SynapBridge
Back to synapbridge.com

Privacy Policy

Last updated July 14, 2026

This Privacy Policy describes how Elevayt Ventures LLC (d/b/a SynapBridge, "we", "us", "our") collects, uses, shares, retains, and protects personal data when you access the SynapBridge AI governance platform (the "Service"). It also describes your rights under the GDPR, UK GDPR, California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), Brazil's LGPD, and other data-protection laws. If you have signed a Data Processing Addendum ("DPA") with us, that DPA controls where it differs from this Policy.

Note. This page reflects the operating practices SynapBridge follows today. Enterprise customers who require a counter-signed Master Services Agreement or a bespoke Data Processing Addendum for procurement or audit review can email legal@synapbridge.com.

1. Scope and roles

This Policy applies to the marketing website at synapbridge.com and to the signed-in workspace at app.synapbridge.com. For account, billing, and marketing data we act as a data controller. For prompts, files, model outputs, audit records, and other content processed on behalf of a customer workspace, we act as a data processor for the customer, which is the controller of that data. Where required, our processor role is governed by the DPA.

2. Personal data we collect

We collect the following categories of personal data:

  • Account data. Name, email address, workspace name, role, MFA factor, and password hash or federated identity identifier.
  • Billing data. Billing address, plan selection, invoice history. Card numbers are collected by Stripe, Inc. and never stored on our servers.
  • Workspace content. Prompts, files, model responses, embeddings, memory-graph nodes, policy-decision records, and audit-trail entries you send through or generate in the Service.
  • Federated identity data. When you sign in with Google or Microsoft, we receive your email, name, profile picture URL, and the identity-provider user identifier.
  • OAuth grant data. When you connect a Google Cloud project or a Microsoft Azure OpenAI resource, we receive an access token, a refresh token, the project or resource identifier you selected, and the scopes you granted.
  • Support data. Messages you send to support, screenshots you attach, and communications history.
  • Technical and log data. IP address, user agent, request path, response status, correlation identifier, timestamps, and cookie or local-storage identifiers required to run and secure the Service.

We do not knowingly collect biometric identifiers, precise geolocation, or special categories of personal data (health, race, political opinions, religion, sexual orientation) unless you submit such content voluntarily as a workspace Input, in which case it is treated as workspace content and controlled by your workspace administrator.

3. Sources of personal data

We collect personal data (a) directly from you when you create an account, submit content, or contact us; (b) automatically from your device and browser when you access the Service (server logs, cookies); (c) from federated identity providers (Google, Microsoft, or your enterprise SSO provider via WorkOS) that you elect to sign in with; and (d) from your payment processor (Stripe) for invoicing and fraud prevention.

4. Why we process personal data (purposes and GDPR legal bases)

We process personal data for the purposes below. Where you are in the EEA, the UK, or Switzerland, the corresponding legal basis under Article 6 GDPR is shown.

  • Provide the Service (route AI calls, enforce policies, store audit logs, maintain memory graph) - Article 6(1)(b) performance of a contract.
  • Bill and collect payment - Article 6(1)(b) performance of a contract and Article 6(1)(c) legal obligation for tax records.
  • Secure the Service, detect abuse, prevent fraud - Article 6(1)(f) legitimate interests in operating the Service safely.
  • Respond to support and legal requests - Article 6(1)(b) performance of a contract and Article 6(1)(c) legal obligation.
  • Send transactional messages (invoices, security alerts, policy changes) - Article 6(1)(b) performance of a contract.
  • Send product marketing (only to prospective and existing customer contacts, with opt-out on every message) - Article 6(1)(f) legitimate interests, and Article 6(1)(a) consent where consent is the required basis in your jurisdiction.
  • Comply with law and enforce our Terms - Article 6(1)(c) legal obligation and Article 6(1)(f) legitimate interests.

We do not train, fine-tune, or improve any AI model on your workspace content. We do not use OAuth-granted data from Google or Microsoft for any purpose other than routing your requests to the model provider you connected.

5. How we share personal data (sub-processors)

We share personal data only with the sub-processors below, each engaged under a written contract that requires them to protect personal data on terms consistent with this Policy.

