Privacy Policy

Welcome to SynthicAI. This Privacy Policy outlines the commitment of SynthicAI Inc. ("SynthicAI," "we," "us," or "our") to protecting the privacy and security of data for our clients ("Clients," "you," "your") and their end-users ("End-Users"). SynthicAI provides an enterprise-grade artificial intelligence (AI) voice agent platform (the "Service" or "Platform") designed to handle customer support communications.

This document serves as a comprehensive guide to our data handling practices. It explains what information we collect, how we use and process it, the legal basis for our processing activities, with whom we share it, and the rights you and your End-Users have concerning your data. Our Service is a business-to-business (B2B) platform that our Clients deploy to manage their own customer support operations. Consequently, this policy distinguishes between the data of our direct Clients and the data of the End-Users who interact with our AI agents on behalf of our Clients.

We recognize that the data processed by our Service, particularly voice recordings and their transcripts, is highly sensitive. Our architecture, policies, and procedures are engineered with a "privacy by design" and "security by default" philosophy. We are steadfast in our commitment to transparency, accountability, and compliance with global data protection regulations, including but not limited to the General Data Protection Regulation (GDPR) and principles aligned with SOC 2 security standards.

By subscribing to, accessing, or using the SynthicAI Service, you acknowledge that you have read, understood, and agree to the data practices described in this Privacy Policy. As a Client, you are the Data Controller for the End-User data you process using our Service, and SynthicAI acts as the Data Processor on your behalf. It is your responsibility to ensure you have a lawful basis for collecting and processing End-User data and to provide adequate notice to your End-Users about the use of our Service.

To ensure clarity and avoid ambiguity, the following terms shall have the meanings ascribed to them below:

• AI Voice Agent (or "Agent"): An autonomous, AI-powered software entity provided by SynthicAI that handles voice communications, simulates human conversation, and performs specific support tasks.

• Client: The business or entity that subscribes to the SynthicAI Service. The Client is the Data Controller of End-User Data.

• Client Data: Information related to our Clients, such as account registration details, billing information, and user configuration settings.

• Data Controller: As defined by GDPR, the entity that determines the purposes and means of processing personal data. Our Client is the Data Controller for all End-User Data.

• Data Processor: The entity that processes personal data on behalf of the Data Controller. SynthicAI acts as the Data Processor for End-User Data.

• End-User: An individual who interacts with a SynthicAI Agent via a telephone call, typically a customer of our Client.

• End-User Data: Any and all information related to an End-User that is processed by the SynthicAI platform during a voice interaction. This includes, but is not limited to, Call Audio, Call Transcripts, and Call Metadata.

• Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection laws like GDPR.

• Platform: The entire proprietary technology stack, including software, APIs, infrastructure, and AI models that constitute the SynthicAI Service.

• Processing: Any operation performed on Personal Data, such as collection, recording, organization, storage, use, disclosure, or erasure.

• Call Audio: The raw digital audio recording of a voice communication between an End-User and an AI Voice Agent.

• Call Transcript: A machine-generated text file representing the spoken words from a Call Audio recording.

• Call Metadata: Technical and contextual data associated with a call, including timestamps, duration, disposition (e.g., "resolved," "escalated"), and any tags or priority levels.

We collect and process different categories of information based on your relationship with us. Our data collection is strictly limited to what is necessary to provide and improve our Service.

3.1. Client Data

This is information we collect directly from you, our Client, when you interact with our website or Platform.

• Account Information: When you sign up for a free trial or a paid plan, we collect your name, company name, email address, password, and other contact details required for account creation and management.

• Billing and Payment Information: For paid plans, we collect payment details, such as credit card information and billing addresses. This data is securely processed by our third-party payment processor (e.g., Stripe) and is not stored on SynthicAI's servers.

• Configuration Data: Information you provide to customize your AI Agents, such as flow templates, response logic, voice and personality settings, and integration credentials (e.g., API keys for Zendesk, HubSpot).

• Communications: We collect information when you contact us for support, provide feedback, or otherwise communicate with our team. This includes emails, support ticket contents, and any other attachments you provide.

3.2. End-User Data (Processed on Your Behalf)

This is data generated when your End-Users interact with the AI Agents you deploy. As the Data Processor, we process this data solely on your instruction and for the purpose of providing the Service. You, the Client, are the Data Controller.

• Call Audio and Transcripts: The core of our Service involves recording and transcribing voice calls between your End-Users and our AI Agents. These recordings and their textual transcripts contain any Personal Data the End-User chooses to share during the call (e.g., name, account number, email address, details of their support issue).

• Call Metadata: We automatically generate technical data for each call, including the End-User's phone number (caller ID), the timestamp and duration of the call, the AI Agent's performance metrics, and the final disposition of the call (e.g., issue resolved, ticket created, escalation required).

• Integration-Derived Data: When an AI Agent interacts with your integrated systems (CRM, helpdesk), it may process data retrieved from or pushed to those systems to resolve an issue. For example, retrieving an order status from your eCommerce platform or creating a ticket in your helpdesk with the End-User's details.

3.3. Website and Usage Data

When you visit our website (synthicai.com), we may collect anonymous or aggregated data about your interaction to improve user experience and for marketing analytics. This may include IP address, browser type, operating system, pages visited, and time spent on site. This is collected via standard technologies like cookies.

Our use of collected data is purposeful and strictly aligned with providing, maintaining, and improving the SynthicAI Service.

4.1. To Provide, Maintain, and Secure the Service

• To operate the AI Voice Agents as configured by you, including handling calls, processing requests, and executing automated workflows.

• To create and manage your Client account, process payments, and provide you with access to the Platform's features.

