LEGAL

Privacy Policy

Last Updated

Jan 22, 2026

Effective Date: January 22, 2026
Last Updated: January 22, 2026
Version: 2.0

  1. Introduction

1.1 Overview
Syntari AI, Inc. ("Syntari," "we," "us," "our") is committed to protecting your privacy and the privacy of the individuals whose data you process through our platform. This Privacy Policy explains how we collect, use, disclose, and protect information in connection with our consulting management and AI-powered analytics platform (the "Services").

1.2 Scope
This Privacy Policy applies to:
• Visitors to our website (syntari.ai)
• Users of our web application and mobile applications
• Individuals whose personal data is processed through our platform
• Business contacts and prospective customers

1.3 Data Controller
For purposes of applicable data protection laws, Syntari AI, Inc. is the data controller for personal data we collect directly from you. When you use our Services to process your clients' data, you are the data controller and Syntari acts as a data processor on your behalf.

1.4 Contact Information
Data Protection Officer: dpo@syntari.ai
Privacy Inquiries: privacy@syntari.ai
Mailing Address: Syntari AI, Inc., [Address], [City, State ZIP]

  2. Information We Collect

2.1 Information You Provide

2.1.1 Account Information
• Name, email address, phone number
• Job title and company name
• Billing and payment information
• Profile photo (optional)
• Communication preferences

2.1.2 Customer Data
When you use our Services, you may upload or create:
• Client information (names, contact details, company information)
• Engagement and project data
• Financial and billing information
• Documents, proposals, and contracts
• Communications and notes
• Any other data you choose to input

2.1.3 Communications
• Emails and messages sent to us
• Support requests and feedback
• Survey responses
• Participation in webinars or events

2.2 Information Collected Automatically

2.2.1 Usage Data
• Features used and actions taken
• Search queries within the platform
• Time spent on different sections
• Error logs and performance data

2.2.2 Device and Technical Data
• IP address and approximate location
• Browser type and version
• Operating system
• Device identifiers
• Screen resolution and language settings

2.2.3 Cookies and Tracking Technologies
We use cookies and similar technologies as described in our Cookie Policy. These collect:
• Session information
• Authentication tokens
• Preference settings
• Analytics data

2.3 Information from Third Parties

2.3.1 Integrations
When you connect third-party services (e.g., email, calendar, CRM), we receive data from those services as authorized by you.

2.3.2 Single Sign-On
If you use SSO providers (Google, Microsoft, Okta), we receive basic profile information as configured by your identity provider.

2.3.3 Business Information
We may receive business contact information from data providers to support our marketing efforts, subject to applicable laws.

  3. How We Use Information

3.1 Providing Services
• Creating and managing your account
• Processing and storing your Customer Data
• Enabling platform features and functionality
• Providing AI-powered insights and recommendations
• Generating reports and analytics
• Processing payments

3.2 Improving Services
• Analyzing usage patterns to improve features
• Developing new products and services
• Training AI models (aggregated, anonymized data only, with consent)
• Conducting research and analysis
• Fixing bugs and technical issues

3.3 Communications
• Sending service-related notifications
• Providing customer support
• Sending marketing communications (with consent)
• Conducting surveys and requesting feedback
• Announcing product updates and changes

3.4 Security and Compliance
• Protecting against fraud and unauthorized access
• Enforcing our Terms of Service
• Complying with legal obligations
• Maintaining audit logs (7-year retention for compliance)
• Responding to legal requests

3.5 Legal Bases for Processing (GDPR)
We process personal data based on the following legal bases:
• Contract Performance: To provide our Services as agreed
• Legitimate Interests: To improve our Services, prevent fraud, and market our products
• Consent: For optional processing such as marketing emails
• Legal Obligation: To comply with applicable laws

For detailed information about our GDPR practices, see our GDPR Notice.

  4. How We Share Information

4.1 Service Providers
We share information with trusted service providers who assist in operating our Services:

| Category | Purpose | Data Shared |
| --- | --- | --- |
| Cloud Infrastructure | Hosting and storage | All data |
| Payment Processing | Payment handling | Payment information |
| Email Services | Transactional emails | Email addresses |
| Analytics | Usage analysis | Anonymized usage data |
| Customer Support | Support tickets | Contact and support data |
| Security | Threat detection | Security logs |

All service providers are bound by data processing agreements and security requirements.

