Privacy Policy

Table of Contents

This Privacy Policy contains the following sections:

1. Introduction

2. Who We Are

3. Scope and Application

4. Information We Collect

5. How We Use Your Information

6. Legal Bases for Processing (GDPR/UK GDPR)

7. How We Share Your Information

8. Third-Party Services and Integrations

9. AI and Large Language Model (LLM) Processing

10. International Data Transfers

11. Data Security

12. Data Retention

13. Your Privacy Rights

14. Cookies and Tracking Technologies

15. Children's Privacy

16. California Privacy Rights (CCPA/CPRA)

17. Other US State Privacy Rights

18. European Union & UK Privacy Rights (GDPR)

19. Brazil Privacy Rights (LGPD)

20. Changes to This Privacy Policy

21. Contact Us

22. Definitions and Legal References

1. Introduction

Syntari International, Inc. ("Syntari," "we," "us," or "our") is committed to protecting your privacy and being transparent about how we collect, use, and share your personal information.

This Privacy Policy describes our data practices across all Syntari services:

• Syntari Advisory Services: AI-powered management consulting advisory

• Syntari Platform: AI-native consulting workflow platform with integrated LLM agents

• Syntari Academy: Educational courses, workshops, and training programs

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

For information about our use of cookies and similar technologies, please see our Cookie Policy.

2. Who We Are

Data Controller:
Syntari International, Inc.
One Marina Park Drive, Suite 1410
Boston, MA 02210
United States

Contact Information:
Email: privacy@syntari.ai
Data Protection Officer (DPO): dpo@syntari.ai

3. Scope and Application

This Privacy Policy applies to:

• Syntari websites: syntari.ai and all subdomains

• Syntari Platform: app.syntari.ai (web and mobile applications)

• Syntari Advisory Services: Consulting engagements and deliverables

• Syntari Academy: Educational content, courses, and workshops

• Email communications: Marketing, transactional, and support emails

• Customer support: Chat, email, phone interactions

This Policy does NOT apply to:

• Third-party websites, platforms, or services (even if linked from our Services)

• Employer-controlled data when Syntari is used in a business/enterprise context (in such cases, your employer is the data controller)

4. Information We Collect

We collect information in three ways: (1) information you provide directly, (2) information collected automatically, and (3) information from third parties.

4.1 Information You Provide Directly

Account Information:

• Full name

• Email address

• Password (hashed and encrypted)

• Company name

• Job title/role

• Phone number (optional)

• Profile photo (optional)

Billing and Payment Information:

• Billing address

• Payment method details (processed by Stripe; we do NOT store full credit card numbers)

• Tax identification information (for enterprise customers)

Platform Usage Data:

• Uploaded documents, files, and content

• Prompts and queries submitted to AI agents

• Consulting deliverables and work product

• Comments, feedback, and support messages

• Integration data (when you connect third-party tools)

Academy Enrollment Data:

• Course registrations and progress

• Quiz/assessment responses

• Workshop attendance and participation

• Learning preferences

Communications:

• Messages sent via contact forms, live chat, email, or phone

• Survey responses and feedback

• Event registration information

4.2 Information Collected Automatically

When you use our Services, we automatically collect:

Device and Browser Information:

• IP address

• Device identifiers (MAC address, mobile ad ID)

• Browser type and version

• Operating system

• Screen resolution

• Language preferences

Usage Data:

• Pages visited and features used

• Click paths and navigation patterns

• Time spent on pages and in the platform

• Search queries within the platform

• Session duration and frequency

• Referral source (how you found us)

Location Data:

• Approximate location based on IP address

• Precise location (only if you grant permission via mobile app)

Log Data:

• Error messages and system logs

• API calls and responses

• Security events (login attempts, password resets)

Cookies and Similar Technologies: See Section 14 and our Cookie Policy

4.3 Information From Third Parties

Business Contact Data:

• Publicly available professional information (LinkedIn, company websites)

