privacy.md

Privacy Policy

Last updated: 2026-06-13. Operated by Synthetic Smarts, Inc. d/b/a Synsmarts.

This is the public-facing summary of how Synsmarts handles personal data. The full GDPR-compliant policy with Article 6 lawful-basis analysis is maintained internally and available on request to privacy@synsmarts.ai.

Who We Are

Synthetic Smarts, Inc., doing business as Synsmarts. A Delaware corporation, with its principal place of business at 2 Park Avenue, 20th Floor, New York, NY 10016.

Privacy contact: privacy@synsmarts.ai for general privacy questions. dpo@synsmarts.ai for GDPR-specific matters (data subject rights requests, supervisory-authority correspondence, EU/UK data protection inquiries).

A Data Protection Officer and an EU Representative will be formally designated upon onboarding our first European customer (per GDPR Articles 27 and 37 where applicable), and their named contact details will be published here at that time. Until then, the dpo@synsmarts.ai mailbox is monitored by our privacy team.

What We Collect and Why

Website Visitors (synsmarts.ai)

Standard server logs (IP address, request path, timestamp, user agent) collected by Cloudflare for security and operational monitoring. No tracking cookies. No analytics that identify you. Logs are retained on Cloudflare's standard retention schedule.

Email Correspondence

If you email us at humans@synsmarts.ai, privacy@synsmarts.ai, or any other Synsmarts address, we receive your email address and message content. We use it only to respond. Email is processed by Google Workspace.

SMS Messaging Program (Internal Staff Only)

Synsmarts operates a US A2P 10DLC SMS program for internal operational alerts. We collect:

Used only for: dispatching operational alerts and tracking which staff acknowledged which incidents. Not used for marketing. Not shared with anyone outside Synsmarts and Twilio (the carrier). Retained while you are an active recipient on the on-call roster; deleted within 30 days of removal from the roster. See /tos for opt-in, opt-out (reply STOP), and help (reply HELP) details.

Platform Tenants (When the Platform Launches)

When the Synsmarts platform launches and you create an account or become a customer, we will collect account, billing, usage, and security-log data as described in our internal GDPR-compliant privacy policy. Categories include:

Lawful basis (GDPR Art 6): contract performance for account and billing; legitimate interest for security logging; legal obligation for tax-record retention. Full per-activity detail available on request.

How Long We Keep It

Who We Share It With

We share personal data only with vendors who help us operate the service. Current sub-processors:

Sub-processor list is maintained internally and material changes affecting platform tenants will be notified at least 30 days in advance per the Data Processing Agreement once the platform launches, giving customers the opportunity to object. We do not sell personal data. We do not share for cross-context advertising.

Automated Decision-Making and AI Processing

We use automated systems and AI models to operate the platform. None of these systems make legal or similarly significant decisions about you without human review.

You have the right to request human review of any automated determination that affects you. Contact privacy@synsmarts.ai.

Data Breaches

If a personal data breach is likely to result in risk to your rights and freedoms, we will notify our supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, as required by Article 34. For platform customers, breach notification SLAs are detailed in the Data Processing Agreement.

Government and Law-Enforcement Requests

We disclose personal data to government or law-enforcement authorities only when legally compelled by a valid order, subpoena, or warrant, or where disclosure is necessary to protect life or prevent serious harm. We review each request for legal validity and scope, and we push back on overbroad requests. Where we are not legally prohibited from doing so, we will notify the affected customer before disclosure so they have an opportunity to challenge it. We will publish a transparency report covering aggregate request statistics beginning with the first full calendar year of platform operation.

Business Transfers

If Synthetic Smarts, Inc. is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred to the successor or acquiring entity as part of that transaction. We will notify affected customers and update this policy before any such transfer takes effect, and the successor will be bound by commitments at least as protective as those in this policy.

Your Rights

Depending on where you live, you have rights under GDPR (EU/UK), CCPA (California), and other privacy laws. These include the right to:

To exercise any of these rights, email privacy@synsmarts.ai. We will verify your identity before acting on substantive requests — typically by confirming control of the email address on file or, for platform tenants, by validating against account credentials. We will respond within 30 days; complex requests may be extended by an additional 60 days with notice. If we decline a request, we will explain why and how to appeal or lodge a complaint with your supervisory authority.

International Transfers

Synsmarts operates from the United States. If you are outside the US (in the EU/UK, for example), your data is transferred to the US under Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework where applicable. Full transfer impact assessments are available on request.

Cookies and Do-Not-Track

This website does not set tracking or analytics cookies. Cloudflare may set strictly-necessary cookies for security and bot mitigation. The platform dashboard (when launched) will use a session cookie for authentication and document its cookie usage at that time.

Because we do not engage in cross-site tracking, there is no behavioral profile to opt out of. We honor browser Do Not Track (DNT) and Global Privacy Control (GPC) signals where they are technically meaningful — in practice, our processing is the same whether or not these signals are present, because we do not sell personal data or share it for cross-context behavioral advertising in any case.

Children

This service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@synsmarts.ai and we will delete it.

California Residents

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents the rights listed in the "your rights" section above. This block is the Notice at Collection required by California law.

In the past 12 months we may have collected the following categories of personal information about California residents:

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use sensitive personal information for purposes other than those allowed by CCPA Section 7027(m).

To exercise your CCPA/CPRA rights, email privacy@synsmarts.ai. We will verify your identity before responding to substantive requests, and we will respond within 45 days (extendable by 45 more days where permitted).

Changes to This Policy

We may update this policy. The "last updated" date above reflects the most recent change. Material changes will be highlighted at the top of the page.

Contact

GDPR / data protection: dpo@synsmarts.ai
Privacy questions (general): privacy@synsmarts.ai
General contact: humans@synsmarts.ai

← back to synsmarts.ai