Privacy Policy

1. Information We Collect

1.1 Account information

When you create an account, we collect your email address, username, and encrypted password. If you sign in with Google or GitHub OAuth, we collect your name, email, and profile picture from those providers.

1.2 Conversation data

To provide the core service, we store the messages you send and responses you receive from AI models. This includes any files, images, or documents you upload.

1.3 Memory data

Synaptic's persistent memory feature extracts and stores facts and context about you from your conversations (e.g. your role, preferences, ongoing projects). These memories are encrypted and accessible only to you.

1.4 Integration data

When you connect integrations (Google, Slack, Notion, MCP servers), we store OAuth tokens encrypted at rest using Fernet symmetric encryption. We only access data on your behalf when you explicitly ask the AI to do so.

1.5 Usage data

We log basic technical data for operations: API call counts, error rates, model usage, and feature usage. This helps us maintain service quality and detect abuse.

1.6 API keys (BYOK)

If you bring your own API keys (OpenAI, Anthropic, etc.), they are encrypted with Fernet before storage. We never log them in plaintext or share them with any third party.

2. How We Use Your Data

• Provide the service — process chats, run tools, generate AI responses
• Build your memory — extract context to personalize future interactions
• Execute integrations — call APIs (Gmail, Drive, Slack, etc.) on your request
• Improve reliability — monitor errors, performance, and uptime
• Prevent abuse — rate limiting, fraud detection, security monitoring
• Communicate with you — service updates, security alerts, occasional product news

3. Third-Party Services

Synaptic uses third-party services to deliver core functionality. Each service receives only the data needed to perform its function.

3.1 AI model providers

When you use a model (GPT-4o, Claude, Gemini, etc.), your message is sent to the relevant provider (OpenAI, Anthropic, Google, etc.). Each provider has its own data policies — most do not train on API requests by default. With BYOK, your data goes directly to the provider under your own account.

3.2 Infrastructure

• Hetzner — server hosting (Germany)
• Cloudflare — DNS, CDN, DDoS protection
• Cloudflare R2 — file storage (backups, uploads)

3.3 Optional integrations

If you connect them: Google (Gmail/Drive/Calendar), Slack, Notion, GitHub, and any MCP-compatible server. You control which integrations are enabled.

4. Data Security

• Encryption at rest — All sensitive data (API keys, OAuth tokens) encrypted with Fernet
• Encryption in transit — HTTPS/TLS for all connections
• Password hashing — bcrypt with secure salts
• Database isolation — Separate databases for application data and embeddings
• Access controls — Strict authentication on all endpoints
• Backup encryption — Daily encrypted backups to Cloudflare R2

5. Your Rights

You have full control over your data:

• Access — view all your data inside the app at any time
• Delete chats — delete individual chats or all chats
• Delete memories — manage and delete extracted memories
• Disconnect integrations — revoke OAuth tokens with one click
• Delete account — permanently delete your account and all associated data
• Export — request a copy of your data (contact support)
• Opt out — disable specific features (memory, integrations) at any time

6. Data Retention

We retain your data while your account is active. When you delete your account, all personal data, chats, memories, and integrations are permanently removed within 30 days. Backups containing your data are purged within 90 days.

7. Cookies

Synaptic uses essential cookies to keep you signed in (JWT session tokens). We do not use tracking or advertising cookies. We use privacy-respecting analytics (Plausible) that does not require cookies.

8. International Users (GDPR & CCPA)

Synaptic complies with GDPR (Europe) and CCPA (California). EU and California residents have additional rights including data portability, the right to be forgotten, and the right to object to processing. Contact us to exercise these rights.

9. Children's Privacy

Synaptic is not intended for users under 16 years old. We do not knowingly collect data from children. If you believe we have, please contact us for removal.

10. Changes to This Policy

We may update this policy as our service evolves. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top reflects the most recent revision.

11. Contact Us

Questions about privacy, data requests, or this policy?