Synchronise AI
PrivacySub-processorsCookieTermsLogin
Privacy

How we handle your data.

Synchronise AIconnects to the tools your team already uses, reads product signal through those connections, and produces cited insights and outputs. We don't build a copy of your source systems - there is no parallel database mirroring your tickets or events. What we store is your chat history, the working files and outputs we generate, anything you upload, and - when you connect a messaging channel (WhatsApp, Messenger, or Instagram) - the customer messages in your inbox and the replies you draft or send, so the shared inbox works. All of it is scoped to your workspace and held in Tokyo, Japan. Each section opens with a plain-English summary, then the full detail.

v2026.07 · effective 2 July 2026UK & EU GDPRUS state privacy lawsAustralian Privacy PrinciplesNo training · no resale
On this page
  1. 01Overview & scope
  2. 02Who we are and our role
  3. 03Information we collect
  4. 04How and why we use it
  5. 05Autonomous agents
  6. 06Connected sources & Google data
  7. 07How we share information
  8. 08Security & where data lives
  9. 09How long we keep it
  10. 10International transfers
  11. 11Cookies & tracking
  12. 12Your privacy rights
  13. 13Regional disclosures
  14. 14Children, changes & contact
On this page+
  1. 01Overview & scope
  2. 02Who we are and our role
  3. 03Information we collect
  4. 04How and why we use it
  5. 05Autonomous agents
  6. 06Connected sources & Google data
  7. 07How we share information
  8. 08Security & where data lives
  9. 09How long we keep it
  10. 10International transfers
  11. 11Cookies & tracking
  12. 12Your privacy rights
  13. 13Regional disclosures
  14. 14Children, changes & contact
01

Overview & scope

In short

We read the product signal in the tools you connect, in memory, and write back only the insights and outputs we generate. This policy covers the Synchronise AI web app and the agents that run on your behalf.

Synchronise AI is a product-intelligence tool. It connects to the systems your team already uses, analyses the signal inside them, and produces cited insights, themes, briefs, and other outputs that help product teams decide what to build.

This Privacy Policy explains what personal data and customer signal we handle, why, who we share it with, how long we keep it, and the rights you have. It applies to synchronise.ai, the in-product experience, and the autonomous agents that run on your behalf. It does not cover third-party services you connect - those are governed by their own policies.

It sits alongside our Terms of Service, our Sub-processors list, our Cookie Notice, and - for business customers - our Data Processing Addendum.

02

Who we are and our role

In short

We're an Australian company (ABN 68 960 446 366). For your account we're the data controller; for the source data you connect, we act as your processor.

Synchronise AI is operated as an Australian business, ABN 68 960 446 366. You can reach the person responsible for privacy questions - including access and deletion requests and breach disclosure - at gautham@synchronise.ai.

Account data(your identity, workspace, billing, and product usage): we decide why and how it's processed, so we act as the data controller.

Connected source data (the signal we read from the systems you connect, and the outputs derived from it): you decide what to connect and why, so we act as your processor(a “service provider” under US law). Our processing terms for that data are in the Data Processing Addendum.

03

Information we collect

In short

Account and billing details, the product work we generate, files you upload, and product telemetry. Raw source records are read in memory and not stored.

CategoryWhat it includesWhere it comes from
Account & identityEmail, name, workspace, team membership, and the OAuth identity from your sign-in provider.You, when you sign up
BillingStripe customer ID, plan, invoices, and renewal dates. We never see your card number.You & Stripe
Connected source signalSignal from the systems you connect (events, tickets, threads, issues, pages, docs, recordings), read through your connection during analysis. We don't mirror it into a raw datastore, but excerpts appear in stored chat history and working files (see retention).Sources you connect
Working & memory filesNotes and files an analysis or agent writes during a run. When a tool returns more than a short slice, the full output is saved to your workspace's memory so it can be referenced, and kept until you or the agent delete it.Created during analysis
Generated workInsights, themes, decision cards, briefs, specs, slides, outreach, chat history, artifacts, and the evidence chain we built them from.Created in-product
UploadsFiles you attach in chat, stored in a private bucket scoped to your workspace.You
Product telemetryFirst-party usage events, model-usage metadata (model, token counts, latency), and masked session recordings used to debug and improve the app.As you use the app
Connected messaging channelsWhen you connect a WhatsApp Business number, a Facebook Page (Messenger), or an Instagram professional account, the messages your customers send you and the reply you draft or send from the inbox - sender handle, message content, and the drafted/sent reply - stored so the shared inbox works. We reply only to your own customers, from your own accounts, at your direction; we never message anyone the customer didn't first contact, and we never use this data for advertising or model training.Your customers, via channels you connect
CommunicationsEmails and, if you connect it, Telegram messages you exchange with the product and its agents.You

