Start Synphoria

Legal

Privacy Policy

This policy explains how SYNPHORIAAI sp. z o.o. collects, uses, and protects personal data when you use Synphoria websites, applications, clinic surfaces, and related services.

1. Controller and scope

SYNPHORIAAI sp. z o.o. (ul. Migowska 54D/4, 80-287 Gdansk, Poland; KRS 0001167839; NIP 9571187114; REGON 541473225) is the data controller for most processing described in this policy. In limited B2B, clinic, reseller, or partner workflows, another organization may be an independent controller for the data it decides to enter or manage in Synphoria.

2. Privacy contact and requests

Privacy requests: contact@synphoria.app. Security and safeguarding contact: security@synphoria.app. Postal address: SYNPHORIAAI sp. z o.o., ul. Migowska 54D/4, 80-287 Gdansk, Poland. If a service-specific notice, workspace DPA, clinic agreement, or regulator-facing filing names a Data Protection Officer or separate privacy contact, use that contact for the relevant context. We may ask for information needed to verify your identity and locate the relevant account, company, clinic, patient, recruitment, or support record before acting on a request.

3. Sources of personal data

We collect personal data directly from you and from service contexts needed to operate Synphoria.

  • Direct sources include account creation, Sofia or Mark use, check-ins, forms, clinic or company workspace joins, recruitment flows, and support contact.
  • Other sources may include your employer or workspace administrator, clinic specialist, recruitment team, reseller, payment provider, identity provider, communication-climate connector, or technical systems such as device, usage, security, and log events.
  • Some account, billing, workspace, clinic, recruitment, security, and tax fields are required to provide the requested service or meet legal duties.
  • Optional fields and consent-based features can be declined, but the related feature may not be available.
  • When data is not obtained directly from you, this section is intended to support the notice required by GDPR Article 14.

4. Categories of personal data

  • Identity and account data: email, hashed password, preferred locale, authentication state, optional profile details, and support identifiers.
  • Private support content: prompts, messages, Memory Continuum entries, uploaded files where enabled, feedback, Daily Check-In data, and support submissions.
  • Safety and safeguarding data: optional safeguarding contacts, optional location signals if enabled, risk indicators, incident metadata, and high-risk review records.
  • Company and aggregate data: workspace membership, role, department, invitations, People and Calendar records, Wellness aggregate read models, reports, Oracle evidence metadata, and privacy-floor status.
  • Recruitment data: role briefs, candidate profile records, interview responses, resume evidence, candidate report metadata, and HR-owned decision/audit records.
  • Clinic and patient-portal data: clinic membership, specialist assignment, patient profile, consent state, appointment requests, report metadata, patient-visible portal activity, and consent-scoped clinical content where enabled.
  • Technical and commercial data: device, browser, usage, log, security, billing, subscription, communication-delivery, integration, and abuse-prevention records.

5. Purposes and lawful bases

  • Service delivery and account operation: GDPR Article 6(1)(b), performance of a contract or steps requested before a contract.
  • Optional support features, clinic consent scopes, safeguarding contacts, optional location signals, and certain sensitive-data processing: Article 6(1)(a) consent and, where special-category data is involved, Article 9(2)(a) explicit consent or another Article 9 condition that applies in context.
  • Security, abuse prevention, reliability, debugging, product safety, aggregate analytics, and service improvement: Article 6(1)(f), legitimate interests, balanced against your rights and privacy expectations.
  • Billing, tax, accounting, legal compliance, data-rights handling, recordkeeping, and lawful authority requests: Article 6(1)(c), legal obligation.
  • Safeguarding and emergency-risk handling where necessary to protect a person: Article 6(1)(d), vital interests, and applicable Article 9 conditions where special-category data is involved.

6. Special categories and safeguarding

Synphoria is non-clinical by default, but support conversations, clinic records, emotional-state indicators, safeguarding data, or patient-context fields may reveal health, mental wellbeing, or other special-category data. We process such data only where a GDPR Article 9 condition applies, usually explicit consent, vital interests in a serious safeguarding context, legal claims, or another condition required for the specific clinic or professional workflow. Exceptional human review is limited to high-risk or governed support cases and is not routine employer access.

7. Product privacy boundaries

Private Sofia/Mark conversations, Memory Continuum content, Guardian details, and individual wellness indicators are owner-scoped and are not employer-visible content. Company Wellness, reports, exports, and Oracle use aggregate evidence after privacy thresholds and cohort checks. Recruitment data is separate from Wellness and private support data; HR owns hiring decisions. Clinic patient data is consent-bound and separated from Company Wellness. Clinic owners and supervisors receive derived progress or operational summaries by default, not raw private patient chat, specialist-private psychotherapy notes, or hidden clinical directive text.

