Privacy Policy
Last updated: May 3, 2026
0. Scope
This policy covers the Synect service in full, across both the marketing website at synect.ai and the product application at app.synect.ai. The marketing website is mostly static; the only personal data it collects is when you submit the Request access form (see §1). Standard server access logs may include your IP address and user agent. Everything else described below applies to the product application where you sign in and use the service.
1. What we collect
When you use Synect, we collect and store the following data in our database (hosted on Supabase):
- Account information — email address, display name, hashed password, and theme preference.
- Conversations and messages — the full text of every message you send and every AI response, including any files you upload as attachments.
- Uploaded files — files you upload to conversations or open in Canvas mode (e.g. DOCX, XLSX, PPTX, CSV) are stored in Supabase file storage. Their content may be sent to the AI provider to generate edits or responses. Files persist in storage for as long as your account exists and are deleted when you delete your account.
- Spark configurations — any Sparks you create or interact with, including pipeline steps, API action settings, and knowledge base files.
- Usage data — token counts, model identifiers, and estimated costs for each AI request, used to display your usage dashboard.
- Voice and audio data — if you use the real-time voice chat feature, your audio is streamed live directly to the AI provider (OpenAI Realtime API or Google Gemini Live API). Audio is not stored by Synect. It is processed on the provider's servers to generate a spoken and text response. Audio data is subject to each provider's privacy policy.
- Screen share content — if you share your screen during a live AI session, the screen frames are sent to the AI provider as visual context. Screen content is not stored by Synect. Be mindful of sensitive information visible on screen during a session.
- Browser local storage — Canvas mode stores version history, undo/redo stacks, and file content snapshots in your browser's localStorage. This data never leaves your device and is not accessible by Synect or any third party. It is cleared when you clear your browser data.
- OAuth tokens — if you connect third-party APIs (e.g. Google Sheets, Canva) to a Spark, we store a reference to your connection. The actual OAuth tokens for Composio-powered integrations are stored and managed by Composio, not Synect. For custom Spark API actions you configure yourself, we store the encrypted tokens in our database.
- Waitlist and access control — if you request access from synect.ai, we store your name, email, optional use-case and company-size fields, optional referral source, optional UTM campaign parameters from the page URL (captured server-side at submit time; no extra marketing cookies), a SHA-256 hash of your IP combined with a server secret (for rate limiting; we do not store the raw IP on the waitlist row), and a short user-agent string. These rows live in our Supabase database until an administrator approves or rejects your request. If approved, your email is added to an invite-only whitelist table (with a per-user preview credit limit in EUR) so you can complete registration on app.synect.ai; you receive a transactional email via Brevo with a link to register.
We do not collect analytics, tracking cookies, or behavioural data beyond what is described above.
2. How your data is used
Your data is used exclusively to provide the Synect service:
- Storing and displaying your conversation history.
- Sending your messages to AI providers so they can generate responses.
- Streaming your voice and screen content to AI providers during real-time live sessions.
- Processing uploaded files to enable Canvas mode editing and AI-assisted document changes.
- Executing API actions you configure in Sparks.
- Performing third-party integration actions on your behalf (e.g. reading a Google Sheet, posting to Slack) when you connect integrations to a Spark and ask the AI to use them.
- Displaying your usage and cost estimates.
- Evaluating waitlist submissions and operating the invite-only whitelist.
- Sending transactional email (verification codes, org invitations, waitlist approval notices) via Brevo.
We do not sell, rent, or share your data with any third party for advertising or marketing purposes.
3. Who can access your data
Transparency matters. Here is exactly who can access your data and why:
Platform administrators
The Synect team has administrative access to the database via Supabase's service role. This means we can technically read any user's data. We commit to accessing individual user data only when necessary for debugging, support requests you initiate, or to enforce our terms of service.
AI providers (text & reasoning)
Your messages, and where applicable your voice audio and screen content, are sent to the AI provider that powers each conversation. Depending on your model selection, this may include:
- OpenAI — GPT, o-series, DALL-E / ChatGPT Image, Whisper transcription, and Realtime voice API
- Anthropic — Claude models
- Google — Gemini models, Gemini Live voice API, and Gemini image / TTS models
- Perplexity — Sonar models with built-in web search (live search results may be appended to your queries by Perplexity's infrastructure)
- Cohere — Command models
- Groq — open-source models (Llama family) hosted on Groq's inference platform
All listed text providers state that API data is not used for model training by default under their commercial API terms. Your content is, however, processed on their servers to generate responses. Refer to each provider's linked policy for details.
Media generation providers
When you generate images, video, music, voice, or avatar videos, the relevant prompt (and any reference image you upload) is sent to the corresponding provider:
- ElevenLabs — text-to-speech, voice cloning previews, and music generation
- Runway — text-to-video and image-to-video generation
- HeyGen — talking-head / avatar video generation. The text script you supply is sent to HeyGen and synthesised against your selected avatar.
