, discovery summary, plan, and deployment target;
- the Git repository URL you link (or the repository we create for you on GitHub);
- environment variables, API keys and other secrets you provide (stored encrypted at rest with AES-256-GCM in the project_credentials table);
- access-audit records in credential_access_logs — who/what read each credential and when.
3.5 Billing and wallet
We store a ledger of your in-app token balance, Telegram Stars purchases (stars_purchases), and wallet transactions (user_wallet_transactions). Each Telegram Stars purchase keeps the telegram_payment_charge_id and provider_payment_charge_id so we can handle refunds and reconciliation.
3.6 Pipeline & security observability
We store pipeline events (classifier results, prompt/completion token counts, latencies, errors) for up to 90 days to debug and tune the Service. Security-assessment records (per project) persist while the project exists.
3.7 Technical data
When you use the TMA or Web App we process standard technical data: IP address (briefly, for anti-abuse and rate limiting), user-agent, and TMA initData (which Telegram signs). We do not use advertising cookies.
3.8 Internal staff access to message contents
Authorized personnel of the Operator may access the contents of your chat messages with the bot, associated pipeline traces, and project artefacts for the following purposes:
- debugging and quality analysis of the Service and of individual LLM interactions;
- investigation of reports of abuse, fraud, or violations of the Terms;
- responding to support requests you have submitted.
Such access is restricted to personnel who need it to perform these tasks, is limited to what is reasonably necessary for the purpose, and is recorded in an internal audit log (admin_audit_logs) that captures the action, the affected project, the timestamp, and the acting account. Staff do not have access to decrypted credential values (see section 3.4 and section 10).
4. Legal bases (GDPR Art. 6)
We process personal data on the following bases, depending on the purpose:
| Purpose | Legal basis |
|---|---|
| Operating the Service (chat, TMA, Web App) | Contract (Art. 6(1)(b)) |
| Security, abuse detection, rate limiting | Legitimate interests (Art. 6(1)(f)) |
| Billing and Telegram Stars reconciliation | Legal obligation (Art. 6(1)(c)) and contract |
| Optional behavioural signals (TechSavviness) | Legitimate interests — you can opt out |
| Deployment to VibeNest / third-party integrations | Contract, triggered by your explicit action |
5. Sub-processors
We share data with the processors below, only as needed to operate the Service:
- Telegram (Telegram FZ-LLC / Telegram Messenger Inc.) — messaging transport, TMA runtime, Telegram Stars payments.
- OpenRouter and the underlying model providers routed through it — Anthropic, OpenAI, DeepSeek, Google, Meta and others depending on the model we select at the time. Your prompts and generated code are forwarded to these providers to produce model responses. OpenRouter and each provider retain content under their own policies; we select providers that state they do not use API inputs to train their models by default.
- GitHub, Inc. — repository hosting, collaborator management, and (for Synth Cabal-managed repos) automatic repository creation under the squad-bot account.
- VibeNest (same Operator) — when you initiate a test or production deployment, we send: your Telegram profile fields (telegram_id, first_name, last_name, username, photo_url), a non-technical project description generated from your discovery summary, and a deployment ID. VibeNest may provision a linked user account for you and return a one-time magic-link. Deployment data is then subject to the VibeNest Privacy Policy.
- Coolify and ClickHouse (inherited through VibeNest) — used by VibeNest to operate deployments and its own observability.
We may add or change sub-processors; material changes will be reflected here and the "Version" bumped.
6. Where data is processed
Synth Cabal's servers are hosted in the Russian Federation; VibeNest's production infrastructure is hosted in Germany. Telegram routes messages through its own global infrastructure. Data transfers rely on the controller's status as an Armenian entity, on appropriate contractual safeguards with sub-processors, and — for EEA/UK users — on Standard Contractual Clauses or equivalent mechanisms.
7. Your rights
Depending on where you live (Armenia, EEA/UK, or elsewhere) you may have rights to:
- access the personal data we hold about you;
- rectify inaccurate data;
- erase your data ("right to be forgotten");
- restrict or object to processing;
- data portability;
- withdraw consent for optional processing at any time;
- lodge a complaint with your local supervisory authority.
You can exercise these rights yourself from the Telegram Mini App on the "My data" page (/account/data):
- Export — the "Download my data" button returns a single JSON file containing your profile, chats, projects, billing history, credential metadata (never decrypted values), referrals and consent records. Stored API keys are never included in decrypted form.
- Deletion — the "Delete account" button queues your account for erasure with a 30-day grace period. During those 30 days you can change your mind and click "Cancel deletion" on the same page.
- After the 30 days we permanently erase: chats and their summaries, projects (along with plans, tasks, stored credentials and chat bindings), subscriptions, referral codes and wallet binding.
- We retain in anonymised form rows we are required to keep for accounting and audit reasons: wallet transactions, Telegram Stars purchases, credential access logs, admin audit logs, pipeline events. In these rows identifying fields are overwritten with a pseudonym deleted-user-<hash>; amounts, dates and deployment metadata remain intact.
You can also email [email protected] or send /paysupport in the bot if you prefer support-assisted handling. We respond within 30 days.
8. Automated decisions and profiling
We do not make legally significant decisions about you solely by automated means. The behavioural signals in section 3.3 only shape how the UI talks to you; they do not affect pricing, access, or eligibility. Security scoring can auto-hide a project flagged as clearly abusive — you can appeal via /paysupport.
9. Children
Synth Cabal is not intended for children under 13, or under 16 in the EEA/UK. If you believe a child has used Synth Cabal, email us and we will delete the account.
10. Security
We apply reasonable technical and organisational measures: TLS in transit, PostgreSQL at rest, AES-256-GCM for stored credentials, least-privilege access to production, audit logging for credential access, and sandboxed per-project workspaces on worker nodes. No system is perfectly secure — if you suspect a compromise, email us immediately.
11. Supervisory authorities
- Armenia: Personal Data Protection Agency of the Ministry of Justice (under Law HO-49-N).
- EEA/UK: your local Data Protection Authority. You can lodge a complaint directly.
12. Changes to this policy
We may update this policy. The effective date and version are shown at the top. When a change is material (for example, a new category of data, a new sub-processor, or a change in retention), we will notify you inside the bot and inside the TMA before it takes effect, and — where the Service requires fresh consent before a chargeable action — we will re-prompt for acceptance.
13. Contact
Controller: IE Nikita Babenko Vladimir, Republic of Armenia
Email: [email protected]
Bot: @SynthCabalBot — /privacy, /terms, /paysupport.