1. Introduction
Synolo LLC ("Synolo," "we," "us," or "our") operates the Synolo application and website at synolo.app. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. By using Synolo, you agree to this Privacy Policy. If you don't agree, please don't use the service.
Synolo LLC is incorporated in Pennsylvania, USA. For privacy-related questions, contact us at hello@synolo.app.
2. Google API Services User Data Policy (Limited Use)
Synolo's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In plain English:
- We only use Google account data to power features you have signed up for.
- We do not sell, rent, or share Google data for advertising or marketing.
- We do not use Google data to train AI or machine learning models, whether ours or anyone else's.
- Humans on our team do not read your Google data, except (a) with your explicit consent for support, (b) for security reasons such as investigating an attack, or (c) where required by law.
3. Google Scopes We Request
When you connect your Google account, Synolo requests a small set of permissions ("scopes"). Each one is listed below with what it grants, why we need it, and what we never do with the data.
| Scope | What it grants | Why we need it | What we never do |
|---|
| userinfo.email, userinfo.profile | Your email address, name, and profile photo | Sign you in and identify your account | Share with anyone for advertising or sell to third parties |
| calendar | Read, create, edit, and delete events on your calendars; create and delete additional calendars | Power Synolo's calendar view, Key Dates, and agent-driven scheduling | Use your events for advertising or train AI models on them |
If we add new Google scopes in the future, we will ask you to re-authorize. We will not silently expand our access.
You can revoke Synolo's access at any time at myaccount.google.com → Security → Third-party apps with account access → Synolo → Remove access.
4. Information We Collect
4.1 Information you provide
- Account info: name, email address, password (hashed and salted), timezone, and currency preferences.
- Content you create: notes, tasks, contacts, calendar events, board entries, journal entries, photos, meeting recordings, chat messages with the AI, and any other content you enter into the app.
- Financial data: if you connect a bank account via Plaid, we receive transactions, account balances, and institution details, cached on our servers.
- Meeting recordings: if you use meeting transcription, audio is temporarily stored on our servers, sent to OpenAI Whisper for transcription, and deleted from our servers immediately after transcription completes. Transcript text is kept as notes inside your account.
- Internal service tokens (such as the Meeting Recorder auth token) are encrypted at rest with AES-256-GCM.
- Support communications: the contents of messages you send us.
4.2 Information collected automatically
- Authentication cookies: a secure HTTP-only session token, a session identifier, and a non-sensitive login indicator. If a Synolo admin is impersonating an account for support, an additional pair of cookies tracks and restores their original session. All expire after 7 days.
- Push notification tokens: if you opt in to push notifications, we store your browser push subscription endpoint.
- Weather location: if you use the weather feature, your approximate location is sent to Open-Meteo and Nominatim (OpenStreetMap) to retrieve forecast data. Not persisted by us.
- Device and login metadata: on each login we record your IP address, an approximate city and country derived from the IP (via ip-api.com), browser and operating system, and a hashed device fingerprint. Used only for the security features below (known-device recognition, session management, suspicious-activity alerts) and visible to you at Settings → Security → Active Sessions.
4.3 Information we do not collect
- We do not use third-party analytics, tracking pixels, or advertising technology in the application.
- We do not track your browsing outside of Synolo.
- We do not use cookies for advertising or cross-site tracking.
- We do not sell, rent, or share your personal information with third parties for advertising or marketing.
5. How We Use Your Information
- To provide the service: your content and data power the features you interact with (calendar, tasks, notes, finance, contacts, journal, recordings, agents, and more).
- AI features: your content may be sent to OpenAI, Anthropic, or Google to power chat, summaries, suggestions, categorization, and agent automation. We do not train AI models on your data. The spending categorizer remembers your individual category corrections as private rules within your account; these stay in your account and are never used to train any model.
- Meeting transcription: audio is sent to OpenAI's Whisper API and deleted from our servers as soon as transcription completes.
- Transactional email: we use Brevo to send account email (password reset, email verification, trial reminders, announcements). We track opens and link clicks for announcement emails only.
- Payment processing: Stripe handles billing. We store your Stripe customer ID and subscription status, but never see or store credit card numbers.
- Security: device and login metadata are used to detect suspicious activity and notify you of new logins from unfamiliar places.
- Service improvement: we may review aggregated, non-identifying usage patterns to improve functionality. We do not use the contents of your notes, tasks, calendar events, or other personal content for this purpose.
6. Third-Party Processors
We share data with the third parties below only as needed to operate the application. Each acts as a data processor on our behalf and is bound by its own privacy commitments.
| Provider | Purpose | Privacy policy |
|---|
| Hetzner Online GmbH | Server hosting (Nuremberg, Germany) | View |
| Cloudflare, Inc. | CDN, DDoS protection, TLS termination, encrypted off-site backups (R2) | View |
| Google LLC | OAuth sign-in, Calendar API, and Gemini AI | View |
| OpenAI | AI chat, summaries, embeddings, Whisper transcription, image generation | View |
| Anthropic | AI chat and reasoning (Claude) | View |
| Stripe | Payment processing and subscription management | View |
| Plaid | Bank account connection and transaction sync | View |
| Brevo | Transactional and announcement email delivery | View |
| Sentry | Error monitoring and crash reporting | View |
| CoinGecko | Cryptocurrency price data | View |
| Open-Meteo | Weather forecasts | View |
| Nominatim (OpenStreetMap) | Geocoding for weather location lookup | View |
| Frankfurter | Currency exchange rates | View |
| LibreTranslate | On-demand translation (if enabled) | View |
| ip-api.com | Approximate city and country from IP on login | View |
We do not sell, rent, or share your personal information with third parties for advertising or marketing.