Web-search and page-fetch providers
When you enable the "web search" toggle, search is performed by your selected AI provider's native search capability where available (Perplexity, Anthropic, Google, OpenAI). When you ask the AI to fetch a specific URL you have explicitly named, the page is retrieved through:
- ScrapingBee — receives the URL only (not your conversation), returns the page's public HTML for the AI to read.
SEO data provider (Sparks only)
When you run a Spark whose pipeline includes an SEO research step (e.g. competitor keyword analysis), search-volume and keyword data are queried from:
- DataForSEO — receives only the keyword or domain you instruct the Spark to analyse, never your conversation history.
File processing
All file format processing — including DOCX, XLSX, PPTX, CSV, and PDF conversion and rendering for Canvas mode — is performed either directly in your browser or on Synect's own servers. No file content is sent to any third-party processing service. File content is only sent to an AI provider when you explicitly ask the AI to edit or analyse the file.
Infrastructure providers
- Supabase — hosts the database and file storage.
- Vercel — hosts the web application. Has access to server logs (request metadata, not message content).
- Brevo — sends verification emails. Receives only your email address.
- Cloudflare — provides DNS for the synect.ai domain and routes inbound email sent to privacy@, hello@, and security@synect.ai through to our internal mailboxes. Cloudflare does not have access to application data inside the product.
Third-party integration provider (Composio)
When you connect a third-party service (such as Google Sheets, Slack, or Canva) to a Spark, the OAuth connection is handled by Composio, an integration platform. Composio stores your OAuth tokens on their infrastructure in order to perform actions on your behalf when a Spark runs.
This means Composio has technical access to the OAuth tokens for services you connect. Composio is SOC 2 compliant and does not use your tokens outside of executing the actions your Spark requests. You should review Composio's Privacy Policy before connecting sensitive accounts. You can revoke any connection at any time from within the Spark settings.
Synect does not store your third-party OAuth tokens for Composio-powered integrations — only a connection reference (account ID) is stored in our database.
MCP servers (Model Context Protocol)
Sparks can be configured to connect to Model Context Protocol servers, including Zapier's MCP server (which exposes ~8,000 third-party integrations) or any custom MCP server you provide. When such a server is attached to a Spark, the AI's tool calls and any data needed to execute them are forwarded to that MCP server in real-time during a chat turn. We store the server's URL and auth header in our database; the auth header is encrypted at rest and only readable to the Spark owner's server-side requests.
You should review the privacy policy of any MCP server you connect — particularly Zapier's, when used. Synect only acts as a transport layer; we do not retain the data sent to or returned from MCP servers beyond what appears in the conversation transcript.
4. Cookies and similar technologies
Synect uses only one cookie, and we do not load any analytics, advertising, marketing, or third-party tracking on either synect.ai or app.synect.ai.
The one cookie we set:
sb-ieredtwtwoxrnzrgxava-auth-token* — set by Supabase Auth after you sign in. It stores your encrypted authentication session so you stay signed in across page navigations and across both the marketing site (synect.ai) and the product application (app.synect.ai). The cookie is scoped to the parent domain .synect.ai, sent only over HTTPS (Secure flag), and uses SameSite=Lax. When the session token exceeds the browser's 4 KB cookie size limit it is split into chunks (…0, …1, etc.). Lifetime: refreshed automatically while you are active; deleted when you sign out, when the refresh token expires, or when you delete your account. Classification: strictly necessary — exempt from consent under Article 5(3) of the ePrivacy Directive (EU/EEA), UK PECR, and equivalent rules in other jurisdictions, because the cookie is required to provide the authenticated service you explicitly requested by signing in.
Trackers and embeds we explicitly do NOT use:
- No web analytics — no Google Analytics, Vercel Analytics, Plausible, Fathom, Umami, Mixpanel, Amplitude, PostHog, or equivalent.
- No advertising or retargeting pixels — no Meta Pixel, Google Ads tag, LinkedIn Insight Tag, X / TikTok / Reddit pixels.
- No session-replay or heatmap tooling — no Hotjar, FullStory, Microsoft Clarity, LogRocket.
- No third-party embeds that would set their own cookies — no YouTube, Vimeo, Twitter/X, Calendly, Intercom, or Drift widgets.
- No runtime third-party fonts — Inter is bundled at build time via next/font, so no requests reach fonts.googleapis.com from your browser and no Google cookies are set on your behalf.
Browser local storage (not a cookie, but worth disclosing): the product application uses your browser's localStorage for UI state that must survive a page reload — your theme preference, Canvas mode version history, undo/redo stacks, and document snapshots. This data lives on your device and is never sent to Synect's servers or to any third party.
