Skip to content
Privacy

Privacy Policy

Effective May 27, 2026

Syncro Advisory Group LLC d/b/a Syncro (“Syncro,” “we,” “us,” or “our”) operates a unified email, calendar, and tasks client that connects to your Gmail or Microsoft 365 account through the official Google and Microsoft APIs, with optional AI features. This Privacy Policy explains what personal information we collect, how we use and protect it, and the rights you have over it. By using the Service, you agree to the practices described here.

Who we are

Syncro Advisory Group LLC is a New York limited liability company. Our mailing address is 418 Broadway # 11351, Albany, NY 12207. Privacy inquiries: [email protected].

For account information you create with Syncro and the telemetry we generate, we act as the “controller” under EU/UK GDPR and the “business” under the California Consumer Privacy Act (“CCPA/CPRA”). For the mail, calendar, contacts, and task content that Syncro pulls through OAuth, your underlying provider (Google or Microsoft) remains the system of record; Syncro acts as a processor of that content on your behalf, and you remain its controller.

Information we collect

Account information. Your name, email address, a password hash (handled by Supabase Auth), and optionally a profile photo if you choose to upload one.

Connected provider data (OAuth). When you connect a Gmail or Microsoft 365 account, we pull the message metadata and content needed to render the unified inbox, calendar, and task views inside Syncro: subjects, senders and recipients, bodies, attachments, labels and folders, calendar events, and contacts. We request only the OAuth scopes listed below, and we do not request the Google restricted full-mailbox scope (https://mail.google.com/).

Billing information. Payments are processed by Dodo Payments as our Merchant of Record. Dodo handles card processing, tax, and invoicing. Syncro stores only the Dodo customer identifier, the plan you are on, your subscription status, and the brand and last four digits of your card. Full card numbers, CVCs, and bank credentials never touch Syncro’s servers or database.

AI configuration. If you are on the Bring-Your-Own-Key (“BYOK”) tier, we store the AI provider API key you supply (for example, your OpenAI, Anthropic, Google, or other supported provider key); that key is encrypted at rest and used solely to authenticate calls you initiate to that provider. If you are on the Managed tier, no per-user key is stored — calls are proxied through our backend using our key with Anthropic. If you are on the No-AI tier, no AI configuration or prompts are collected.

Telemetry. Error reports sent to Sentry (with T0 and T1 fields — the buckets where mail and calendar content live — stripped before transmission), aggregated AI usage records (token counts and model names, never prompt or response text), and feature usage events (which screens you visit, which actions you take, timestamps, IP address, and basic device and browser characteristics).

Web push subscriptions. If you opt in to push notifications, we store your browser’s push subscription endpoint so we can wake your device. Push payloads themselves are contentless — the device fetches the subject and sender back from an authenticated endpoint after waking.

Communications. If you contact us by email, we keep the message and any attachments to respond and for our records.

OAuth scopes — what we ask for and why

Google (Gmail, Calendar, Contacts):

  • gmail.modify — read, send, label, and archive mail. This is the narrowed Gmail scope; we do not request the full restricted https://mail.google.com/ scope.
  • gmail.settings.basic — read and write your basic Gmail filter and signature settings.
  • calendar — read and write your calendar events for the auto-scheduling and unified calendar views.
  • contacts — read your address book to autocomplete recipients.
  • openid email profile — identify you and confirm your verified email at sign-in.

Microsoft Graph (Outlook, Calendar, To Do):

  • Mail.ReadWrite — read and organize your mail.
  • Mail.Send — send mail on your behalf when you explicitly press send.
  • Calendars.ReadWrite — read and write calendar events.
  • MailboxSettings.ReadWrite — manage your automatic-reply, time zone, and rule settings as needed.
  • Contacts.ReadWrite — read your contacts to autocomplete recipients.
  • OnlineMeetings.ReadWrite — create Teams meeting links when you schedule an event with a meeting.
  • offline_access — obtain a refresh token so we can continue syncing in the background.
  • User.Read — identify you and read your basic profile.

Syncro’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements for sensitive scopes such as gmail.modify and contacts.