4.2 Business Partners
With your consent, we may share information with:
• Integration partners for connected services
• Consulting partners for implementation support
• Resellers and referral partners

4.3 Legal Requirements
We may disclose information when required by law or to:
• Comply with legal process (subpoenas, court orders)
• Respond to government requests
• Protect our rights and safety
• Investigate potential violations

4.4 Business Transfers
In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any change in ownership or use of your data.

4.5 Aggregated Data
We may share aggregated, de-identified data for industry benchmarks, research, and marketing purposes. This data cannot identify you or your clients.

4.6 Your Direction
We share information at your direction when you:
• Use integrations with third-party services
• Share documents or data with others
• Export your data

  5. Data Sharing Disclosure (CCPA)

5.1 Categories Sold/Shared
In the preceding 12 months, Syntari has NOT sold personal information to third parties as defined by the California Consumer Privacy Act.

5.2 Categories Disclosed for Business Purposes
We have disclosed the following categories of personal information for business purposes:
• Identifiers (to service providers)
• Commercial information (to payment processors)
• Internet activity (to analytics providers)
• Professional information (to service providers)

For more information about your California privacy rights, see our CCPA Notice.

  6. Data Retention

6.1 Retention Periods

| Data Type | Retention Period | Basis |
| --- | --- | --- |
| Account Data | Duration of account + 90 days | Contract |
| Customer Data | Duration of subscription + 90 days | Contract |
| Billing Records | 7 years | Legal requirement |
| Audit Logs | 7 years | Compliance (SOC 2, HIPAA) |
| Marketing Data | Until consent withdrawn | Consent |
| Support Tickets | 3 years | Legitimate interest |
| Usage Analytics | 2 years (anonymized after) | Legitimate interest |

6.2 Deletion
Upon request or account termination:
• Customer Data is deleted within 90 days
• Backups are purged within 180 days
• Some data may be retained as required by law

6.3 Anonymization
Where full deletion is not possible, we anonymize data so it can no longer identify individuals.

  7. Data Security

7.1 Security Measures
We implement comprehensive security measures including:

Technical Controls:
• Encryption in transit (TLS 1.3)
• Encryption at rest (AES-256)
• Multi-factor authentication (TOTP)
• Role-based access control (50+ permissions)
• DLP scanning for sensitive data detection
• Regular vulnerability scanning and penetration testing

Organizational Controls:
• Security awareness training for all personnel
• Background checks for employees
• Incident response procedures
• Business continuity planning
• Vendor security assessments

7.2 Compliance Certifications
Our security program is designed to meet:
• SOC 2 Type 2
• ISO 27001
• HIPAA (with BAA)
• GDPR
• CCPA/CPRA

7.3 Audit Logging
All access to personal data is logged with:
• User identity
• Timestamp
• Action performed
• Data accessed
• IP address

Audit logs are retained for 7 years and protected against tampering.

  8. Your Rights

8.1 All Users
Regardless of location, you have the right to:
• Access your account information
• Update or correct your information
• Delete your account
• Export your data
• Opt out of marketing communications

8.2 European Users (GDPR)
If you are in the European Economic Area, UK, or Switzerland, you also have the right to:
• Access your personal data
• Rectify inaccurate data
• Erasure ("right to be forgotten")
• Restrict processing
• Data portability
• Object to processing
• Withdraw consent
• Lodge a complaint with a supervisory authority

See our GDPR Notice for detailed information.

8.3 California Users (CCPA/CPRA)
California residents have additional rights:
• Know what personal information is collected
• Know if information is sold or disclosed
• Opt out of sale of personal information
• Delete personal information
• Non-discrimination for exercising rights
• Correct inaccurate information
• Limit use of sensitive personal information

See our CCPA Notice for detailed information.

8.4 Exercising Your Rights
To exercise your rights:
• Self-Service: Use account settings for many requests
• Email: privacy@syntari.ai
• Web Form: syntari.ai/privacy-request

We respond to verified requests within 30 days (or as required by law).

