Privacy Policy
Last updated: 2026-05-20
What we collect
- Account info: email, name, role, workspace.
- Health information (PHI) entered by your provider, when you are a patient.
- Communication preferences (email, SMS opt-in).
- Usage analytics: page views, button clicks, error reports — never tied to PHI.
- Audit logs: every access to OAuth tokens, every PHI read.
Prism AAC (Augmentative & Alternative Communication)
- Camera & Head Tracking: Prism AAC uses your device camera for head tracking and eye gaze input. Camera frames are processed on-device in real time and are never transmitted, stored, or sent to any server.
- Voice & Speech: Text-to-speech audio is generated on-device or via Azure TTS. Voice clone recordings are stored locally on your device only.
- AAC Phrases & Communication Data: Your phrase history, symbol selections, and communication patterns are stored locally on your device. Cloud sync (when enabled) encrypts data in transit and at rest.
- Switch Scanning & Accessibility Input: Input method data (switch presses, dwell times, gesture data) is processed on-device and never transmitted.
PrismCoach (Fitness Coaching)
- Apple HealthKit: PrismCoach reads heart rate, HRV (heart rate variability), resting heart rate, sleep analysis, and workout data from HealthKit to compute your Body Battery score and muscle recovery state. This data is processed on-device and is never sent to our servers.
- Biometric Data: Body Battery scores, muscle charge levels, and CNS readiness indicators are computed locally. No biometric data leaves your device.
- AI Coaching: On-device AI (Prism Coder 1.7B) processes your workout context locally. For Athlete tier users, anonymized workout context (no personally identifiable information) may be sent to our inference server for enhanced coaching.
On-Device AI Processing
- Prism Coder language models (1.7B–32B parameters) run entirely on your device.
- No prompts, responses, or conversation data are sent to external servers during on-device inference.
- Cloud fallback (when enabled) sends only the query text — never patient data, health data, or personal identifiers.
How we use it
- To deliver the service you signed up for.
- To send the communications you opted into (see SMS consent).
- To respond to support requests.
- For HIPAA-required treatment, payment, and healthcare operations purposes.
- To detect and prevent fraud or security incidents.
What we DO NOT do
- We do not sell, rent, or share your contact information with third-party marketers.
- We do not use PHI for advertising or training general-purpose AI models.
- We do not access your data without a logged reason.
Security
- OAuth tokens encrypted at rest with AES-256-GCM and per-row AAD binding (Pattern C isolation).
- PHI encrypted at rest with AES-256-GCM.
- Every PHI / token decryption logged to a tamper-evident hash chain.
- SOC 2 Type II audit on file. HIPAA Business Associate Agreement provided to all providers.
Your rights
You can request your data, request deletion, or revoke any consent (including SMS opt-in via STOP). Email privacy@synalux.ai — we respond within 30 days.
Google API Services — User Data Policy Disclosure
Synalux Health's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Data Accessed
When you connect a Google account, Synalux may request the following scopes depending on which features you enable:
- Gmail (
gmail.modify / gmail.readonly) — read your inbox threads and send email on your behalf from within the Synalux Mail interface. - Google Calendar (
calendar / calendar.readonly) — read and create calendar events from within the Synalux Calendar interface. - Google Contacts (
contacts.readonly) — read your contact list to auto-complete recipient fields. - Google Drive (
drive.readonly) — read files you explicitly open in the Synalux Drive view. - OpenID / profile — your Google account name, email address, and profile photo for sign-in and display purposes.
We request only the scopes needed for the features you actively use. Unused scopes are not requested.
Data Usage
- Google user data is used only to operate the specific feature you connected (Mail, Calendar, Contacts, Drive).
- Gmail data is displayed in the Synalux Mail interface and used to send replies you compose. It is never read by background jobs, analytics pipelines, or AI training.
- Calendar data is displayed in the Synalux Calendar interface and used to create or update events you explicitly request.
- Contact data is used solely to populate auto-complete fields within your session.
- Drive data is used solely to display files you open. No files are copied to Synalux storage.
- Google data is never used for advertising, profiling, or training machine-learning models.
Data Sharing
- We do not share Google user data with any third party except as required to operate the service you requested (e.g., Supabase database hosting for token storage).
- Sub-processors with access to Google tokens are bound by Data Processing Agreements and may not use the data for any independent purpose.
- We do not transfer, sell, or broker Google user data.
