Version 1.3 Effective Date: September 16, 2025
Privacy Policy
At Synthreo, we are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how Synthreo, Inc. (“Synthreo,” “we,” “us,” or “our”) collects, uses, discloses, retains, and safeguards information when you visit our website at synthreo.ai (the “Site”), use the Synthreo Platform (ThreoAI, Builder, and the Admin Portal), or engage our Managed AI Services (collectively, the “Services”).
This Privacy Policy forms part of a binding legal agreement between you or the entity you represent (“you,” “your,” or “Customer”) and Synthreo, and is incorporated by reference into our Terms of Service. Capitalized terms not defined in this Privacy Policy have the meanings given to them in our Terms of Service.
By accessing or using our Services, creating an account, or signing an Order Form or Partner Agreement, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, you may not access or use the Services.
Key Points to Understand:
- Your Data Belongs to You: You retain all rights, title, and interest in Your Data. We process it only as described in this Privacy Policy and our Terms of Service.
- We Do Not Sell Your Personal Information: We do not sell, share for cross-context behavioral advertising, or use your personal information for targeted advertising or profiling in violation of applicable law.
- Role-Based Processing: We act primarily as a data processor on your behalf and process personal information only on your documented instructions, except where we act as a data controller for our own business operations (such as account management and billing).
- AI Transparency: Our AI systems process data probabilistically. We are transparent about how AI interacts with your information and provide controls for opting out of anonymized data training.
- Global Compliance: We comply with applicable data protection laws worldwide, including GDPR, CCPA/CPRA, PIPEDA, and the Australian Privacy Act.
- Security First: We implement enterprise-grade security measures, including AES-256 encryption, logical tenant separation, and continuous monitoring.
1. Who We Are
Synthreo, Inc. is a Delaware corporation headquartered in Phoenix, Arizona. We provide AI-powered software and Managed AI Services to businesses and managed service providers (“MSPs”) through a multi-tenant platform model.
For the purposes of data protection law:
When We Act as a Data Processor (or Service Provider): When you use our Platform or Managed AI Services and submit Your Data, we act as a data processor (under GDPR) or service provider (under CCPA/CPRA), processing personal information on your behalf and solely on your documented instructions. In this capacity, you are the data controller (or business) and are responsible for ensuring that your collection, processing, and transfer of personal information complies with applicable law.
When We Act as a Data Controller (or Business): We act as a data controller for personal information that we collect directly in connection with our own business operations, including information you provide when creating an account, communicating with us, visiting our Site, or managing your billing relationship.
Where applicable, a Data Processing Agreement (“DPA”) is available upon request and is incorporated by reference into our Terms of Service.
2. Information We Collect
We collect and process the following categories of information:
2.1 Information You Provide Directly
When you create an account, subscribe to our Services, execute an Order Form, or communicate with us, you may provide:
- Full name and professional title
- Business email address and phone number
- Company or organization name
- Billing and payment information (processed through our third-party payment processor)
- Communications you send to us, including support requests, feedback, and correspondence
- Any other information you voluntarily submit through the Services
2.2 Your Data (Platform and Service Data)
When you use the Platform or engage our Managed AI Services, you or your end users may submit content, prompts, configurations, text, documents, files, or other information (“Your Data”) as defined in our Terms of Service. Your Data may contain personal information about your employees, customers, or other individuals. As between you and Synthreo, you retain all rights, title, and interest in Your Data.
2.3 Information Collected Automatically
When you access our Site or Platform, we automatically collect certain technical and usage information, including:
- IP address and approximate geolocation
- Device type, operating system, and browser type and version
- Unique device identifiers
- Pages visited, features used, clickstream data, and session duration
- Referring and exit URLs
- Date and time of access
- Performance data, error logs, and diagnostic information
2.4 Information from Third Parties
We may receive information from third-party sources, including:
- Third-party platforms and integrations you connect to the Services at your direction
- Our authorized partners and resellers who provide your account and billing information
- Publicly available sources and business directories
- Identity verification and fraud prevention services
2.5 Sensitive Information Restrictions
You may not submit or process sensitive personal information (such as government-issued IDs, payment card numbers, protected health information, or biometric data) through the Platform unless specifically authorized by Synthreo in writing. Synthreo reserves the right to delete such information immediately upon discovery without notice. The complete list of restricted data categories, your compliance obligations, and Synthreo’s remedies are set forth in Section 9.5 (Sensitive Information Restrictions) of our Terms of Service.