  9. International Data Transfers

9.1 Transfer Locations
Your data may be transferred to and processed in the United States and other countries where our service providers operate.

9.2 Transfer Safeguards
For transfers from the EEA, UK, or Switzerland, we use:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with appropriate safeguards
• Supplementary measures including encryption and access controls

9.3 Privacy Shield
While Privacy Shield is no longer valid for EU-US transfers, Syntari continues to adhere to Privacy Shield principles as a demonstration of our commitment to data protection.

  10. Children's Privacy

10.1 Age Restrictions
Our Services are not directed to children under 16. We do not knowingly collect personal information from children under 16.

10.2 Parental Rights
If you believe we have collected information from a child under 16, please contact us immediately at privacy@syntari.ai. We will promptly delete such information.

  11. Third-Party Links

11.1 External Sites
Our Services may contain links to third-party websites. We are not responsible for the privacy practices of those sites.

11.2 Integrations
When you use third-party integrations, your data may be shared with those services according to their privacy policies.

  12. Updates to This Policy

12.1 Modifications
We may update this Privacy Policy periodically. Material changes will be communicated via email or through the Services at least 30 days before becoming effective.

12.2 Version History
Previous versions of this Privacy Policy are available upon request.

12.3 Review
We review this Privacy Policy at least annually to ensure it remains accurate and compliant.

  13. Data Processing for Customers

13.1 Customer as Controller
When you use our Services to process your clients' or employees' data, you are the data controller and Syntari is a data processor.

13.2 Processing Instructions
We process Customer Data only according to your instructions as provided through the Services and our Data Processing Agreement.

13.3 Data Processing Agreement
Enterprise customers may request a Data Processing Agreement that includes:
• Processing details and limitations
• Security obligations
• Sub-processor management
• Data subject rights assistance
• Breach notification procedures
• Audit rights

13.4 Sub-Processors
We use sub-processors to provide the Services. A current list of sub-processors is available in our Data Processing Agreement and is updated with at least 30 days' notice.

  14. AI and Automated Processing

14.1 AI Features
Our Services include AI-powered features that process your data to provide:
• Intelligent recommendations
• Automated insights
• Predictive analytics
• Document generation assistance
• Search and discovery

14.2 AI Decision-Making
We do not use fully automated decision-making that produces legal or similarly significant effects without human review.

14.3 AI Training
• Default: Your data is NOT used to train our AI models
• Opt-In: You may opt in to contribute anonymized, aggregated data to improve our AI
• Your Choice: This setting is controlled in your privacy preferences

14.4 AI Transparency
Upon request, we can provide information about the logic involved in AI recommendations and their potential consequences.

  15. Sensitive Data

15.1 Types of Sensitive Data
Our DLP service automatically detects and protects:
• Social Security Numbers
• Financial account numbers
• Payment card information
• Health information
• Government identifiers

15.2 Special Protections
Sensitive data receives enhanced protection including:
• Additional encryption
• Stricter access controls
• Enhanced audit logging
• Automatic classification alerts

15.3 Health Information (HIPAA)
If you process Protected Health Information (PHI), additional requirements apply. Contact us to execute a Business Associate Agreement.

  16. Contact Us

16.1 Privacy Questions
For questions about this Privacy Policy or our privacy practices:
• Email: privacy@syntari.ai
• Data Protection Officer: dpo@syntari.ai

16.2 Data Requests
To submit a data subject request:
• Web Form: syntari.ai/privacy-request
• Email: privacy@syntari.ai

16.3 Complaints
If you have concerns about our privacy practices:

  1. Contact us first at privacy@syntari.ai

  2. If unresolved, you may contact your local data protection authority

Document History

| Version | Date | Changes |
| --- | --- | --- |
| 2.0 | January 22, 2026 | Comprehensive update with compliance framework alignment |
| 1.0 | December 20, 2025 | Initial release |

This Privacy Policy was last updated on January 22, 2026. By using Syntari's Services, you acknowledge that you have read and understood this Privacy Policy.