This Policy explains what information Synor collects, how we use it, and the choices you have.
Who we are
Synor operates Synor at getsynor.com. For questions about this Policy or your data, email contact@getsynor.com.
Our role
When you use Synor as a registered customer, we are the data controller of your account information and a data processor acting on your instructions with respect to the lead data you collect through the Service. When an end-user submits a form on your website that our embed captures, you (our customer) are the controller of that lead’s data and we process it on your behalf.
Information we collect
From registered customers
- Account data: name, email, password (hashed) — handled by our identity provider, Clerk.
- Owner contact data captured at onboarding: your full name and cell phone number, used to send account, billing, and HOT-lead alerts. Never shared with your customers and never sold.
- Business identity: business name, service type, service area, public website URL, mailing address, operating hours, optional team size and average job value. Mailing address and business website are reported to mobile carriers as part of Twilio A2P 10DLC brand registration so your SMS can be delivered.
- AI configuration: tone preference, optional prompt notes, optional booking link.
- Telephony: the Twilio phone number assigned to or shared with your account, optional forwarding number for missed calls, and notification email for owner alerts.
- Billing: payment method and invoice history — handled by Stripe. We do not store full card numbers.
- Usage data: dashboard pages viewed, features used, errors encountered.
From leads on your website (on your behalf)
- Names, phone numbers, email addresses, and message content submitted through forms detected by our embed script or delivered via vendor webhooks.
- Page URL of the form, origin (your site), and the time of submission.
- IP address of the submitting browser (retained short-term for abuse prevention).
- SMS conversation history between the lead and your Twilio number.
- Inferred attributes generated by our AI (stage, score, intent, summary).
From your website visitors automatically
- The embed script reads the DOM of the page it runs on to identify lead-capture forms. It does not submit or read form values until the visitor submits a form, and it does not capture keystrokes, passwords, or fields inside forms it has excluded.
- On each page, the embed sends a lightweight heartbeat that includes the page URL, an inventory of forms detected, and third-party form vendors (e.g. HubSpot, Typeform iframes) present on the page. It does not send form field values.
How we use information
- To operate, maintain, and improve the Service.
- To authenticate your account and bill you.
- To send AI-generated replies to leads, on your instructions, via Twilio SMS.
- To generate the analytics, summaries, and scores shown in your dashboard.
- To prevent fraud, abuse, and violations of our Terms.
- To communicate with you about the Service (service announcements, billing, security).
- To comply with law and respond to legal process.
We do not sell your data or your leads’ data. We do not use lead data to train third-party AI models beyond what is necessary to generate a response for the originating conversation.
Legal bases (EEA and UK)
If you are in the European Economic Area or the UK, we process personal data on the following bases: (a) contract — to provide the Service you registered for; (b) legitimate interests — to secure the Service, prevent fraud, and improve the product; (c) consent — for optional analytics cookies; (d) legal obligation — where required.
How we share information
We share information with third parties only in these circumstances:
- Sub-processors who provide infrastructure and features, bound by data-processing agreements: Clerk (authentication), Stripe (billing), Twilio (SMS delivery), OpenAI (AI model inference for generating replies), Vercel (frontend hosting), Railway (backend hosting and Postgres), Upstash (rate limiting and deduplication), Sentry (error monitoring), PostHog (product analytics).
- With your consent, for any other disclosure.
- For legal reasons, if we in good faith believe disclosure is necessary to comply with law, legal process, or to protect the rights, property, or safety of Synor, our users, or others.
- In a business transfer (merger, acquisition, sale of assets), with continued protection under this Policy or notice if terms change.
AI processing
When a lead sends a message, the content of that message (and recent conversation context) is transmitted to OpenAI to generate a response. OpenAI does not use API inputs or outputs to train its models. Responses are stored in our database so you can review the conversation in your dashboard.
Data retention
- Account and business data: while your account is active, then up to 90 days after cancellation.
- Lead and conversation data: for as long as needed to provide the Service to you, or until you delete it.
- Billing records: as required by tax and accounting law (typically 7 years).
- Logs: up to 30 days for IP addresses and 90 days for error logs.
Your rights
Depending on where you live, you may have rights to:
- Access the personal data we hold about you;
- Correct inaccurate personal data;
- Delete your personal data (subject to exceptions);
- Export your personal data in a portable format;
- Object to or restrict certain processing;
- Withdraw consent where we rely on it;
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email contact@getsynor.com. If you are a lead contacting us about data held on behalf of a Synor customer, we will forward your request to that customer, who is the controller of your data.
California privacy rights
California residents have additional rights under the CCPA and CPRA, including the right to know what personal information we collect and for what purposes, the right to delete, the right to correct, and the right to opt out of the “sale” or “sharing” of personal information. Synor does not sell or share personal information as those terms are defined under the CPRA. To exercise your rights, email us at the address above.
Cookies and similar technologies
Our dashboard uses cookies and local storage to keep you signed in, remember preferences, and measure product usage via PostHog. The public embed script uses browser sessionStorage to deduplicate form submissions within the same visit; it does not set tracking cookies on your customers’ websites.
Security
We use HTTPS, hashed passwords (via Clerk), encrypted database connections, signed webhooks, and rate limiting. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.
International transfers
Our infrastructure is hosted in the United States. If you are outside the U.S., your information will be transferred to and processed in the U.S. under appropriate safeguards.
Children
The Service is not directed to children under 13 (or 16 in the EEA), and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.
Changes to this Policy
We may update this Policy. Material changes are announced by email or in the dashboard before taking effect. The effective date at the top of the page shows the most recent revision.
Contact
Synor
contact@getsynor.com
We update these documents as the product evolves. The version date at the top is the current one — material changes are sent to account owners by email before they take effect.