Privacy Policy
1. Applicability
This Privacy Policy covers Synzo's website (www.synzo.ai), the JSON API at /api/v1/*, the MCP server at /mcp, and the user dashboard at /dashboard. It does not cover Google Gemini's processing of file contents you submit via Synzo's tools — see Google's Privacy Policy for that.
2. Personal Data we Collect
Account information
When you sign in via WorkOS, we store your email address, your WorkOS user ID, and your WorkOS organization ID locally so we can isolate your data from other tenants. We do not store your name. Your organization's display name is generated from the local part of your email when the organization is first created and can be changed later. WorkOS itself may hold additional account information (e.g. your name, SSO provider linkage); see WorkOS's privacy policy for what they collect on our behalf.
Usage data
For every metered API call, we record the following metadata to our usage_events table: organization ID, API key ID (only when called with an API key), authentication method (oauth or api_key), tool name, unit count, status (ok / error / refunded), error code if any, and timestamp. We never store the contents of the documents or images you submit; only the metadata above.
Document and image contents
When you call a tool over the MCP server or JSON API at /api/v1/*, the file you submit is held in memory only for the duration of the call and is not written to any persistent storage on our side. The MCP upload_file tool stores the bytes in process memory under a one-time token for up to 1 hour to support multi-step tool chains; you can delete the token earlier by letting it expire or by not chaining further calls. Tools that produce binary output (such as redact_pii and detect_faces) return a short-lived URL to a memory-resident copy of the result, expiring after 1 hour. The MCP server may also fetch a file when you pass a content_url argument; that fetch is restricted to HTTPS endpoints with public IPs and a 10 MB size cap, and we do not retain the URL after the call. When you use the public web UI on www.synzo.ai (the HTMX surface — /summarizer, /translator, /redactor, /vision), your file is uploaded to S3-compatible object storage as transient scratch space so the worker can produce a downloadable result; these objects are not retained as part of any permanent record and are subject to bucket cleanup. In all paths, file contents are transmitted to Google Gemini for processing — see Google's privacy policy.
Log data
IP address, user-agent, and request timestamps via Railway's edge logs and Flask access logs.
Cookies
One Flask session cookie (marked HttpOnly, Secure, SameSite=Strict) for the dashboard and sign-in flow. No third-party trackers, no analytics — verified by source-code review: there is no Sentry, Datadog, New Relic, PostHog, Google Analytics, or comparable SDK in the codebase.
3. How we Use Personal Data
- Provide the service (process the tool call you requested).
- Bill for usage and prevent abuse (once paid plans launch).
- Respond to support requests.
- Detect and respond to security or fraud events.
- Comply with legal obligations.
5. Security
Data in transit is encrypted via TLS (terminated at Railway's edge). Data at rest in Postgres is encrypted at the storage layer. API keys are hashed (SHA-256) before storage; we never store raw keys. For vulnerability reports, see our security page.
6. International Data Transfers
Synzo is hosted in the United States. If you access the service from the EU, UK, or Switzerland, your data is transferred to the US. We rely on Standard Contractual Clauses (SCCs) for these transfers as the lawful transfer mechanism.
7. Data Retention
- Usage events (metadata only): retained for 90 days, then deleted.
- User and organization records: retained until you request deletion; processed within 30 days.
- Document bodies: never retained — they exist only in memory during the tool call.
8. Jurisdiction-Specific Provisions
EEA / UK / Switzerland (GDPR / UK GDPR)
Our lawful bases for processing are: Contract (providing the service), Legitimate Interest (security, fraud prevention), and Consent (only where we ask for it — currently none, as we use no non-essential cookies).
You have the right to: access your personal data, request rectification, request erasure, request portability, and object to processing. To exercise any of these rights, email paul@redmapleresearch.ca. You also have the right to lodge a complaint with your local supervisory authority.
United States / California (CCPA)
Categories of personal information we collect: Account, Usage, Log, Cookies (as described above). We do not sell or share personal information. You have the right to know, delete, and opt out (the last is N/A as we do not sell).
9. Minors
Synzo is not directed to individuals under 18, and we do not knowingly collect personal data from minors. If you believe a minor has provided us personal data, please contact us so we can remove it.
10. Your Data Protection Rights
To exercise any data protection right (access, deletion, rectification, portability, objection), email paul@redmapleresearch.ca. We respond within 30 days.
11. Updates to this Policy
We update this policy when our practices change. The "Last updated" date at the top reflects the most recent revision. For material changes, we notify organization owners by email.
12. How to Contact us
For privacy questions or to exercise your rights: paul@redmapleresearch.ca.