What we don't collect

  • A mirror of your connected systems - we don't bulk-ingest your sources into a parallel raw datastore.
  • Card numbers - handled entirely by Stripe.
  • Data from systems you didn't explicitly connect.
  • Biometric data, precise location, or advertising identifiers.
04

How and why we use it

In short

To run the product you asked for - connect sources, generate insights and outputs, run agents, bill you, keep the service secure, and support you. We never train models on your data.

We use the data above to:

  • Provide the product: connect sources, analyse signal, and generate insights, themes, and outputs.
  • Run agents you configure, and deliver their results to you.
  • Authenticate you, manage your workspace and team, and process billing.
  • Keep the service secure: detect abuse, enforce limits, and investigate incidents.
  • Support you, and debug and improve the product using telemetry.
  • Meet legal obligations such as tax and accounting.

Legal bases (UK / EU GDPR)

  • Performance of a contract - to provide the product and account you signed up for.
  • Legitimate interests - to secure, debug, and improve the service, balanced against your rights.
  • Consent - where required, for example connecting an optional source or non-essential cookies. You can withdraw it at any time.
  • Legal obligation - to keep billing and tax records.

No training on your data

We do not train foundation models, shared machine-learning systems, or reusable model weights on your data. Your prompts, chats, connected signal, and outputs may be sent to our model provider for inference only - to produce the result you asked for - and are not used to build a shared training corpus. Our model provider, Anthropic, likewise does not use data sent through its API to train its models. We never sell your data.

05

Autonomous agents

In short

Agents are jobs you set up that run on a schedule or on demand - reading the sources you connected, producing an artifact, and delivering it to your inbox, email, or Telegram. They use the same in-memory read and never store raw data.

An agent is a recurring or on-demand job you define - for example, a daily briefing that scans your connected tools and writes up what changed. When you create one, you choose the prompt, the schedule, and where the result is delivered.

Where agents run

Scheduled agents run on dedicated cloud compute provisioned per workspace (currently Fly.io). A scheduler triggers each run at the time you set; you can pause, edit, or delete any agent from your workspace.

What they can touch

An agent can read only the sources and scopes you have already connected, through the same OAuth broker described below. It reads that signal transiently to do its analysis - it does not store raw source records.

Where the output goes

The agent produces an artifact (an insight, briefing, or document) that is saved to your workspace. Depending on your settings, we then notify you in the in-app inbox, by email (the summary plus a link, not the raw artifact), and/or via Telegram if you've linked a chat. Delivering an output to Telegram sends it to that third party at your direction; we treat Telegram as a notification channel, not a place to route sensitive personal data.

Automated decisions

Agent outputs are recommendations for you to review. We do not make decisions that produce legal or similarly significant effects about anyone based solely on automated processing.

06

Connected sources, OAuth & Google data

In short

You choose what to connect. Each connector uses OAuth at the narrowest scope, and the tokens are held by our broker - not by us. Disconnect any source at any time to revoke access.

Connecting a source uses OAuth and requests the narrowest read access we need. You review the access on the provider's consent screen before granting it. We read; we do not post or modify your data unless you explicitly ask an agent to.

Our OAuth broker, Composio, holds and refreshes the access tokens for connected sources. Synchronise AI stores only an opaque reference to that connection - not the tokens themselves. Disconnecting a source from Settings revokes the connection.