6.1 AI providers and your Google data
When you use AI features that touch your Calendar data, that data may be sent to the AI provider you have selected to process the request. We do not consent to providers using your data to train models where an opt-out is available, and we never send Google data outside of fulfilling a request you initiated. We are not currently on enterprise zero-retention tiers; provider-side handling otherwise follows their default API terms (typically a short retention window for abuse detection).
7. Data Storage and Security
- Your data is stored on our servers in Nuremberg, Germany (Hetzner) in an encrypted SQLite database. The database file is encrypted at rest using SQLCipher (AES-256), so direct file access does not yield readable data without the master key.
- Each user's data is logically isolated by a per-user scope in the database. Every API route validates the requesting user's identity before reading or writing data, and the database file itself has restricted file-system permissions.
- All client-server traffic is encrypted via TLS 1.2 or higher, terminated at Cloudflare's edge.
- Passwords are hashed using scrypt with per-user salts.
- Sensitive credentials (Plaid access tokens, OAuth refresh tokens, internal service tokens) are encrypted at rest with AES-256-GCM.
- Session tokens are signed with HMAC-SHA256 and stored in HTTP-only, secure, same-site cookies.
- Optional two-factor authentication via TOTP authenticator apps is available, with single-use recovery codes.
- Daily encrypted off-site backups are stored in Cloudflare R2 with 30-day rolling retention.
- Content Security Policy headers, rate limiting, and per-device login tracking are in place.
For full details, see our Information Security Policy. No electronic storage is 100% secure, and we cannot guarantee absolute security.
8. Data Retention
- Account data: retained for as long as your account is active.
- Chat history with the AI: Free Trial and Core plans retain chat history for 7 days. Pro plans retain chat history indefinitely.
- Meeting audio recordings: deleted from our servers immediately after transcription completes. Transcript text is retained as notes inside your account.
- Plaid transaction cache: stored locally and updated on sync.
- Deleted accounts: data is removed from our live servers immediately. Encrypted off-site backups in Cloudflare R2 follow a 30-day rolling retention, so deleted data may persist in backup form for up to 30 days before being permanently overwritten. We do not selectively restore deleted user data from backups.
9. Your Rights
You have the right to:
- Access your data through the application.
- Export your data: download a full JSON export from Settings → Import / Export Data, or request one by email.
- Delete your data: permanently delete your account and all associated data from Settings → Security → Delete Account, or by emailing us.
- Correct your data: update account information and content directly within the application.
- Withdraw consent: disconnect third-party integrations (Google, Plaid) at any time.
- Unsubscribe from announcement emails via the unsubscribe link in each email.
To exercise any of these rights, contact hello@synolo.app. We may need to verify your identity before acting on a request.
10. GDPR Rights (European Users)
If you are in the European Union, European Economic Area, or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):
- Right of access: request a copy of your personal data.
- Right to rectification: correct inaccurate data.
- Right to erasure ("right to be forgotten"): request deletion of your data.
- Right to restriction of processing: limit how we use your data.
- Right to data portability: receive your data in a machine-readable format.
- Right to object to processing based on legitimate interests.
- Right to lodge a complaint with your national data protection authority.
Our legal basis for processing depends on the activity:
- Performance of a contract (providing the service you signed up for).
- Legitimate interest (security, fraud prevention, service improvement).
- Consent (push notifications, third-party integrations, announcement emails).
- Legal obligation (responding to lawful requests).
To exercise any GDPR right, contact hello@synolo.app.
11. California Privacy Rights (CCPA)
If you are a California resident, you have the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information. To exercise your CCPA rights, contact hello@synolo.app.
12. International Data Transfers
Synolo is operated by a U.S. company with primary servers in Germany and a global edge network via Cloudflare. If you access the service, your information may be transferred to, stored, and processed in Germany, the United States, and other regions where our processors operate. For users in the EU, EEA, or UK, transfers outside the EEA are protected by Standard Contractual Clauses with our processors where required. By using the service, you consent to these transfers.
13. Cookies
We use only essential cookies required to operate the service (session token, session identifier, login indicator, and admin impersonation cookies when applicable). We do not use analytics, advertising, or cross-site tracking cookies, and we do not display a cookie banner because we do not collect non-essential cookies.
14. Children's Privacy
Synolo is intended for users 16 years of age or older. We do not knowingly collect personal information from anyone under 16. If we become aware that we have collected personal information from a person under 16, we will delete it promptly. If you believe a person under 16 has provided us with personal information, please contact hello@synolo.app.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the service after changes are posted constitutes acceptance of the updated policy.
16. Contact Us
If you have questions or concerns about this Privacy Policy, please contact:
Synolo LLC
Philadelphia, PA, USA
hello@synolo.app
© 2026 Synolo LLC. All rights reserved.