CovaSyn Privacy Policy
Effective date: 19 May 2026 · Last updated: 19 May 2026
German version: Datenschutzerklärung.
1. Who we are
This Privacy Policy applies to the CovaSyn services, including the website covasyn.com, the workspace application at workspace.covasyn.com, our MCP server endpoints, and the CovaSyn application available in the ChatGPT App Directory (collectively, "CovaSyn").
The controller is:
CovaSyn GmbH
Naunhofer Straße 67, 04299 Leipzig, Saxony, Germany
Registered in the German Commercial Register (Handelsregister), Amtsgericht Leipzig, HRB 43655
Managing Director: Dr. Oliver Kraft
Email: privacy@covasyn.com
Web: https://www.covasyn.com
For all questions about this policy or your data, contact us at privacy@covasyn.com.
2. Scope
This policy covers personal data we process when you interact with CovaSyn, including via our MCP server endpoints and via the CovaSyn application inside ChatGPT. It does not cover OpenAI's separate processing of your ChatGPT conversation, which is governed by OpenAI's own privacy policy, nor any other MCP client's processing (e.g., Claude Desktop, Cursor, VS Code), which is governed by the respective vendor's policy.
3. Data we process
When you invoke a CovaSyn tool the following data flows to us:
Scientific input data. Chemical structures (SMILES, InChI, MOL, SDF), biological sequences (protein, RNA, DNA), spectral data (NMR, IR, MS, UV-Vis), experimental measurements, and any other scientific input you provide to a tool. This data may, in rare cases, contain or imply personal information if you include it (for example, patient identifiers in clinical data). We ask users not to submit such data.
Authentication and account data. If you connect a paid CovaSyn account: API key (hashed at rest), account email, plan tier, language preference. The Free tier requires an account in the same way.
Technical metadata. Timestamp, tool name invoked, request size, response status, IP address (truncated to /24 after 24 hours), and, for ChatGPT App invocations, the session identifier provided by ChatGPT. This metadata is required for rate-limiting, abuse prevention, billing, and security.
We do NOT collect: ChatGPT conversation history outside of the specific tool invocation, your OpenAI account identity beyond what OpenAI passes us, or content from other ChatGPT apps. We do not collect biometric data, do not run advertising trackers on our application surfaces, and do not sell personal data.
4. Purposes and legal basis (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Providing the requested computational result | Art. 6(1)(b) GDPR — contract performance |
| Rate-limiting, abuse prevention, security | Art. 6(1)(f) GDPR — legitimate interest |
| Billing and account management (paid tiers) | Art. 6(1)(b) GDPR — contract performance |
| Tax and accounting record retention | Art. 6(1)(c) GDPR — legal obligation (§ 147 AO) |
| Aggregated, non-identifying usage analytics | Art. 6(1)(f) GDPR — legitimate interest |
5. We do not train models on your data
Scientific inputs you submit are used only to compute the requested result. We do not use customer inputs to train, fine-tune, or otherwise improve our ML models.
CovaSyn tools are deterministic computational functions built on our own chemistry, spectroscopy, and structure engines. Tool execution does not involve any external Large Language Model, foundation model, or other third-party model provider in the data path. Your inputs are processed exclusively by CovaSyn-owned, deterministic engines.
Where we develop our own predictive models internally, training uses only public datasets (for example USPTO, PubChem, ChEMBL) and data we have explicitly licensed for that purpose.
6. Data retention
- Scientific inputs and outputs: processed in memory and not persisted to long-term storage. Short-term operational logs that may include payloads are discarded within 30 days.
- Technical metadata (truncated IP, tool name, timestamp, credit cost): 90 days for security and abuse prevention.
- Account data: retained while the account is active and deleted on account deletion, except where legal retention applies.
- Billing records (paid tiers): retained for 10 years per German tax law (§ 147 AO).
- Free-tier interactions: no payload-linked retention beyond the 90-day technical metadata window.
7. Recipients and sub-processors
We share data only with the following categories of recipients, acting as processors under Art. 28 GDPR. Data Processing Agreements (DPA / AVV) are in place with each and are available on request via privacy@covasyn.com.
- Hetzner Online GmbH (Industriestraße 25, 91710 Gunzenhausen, Germany) — primary hosting in Leipzig (DE) for covasyn.com, workspace.covasyn.com, the MCP gateway, application backend, database servers, and internal systems. EU processing.
- Cloudflare, Inc. (USA, EU presence) — authoritative DNS for covasyn.com. No reverse-proxy or web-application-firewall routing through Cloudflare; traffic resolves directly to our Hetzner origin. Standard Contractual Clauses (SCCs) in place.
- Supabase Inc. (USA, EU region for our project) — authentication and database for the workspace. Data: email, password hash, profile, tool-call metadata, API key hashes. SCCs in place; data resides in the EU.
- Stripe Payments Europe Ltd. (Ireland) — payment processing, invoicing, Stripe Tax. Data: email, billing address, VAT ID (if provided), card data (handled exclusively by Stripe).
- Resend Inc. (USA, sending via EU AWS infrastructure) — transactional email (account confirmation, payment receipts, password reset). Data: email address and message content. SCCs in place.
- Google Workspace (Google Ireland Ltd.) — corporate email and internal collaboration. Used only for our own business correspondence, not for processing user payloads.
We do not sell personal data. We do not share data with advertisers. The processor list is updated when changes occur; the version above reflects the state on the "Last updated" date.
8. International data transfers
If you reach CovaSyn through the ChatGPT integration, OpenAI (United States) receives your tool invocation as part of the ChatGPT flow. That transfer is governed by OpenAI's own agreements with you and by the EU–U.S. Data Privacy Framework, under which OpenAI is self-certified.
Where we use US-based processors (for example Stripe, Supabase, Resend, Cloudflare), transfers are based on Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR and on the EU–U.S. Data Privacy Framework where applicable.
9. Your rights (GDPR Art. 15–22)
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17), subject to legal retention obligations
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, without affecting prior processing
- Lodge a complaint with a supervisory authority. The competent authority for CovaSyn GmbH is the Saxon Data Protection Commissioner (Sächsischer Datenschutzbeauftragter), Bernhard-von-Lindenau-Platz 1, 01067 Dresden, Germany.
To exercise these rights, email privacy@covasyn.com. We respond within one month per Art. 12(3) GDPR.
10. Security
We use TLS 1.3 for all data in transit. Authentication uses bearer tokens transmitted over HTTPS; API keys are stored as Argon2id hashes. Internal systems follow the principle of least privilege, full-disk encryption is enabled on all storage volumes, and we perform regular security reviews. We will notify affected users and the competent authority within 72 hours of becoming aware of a personal data breach affecting your data (Art. 33–34 GDPR).
More detail on our security posture is available on the Security page.
11. Children
CovaSyn is intended for professional use in chemistry and pharmaceutical R&D. It is not directed at children under 16, and we do not knowingly process data from children.
12. Changes
We will post material changes to this policy on this page at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
13. Data Protection Officer
CovaSyn GmbH is currently below the statutory thresholds for mandatory designation of a Data Protection Officer under Art. 37 GDPR in conjunction with § 38 BDSG. We have therefore not designated a DPO at this time. All privacy questions and data-subject requests are handled by management at privacy@covasyn.com. Should we cross the threshold or expand into processing categories that require a DPO, we will appoint one and update this section.
