How we handle your data.

Synchronise AI connects to the tools your team already uses, reads signal in memory, and produces cited insights and outputs. Raw source data, including tickets, events, and messages, is never written to disk or stored anywhere. Only the derived insights and outputs we generate are kept, in Tokyo, Japan. This page is the plain-English version of how we look after that data.

v2026.04 · effective 1 May 2026 · UK GDPR · EU GDPR · CCPA · no dark patterns
simple architecture ↓

What happens to source data.

  1. Opt-in sources. Google, Slack, Intercom, Linear, Notion, GitHub, uploads.
  2. OAuth broker. Composio stores and refreshes OAuth credentials.
  3. In-memory read. Synchronise AI reads source data during analysis only.
  4. Model inference. OpenAI helps generate cited insights and outputs.
  5. Stored in Tokyo. Only derived insights, outputs, chat history, and workspace metadata.

The desk, in one glance.

A.

What we do collect

  • Account. Email, name, workspace, team membership, and OAuth identity from your IdP.
  • Billing. Stripe customer ID, plan, invoices. We never see card numbers.
  • Connected source data. Only what you grant: PostHog events, Intercom tickets, Slack threads, Linear issues, Notion pages, Atlassian items, GitHub, and manual uploads. Raw data is processed in memory during analysis and immediately discarded. It is never written to our database.
  • Generated work. Insights, PRDs, PBIs, briefs, technical specs, slides, outreach, chat history, and the evidence chain we built them from.
  • Product telemetry. First-party usage events to debug the app. Not sold, not shared.
§
core promise

We never sell your data, train models on it, or use it outside your workspace.

encryption

TLS 1.3 in transit. AES-256 at rest. OAuth tokens sealed with a per-workspace key.

where it lives: Tokyo, Japan

RETENTION · synchronise
  • Raw source data: never stored
  • Insights + outputs: until deleted
  • Chat history: until deleted
  • Security logs: 90 days
  • Backups: 30 days
  • Stripe receipts: 7 yrs · law

Kept because we have to. Deleted the moment we don't.

B.

What we don't

  • Raw source data. Tickets, events, messages, and transcripts are processed in memory only and never stored.
  • Card numbers (handled by Stripe).
  • Source-system data you didn't explicitly connect.
  • Anything from your devices outside the browser tab.
  • Biometric, location, or advertising identifiers.
models

Prompts route to model providers for inference. Your evidence is not training data.

only what you connect

Sources you point us at.

Each connector uses OAuth and requests the narrowest possible scope. You can review exactly what access you grant before connecting. We read; we never post or modify your data. Disconnect any source at any time and the OAuth token is immediately revoked. Delete your account from Settings and all your workspace data, including insights, outputs, and chat history, is permanently removed.

  • PostHog: events, funnels, cohorts
  • Intercom: conversations, tags, users
  • Slack: channels you pick
  • Linear: issues, comments, labels
  • Notion: pages you share
  • Atlassian: Jira/Confluence scope-limited

Google sources

Google user data.

  • Opt-in only. You choose whether to connect Google Sign-In, Gmail, Google Analytics, or Google Ads.
  • Visible scopes. Synchronise AI only requests the scopes shown on Google's OAuth consent screen.
  • Limited use. Google user data is used only to read source signal in memory, generate cited insights, and produce requested outputs.
  • No secondary use. Raw Google source data is not stored, sold, used for ads, or used to train models.
  • Human access limits. We do not read Google source data unless you explicitly allow it, or it is needed for security or legal reasons.
  • Revocable. You can disconnect a Google source at any time to revoke the OAuth token.

Your rights, on demand.

UK / EU GDPR articles 15–22, exercised in the app or by emailing gautham@synchronise.ai.

Access: see what we hold on you.

Email gautham@synchronise.ai. We return an export within 30 days.

Rectify: fix what's wrong.

Most fields are editable in-app. For the rest, ask us.

Delete: close the file entirely.

Delete your account from Settings to remove your account and org workspace data, or email gautham@synchronise.ai. Live workspace data is deleted immediately; backups expire within 30 days.

Port: take it with you.

Artefacts and insights export as Markdown / JSON, with the evidence chain intact.

Withdraw: pull a connector.

Disconnecting a source removes the OAuth token and associated source connection record.

Complain: escalate.

You can lodge a complaint with the UK ICO, or your local supervisory authority in the EEA.

Subprocessors.

the short list ↓

These providers help operate Synchronise AI. Synchronise AI is not SOC 2 certified. Several providers publish SOC 2 reports or attestations for the parts of the stack they operate.

  • Supabase. Region: Tokyo, Japan. Purpose: Auth, Postgres, row-level access control. Security: SOC 2 Type 2 compliant.
  • Vercel. Region: Global edge. Purpose: App hosting, ISR, serverless functions. Security: SOC 2 Type 2 attestation.
  • OpenAI. Region: Provider region. Purpose: LLM inference for insight and output generation. Security: Independent SOC 2 Type 2 examination for API and business services.
  • Composio. Region: US. Purpose: Managed OAuth connections to third-party sources. Credential storage and token refresh. Security: Security page states SOC 2 compliance.
  • Stripe. Region: US / IE. Purpose: Subscription billing, tax, invoicing. Security: Annual SOC 1 and SOC 2 Type II reports available on request.

the human at the other end

Write to us. We'll write back.

Synchronise AI · ABN 68 960 446 366 · Gautham Srinivas, founder. We answer within three working days. Breach disclosure is the same inbox. Please mark the subject "incident".

© Synchronise AI · this page supersedes any prior version. Material changes are emailed to workspace admins 30 days before they take effect.