How we handle your data.
Synchronise AIconnects to the tools your team already uses, reads product signal through those connections, and produces cited insights and outputs. We don't build a copy of your source systems - there is no parallel database mirroring your tickets or events. What we store is your chat history, the working files and outputs we generate, anything you upload, and - when you connect a messaging channel (WhatsApp, Messenger, or Instagram) - the customer messages in your inbox and the replies you draft or send, so the shared inbox works. All of it is scoped to your workspace and held in Tokyo, Japan. Each section opens with a plain-English summary, then the full detail.
Overview & scope
We read the product signal in the tools you connect, in memory, and write back only the insights and outputs we generate. This policy covers the Synchronise AI web app and the agents that run on your behalf.
Synchronise AI is a product-intelligence tool. It connects to the systems your team already uses, analyses the signal inside them, and produces cited insights, themes, briefs, and other outputs that help product teams decide what to build.
This Privacy Policy explains what personal data and customer signal we handle, why, who we share it with, how long we keep it, and the rights you have. It applies to synchronise.ai, the in-product experience, and the autonomous agents that run on your behalf. It does not cover third-party services you connect - those are governed by their own policies.
It sits alongside our Terms of Service, our Sub-processors list, our Cookie Notice, and - for business customers - our Data Processing Addendum.
Who we are and our role
We're an Australian company (ABN 68 960 446 366). For your account we're the data controller; for the source data you connect, we act as your processor.
Synchronise AI is operated as an Australian business, ABN 68 960 446 366. You can reach the person responsible for privacy questions - including access and deletion requests and breach disclosure - at gautham@synchronise.ai.
Account data(your identity, workspace, billing, and product usage): we decide why and how it's processed, so we act as the data controller.
Connected source data (the signal we read from the systems you connect, and the outputs derived from it): you decide what to connect and why, so we act as your processor(a “service provider” under US law). Our processing terms for that data are in the Data Processing Addendum.
Information we collect
Account and billing details, the product work we generate, files you upload, and product telemetry. Raw source records are read in memory and not stored.
| Category | What it includes | Where it comes from |
|---|---|---|
| Account & identity | Email, name, workspace, team membership, and the OAuth identity from your sign-in provider. | You, when you sign up |
| Billing | Stripe customer ID, plan, invoices, and renewal dates. We never see your card number. | You & Stripe |
| Connected source signal | Signal from the systems you connect (events, tickets, threads, issues, pages, docs, recordings), read through your connection during analysis. We don't mirror it into a raw datastore, but excerpts appear in stored chat history and working files (see retention). | Sources you connect |
| Working & memory files | Notes and files an analysis or agent writes during a run. When a tool returns more than a short slice, the full output is saved to your workspace's memory so it can be referenced, and kept until you or the agent delete it. | Created during analysis |
| Generated work | Insights, themes, decision cards, briefs, specs, slides, outreach, chat history, artifacts, and the evidence chain we built them from. | Created in-product |
| Uploads | Files you attach in chat, stored in a private bucket scoped to your workspace. | You |
| Product telemetry | First-party usage events, model-usage metadata (model, token counts, latency), and masked session recordings used to debug and improve the app. | As you use the app |
| Connected messaging channels | When you connect a WhatsApp Business number, a Facebook Page (Messenger), or an Instagram professional account, the messages your customers send you and the reply you draft or send from the inbox - sender handle, message content, and the drafted/sent reply - stored so the shared inbox works. We reply only to your own customers, from your own accounts, at your direction; we never message anyone the customer didn't first contact, and we never use this data for advertising or model training. | Your customers, via channels you connect |
| Communications | Emails and, if you connect it, Telegram messages you exchange with the product and its agents. | You |
What we don't collect
- A mirror of your connected systems - we don't bulk-ingest your sources into a parallel raw datastore.
- Card numbers - handled entirely by Stripe.
- Data from systems you didn't explicitly connect.
- Biometric data, precise location, or advertising identifiers.
How and why we use it
To run the product you asked for - connect sources, generate insights and outputs, run agents, bill you, keep the service secure, and support you. We never train models on your data.
We use the data above to:
- Provide the product: connect sources, analyse signal, and generate insights, themes, and outputs.
- Run agents you configure, and deliver their results to you.
- Authenticate you, manage your workspace and team, and process billing.
- Keep the service secure: detect abuse, enforce limits, and investigate incidents.
