Privacy Policy
Last updated: 2026-06-13. Operated by Synthetic Smarts, Inc. d/b/a Synsmarts.
This is the public-facing summary of how Synsmarts handles personal data. The full GDPR-compliant policy with Article 6 lawful-basis analysis is maintained internally and available on request to privacy@synsmarts.ai.
Who We Are
Synthetic Smarts, Inc., doing business as Synsmarts. A Delaware corporation, with its principal place of business at 2 Park Avenue, 20th Floor, New York, NY 10016.
Privacy contact: privacy@synsmarts.ai for general privacy questions. dpo@synsmarts.ai for GDPR-specific matters (data subject rights requests, supervisory-authority correspondence, EU/UK data protection inquiries).
A Data Protection Officer and an EU Representative will be formally designated upon onboarding our first European customer (per GDPR Articles 27 and 37 where applicable), and their named contact details will be published here at that time. Until then, the dpo@synsmarts.ai mailbox is monitored by our privacy team.
What We Collect and Why
Website Visitors (synsmarts.ai)
Standard server logs (IP address, request path, timestamp, user agent) collected by Cloudflare for security and operational monitoring. No tracking cookies. No analytics that identify you. Logs are retained on Cloudflare's standard retention schedule.
Email Correspondence
If you email us at humans@synsmarts.ai, privacy@synsmarts.ai, or any other Synsmarts address, we receive your email address and message content. We use it only to respond. Email is processed by Google Workspace.
SMS Messaging Program (Internal Staff Only)
Synsmarts operates a US A2P 10DLC SMS program for internal operational alerts. We collect:
- Phone number — provided during employee onboarding for the explicit purpose of receiving on-call alerts
- Name and employee identifier — to route alerts to the correct on-call recipient
- Message delivery metadata — Twilio delivery receipts, error codes, ack/escalation events
Used only for: dispatching operational alerts and tracking which staff acknowledged which incidents. Not used for marketing. Not shared with anyone outside Synsmarts and Twilio (the carrier). Retained while you are an active recipient on the on-call roster; deleted within 30 days of removal from the roster. See /tos for opt-in, opt-out (reply STOP), and help (reply HELP) details.
Platform Tenants (When the Platform Launches)
When the Synsmarts platform launches and you create an account or become a customer, we will collect account, billing, usage, and security-log data as described in our internal GDPR-compliant privacy policy. Categories include:
- Account data: name, email, hashed password, MFA tokens, login history, API keys
- Billing data: name, email, payment-method tokens (we never store card numbers — handled by Authorize.net), invoice history, usage records
- Platform security logs: IP addresses, request metadata, error traces (PII redacted before long-term storage)
- SSH session audit logs (commands, timestamps, IPs) for tenant environments you access
Lawful basis (GDPR Art 6): contract performance for account and billing; legitimate interest for security logging; legal obligation for tax-record retention. Full per-activity detail available on request.
How Long We Keep It
- Active accounts and active SMS recipients: while the relationship is active
- Closed accounts: deleted within 30 days (live data within 7 days; backups expire on the standard 30-day cycle)
- Login history and security audit logs: 12 months
- Operational metrics: 90 days
- Invoice and payment records: 7 years (US tax law; WORM-protected)
- Email correspondence: while operationally needed; reviewed annually
Who We Share It With
We share personal data only with vendors who help us operate the service. Current sub-processors:
- Amazon Web Services — infrastructure hosting (us-east-1), including SES for transactional email
- Cloudflare — DNS, CDN, edge security, Pages hosting
- Google Workspace — email, calendar, document storage
- Twilio — SMS messaging delivery (A2P 10DLC)
- Authorize.net — payment processing (when platform launches)
- Anthropic — AI inference for the diagnostic engine and abuse-pattern review (no training on customer data per Anthropic's commercial terms; ephemeral processing)
- Slack — internal workspace
Sub-processor list is maintained internally and material changes affecting platform tenants will be notified at least 30 days in advance per the Data Processing Agreement once the platform launches, giving customers the opportunity to object. We do not sell personal data. We do not share for cross-context advertising.
Automated Decision-Making and AI Processing
We use automated systems and AI models to operate the platform. None of these systems make legal or similarly significant decisions about you without human review.