• Business contact enrichment services (ZoomInfo, Clearbit)

Integration Data:

• Data from connected services (Google Drive, Slack, Notion, Box, Microsoft 365)

• Authentication providers (Google OAuth, Microsoft OAuth, Apple Sign-In)

Payment Processors:

• Transaction status and payment confirmation from Stripe

Analytics and Advertising Partners:

• Aggregate usage statistics from Google Analytics

• Ad performance data from Google Ads, LinkedIn, Facebook

5. How We Use Your Information

We use your information for the following purposes:

5.1 Provide and Improve Our Services

• Create and manage your account

• Deliver consulting advisory services

• Power the Syntari Platform and AI agents

• Provide access to Syntari Academy courses

• Process payments and manage subscriptions

• Authenticate users and maintain security

• Provide customer support

• Improve platform functionality and user experience

• Develop new features and services

5.2 Personalization

• Remember your preferences and settings

• Customize AI agent responses based on your industry/role

• Recommend relevant courses and content

• Tailor consulting deliverables to your needs

5.3 Communications

• Send transactional emails (account creation, password reset, payment confirmation)

• Provide product updates and feature announcements

• Send marketing communications (with your consent, where required)

• Respond to inquiries and support requests

• Notify you of policy changes

5.4 Analytics and Research

• Understand how users interact with our Services

• Measure platform performance and identify bugs

• Conduct market research and benchmarking

• Generate aggregate statistics and insights

5.5 AI Training and Improvement

• Train and fine-tune AI models (with strict controls - see Section 9)

• Improve agent accuracy and relevance

• Develop new AI capabilities

Important: We implement data isolation and do NOT train models on sensitive client data without explicit consent. See Section 9 for details.

5.6 Legal and Compliance

• Comply with legal obligations

• Enforce our Terms of Service

• Detect and prevent fraud, abuse, or security threats

• Respond to legal requests and court orders

• Protect Syntari's rights and property

5.7 Marketing and Advertising

• Deliver targeted ads on third-party platforms (Google, LinkedIn, Facebook)

• Measure ad campaign effectiveness

• Build lookalike audiences for customer acquisition

• Retarget website visitors

You can opt-out of marketing communications and targeted advertising. See Section 13.

6. Legal Bases for Processing (GDPR/UK GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under the GDPR:

You have the right to withdraw consent at any time where processing is based on consent. This does not affect the lawfulness of processing before withdrawal.

7. How We Share Your Information

We do NOT sell your personal information for monetary consideration.

We share your information only in the following circumstances:

7.1 Service Providers and Processors

We share data with third-party vendors who perform services on our behalf:

All service providers sign Data Processing Agreements (DPAs) and are contractually obligated to protect your data and use it only for the purposes we specify.

7.2 Within Your Organization

If you use Syntari through an enterprise/team account, we may share your data with:

• Account administrators in your organization

• Team members you collaborate with

• Billing contacts designated by your organization

7.3 Business Transfers

If Syntari is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before any such transfer.

7.4 Legal Requirements

We may disclose your information if required by law or in response to:

• Court orders, subpoenas, or legal process

• Requests from law enforcement or government authorities

• National security requirements

• Protection of Syntari's rights, property, or safety

• Investigation of fraud, security threats, or policy violations

7.5 With Your Consent

We may share your information with third parties when you explicitly consent, such as:

• Connecting third-party integrations (Google Drive, Slack, etc.)

