Legal

Privacy Policy

How Synervaite collects, uses, and protects your information.

Privacy Policy

Synervaite, Inc.

Last Updated: April 13, 2026

Effective Date: April 13, 2026

Synervaite, Inc. (“Synervaite,” “we,” “us,” or “our”) operates the Synervaite platform (the “Platform”), a business operating system accessible via web browser, mobile web application, and progressive web app (collectively, the “Service”). This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you use our Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Service.


  1. Definitions

  • “Account Holder” means the individual or entity that creates an organization account on the Platform.
  • “Authorized User” means any individual granted access to the Platform by an Account Holder, including employees, contractors, and team members operating under assigned roles (owner, admin, manager, member, viewer).
  • “Business Data” means information about the Account Holder’s business operations, including but not limited to customer records, financial data, inventory records, job/work order data, communications, and marketing content.
  • “End Customer” means a customer or client of the Account Holder whose information may be stored or processed within the Platform.
  • “Connected Platform” means any third-party service connected to the Platform through OAuth authorization or API integration, including but not limited to Salesforce, QuickBooks, Google Workspace, Meta (Facebook, Instagram), LinkedIn, HubSpot, RingCentral, Microsoft 365, Dropbox, and WhatsApp.
  • “AI Agent” means an automated software process operating within the Platform that performs tasks on behalf of an Account Holder, subject to configurable autonomy controls and governance policies.
  • “Knowledge Base” means the structured repository of business information created through interviews, document uploads, and manual entries that informs AI-generated content and agent behavior.
  1. Information We Collect

2.1 Account and Profile Information

When you create an account, we collect:

  • Full name, email address, and password (or authentication credentials via single sign-on)
  • Organization name, industry classification, business description, and business model
  • Role and permission level within the organization
  • Team size, customer type, and operational configuration preferences
  • Billing information including name, billing address, and payment method (processed and stored by Stripe, Inc.; we do not store full credit card numbers)

2.2 Business Data Provided by Account Holders

Account Holders and Authorized Users may input, upload, or generate the following types of Business Data through the Platform:

  • CRM Data: Contact records, company records, deal/opportunity records, pipeline stages, activity logs, communication histories, lead sources, and custom fields
  • Financial Data: Invoices, estimates, expenses, payments, purchase orders, journal entries, chart of accounts, bank transaction data, and financial reports
  • Operational Data: Job/work order records, service catalog items, job checklists and completion records, materials allocation and consumption, time tracking entries, scheduling data, and booking records
  • Inventory Data: Item records, stock levels, stock adjustments, reorder thresholds, vendor information, and inventory transaction histories
  • Marketing Content: Generated content (blog posts, social media posts, email campaigns, ad copy, brochures, case studies, press releases, newsletters, website copy, video scripts), marketing campaigns, content calendars, audience segments, and web form submissions
  • Media Assets: Images, logos, brand files, and other media uploaded to the Platform’s asset library
  • Knowledge Base Content: Business information collected through AI-guided interviews, uploaded documents (PDF, DOCX, TXT, MD, CSV, XLSX), uploaded audio files and their transcriptions, guardrail rules, and condensed business profiles
  • Communications Data: Email messages synced through connected email accounts, SMS messages, web chat transcripts, and messaging platform conversations
  • Employee and Team Data: Team member names, email addresses, roles, permissions, time entries, timesheets, and department assignments

2.3 Data from Connected Platforms

When Account Holders connect third-party platforms through OAuth authorization, we access and store data from those platforms as authorized by the Account Holder. This may include:

  • CRM Platforms (Salesforce, HubSpot): Contacts, leads, opportunities, accounts, tasks, activities, custom objects, and communication records
  • Financial Platforms (QuickBooks): Chart of accounts, invoices, expenses, payments, customers, vendors, bank transactions, profit and loss statements, balance sheets, and cash flow data
  • Social Media Platforms (Facebook, Instagram, LinkedIn, Google Business Profile): Page information, post content and engagement metrics, ad account data, campaign performance, audience insights, review data, business location information, and follower analytics
  • Email Platforms (Gmail, Outlook/Microsoft 365): Email message headers, bodies, and attachments for synced conversations; calendar events and scheduling data; contact information
  • Communication Platforms (RingCentral, WhatsApp): Call logs, message histories, and communication metadata
  • Productivity Platforms (Dropbox, Microsoft 365): File metadata, brand assets, and document content as authorized
  • Advertising Platforms (Meta Marketing API): Ad account information, campaign structures, ad creative data, audience definitions, ad performance metrics, spend data, and conversion tracking