- Support you, and debug and improve the product using telemetry.
- Meet legal obligations such as tax and accounting.
Legal bases (UK / EU GDPR)
- Performance of a contract - to provide the product and account you signed up for.
- Legitimate interests - to secure, debug, and improve the service, balanced against your rights.
- Consent - where required, for example connecting an optional source or non-essential cookies. You can withdraw it at any time.
- Legal obligation - to keep billing and tax records.
No training on your data
We do not train foundation models, shared machine-learning systems, or reusable model weights on your data. Your prompts, chats, connected signal, and outputs may be sent to our model provider for inference only - to produce the result you asked for - and are not used to build a shared training corpus. Our model provider, Anthropic, likewise does not use data sent through its API to train its models. We never sell your data.
Autonomous agents
Agents are jobs you set up that run on a schedule or on demand - reading the sources you connected, producing an artifact, and delivering it to your inbox, email, or Telegram. They use the same in-memory read and never store raw data.
An agent is a recurring or on-demand job you define - for example, a daily briefing that scans your connected tools and writes up what changed. When you create one, you choose the prompt, the schedule, and where the result is delivered.
Where agents run
Scheduled agents run on dedicated cloud compute provisioned per workspace (currently Fly.io). A scheduler triggers each run at the time you set; you can pause, edit, or delete any agent from your workspace.
What they can touch
An agent can read only the sources and scopes you have already connected, through the same OAuth broker described below. It reads that signal transiently to do its analysis - it does not store raw source records.
Where the output goes
The agent produces an artifact (an insight, briefing, or document) that is saved to your workspace. Depending on your settings, we then notify you in the in-app inbox, by email (the summary plus a link, not the raw artifact), and/or via Telegram if you've linked a chat. Delivering an output to Telegram sends it to that third party at your direction; we treat Telegram as a notification channel, not a place to route sensitive personal data.
Automated decisions
Agent outputs are recommendations for you to review. We do not make decisions that produce legal or similarly significant effects about anyone based solely on automated processing.
Connected sources, OAuth & Google data
You choose what to connect. Each connector uses OAuth at the narrowest scope, and the tokens are held by our broker - not by us. Disconnect any source at any time to revoke access.
Connecting a source uses OAuth and requests the narrowest read access we need. You review the access on the provider's consent screen before granting it. We read; we do not post or modify your data unless you explicitly ask an agent to.
Our OAuth broker, Composio, holds and refreshes the access tokens for connected sources. Synchronise AI stores only an opaque reference to that connection - not the tokens themselves. Disconnecting a source from Settings revokes the connection.
Connectors span analytics, support, project management, docs, communication, and accounting tools - including PostHog, Google Analytics, Mixpanel, Amplitude, Fathom, Slack, Intercom, Linear, Notion, Jira and Confluence, GitHub, HubSpot, Salesforce, Gmail, and others. We add connectors over time; the current set of services that may receive data is on the Sub-processors page.
Google user data
If you connect a Google source, our use of Google user data follows the Google API Services User Data Policy, including its Limited Use requirements:
- Opt-in only. You choose whether to connect Google Sign-In, Gmail, Google Analytics, or other Google services.
- Visible scopes. We only request the scopes shown on Google's OAuth consent screen.
- Limited use. Google user data is used only to read signal in memory, generate cited insights, and produce the outputs you request.
- No secondary use. It is not sold, used for advertising, or used to train models.
- Human-access limits. We do not read Google data unless you allow it or it is needed for security or to comply with law.
- Revocable. Disconnect a Google source at any time to revoke access.
Security & where data lives
Workspace data lives in Tokyo, Japan. Every database table enforces row-level isolation, traffic is encrypted in transit, and storage is encrypted at rest by our infrastructure providers.
Customer workspace data is stored in Tokyo, Japan. Every table in our database enforces PostgreSQL row-level security, so a workspace can only ever read its own rows, and we limit internal access to what is needed to operate the service.
Data is encrypted in transit with TLS and at rest with AES-256 by our infrastructure providers (Supabase/AWS, Vercel, and Fly.io); we do not add a separate application-level encryption layer. Third-party OAuth tokens are held by our connection broker (Composio), not stored by us, and other application secrets are kept in our hosting providers' managed secret stores.
Synchronise AIdoes not currently hold its own SOC 2 attestation. The providers we build on maintain their own certifications for the parts of the stack they operate; see the Sub-processors page.
