Skip to main content

Privacy Policy

Last updated: April 1, 2026

1. Who We Are

Symbol ("Symbol Chat", "we", "us", "our") is a knowledge management platform operated by Databoy Pro Sites Limited, a company registered in Zambia (prosites.co.zm). The platform is available at symbol.chat and includes the Symbol web application, MCP server at mcp.symbol.chat, REST API, and associated mobile and desktop applications (collectively, the "Service").

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Service. By using the Service, you agree to the practices described in this policy.

2. Information We Collect

Account Information

When you create an account, we collect your email address and, if you choose to provide it, your display name. If you sign in via GitHub OAuth, we receive your GitHub profile information (username, email, avatar URL, and GitHub numeric ID).

Content You Create

We store the Capsules, Types, and other content you create within the platform. This includes text content, metadata (titles, tags, references), and any file attachments you upload.

File Attachments

Uploaded files are stored in cloud object storage (Cloudflare R2 / S3-compatible storage). Attachments expire after 30 days by default and are automatically deleted.

Usage and Technical Data

We collect standard server logs including IP addresses, request timestamps, and user agent strings. We may also collect approximate geographic location derived from your IP address, and device or browser metadata. We use this data for security, abuse prevention, debugging, and service improvement.

Cookies and Session Tokens

We use cookies and similar technologies to operate the Service. Specifically, we use session cookies (JWT-based, set by our authentication system) to keep you logged in, and CSRF cookies to protect against cross-site request forgery attacks. These cookies are strictly necessary for the Service to function and cannot be opted out of while using the Service. We do not use advertising or tracking cookies.

API Keys

If you generate API keys for MCP or CLI access, we store a SHA-256 hash of each key. We never store or log raw API keys after initial generation.

3. How We Use Your Information

  • Providing, operating, and maintaining the Symbol Service
  • Authenticating your identity and securing your account
  • Enabling full-text search across your Capsules using PostgreSQL search indexes
  • Sending transactional emails (password resets, team invitations)
  • Detecting and preventing fraud, abuse, and security threats
  • Diagnosing technical issues and improving service reliability
  • Complying with applicable laws and responding to lawful requests from authorities

We do not sell your personal information. We do not use your Capsule content to train AI models.

4. Team and Sharing Features

When you use team features, your Capsules may be visible to team members based on the visibility level you set (self, team_view, team_edit, or link). Share tokens allow anonymous access to individual Capsules; these tokens can be set to expire or have a maximum view count. You are responsible for the access levels you configure on your content.

5. AI Context and MCP Integration

Symbol integrates with AI assistants via the Model Context Protocol (MCP). When you use MCP tools, your AI assistant sends and receives Capsule data through our API. We do not store your AI conversation history. We only store the Capsules you explicitly save. We do not use your Capsule content to train AI models.

6. International Data Transfers

Databoy Pro Sites Limited is based in Zambia. The Service relies on third-party infrastructure providers located in other countries, including the United States. By using the Service, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, including countries that may have different data protection laws than your jurisdiction. We take reasonable steps to ensure your data is handled securely regardless of where it is processed.

7. Data Security

We use industry-standard security measures including: encrypted connections (HTTPS/TLS), hashed passwords (bcrypt with salt), hashed API keys (SHA-256), UUID-based identifiers, and multi-tenant data isolation. All database queries are parameterized to prevent SQL injection. Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

8. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users as soon as reasonably practicable after becoming aware of the breach, and within 72 hours where required by applicable law. Notification will be provided via email to the address associated with your account.

9. Data Retention and Deletion

Your Capsules use soft-deletion. When you delete a Capsule, it is marked as deleted and permanently removed after any associated share tokens expire. File attachments expire and are deleted after 30 days. You can request a full data export or permanent deletion of all your data through the GDPR endpoint in your account settings or by contacting us directly.

10. Law Enforcement and Legal Disclosure

We may access, preserve, or disclose your information if we believe in good faith that doing so is required by applicable law, regulation, legal process, or a valid governmental request (such as a court order or subpoena). Where permitted by law, we will attempt to notify you before disclosing your information. We do not sell data to law enforcement agencies.

11. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us.

12. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your account and all associated data
  • Portability: Export your data in a machine-readable format
  • Restriction: Request that we restrict processing of your data in certain circumstances
  • Objection: Object to processing of your personal data where we rely on legitimate interests as our legal basis

California residents: we do not sell personal information as defined under the California Consumer Privacy Act (CCPA).

To exercise any of these rights, contact us using the email address below. We will respond within 30 days.

13. Third-Party Services

We use the following third-party services:

  • GitHub: OAuth authentication provider
  • Cloudflare R2: file attachment storage
  • Resend: transactional email delivery
  • Vercel: application hosting and deployment
  • Sentry: error monitoring and diagnostics

Each of these providers has their own privacy policy governing how they handle data. We are not responsible for the privacy practices of third-party services.

14. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of Zambia. Any disputes arising under or in connection with this policy shall be subject to the exclusive jurisdiction of the courts of Zambia.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by posting the updated policy on this page with a revised "Last updated" date. We encourage you to review this policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact

If you have questions about this Privacy Policy or your data, contact us at hello@prosites.space.

Databoy Pro Sites Limited
64 Jumbo Drive, Riverside
Kitwe, ZM 50100
Zambia
prosites.co.zm