Connectors span analytics, support, project management, docs, communication, and accounting tools - including PostHog, Google Analytics, Mixpanel, Amplitude, Fathom, Slack, Intercom, Linear, Notion, Jira and Confluence, GitHub, HubSpot, Salesforce, Gmail, and others. We add connectors over time; the current set of services that may receive data is on the Sub-processors page.

Google user data

If you connect a Google source, our use of Google user data follows the Google API Services User Data Policy, including its Limited Use requirements:

  • Opt-in only. You choose whether to connect Google Sign-In, Gmail, Google Analytics, or other Google services.
  • Visible scopes. We only request the scopes shown on Google's OAuth consent screen.
  • Limited use. Google user data is used only to read signal in memory, generate cited insights, and produce the outputs you request.
  • No secondary use. It is not sold, used for advertising, or used to train models.
  • Human-access limits. We do not read Google data unless you allow it or it is needed for security or to comply with law.
  • Revocable. Disconnect a Google source at any time to revoke access.
07

How we share information

In short

Only with the sub-processors that run the product, and never for sale or advertising. The full, current list lives on a dedicated page.

We rely on sub-processors for hosting, agent compute, database, AI inference, OAuth, billing, email, analytics, and delivery. We require each one to protect customer data and process it only to provide the contracted service. The current list, with each provider's region and purpose, is on the Sub-processors page, which we keep up to date.

We may also share information:

  • At your direction - for example, delivering an agent's output to Telegram or exporting an artifact.
  • To comply with law - in response to a valid legal request, or to protect rights, safety, and the integrity of the service.
  • In a business transfer - if Synchronise AI is involved in a merger, acquisition, or sale of assets, under this same policy.

We never sell your personal data and never share it for cross-context behavioural advertising.

08

Security & where data lives

In short

Workspace data lives in Tokyo, Japan. Every database table enforces row-level isolation, traffic is encrypted in transit, and storage is encrypted at rest by our infrastructure providers.

Customer workspace data is stored in Tokyo, Japan. Every table in our database enforces PostgreSQL row-level security, so a workspace can only ever read its own rows, and we limit internal access to what is needed to operate the service.

Data is encrypted in transit with TLS and at rest with AES-256 by our infrastructure providers (Supabase/AWS, Vercel, and Fly.io); we do not add a separate application-level encryption layer. Third-party OAuth tokens are held by our connection broker (Composio), not stored by us, and other application secrets are kept in our hosting providers' managed secret stores.

Synchronise AIdoes not currently hold its own SOC 2 attestation. The providers we build on maintain their own certifications for the parts of the stack they operate; see the Sub-processors page.

If you believe your data or account is at risk, email gautham@synchronise.ai with the subject incident. We notify affected customers of a personal-data breach without undue delay after becoming aware of it.

09

How long we keep it

In short

We don't keep a copy of your source systems. Chat history, working files, outputs, and uploads stay until you delete them or close the workspace; billing records are kept as long as the law requires.

DataRetention
Chat history (incl. tool exchanges)Until you delete it or close the workspace
Working & memory filesUntil you or the agent delete them, or you close the workspace
Generated outputs & artifactsUntil you delete them or close the workspace (ephemeral ones expire automatically)
Uploaded filesUntil you delete them or close the workspace
Connected-source metadataUntil you disconnect the source
Billing & tax recordsAs required by law (up to 7 years)
Routine backupsOverwritten on our database provider's standard cycle

We do not maintain a parallel datastore mirroring your connected sources. Deleting your account or workspace removes live workspace data immediately by cascade and tears down any dedicated agent compute; residual copies survive only in our database provider's routine backups until they age out on the provider's standard cycle. We rely on our infrastructure providers for platform logs and do not keep a separate first-party security-event log.

10

International transfers

In short

Your workspace data is stored in Japan, but some sub-processors operate in the US, EU, and elsewhere. Transfers out of the UK/EEA rely on Standard Contractual Clauses or equivalent safeguards.

