Privacy Policy
Last updated: 2026-05-20
What we collect
- Account info: email, name, role, workspace.
- Health information (PHI) entered by your provider, when you are a patient.
- Communication preferences (email, SMS opt-in).
- Usage analytics: page views, button clicks, error reports — never tied to PHI.
- Audit logs: every access to OAuth tokens, every PHI read.
Prism AAC (Augmentative & Alternative Communication)
- Camera & Head Tracking: Prism AAC uses your device camera for head tracking and eye gaze input. Camera frames are processed on-device in real time and are never transmitted, stored, or sent to any server.
- Voice & Speech: Text-to-speech audio is generated on-device or via Azure TTS. Voice clone recordings are stored locally on your device only.
- AAC Phrases & Communication Data: Your phrase history, symbol selections, and communication patterns are stored locally on your device. Cloud sync (when enabled) encrypts data in transit and at rest.
- Switch Scanning & Accessibility Input: Input method data (switch presses, dwell times, gesture data) is processed on-device and never transmitted.
PrismCoach (Fitness Coaching)
- Apple HealthKit: PrismCoach reads heart rate, HRV (heart rate variability), resting heart rate, sleep analysis, and workout data from HealthKit to compute your Body Battery score and muscle recovery state. This data is processed on-device and is never sent to our servers.
- Biometric Data: Body Battery scores, muscle charge levels, and CNS readiness indicators are computed locally. No biometric data leaves your device.
- AI Coaching: On-device AI (Prism Coder 1.7B) processes your workout context locally. For Athlete tier users, anonymized workout context (no personally identifiable information) may be sent to our inference server for enhanced coaching.
On-Device AI Processing
- Prism Coder language models (1.7B–32B parameters) run entirely on your device.
- No prompts, responses, or conversation data are sent to external servers during on-device inference.
- Cloud fallback (when enabled) sends only the query text — never patient data, health data, or personal identifiers.
How we use it
- To deliver the service you signed up for.
- To send the communications you opted into (see SMS consent).
- To respond to support requests.
- For HIPAA-required treatment, payment, and healthcare operations purposes.
- To detect and prevent fraud or security incidents.
What we DO NOT do
- We do not sell, rent, or share your contact information with third-party marketers.
- We do not use PHI for advertising or training general-purpose AI models.
- We do not access your data without a logged reason.
Security
- OAuth tokens encrypted at rest with AES-256-GCM and per-row AAD binding (Pattern C isolation).
- PHI encrypted at rest with AES-256-GCM.
- Every PHI / token decryption logged to a tamper-evident hash chain.
- SOC 2 Type II audit on file. HIPAA Business Associate Agreement provided to all providers.
Your rights
You can request your data, request deletion, or revoke any consent (including SMS opt-in via STOP). Email privacy@synalux.ai — we respond within 30 days.
Google API Services — User Data Policy Disclosure
Synalux Health's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Data Accessed
When you connect a Google account, Synalux may request the following scopes depending on which features you enable:
- Gmail (gmail.modify/gmail.readonly) — read your inbox threads and send email on your behalf from within the Synalux Mail interface.
- Google Calendar (calendar/calendar.readonly) — read and create calendar events from within the Synalux Calendar interface.
- Google Contacts (contacts.readonly) — read your contact list to auto-complete recipient fields.
- Google Drive (drive.readonly) — read files you explicitly open in the Synalux Drive view.
- OpenID / profile — your Google account name, email address, and profile photo for sign-in and display purposes.
We request only the scopes needed for the features you actively use. Unused scopes are not requested.
Data Usage
- Google user data is used only to operate the specific feature you connected (Mail, Calendar, Contacts, Drive).
- Gmail data is displayed in the Synalux Mail interface and used to send replies you compose. It is never read by background jobs, analytics pipelines, or AI training.
- Calendar data is displayed in the Synalux Calendar interface and used to create or update events you explicitly request.
- Contact data is used solely to populate auto-complete fields within your session.
- Drive data is used solely to display files you open. No files are copied to Synalux storage.
- Google data is never used for advertising, profiling, or training machine-learning models.
Data Sharing
- We do not share Google user data with any third party except as required to operate the service you requested (e.g., Supabase database hosting for token storage).
- Sub-processors with access to Google tokens are bound by Data Processing Agreements and may not use the data for any independent purpose.
- We do not transfer, sell, or broker Google user data.
Data Storage & Protection
- Google OAuth access and refresh tokens are encrypted at rest using AES-256-GCM with a per-row Additional Authenticated Data (AAD) binding — Pattern C isolation as defined in our security architecture.
- Tokens are never written to logs, error reports, or analytics events.
- Every token decryption is logged to a tamper-evident audit chain (HMAC-chained rows) so unauthorized access is detectable.
- Token storage is scoped to Supabase, deployed in AWS us-east-1, encrypted at the storage layer in addition to our application-layer encryption.
Data Retention & Deletion
- Google tokens are deleted immediately when you disconnect the integration from your settings page.
- Cached message previews (if any) are purged within 24 hours of disconnection.
- On full account deletion, all Google tokens and any associated cached data are permanently deleted within 7 days.
- To request immediate deletion, email privacy@synalux.ai.
Sub-processors
Synalux uses third-party providers only as needed (hosting, email/SMS delivery, payment processing). Each is bound by a Data Processing Agreement. Current list available on request.
Changes
Material changes to this policy are emailed to all account holders 30 days before they take effect.
Contact
privacy@synalux.ai or write to: Synalux Health, Privacy Officer, address on request.