2.4 Data Collected Automatically

When you use the Service, we automatically collect:

  • Usage Data: Pages visited, features used, buttons clicked, timestamps, session duration, and interaction patterns
  • Device Information: Browser type and version, operating system, device type, screen resolution, and device identifiers
  • Network Information: IP address, approximate geographic location derived from IP address, and referring URLs
  • Performance Data: Error logs, load times, and system performance metrics
  • Push Notification Tokens: Device tokens for delivering push notifications when subscribed through the progressive web app

2.5 Data Collected Through AI Processing

The Platform uses artificial intelligence to process Business Data. During AI processing, the following data may be generated and stored:

  • Content Quality Scores: Automated assessments of generated marketing content
  • Knowledge Base Health Scores: Completeness and confidence metrics for business information coverage across defined categories
  • Shadow Mode Observations: Records of actions an AI Agent would have taken compared to actions actually taken by human users, including agreement rates and performance metrics
  • Embedding Vectors: Mathematical representations of text content used for search and retrieval, generated using third-party embedding models
  • Condensed Business Profiles: AI-generated summaries of business information derived from Knowledge Base content
  • Gap Analysis Results: Assessments of missing or incomplete business information
  • Content Recommendations: AI-generated suggestions for content, follow-up actions, and business operations
  1. How We Use Information

We use the information we collect for the following purposes:

3.1 Providing and Operating the Service

  • Authenticating users and managing organization access and permissions
  • Displaying, organizing, and managing Business Data through the Platform interface
  • Synchronizing data with Connected Platforms as authorized by Account Holders
  • Generating reports, dashboards, insights, and analytics from Business Data
  • Processing billing, subscriptions, and payments through Stripe
  • Delivering notifications via email, SMS, in-app dashboard, and push notifications

3.2 AI-Powered Features

  • Generating marketing content, sales materials, and business communications grounded in Knowledge Base data
  • Conducting AI-guided interviews to build and refine the Knowledge Base
  • Performing hybrid retrieval (keyword and semantic search) across Knowledge Base content to ground AI responses in verified business information
  • Providing natural language business intelligence through the Insights feature, which queries live data from Connected Platforms combined with Knowledge Base context
  • Operating AI Agents in shadow mode to observe and compare automated recommendations against human decisions
  • Operating AI Agents in active mode to perform configured tasks subject to governance rules, autonomy controls, and approval workflows
  • Generating campaign plans, content schedules, and operational recommendations
  • Scoring content quality and analyzing Knowledge Base completeness
  • Auto-tagging uploaded media assets using AI vision capabilities
  • Recommending relevant images for content based on AI analysis
  • Detecting gaps in business information and generating targeted questions to fill them
  • Transcribing uploaded audio files for Knowledge Base ingestion

3.3 Communication

  • Sending transactional emails related to account activity, billing, and platform notifications
  • Delivering notification preferences configured by the user (urgent, approval, informational tiers)
  • Sending emails, SMS messages, or other communications on behalf of Account Holders through connected communication channels, as directed by the Account Holder or their configured AI Agents
  • Publishing content to Connected Platforms (social media posts, ad campaigns) as directed by the Account Holder

3.4 Security and Compliance

  • Monitoring for unauthorized access, fraud, and security threats
  • Enforcing role-based access controls and data scoping
  • Maintaining audit logs of platform events and data changes
  • Enforcing governance rules on AI Agent actions, including mandatory human approval for all financial write operations
  • Encrypting sensitive credentials using AES-256-GCM encryption

3.5 Improvement and Development

  • Analyzing aggregate, de-identified usage patterns to improve Platform features and user experience
  • Diagnosing technical issues, bugs, and performance problems
  • Developing new features and capabilities
  1. How We Share Information

We do not sell personal information. We share information only in the following circumstances:

4.1 Third-Party Service Providers

We use third-party service providers to operate the Platform. These providers process data on our behalf under contractual obligations to protect your information:

Provider

Purpose

Data Processed

Supabase

Database hosting, authentication, file storage

All Platform data

Vercel

Application hosting and delivery

Application code, request logs

Anthropic (Claude API)

AI content generation, analysis, and agent operations

Business Data submitted for AI processing (subject to Anthropic’s data handling policies)

OpenAI

Text embedding generation for search

Text content converted to mathematical vectors

Stripe

Payment processing and subscription management

Billing information, subscription status

Resend

Transactional and marketing email delivery

Email addresses, email content

Twilio

SMS delivery

Phone numbers, message content

Upstash

Rate limiting and caching

Request metadata

Google Cloud Platform

Agent hosting and compute infrastructure

Data processed by AI Agents

4.2 Connected Platforms

When Account Holders authorize connections to third-party platforms, data flows bidirectionally as described in Section 2.3. Each Connected Platform’s use of data is governed by that platform’s own privacy policy. We encourage Account Holders to review the privacy policies of all Connected Platforms.