• To transcribe call audio, generate support tickets, and sync data with your integrated CRM and helpdesk systems.

• To monitor for security threats, prevent fraudulent activity, and ensure the integrity and availability of our Platform in line with our SLA commitments.

4.2. To Improve and Develop the Service

We are committed to enhancing our technology. For this purpose, we may use anonymized and aggregated data derived from service usage to analyze performance, train our underlying AI models, and develop new features (like the planned emotion-aware logic). Crucially, we do not use your specific, identifiable End-User Data to train general models for other clients. Your data is not resold. Any features requiring deeper model training on your specific data, such as "Custom Voice Cloning," will be offered as an explicit, opt-in service governed by separate terms.

4.3. To Communicate With You

• To send you essential administrative messages, such as service updates, security alerts, billing notifications, and changes to our terms or policies.

• To respond to your support requests, inquiries, and feedback.

• To provide information about new products, features, or offers that may be relevant to you, from which you can opt-out at any time.

For individuals in the European Economic Area (EEA), our processing of Personal Data is based on the following legal grounds:

• Contractual Necessity: We process Client Data to fulfill our contractual obligations to provide the Service as described in our Terms of Service.

• Legitimate Interests: We process Client Data and anonymized usage data for our legitimate interests, such as for security, service improvement, and marketing, provided these interests are not overridden by your fundamental rights and freedoms.

• Consent: Where required by law, we will obtain your consent for specific data processing activities, such as using non-essential cookies or sending marketing communications. You can withdraw consent at any time.

• As a Data Processor: When we process End-User Data, we do so on behalf of our Clients. It is the Client's responsibility, as the Data Controller, to establish a lawful basis for the processing of their End-Users' Personal Data (e.g., consent, contractual necessity, legitimate interest).

We do not sell or rent your Personal Data. We are not a data broker. We only share information under the following limited circumstances:

• With Sub-processors: We engage a limited number of trusted third-party companies to perform functions on our behalf. These "sub-processors" include cloud infrastructure providers (e.g., AWS for hosting, where data is encrypted and stored regionally), payment gateways (e.g., Stripe), and internal communication tools. We have Data Processing Addendums (DPAs) in place with all sub-processors, ensuring they meet our stringent security and privacy standards.

• With Your Integrated Services: When you connect your SynthicAI account to a third-party service (e.g., Zendesk, HubSpot, Freshdesk), we will share End-User Data with that service as directed by your configuration. Our responsibility ends once the data is transmitted to your integrated service.

• For Legal Compliance and Safety: We may disclose information if we believe it's required by law, subpoena, or other legal process. We may also share data to protect the safety, rights, or property of SynthicAI, our Clients, or the public.

• In a Business Transfer: If SynthicAI is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you of any such change in control or use of your Personal Data.

We implement enterprise-grade technical, administrative, and physical security measures designed to protect the data we process. Our security posture is built on principles consistent with SOC 2 standards.

• Encryption: All data, including Call Audio and transcripts, is encrypted in transit using TLS 1.2+ and at rest using AES-256 or a similarly strong cryptographic standard.

• Access Control: Access to production systems and sensitive data is strictly limited to authorized personnel on a need-to-know basis, protected by multi-factor authentication (MFA).

• Data Segregation: Each Client's data is logically segregated in our infrastructure to prevent cross-contamination or unauthorized access.

• Auditing and Monitoring: We maintain comprehensive logs of system access and activity. Admins on Client accounts have the ability to audit all conversations.

• Data Management: Our Platform provides you with tools to manage your data, including the ability to delete, redact, or audit conversations as needed.

While we take robust measures to secure your data, no system is impenetrable. We cannot guarantee the absolute security of our systems 100% of the time.

We retain data only for as long as necessary to fulfill the purposes for which it was collected.

8.1. Client Data

We retain your account and billing information for as long as your account is active and for a reasonable period thereafter to comply with our legal and financial obligations (e.g., for tax and accounting purposes).

8.2. End-User Data

End-User Data (call logs, transcripts) is retained according to the settings configured by you, the Client. You have full control to set retention policies or manually delete this data at any time through your admin dashboard. If no policy is set, we will retain the data for the duration of your active subscription. Upon termination of your account, all associated End-User Data will be permanently deleted from our production systems within a defined period (e.g., 90 days), unless required for legal retention.

Depending on your location, you may have certain rights regarding your Personal Data under laws like GDPR.

9.1. Rights of Our Clients

As a SynthicAI Client, you have the right to:

• Access, correct, or update your Client Data through your account settings.

• Object to or restrict the processing of your data in certain circumstances.

• Request the deletion of your account and associated Client Data, subject to our legal retention obligations.

• Request a copy of your data in a machine-readable format (data portability).

9.2. Rights of End-Users

SynthicAI acts as a Data Processor for End-User Data. Therefore, End-Users who wish to exercise their data protection rights (such as access, rectification, or erasure) should direct their requests to our Client (the Data Controller), who is the entity that deployed the AI Agent they interacted with. We will provide our Clients with the necessary tools and support to help them respond to such requests from their End-Users.

SynthicAI is a global service. While we offer regional data storage options to help Clients comply with data residency requirements, data may be accessed by our authorized personnel or processed by sub-processors in other countries. When we transfer Personal Data from the EEA, Switzerland, or the UK to other countries, we do so in compliance with applicable law, relying on mechanisms such as the European Commission's Standard Contractual Clauses (SCCs) and the UK's International Data Transfer Addendum.

The SynthicAI Service is not directed to or intended for use by individuals under the age of 16. We do not knowingly collect Personal Data from children under 16. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email (sent to the address specified in your account) or by posting a prominent notice on our website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.