8. Recipients and processors

We do not sell personal data. We share data only where necessary with vetted processors and service providers, such as hosting, database, model, email, payment, analytics, security, logging, customer-support, clinic, recruitment, and communication-delivery providers; with your workspace, clinic, recruitment, reseller, or partner organization where that surface is intended for them; with professional advisors; and with courts, regulators, law enforcement, or emergency contacts where legally required or necessary to protect vital interests.

9. International transfers

Some recipients may process data outside the EEA, the UK, or the country where you live.

  • Current provider categories referenced in the Data Safety & Security Statement include hosting, database, storage, AI, voice, Slack, Microsoft Teams, email delivery, payment, SMS/phone, security, logging, and operational providers such as Vercel, Neon, Anthropic, Slack, Microsoft, ElevenLabs, Resend, Stripe, and Twilio.
  • Processing locations may include the EEA, the UK, the United States, and other countries listed in those providers' subprocessor materials.
  • Where a restricted transfer is required, we use the applicable mechanism for that transfer. This may include an adequacy decision, the European Commission Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, the UK International Data Transfer Agreement (UK IDTA), and the UK Addendum to the EU SCCs.
  • Restricted transfers may also require transfer impact or transfer risk assessments and supplementary technical, contractual, and organizational controls.
  • SYNPHORIAAI sp. z o.o. is established in Poland; if UK GDPR or EEA data protection law requires a representative for a specific offering, that representative will be identified in the relevant service-specific notice or contract materials.
  • Detailed vendor evidence and subprocessor links are maintained in the Data Safety & Security Statement and related transfer documentation.

10. Retention schedule

  • Account, authentication, locale, profile, workspace, clinic, reseller, partner, and membership records are kept for the account or contract term, then for the period needed for export, deletion, dispute handling, security review, audit, and legal limitation duties.
  • Private Sofia/Mark conversation, Memory Continuum, Daily Check-In, Guardian, safeguarding, clinic, patient-portal, support, uploaded-file, and consent-scoped content is kept while the feature, account, consent, or professional workflow remains active, unless you delete it earlier or a safety, legal, audit, or controller instruction requires a limited hold.
  • Company Wellness and Executive Oracle records are aggregate by design. Raw private support content is not employer-visible. Aggregate snapshots, reports, evidence metadata, and privacy-floor records are kept while the company workspace, reporting need, legal duty, or audit period applies.
  • Recruitment records, candidate evidence, interview transcripts, reports, feedback, and HR audit data follow the customer workflow and configured retention controls. Candidate deletion may remove stored resume files, transcripts, reports, and identity fields while preserving bounded deletion proof or legally required audit metadata.
  • Billing, tax, accounting, payment, invoice, subscription, and commercial records are kept for the period required by tax, accounting, payment, anti-fraud, chargeback, and legal-claim rules.
  • Security logs, abuse-prevention records, break-glass audit records, access-control evidence, delivery logs, consent records, cookie choices, and data-rights request records are kept only as long as needed to prove security, compliance, consent, deletion, or dispute handling.
  • Backups and disaster-recovery copies expire on their normal rotation. Deletion may remove or revoke private content, projections, retrieval eligibility, and live access before backup expiry while preserving required metadata where law, security, audit, controller instructions, or deletion-proof duties require it.

11. Personal data breach notification

If Synphoria becomes aware of a personal data breach, we investigate, contain, document, and assess the risk to affected people.

  • Where Synphoria is controller, we notify the competent supervisory authority without undue delay and, where feasible, within 72 hours when GDPR Article 33 requires it. If notification is late, we include the reason for delay.
  • Where a breach is likely to result in high risk to affected people, we communicate with affected data subjects without undue delay under GDPR Article 34 unless an exception applies, such as effective encryption or other protection that makes the data unintelligible to unauthorized persons.
  • Where Synphoria acts as processor for a customer, clinic, reseller, partner, or other controller, we notify that controller without undue delay after becoming aware of a breach affecting its personal data and provide available information in phases when needed.
  • Notices may describe the nature of the breach, categories of affected data and people where known, contact point, likely consequences, and measures taken or proposed to address and mitigate the breach.

12. Security measures

  • Encryption in transit and evidence-bound at-rest protections for supported systems.
  • Private-content key-version protection for supported private chat, Memory, and clinic clinical-content fields.
  • Role-based least-privilege access controls.
  • Audit logging for sensitive operations.
  • Time-bounded break-glass for exceptional clinic/private-content access, with reason, scope, expiry, and metadata-only audit.
  • Secure development lifecycle and vulnerability management.

