Privacy Policy

Effective: April 16, 2026 Last updated: June 3, 2026

Synaps ("we", "the App") is a mobile application that gives you access to AI assistants. To run the service we need to process some of your data. This policy explains what data, why, and how we protect it.

1. What data we collect

1.1. Directly from you

• Name and email — via the Clerk authentication service (Google / Apple / email+password)
• Chat messages with agents — full text of your messages and the agents' replies
• Voice messages — audio recording when you use voice input (transcribed to text; the audio is not retained after transcription)
• Images — photos you attach to messages
• Reminders — text, date, and time of scheduled push notifications

1.2. Automatically

• Time zone — derived from device settings (IANA format, e.g. Europe/Moscow)
• Push token — a technical identifier used to deliver push notifications (contains no personal data)
• Request metadata — timestamp, IP address, app version (for technical logs and diagnostics)

1.3. Access to device contacts (mobile app only)

Access to device contacts (mobile app only). If you use the "Networker" AI agent, the app may request access to your device address book — but only when you explicitly tap "Pick from contacts" in the agent's interface. The address book is not uploaded to the server as a whole. The server only stores the names and contact details you explicitly select and confirm on the agent's card. You can delete any saved contacts in the agent's "Memory" section at any time. You can revoke contacts access in system Settings → Synaps → Contacts.

1.4. Connecting email accounts (Gmail, Yandex Mail — optional)

If you connect a mailbox via "Sources → Email", agents can read, search, and label messages on your request.

What we store:

• OAuth access tokens — encrypted on the server (Fernet / AES-128) and kept in our database. Used only to make requests to Gmail / Yandex on your behalf.
• Operation metadata — the fact that "agent requested unread list" / "agent read message X" is kept for 30 days for diagnostics and audit.
• Header and AI-summary index (when smart-processing features are enabled) — the subject line, sender, date, read flag, and a 1–2-sentence AI-generated summary of each message. This metadata allows agents to quickly locate messages, sort by importance, and produce digests without re-fetching from Gmail / Yandex. Email bodies and attachments are not part of the index. When you disconnect the mailbox, the entire index is deleted.

What we do NOT store:

• Email content (bodies) is not saved in our database. The message body is fetched from the provider at request time and immediately passed to the AI model (OpenAI / Anthropic) for response generation or summarization. A short-lived in-memory cache (Redis, 5 minutes) is used only for follow-up questions about the same message within a single conversation.
• Attachments are neither stored nor indexed.

What the agent can do:

• Read messages on your request
• Search the inbox (Gmail search / IMAP search)
• Mark as read, move to archive

What the agent cannot do without your explicit confirmation via in-chat card:

• Send email
• Permanently delete email (requires a separate extended permission requested as a separate step)
• Change mailbox settings

No background scanning: we do not read your inbox automatically. Heartbeat (proactive agent messages) does not have access to email content.

You can disconnect a mailbox at any time in "Sources → Email". On disconnect: OAuth tokens are immediately deleted from our database, the Redis cache is purged, and access is revoked at the provider.

1.5. What we do NOT collect

• Location
• Address book entries (except those explicitly confirmed via Networker — see §1.3)
• Browser history
• Photo gallery (only the photos you explicitly select)
• Payment information

2. How we use the data

• Running chats with AI agents — messages, images, voice
• Authentication and identification — email, name
• Personalising agent replies — facts about you (platform memory), behaviour rules
• Push notifications (reminders) — push token, time zone
• Crash diagnostics and service improvement — technical logs

Important: your messages and facts are not used to train AI models. We do not sell your data to advertisers.

3. Who we share data with (sub-processors)

To operate the service we use third-party platforms. Each has its own privacy policy:

• OpenAI (USA) — we send message text, images, audio. Purpose: GPT replies, embeddings for search, voice transcription (Whisper)
• Anthropic (USA) — message text. Purpose: Claude replies
• Clerk (USA) — email, name. Purpose: authentication, account management
• Expo Push Service (USA) — push token, notification title/body. Purpose: delivery to APNs/FCM
• Google (Gmail API) (USA) — only if you connect a Gmail account. Purpose: read / search / label messages on your request. We send: an OAuth token. Email content does not leave Synaps except for the AI-model call needed to answer (see §1.4).
• Yandex (Russia) — only if you connect a Yandex.Mail account. Same purpose and contract as Gmail; IMAP protocol instead of REST API.
• Hosting (servers in Russia) — all database data. Purpose: storage and processing

Data is transferred over secure channels (HTTPS / TLS 1.3). OpenAI and Anthropic, under their API terms, do not use your data to train models.

4. Data retention

• Messages and memory are kept indefinitely until you delete them manually or delete your account
• Auth tokens — encrypted, stored in the device's secure storage (iOS SecureStore)
• Push tokens are deleted automatically when you uninstall the app (iOS notifies us of revocation)
• Voice recordings — deleted right after transcription (only the resulting text is kept)
• OAuth tokens for connected mail accounts — encrypted (Fernet / AES-128), kept in the database until you disconnect the account in "Sources → Email" or delete your account entirely

5. Your rights

You have the right to:

• View your data via the "Memory" screen in the app
• Delete individual messages, reminders, behaviour rules
• Export your data — email the support address below
• Delete your account entirely — email support; we remove all data within 30 days

6. Security

• Data transfer is HTTPS only
• Authentication — OAuth providers (Google, Apple) or email + hashed password
• Access tokens — kept in iOS SecureStore (hardware-backed device storage)
• Servers — firewalled, kept on a regular update schedule

7. Children

The app is not intended for users under 13. If we learn we have collected data from a child under 13 without parental consent, we will delete it.

8. Policy changes

We may update this policy. For material changes we will notify you in the app. The current version is always available at this URL.

9. Contact

For any data-related questions:

Email: azavalishchev@gmail.com Developer: Alik Zavalishchev (Indie Developer)