Privacy Policy

Effective Date: June 18th, 2026 · Synaply Inc.

Synaply Inc. ("we," "our," or "us") values your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, share, and protect your data when you use our services, including our SaaS platform. By using our Services, you agree to the terms of this Privacy Policy.

Section 01 — Information We Collect

We collect the following types of personal data:

• Contact Information: Including emails and names.
• Account Information: Including passwords and company organization chart data (such as who reports to whom).
• Payment Information: Including billing details processed via Stripe.
• User Activity: Data about your interactions with our platform to improve your experience.

Section 02 — How We Use Your Information

• Provide and maintain our services.
• Improve the user experience, including offering customer support and personalized content.
• Communicate with you, including sending marketing materials (with your consent).
• Process payments securely via Stripe.

Section 03 — Data Storage and Sharing

Storage: Your data is stored on Amazon Web Services (AWS) servers.

Data Sharing: We do not share your personal data with third parties, except as necessary to provide our services (e.g., Stripe for payments). If this policy changes in the future, we will notify you and update this Privacy Policy accordingly.

Third-Party Service Providers: We use third-party services like AWS and Stripe. Your use of these services is subject to their respective terms of service. We are not responsible for the performance or availability of these third-party services.

Sub-processors: We share data only with sub-processors that help us deliver the Services, under contractual data-protection obligations: Amazon Web Services (cloud hosting and storage; primarily Canada, with some processing in the United States) and Stripe (payment processing). A current list is available on request at support@synaply.io.

Section 04 — Cookies and Tracking Technologies

We may use cookies and similar technologies to enhance your experience. These may be used to track activity on our platform and store preferences. If you wish to manage or disable cookies, you can do so through your browser settings.

Section 05 — User Rights

You have the right to:

• Access, update, or delete your personal data.
• Opt-out of marketing communications at any time.
• Request a copy of the data we have stored about you.

However, please note that in some circumstances, we may refuse access to certain types of personal data, such as detailed activity logs, if:

• Fulfilling the request would adversely affect the rights and freedoms of others.
• The request is manifestly unfounded or excessive.
• Providing the data would require significant technical or operational effort (e.g., retrieving complex data from our database).

If we refuse access to your data, we will notify you with an explanation of why the request cannot be fulfilled.

We do not sell or share your personal information, so there is no sale or sharing of your data for you to opt out of. Depending on your jurisdiction (for example, the EEA, UK, or California), you may also have rights to correct, restrict, port, or object to the processing of your personal data, and to lodge a complaint with your local supervisory authority.

To exercise these rights, please contact us at info@synaply.io.

Section 06 — Data Security

We implement commercially reasonable security measures to protect your data while stored on AWS. However, no method of data transmission or storage is 100% secure, so we cannot guarantee complete security. You are also responsible for maintaining the confidentiality of your account credentials and agree to notify us immediately of any unauthorized access or security breaches related to your account.

We encrypt your data in transit (TLS) and at rest (AWS KMS), isolate each organization's data in a per-tenant index, enforce least-privilege access controls, and maintain an annually audited SOC 2 Type 2 program. If a breach affects your personal data, we will notify affected customers without undue delay and, where required, no later than 72 hours after we confirm it.

Section 07 — International Data Transfers

Synaply primarily hosts customer data in Amazon Web Services data centers located in Canada (ca-central-1). Some processing and network routing may also occur in the United States. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses. For transfers between Canada and the United States, and for all other processing, we apply equivalent contractual and technical safeguards so that your data receives consistent protection wherever it is processed.

Section 08 — Data Retention

We retain your personal data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. After that, your data will be securely deleted or anonymized in accordance with applicable laws.

Section 09 — Children's Privacy

We do not knowingly collect or solicit personal data from individuals under the age of 13. If we learn that we have collected personal data from a child under 13, we will take steps to delete such information.

Section 10 — Limitation of Liability

To the maximum extent permitted by law, Synaply Inc. shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or in connection with this Privacy Policy or the use of the Services, even if we have been advised of the possibility of such damages.

Section 11 — Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will post the updated policy on this page and update the "Effective Date" at the top. We encourage you to review this Privacy Policy periodically.