• Sharing work product with clients (for advisory engagements)

• Participating in case studies or testimonials

7.6 Aggregate and De-Identified Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you, such as:

• Industry benchmarks and trends

• Platform usage statistics

• Research findings

8. Third-Party Services and Integrations

Syntari integrates with various third-party services. When you connect these integrations, you authorize Syntari to access data from these platforms:

Current Integrations:

• Google Workspace (Drive, Docs, Sheets): Access and sync files

• Microsoft 365 (OneDrive, SharePoint): Access and sync files

• Slack: Send messages, access channels

• Notion: Access and sync databases

• Box: Access and sync files

• Salesforce: Access CRM data (enterprise only)

• HubSpot: Access marketing and sales data

What We Access:

• Only data you explicitly authorize

• File contents, metadata, sharing permissions

• User lists and organization structure (for collaboration features)

How It Works:

• You grant permissions via OAuth

• We store access tokens securely (encrypted)

• You can revoke access at any time via platform settings

Third-Party Privacy Policies:

• Google Privacy Policy

• Microsoft Privacy Statement

• Slack Privacy Policy

• Notion Privacy Policy

9. AI and Large Language Model (LLM) Processing

CRITICAL SECTION: This is unique to Syntari and requires careful disclosure.

9.1 LLM Providers We Use

Syntari's AI-powered features rely on the following third-party Large Language Models (LLMs):

9.2 What Data Is Sent to LLM Providers

When you use Syntari's AI features, the following data may be sent to our LLM providers:

• Your prompts and queries

• Uploaded documents and content (for context)

• Conversation history (for multi-turn interactions)

• Metadata (timestamp, user ID for rate limiting)

We do NOT send (unless explicitly needed for your request):

• Payment information

• Passwords or authentication tokens

• Unrelated personal data

9.3 How LLM Providers Use Your Data

OpenAI:

• API Data: NOT used for model training by default

• Retention: 30 days for abuse monitoring, then deleted

• Opt-out: Available via OpenAI Enterprise Agreement

Google (Gemini):

• API Data: NOT used for model training (for enterprise customers)

• Retention: Varies by service tier

• Privacy Controls: Available in Google Cloud settings

Anthropic (Claude):

• API Data: NOT used for model training

• Retention: 90 days for Trust & Safety, then deleted

• Privacy: Anthropic's Commitment

9.4 Data Isolation and Controls

Syntari implements strict controls:

• Prompt Redaction: Automatically redact sensitive data (SSNs, credit card numbers, etc.)

• Zero-Retention Mode: Option to prevent any data retention by LLM providers

• Client Data Isolation: Client data is NEVER mixed or used to train models for other clients

• Opt-Out of AI Training: Enterprise customers can opt-out of any AI training entirely

9.5 Your AI Data Rights

• Request deletion of your AI interaction history

• Opt-out of AI training (enterprise plans)

• Export your AI conversation logs (data portability)

• Use zero-retention mode for sensitive prompts

To exercise these rights, contact: ai-privacy@syntari.ai

10. International Data Transfers

Syntari is based in the United States. If you access our Services from outside the U.S., your information will be transferred to, stored, and processed in the United States and other countries where we or our service providers operate.

Transfer Safeguards:

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

• Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to the U.S. and other third countries

• Adequacy Decisions: We rely on European Commission adequacy decisions where available

• Data Processing Agreements: All vendors sign DPAs with appropriate transfer mechanisms

For users in Brazil (LGPD):

• Standard Contractual Clauses or other legally compliant transfer mechanisms

Request a Copy: You can request a copy of the SCCs or transfer mechanisms by emailing dpo@syntari.ai

11. Data Security

We implement industry-standard technical and organizational measures to protect your data:

Encryption:

• At Rest: AES-256 encryption for stored data

• In Transit: TLS 1.2+ for all data transmission

• Passwords: Bcrypt hashing with salts

Access Controls:

• Role-Based Access Control (RBAC): Employees access only data needed for their role

• Multi-Factor Authentication (MFA): Required for all employee accounts

• Single Sign-On (SSO): Available for enterprise customers

Infrastructure Security:

• Firewall and DDoS protection

• Intrusion detection systems

• Regular security audits and penetration testing

• SOC 2 Type II certification (in progress)

Data Segregation:

• Client data isolation: Enterprise customer data is logically separated

• Audit logs: All access to sensitive data is logged

Incident Response:

• Breach notification: We will notify affected users within 72 hours of discovering a breach (GDPR) or as required by applicable law

• Incident response plan: We maintain a documented plan for security incidents

However, no system is 100% secure. You use our Services at your own risk.

12. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Periods:

After Deletion:

• Data is permanently deleted or anonymized beyond recovery

• Backups are purged within 90 days

Your Right to Request Deletion: See Section 13.

13. Your Privacy Rights

Depending on where you live, you have various rights regarding your personal information.

Universal Rights (applicable to all users):

• Access: Request a copy of your personal data

• Correction: Request correction of inaccurate data

• Deletion: Request deletion of your data ("right to be forgotten")

• Portability: Receive your data in a machine-readable format

• Opt-Out: Unsubscribe from marketing emails

How to Exercise Your Rights:

• Email: privacy@syntari.ai

  
  

• Verification: We may verify your identity before fulfilling requests.

Response Time: We aim to respond within 30 days (or as required by applicable law).

No Discrimination: We will not discriminate against you for exercising your privacy rights.

14. Cookies and Tracking Technologies

We use cookies and similar technologies to provide, improve, and protect our Services.

For full details, see our Cookie Policy.

Quick Summary:

• Strictly Necessary: Essential for platform functionality (cannot be disabled)

• Performance: Analytics and error tracking (can be disabled)

• Functional: Remember preferences and settings (can be disabled)

• Targeting: Advertising and remarketing (can be disabled)

Manage Cookies:

• Cookie Preferences Center

• Browser settings

• Opt-out tools: NAI, DAA

15. Children's Privacy

Syntari's Services are not directed to individuals under 16 years of age (or under 13 in the United States). We do not knowingly collect personal information from children.

If you believe a child has provided us with personal information, please contact us at privacy@syntari.ai and we will delete it promptly.

16. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

16.1 Your California Privacy Rights

• Right to Know: Request details about personal information we collect, use, disclose, or sell

• Right to Delete: Request deletion of your personal information

• Right to Correct: Request correction of inaccurate personal information

• Right to Opt-Out of Sale/Sharing: We do NOT sell your personal information, but we share data for targeted advertising (see below)

• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what's necessary for services

• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

16.2 Categories of Personal Information Collected

In the past 12 months, we collected the following categories of personal information:

16.3 Do We "Sell" or "Share" Your Personal Information?

We do NOT sell your personal information for money.

However, under CCPA/CPRA, "sharing" for cross-context behavioral advertising is broadly defined and may include:

• Using cookies for targeted advertising (Google Ads, LinkedIn, Facebook)

• Sharing data with analytics partners for advertising purposes

You can opt-out:

• Do Not Sell or Share My Personal Information

• We honor Global Privacy Control (GPC) signals automatically

16.4 How to Exercise Your California Rights

• Email: privacy@syntari.ai

• Toll-Free: 1-800-XXX-XXXX

• Online: California Privacy Request Portal

Authorized Agent: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

Verification: We may verify your identity using information we have on file or by requesting additional information.

Response Time: Within 45 days (may extend to 90 days for complex requests with notice).

17. Other US State Privacy Rights

If you reside in Virginia, Colorado, Connecticut, Utah, Iowa, Montana, Oregon, Texas, Delaware, Indiana, Tennessee, Nebraska, New Jersey, New Hampshire, Kentucky, Rhode Island, Maryland, or Minnesota, you have similar rights as described in Section 16.

Your Rights:

• Access, correct, delete, and port your data

• Opt-out of targeted advertising

• Opt-out of sale of personal information (we don't sell)

• Opt-out of profiling for decisions with legal/significant effects

How to Exercise:

• Same methods as California (Section 16.4)

18. European Union & UK Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:

18.1 Your GDPR Rights

• Right of Access (Art. 15): Confirm whether we process your data and obtain a copy

• Right to Rectification (Art. 16): Correct inaccurate or incomplete data

• Right to Erasure (Art. 17): Request deletion ("right to be forgotten")

• Right to Restriction (Art. 18): Limit how we process your data

• Right to Data Portability (Art. 20): Receive your data in a machine-readable format

• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing

• Right to Withdraw Consent (Art. 7): Withdraw consent where processing is based on consent

• Right Not to Be Subject to Automated Decision-Making (Art. 22): Including profiling with legal or significant effects

18.2 How to Exercise Your GDPR Rights

• Email: dpo@syntari.ai

• Online: GDPR Request Portal

Verification: We may verify your identity before fulfilling requests.