  • Amazon Web Services, Inc. - cloud infrastructure, storage, encryption, and CDN. Primary region us-east-1; regional pinning available on Business and Enterprise plans.
  • Stripe, Inc. - subscription billing, payment card processing, tax computation.
  • WorkOS, Inc. - authentication, session management, and enterprise single-sign-on / directory federation.
  • Amazon Cognito - legacy authentication for accounts created before the WorkOS migration; scheduled for retirement.
  • Amazon Simple Email Service - transactional email delivery (verification, invoices, security alerts).
  • Cloudflare, Inc. - DNS resolution and edge DDoS protection for synapbridge.com.

An up-to-date sub-processor list, including corporate address and processing purpose, is maintained at https://synapbridge.com/legal/sub-processors. Enterprise customers receive at least 30 days' notice of any new sub-processor and may object per the DPA.

We may disclose personal data to comply with a valid legal process, protect the rights and safety of SynapBridge and our users, or defend against legal claims. Where permitted, we will notify you before disclosure so you can seek a protective order.

If you connect a third-party AI provider (Google Cloud, Microsoft Azure, OpenAI, Anthropic, AWS Bedrock), the Inputs and Outputs you route through that provider are transmitted to that provider under its own terms and privacy policy.

6. Google user data

When you authorize SynapBridge to access Google APIs on your behalf, we request the scope https://www.googleapis.com/auth/cloud-platform solely to submit Vertex AI and Gemini inference calls against the Google Cloud project you select at connection time, and the scopes openid, https://www.googleapis.com/auth/userinfo.email, and https://www.googleapis.com/auth/userinfo.profile to identify the Google account that authorized the grant and display it in the workspace.

SynapBridge's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We do not sell Google user data.
  • We do not use Google user data to train, fine-tune, or improve any AI model.
  • We do not transfer Google user data to any third party except the sub-processors listed in Section 5, and only for the sole purpose of providing the Service to you.
  • We do not use Google user data for advertising or serve ads to you based on Google user data.
  • Human review of Google user data is limited to (a) the review needed to secure the Service and comply with law, (b) any review you specifically request when opening a support ticket, or (c) review of aggregated de-identified information.

OAuth access tokens and refresh tokens are stored in AWS Secrets Manager under a per-tenant AWS KMS-encrypted envelope. You may revoke SynapBridge's access at any time from https://myaccount.google.com/permissions or from your workspace settings inside SynapBridge, in which case we delete the tokens within 24 hours.

Deletion requests specific to Google user data may be sent to privacy@synapbridge.com with the subject line "Google user data deletion".

7. Microsoft user data

When you authorize SynapBridge to access Microsoft APIs on your behalf, we request only the delegated Microsoft Graph and Azure Resource Manager permissions needed to enumerate your Azure OpenAI deployments, route inference requests to your resource, and refresh access tokens - typically https://cognitiveservices.azure.com/user_impersonation and User.Read.

Specifically:

  • We do not read Outlook mail, OneDrive files, SharePoint sites, Teams messages, calendar entries, or contacts, and we do not request scopes granting that access.
  • We do not sell Microsoft user data.
  • We do not use Microsoft user data to train, fine-tune, or improve any AI model.
  • We do not transfer Microsoft user data to any third party except the sub-processors listed in Section 5, and only to provide the Service to you.
  • Our handling of Microsoft identity and Azure API data adheres to the Microsoft APIs Terms of Use and the Microsoft Services Agreement.

OAuth tokens are stored under the same per-tenant KMS envelope as Google tokens. You may revoke SynapBridge at any time from https://myapplications.microsoft.com, from your Microsoft Entra admin center, or from your workspace settings inside SynapBridge, in which case we delete the tokens within 24 hours.

8. Cookies and similar technologies

We use only strictly necessary cookies to run the Service. Specifically:

  • Session cookies (__Host-sb_session_id) required to authenticate you across pages.
  • Preference cookies (theme, sidebar layout, workspace hint) required to render the correct UI on first paint.
  • CSRF-protection tokens required for form submissions.

We do not use advertising cookies, behavioral-profiling cookies, or third-party analytics that persist across sessions without your consent. We honor Global Privacy Control signals. Where local law requires a cookie banner (EEA, UK), one is shown on first visit.

