Syncally

Privacy Policy

Last Updated: January 24, 2026

GDPR & CCPA Compliant

How Syncally collects, uses, and protects your information.

1. Information We Collect

1.1 Account Information

  • Authentication data: Email address, name, profile picture (via GitHub OAuth, Google SSO, or SAML/OIDC providers).
  • Organization data: Organization name, member roles, team structure.
  • SSO metadata: Identity provider information, SAML assertions, OIDC tokens (for enterprise SSO).

1.2 GitHub Integration Data

  • Repository metadata: Repository names, branch information, commit metadata.
  • Code summaries: AI-generated summaries of your commits and codebase.
  • Embeddings: Vector representations for semantic search (3072-dimensional vectors).
  • We do NOT store your raw source code—only semantic embeddings and AI-generated summaries.

1.3 Meeting Data

  • Audio files: Temporarily stored for transcription processing.
  • Transcripts: Full text transcription of meeting audio.
  • AI summaries: Key points, action items, and decisions extracted by AI.
  • Retention: Audio files are automatically deleted after 7 days; transcripts and summaries are retained until you delete them.

1.4 Task & Project Data

  • Task titles, descriptions, status, assignments, and due dates.
  • Project names, settings, and team member associations.
  • Task links and knowledge graph connections.

1.5 Enterprise & Security Data

  • Audit logs: 30+ event types including logins, data access, settings changes, and administrative actions.
  • API key metadata: Key prefixes, scopes, usage counts, last used timestamps (keys are SHA-256 hashed).
  • RBAC data: Role assignments, custom role definitions, permission grants.

1.6 Usage & Technical Data

  • IP address, browser type, device information, operating system.
  • Pages visited, features used, interaction patterns.
  • Error logs and performance metrics.
  • Cookies and similar tracking technologies (see Section 8).

1.7 Payment Data

  • Billing address, subscription status, invoice history.
  • Payment processing is handled by Polar.sh—we do NOT store credit card numbers or bank account details.

2. How We Use Your Information

  • Provide the Service: Process code, generate summaries, answer questions, transcribe meetings.
  • Improve the Service: Analyze usage patterns, fix bugs, develop new features.
  • Security & Compliance: Detect fraud, prevent abuse, maintain audit logs, respond to legal requests.
  • Communicate: Send service updates, billing notifications, security alerts, and support responses.
  • Enterprise Features: Provide SSO, audit logs, RBAC, and API key management for enterprise customers.

We do NOT:

  • Sell your personal data to third parties.
  • Use your proprietary code to train general AI models.
  • Share your data with advertisers.
  • Access your data without a legitimate business purpose.

3. Legal Basis for Processing (GDPR)

  • Contract Performance: Processing necessary to provide the Service you requested.
  • Legitimate Interests: Improving our Service, security, and fraud prevention.
  • Legal Obligation: Compliance with applicable laws and regulations.
  • Consent: Where required, such as for marketing communications.

4. Data Sharing & Subprocessors

We share data only with service providers necessary to operate the platform:

Service | Purpose | Location
GitHub | OAuth & Repository Access | USA
Neon Database | Primary PostgreSQL Database | USA (Azure East US 2)
Supabase | File Storage (Meeting Audio) | USA
OpenAI | AI Processing & Embeddings | USA
Google Gemini | AI Processing | USA
AssemblyAI | Audio Transcription | USA
Inngest | Background Job Processing | USA
Polar.sh | Payment Processing | EU
Vercel | Application Hosting | USA (Global Edge)
Resend | Transactional Email | USA

AI Provider Data Handling:

We use enterprise API configurations with OpenAI, Google Gemini, and AssemblyAI that explicitly prohibit using your data for model training. Your proprietary code and meeting content are processed but never retained by these providers for training purposes.

5. Data Storage & Security

  • Primary Location: United States (Azure East US 2, Virginia).
  • Encryption in Transit: TLS 1.3 for all connections.
  • Encryption at Rest: AES-256 for database and file storage.
  • Tenant Isolation: Logical isolation at the organization level; cross-tenant access is not possible.
  • Access Control: Role-based access for employees; all access is logged.
  • API Key Security: SHA-256 hashed storage; never stored in plaintext.
  • Audit Logging: All significant actions are logged with actor, timestamp, IP, and user agent.
  • SOC 2 Type II: Certification in progress (target Q3 2026).

6. Data Retention

  • Meeting audio: Automatically deleted 7 days after upload.
  • Transcripts & summaries: Retained until you delete them or your account.
  • Code embeddings: Retained until you disconnect the repository or delete your account.
  • Audit logs: 90 days (customizable for Enterprise plans).
  • Account data: Retained until account deletion.
  • Account deletion: All data permanently deleted within 30 days of account deletion request.
  • Backups: Encrypted backups retained for 30 days for disaster recovery, then permanently deleted.

7. Your Rights

7.1 All Users

  • Access: Request a copy of your personal data.
  • Correction: Update inaccurate or incomplete data.
  • Deletion: Delete your account and all associated data from Settings.
  • Export: Export your data in a portable format.

7.2 EU/EEA Residents (GDPR)

  • Restriction: Request restriction of processing.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdrawal: Withdraw consent at any time (where processing is based on consent).
  • Complaint: Lodge a complaint with your local supervisory authority.

7.3 California Residents (CCPA/CPRA)

  • Right to Know: Request disclosure of personal information collected, used, and shared.
  • Right to Delete: Request deletion of personal information.
  • Right to Opt-Out: We do not sell personal information; no opt-out required.
  • Right to Non-Discrimination: Equal service and pricing regardless of privacy choices.
  • Right to Correct: Request correction of inaccurate personal information.
  • Shine the Light: You may request a list of third parties with whom we have shared personal information for their direct marketing purposes (we do not share such info).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner as required by law).

8. Cookies & Tracking

We use cookies and similar technologies to provide and improve our Service.

  • Essential Cookies: Strictly necessary for authentication (Session Tokens), security (CSRF protection), and load balancing.
  • Functional Cookies: Remember your preferences (e.g., theme, language) and settings.
  • Analytics Cookies: Help us understand how you use the Service (e.g., PostHog). These are anonymized.
  • Local Storage: We use browser LocalStorage for storing UI state and session tokens.

You can control or delete cookies through your browser settings. However, disabling essential cookies will prevent you from logging in or using core features.

9. International Transfers

Your data is primarily processed in the United States. For transfers from the EU/EEA/UK, we rely on:

  • Standard Contractual Clauses (SCCs): EU Commission-approved contractual safeguards.
  • Subprocessor Agreements: Binding data protection terms with all service providers.

10. Children's Privacy

Syncally is a B2B platform intended for professionals. We do not knowingly collect personal information from children under the age of 13 (or applicable age of consent). If we become aware that we have collected personal data from a child in violation of COPPA or GDPR, we will take steps to delete that information. Contact us at [email protected] if you believe we have such data.

11. Third-Party Links

Our Service may contain links to third-party websites (e.g., GitHub, identity providers). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last Updated" date.
  • Sending an email notification to the address associated with your account for significant changes.
  • Displaying a banner or notice within the application dashboard.

Continued use of the Service after such changes constitutes your acknowledgment and acceptance of the updated Privacy Policy.

13. Contact Us

For privacy questions, data requests, or concerns:

Email: [email protected]

Security Issues: [email protected]

General Support: [email protected]