Response Time: Within 1 month (may extend to 3 months for complex requests with notice).

Free of Charge: We do not charge fees unless requests are manifestly unfounded or excessive.

18.3 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

EU Residents:

• Contact your local Data Protection Authority (DPA)

• List of EU DPAs

UK Residents:

• Information Commissioner's Office (ICO)

Switzerland Residents:

• Federal Data Protection and Information Commissioner (FDPIC)

18.4 Data Protection Officer (DPO)

Our Data Protection Officer can be reached at:

Email: dpo@syntari.ai

19. Brazil Privacy Rights (LGPD)

If you are in Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD):

Your LGPD Rights:

• Confirmation of processing and access to your data

• Correction of incomplete or inaccurate data

• Anonymization, blocking, or deletion

• Portability to another service provider

• Deletion of data processed with consent (when consent is withdrawn)

• Information about public/private entities with whom we share data

• Information about the possibility of denying consent and consequences

• Revocation of consent

How to Exercise:
privacy@syntari.ai

National Data Protection Authority (ANPD):
https://www.gov.br/anpd

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices

• New legal requirements

• Service improvements or new features

• User feedback

How We Notify You:

• Email notification to registered users (for material changes)

• Prominent banner on our website/platform

• Updated "Last Updated" date at the top of this Policy

Material Changes Requiring Consent:

• If changes affect processing based on consent, we will obtain fresh consent where required by law

Your Continued Use: Continued use of our Services after changes constitutes acceptance, unless law requires fresh consent.

21. Contact Us

Questions, Concerns, or Requests?

📧 General Privacy: privacy@syntari.ai
📧 Data Protection Officer: dpo@syntari.ai
📧 AI & LLM Privacy: ai-privacy@syntari.ai

📧 Mail:
Syntari International, Inc.
Attn: Privacy Team
One Marina Park Drive, Suite 1410
Boston, MA 02210
United States

22. Definitions and Legal References

Personal Data / Personal Information: Any information relating to an identified or identifiable natural person, including name, email, IP address, device identifiers, and other data that can directly or indirectly identify you.

Sensitive Personal Information: Includes account login credentials, precise geolocation, racial or ethnic origin, religious beliefs, health data, sexual orientation, biometric data for identification.

Usage Data: Information collected automatically, including IP addresses, browser type, pages visited, time spent, click paths, referring/exit pages, operating system, and other diagnostic data.

User: The individual using Syntari Services, unless otherwise specified, coincides with the Data Subject.

Data Subject: The natural person to whom Personal Data refers.

Data Processor: A natural or legal person who processes Personal Data on behalf of the Data Controller (e.g., our service providers).

Data Controller: Syntari International, Inc., which determines the purposes and means of processing Personal Data.

Services: Syntari Advisory, Syntari Platform (app.syntari.ai), and Syntari Academy, including websites, applications, and related services.

Cookies: Small data files stored on your device that help us provide and improve our Services. See our Cookie Policy.

Sale (CCPA/CPRA): Exchange of Personal Information for monetary or other valuable consideration.

Sharing (CCPA/CPRA): Sharing Personal Information with third parties for cross-context behavioral advertising.

Targeted Advertising: Displaying ads selected based on Personal Information obtained from your activities over time and across non-affiliated websites/apps.

END OF PRIVACY POLICY

This document is legally binding and enforceable. For the most current version, visit syntari.ai/privacy-policy