9. Data retention

Retention windows for the primary data categories:

  • Prompts, files, and model responses - honors your workspace retention setting: default 30 days on Free, 90 days on Pro, 365 days on Business, contractual on Enterprise.
  • Audit logs and policy-decision records - 12 months by default; up to 7 years by written request from Business and Enterprise customers for compliance evidence.
  • OAuth access and refresh tokens - retained while your connection is active; deleted within 24 hours after you revoke.
  • Server logs (IP, user agent, request path) - 90 days.
  • Account records and billing history - retained while your account is active; deleted within 35 days after final cancellation, subject to legal-hold and tax-record obligations.
  • Backups - persist for up to 35 days after primary deletion; then purged.

You can delete individual conversations or files from the workspace UI at any time; deletions propagate to backups per the schedule above.

10. Data storage and international transfers

Personal data is stored on AWS in us-east-1 (Northern Virginia, United States) by default. Business and Enterprise customers may pin storage to eu-west-1 (Ireland) or ap-southeast-1 (Singapore); other regions are available on request via sales@synapbridge.com.

Where personal data is transferred out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the transfer relies on the European Commission's Standard Contractual Clauses (2021/914) or the UK International Data Transfer Addendum, as applicable, together with the supplementary measures described in our DPA. Sub-processors are bound by the same transfer mechanisms downstream.

11. Security

We apply TLS 1.2+ in transit, AES-256 encryption at rest via AWS KMS, per-tenant row-level security in the shared database, multi-factor authentication on every account, per-tenant secret vaulting for downstream provider credentials, least-privilege IAM, mandatory code review, dependency-vulnerability scanning, and 24/7 alerting on anomalous access patterns. Employee access to production data is limited to incident response, gated behind a break-glass workflow that is fully audited. Report suspected vulnerabilities to security@synapbridge.com; we respond within 72 hours.

12. Your rights

Depending on where you reside, you may have some or all of the rights below. We honor requests at no charge and respond within 30 days (one month under GDPR, extendable by two months for complex requests, with notice).

  • Access. Confirm whether we process personal data about you and receive a copy.
  • Portability. Receive a copy in a structured, commonly used, machine-readable format.
  • Rectification. Correct inaccurate or incomplete data.
  • Erasure. Delete personal data, subject to retention required by law.
  • Restriction. Ask us to limit processing pending resolution of a dispute.
  • Objection. Object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent. Where processing is based on consent, withdraw at any time (without affecting prior lawful processing).
  • Non-discrimination. Exercise these rights without adverse effect on service or price (California residents specifically).
  • Lodge a complaint. With your local supervisory authority (in the EEA, the UK, or Switzerland) or your state attorney general.

California residents (CCPA/CPRA). In the 12 months preceding this Policy, we collected the categories in Section 2 and disclosed the categories in Section 5 for the business purposes in Section 4. We do not sell or share personal data as those terms are defined by the CCPA/CPRA. Californians may exercise the rights to know, delete, correct, limit use of sensitive personal information, and opt out of sharing by emailing privacy@synapbridge.com with subject "CCPA request". An authorized agent may submit requests with written proof of authorization.

Brazil (LGPD). You may confirm processing, access, correct, anonymize, or delete personal data, request portability, withdraw consent, and request review of solely automated decisions.

To exercise any of these rights, email privacy@synapbridge.com. We will verify your identity before responding.

13. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. The Service classifies requests against your policies (allow, block, redact); those classifications inform, but do not substitute for, decisions made by your workspace administrators. You may request human review of any automated classification by emailing privacy@synapbridge.com.

14. Children

The Service is not directed at anyone under 18 and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, email privacy@synapbridge.com and we will delete it. Where local law sets a higher digital-consent age (for example, 16 in parts of the EU), that higher age applies.

15. Changes to this Policy

We may update this Policy from time to time. The date at the top of this page reflects the most recent revision. If a change is material, we will post the updated Policy at https://synapbridge.com/privacy and notify workspace administrators by email at least 14 days before the effective date.

16. Contact

Elevayt Ventures LLC (d/b/a SynapBridge)
980 N Michigan Ave Ste 1090 #845294
Chicago, IL 60611, United States
Privacy inquiries and data-subject requests: privacy@synapbridge.com
Security disclosures: security@synapbridge.com
General legal: legal@synapbridge.com