3. How We Use Your Information
3.1 Purposes of Processing
We use the information we collect for the following purposes:
Service Delivery and Operations
- Providing, operating, and maintaining the Platform and Managed AI Services
- Processing transactions, managing subscriptions, and administering your account
- Delivering Deliverables and professional services as specified in your Quotes or Statements of Work
- Providing technical support and responding to your inquiries
Security and Integrity
- Preventing, detecting, and investigating fraud, abuse, and security incidents
- Monitoring compliance with our Terms of Service, Fair Use Policy, and Acceptable Use Policy
- Enforcing our legal rights and protecting the safety of our users and the public
Communication
- Sending transactional communications related to your account, services, and billing
- Providing service announcements, security alerts, and administrative notifications
- Sending marketing communications where you have provided consent or where otherwise permitted by applicable law (with opt-out available at any time)
Improvement and Development
- Analyzing usage patterns and trends to improve Platform features and performance
- Conducting research and development to enhance our Services
- Using anonymized and aggregated insights as described in Section 4
Legal Compliance
- Complying with applicable laws, regulations, court orders, and governmental requests
- Establishing, exercising, or defending legal claims
3.2 Legal Bases for Processing (GDPR)
Where GDPR applies, we process personal information on one or more of the following legal bases:
- Performance of a Contract: Processing necessary to perform our obligations under the Terms of Service, a Quote, or another agreement with you
- Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention, security, service improvement, and direct marketing, where those interests are not overridden by your rights and freedoms
- Consent: Processing based on your specific, informed, and freely given consent, which you may withdraw at any time
- Legal Obligation: Processing necessary to comply with applicable legal requirements
- Vital Interests: Processing necessary to protect the vital interests of any individual (used only in exceptional circumstances)
3.3 CCPA/CPRA Processing Purposes
For California residents, we collect and use personal information for the business and commercial purposes described in this Section 3, including: providing our Services, processing transactions, security and fraud prevention, debugging and repair, service improvement, and communicating with you. We do not sell your personal information, share it for cross-context behavioral advertising, or use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.
4. Use of Anonymized and Aggregated Data for AI Training
Unless you opt out, we may use non-sensitive, anonymized, and aggregated data derived from your usage to improve our machine learning models and enhance the Platform. This data is stripped of all personal identifiers, cannot be linked to you or any individual, and is processed under strict safeguards designed to prevent re-identification.
You may opt out at any time by contacting privacy@synthreo.ai. We will confirm receipt and implement your opt-out within thirty (30) days. Opting out may limit access to certain AI-enhanced functionality. The complete terms governing anonymized data usage, including applicable safeguards and restrictions, are set forth in Section 9.4 (Use of Anonymized Data for AI Training) of our Terms of Service.
5. Use of AI Systems
Our Services include features powered by artificial intelligence and large language models. When your information is processed by AI systems, those systems operate probabilistically and may produce varied, incomplete, or inaccurate outputs. AI-generated outputs require qualified human review before use in high-risk contexts (such as legal, employment, medical, or financial decisions). We do not use AI to make automated decisions that produce legal effects or similarly significant effects on individuals without appropriate human oversight, unless you have configured such functionality and accepted responsibility under the Terms of Service.
For the complete AI output disclaimers, prohibited uses, human oversight requirements, and our model governance practices, see Section 16 (Warranties), Section 17 (Disclaimers), and Section 25 (Responsible AI Use and Model Governance) of our Terms of Service.
6. Cookies, Analytics, and Tracking Technologies
6.1 Types of Technologies We Use
We use cookies, pixel tags, web beacons, and similar tracking technologies to collect information about your interactions with our Site and Platform. These technologies fall into the following categories:
Essential Cookies: Strictly necessary for the operation of our Site and Platform, including authentication, session management, security, and load balancing. These cannot be disabled without affecting core functionality.
Analytics Cookies: Used to measure site performance, understand usage patterns, and improve the user experience. We use the following analytics tools:
- Google Analytics 4
- Google Tag Manager
- Microsoft Clarity
These tools collect anonymized usage data. We do not combine analytics data with personal identifiers unless you have provided explicit consent.
Marketing Cookies: Used to support advertising delivery, campaign measurement, and optimization. These are only activated with your consent where required by applicable law.
6.2 Managing Your Preferences
You can manage your cookie preferences through our Cookie Settings, accessible via our Site. You may also configure your browser to block or delete cookies. Disabling certain cookies may limit your ability to use some features of the Services.