4.3 Within an Organization

Business Data is accessible to Authorized Users within the same organization according to their assigned role and permission level. The Platform enforces role-based view scoping: owners see all data, managers see their team’s data, members see their own data, and viewers see read-only data as configured.

4.4 At Account Holder Direction

We may share or transmit Business Data as specifically directed by the Account Holder, including:

  • Publishing content to social media platforms
  • Sending communications to End Customers
  • Executing AI Agent actions that interact with Connected Platforms
  • Generating and sending estimates, invoices, or proposals to End Customers through public-facing links

We may disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

4.6 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify Account Holders via email and/or a prominent notice on the Platform of any change in ownership or use of information.

  1. AI Processing and Automated Decision-Making

5.1 How AI Processes Your Data

The Platform uses AI models provided by Anthropic (Claude) and OpenAI to process Business Data. When AI features are used:

  • Business Data relevant to the request is sent to the AI provider’s API for processing
  • The AI provider processes the data and returns results to the Platform
  • We include Knowledge Base context, guardrail rules, and grounding instructions to ensure AI outputs are factually based on verified business information
  • AI-generated content is never fabricated from assumptions; when insufficient information exists, the system asks targeted questions rather than guessing

5.2 AI Agent Governance

AI Agents operating within the Platform are subject to strict governance controls:

  • All financial write operations (creating invoices, processing payments, modifying expenses, generating journal entries) require human approval regardless of agent autonomy settings
  • Agents operate under configurable autonomy levels: draft only, act within defined limits, or full autopilot
  • All agent actions are logged with full audit trails including what action was taken, what policy governed it, and what changed
  • Account Holders can pause, demote, or disable any AI Agent at any time
  • Agents operate only within the scope of permissions and data access granted by the Account Holder

5.3 Shadow Mode

Before AI Agents are activated, the Platform may operate them in “shadow mode” where the agent observes human actions and records what it would have done, without taking any actual action. Shadow mode data is used solely to evaluate agent accuracy and build confidence before activation. Account Holders can view shadow mode performance metrics and choose whether to activate an agent.

5.4 Data Sent to AI Providers

When processing AI requests, we send the minimum data necessary for the specific task. This may include relevant Knowledge Base entries, CRM records, financial data, or other Business Data depending on the feature being used. We do not send your data to AI providers for model training purposes. Our agreements with AI providers prohibit the use of customer data for training or improving their models.

  1. Data Retention

6.1 Active Accounts

We retain Business Data for as long as the Account Holder’s account is active and as needed to provide the Service. Specific retention periods include:

  • Platform event logs: Retained for the life of the account for audit trail purposes
  • Shadow mode observations: Retained for the life of the account or until the associated agent session is deleted
  • AI-generated content: Retained until deleted by an Authorized User
  • Notification records: Retained for 12 months
  • Billing events: Retained as required by applicable tax and financial regulations

6.2 Account Deletion

Account Holders (owner role only) may request deletion of their organization and all associated data. Upon deletion:

  • All Business Data, Knowledge Base content, connected platform tokens, team member records, and generated content are permanently deleted
  • Billing records are anonymized and retained in a separate table as required by financial regulations
  • Deletion is cascading and irreversible
  • Account Holders may export their data before deletion using the GDPR-compliant data export feature

6.3 Data Export

Account Holders may request a full export of their data at any time through the Platform’s data export feature. The export includes data from 25+ tables and redacts sensitive credentials (OAuth tokens, API keys).