13. Your rights and how to use them

Subject to applicable law, you may request access, correction, deletion, restriction, portability, objection, withdrawal of consent, and protection against decisions based solely on automated processing.

  • These rights include Article 15 access, Article 16 rectification, Article 17 erasure, Article 18 restriction, Article 20 portability, Article 21 objection, and Article 22 automated-decision protections where they apply.
  • Send requests to contact@synphoria.app. We aim to respond within one month and may extend by up to two further months for complex requests, explaining the reason.
  • Clinic patient exports include patient-visible medical record data and bounded audit metadata where applicable.
  • Clinic exports exclude protected internal directives, specialist-private psychotherapy notes, raw provider prompts, and owner-only aggregate views unless a later legal/product decision changes that scope.
  • California/CCPA/CPRA requests use the same privacy contact. The California notice below does not reduce the GDPR rights listed here.

14. Supervisory authority and complaints

You can contact us first at contact@synphoria.app so we can review and respond to your request. You also have the right to lodge a complaint with a supervisory authority. In Poland, the competent authority is the President of the Personal Data Protection Office (Prezes UODO), Personal Data Protection Office, 1A St. Moniuszki Street, 00-014 Warsaw, Poland. If you live or work in another EEA country, you may also contact your local supervisory authority.

15. Children and minors

Synphoria public websites, B2B workspaces, company Wellness, recruitment surfaces, and ordinary Sofia/Mark accounts are not directed to children under 16.

  • We do not knowingly collect personal data from children under this age for those services.
  • Where Article 8 consent rules apply to information society services offered directly to a child, a child under 16 may use the relevant service only if consent is given or authorized by the holder of parental responsibility, unless applicable local law sets a different permitted threshold or another lawful basis applies.
  • Any clinic, school, parent, guardian, professional, or youth-support deployment that intentionally involves minors must use a separate consent model, age-appropriate notice, role boundary, and retention rule before launch.
  • If we learn that a child or minor's data was collected without a valid basis, we will restrict, delete, or obtain appropriate authorization as required by law and the relevant safety context.

16. AI transparency, automated processing, and Article 22

Where Sofia, Mark, Executive Oracle, report drafting, clinic evidence review, recruitment evidence organization, safeguarding indicators, or similar features use AI, the user is interacting with or receiving output from an AI-enabled system.

  • Sofia and Mark are AI-enabled companions, not human staff, clinicians, emergency responders, or managers.
  • AI output may be incomplete, inaccurate, stale, or uncertain and should be read with available source context, provenance, citations, data-gaps, and human review where decisions matter.
  • Synphoria does not make decisions based solely on automated processing that produce legal or similarly significant effects.
  • It does not make diagnosis, treatment, prescription, emergency dispatch, legal-effect, hiring, rejection, automated clinical, or employee-management decisions.
  • Human review and responsible human decision ownership remain required for clinic, safeguarding, company, and recruitment actions.

17. California privacy rights (CCPA/CPRA)

  • California residents may request notice, access to categories and specific pieces of personal information, correction, deletion, portability, opt-out of sale or sharing, limitation of sensitive personal information, non-discrimination, and authorized-agent handling where the CCPA/CPRA applies.
  • Personal information categories collected or disclosed may include identifiers, account records, commercial and billing data, internet or electronic activity, approximate or optional geolocation, professional/workspace/recruitment data, user communications, inferences, and support or safety metadata.
  • Sensitive personal information may include account login data, optional precise location if enabled, contents of private messages, clinic or support context that reveals health or mental wellbeing, safeguarding information, and other protected data processed only within the product boundaries described above.
  • We do not sell personal information for money. Optional marketing or ad-attribution tools, if configured and consented to, may disclose limited identifiers or device events to advertising or measurement providers and may be treated as CPRA sharing depending on context.
  • We do not knowingly sell or share personal information of children under 16, and we do not use sensitive personal information for cross-context behavioral advertising or to infer unrelated characteristics.
  • To submit a Do Not Sell or Share My Personal Information request, a Limit the Use of My Sensitive Personal Information request, or another California privacy request, email contact@synphoria.app with that request type in the subject. You can also reject marketing trackers in the cookie settings where available.

Contact: contact@synphoria.app | security@synphoria.app

Category map

Explore the connected system

Privacy-Safe Workforce Insights

Trust

Privacy, security, safeguarding, and human decision boundaries.

Home

The public promise: private support never becomes employer-facing personal data.

For Companies

Aggregate Wellness and Oracle views with a 10+ group threshold.

Executive Oracle

Executive answers bound to cohort count, source window, and refusal rules.