6.3 Do Not Track Signals
Some browsers transmit “Do Not Track” (DNT) signals. At this time, there is no universal standard for responding to DNT signals. We do not currently respond to DNT signals, but we honor opt-out preferences expressed through our Cookie Settings and, for California residents, through the mechanisms described in Section 10.2 of this Privacy Policy.
7. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
7.1 Service Providers and Subprocessors
We engage third-party service providers and subprocessors to assist in delivering our Services, including cloud infrastructure providers, payment processors, analytics providers, and communication tools. All service providers and subprocessors:
- Are bound by written data processing agreements with confidentiality obligations at least as protective as those in Section 20 of our Terms of Service
- Process personal information only on our documented instructions and solely to perform services on our behalf
- Are required to implement appropriate technical and organizational security measures
- Are subject to regular review and assessment of their data protection practices
A list of our current subprocessors is available upon request by contacting privacy@synthreo.ai. We will notify you of any material changes to our subprocessor list in accordance with our Terms of Service and any applicable DPA.
7.2 Authorized Partners and Resellers
If you access our Services through an authorized partner or reseller, we may share information necessary to support your account, billing, and service delivery with that partner. Partners who resell our Services are contractually required to protect your information in accordance with Section 12 and Section 20 of our Terms of Service.
7.3 Third-Party Integrations
At your direction, the Platform may integrate with third-party systems (such as CRMs, help desks, productivity tools, and communication platforms). When you enable an integration, data may flow between the Platform and the third-party system in accordance with your configuration. Third-party integrations are governed by the third party’s own privacy and security policies. You are solely responsible for:
- Ensuring you have valid rights and permissions to enable the integration
- Reviewing the third party’s privacy practices and security posture
- Managing security settings, access controls, and compliance for third-party systems
- Understanding that Synthreo is not liable for any breach, misuse, or data loss involving third-party systems
7.4 Legal and Regulatory Disclosures
We may disclose your information if required to do so by law, regulation, court order, subpoena, or governmental request, or if we believe in good faith that disclosure is necessary to:
- Comply with applicable legal obligations
- Protect the rights, property, or safety of Synthreo, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our Terms of Service or other agreements
Where legally permitted, we will provide you with notice before disclosing your information in response to legal process.
7.5 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar transaction involving Synthreo, your information may be transferred to the acquiring entity or successor. We will provide notice of any such transfer and any choices you may have regarding your information.
7.6 With Your Consent
We may share your information for any other purpose with your specific, informed consent.
8. International Data Transfers
We may transfer your personal information to countries other than the one in which you reside. Our primary infrastructure is hosted in the United States through Microsoft Azure. We conduct all international transfers in compliance with applicable data protection laws, including:
- Standard Contractual Clauses (SCCs): For transfers of personal information from the European Economic Area (“EEA”), the United Kingdom, and Switzerland to countries that have not received an adequacy decision from the European Commission or the UK Secretary of State
- Adequacy Decisions: Where the European Commission or applicable authority has determined that the destination country provides an adequate level of data protection
- Other Approved Mechanisms: Including binding corporate rules, certifications, or codes of conduct as approved under applicable law
You may obtain a copy of the applicable transfer safeguards by contacting privacy@synthreo.ai.
8.1 Data Localization and Residency
For customers with specific data residency requirements:
- We may offer data localization options in certain regions, subject to additional terms and fees
- Data residency commitments will be specified in applicable Quotes or Data Processing Agreements
- Cross-border data transfers will be conducted in compliance with applicable legal frameworks, including the transfer mechanisms described above
9. Data Retention and Deletion
9.1 Retention Periods
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, including to satisfy legal, regulatory, accounting, or reporting requirements. Specific retention periods include:
- Account and Service Data: Retained for the duration of your active subscription and for thirty (30) days following termination of services to allow for data export
- Billing and Transaction Records: Retained for as long as required by applicable tax, accounting, and financial reporting laws (typically seven years)
- Communications and Support Records: Retained for the duration of your business relationship plus a reasonable period for dispute resolution and legal compliance
- Automatically Collected Technical Data: Retained for up to twenty-four (24) months, unless longer retention is required for security investigations or legal compliance
- Anonymized and Aggregated Data: May be retained indefinitely, provided that such data cannot reasonably be used to identify you or any individual
9.2 Data Export and Portability
You may export Your Data from the Platform at any time during your subscription and for thirty (30) days following termination. Upon request, Synthreo will permanently delete Your Data or return it in a structured, commonly used, and machine-readable format (such as CSV or JSON). The complete terms governing data export, migration assistance, and post-termination retention are set forth in Section 9.7 (Data Portability, Retention, and Deletion) of our Terms of Service.