  1. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • Encryption at Rest: All OAuth tokens and third-party credentials are encrypted using AES-256-GCM before storage
  • Authentication: User authentication is managed through Supabase Auth with support for email/password and social sign-on
  • Role-Based Access Control: A five-role permission system (owner, admin, manager, member, viewer) with 12 granular permissions controls access to features and data
  • View Scoping: Data queries are automatically scoped based on user role to prevent unauthorized data access across organizational boundaries
  • CSRF Protection: OAuth flows include state token validation with 5-minute expiry to prevent cross-site request forgery
  • Non-Blocking Logging: Security and audit events are logged without impacting user-facing request performance
  • Financial Governance: All financial write operations require explicit human approval regardless of automation or agent configuration

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

  1. Your Rights and Choices

8.1 Access and Portability

You have the right to access your personal information and Business Data stored on the Platform. Account Holders may use the data export feature to obtain a machine-readable copy of their data.

8.2 Correction

You may correct or update your personal information and Business Data at any time through the Platform interface.

8.3 Deletion

Account Holders may delete their organization and all associated data. Individual records (contacts, deals, content, etc.) may be deleted or archived by Authorized Users with appropriate permissions.

8.4 Notification Preferences

Authorized Users may configure their notification preferences including:

  • Channel preferences per notification tier (email, SMS, dashboard)
  • Quiet hours with timezone support
  • Per-category notification overrides
  • Pause controls for non-urgent notifications
  • Push notification subscription management

8.5 Connected Platform Management

Account Holders may connect or disconnect third-party platforms at any time through the Settings page. Disconnecting a platform revokes the Platform’s access to that service and removes stored authentication tokens. Previously synced data may be retained unless specifically deleted.

8.6 AI Feature Controls

Account Holders control AI feature usage including:

  • Enabling or disabling capability domains that control which AI features are active
  • Configuring Knowledge Base guardrails (hard and soft rules) that constrain AI behavior
  • Setting AI Agent autonomy levels and governance policies
  • Pausing, demoting, or disabling AI Agents
  • Reviewing and approving or rejecting AI Agent draft actions before execution
  1. Rights for Residents of Specific Jurisdictions

9.1 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the General Data Protection Regulation:

  • Legal Basis for Processing: We process personal data based on: (a) performance of our contract with you to provide the Service; (b) our legitimate interests in operating, improving, and securing the Service; (c) your consent, where specifically requested; and (d) compliance with legal obligations
  • Right to Restrict Processing: You may request that we restrict processing of your personal data under certain circumstances
  • Right to Object: You may object to processing of your personal data based on legitimate interests
  • Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements
  • Right to Lodge a Complaint: You may lodge a complaint with your local data protection supervisory authority
  • Data Transfers: Your data may be transferred to and processed in the United States, where our servers and service providers are located. We rely on Standard Contractual Clauses and other lawful transfer mechanisms to protect data transferred internationally
  • Data Protection Officer: For GDPR-related inquiries, contact us at support@synervaite.com

When we process personal data of End Customers on behalf of Account Holders, we act as a “data processor” under GDPR. The Account Holder is the “data controller” and is responsible for ensuring they have a lawful basis for processing their End Customers’ data through the Platform.

9.2 California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Opt Out of Sale or Sharing: We do not sell personal information or share it for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Categories of Personal Information Collected: Identifiers, commercial information, internet or electronic network activity, professional or employment-related information, and inferences drawn from the above
  • Retention: We retain personal information as described in Section 6

To exercise your California privacy rights, contact us at support@synervaite.com or call [phone number to be added]. We will verify your identity before fulfilling your request.

9.3 Other U.S. State Privacy Laws

We comply with applicable state privacy laws including those in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy legislation. Residents of these states may have similar rights to access, correct, delete, and opt out of certain processing activities. Contact support@synervaite.com to exercise your rights.

  1. End Customer Data

Account Holders may store personal information about their End Customers within the Platform. With respect to End Customer data:

  • The Account Holder is responsible for obtaining any necessary consents or authorizations from their End Customers before inputting their information into the Platform
  • The Account Holder is responsible for complying with all applicable privacy laws regarding their collection and use of End Customer data
  • We process End Customer data solely as directed by the Account Holder and in accordance with this Privacy Policy
  • End Customers who wish to access, correct, or delete their personal information stored by an Account Holder should contact the Account Holder directly
  • If an End Customer contacts us directly, we will refer them to the relevant Account Holder unless legally required to respond directly
  • Account Holders who operate in regulated industries (healthcare, legal, financial services) are responsible for ensuring their use of the Platform complies with industry-specific regulations (HIPAA, attorney-client privilege, financial data protection requirements)
  1. Children’s Privacy

The Service is designed for business use and is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe we have collected information from a child under 16, please contact us at support@synervaite.com.

