Privacy Policy

Last Updated: June 25, 2025

1. Introduction

Synchronous GPT ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This policy explains how we collect, use, and protect your information when you use our AI platform at synchronousgpt.com.

🛡️ Our Compliance Commitment

Synchronous GPT is designed and operated in compliance with industry-leading security and privacy standards:

  • GDPR Compliant: Full compliance with European General Data Protection Regulation
  • SOC 2 Type II: Security, availability, processing integrity, confidentiality, and privacy controls
  • ISO 27001: Information security management system standards

By using our service, you acknowledge that you have read and understood this privacy policy and our compliance practices.

2. Information We Collect

Personal Data:

  • Name, email, and payment details (via Stripe) for account creation and billing.
  • Authentication data (via NextAuth/Supabase) including OAuth tokens from Google/GitHub.

Usage Data:

  • AI model preferences, prompts, and interactions (via OpenRouter).
  • Device/IP information for security and analytics.

Cookies:

  • Necessary Cookies: Essential for authentication and basic functionality (cannot be disabled).
  • Analytics Cookies: Track website usage and performance (optional, requires consent).
  • Preference Cookies: Remember your settings and preferences (optional, requires consent).
  • Marketing Cookies: Personalize advertisements and measure campaigns (optional, requires consent).

You can manage your cookie preferences through our cookie consent banner or by clearing your browser cookies.

3. How We Use Your Information

  • Provide, maintain, and improve our AI services.
  • Process payments and subscriptions (via Stripe).
  • Secure accounts and prevent fraud.
  • Communicate service updates or offers (opt-out available).

4. Sharing Information

Third-Party Services:

  • Stripe (payment processing).
  • Supabase (database/auth).
  • OpenRouter (AI model API calls).

Legal Compliance:

We disclose information if required by law or to protect our rights.

5. Data Security & Compliance

Security Measures

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Infrastructure Security: Supabase and Stripe maintain SOC 2 and ISO 27001 certifications
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Regular Audits: Quarterly security assessments and penetration testing

Compliance Frameworks

GDPR Compliance

  • Privacy by design
  • Data minimization
  • Consent management
  • Right to be forgotten
  • Data portability

SOC 2 Type II

  • Security controls
  • Availability monitoring
  • Processing integrity
  • Confidentiality measures
  • Privacy protection

ISO 27001

  • Risk management
  • Security policies
  • Incident response
  • Continuous monitoring
  • Regular assessments

Monitoring & Logging

  • Security Event Logging: All authentication attempts, data access, and security events are logged
  • Audit Trail: Comprehensive audit logs maintained for compliance and forensic purposes
  • Real-time Monitoring: 24/7 monitoring of system security and performance
  • Incident Response: Automated alerts and documented incident response procedures

6. Your Rights (GDPR)

  • Right of Access (Article 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data via account settings.
  • Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
  • Right to Data Portability (Article 20): Receive your data in a machine-readable format.
  • Right to Object (Article 21): Object to processing based on legitimate interests.
  • Right to Restrict Processing (Article 18): Limit how we process your data.
  • Right to Withdraw Consent (Article 7): Withdraw consent for cookies and marketing at any time.

To exercise these rights, contact us at privacy@synchronousgpt.com or use the data export/deletion features in your account dashboard.

7. Data Retention & Legal Basis

Retention Periods

Data Type            Retention Period             Legal Basis
User Profile Data    While account is active      Contract performance
Payment Records      7 years after transaction    Legal compliance
Usage Analytics      1 year (aggregated)          Legitimate interest
Security Logs        7 years                      Legal compliance
Marketing Data       Until consent withdrawn      Consent

Automated Data Management

  • Automated Deletion: Data is automatically purged according to retention schedules
  • Compliance Monitoring: Regular audits ensure retention policies are followed
  • Secure Disposal: All data deletion follows secure destruction protocols
  • Legal Holds: Data may be retained longer if required by law or legal proceedings

8. Children's Privacy

Not intended for users under 13. We do not knowingly collect their data.

9. Changes to This Policy

Updates posted at synchronousgpt.com/privacy-policy. Continued use implies acceptance.