9.3 Termination and Deletion Procedures
To formally terminate services and initiate data deletion, written notice must be submitted in accordance with the termination procedures specified in Section 13.3 of our Terms of Service. Simply ceasing to use the Services does not constitute valid termination and does not trigger data deletion. Following the thirty (30) day export period, Synthreo will securely delete Your Data from active systems unless longer retention is required by applicable law.
9.4 Secure Deletion
When data is deleted, we use commercially reasonable methods to render it unrecoverable from active systems. Data in automated backup and archival systems will be overwritten in the ordinary course of backup rotation and will not be actively processed during the retention period.
10. Your Data Protection Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information. We are committed to honoring these rights in accordance with applicable law.
10.1 Rights Under GDPR (European Union and United Kingdom)
If you are located in the EEA or the United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of Access: You may request a copy of the personal information we hold about you and information about how it is processed
- Right to Rectification: You may request that we correct inaccurate or incomplete personal information
- Right to Erasure (“Right to Be Forgotten”): You may request that we delete your personal information in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected
- Right to Restriction of Processing: You may request that we restrict the processing of your personal information in certain circumstances, such as while we verify the accuracy of your data
- Right to Data Portability: You may request that we provide your personal information in a structured, commonly used, and machine-readable format, or that we transmit it directly to another controller where technically feasible
- Right to Object: You may object to our processing of your personal information based on legitimate interests, including for direct marketing purposes
- Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects, except where such processing is necessary for the performance of a contract, authorized by law, or based on your explicit consent
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal
Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal information violates applicable law.
Data Protection Officer: For inquiries regarding our GDPR compliance, contact our designated privacy representative at privacy@synthreo.ai.
10.2 Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collecting it, and the categories of third parties with whom it is shared
- Right to Delete: You may request that we delete your personal information, subject to certain exceptions permitted by law
- Right to Correct: You may request that we correct inaccurate personal information
- Right to Opt Out of Sale or Sharing: You have the right to opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising. Synthreo does not sell personal information and does not share it for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: You may direct us to limit our use and disclosure of sensitive personal information to purposes permitted under the CCPA/CPRA
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights, including by denying you goods or services, charging different prices, or providing a different level or quality of service
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. We may require verification of both your identity and the agent’s authority to act on your behalf.
Financial Incentives: We do not offer financial incentives related to the collection, sale, or deletion of personal information.
Categories of Personal Information Collected: In the preceding twelve (12) months, we may have collected the following categories of personal information as defined by the CCPA/CPRA: identifiers (name, email, IP address), commercial information (transaction records, subscription details), internet or electronic network activity (usage data, log data), professional or employment-related information (company name, title), and inferences drawn from the above. We collect this information from you directly, automatically through your use of the Services, and from third-party sources as described in Section 2.
10.3 Rights Under PIPEDA (Canada)
If you are located in Canada, your personal information is protected by the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or applicable provincial privacy legislation. You have the right to:
- Access your personal information held by Synthreo
- Request correction of inaccurate or incomplete personal information
- Withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual limitations
- File a complaint with the Privacy Commissioner of Canada or the applicable provincial commissioner if you believe your privacy rights have been violated
We will only collect, use, and disclose your personal information in accordance with applicable Canadian privacy laws, with your knowledge and consent, and for purposes that a reasonable person would consider appropriate in the circumstances.
10.4 Rights Under Australian Privacy Act
If you are located in Australia, your personal information is protected by the Privacy Act 1988 (Cth) and the Australian Privacy Principles. You have the right to:
- Access your personal information held by Synthreo
- Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information
- Complain about an interference with your privacy to Synthreo and, if not resolved to your satisfaction, to the Office of the Australian Information Commissioner
We will only collect, use, and disclose your personal information in accordance with Australian privacy laws, and we will take reasonable steps to ensure that the personal information we collect is accurate, up-to-date, complete, and relevant.