How AI features use your data

AI features run in one of two routing modes:

  • BYOK. You supply an API key for the AI provider of your choice (for example, OpenAI, Anthropic, Google, or another supported provider). Your key is encrypted at rest, and prompts go from our backend directly to the provider you selected using that key. You are the customer of record with that provider, and their handling of the data is governed by their terms and privacy policy.
  • Managed. Calls are proxied through our backend using our key with Anthropic over HMAC-signed short-lived bearer tokens. On the Managed tier, triage scoring and message summaries run on Claude Haiku; reply drafts and the command bar run on Claude Sonnet. Per Anthropic’s API terms, prompts and responses submitted through the Anthropic API are not used to train Anthropic models.

In both modes, prompts include only the mail, calendar, or task content relevant to the action you took. A master kill switch in Settings disables AI features entirely. AI mutations — send, archive, delete, RSVP, schedule — never execute automatically: every one requires you to confirm with an explicit keystroke or click. Token counts, cache keys, and model names are recorded for billing and reliability; prompt and response text is not logged.

How we use your information

We use personal information to: (i) provide and operate the Service, including unifying your mail, calendar, and task accounts; (ii) authenticate you and secure your account; (iii) generate AI responses you request; (iv) process payments and manage your subscription through Dodo Payments; (v) provide support; (vi) detect, prevent, and respond to fraud, abuse, and security incidents; (vii) comply with legal obligations; and (viii) send transactional and, with your consent, marketing communications.

Our legal bases under GDPR are: performance of the contract with you (operating the Service), your consent (marketing emails, optional integrations, non-essential cookies), our legitimate interests (securing and improving the Service), and compliance with legal obligations.

How we store data

Syncro’s application and APIs run on Netlify (functions and CDN, US region during private alpha). Our primary database, authentication, and object storage are provided by Supabase (US region during private alpha; an EU region will be provisioned before EU sales). OAuth refresh tokens are stored as encrypted bytea under a per-user data-encryption key (DEK), itself wrapped by a KMS customer master key. Email subjects, event titles, and task titles are encrypted at rest. Attachment bytes are encrypted at rest under a per-account DEK and decrypted server-side to a 90-second signed URL for download — they never reside unencrypted in our function runtime. Email bodies never appear in logs, traces, or error reports.

Sub-processors

We disclose personal information only to the categories of recipients below. Each sub-processor is bound by a written data processing agreement that restricts use of personal information to providing services to Syncro.

  • Supabase (US during alpha; EU before EU sales) — database, authentication, and object storage.
  • Netlify (US) — application and website hosting, edge functions.
  • Cloudflare (global) — domain, DNS, and edge network.
  • Anthropic (US) — AI inference on the Managed tier. BYOK calls run under your own account with the AI provider you selected, which may be Anthropic or another supported provider.
  • Dodo Payments — Merchant of Record for payment processing, tax, and invoicing.
  • Inngest — background job and integration orchestration.
  • Sentry — error and crash monitoring, with mail and calendar content fields stripped before transmission.
  • Web Push providers — the browser push services operated by Google, Apple, Microsoft, and Mozilla deliver push notifications to your device. Payloads are contentless.
  • Google and Microsoft — the mail, calendar, contacts, and task providers you choose to connect.

We will update this list as our processors change and notify you of material changes through this page or by email.

How we share information

We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under CCPA/CPRA. Outside of the sub-processors listed above, we disclose personal information only when (a) we believe in good faith that disclosure is required by law, legal process, or government request; (b) it is necessary to enforce our terms, protect rights, property, or safety, or investigate fraud or security incidents; (c) Syncro is involved in a merger, acquisition, financing, or sale of assets, in which case data transfers to the successor entity subject to the same protections as this Policy; or (d) you have explicitly authorized the disclosure.

How long we keep it

We retain account information and connected mail, calendar, contacts, and task data for as long as your account is active. Items you move to trash are auto-purged after approximately 30 days. Self-serve data export bundles are auto-purged from our object storage 7 days after generation. Sentry error logs and infrastructure logs are retained according to our plan’s configured retention.

When you delete your account, we keep a 30-day cancelable grace window in case you change your mind; after that window expires we irreversibly cascade-delete the data from our primary systems. Encrypted backups roll off within 30 additional days. Audit-log rows are retained in de-identified form for security forensics. We may retain limited records longer where required by law (for example, billing records for tax purposes) or to resolve disputes and enforce our agreements.