  1. Cookies and Similar Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for authentication, session management, and security. These cannot be disabled without affecting Platform functionality
  • Preference Cookies: Store user preferences such as notification settings, dashboard configurations, and display preferences
  • Analytics Cookies: Collect aggregate, anonymized usage data to help us understand how the Platform is used and improve the Service

We do not use cookies for third-party advertising or cross-site tracking. You may control cookies through your browser settings, but disabling essential cookies may prevent you from using the Platform.

  1. Third-Party Links and Integrations

The Platform may contain links to third-party websites or enable integrations with third-party services. This Privacy Policy does not apply to third-party websites or services. We encourage you to review the privacy policies of any third-party services you connect to or access through the Platform, including but not limited to:

  • Salesforce (salesforce.com/company/privacy)
  • Intuit QuickBooks (intuit.com/privacy)
  • Google (policies.google.com/privacy)
  • Meta/Facebook/Instagram (facebook.com/privacy)
  • LinkedIn (linkedin.com/legal/privacy-policy)
  • Microsoft (privacy.microsoft.com)
  • Stripe (stripe.com/privacy)
  1. Data Processing for Mobile and Progressive Web App

When using the Platform through a mobile browser or installed progressive web app (PWA):

  • Push Notifications: We collect device push notification tokens when you subscribe to push notifications. You may unsubscribe at any time through the Platform settings or your device settings
  • Camera Access: If granted permission, the Platform may access your device camera for capturing photos for job documentation, signature capture, or media uploads. Camera access is used only when actively initiated by the user
  • Offline Data: The Platform may cache certain data locally on your device using service worker technology for offline access. Cached data is limited to your current assignments, active job details, and essential client information relevant to your role
  • Location Data: The Platform does not currently collect precise GPS location data. If location features are added in the future, this policy will be updated and your explicit consent will be obtained before collection
  1. International Data Transfers

Synervaite is based in the United States. Your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from your country of residence.

When we transfer personal data internationally, we implement appropriate safeguards including:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with all service providers
  • Technical and organizational security measures as described in Section 7
  1. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the “Last Updated” date at the top of this policy
  • We will notify Account Holders via email and/or an in-platform notification at least 30 days before material changes take effect
  • Continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy
  1. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected Account Holders without undue delay and no later than 72 hours after becoming aware of the breach, where feasible
  • Provide information about the nature of the breach, the data affected, and steps we are taking to address it
  • Notify relevant supervisory authorities as required by applicable law
  • Maintain records of all data breaches including their effects and remedial actions taken
  1. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Synervaite, Inc.

Email: support@synervaite.com

Website: https://synervaite.com

For GDPR-related inquiries, you may also contact our designated privacy representative at the email address above.

For California privacy rights requests, you may contact us at the email address above or call [phone number to be added].

  1. Supplemental Terms for AI-Powered Services

19.1 AI Content Generation Disclaimer

Content generated by the Platform’s AI features is based on the Account Holder’s Knowledge Base data and connected platform data. While we implement safeguards including factual grounding rules, fabrication prohibition, and Knowledge Base gap detection:

  • AI-generated content should be reviewed by the Account Holder before publication or distribution
  • We do not guarantee the accuracy, completeness, or suitability of AI-generated content for any particular purpose
  • Account Holders are responsible for reviewing and approving all content before it is published to external platforms or sent to End Customers
  • AI-generated financial calculations, reports, and projections use deterministic computation methods (SQL aggregation) rather than AI estimation to ensure accuracy

19.2 Agent Action Accountability

When AI Agents perform actions on behalf of an Account Holder:

  • The Account Holder remains responsible for all actions taken by AI Agents operating under their account
  • All agent actions are logged with full audit trails and can be reviewed at any time
  • Account Holders can configure approval requirements, spending limits, and operational boundaries for each agent
  • Agents cannot override governance rules, bypass approval requirements, or exceed configured autonomy levels

19.3 Data Minimization in AI Processing

We follow data minimization principles in AI processing:

  • Only data relevant to the specific AI task is sent to AI providers
  • Token budgets limit the amount of Knowledge Base context included in each AI request based on the purpose (e.g., 5,000 tokens for insights queries, 10,000 tokens for agent builds)
  • AI providers are contractually prohibited from using customer data for model training
  • Embedding vectors are mathematical representations that cannot be reverse-engineered to reconstruct original text