10.5 How to Exercise Your Rights
To exercise any of the rights described in this Section 10, please contact us at privacy@synthreo.ai. We will:
- Acknowledge your request within ten (10) business days
- Verify your identity using reasonable methods before processing your request
- Respond to your request within the timeframes required by applicable law (generally thirty (30) days under GDPR, forty-five (45) days under CCPA/CPRA, and thirty (30) days under PIPEDA)
- Provide the requested information or action free of charge, unless the request is manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or decline the request as permitted by applicable law
If we are acting as a data processor with respect to your personal information, we may redirect your request to the appropriate data controller (your organization) and assist them in responding as required by our Terms of Service and any applicable DPA.
11. Security Measures
Synthreo implements appropriate technical and organizational safeguards to protect personal information against unauthorized access, disclosure, alteration, loss, or destruction. These measures include encryption of data at rest (AES-256) and in transit (TLS 1.2+), logical tenant data separation, role-based access controls, continuous monitoring, and regular third-party security assessments.
We maintain organizational controls including personnel security training, background checks, written security policies, incident response procedures, and confidentiality obligations for all employees, contractors, and subprocessors.
In the event of a security incident that may affect your personal information, we will notify you promptly in accordance with applicable law (including within 72 hours where required under GDPR) and provide the information necessary for you to assess and respond to the incident.
Despite our security efforts, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and you acknowledge and accept this inherent risk.
For the complete details of our security measures, certifications and compliance framework status, incident response procedures, your security responsibilities, and audit rights, see Section 19 (Security Policy and Compliance) of our Terms of Service.
12. Children’s Privacy
Our Services are not intended for individuals under the age of eighteen (18) or the age of legal majority in the applicable jurisdiction (whichever is higher). We do not knowingly collect personal information from children. If you believe that we have inadvertently collected personal information from a child, please contact us immediately at privacy@synthreo.ai, and we will take steps to delete such information promptly.
13. Third-Party Links and Services
Our Site or Platform may contain links to third-party websites, applications, or services that are not operated or controlled by Synthreo. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices or content. We encourage you to review the privacy policies of any third-party service before providing personal information.
14. Changes to This Privacy Policy
14.1 Modification Rights
We may update this Privacy Policy from time to time to reflect changes in our Services, data practices, legal requirements, or business operations.
14.2 Notification Procedures
When we make material changes to this Privacy Policy, we will provide notice by:
- Updating the “Effective Date” and version number at the top of this page
- Posting the updated version on our Site at synthreo.ai/privacy
- Sending an email to the address associated with your account at least thirty (30) days before the effective date of material changes
- Displaying a notification within the Platform upon your next login, where applicable
14.3 Types of Changes
- Material Changes: Changes that substantially affect how we collect, use, or share your personal information require advance notice as described above
- Non-Material Changes: Minor clarifications, formatting updates, or changes that do not affect your substantive privacy rights may be made with shorter notice
- Legal Compliance Changes: Changes required by law or regulation may be implemented immediately with prompt notice
14.4 Acceptance
Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you may terminate your account before the effective date of the changes.
14.5 Version History
We maintain a version history of this Privacy Policy. Previous versions are available upon request for reference, and the current version will always be posted at synthreo.ai/privacy.
15. Data Processing Agreement
Where required by applicable data protection law (including GDPR), a separate Data Processing Agreement (“DPA”) is available upon request and is incorporated by reference into our Terms of Service. The DPA addresses:
- The subject matter, duration, nature, and purpose of processing
- The types of personal data processed and categories of data subjects
- The obligations and rights of the data controller
- Instructions for processing and restrictions on use
- Subprocessor engagement and management
- Technical and organizational security measures
- Data breach notification procedures
- Audit rights and compliance documentation
- Data return and deletion upon termination
- Cross-border data transfer mechanisms
To request a DPA, contact privacy@synthreo.ai.
16. Contact Information
For questions about this Privacy Policy, to exercise your data protection rights, or to raise a privacy concern:
- Privacy Inquiries: privacy@synthreo.ai
- Security Incidents: security@synthreo.ai
- General Inquiries: legal@synthreo.ai
- Billing and Termination: accounting@synthreo.ai
- Support: help@synthreo.ai
Mailing Address: Synthreo, Inc., Legal Department, 5227 N 7th St, Phoenix, AZ 85014-2802, United States
International Contacts:
- EU/UK inquiries: privacy@synthreo.ai
- Canada inquiries: privacy@synthreo.ai
- Australia inquiries: privacy@synthreo.ai
If you are located in the European Union or United Kingdom and are not satisfied with our response to your inquiry, you have the right to lodge a complaint with your local data protection supervisory authority.