On account deletion or provider disconnect, we revoke Google OAuth grants by calling Google’s /revoke endpoint. Microsoft does not currently expose a programmatic consent-revoke API, so we delete the tokens locally and you can revoke consent at any time from your Microsoft account at myaccount.microsoft.com.

Your rights

From Settings → Privacy & data you can: (i) export a JSON archive of what Syncro stores about you; (ii) delete your account (30-day cancelable grace, then hard delete); (iii) update your profile information; and (iv) disconnect any linked provider, which revokes our token where possible and queues associated data for deletion.

To be transparent about the export bundle: it includes your account profile, settings, AI configuration, audit log, and message and event metadata (including subjects and titles). It does not include full email bodies or attachment bytes, because those remain authoritative in your underlying Gmail or Microsoft 365 account and we are not the canonical store for them. If you need a full mailbox export, please use your provider’s native export tool (Google Takeout or Microsoft 365 export).

EU, UK, and Swiss residents (GDPR). You have the rights to access, rectify, erase, restrict, and port your personal information; to object to processing based on our legitimate interests; and to withdraw consent where processing is based on consent. You may lodge a complaint with your local data protection authority.

California, Virginia, Colorado, Connecticut, and other US state residents. You have the rights to know what personal information we collect, to access and obtain a copy of it, to correct inaccurate information, to delete it, and to opt out of any “sale” or “sharing” (we do neither). You may designate an authorized agent to act on your behalf. We will not discriminate against you for exercising these rights.

To exercise any of these rights, use the in-app controls or email [email protected] from the address associated with your account. We will verify your request and respond within the timeframes required by applicable law (typically 30 days for GDPR and 45 days for CCPA/CPRA, extendable where permitted).

Cookies and tracking

We use cookies that are strictly necessary to authenticate your session (managed by Supabase Auth). We do not use advertising cookies, third-party trackers, or cross-site tracking pixels. If we add product analytics in the future we will name the provider here and deploy a consent banner that lets you accept or reject non-essential cookies before they are set. We honor Global Privacy Control (GPC) signals received from your browser as a valid opt-out of any sale or sharing under US state law and as a withdrawal of consent to non-essential cookies under EU/UK law.

Marketing emails

With your consent, we may send product updates, newsletters, and other marketing communications. Every marketing email includes an unsubscribe link, and you can also opt out by emailing [email protected]. Transactional messages (billing receipts, security alerts, and service notifications) are sent regardless of marketing preferences while your account is active.

Children

The Service is not directed to children under 16. We do not knowingly collect personal information from anyone under 16, and you must be at least 16 years old to create an account. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.

International transfers

Production data is stored in the United States during our private alpha. Before we begin selling to customers in the EU or UK, we will provision an EU region with a Data Processing Addendum and Standard Contractual Clauses (or their UK equivalent) in place, and EU/UK customer data will be hosted there. For transfers of personal information from the EU, UK, or Switzerland to the United States we rely on the Standard Contractual Clauses and supplemental measures (encryption-in-transit and at-rest, per-user DEKs).

What we don’t do

  • We don’t read your mail to serve ads.
  • We don’t sell or share your data with brokers, data aggregators, or marketing networks.
  • We don’t train AI models on your content.
  • We don’t store full email bodies in logs, traces, or error reports.
  • We don’t store raw email headers — only the minimal extracted fields required to render the inbox.
  • We don’t auto-send, auto-delete, auto-archive, or auto-RSVP on your behalf — every mutating action requires explicit confirmation.

Regulated workloads

The Service is not designed or warranted for use with Protected Health Information (HIPAA), regulated financial data subject to GLBA, payment card data beyond what Dodo Payments processes on our behalf, classified government information, or other workloads with specialized regulatory requirements. Do not connect mailboxes whose contents are subject to those regimes.

Changes to this Policy

We will update this Policy when our practices change. The effective date at the top reflects the most recent version. Material changes will be announced by email or in-app notice at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

Contact us

Privacy questions, rights requests, and complaints:
Syncro Advisory Group LLC
418 Broadway # 11351
Albany, NY 12207
[email protected]