Data Storage & Protection
- Google OAuth access and refresh tokens are encrypted at rest using AES-256-GCM with a per-row Authentication Associated Data (AAD) binding — pattern C isolation as defined in our security architecture.
- Tokens are never written to logs, error reports, or analytics events.
- Every token decryption is logged to a tamper-evident audit chain (HMAC-chained rows) so unauthorized access is detectable.
- Token storage is scoped to Supabase, deployed in AWS us-east-1, encrypted at the storage layer in addition to our application-layer encryption.
Data Retention & Deletion
- Google tokens are deleted immediately when you disconnect the integration from your settings page.
- Cached message previews (if any) are purged within 24 hours of disconnection.
- On full account deletion, all Google tokens and any associated cached data are permanently deleted within 7 days.
- To request immediate deletion, email privacy@synalux.ai.
Financial Data & Plaid Integration
- Bank Account Verification: When you connect a bank account through Plaid, we receive account verification data (account and routing numbers, account holder name, balance) to enable payroll direct deposits and transaction reconciliation.
- Transaction Data: Bank transaction history is retrieved via Plaid for accounting reconciliation purposes only. Transaction data is stored in our database encrypted at rest.
- ACH Transfers: Payroll direct deposit transfers are initiated through Plaid Transfer. Transfer amounts, dates, and recipient details are logged for audit and tax reporting purposes.
- No Selling: Financial data received from Plaid is never sold, rented, or shared with third-party marketers or data brokers.
- Plaid Compliance: Our use of Plaid data complies with the Plaid End User Privacy Policy.
Data Retention and Disposal Policy
Synalux retains data only as long as necessary for the purposes described in this policy and as required by applicable law.
- Account Data: Retained for the duration of your active account. Deleted within 30 days of account closure upon written request.
- Financial Data (Plaid): Bank account tokens are deleted immediately when you disconnect the integration. Transaction history is retained for 7 years for tax and audit compliance, then permanently deleted.
- Payroll Records: Retained for 7 years as required by IRS regulations (26 CFR 31.6001-1) and state labor laws.
- Audit Logs: Security and access audit logs are retained for 3 years, then archived or deleted.
- Communication Data (Email/SMS): Retained for the duration of your active account. Purged within 30 days of opt-out or account deletion.
- Health Information (PHI): Retained per HIPAA minimum necessary standards and provider agreements. Minimum 6 years per HIPAA (45 CFR 164.530(j)).
- On-Device Data: Data processed on-device (camera frames, AI inference, HealthKit data) is never transmitted to our servers and is managed by your device OS.
Disposal Methods
- Electronic records are permanently deleted using cryptographic erasure (key destruction) or database-level hard delete.
- Backup copies are purged within 90 days of primary deletion.
- Deletion requests can be submitted to privacy@synalux.ai and are fulfilled within 30 days.
Policy Review
This data retention policy is reviewed annually or when significant changes occur to applicable regulations, business operations, or data processing activities.
SMS & Text Messaging
Synalux sends transactional SMS and WhatsApp messages in the following contexts:
- Healthcare (Synalux Health): Appointment reminders, telehealth join links, billing confirmations, two-factor authentication codes, and customer-care responses to patients of providers using our platform.
- Restaurant ordering (Synalux POS): Order confirmations with order number and total, secure payment links, and pickup-ready notifications sent after a customer places an order via phone, WhatsApp, or online.
Opt-In
Customers opt in by initiating a transaction: scheduling an appointment (healthcare) or placing an order (POS) via phone call, WhatsApp message, or web form. No marketing messages are sent.
Opt-Out
Reply STOP to any message to immediately unsubscribe. Reply START to re-subscribe. You may also email privacy@synalux.ai to opt out.
Message Frequency & Rates
Typically 1–3 messages per transaction. Message and data rates may apply depending on your carrier plan. Synalux does not charge for messages.
Data Handling
Phone numbers collected for SMS are used solely for transactional messaging and are never sold, rented, or shared with third-party marketers. Phone numbers are retained for the duration of your relationship with the service provider and deleted within 30 days of opt-out or account closure.
Sub-processors
Synalux uses third-party providers only as needed (hosting, email/SMS delivery, payment processing). Each is bound by a Data Processing Agreement. Current list available on request.
Changes
Material changes to this policy are emailed to all account holders 30 days before they take effect.
Contact
privacy@synalux.ai or write to: Synalux Health, Privacy Officer, address on request.