If you believe your data or account is at risk, email gautham@synchronise.ai with the subject incident. We notify affected customers of a personal-data breach without undue delay after becoming aware of it.
How long we keep it
We don't keep a copy of your source systems. Chat history, working files, outputs, and uploads stay until you delete them or close the workspace; billing records are kept as long as the law requires.
| Data | Retention |
|---|---|
| Chat history (incl. tool exchanges) | Until you delete it or close the workspace |
| Working & memory files | Until you or the agent delete them, or you close the workspace |
| Generated outputs & artifacts | Until you delete them or close the workspace (ephemeral ones expire automatically) |
| Uploaded files | Until you delete them or close the workspace |
| Connected-source metadata | Until you disconnect the source |
| Billing & tax records | As required by law (up to 7 years) |
| Routine backups | Overwritten on our database provider's standard cycle |
We do not maintain a parallel datastore mirroring your connected sources. Deleting your account or workspace removes live workspace data immediately by cascade and tears down any dedicated agent compute; residual copies survive only in our database provider's routine backups until they age out on the provider's standard cycle. We rely on our infrastructure providers for platform logs and do not keep a separate first-party security-event log.
International transfers
Your workspace data is stored in Japan, but some sub-processors operate in the US, EU, and elsewhere. Transfers out of the UK/EEA rely on Standard Contractual Clauses or equivalent safeguards.
Customer workspace data is stored in Tokyo, Japan. To provide the service, some processing happens with sub-processors in other regions - for example AI inference, email, and analytics in the United States, and billing in the US and EU. The current locations are listed on the Sub-processors page.
Where personal data is transferred out of the UK or EEA to a country without an adequacy decision, we rely on the UK International Data Transfer Agreement / Addendum or the EU Standard Contractual Clauses, together with appropriate technical safeguards.
Your privacy rights
Access, correct, delete, export, restrict, object, and withdraw consent - most in-app, or by emailing us. We respond within 30 days.
- Access & portability - see what we hold and export your artifacts and insights as Markdown or JSON, with the evidence chain intact.
- Rectification - most fields are editable in-app; for the rest, ask us.
- Erasure - delete your account from Settings to remove your account and workspace data, or email us.
- Restriction & objection - ask us to limit or stop certain processing based on legitimate interests.
- Withdraw consent - disconnect any source to revoke its access at any time.
- Complain - to a supervisory authority (see below).
Exercise these in the app, or email gautham@synchronise.ai. We may need to verify your identity. We respond within one month for UK/EU requests (extendable by two months for complex ones) and within 45 days for US state-law requests. Live workspace data is deleted immediately on a deletion request; residual backup copies age out on our provider's standard cycle.
If your personal data reached us only because someone connected a workspace you belong to, we handle it as a processor on that customer's behalf. Send your request to your workspace administrator (the controller) and we will assist them in responding.
Regional disclosures
Extra rights and disclosures for the UK and EEA, the United States, and Australia.
UK & EEA (GDPR)
You have the rights in Articles 15-22 of the UK and EU GDPR, set out above. We process on the legal bases listed in section 4 and rely on SCCs / the UK IDTA for transfers. You can complain to the UK Information Commissioner's Office (ICO) or your local EEA supervisory authority.
United States (CCPA / CPRA and other state laws)
We do not sell personal information and do not share it for cross-context behavioural advertising. The categories we collect are listed in section 3 (identifiers, commercial/billing information, and internet activity such as product usage). Residents of California and other states with comparable laws can request to know, delete, and correct their personal information, and we will not discriminate against you for exercising those rights. Submit a request to gautham@synchronise.ai.
Australia (Privacy Act & APPs)
As an Australian business, we handle personal information in line with the Australian Privacy Principles. If you have a concern we can't resolve, you can complain to the Office of the Australian Information Commissioner (OAIC).
Children, changes & contact
Synchronise AIisn't for children. We'll tell admins before material changes. Reach a human at gautham@synchronise.ai.
Children's data
Synchronise AI is a workplace product, not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
Changes to this policy
We post updates here with a new effective date and version. For material changes, we email workspace admins before the changes take effect. This page supersedes any prior version.
How to contact us
Synchronise AI · ABN 68 960 446 366. Email gautham@synchronise.ai for any privacy question, request, or breach report - we answer within three working days. For a security incident, use the subject incident.