Server logs (also not cookies): our hosting provider Vercel retains standard request logs (timestamp, IP address, request path, user agent, response status) for approximately 30 days for security, abuse prevention, and operational debugging. These are not cookies, are not used for behavioural profiling, and are not shared with advertisers.
Why is there no cookie consent banner? Because the only cookie we set is strictly necessary for the service you have explicitly requested by signing in, no consent banner is legally required under GDPR + ePrivacy Directive, UK PECR, or CCPA / CPRA. If we ever introduce a non-essential cookie — analytics, marketing, embeds, or anything else — we will update this section and add an appropriate consent flow at the same time.
5. Data security
- All data in transit is encrypted via HTTPS/TLS.
- Database access is protected by Row Level Security (RLS), ensuring users can only access their own data through the application.
- Application code uses the user's own authentication token for data operations wherever possible, limiting the service role to administrative actions (account creation, deletion, password updates) that require elevated privileges.
- Database access is monitored via PostgreSQL audit logging (pgaudit), creating an immutable trail of all read and write operations on sensitive tables.
- Passwords are hashed by Supabase Auth (bcrypt) and never stored in plaintext.
- Verification codes expire after 10 minutes.
- Access to the platform is restricted to whitelisted email addresses during the current invite-only phase.
6. Data retention and deletion
Your data is retained for as long as your account exists. You can delete individual conversations from the sidebar, or permanently delete your entire account and all associated data from Settings → Danger zone.
Account deletion is immediate and irreversible. It removes your profile, all conversations, messages, files, Sparks, usage logs, and storage uploads.
Canvas mode data (version history, undo/redo stacks, file snapshots) stored in your browser's localStorage is retained on your device until you clear your browser data. It is not controlled by Synect and is not deleted by account deletion.
If you have connected third-party integrations via Composio, deleting your Synect account removes the connection reference from our database but does not automatically revoke the OAuth grant on the third-party service. You should revoke access directly from the connected service (e.g. your Google account security settings) or from Composio if you wish to fully remove that access.
7. Your rights
Under the General Data Protection Regulation (GDPR) and similar data protection laws, you have the following rights:
- Right of access (Art. 15) — you can view all your data through the application at any time.
- Right to rectification (Art. 16) — you can edit your display name and preferences in Settings.
- Right to erasure (Art. 17) — you can permanently delete your account and all associated data from Settings → Danger zone. Deletion is immediate and irreversible.
- Right to data portability (Art. 20) — you can export all your data (conversations, messages, labels, projects, usage logs) as a structured JSON file from Settings → Export your data.
- Right to restriction of processing (Art. 18) — contact us to request that we restrict processing of your data while a complaint is being resolved.
- Right to object (Art. 21) — as we do not process data for marketing or profiling, this right is generally not applicable. If you believe it is, contact us.
To exercise any of these rights, use the self-service tools in Settings or contact us at the email below.
8. Legal basis for processing (GDPR Art. 6)
We process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)) — processing is necessary to provide the Synect service you signed up for (storing messages, generating AI responses, executing Spark pipelines).
- Legitimate interest (Art. 6(1)(f)) — usage logging and cost estimation to operate the platform, security monitoring via audit logs, and service reliability.
- Consent (Art. 6(1)(a)) — when you connect third-party services via OAuth through Composio, you explicitly consent to Composio storing and using tokens for that integration on your behalf. You may revoke this consent at any time by disconnecting the integration from Spark settings.
9. International data transfers
Your data may be processed outside the European Economic Area (EEA) by our infrastructure and AI providers:
- Supabase (AWS, US regions) — covered by their DPA and Standard Contractual Clauses.
- Vercel (US) — covered by their DPA.
- OpenAI, Anthropic, Google (US) — API data processing under their respective DPAs and terms.
- Perplexity, Cohere, Groq (US) — API data processing under their respective terms.
- ElevenLabs (US), Runway (US), HeyGen (US) — media generation API data processing under their respective DPAs and terms.
- ScrapingBee (FR/EU) — public-page retrieval, no user content beyond the URL is sent.
- DataForSEO (US) — keyword/SEO data lookup, no user content beyond the keyword or domain is sent.
- Composio (US) — OAuth token storage and integration execution for third-party Spark integrations, covered by their DPA and Standard Contractual Clauses.
- Zapier (US) — when an MCP server hosted by Zapier is attached to a Spark.
- Brevo (EU-based) — email processing within the EEA.
We rely on Standard Contractual Clauses (SCCs) and adequacy decisions where applicable to ensure adequate protection for cross-border transfers.
10. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
11. Changes to this policy
We may update this policy as the platform evolves. Material changes will be communicated through the application. Continued use of Synect after changes constitutes acceptance.
12. Contact
If you have questions about this policy, want to exercise your rights under data-protection law, or have a security concern, please reach out to us:
- Privacy & data-protection requests — privacy@synect.ai
- General questions and support — hello@synect.ai
- Security disclosures — security@synect.ai