- Abuse and security detection — automated rules and AI-assisted review flag suspicious traffic, credential-stuffing attempts, and policy violations. Any account-level action (suspension, throttling, termination) requires human confirmation within 24 hours.
- Diagnostic engine — when you open a support case, an AI model may analyze your tenant's logs and configuration to suggest a root cause. The AI's output is reviewed by a Synsmarts engineer before any change is recommended or made to your environment. Inference runs through Anthropic; data is not used to train models.
- Billing and provisioning — automated workflows create, scale, and bill tenants according to your subscription. These are deterministic systems following your instructions, not AI-driven decisions.
You have the right to request human review of any automated determination that affects you. Contact privacy@synsmarts.ai.
Data Breaches
If a personal data breach is likely to result in risk to your rights and freedoms, we will notify our supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, as required by Article 34. For platform customers, breach notification SLAs are detailed in the Data Processing Agreement.
Government and Law-Enforcement Requests
We disclose personal data to government or law-enforcement authorities only when legally compelled by a valid order, subpoena, or warrant, or where disclosure is necessary to protect life or prevent serious harm. We review each request for legal validity and scope, and we push back on overbroad requests. Where we are not legally prohibited from doing so, we will notify the affected customer before disclosure so they have an opportunity to challenge it. We will publish a transparency report covering aggregate request statistics beginning with the first full calendar year of platform operation.
Business Transfers
If Synthetic Smarts, Inc. is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred to the successor or acquiring entity as part of that transaction. We will notify affected customers and update this policy before any such transfer takes effect, and the successor will be bound by commitments at least as protective as those in this policy.
Your Rights
Depending on where you live, you have rights under GDPR (EU/UK), CCPA (California), and other privacy laws. These include the right to:
- Know what data we hold about you
- Receive a copy (data portability)
- Correct inaccurate data
- Delete your data (subject to legal retention requirements like tax records)
- Object to processing based on legitimate interest
- Withdraw consent at any time (where consent is the lawful basis)
- Lodge a complaint with your supervisory authority
To exercise any of these rights, email privacy@synsmarts.ai. We will verify your identity before acting on substantive requests — typically by confirming control of the email address on file or, for platform tenants, by validating against account credentials. We will respond within 30 days; complex requests may be extended by an additional 60 days with notice. If we decline a request, we will explain why and how to appeal or lodge a complaint with your supervisory authority.
International Transfers
Synsmarts operates from the United States. If you are outside the US (in the EU/UK, for example), your data is transferred to the US under Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework where applicable. Full transfer impact assessments are available on request.
Cookies and Do-Not-Track
This website does not set tracking or analytics cookies. Cloudflare may set strictly-necessary cookies for security and bot mitigation. The platform dashboard (when launched) will use a session cookie for authentication and document its cookie usage at that time.
Because we do not engage in cross-site tracking, there is no behavioral profile to opt out of. We honor browser Do Not Track (DNT) and Global Privacy Control (GPC) signals where they are technically meaningful — in practice, our processing is the same whether or not these signals are present, because we do not sell personal data or share it for cross-context behavioral advertising in any case.
Children
This service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@synsmarts.ai and we will delete it.
California Residents
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents the rights listed in the "your rights" section above. This block is the Notice at Collection required by California law.
In the past 12 months we may have collected the following categories of personal information about California residents:
- Identifiers — name, email address, IP address, phone number (SMS recipients), account or employee identifier
- Commercial information — invoice and payment history (when the platform launches)
- Internet or network activity — interactions with the website, platform usage logs (when the platform launches)
- Geolocation data — approximate location derived from IP address, never precise GPS
- Professional or employment information — limited to staff who opt in to the SMS alert program
- Inferences — operational signals drawn from the above (e.g. incident routing and escalation patterns)
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use sensitive personal information for purposes other than those allowed by CCPA Section 7027(m).
To exercise your CCPA/CPRA rights, email privacy@synsmarts.ai. We will verify your identity before responding to substantive requests, and we will respond within 45 days (extendable by 45 more days where permitted).
Changes to This Policy
We may update this policy. The "last updated" date above reflects the most recent change. Material changes will be highlighted at the top of the page.
Contact
GDPR / data protection: dpo@synsmarts.ai
Privacy questions (general): privacy@synsmarts.ai
General contact: humans@synsmarts.ai