Section 12 — Contact Us

If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please contact us at:

Synaply Inc. 62 Carnforth Rd, Toronto, ON, M4A 2K7

• General Inquiries: info@synaply.io
• Product Support Inquiries: support@synaply.io

Section 13 — MCP & AI Integration

MCP Integration & AI Data Handling

Synaply maintains a publicly accessible privacy policy that explicitly covers MCP (Model Context Protocol) data handling. This section describes what data is accessed via the MCP integration, the purposes for which it is used, data retention periods, user rights including deletion, and contact mechanisms for privacy-related enquiries. This policy is reviewed and updated to remain current with the product's data handling practices.

What the MCP integration accesses

When you connect Synaply to an AI assistant (such as Claude via Claude.ai) through our Model Context Protocol (MCP) server, the integration is granted access to the following categories of data within your Synaply workspace, subject to your role and privacy settings:

• Insights & knowledge entries — content, titles, insight types, creation timestamps, and privacy levels for entries you and your team have published or drafted
• User identity & org structure — your profile, division memberships, reporting relationships, and team hierarchy
• Division schema — insight type definitions, form fields, and guidelines configured by your workspace admin
• Analytics summaries — aggregated submission trends and participation data across your accessible divisions

Purpose of access

Data accessed via the MCP integration is used solely to provide the Synaply knowledge management and AI assistance features you have requested — specifically, to enable your AI assistant to read, synthesize, draft, and publish organizational insights on your behalf within the Synaply platform. We do not use MCP-accessed data to train AI models, and we do not share it with third parties beyond what is necessary to operate the service.

How data is transmitted

Data passed through the MCP connection travels between Synaply's servers and your AI assistant provider (e.g., Anthropic) over encrypted HTTPS connections. Synaply does not store the content of individual MCP tool calls beyond what is necessary to fulfill the request. Your AI assistant provider's own privacy policy governs how they handle data received via MCP tool calls.

Retention

Data accessed via the MCP integration is retained in Synaply's systems for as long as your subscription is active and as necessary to provide the Services. Upon account termination or subscription cancellation, your data is handled in accordance with Section 8 (Data Retention) of this policy. Draft insights created during an MCP session but not published are stored temporarily and may be deleted if not acted upon.

Your rights & how to exercise them

You have the right to access, correct, or request deletion of data accessed through the MCP integration. To exercise these rights, or to revoke the MCP connection at any time, contact us at support@synaply.io. You may also disconnect the Synaply MCP connector directly from your AI assistant's settings at any time, which immediately terminates the integration's access to your data.

Section 14 — Connected Services & Google Workspace Data

When you or your organization's administrator connect a third-party service, Synaply accesses data on a read-only basis to build a private, permission-aware search index. We never create, modify, or delete content in the connected service.

Google Workspace data: With your authorization (or your Workspace administrator's, via domain-wide delegation), Synaply accesses Gmail (gmail.readonly), Drive (drive.readonly), Calendar (calendar.readonly), and Workspace directory user and group data (admin.directory.user.readonly, admin.directory.group.readonly). We use this data solely to provide Synaply's search and knowledge features to you and the teammates you authorize, mirroring your existing permissions so you only see results you already have access to.

Limited Use: Synaply's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Google user data is never sold or transferred to third parties except as necessary to provide or improve user-facing features, for security purposes such as investigating abuse, to comply with applicable law, or as part of a merger or acquisition with equivalent protections; is never used for advertising; is never read by humans except (a) with your explicit consent, (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data is aggregated and anonymized for internal operations; and is never used to train or develop generalized or foundation AI/ML models. Where Synaply uses AI to extract entities and relationships from your content, it does so solely to power your own search and knowledge features.

Storage, retention, and revocation: Connected-service data is encrypted in transit and at rest (AWS, KMS-backed), isolated per organization, and maintained under SOC 2 Type 2 controls. You can revoke access at any time in Settings → Integrations or at myaccount.google.com/permissions. We delete indexed data derived from a connected service within 30 days of disconnection or a deletion request. Questions: support@synaply.io.