Customer workspace data is stored in Tokyo, Japan. To provide the service, some processing happens with sub-processors in other regions - for example AI inference, email, and analytics in the United States, and billing in the US and EU. The current locations are listed on the Sub-processors page.

Where personal data is transferred out of the UK or EEA to a country without an adequacy decision, we rely on the UK International Data Transfer Agreement / Addendum or the EU Standard Contractual Clauses, together with appropriate technical safeguards.

11

Cookies & tracking

In short

The minimum: a sign-in cookie to keep you logged in, and first-party analytics to understand and debug the product. No advertising cookies.

We use three kinds of cookies and similar technologies:

  • Strictly necessary - the session cookie that keeps you signed in.
  • Analytics & product - first-party PostHog, for usage analytics and masked session recording that help us debug and improve the app.
  • Billing - set by Stripe during checkout.

We don't use third-party advertising cookies. The full table, with names and how to control them, is in the Cookie Notice.

12

Your privacy rights

In short

Access, correct, delete, export, restrict, object, and withdraw consent - most in-app, or by emailing us. We respond within 30 days.

  • Access & portability - see what we hold and export your artifacts and insights as Markdown or JSON, with the evidence chain intact.
  • Rectification - most fields are editable in-app; for the rest, ask us.
  • Erasure - delete your account from Settings to remove your account and workspace data, or email us.
  • Restriction & objection - ask us to limit or stop certain processing based on legitimate interests.
  • Withdraw consent - disconnect any source to revoke its access at any time.
  • Complain - to a supervisory authority (see below).

Exercise these in the app, or email gautham@synchronise.ai. We may need to verify your identity. We respond within one month for UK/EU requests (extendable by two months for complex ones) and within 45 days for US state-law requests. Live workspace data is deleted immediately on a deletion request; residual backup copies age out on our provider's standard cycle.

If your personal data reached us only because someone connected a workspace you belong to, we handle it as a processor on that customer's behalf. Send your request to your workspace administrator (the controller) and we will assist them in responding.

13

Regional disclosures

In short

Extra rights and disclosures for the UK and EEA, the United States, and Australia.

UK & EEA (GDPR)

You have the rights in Articles 15-22 of the UK and EU GDPR, set out above. We process on the legal bases listed in section 4 and rely on SCCs / the UK IDTA for transfers. You can complain to the UK Information Commissioner's Office (ICO) or your local EEA supervisory authority.

United States (CCPA / CPRA and other state laws)

We do not sell personal information and do not share it for cross-context behavioural advertising. The categories we collect are listed in section 3 (identifiers, commercial/billing information, and internet activity such as product usage). Residents of California and other states with comparable laws can request to know, delete, and correct their personal information, and we will not discriminate against you for exercising those rights. Submit a request to gautham@synchronise.ai.

Australia (Privacy Act & APPs)

As an Australian business, we handle personal information in line with the Australian Privacy Principles. If you have a concern we can't resolve, you can complain to the Office of the Australian Information Commissioner (OAIC).

14

Children, changes & contact

In short

Synchronise AIisn't for children. We'll tell admins before material changes. Reach a human at gautham@synchronise.ai.

Children's data

Synchronise AI is a workplace product, not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.

Changes to this policy

We post updates here with a new effective date and version. For material changes, we email workspace admins before the changes take effect. This page supersedes any prior version.

How to contact us

Synchronise AI · ABN 68 960 446 366. Email gautham@synchronise.ai for any privacy question, request, or breach report - we answer within three working days. For a security incident, use the subject incident.

Related documents
  • Sub-processorsThe services that help run Synchronise AI.
  • Cookie NoticeWhat we set in your browser and why.
  • Data Processing AddendumProcessor terms for connected customer data.
  • Terms of ServiceThe agreement that governs use of the product.

Synchronise AI · ABN 68 960 446 366 · Gautham Srinivas, founder · Tokyo, Japan data residency. Questions and requests: gautham@synchronise.ai.

© Synchronise AI. This page supersedes any prior version. We email workspace admins before material changes take effect.